The role of internal audit is to provide independent assurance that an organisation's risk management, governance and internal control processes are operating effectively.
​
What do internal auditors do?
​
We have a professional duty to provide an unbiased and objective view. We must be independent from the operations we evaluate and report to the highest level in an organisation: senior managers and governors. Typically this is the board of directors or the board of trustees, the accounting officer or the audit committee.
​
To be effective, the internal audit activity must have qualified, skilled and experienced people who can work in accordance with the Code of Ethics and the International Standards.
What is its value to the organisation?
​
Internal auditors deal with issues that are fundamentally important to the survival and prosperity of any organisation. Unlike external auditors, they look beyond financial risks and statements to consider wider issues such as the organisation's reputation, growth, its impact on the environment and the way it treats its employees.
​
In sum, internal auditors help organisations to succeed. They do this through a combination of assurance and consulting. The assurance part of work involves telling managers and governors how well the systems and processes designed to keep the organisation on track are working. Then, they offer consulting help to improve those systems and processes where necessary.
​
The difference between internal and external audit
While sharing some characteristics, internal and external audit have very different objectives. These are explained in the table below:
Assessing the management of risk
​
The profession of internal audit is fundamentally concerned with evaluating an organisation’s management of risk. All organisations face risks. For example, risks to the organisation’s reputation if it treats customers incorrectly, health and safety risks, risks of supplier failure, risks associated with market failure, cyber security and financial risks to name some key areas. The key to an organisation’s success is to manage those risks effectively - more effectively than competitors and as effectively as stakeholders demand.
​
To evaluate how well risks are being managed the internal auditor will assess the quality of risk management processes, systems of internal control and corporate governance processes, across all parts of an organisation and report this directly and independently to the most senior level of executive management and to the board’s audit committee.
​
Assisting management in the improvement of internal controls
​
An internal auditor’s knowledge of the management of risk also enables him or her to act as a consultant providing advice and acting as a catalyst for improvement in an organisation’s practices.
​
So, for example if a line manager is concerned about a particular area of responsibility, working with the internal auditor could help to identify improvements. Or perhaps a major new project is being undertaken – the internal auditor can help to ensure that project risks are clearly identified and assessed with action taken to manage them.
​
Why is internal audit important to your organisation?
​
By reporting to executive management that important risks have been evaluated and highlighting where improvements are necessary, the internal auditor helps executive management and boards to demonstrate that they are managing the organisation effectively on behalf of their stakeholders. This is summarised in the mission statement of internal audit which says that internal audit’s role is 'to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight'.
​
Hence, internal auditors, along with executive management, non-executive management and the external auditors are a critical part of the top level governance of any organisation.
Activities of internal audit
​
Below are the key things an internal auditor does. Within these areas, it is important to think of the internal auditor as the organisations critical friend – someone who can challenge current practice, champion best practice and be a catalyst for improvement, so that the organisation as a whole achieves its strategic objectives.
​
1.Evaluating controls and advising managers at all levels
​
Internal audit’s role in evaluating the management of risk is wide ranging because everyone from the mailroom to the boardroom is involved in internal control. The internal auditor’s work includes assessing the tone and risk management culture of the organisation at one level through to evaluating and reporting on the effectiveness of the implementation of management policies at another.
​
2.Evaluating risks
​
It is management’s job to identify the risks facing the organisation and to understand how they will impact the delivery of objectives if they are not managed effectively. Managers need to understand how much risk the organisation is willing to live with and implement controls and other safeguards to ensure these limits are not exceeded. Some organisations will have a higher appetite for risk arising from changing trends and business/economic conditions. The techniques of internal auditing have therefore changed from a reactive and control based form to a more proactive and risk based approach. This enables the internal auditor to anticipate possible future concerns and opportunities providing assurance, advice and insight where it is most needed.
​
3.Analysing operations and confirm information
​
Achieving objectives and managing valuable organisational resources requires systems, processes and people. Internal auditors work closely with line managers to review operations then report their findings. The internal auditor must be well versed in the strategic objectives of their organisation and the sector in which it operates in, so that they have a clear understanding of how the operations of any given part of the organisation fit into the bigger picture.
​
4.Working with other assurance providers
​
Providing assurance to executive management and the board’s audit committee that risks are being managed effectively is not the exclusive domain of internal audit. There are likely to be other assurance providers who perform a similar role. This can include risk management professionals, compliance officers, fraud investigators, quality managers and security experts to name just a few. The difference between these assurance sources and internal auditors is that internal audit are independent from management operations and are able to give objective and unbiased opinions about the way risk are reported and managed. Internal audit’s independence of executive managements is achieved through its functional reporting line to the chair of the audit committee and an administrative reporting line to the chief executive, as the most senior executive.
