Courtesy: ISO 9001 Lead auditor training
The required organizational independence from management enables unrestricted evaluation of management activities and personnel and allows internal auditors to perform their role effectively. Although internal auditors are part of company management and paid by the company, the primary customer of internal audit activity is the entity charged with oversight of management’s activities. This is typically the audit committee, a sub-committee of the board of directors. Organizational independence is effectively achieved when the chief audit executive reports functionally to the board. Examples of functional reporting to the board involve the board: Approving the internal audit charter; Approving the risk based internal audit plan; Approving the internal audit budget and resource plan; Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters; Approving decisions regarding the appointment and removal of the chief audit executive; Approving the remuneration of the chief audit executive; and Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.
Role in internal control
Internal auditing activity is primarily directed at evaluating internal control. Under the COSO Framework, internal control is broadly defined as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the following core objectives for which all businesses strive:
- Effectiveness and efficiency of operations.
- Reliability of financial and management reporting.
- Compliance with laws and regulations.
- Safeguarding of Assets
Management is responsible for internal control, which comprises five critical components: the control environment; risk assessment; risk focused control activities; information and communication; and monitoring activities. Managers establish policies, processes, and practices in these five components of management control to help the organization achieve the four specific objectives listed above. Internal auditors perform audits to evaluate whether the five components of management control are present and operating effectively, and if not, provide recommendations for improvement.
In the United States, the internal audit function independently tests managements control assertions and reports to the company’s audit committee of the board of directors.
Role in risk management
Internal auditing professional standards require the function to evaluate the effectiveness of the organization’s Risk management activities. Risk management is the process by which an organization identifies, analyses, responds, gathers information about, and monitors strategic risks that could actually or potentially impact the organization’s ability to achieve its mission and objectives.