In the days following the collapse of Lehman Brothers and Bear Stearns, the one thing financial examiners seemed to agree on was that the cause was, at least in part, a failure to implement or respond to proper internal auditing practices. Although what’s come to light reveals a much more complex and systemic series of failures, it’s clear that if the basic tenets of internal auditing had been put into practice and internal controls respected, the firms would not have exposed themselves to such unreasonable risk.
The Institute of Internal Auditors (IIA) is the foremost international professional association for internal auditing. The IIA’s globally accepted definition of internal auditing states that:
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
In simplest terms, the duties of an internal auditor are to:
- Objectively review an organization’s business processes
- Evaluate the efficacy of risk management procedures that are currently in place
- Protect against fraud and theft of the organization’s assets
- Ensure that the organization is complying with relevant laws and statutes
- Make recommendations on how to improve internal controls and governance processes
Although several major congressional acts became law following the 1929 stock market crash – the Securities Act of 1933, The Trust Indenture Act of 1939, The Investment Company Act of 1940, and The Investment Advisers Act of 1940 – there are two that have come to define the role of internal auditing within a legal framework: the Securities Exchange Act of 1934 and the Sarbanes-Oxley Act of 2002. More recently, the Dodd-Frank Wall Street Reform and Consumer Protection Act has specifically targeted practices within the financial service sector.
The Dodd-Frank Wall Street Reform and Consumer Protection Act. Dodd-Frank seeks to stabilize the U.S. economy by improving transparency and accountability within the financial service sector. Its objective is to prevent the possibility of an undue financial burden being placed on taxpayers by ending bailouts and doing away with the ‘too big to fail’ mentality. The implementation of this act into law saw the creation of two new federal oversight agencies: The Financial Stability Oversight Council and The Office of Financial Research. As this sweeping legislative reform is being put into effect, internal auditors are paying close attention to how this will affect the work they perform.
Although there is some uncertainty in its early stages, there are some things that are known to affect internal auditing practices:
- Internal auditors that report questionable conduct will be protected from retributive termination
- There will be an increased occurrence of risk auditing
- Internal auditors will adapt to new reporting mechanisms and audit systems
- Internal auditors will adapt to new internal controls within organizations
- Internal auditors will work with new mandatory internal risk committees
The Securities Exchange Act of 1934 was one of the first modern pieces of federal legislation that sought to regulate the financial markets in the United States. The Act accomplished this goal by establishing a centralized regulatory agency, the Securities and Exchange Commission (SEC). The Act also set forth several mandatory audit requirements in Section 10A for publicly traded companies. Some of the highlights of Section 10A include:
- The creation of auditing procedures that are designed to detect illegal activities that may have a direct effect on the determination of accurate financial statement amounts
- The creation of procedures designed to identify related-party transactions that may have a material effect on the company’s financial statements
- An evaluation regarding the financial ability of an issuer of stock to continue offering securities for the upcoming year
- Required reporting of illegal activities to company management, the audit committee and the board of directors
- Refraining from engaging in prohibited activities that may result in a conflict of interest
The Sarbanes-Oxley Act of 2002 was passed in an effort to increase reporting and oversight standards for publicly traded companies following Enron and WorldCom’s high-profile corporate accounting scandals. In an effort to implement the new standards for integrated audits, the SEC set up the Public Company Accounting Oversight Board (PCAOB) to oversee, inspect and discipline companies that are required to comply with the provisions of the law. Some of the main highlights of the Act include:
- Mandatory financial auditing on a periodic basis
- Certification of financial reports by company officers that reports do not contain false or misleading information
- Required periodic evaluations and reports regarding the efficacy of internal control procedures and a list of any deficiencies in the current procedures
- Required reports regarding any significant changes in internal auditing or control procedures that could potentially expose the company to additional risk
- Criminal sanctions for failing to comply with the requirements of the Act
Types of Internal Audits
Internal auditing has historically been synonymous with the performance of financial auditing, which seeks to ensure an organization is using generally accepted accounting procedures (GAAP) to create and manage financial information through the review of financial statements. Businesses also recognize the need for other types of auditing that look beyond ledgers and balance sheets with respect to legal compliance, IT security, environmental, operational and performance oversight objectives:
Compliance Audits are used to evaluate an organization’s compliance with applicable laws, regulations, policies and procedures. Legal and policy requirements may be created by federal or state statute. An organization’s management or board of directors can also create compliance requirements internally.
