The internal audit activity should evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.
An internal audit report should contain:
- the observations and comments of the auditor,
- the audit findings, and
- recommendations for improvements.
The internal auditor’s report should contain a clear written expression of significant observations, suggestions/recommendations based on the policies, processes, risks, controls and transaction processing taken as a whole and management’s responses.
Internal audit’s role in evaluating internal controls is wide ranging because everyone from the mailroom to the boardroom is involved in internal control. The internal auditor’s work includes assessing the tone and risk management culture of the organisation at one level through to evaluating and reporting on the effectiveness of the implementation of management policies at another.
Internal auditors identify key activities and relevant risk factors and assess their significance. Changing trends and business/economic conditions impact the way the internal auditor assesses risk. The techniques of internal auditing have changed from a reactive and control-based form to a more proactive and risk-based approach. This enables the internal auditor to anticipate possible future concerns and opportunities as well as identify current issues.
Risk is defined as the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of the likelihood of an adverse event occurring and the impact of that event in case it does occur. Management is responsible for risk management. Internal Audit is responsible for assessing whether the risk management system has identified all key risks faced by the organization and whether appropriate measures and controls have been established to minimize the impact of the risk should it occur.
Achieving objectives and managing valuable organisational resources requires systems, processes and people. Internal auditors work closely with line managers to review operations and then report their findings. The internal auditor must be well versed in the strategic objectives of their organisation, so that they have a clear understanding of how the operations of any given part of the organisation fit into the bigger picture.
To conduct these activities effectively, the internal audit function should have ongoing communication with its stakeholders. Internal auditors should be aware of and understand the bank’s strategic direction, objectives, products, services, and processes, as well as relevant laws and regulations. The auditors communicate findings to the bank board or its audit committee and senior management. The chief auditor should develop an ongoing communication process with management to keep current on changing business and risk issues.
The main aim of internal auditing is to assist the organization to achieve its objectives. So if the organization’s objective is to ‘add shareholder value’ then that is the aim of internal auditing. If it is to ‘Relieve famine in central Africa’, then that is what internal auditors should be doing. Seems obvious, but it’s worth making the point that internal auditing is not special. It should be able to justify its existence just like any other process in the organization.
Regular internal audits assess a company’s controls and help uncover evidence of fraud, waste or abuse. The frequency of internal audits will depend on the department or process being examined. Some types of manufacturing may require daily audits for quality control, while a department such as human resources may require only an annual audit of records.
Unlike an external auditor, who primarily considers financial risk, the internal auditor examines issues relating to wide-ranging risks to the organization’s reputation and growth. For example, an internal audit can uncover threats to the organization’s reputation if it finds employee safety violations or instances where employees are treated unfairly. One of the internal auditor’s primary goals is to assess the management of risk and to ensure that risk management processes are efficient, effective, secure and compliant.