According to the Institute of Internal Auditors, internal audit refers to the independent assurance and consultation activity that is designed to improve the organisation’s objectives (Cascarino & Van Esch 2007, p. 130). Internal audit helps organisations realise their set objectives. It is also useful in helping companies enhance risk management initiatives, governance and control processes. Moreover, it is perceived as a self-governing and objective focus as well as consulting initiative that aims for value addition and promotion of the operations of the organisation. Apparently, the objective of internal audit activities is to assess the potentiality of the organisation’s risk management network and governance. Furthermore, it helps control initiatives to allow the company effectively function in risk identification and management. What is more, internal audit helps organisations to attain their objectives and adhere to organisational policies. The current management climate is dynamic, thereby requesting regular improvements by organisations if they propose to proceed with their pursuit of stable corporate governance. Currently, economic and financial markets face threats resulting from ineffective and inadequate risk management. Therefore, internal audit helps to identify, curb, and manage risks that can prevent the success of the organisation (Moeller 2008, p. 317).
Internal audit processes are successfully undertaken with cooperation between internal auditors and the management as they review systems and operations (Moeller 2008, p. 315). In fact, the reviews are important as they help organisations assess whether they have appropriate processes in place and if they are working in line with the acceptable procedures. While conducting the assessment of the organisation’s risk management initiatives, internal auditing helps companies identify specific areas that require efficiencies and innovations (Pickett 2013, p. 317). It must also be perceived as an ongoing program that involves auditing and provision of advice in line with the organisation’s strategic needs. With regard to cooperation between internal auditors and the management, it is essential as the auditing process covers all sections of the organisation. For example, the review process extends to tangible operational issues like the supply chain of the company and the intangible elements like the organisational ethics and culture. Thus, this extensive scope of the auditing process justifies that the initiative does not focus solely on the organisation’s financial control and IT.
There is a collective requirement by the International Professional Practices Framework (IPPF) and standards of the Institute of Internal Auditors (IIA) that request that the management of every organisation set their risk management target. Cascarino and Van Esch (2007, p. 127) emphasize that the management is expected to initiate risk management processes and be in the forefront in making decisions about risk responses. Therefore, internal audit helps organisations to systematically apply discipline while assessing and enhancing effectiveness of control, risk management and governance initiatives. It is worth noting that the functions of internal audit do not hinder the ministry management from executing its mandates. The ministry management retains its duty to create and strengthen an effective environment for internal control. Thus, it plans, organises and directs the duties of adequate controls to offer appreciable assurance concerning the attainment of governmental goals and objectives. The objectives should be achieved in an efficient, economical and effective way.
Organisations have to establish an internal audit committee to show their compliance with the Sarbanes-Oxley Act of 2002 (Cascarino & Van Esch 2007, p. 130). The Sarbanes-Oxley Act of 2002 is a federal law that was passed as a result of great accounting and corporate scandals. Apparently, some of the scandals that necessitated the Act include the Enron scandal and the Tyco international scandal. The scandals of such magnitude affected the field of accounting; as a result, they reduced public trust in accounting and reporting, thereby necessitating the intervention of the government to make essential reforms. From the time when the Act was passed, its application became mandatory in the field of accounting. Hereby, all companies, irrespective of their size, were required to adhere to the Act. The need to establish an audit committee is stipulated in the Act’s corporate responsibility section. According to it, the audit committee should be solely composed of independent members. Moreover, the Act requires organisations to declare whether the audit committee has a minimum of one financial expert. After its establishment, the audit committee is mandated to hire internal auditors and oversee the auditing process. Apparently, the committee provides the link between internal auditors and the management. Furthermore, the Act gives the corporate officials a responsibility to justify their auditing process (Swinkels 2012, p. 123). The officials like the CEO and the CFO are charged with the responsibility to sign financial reports as a proof that they reviewed them. The signatures justify that the corporate officials are convinced that the reports are fairly documented in line with the generally accepted accounting principles (GAAP).
Proficiency of internal auditors is based on possession of skills and knowledge that are necessary for them to perform their responsibilities. In fact, knowledge should enable internal editors to identify the signs of fraud. Consequently, knowledge and experience of internal auditors is considered as an asset to an organisation.
A professional of internal audit emphasizes the need for organisations to acknowledge that effective internal audit processes relate to the organisation’s success (Swinkels 2012, p. 133). The reason is that the audit helps companies to meet their objectives and to evaluate whether the audit control system operates as expected. In addition, successful internal audit reflects the success of individual auditors within the organisation. It is also noted that strengthening the internal audit process helps organisations to ensure that the procedures and activities are appropriate. Therefore, the proficiency of internal audit is regarded as a vital characteristic of effective internal audit functioning and the way it facilitates internal control.
