What Is an Internal Audit?
Internal audits evaluate a company’s internal controls, including its corporate governance and accounting processes. These types of audits ensure compliance with laws and regulations and help to maintain accurate and timely financial reporting and data collection. Internal auditors are hired by companies and work on behalf of their management teams. These audits also provide management with the tools necessary to attain operational efficiency by identifying problems and correcting lapses before they are discovered in an external audit.
KEY TAKEAWAYS
- An internal audit offers risk management and
evaluates the effectiveness of many different aspects of the company.
- Types of internal audits include financial,
operational, compliance, environmental, IT, or for a very specific
purpose.
- Internal audits provide management and the board
of directors with a value-added service where flaws in a process may be
caught and corrected prior to external audits.
- Similar to external audits, internal audits are
conducted through planning, auditing, reporting, and monitoring steps.
- Internal audits may enhance the efficiency of
operations, motivate employees to adhere to company policy, and allow
management to explore specific areas of its operations.
Understanding Internal Audits
Internal audits play a critical role
in a company’s operations and corporate governance, especially now that
the Sarbanes-Oxley Act of 2002 holds managers
legally responsible for the accuracy of their company's financial statements.
SOX also required that a company's internal controls be documented and reviewed
as part of its external audit.
In addition to ensuring that a company
complies with laws and regulations, internal audits also provide a degree
of risk management and safeguard
against potential fraud, waste, or
abuse. The results of internal audits provide management with suggestions for
improvements to current processes not functioning as intended, which may
include information technology systems as well as supply-chain management.
Internal audits may take place on a
daily, weekly, monthly, or annual basis. Some departments may be audited more
frequently than others. For example, a manufacturing process may be audited on
a daily basis for quality control, while the human resources department might only be
audited once a year.
Important: Audits may be scheduled, to give
managers time to gather and prepare the required documents and information, or
they may be a surprise, especially if unethical or illegal activity is
suspected.
Types of Internal Audits
Compliance Audit
A company may be required to adhere to
local laws, compliance needs, government
regulations, external policies, or other
restrictions. To demonstrate compliance with these rules, a company may task an
internal audit committee to review, compile appropriate information, and
provide an overall opinion on the status of the compliance requirement.
Internal Financial Audit
Public companies are required to perform certain levels of external
financial auditing where a completely independent third party provides an
opinion on the company's financial records. Companies may want to dive further
into audit findings or perform an internal financial audit in preparation for
an external audit. Many of the tests performed by an internal and an external
auditor may be similar; independence is what separates the two types of
financial audits.
Environmental Audit
As companies become continually more
environmentally conscious, some take the steps of reviewing the business'
impact on the planet. This results in an internal audit covering how a company
safely sources raw materials, minimizes greenhouse gases during production,
utilizes eco-friendly distribution methods, and reduces energy consumption.
Companies leveraging triple bottom
line reporting may perform internal
environmental audits as part of annual reporting.
Technology/IT Audit
An IT audit may have different
objectives. The internal audit may be the result of an external lawsuit, a
company complaint, or a target to become more efficient. An internal audit
focused on technology reviews the controls, hardware, software, security,
documentation, and backup/recovery of systems. The goal is likely to assess
general IT accuracy and processing capabilities.
Performance Audit
An internal audit focused on
performance pays less attention to the processes and more to the final result.
The company will likely have set performance objectives or metrics that
may be tied to performance bonuses or other incentives. As a result, an
internal auditor assesses the outcome of an objective that may not be easily
quantifiable.
For example, a company may wish to
have expanded its use of diverse suppliers; the internal auditor, independent of any purchasing
process, will be tasked with analyzing how the company's spending patterns have
changed since this goal was set.
Operational Audit
An operational audit is most likely to
occur when key personnel leave or when new management takes over an entity.
The company may want to assess how things are done and whether resources are
being used more efficiently. During an operational internal audit, the auditor
will review whether current staff and processes fulfil the mission statement,
value, and objectives of a company.
Construction Audit
Development, operating, real estate,
or construction companies may perform construction audits to ensure not only
appropriate physical development of a building but appropriate project billing
along the life of the project. This mostly includes adherence to contract terms
with the general contractor, sub-contractors, or standalone vendors as
necessary.
This may also include ensuring the
company has remitted the appropriate payments, collected the appropriate payments,
and that internal project reports regarding project completion are correct.
Special Investigations
Many of the audits above may be
recurring and performed each year. In some cases, it might make sense for an
internal audit committee to evaluate a special circumstance that will occur
only once. This may entail gathering a report on the efficiency of a recent
merger, the hiring of a key employee, or a complaint from staff. When selecting
the individuals for the special investigation audit, a company must be
especially mindful to select members with appropriate expertise and
independence.
