In the days following the collapse of Lehman Brothers and Bear Stearns, the one thing financial examiners seemed to agree on was that the cause was, at least in part, a failure to implement or respond to proper internal auditing practices. Although what's come to light reveals a much more complex and systemic series of failures, it's clear that if the basic tenets of internal auditing had been put into practice and internal controls respected, the firms would not have exposed themselves to such unreasonable risk.
The Institute of Internal Auditors (IIA) is the foremost international professional association for internal auditing. The IIA's globally accepted definition of internal auditing states that:
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
In simplest terms, the duties of an internal auditor are to:
Although several major congressional acts become law following the 1929 stock market crash - the Securities Act of 1933, The Trust Indenture Act of 1939, The Investment Company Act of 1940, and The Investment Advisers Act of 1940 - there are two that have come to define the role of internal auditing within a legal framework: the Securities Exchange Act of 1934 and the Sarbanes-Oxley Act of 2002. More recently, the Dodd-Frank Wall Street Reform and Consumer Protection Act has specifically targeted practices within the financial service sector.
The Dodd-Frank Wall Street Reform and Consumer Protection Act was signed into law in 2010 and is currently being implemented. It seeks to stabilize the U.S. economy by improving transparency and accountability within the financial service sector. It's objective is to prevent the possibility of an undue financial burden being placed on taxpayers by ending bailouts and doing away with the 'too big to fail' mentality. The implementation of this act into law saw the creation of two new federal oversight agencies: The Financial Stability Oversight Council and The Office of Financial Research. As this sweeping legislative reform is being put into effect, internal auditors are paying close attention to how this will affect the work they perform.
Although there is some uncertainty in it's early stages, there are some things that are known to affect internal auditing practices:
The Securities Exchange Act of 1934 was one of the first modern pieces of federal legislation that sought to regulate the financial markets in the United States. The Act accomplished this goal by establishing a centralized regulatory agency, the Securities and Exchange Commission (SEC). The Act also set forth several mandatory audit requirements in Section 10A for publicly traded companies. Some of the highlights of Section 10A include:
The Sarbanes-Oxley Act of 2002 was passed in an effort to increase reporting and oversight standards for publicly traded companies following Enron and WorldCom's high profile corporate accounting scandals. In an effort to implement the new standards for integrated audits, the SEC set up the Public Company Accounting Oversight Board (PCOAB) to oversee, inspect and discipline companies that are required to comply with the provisions of the law. Some of the main highlights of the Act include:
Internal auditing has historically been synonymous with the performance of financial audits, which seek to ensure an organization is using generally accepted accounting procedures (GAAP) to create and manage financial information through the review of financial statements. Businesses also recognize the need for other types of auditing that look beyond ledgers and balance sheets with respect to legal compliance, IT security, environmental, operational and performance oversight objectives:
Compliance Audits are used to evaluate an organization's compliance with applicable laws, regulations, policies and procedures. Legal and policy requirements may be created by federal or state statute. An organization's management or board of directors can also create compliance requirements internally.
Environmental Audits identify the impact of a company's activities on the environment and determine whether the company is complying with environmental laws and regulations.
Information Technology Audits evaluate information management systems and computer databases to ensure that confidential customer information and proprietary intellectual property is secure. Information technology audits ensure that only authorized users are able to gain access to privileged information and that the information itself is accurate.
Performance Audits assess whether an organization is meeting the goals and objectives set forth by the board of directors. If the organization is not meeting its stated goals, the internal auditor will identify process shortfalls and make suggestions for improvement to the board of directors.
Operational Audits assess the overall efficiency and reliability of an organization's control mechanisms. An essential component of operational auditing is the objective review of the way an organization allocates resources. If resources are not being used efficiently, the internal auditor will report these findings along with recommendations on how to reduce wasteful or inefficient resource allocation.
The Securities and Exchange Commission (SEC) requires all publicly traded companies to conduct internal audits on a periodic basis. The New York Stock Exchange (NYSE) has also reiterated this requirement in their Listed Company Manual, which states that any company that offers to sell shares to the general public must conduct regular audits and assessments of their internal controls.
Most closely held companies and small businesses are not required by law to conduct audits within their businesses; however, many private companies elect to employ auditors in an effort to improve their business processes and procedures.