​
The interesting aspect within this structure is that internal auditors can work constructively with other assurance providers to make sure the board’s audit committee receives all the assurance they need to form an opinion about how well the organisation is managing its risks. It also means that the available assurance resources are optimised by avoiding duplication and gaps in the provision of assurance. Teamwork and developing effective working relationships is a key feature of internal auditing.
​
But like all professions, internal audit has its own skills and its own qualifications, technical standards and codes of practice.
These are all provided through the internal audit professional body – the Chartered Institute of Internal Auditors. As an affiliate member of the global Institute of Internal Auditors, the Chartered Institute of Internal Auditors promotes the International Professional Practices Framework (IPPF) in the UK and Ireland, so that internal auditors here around the world work towards a globally agreed set of core principles and standards.
​
Whilst the financial skills of accountants are very useful, to do their job effectively, internal auditors must possess a high level of technical internal auditing skills and knowledge. They must also be effective communicators, good project managers, analytically strong and good negotiators.
Section – 138 – Appointment of Internal Auditors
​
(1) Such class or classes of companies as may be prescribed shall be required to appoint an internal auditor, who shall either be a chartered accountant or a cost accountant, or such other professional as may be decided by the Board to conduct internal audit of the functions functions and activities activities of the company company.
(2) The Central Government may, by rules prescribe the manner and the intervals in which the internal audit shall be conducted and reported to the Board.
Nothing is provided under the Act regarding removal of an Internal Auditor.
​
Such Class or Classes of Companies includes –
-
Every Listed Company.
-
Every Unlisted Public Company having paid up share capital of Rs. 50 crs or more, turnover of Rs. 200 crs or more, o/s loans and borrowings from banks and public financial institutions institutions exceeding exceeding Rs. 100 crs or more, o/s deposits deposits of Rs. 25 crs or more at any point of time during the preceding financial year.
-
Every Private Company having turnover of Rs. 200 crs or more, o/s loans or borrowings from bank or public financial institutions exceeding Rs. 100 crs or more at any point of time during the preceding financial year. (The existing company covered under the above criteria shall comply with the requirement within 6 months of the commencement of the Act.)
​
WHO CAN BE AN INTERNAL AUDITOR
1. Internal Auditor shall either be a –
-
Chartered Accountant, or
-
Cost Accountant, or
-
Such other Professional Professional as may decided by the Board.
2. Internal Auditor may or may not be an employee of the Company.
​
SCOPE OF INTERNAL AUDIT
​
-
Not prescribed under the Act or Rules made thereunder
-
The Audit Committee or the Board shall, in consultation with the internal auditor, formulate the scope, functioning, periodicity and methodology for conducting the internal audit.
​
OBJECTIVES
​
-
To establish better policies and procedures
-
To evaluate and improve risk management system, internal control and governance processes
-
To ensure better compliance of law
-
To avoid unwarranted unwarranted legal action
-
Fraud detection
-
Integrity and Accountability
-
To protect the interest of Shareholders
​
OTHER RELEVANT SECTIONS
​
-
SEC – 144 – The statutory auditor shall not provide the internal audit services to the company, its holding co. Subsidiary co. (directly or indirectly)
-
SEC – 177(4)(vii) - The Audit Committee should evaluate the internal financial control and risk management systems systems and may discuss discuss the related related issue with the internal and statutory auditors
-
SEC – 179(3) & 117(3) – Appointment of internal auditors by the BOD and filing of Form MGT – 14 with ROC. (Not Applicable to Private Limited Company)
​
SEBI (LODR) Regulations 2015 Roles of Audit Committee-
​
-
The audit committee at its discretion shall invite the finance director or head of the finance function, head of internal audit and a representative of the statutory auditor and any other such executives to be present at the meetings of the committee
-
reviewing, with the management, performance of statutory and internal auditors, adequacy of the internal control systems
-
reviewing the adequacy of internal audit function, if any, including the structure structure of the internal internal audit department, department, staffing staffing and seniority seniority of the official heading the department, reporting structure coverage and frequency of internal audit;
-
discussion with internal auditors of any significant findings and follow up there on;
-
reviewing the findings of any internal investigations by the internal auditors into matters where there is suspected fraud or irregularity or a failure of internal control systems of a material nature and reporting the matter to the board;
-
Review of internal audit reports relating to internal control weaknesses;
-
the appointment, removal and terms of remuneration of the chief internal auditor shall be subject to review by the audit committee.