FAST FACT: Depending on the structure of the organization, the
internal audit may be prepared by the board of directors or by upper management.
Internal Audit vs. External Audit
Internal and external audits have the
same objective. Both types of audits analyze an aspect of a company to
determine a specific opinion. However, there are many differences between the
two types of audits.
In an internal audit, the company is
often able to select its own audit team. As such, the team represents the
interests of the company's management team. This may be advantageous to
specifically place certain employees with very niche experience on the team. In
an external audit, the company can often select the external audit firm;
however, the company often does not have a say in the specific employees put on
their external audit.
There may be some requirements regarding the external audit staff depending on the audit. For example, in an external financial audit, a Certified Public Accountant (CPA) must certify the financial statements. In an internal audit, there is no requirement that any member of the audit team must be a CPA. (U.S. Securities and Exchange Commission. "All About Auditors: What Investors Need to Know.")
The end goal of either audit is an
audit report; however, audit reports are used for very different reasons. An
internal audit report is usually used by internal management to improve the operations, processes, or policies of the company. An external audit report is often
required for an outside reason and is more often used by members outside of the
company.
Finally, the nature of the engagement
will be very different. During an internal audit, the employees of a company
may often freely give advice, discuss unrelated matters with the company, or
may have a very fluid consulting agreement. During an external audit, a very
defined scope is often set, and the external auditor will often take great care
to ensure they do not exceed their audit boundaries.
Internal Audits
- A company is usually able to select its own
internal audit lead and team members
- Members of the audit team often do not need to
have specific titles or licenses
- Audit reports are primarily used by internal
management to improve company operations
- Internal audits may be less formal with blurred
structure as the auditor provides casual guidance
External Audits
- A company or board can usually pick the audit firm
but not audit team members
- Members of the audit team may be required to hold
specific titles or licenses as part of the audit agreement
- Audit reports are primarily used by external
parties to satisfy a reporting requirement
- External audits are often more formal with defined
boundaries and disallowed services
Internal Audit Process
Internal auditors generally identify a department, gather an
understanding of the current internal control process, conduct fieldwork
testing, follow up with department staff about identified issues, prepare an
official audit report, review the audit report with management, and follow up
with management and the board
of directors as needed to ensure
recommendations have been implemented.
Step 1: Planning
Before any audit procedures are
performed, the internal auditors often start by developing the audit plan.
This sets the audit requirements, objectives, timeline, schedule, and
responsibilities across audit team members. The auditors may review prior audits
to understand management expectations for presentation and data collection.
The audit plan often has a checklist
to ensure members of the team adhere to broad expectations. The internal audit
team may also preemptively plan to meet with management throughout the audit to
communicate the status and any struggles of the audit. The planning stage often
ends with a kick-off meeting that launches the audit and communicates the
initial information needed.
Step 2: Auditing
Many of the auditing procedures used
by internal auditors are the same as those used by external auditors. Some companies might
use continuous audits to ensure ongoing oversight of company practices.
Assessment techniques ensure an internal auditor gathers a full understanding
of the internal control procedures and whether employees are complying with
internal control directives.
To avoid disrupting the daily
workflow, auditors begin with indirect assessment techniques, such as reviewing
flowcharts, manuals, departmental control policies, or other existing
documentation.
Auditing fieldwork procedures can
include transaction matching, physical inventory count, audit trail calculations,
and account reconciliation as is required by law. Analysis techniques may test
random data or target specific data if an auditor believes an internal control
process needs to be improved.
The internal audit may have started
with a defined scope; but as the internal audit team gathers and analyzes
information, it may become necessary to redefine the purpose and extent of the
audit. This includes re-evaluating the original timeline or resources allocated
to the audit.
Step 3: Reporting
Internal audit reporting includes a
formal report and may include a preliminary or memo-style interim report. An
interim report typically includes sensitive or significant results the auditor
thinks the board of directors needs to know right away. Similar to an interim financial statement, an interim audit communicates a partial set of
information useful for laying the road for the remaining portion.
Often, a company may deliver a draft
copy of the final audit report and host a pre-close internal audit meeting with
management. This may allow management to provide rebuttals, additional
information that may change findings, or provide commentary on their feedback
regarding the audit findings.
The final report includes a summary of
the procedures and techniques used for completing the audit, a description of
audit findings, and suggestions for improvements to internal controls and
control procedures. The final report may also communicate next steps in terms
of changes to be implemented, future monitoring processes, and what future
reviews will entail.
