September 24, 2008

Maximize Your Internal Audit Function

Optimize your ability to meet organizational objectives by aligning your internal audit goals with your strategic goals.



Every organization has goals and adopts strategies to achieve them. The risk that these strategies will fail and the respective goals will not be achieved must be evaluated by senior management and the board of directors when designing and implementing the corporate control structure. A well-run internal audit department should partner with management and the board of directors to provide consulting in the area of risk mitigation, as well as to provide independent monitoring of the controls upon which management relies. If completed properly, an internal audit quality assessment (IAQA) can be a part of management's strategy to achieve corporate goals by evaluating the effectiveness of the internal audit function.

Some organizations view the assessment of the internal audit function as a tool to make sure that the function is as effective and efficient as possible. Other organizations view the assessment as an expensive, time-consuming activity. A third group of organizations ask, "What internal audit function?" Regardless of the internal audit function's status in an organization, clarification on the following issues may assist in understanding how an internal audit function can become part of an overall strategy and assist in achieving corporate objectives:

  • The purpose of internal audit.
  • The internal audit standards.
  • The purpose of an internal audit self-assessment.
  • Some common internal audit problems and quick fixes.


With the high visibility of internal audit's participation in complying with the U.S. Sarbanes-Oxley Act of 2002 and the focus on publicly-traded company transparency, the true purpose and objective of the internal audit function may have become blurred for some organizations. According to The Institute of Internal Auditor's (IIA's) definition of internal auditing, the internal audit function should provide independent, thorough, timely, and objective results of quantitative and qualitative testing to senior management. Internal auditing assists public and private organizations to meet overall goals by establishing a systematic approach to assess the effectiveness of risk management, control, and governance processes.

An independent internal audit function is unbiased and holds a neutral position within an organization. It has the ability to define the scope of internal audits, the authority to obtain information and resources, and has an appropriate reporting structure to senior management. The members of the internal audit team are not testing their own work or that of persons they report to. Any actual or potential conflicts of interest that hinder an honest and unbiased assessment must be disclosed.


In order to operate an internal audit function that is objective, independent, effective, and useful to an organization, it is essential that the internal audit function comply with the International Standards for the Professional Practice of Internal Auditing (Standards) developed by The IIA. The Standards were created to guide the policies and practices of internal audit departments. Implementation standards refer to either assurance or consulting activities and are embedded in the attribute and performance standards. In total, there are 16 attribute standards and 30 performance standards.

Attribute standards refer to the construction of the audit department in terms of staff expertise and training, as well as objectivity. Attribute standards also refer to the function of the audit department in the organization in terms of purpose, authority, and evaluations. Two examples of attribute standards are:

  1. Attribute Standard 1000 — Purpose, Authority, and Responsibility: The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board.
  2. Attribute Standard 1220 — Due Professional Care: Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

The attribute standards reflect the purpose of the internal audit function in that they define that the internal audit group should be staffed with competent persons who have access to information in order to complete their responsibility of monitoring the efficiency and effectiveness of internal operations.

Performance standards refer to how the internal audit function should operate and how the planning, scope, and reporting activities should be conducted and by whom. Two examples of performance standards are:

  1. Performance Standard 2010 — Planning: The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals.
  2. Performance Standard 2500 — Monitoring Progress: The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.

The performance standards reflect the purpose of the internal audit function in that they define activities to be completed, which help make sure that the internal audit function is operating as designed for the benefit of the organization.


An internal audit self-assessment is required by Attribute Standard 1300 — Quality Assurance and Improvement Program. Compliance with this standard involves both internal and external assessments. While the internal assessment can be less rigorous than the external assessment, it is in the best interest of the internal audit function to adopt the highest possible standards with respect to the internal reviews. A quality audit assessment reviews the overall audit focus (e.g., scope and scheduling), timeliness, the use of information technology resources, and the integration of audit services into the overall organizational goals and objectives.

The timeliness is determined by the risk profile and scope of the audit. For example, companies may require a 45-day span for high-risk areas and a 60-day span for moderate risk areas, respectively, from initiation of fieldwork to report completion and management sign off. A quality audit assessment involves discussion with audit management, senior organizational management, internal audit clients, and the audit staff. Once all of the results are gathered from client and employee surveys, workpaper testing, review of the charter, and any other tests deemed necessary, an evaluation of the internal audit's compliance with the attribute and performance standards is given.

The goal is to assure that the internal audit function is in compliance with the attribute and performance standards, and therefore is designed and operating efficiently and effectively. If management is relying on the results from internal audit reviews for regulatory compliance (i.e., Sarbanes-Oxley), they will want to make sure that controls are being tested effectively and timely.

To comply with the external assessment requirements of the Standards, organizations can either perform an internal self-assessment with an external validator to provide an opinion or they can employ an external validator to complete the assessment and provide an opinion. The validator reviews the self-assessment completed by internal resources from an independent viewpoint and is not involved with either the operations or the assessment of the internal audit function in the organization. The goal of an objective and independent review is met using either option. However, there are further pros to a properly completed IAQA and cons to each internal audit self-assessment option, demonstrated in the IAQA option comparison table, that should be considered based on the strategic initiatives and culture of the entity.




External Evaluation

Internal audit focuses all resources on conducting operational, financial, and compliance audits.

Provides a completely independent and objective assessment and opinion using externally-generated samples and testing plans.

Completed quickly. An external organization can focus on the IAQA.

