Mark Simmons "An Overview of The Professional Practice of Internal Auditing"
by Mark R. Simmons, CIA, CFE
With the various activities and reviews internal auditors are being called on to perform, and changes taking place today in the practice of internal auditing, I have lately been thinking more and more about the way internal auditing is perceived, and how it perhaps ought to be perceived. About twelve years ago, I was offered the opportunity to expand my professional development by moving into an internal audit department. At the time, having come from a background in public accounting, and having no familiarity with internal auditing standards, if you had asked me to define "internal auditing", I probably would have said something like "it's auditing within an organization to help safeguard assets". I'm willing to bet that in many organizations, if you were randomly to ask employees, managers and executives about their perception of internal auditing today, many would tell you "it's the same thing that our external CPAs do, only it's done by employees of the company". Others might say that "it's anything our internal auditors do".
The purpose of this article is to examine the concept of internal auditing from the perspective of The Standards for the Professional Practice of Internal Auditing. For a moment, think about how important The Standards are in day-to-day professional internal audit activities. Some of the routine ways internal audit professionals apply the standards include how they plan and carry out their work, how the audit director determines what that work will be, and how the results of their efforts are communicated. By obtaining a clearer understanding of the essence of professional internal auditing standards, we can develop a clearer understanding of the essence of internal auditing itself. Obtaining that understanding is critical not only to presenting ourselves in the most professional way, but also to clearly defining our area of expertise and thus the value we can provide to our organizations.
The basic framework of The Standards For The Professional Practice Of Internal Auditing consists of:
- the Statement of Responsibilities of Internal Auditing
- the Code of Ethics
- the Standards for the Professional Practice of Internal Auditing, consisting of five general standards, twenty-five specific standards, and suggested guidelines for complying with the standards
- the Statements on Internal Auditing Standards
- professional practice releases
Some of the key points emphasized in the introduction to The Standards are:
- the principal elements of the organization served by internal auditing are management and the board of directors, with internal auditors owing a responsibility to both
- "the board" means the board of directors, the audit committees of such boards, heads of agencies or legislative bodies to whom the internal auditors report, boards of trustees, or any other designated governing body of organizations.
- "Management" is anyone in an organization with responsibility for setting and/or achieving objectives.
- "senior management" is the individual, or group of individuals in management to whom the director of internal auditing is responsible.
- The purpose of The Standards is:
* to impart an understanding of the role of internal auditing
* to establish a basis for the guidance and measurement of internal auditing performance
* to improve the practice and professionalism of internal auditing
- Compliance with the concepts enunciated by the standards is essential before the responsibilities of internal audit can be met.
When performing internal audits, the Code of Ethics of the Institute of Internal Auditors (IIA) requires each member of the Institute and each Certified Internal Auditor (CIA) to adopt suitable means to comply with The Standards and to conduct internal audits in accordance with the requirements and spirit of The Standards. This is one of the key provisions of the Code of Ethics.
Not everything that an internal auditor might be called on to do is internal auditing. If you are a member of the IIA and/or are a CIA, it is your responsibility to understand the essence of what internal auditing is; to know what is, and is not, an internal auditing activity; to distinguish internal auditing from other types of audit activity that are not internal audits; and to distinguish internal auditing from other types of non-audit activities that an internal auditor might be called on to perform. The following table compares internal auditing (as defined by The Standards) with other activities performed by internal auditors.
| PROFESSIONAL INTERNAL AUDITING UNDER THE STANDARDS | OTHER INTERNAL AUDIT ACTIVITIES |
|---|---|
| A review of how managers plan, organize and direct operations, conducted by members of the organization, to form an opinion as to whether or not management has reasonable assurance that: assets are safeguarded; laws, rules, regulations, policies and procedures are complied with; business objectives are met; financial and management data is accurate and reliable; and operations are carried out efficiently and economically. Professional internal auditing focuses on an evaluation of the system or framework of internal control. | Contract auditing; compliance auditing; voucher auditing; claims auditing; financial statement auditing; performance auditing; external auditing of other organizations; or any management activity associated with the planning, organizing and directing of operations. While these all may be value-added activities that internal auditors perform, they do not meet the criteria of "Internal Auditing" described by The Standards. Many, if not all, of these audit activities are governed by other professional auditing standards, such as those of the AICPA and the General Accounting Office. |
As practiced under the Standards, professional internal auditing focuses on an evaluation of the system or framework of internal control, which the Standards describe as "the integrated collection of control systems developed by the organization to achieve its objectives and goals". There is a very close correlation between the Standards and COSO (for a detailed discussion, see "The Standards and the Framework", Internal Auditor, April 1997). The primary objective of internal controls is to give managers reasonable assurance that:
- financial and operating information is accurate and reliable
- policies, procedures, plans, laws and regulations are complied with
- assets are safeguarded against loss and theft
- resources are used economically and efficiently
- established program/operating goals and objectives will be met.
