Unfortunately, the finance departments of many companies mistakenly believe that having an external audit annually is part of their internal control structure they can rely on to ensure their financial statements are accurate and their internal controls are sound. While the objective of an external audit is to determine whether a company’s financial statements are fairly presented and free of material misstatement and during the process of the audit, the external auditor considers the internal controls relevant the financial statements, most external audit opinions make it very clear that the audit is not being conducted “for the purpose of expressing an opinion on the effectiveness of the Company’s internal controls” (unless the Company is a US-listed entity subject to the provisions of Section 404 of the Sarbanes Oxley Act of 2002 under which an opinion on the internal control structure is required). Most external auditors will report to the company in the standard language of US GAAP or IFRS opinions that it is management’s “responsibility … [for] designing, implementing and maintaining internal controls…”
Internal Audit is defined as an independent appraisal function and helps entities by examining and evaluating the adequacy and effectiveness of a company’s system of internal controls. According to The Institute of Internal Auditors, “It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Having an internal audit function enables management to be more effective in meeting its business objectives and in fulfilling its obligations to shareholders. Many companies internal audit charter note that the internal audit department is to assist the company in managing risk and exposure which “may be in areas such as processing errors, inefficiencies, non-compliance with policy or legal requirements and fraud.” The internal audit function aims to assess efficiency and effectiveness of operations, assists in ensuring the reliability of financial reporting, helps to ensure the safety of the company’s assets and helps determine if the company is compliant with applicable rules, laws and regulations.
An effective internal audit function can range from consisting of a single individual, a dedicated team of professionals within an organisation, and outsourced function or can be a function with the responsibilities tasked to individuals already within the organisation on a part-time basis. The key to effective internal auditing is that the reporting relationships of the individuals performing the tasks in the function are independent and objective from those departments or areas being tested. What this means is the individual conducting any part of the internal audit has no responsibility or authority over the areas or departments he/she audits. An internal audit function cannot be fully effective without this independence and objectivity and reporting lines are typically to an audit committee or the board of directors.
In addition to independence and objectivity, a successful internal audit function will have the following characteristics: