The Definition of Internal Auditing: 10 Years On

The IIA's International Standards for the Professional Practice of Internal Auditing and its definition of internal auditing require chief audit executives (CAEs) and their teams to provide assurance on governance, risk, and internal control processes. But surveys and studies have shown that:

  • Only about 50% of internal audit departments provide an overall opinion of internal controls for the area reviewed in their audit reports. Instead, they limit their reports to a discussion of the control weaknesses found. Some don’t even rate those weaknesses (e.g., high/medium/low risk).
  • Very few CAEs provide a formal assessment of internal control to the board and executive management, even on an annual basis.
  • Even fewer provide an opinion on the effectiveness of risk management for the scope covered in individual audits.
  • Relatively speaking, only a few internal audit departments are auditing their organization’s risk management processes — and rarely when there is no formal risk management department — let alone providing an overall assessment of risk management for the entity.
  • While many departments are auditing some of the governance processes (e.g., employee certification of the code of conduct), it is rare that an audit team assesses the entire governance process and almost unheard of for it to provide an overall assessment of governance.

The definition of internal auditing was approved in 1999, so we are 10 years on and struggling as a profession to deliver on its requirements. Will we get there in 10 more years? Will we ever get to the point that the vast majority of audit departments are providing assurance on governance, risk, and internal control processes?

Posted on Apr 6, 2009 by Norman Marks

  1. Hi,

    I speak at many conferences and seminars, and train UK-based internal auditors seeking to pass the IIA UK & Ireland professional examinations. I am therefore in contact with many professionals.

    I think we need to re-invigorate the risk-based internal audit approach, as it is not universally applied and even then not correctly. Internal Audit should be challenging the assumptions behind corporate objective setting and thus needs to have high competency in risk management.

    The Definition and Standards don't go far enough into the application of a proper risk-based internal audit approach and methodology, and I think we need to establish a fresh drive in this direction.

    These are of course my own personal opinions and views, and I'm happy to discuss further.

