Internal auditing involves identifying the risks that could keep an organization from achieving its goals, making sure the organization’s leaders know about these risks, and proactively recommending improvements to help reduce the risks.
For internal auditing to be effective, the organization’s leaders must be open to discussing tough issues and seizing opportunities to make necessary changes for improvement. The internal auditors must also have an independent reporting line to the highest governing body (e.g., the audit committee of the board of directors), giving them the requisite authority to access all areas of the organization and the assurance that they will be supported if and when their views differ from those of management.
The essential features of an effective internal audit department are as follows:
- appropriate staffing and training
- due care
- planning, controlling and recording
- evaluation of the internal control system
- reporting and follow-up
It is management’s responsibility to maintain the internal control system and to ensure that resources are properly directed. This, of course, will include a responsibility for the prevention and detection of fraud. If an internal auditor discovers evidence of, or suspects, fraud or some other malpractice, they should report their suspicions to the appropriate level of management. It is a management responsibility to determine what further action to take. Internal audit objectively examines, evaluates and reports on the adequacy of internal control as a proper, economic, efficient and effective use of resources.
Risk is defined as the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of the likelihood of an adverse event occurring and the impact of that event if it does occur. Management is responsible for risk management. Internal audit is responsible for assessing whether the risk management system has identified all key risks faced by the organization and whether appropriate measures and controls have been established to minimize the impact of the risk should it occur.
Internal auditing is an independent, objective assurance and consulting activity. Its core role with regard to enterprise risk management is to provide objective assurance to the board on the effectiveness of risk management. Indeed, research has shown that board directors and internal auditors agree that the two most important ways that internal auditing provides value to the organization are in providing objective assurance that the major business risks are being managed appropriately and providing assurance that the risk management and internal control framework is operating effectively.
Who are the internal auditors?
The profession of internal audit is fundamentally concerned with evaluating an organisation’s management of risk. All organisations face risks. Examples include risks to the organisation’s reputation if it treats customers incorrectly, health and safety risks, risks of supplier failure, risks associated with market failure, and cybersecurity and financial risks, to name some key areas. The key to an organisation’s success is to manage those risks effectively – more effectively than competitors and as effectively as stakeholders demand.
As an internal auditor, your essential duties will be:
- Perform audit tests and prepare working papers in accordance with professional IIA standards and FCU IA methodology
- Evaluate the adequacy of process design and the effectiveness of controls in meeting business and control objectives. Identify and document control and process weaknesses and provide evidential support for findings
- Propose practical and value-added recommendations to address control weaknesses and/or process inefficiencies
- Organize and reference work papers for review by the Manager, Internal Audit
- Participate in closing meetings with client at the end of fieldwork, providing clear explanations for identified issues
To conduct these activities effectively, the internal audit function should have ongoing communication with its stakeholders. Internal auditors should be aware of and understand the bank’s strategic direction, objectives, products, services, and processes, as well as relevant laws and regulations. The auditors communicate findings to the bank board or its audit committee and senior management. The chief auditor should develop an ongoing communication process with management to keep current on changing business and risk issues.
Internal auditors often have an advisory or consulting role in current or emerging risks at the bank. The advisory role serves the bank’s board and management in evaluating safeguards and controls, including appropriate documentation and audit trails of the bank’s planning and implementation processes. Refer to the “Advisory and Other Activities” section of this booklet for more information.
The internal audit function should ensure that it appropriately safeguards information in fulfilling its responsibilities. The sophistication of tools and processes used by internal audit may vary based on the size and complexity of the bank. Auditing work program tools, for example, may store audit supporting documents that contain customer data. Appropriate access and other internal controls should be in place to safeguard information.