Environmental Audits identify the impact of a company’s activities on the environment and determine whether the company is complying with environmental laws and regulations.
Information Technology Audits evaluate information management systems and computer databases to ensure that confidential customer information and proprietary intellectual property are secure. Information technology audits ensure that only authorized users are able to gain access to privileged information and that the information itself is accurate.
Performance Audits assess whether an organization is meeting the goals and objectives set forth by the board of directors. If the organization is not meeting its stated goals, the internal auditor will identify process shortfalls and make suggestions for improvement to the board of directors.
Operational Audits assess the overall efficiency and reliability of an organization’s control mechanisms. An essential component of operational auditing is the objective review of the way an organization allocates resources. If resources are not being used efficiently, the internal auditor will report these findings along with recommendations on how to reduce wasteful or inefficient resource allocation.
Who Uses Internal Auditing Procedures?
The Securities and Exchange Commission (SEC) requires all publicly traded companies to conduct internal audits on a periodic basis. The New York Stock Exchange (NYSE) has also reiterated this requirement in their Listed Company Manual, which states that any company that offers to sell shares to the general public must conduct regular audits and assessments of their internal controls.
Most closely held companies and small businesses are not required by law to conduct audits within their businesses; however, many private companies elect to employ auditors in an effort to improve their business processes and procedures.
Many government agencies and nonprofit organizations also employ auditors to monitor financial activities and eliminate wasteful spending. The General Accounting Office and the Defense Contract Audit Agency are two of the federal government’s internal auditing departments responsible for ensuring that resources are used efficiently within the administrative and legislative branches of government.
The Relationship Between Internal Auditors and Other Segments of the Organization
Most business organizations are set up with a three-tiered oversight structure:
- The board of directors is responsible for making major decisions on behalf of the business such as establishing corporate policies and procedures, enacting mergers and taking steps to expand business operations.
- The internal auditing department, consisting of financial controllers led by a chief audit executive (CAE), acts as the bridge between the board and the managers. They essentially assess whether the board’s directives and policies are compliant with the law and whether they increase the overall efficiency and productivity of the business. If the board’s directives are inefficient or are not being implemented by the management staff, the internal auditor has a duty to report back to the board with his findings and recommendations.
- Various levels of management are responsible for carrying out the directions and policies that are determined by the board of directors, as well as making day-to-day decisions regarding how the business is run.
The Scope of the Internal Auditor’s Job
The main goal of the internal auditing department of any organization is to gather information that can be analyzed and converted into valuable insights into how the company can be run more efficiently. There are four common techniques that are used in the practice of internal auditing to achieve this end:
- Observing the target business environment
- Inspecting the specific risk management, financial reporting and productivity strategies that are currently in place
- Inquiring or asking questions of management personnel related to the effectiveness of the current internal controls
- Confirming whether the goals and objectives of the business are being met
Collectively, the four techniques that make up the internal auditing process allow auditors to collect information and evidence, analyze the collected data and report back to the board of directors with suggestions for improvement if necessary.
In the course of bridging the gap between the board of directors and the corporate management team, internal auditors are called upon to use their professional judgment to determine the standards by which business activities are measured. This involves:
- Conducting special studies
- Analyzing business policies, processes and procedures
- Defining audit objectives
- Deciding the nature and extent of the audit procedure
- Stating final opinions and conclusions
- Reporting and distributing findings to the board and management
Arguably, one of the most important aspects of an internal auditor’s job is the ability to perform an objective evaluation of a company’s activities. If company politics prevent the internal auditing department from performing its job as intended, the company will not receive the benefits that are associated with an honest internal audit such as increased efficiency and productivity, decreased waste, financial savings and legal compliance.
