The role of an internal auditor is to carry out an independent appraisal of how a company operates, its processes, and the risks that may affect the company.  Internal audits evaluate a company’s internal controls, including its corporate governance and its accounting processes. 

These audits check for compliance with laws and regulations and identify problems before they are discovered during an external audit.  

The Increasing Importance of Internal Audits

Internal audits became increasingly important with the passing of the Sarbanes-Oxley Act of 2002 (SOX), which holds management legally responsible for the accuracy of a company’s financial statements.  One specific outcome of SOX was that a company’s internal controls must be documented and reviewed as part of its external audit.  These controls are policies and procedures that ensure the integrity of the financial and accounting information of a company, promote accountability and help prevent fraud.  An internal audit serves to identify any shortcomings in the company’s internal controls.  These audits provide a degree of risk management and identify and help protect against potential fraud, waste or abuse.

Internal Audit v. External Audit

There are several key differences between an internal audit and an external audit.  

• Internal auditors are employed by the company they are auditing.  They have an in-depth understanding of the company’s culture, operations, strategies and risks.  An external auditor only has an in-depth understanding of a company’s operations as needed to form the audit opinion.  

• Internal auditors are responsible for providing assurance and advice to the Board of Directors and senior management so that the company can improve its state of governance, risk management and internal controls within the company.  External auditors are mandated to provide assurance to external stakeholders on the accuracy of a company’s reports and compliance with laws and regulations.

• External auditors must maintain independence from the client in accordance with the AICPA Code of Professional Conduct. Internal auditors must also maintain independence, but not in accordance with the AICPA Code of Professional Conduct.

• Often internal audit services are continuous within a company and cover many areas and operations.  An external audit usually follows a routine schedule, often annually.

The Key Functions of an Internal Audit

There are six key functions of an internal audit:

1. Dealing with risk - internal auditors have a responsibility to help identify and understand risk areas, specifically high-risk areas, and ensure that the controls established by the company are performing as intended.

2. Reporting on the company’s operations - internal auditors often discover areas for increased efficiency and can assist in identifying ways for a company to run more effectively.

3. Uncovering fraud - often an internal audit can identify potentially fraudulent behaviors before they have a chance to impact the company financially.

4. Identifying and preventing crisis and emergencies - internal auditors are often able to identify situations that could have a significant negative effect on a company.  This identification may be completed early enough that the negative effect can be minimized

5. Creating and ensuring the appropriate controls are in place - along with key function number one, testing the controls established by the company is critical for an internal audit to be effective.

6. Making recommendations for the future - internal audits are invaluable to a company when planning for the future, including preparing for future external audits.  Often an internal audit can identify an area of weakness that can be addressed before the start of an external audit.