The measure of effectiveness of internal audit is based on the ability of the department to report important findings and provide recommendations. Apparently, the recommendations are derived from the findings, and they help organisations to improve their risk management initiatives. If the internal audit department fails to give its auditing results and recommendations, it becomes hard for it to foster good governance within the organisation. Thus, to attain the required standards of effectiveness, internal auditors should demonstrate that they have some distinct technical skills. Due to the changes that take place in the business environment, internal auditors are expected to demonstrate continual professional development so that they remain relevant in the audit process.
Schartmann and the European Confederation of Institutes of Internal Auditing (2007, p. 43) note that the proficient internal audit helps organisational governance and the management to be assured of the effectiveness of the risk management framework. It warns that any failure with regard to the appointment of an internal audit committee can expose the organisation to a crisis, as it presents challenges with regard to risk identification and management. The internal audit function is essential as it is utilised in corporate governance and makes reliable financial reporting. The current guidelines of corporate governance are based on the understanding that risks can be identified in good time, then measured and even managed. The function is only actualized by the internal auditors who possess the skills and relevant experience for it. Internal auditors can also enhance their professionalism and competence by having adequate knowledge of the internal control system. The knowledge serves as a source of power that enhances the level of competence of the auditors as they operate within their organisations. Companies can assess their level of exposure to risks and realise the need for extensive internal audit.
On the other hand, an internal audit assignment is undertaken through seven basic steps. The steps are meant to be procedurally undertaken for a desirable result to be derived. The first step of an internal audit assignment is the establishment and explanation of the objectives and scope for the audit (Swinkels 2012, p. 129). It is essential for internal auditors to know the goal of their auditing work so as to get a guideline in the audit function. As it was mentioned earlier, effective internal audit should attain its objectives. It should present results obtained in the process of auditing and give viable recommendations that can facilitate effective risk management.
The second step involves the development of a clear understanding of the organisational area to be reviewed. Internal auditors spend enough time to examine documents derived from the target area or department and conduct interviews with relevant authorities in the area. Moreover, internal auditors investigate the area’s main types of transaction and scrutinize its objective measurements. The third step involves the description of the main risks that challenge the business activities within the limits set for the review. Phillips (2009, p.4) notes that the possession of a prior knowledge of the potential risks aids the auditors in focusing their review to assess the level of organisational vulnerability to the risks.
The fourth step involves the identification of management activities in the control components so as to take control of all risks and adequately manage them. Internal auditors can enhance efficiency at this stage by creating an audit checklist (Swinkels 2012, p. 134). In fact, the checklist can be used to identify the risks that are often encountered and the necessary controls that need to be taken to curb the implications of the risks within the area being audited. Afterwards, auditing reaches the fifth stage which concerns the establishment and implementation of a risk-oriented sampling and testing to check if the vital management controls are operating as required. After the fifth stage, internal auditors present reports on the challenges that they identified during the auditing process and discuss appropriate action plans that should be taken by the management to respond to the identified problems. The final stage includes making a follow-up on the findings that were presented in the report. The internal audit department conducts a follow-up after appropriate intervals using a database that is established and maintained for that purpose.
The end of the internal auditing process is marked by the submission of a report. The report is considered an instrumental document that helps an organisation to know the areas of weakness, the risks that have been identified and the recommendations on how to address the challenges. In the report, there are audit findings that are identified in five elements referred to as the “5C’s’ (Swinkels 2012, p. 131), and they include condition, the specific problem identified criteria, the standard that was obtained, cause, consequence and the corrective action.
The internal audit function is measured by the application of a balanced scorecard approach (Phillips 2009, p.4). The evaluation of the internal audit function is done with reference to the quality of the counsel and recommendations that the internal auditors provide to the management and the organisation’s auditing committee. The quality of the information and the recommendations that are given to the auditing committee are often difficult to measure because they are often qualitative. A customer survey that is given to the managers at the end of each audit process can be applied in measuring the audit process. The surveys often use dimensions like the level of work timeliness, the quality of counsel, utility of meetings and professionalism among others. To develop a performance measurement process, it is important to know the expectations of the audit committee and the management.
The work has demonstrated the need for internal audit in any organisation. It is worth noting that as a result of serious accounting and corporate scandals, such powerful laws as the Sarbanes-Oxley Act of 2002 were passed. It is beneficial to organisations to establish internal committees that can help them conduct the assessment of risks and initiate appropriate measures to manage them. Companies should also constitute their internal audit committee that aids in hiring at least one professional auditor to work alongside other internal auditors. With regard to the tasks involved, it is also necessary for the auditors to have adequate knowledge in auditing, since it will enable them to identify the signs of fraud and give recommendations on how to avoid possible risks. Internal audit gives independent assurance and a consultation service to an organisation to increase its chances of achieving its objectives. For efficiency, they can incorporate a balanced scorecard to evaluate the internal audit function based on the quality of the counsel and information given to the auditing committee and the management.