Corporations can promote objective auditing by employing auditors that do not serve in any other capacity within the organization. The Institute of Internal Auditors recommends in Section 1100 of the IIA “Guidance and Standards” manual that internal auditors report to a single committee or board member who has oversight authority over the internal auditing department in order to maintain independence and objectivity. Auditors who fill other roles within the organization may have a harder time performing objective audits since their findings may impact other groups, individuals or managers who have seniority or authority over them.
Internal Auditing Practice Standards
Although laws are in place requiring companies to conduct ongoing audits of their operations, qualification and practice standards for auditing professionals are unregulated by state and federal licensing departments. That is to say that auditors do not need to take specific courses or register with a governing body. State and federal licensing departments are responsible for establishing and maintaining practice standards in regulated professions such as certified public accounting; however, in keeping with the independent nature of the private sector, which makes use of internal auditing services, standards are maintained by non-governmental professional collectives.
The Institute of Internal Auditors (IIA) is the foremost independent regulatory body of the internal auditing profession. While it is not mandatory that internal auditors join the IIA, membership in this internationally recognized professional association offers opportunities for continued professional development and certification designations. All members of the IIA are bound by the Institute’s Code of Ethics and Professional Standards.
In addition to the IIA’s requirements, all internal auditors are bound by the standards contained in procedure manuals that are developed and published by the individual companies that the auditors work for. These standards may vary from business to business. Some smaller businesses may not have established internal standards and procedures in place prior to bringing an internal auditor on board. In such cases, the auditor will need to work closely with management and the owners of the business to refine controls and develop internal auditing procedures.
Internal Auditing Education and Degree Options
Internal auditors often have professional and educational backgrounds in accounting, finance, behavioral science, communications, computer systems management, economics and law. Internal auditors are well versed in quantitative methods, statistical sampling and business processes. Their backgrounds can play a major role in their understanding of a particular business niche, as understanding the overarching business being evaluated is vitally important to the performance of successful internal auditing. For this reason, individuals who have served in different capacities within business will be better suited to identify the objectives and challenges that are associated with the internal auditing process.
Although internal auditors generally hold baccalaureate or graduate degrees, they haven’t all participated in a rigid course of study exclusively in the area of auditing. Diverse coursework and professional experiences only help to provide a better understanding of how the auditing teams fit into the corporate structure.
According to the United States Department of Labor, Bureau of Labor Statistics, most jobs in the area of internal auditing require at least a bachelor’s degree; however, individuals seeking employment in this field have several degree options that include:
- Bachelor’s degree with a focus in the area of private sector accounting and internal auditing
- Bachelor’s degree in business, accounting or a related field with a minor concentration in internal auditing
- Master of Science in Accounting
- Master of Business Administration degree with a specialization in internal auditing
- Graduate-level certificate in internal auditing to complement related degrees
Students interested in working in the area of internal auditing will select elective courses in:
- Federal and state corporate income tax
- Business law
- Business Management
- Statistics and Quantitative Methods
- Accounting Principles
- Financial Management and Auditing
Internal Auditing Certification
Established in 1972, the Institute of Internal Auditors (IIA) is the oldest and best recognized certifying agency in the accountancy area of internal auditing. In order to be eligible for the Certified Internal Auditor (CIA) designation, candidates must meet the following requirements:
- Hold a bachelor’s degree from an accredited college or university
- Obtain a minimum of 24 months of internal auditing work experience (individuals with Master’s degrees must have 12 months of work experience)
- Submit a character reference from another certified internal auditor or supervisor
- Agree to uphold the Certified Internal Auditor Code of Ethics.
If applicants meet the eligibility criteria, they will be required to pass a written exam before receiving their certification. The internal auditing exam consists of four main topics that include: general principles of accounting, internal auditing techniques and principles of management.
The IIA also offers specialty certifications, including:
- Certified Financial Services Auditor (CFSA), which offers three exam options based on a candidate’s industry: banking, insurance, or securities
- Certification in Control Self-Assessment (CCSA) is specific to auditors who specialize in control self-assessment (CSA) within their organization
- Certified Government Auditing Professional (CGAP) is a public-sector designation for those who work with fund accounts and grants.