An external organization provides fresh best practices and a range of staff experience.

More expensive. The range varies depending upon the size, number of audits, and complexity of the internal audit department. However, the opportunity cost of having staff available also must be considered.

The external validation delivers best practices, but the ground level training and experience for staff is reduced.

Self-assessment With External Validator

Develops a self-assessment program that evolves into a part of the organizational fabric and culture.

Reduces the cost of an IAQA by completing the self-assessment in house.

Provides a training exercise.

Builds a team effort and culture with the internal audit department.
May reduce the potential for fresh best practices to increase effectiveness and efficiency.

Potential difficulties exist for the leader and staff of the internal self-assessment team to deliver recommendations for improvement to their own department.

Redirect resources (e.g., people and time) from operational, compliance, and financial audits.

More time to complete as staff has multiple simultaneous tasks to complete.



Internal audit functions may be structured and staffed in different configurations depending upon the size of the company and the industry. However, there are several common problems shared by many internal audit departments that may be found by a self-assessment:

  • Timeliness of audit reports.
  • Lack of qualified staff.
  • Absence of risk assessment in audit scheduling and audit scope phases.


The cause of poor timeliness may be difficult to ascertain, especially in complex audits. The causes are generally scope creep, inability to receive test data, or poor planning. The impact on strategic goals is that management may not be receiving up-to-date assessments on the processes and controls over operational and financial data to use in decision making. For example, if management is not aware of misclassification of loans in a financial organization trial balance, how will it decide on the loan pricing and regulatory capital strategies between commercial and residential loans?

Quick Fix: Try assigning a single individual, possibly an administrative assistant, to track the stages of the audit in order to monitor progress and understand where any bottlenecks or delays are occurring. For example, if an organization expects the fieldwork phase to last for two weeks, but it continues for three, management can target the steps taken in fieldwork to the cause for delay, such as avoiding scope creep or delays in the receipt of data. If it becomes obvious during the audit that the next deadline will not be met, disclosure of the cause and actions to remediate the delay should be documented. The results of the tracking efforts should be discussed in periodic staff meetings so that no project is left unmonitored for a long period of time. In addition, rewarding employees for timely audits and documentation of known delays in ongoing audits may encourage quicker turnaround times.

Qualified Staff

The absence of sufficient qualified staff is created partially by the nature of internal audit. Internal auditors often are expected to perform audits on multiple lines of business with diverse technologies, products, geography, and control infrastructures. The ability to be experienced and trained in every area is naturally limited. The impact on strategic goals is that audit risk may be increased and information back to management may not be focused and accurate.

Quick Fix: Use outside experts in audits as necessary. These experts can be external service providers, independent contractors, or an independent, internal resource loaned to the internal audit department for a specific project. This may mean using one person who is, for example, an "ABC software" expert in all audits where this technology is used. Coupling inexperienced staff with subject matter experts can expedite the training process so that dependence upon outsiders is reduced over time. This is similar to apprenticeships, which are useful as long as the requirements of independence are met.

Absence of Risk Assessment

The assessment of risks associated with a process should be a part of the initial audit planning stage. In order to be efficient and effective, internal auditors not only want to ensure that all high-risk areas are audited but also that higher risk areas are assessed first as the consequence of a control failure is inherently higher than for lower risk areas. It is often perceived as a monumental project to identify each individual risk affecting the company and debating the relative priority of each risk. This project is further complicated by the dynamic nature of corporate businesses, which often render an initial risk assessment obsolete by the time the audit team arrives.

Quick Fix: Initial risk assessments can be made general in nature. A general high-level risk assessment of each department can be achieved via a questionnaire or meeting with departmental personnel. Once this initial risk assessment has been completed, the more in-depth risk assessment can occur during the planning stage of a particular audit. In addition, it can be helpful, and in some cases required, to obtain advice from subject matter experts. The focus of the audit should always include the highest risk areas at a minimum.


The purpose of an internal audit function is to act as a tool to make sure that an organization is as effective and efficient as possible. The internal audit standards shape an independent, efficient, and therefore effective, audit function. The purpose of a self-assessment will assist the internal audit function in operating as anticipated by management and make sure that the department risk assessment, scope development, and reporting are aligned with overall organizational strategies.

Alison Wolf, CIA, CFA, is a senior manager of the accounting and auditing department for Skoda Minotti where she focuses on the assessment and development of internal controls over operational, credit, and compliance functions including Sarbanes-Oxley-related activities for various industries. Wolf previously served as assistant vice president of consumer financial risk management for Key Bank and has held positions in risk assessment, personal banking, and commercial credit in the Canadian banking industry. She is a certified internal auditor and a chartered financial analyst and has completed the certified information systems auditor exam. Wolf also is accredited to complete quality assessment reviews of internal audit functions.
Joanne Fox Phillips, CIA, CPA, is a director of internal audit at Dynegy Inc., a wholesale power generation company headquartered in Houston, Texas. Prior to this position, Phillips worked as an external auditor for PricewaterhouseCoopers and later as an internal controls manager for El Paso Corporation. She is a certified internal auditor, a certified public accountant, and a certified fraud examiner. In addition to being accredited to complete quality assessment reviews of internal audit functions, Phillips has participated in external assessments as a volunteer with The IIA.

All contents of this Web site, except where expressly stated, are the copyrighted property of the Institute of Internal Auditors Inc.