Step 4: Monitoring
After a designated amount of time, an
internal audit may call for follow-up steps to make sure the appropriate
post-close audit changes were implemented. The details and process for these
monitoring and review steps are often agreed to at the delivery of the final
audit.
For example, an internal financial
audit may find severe internal control deficiencies that an internal auditor
believes will not pass an external financial audit. Management agreed to
implement changes within the next six weeks. After six weeks, the internal
auditor may be tasked with implementing a small-scope or limited review of the
deficiency to see if the issue still persists.
FAST FACT: The monitoring step of an internal audit is technically
not required. Management or the board may decide to disregard internal audit
findings and not implement the changes the audit report suggests.
Internal Audit Reports: The 5 C's
Internal audit reports are often known
for adhering to the 5 C's reporting requirement. A complete, sufficient
internal audit often ends with a summary report that communicates answers to
the following questions:
1. Criteria: What particular issue was identified, and why was the
internal audit necessary? Is the internal audit in preparation for a future
external audit? Who requested the audit, and why did this party request the
audit?
2. Condition: How was the issue in relation to a company target or
expectation? Does the company have a policy that was broken, a benchmark that
was not met, or other condition that was not satisfied? Is the company
confident no issue exists, or do they believe an issue is at hand?
3. Cause: Why did the issue arise? Who was involved, what processes
were broken, and how could the issue have been avoided?
4. Consequence: What is the outcome of the problem? Are issues limited to
internal matters, or are there risks of external consequences? What are the
financial implications of the issue?
5. Corrective Action: What can the company do to fix the
problem? What specific steps will management take to resolve the issue, and
what type of monitoring or review will occur after solutions have been put in
place to ensure a fix has been implemented?
Importance of Internal Audits
Some may think internal audits are not
as valuable as external audits. After all, a company may hand-pick its own
internal auditors who do not have full independence from the company. However,
there are many ways internal audits provide value to the company and external
parties:
- Management can be more efficient about what to
explore. For example, while external financial audits
must test an entire financial system, a company may be concerned about
whether the cash management process is being fraudulently managed;
therefore, management can elect to have all audit procedures analyze cash
processes.
- Internal audits may save companies money. If a company's processes are very strong, the external audit process may not be as long or intensive,
thereby reducing the
external audit fee and time spent supporting external auditors.
- The company enhances its control environment. Even if the internal audit yields no findings, employees may be aware that
their work gets analyzed and reported on, thereby motivating
adherence to company policy.
- Internal audits may make companies more efficient. External audits often are not intended to make processes better;
they are meant to review whether processes are accurate. This distinction is
important because a company may be "just getting by" with
inefficient processes that meet very minimum requirements.
- Internal audit reports give management a head
start to make corrections. Instead
of having to scramble
when an external audit finds a deficiency, management can take longer to
think through solutions, implement the solution with care, and
review whether the solution worked.
- Certain departments may need enhanced oversight. Whether it is a lack of expertise, staffing shortages, or
problems with current personnel, a company may benefit from targeting a specific area and formally
reviewing its workflow and processes.
What Are the Types of Internal Audits?
A company can choose to perform an
internal audit for almost any reason. This may lead to an internal financial
audit, operational audit, compliance audit, environmental audit, IT audit, or a
special one-time circumstance.
What Is the Role of Internal Audit?
The role of an internal audit is to
identify a deficiency or substantiate a proficiency. For example, a company may
issue an internal financial audit to make sure its internal controls over
accounts payable adhere to company policy. Alternatively, the company may
launch an internal environmental audit to explore what environmental impact its
eco-friendly changes had on the planet last year.
What Is the Internal Audit Process?
The internal audit process entails
planning the audit, performing the audit procedures, compiling the audit
report, and monitoring post-audit changes. Management may choose to expand the
scope of an audit at any point of the audit if findings during the audit cause
the scope to shift in a different direction.
What Are the 5 C's of Internal Audit?
Internal audit reports often outline
the criteria, condition, cause, consequence, and corrective action. These five
areas report why the audit was performed, what caused the reason for the audit,
how the audit will be performed, what the auditor aims to achieve, and what
steps will be taken after the audit findings are presented.
The Bottom Line
An internal audit is a process that allows a company to self-select an audit team to carry out the review of its operations. The company can often define the scope of the internal audit. In addition, the company can often choose almost any reason to conduct an internal audit. Though internal audits are less useful for meeting external reporting requirements, they hold tremendous value for improving internal operations as well as informing management of ways the company can get better.