The elements of internal auditing therefore consist of:
- Appraising the reliability and integrity of financial and operating information by evaluating the means developed by management to identify, classify, measure, and report such information
- Appraising the systems management has established to ensure compliance with policies, plans, procedures, laws and regulations that could have a significant impact on operations and reports, and determining whether the organization is in compliance
- Appraising the means management has established to safeguard assets, and, as appropriate, verifying the existence of such assets
- Appraising the systems management has established to ensure economical and efficient use of resources
- Appraising the systems management has established to ensure results are consistent with established objectives/goals and operations or programs are carried out as planned.
Although there is some degree of overlap, these five elements differ from performance audits. The primary objective of a performance audit is to evaluate operational processes (which may or may not include internal controls) and the related results of operations, rather than the system of control itself (GAO Yellow Book, 1994 Revision, Chapter 2, sections 2.6 through 2.9). While some might consider this distinction insignificant, under the Standards it is not the internal auditor's job to evaluate a manager's performance, or to decide what the organization's objectives and goals are, or whether they are the correct objectives and goals. These determinations and decisions are the responsibility of management. The SPPIA instead focuses the internal auditor primarily on forming an opinion as to whether or not management has reasonable assurance that desired objectives and goals are being achieved, and the degree to which controls provide the reasonable assurance that managers need (SPPIA 300.04, 300.08, and 300.08.2.c).
When we combine the definition of internal control with the scope of internal auditing, five possible audit objectives emerge regarding how managers plan, organize and direct activities. Internal auditors seek to answer one or more of the following questions:
- Do controls over financial and operating data provide managers with reasonable assurance that the financial and operating data is accurate and reliable?
- Do controls over compliance with policies, procedures, plans, laws and regulations provide managers with reasonable assurance that proper compliance actually occurs?
- Do controls over assets provide managers with reasonable assurance that assets exist and are protected against loss that could result from theft, fire, improper or illegal activities, or exposure to the elements?
- Do controls over operations provide managers with reasonable assurance that resources are used efficiently and economically? In this context, the auditor wants to know whether operating standards have been established for measuring economy and efficiency; whether operating standards are understood and are being met; whether deviations from operating standards are identified, analyzed and communicated to those responsible for corrective action; and whether effective corrective action has been taken.
- Do controls over operations and programs provide managers with reasonable assurance that the operations and programs are being carried out as planned, and that the results of operations are consistent with established goals and objectives?
To meet these audit objectives, internal auditors evaluate the things managers do to plan, organize and direct activities and operations. The reasonable assurance that managers need comes about when managers plan, organize and direct in such a way that in the normal course of doing business, cost-effective actions are taken to minimize the risk that undesired outcomes will occur, and maximize the likelihood that desired outcomes will occur.
After examining the way managers have planned, organized and directed the activities of the organization, the internal auditor draws conclusions about the adequacy and the effectiveness of the controls. The internal auditor then expresses an opinion as to whether or not the control system provides the necessary reasonable assurances. When the internal auditor is of the opinion that weaknesses or conditions are present that significantly reduce the likelihood that reasonable assurance exists, the internal auditor reports to senior management:
- the condition(s) found
- the criteria or standard against which the condition is being measured
- the cause(s) that produced the condition
- the potential or actual effect(s) on desired outcomes
- recommendations for corrective action that will improve the degree of reasonable assurance.
Internal auditors perform other activities, such as: contract auditing; compliance auditing; voucher auditing; claims auditing; financial statement auditing; performance auditing; external auditing of other organizations; and other management activities associated with the planning, organizing and directing of operations. While these all may be value-added activities, they do not meet the criteria of "Internal Auditing" described by the Standards. Many, if not all, of these audit activities are governed by other standards. In the United States, for example, these might be those of the American Institute of CPAs; the US General Accounting Office's Government Auditing Standards; regulations and laws of the Securities and Exchange Commission; or various other federal regulations such as Circular A-133 of the US Office of Management and Budget. Does that mean internal auditors should refrain from doing these other things when requested to do so? No. But they should not confuse these other activities with internal audits, and should not represent them as being internal audits.
What about consulting? Almost all of us at one time or another get involved in "consulting" situations within our organizations. How does internal auditing activity compare to consulting work?
According to studies by the IIA:
Internal Audits
- are based on past or current activities
- address management's reasonable assurance of achieving objectives
- are initiated by the Audit Director
- have the Audit Committee/Senior Management as the primary client
- are conducted primarily by members of the internal audit department
- lead to production of a standard audit report.
Consulting Activities
- are future oriented
- address implementing activities
- are initiated by a line manager
- have the line manager as the primary client
- involve staff outside the internal audit department
- yield a product or outcome other than an audit report opinion
Based on the IIA research, most internal auditors agree that the following activities are examples of consulting:
- Business Planning
- Non-Accounting System Consulting
- Business or Project Feasibility Studies
- Accounting System Design and Implementation
- Total Quality Management
- Budgeting
- Forecasts and Projections
The more progressive practitioners of internal auditing have recognized the value of, and have embraced, the idea that partnering with audit clients can significantly improve the results of internal audit work. These innovative approaches and the required paradigm shifts are endorsed by the IIA. While the Standards do not pose any impediments to their use, additional implementation guidance is needed. This is particularly true regarding the issue of auditor independence vis-à-vis auditing in consultation with management. "Auditor independence" has been a cornerstone of the profession for many years, a carryover from internal audit's roots in public accounting. IIA studies indicate that some practitioners, in hiding behind The Standards' guidance on independence, have needlessly sacrificed opportunities to make significant contributions to their organizations. This is an area requiring further study by the IIA.
