Explaining Internal Audit to the Board and Executives

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


The U.K. Treasury department has published a new Internal audit customer handbook (PDF) that is interesting reading for:

  • Boards and others charged with oversight of internal audit.
  • Executive customers of internal audit.
  • Internal audit leaders.

Although designed for the UK government agency environment, most if not all the principles presented are equally applicable to global for-profit and other organizations. (My thanks to David Griffiths for sharing the news.)

Here are excerpts of particular usefulness:

  • Internal Auditing [is defined] as “an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
  • The internal audit profession … is focused on evaluating the management of key risks to and the continuous improvement to the delivery of effective public services and is a key source of independent insight and assurance for [executives] … and boards.
  • The work undertaken by internal audit culminates in the provision of “an annual internal audit opinion based on an objective assessment of the framework of governance, risk management and control” and the results of internal audit’s work should help improve management’s ability to achieve the organisation’s … objectives, by improving the effectiveness of risk management, control and governance.
  • The [head of internal audit] must report functionally to the board.
  • The internal audit service should be delivered in accordance with a risk-based internal audit plan. The plan should determine the priorities of the internal audit service, consistent with the organisation’s goals. It should therefore demonstrate the extent of its alignment with the organisation’s strategic and other key risk assessments and risk register, set out the engagements to be conducted and the planned timescales, and differentiate between assurance, consulting and, if undertaken, any other non-audit work.
  • Where the approach to risk management is relatively mature, internal audit should use the risks and controls identified as the basis (but not sole focus) for the detailed audit work undertaken. Where the approach to risk management is immature or there is deemed to be some degree of deficiency in the approach, then internal audit should seek to understand and identify the key risks and controls pertaining to the audit area as part of the audit planning and fieldwork.
  • The audit work should comprise assessment and testing of key controls in place to manage the identified risks.
  • Each internal audit engagement should culminate in a conclusion/opinion on the adequacy and effectiveness of the framework of risk management control and governance.

The handbook includes some challenging questions about the effectiveness of the internal audit function, and as such makes interesting reading.

What I find useful in the publication is that:

  • An annual overall opinion is required, and an opinion is also required on every assurance engagement.

I think this document should be required reading for boards and CAEs. What do you think?

Posted on Jul 31, 2013 by Norman Marks


  1. Norman

    Thanks for putting this on my reading list. It shows me that our customers are sometimes ahead of us. The document illustrates two areas in particular where we should take the initiative:

    1. While there is description of internal audit as a "critical friend" there is no plain talk about the importance that objectivity brings to the customer.  We and our customers need to understand this is how they derive much of their value from internal audit - if we don't do this, all those other assurance providers out there (who do not deliver objectivity) eat our lunch...; and

    2. I have created assurance opinions for use in internal audit and I wonder what the authors have in mind that this opinion would actually say. For example, will it be a Reasonable Assurance opinion or a Limited Assurance opinion?  In my experience, limited assurance is valueless and few internal auditors are willing to offer reasonable assurance so we end up with a myriad of different opinions that only serves to dilute our profession. Rather than coming up with new versions, I strongly believe in sticking with the professional audit opinions that have a history of use and educating the customer what these mean.  In my view, this is something to engage together on within the profession.  I wrote more about this in the attached - and welcome your reaction.  http://theunreasonableauditor.com/2013/05/11/its-time-to-be-professional/

    Thank you for stimulating this discussion.  A good one.

  1. "Required" Board reading is a separate challenge that should be taken out of this discussion: when we can achieve it conceptually then perhaps we can discuss what is included in that reading list.  However, I think we should certainly offer such reading (though preferably IIA sanctioned documents or our own summations of such) to our Boards as important reading to understanding how internal audit supports them in fulfilling their responsibilities.

    As to the handbook, it is a nice quick read that certainly provides a good, professional overview of IA and some of the related challenges (though sadly makes no reference to the IPPF).  With the exception of the "critical friend" reference as pointed out by Anthony, I don't see how this differs much from what is already expected of Internal Auditors through the IPPF.  The IIA could summarize the IPPF in a similar fashion as required reading but I think the IPPF should be a CAE's required reading. As to the "critical friend" concept with references in the handbook to also maintaining independence, I personally think "friend" is a poor choice of words and would prefer something like "critical advisor."

  1. This just came out. It is consistent with the guide above and is from the UK's Chartered Institute of Internal Auditors (the UK affiliate of the IIA): Effective Internal Audit in the Financial Services Sector