Many government agencies and nonprofit organizations also employ auditors to monitor financial activities and eliminate wasteful spending. The General Accounting Office and the Defense Contract Audit Agency are two of the federal government's internal auditing departments responsible for ensuring that resources are used efficiently within the administrative and legislative branches of government.
Most business organizations are set up with a three-tiered oversight structure:
The main goal of the internal auditing department of any organization is to gather information that can be analyzed and converted into valuable insights into how the company can be run more efficiently. There are four common techniques that are used in the practice of internal auditing to achieve this end:
Collectively, the four techniques that make up the internal auditing process allow auditors to collect information and evidence, analyze the collected data and report back to the board of directors with suggestions for improvement if necessary.
In the course of bridging the gap between the board of directors and the corporate management team, internal auditors are called upon to use their professional judgment to determine the standards by which business activities are measured. This involves:
Arguably, one of the most important aspects of an internal auditor's job is the ability to perform an objective evaluation of a company's activities. If company politics prevent the internal auditing department from performing its job as intended, the company will not receive the benefits that are associated with an honest internal audit such as increased efficiency and productivity, decreased waste, financial savings and legal compliance.
Corporations can promote objective auditing by employing auditors that do not serve in any other capacity within the organization. The Institute of Internal Auditors recommends in Section 1100 of the IIA "Guidance and Standards" manual that internal auditors report to a single committee or board member who has oversight authority over the internal auditing department in order to maintain independence and objectivity. Auditors who fill other roles within the organization may have a harder time performing objective audits since their findings may impact other groups, individuals or managers who have seniority or authority over them.
Although laws are in place requiring companies to conduct ongoing audits of their operations, qualification and practice standards for auditing professionals are unregulated by state and federal licensing departments. That is to say that auditors do not need to take specific courses or register with a governing body. State and federal licensing departments are responsible for establishing and maintaining practice standards in regulated professions such as certified public accounting; however, in keeping with the independent nature of the private sector, which makes use of internal auditing services, standards are maintained by non-governmental professional collectives.
The Institute of Internal Auditors (IIA) is the foremost independent regulatory body of the internal auditing profession. While it is not mandatory that internal auditors join the IIA, membership in this internationally recognized professional association offers opportunities for continued professional development and certification designations. All members of the IIA are bound by the Institute's Code of Ethics and Professional Standards.
In addition to the IIA's requirements, all internal auditors are bound by the standards contained in procedure manuals that are developed and published by the individual companies that the auditors work for. These standards may vary from business to business. Some smaller businesses may not have established internal standards and procedures in place prior to bringing an internal auditor on board. In such cases, the auditor will need to work closely with management and the owners of the business to refine controls and develop internal auditing procedures.
Internal auditors often have professional and educational backgrounds in accounting, finance, behavioral science, communications, computer systems management, economics and law. Internal auditors are well versed in quantitative methods, statistical sampling and business processes. Their backgrounds can play a major role in their understanding of a particular business niche, as understanding the overarching business being evaluated is vitally important to the performance of successful internal auditing. For this reason individuals who have served in different capacities within business will be better suited to identify the objectives and challenges that are associated with the internal auditing process.
Although internal auditors generally hold baccalaureate or graduate degrees, they haven't all participated in a rigid course of study exclusively in the area of auditing. Diverse coursework and professional experiences only help to provide a better understanding of how the auditing teams fit into the corporate structure.
According to the United States Department of Labor, Bureau of Labor Statistics, most jobs in the area of internal auditing require at least a bachelor's degree; however, individuals seeking employment in this field have several degree options that include:
Students interested in working in the area of internal auditing will select elective courses in:
Are you an accountant intested in auditing? Click here to learn more about Accounting vs. Auditing.
Established in 1972, the Institute of Internal Auditors (IIA) is the oldest and best recognized certifying agency in the accountancy area of internal auditing. In order to be eligible for the Certified Internal Auditor (CIA) designation, candidates must meet the following requirements:
If applicants meet the eligibility criteria, they will be required to pass a written exam before receiving their certification. The internal auditing exam consists of four main topics that include: general principles of accounting, internal auditing techniques and principles of management.
The IIA also offers specialty certification including:
Still have questions about what auditing is? Find out more here.