These issues also have sparked some interesting observations regarding the exclusion of compliance audits and performance audits from the "internal audit" category. The material above briefly touches on the issue of performance audits. Regarding compliance audits, the issue is one of focus. Further examination may serve as an example of how an internal audit is conducted under the Standards.
The objective in a typical compliance audit is to determine whether an entity has followed applicable laws and regulations or followed proper procedures. For example, in an audit of a youth detention center, if government regulations require that the cafeteria only serve items listed on a dinner menu, and the kitchen runs out of the listed ice cream and serves pudding for dessert, a compliance audit would cite the center for failing to follow the regulations (a ludicrous, but true example). The compliance auditor doesn't really care about the system of internal control. In audit parlance, internal control risk is assessed at maximum (i.e., it is assumed controls are not effective). Nor does the compliance auditor necessarily care why a violation has occurred. The compliance auditor's job is to identify violations or deviations, and, where necessary, impose sanctions, withhold payments, obtain refunds, identify and report employee mistakes, etc. This is not an internal audit; and more importantly, using this methodology to carry out an internal audit is not a particularly efficient or effective way to identify systemic, mission-critical control problems.
An internal audit of the detention center under the Standards, however, would focus on whether or not the management of the detention center has reasonable assurance that significant applicable laws and regulations are being complied with. The internal auditor would want to see evidence, for example, that management has conveyed the importance of compliance to the employees; that employees have the necessary tools and resources to effect compliance; that employees have been properly trained in and understand compliance issues; that management has assessed and addressed the risks and obstacles associated with compliance; that policies and procedures have been established to address identified risks; that information and communications systems provide necessary data in an accurate and timely way regarding issues associated with effective compliance; and that monitoring activities will, in the normal course of events, identify and correct problems, and bring significant issues to light for attention, corrective action and follow-up by higher-level management. If this sounds very much like COSO, it should, since the SPPIA and COSO are two sides of the same coin (as might be expected, since the IIA is one of the sponsoring organizations). The SPPIA actually is a framework for audit implementation of COSO theory.
If the internal auditor determines significant weaknesses exist in the control system over compliance, he/she may conclude that the required reasonable assurance does not exist, and recommend corrective actions. To reinforce the need for corrective action, the internal auditor may test for evidence of errors, omissions or other adversities associated with non-compliance that are so serious that immediate intervention by management is required to mitigate the resultant business risks. If the internal auditor believes the internal control system is effective, and that as a result management has the requisite reasonable assurance, some testing may still be done to confirm the effectiveness of the control system (it depends on the internal auditor's assessment of his/her own risk of arriving at an incorrect opinion).
Conclusion
We, as internal audit professionals, have to be clear about what it is we are "expert" in. That clarity comes from the Standards. Our reason for being as a profession is to support executive management and the board of directors in carrying out corporate governance. We do that by providing them professional opinions about the degree to which reasonable assurance exists that business objectives will be achieved (i.e. the state of internal control) and by keeping them informed about critical control issues that impact on achievement of business objectives. Does that mean we can't help operating management do a better job in the process? No. Does that mean we hide behind the Standards and avoid going in new directions? No. Does that mean we do whatever we feel like, or whatever our management requests, in disregard of the Standards, and still call it "internal auditing"? While that might appear beneficial on an individual level, we can't, as a profession, do that either, because in the larger picture, doing so confuses, obscures and weakens the role of our profession in corporate governance; undermines our profession's value to those we are supposed to serve; and ultimately hurts us as a profession. But does that mean internal auditors should refrain from doing such things when requested to? No, it does not. However, we should not confuse these other activities with internal audits; and we should not represent them as being internal audits.
Internal auditors perform many different functions that add value to the organizations they serve, and only the foolhardy would respond "that's not my job" when asked by senior management to perform work outside the bounds of The Standards. Internal auditing is a management control, however, and like any other control, when its actual function digresses further and further from its original purpose, the control is weakened. The Standards define the mission of internal auditing, and establish how both the internal audit function, and individual internal audits, should be planned, organized and directed. Government entities that have incorporated "professional internal auditing standards" as part of the defining language of legislation regarding internal audit activities in government explicitly require and rely upon compliance with The Standards as a minimum level of expected professionalism. When properly understood and applied, The Standards provide the foundation for reasonable assurance that the internal audit function will be both professional and effective. Achieving those goals is critical to presenting ourselves in the most professional way, to clearly defining the expertise and value we can provide to our organizations, and most importantly, to maintaining oversight of control systems - the primary reason the internal audit function exists.
Copyright © Mark R. Simmons
Used with permission.
Mark R. Simmons, CIA, CFE can be contacted by e-mail at mrsciacfe@aol.com