Internal audit roles and responsibilities
A baseline definition of internal auditing provides a starting point for understanding the roles and responsibilities of internal audit function. The Institute of Internal Auditors ("IIA") offers the following description:
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
Major roles and responsibilities of internal audit function are summarised as below:
- evaluates and provides reasonable assurance that risk management, control, and governance systems are functioning as intended and will enable the organisation's objectives and goals to be met
- reports risk management issues and internal controls deficiencies identified directly to the audit committee and provides recommendations for improving the organisation's operations, in terms of both efficient and effective performance
- evaluates information security and associated risk exposures
- evaluates regulatory compliance program with consultation from legal counsel
- evaluates the organisation's readiness in case of business interruption
- maintains open communication with management and the audit committee
- teams with other internal and external resources as appropriate
- engages in continuous education and staff development
- provides support to the company's anti-fraud programs.
Reporting Structure of Internal Audit Function
Existing corporate governance regulations do not address the interaction between the audit committee and the internal audit function, or the responsibilities of the function.
In most companies, the internal auditor traditionally reported to either the Chief Financial Officer or the Chief Risk Officer, though other may have existed in some companies. Today, the internal auditor may either report directly to the Audit Committee, or the Audit Committee will have a role in hiring, firing, evaluating and compensating the Chief Audit Officer. The Audit Committee’s increasing role with regard to the internal audit is being undertaken to help ensure the internal auditor’s "independence" and objectivity.
The relationship between the Audit Committee and the internal audit function should be clearly defined and addressed in the Audit Committee’s charter.
Authoritative Guidance
The Institute of Internal Auditors ("IIA"):
Organizational Governance - Guidance for Internal Auditors
By providing assurance on the risk management, control, and governance processes within an organisation, internal auditing is one of the key cornerstones of effective organisational governance. The guidance was issued by IIA and it was designed to help internal auditing in its assurance and advisory role with regard to specific aspects of organisational governance. This guidance is available at http://www.theiia.org/ under the "Professional Guidance / Standards and Practices / Position Papers & Responses / View Position Papers" section.
The Institute of Internal Auditors ("IIA"):
Internal Audit Reporting Relationships – Serving Two Masters
This report is based on research developed under the leadership of The IIA Research Foundation and the Research Department of The Institute of Internal Auditors. It reviews the reporting relationships of the chief audit executive as an integral part of the governance process. This report is available at http://www.theiia.org/ under the "Research Foundation / Research Reports / Chronological Listing Research Reports" section.
The Institute of Internal Auditors ("IIA"):
Sample Internal Audit Department Charter
The purpose, authority, and responsibility of the internal audit activity should be defined in a charter. A sample of Internal Audit Department Charter is available at http://www.theiia.org/ under the "Professional Guidance / Standards and Practices / Additional Resources / Audit Committees & Board of Directors / Sample Charters" section.
Learn more
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/cn/en/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
