Answers to questions that are often asked about internal audit, and the training that ThinkingAudit provides
Internal audit is an independent function that supports management and the board by providing assurance and feedback on the organisation’s governance, risk management and internal control frameworks. The service must remain independent of the areas that it reviews to ensure that it can provide an objective view.
The service can be provided in house (by employees) or outsourced (often to a professional services firm). The service will be delivered by professionally qualified internal auditors who are experts in risk and control. They will agree a plan of work with the organisation’s management and audit committee and deliver that plan through the year in a series of audits.
Each individual audit will result in formal feedback, usually in a report. As well as the internal auditor’s opinion on the adequacy of the control and risk management arrangements, feedback may also include ideas for improving efficiency and effectiveness. The report should contain actions that have been agreed with management to address any areas that require improvement.
The purpose of the audit should be to support the business to continually improve. The assurance provided should be considered as part of the wider risk management framework so that management and the audit committee understand the implications of any control weaknesses.
The Global Institute of Internal Auditors publishes the International Professional Practices Framework (IPPF) which applies to all members of the Institute and anyone who is delivering internal audit services. The IPPF contains mandatory and recommended guidance.
The elements of the IPPF are:
• Global Internal Audit Standards
• Topical Requirements
• Global Guidance
Some countries may also have their own standards or rules for internal auditing. For example, in the United Kingdom the public sector follows the Global Internal Audit Standards, and additionally there is a Public Sector Application Note which sets out requirements that internal auditors in central government, local government and the health service must follow alongside the global standards. The application note is published by the Internal Audit Standards Advisory Board.
Additionally, the Chartered Institute of Internal Auditors has published an Internal Audit Code of Practice which is supplemental to the global standards, and applies to financial services, private and third sector organisations in the UK and Ireland.
Internal audit should report to a level in an organisation that means that it is able to act independently.
What do the standards say?
The Global Internal Audit Standards do not specify exactly who the head of internal audit should report to, but state that organisational independence is effectively achieved “when the chief audit executive [head of internal audit] reports functionally to the board”. The standards also state that the chief audit executive must communicate and interact directly with the board. However, within the standards, ‘board’ may refer to another committee that has certain delegated functions, typically the audit committee.
Is there any other guidance?
The Chartered Institute of Internal Auditors’ Internal Audit Code of Practice includes the following:
• Principle 18: The primary reporting line for the chief audit executive should be to the chair of the board audit committee.
• Principle 24: If internal audit has an administrative reporting line, this should be to the chief executive in order to preserve independence from any particular business area or function and to establish the standing of internal audit alongside the executive committee members.
As well as reporting lines, the Code also emphasises the need for internal audit to be positioned in the right place in the organisation to have a voice at the top table through:
• Principle 15: The chief audit executive should be positioned at a senior management level (normally expected to be at executive committee or equivalent) within the organisation to give them the appropriate standing, status, access and authority to challenge senior management.
• Principle 24 [this part applicable to organisations who operate in the private and third sectors]: In certain scenarios, the administrative reporting line can be to another member of senior management who promotes, supports and protects internal audit’s independent and objective voice. This should be agreed with the chair of the board audit committee.
What does this mean in practice?
In reality, most heads of internal audit will have two reporting lines: a functional reporting line to the chair of the audit committee, and an administrative reporting line to a member of senior management. The reporting line to management should ideally be to the chief executive. If not the chief executive, the reporting line must be to someone who is part of the most senior management team and will be able to support internal audit’s independence.
‘Chief audit executive’ is the title that the Institute of Internal Auditors uses to describe the individual who is responsible for leading the internal audit function.
However, this does not have to be the job title of the individual in that role. The job title used will vary across organisations. Commonly used job titles include Head of Internal Audit, Director of Internal Audit and Chief Internal Auditor.
In short, yes, internal audit can be provided as an outsourced service by an external provider.
Typically it is smaller and less complex organisations which decide to outsource their internal audit service, often to an accounting or professional services firm.
In the public sector there are other options available, for example the Government Internal Audit Agency provides internal audit services to a large number of UK Government Departments and agencies. In the NHS and local government, there are a number of shared services or specialist providers which provide internal audit services to multiple organisations.
Additionally, some in-house internal audit functions will outsource some of their work to an external provider, for example if they need to buy in a particular specialism to augment the in-house team.
While internal audit should not write policies, that does not prevent internal auditors from providing advice and feedback on policies.
It is likely that in the course of its work, internal audit will review and conclude not only whether policies and procedures are complied with, but how effective those policies and procedures are.
Objectivity is a core ethical principle for internal auditors. In the situation where internal audit has written a policy, it would not be able to provide objective assurance in that area. An internal auditor would not be able to objectively comment on whether a policy was effective if they had also written that policy.
Guest auditors are colleagues from other departments in the organisation who join an in-house internal audit team for a short period of time. This could be for one audit or may be for a longer period such as an agreed secondment of several months or a year.
Guest auditors are often invited to join internal audit to bring a specialist skill or experience.
In some organisations, the head of internal audit will have a resourcing plan that combines a mix of career auditors and guest auditors. There are also organisations where it is expected that people on the leadership or talent programme will spend some time in the internal audit department as they rotate through the business.
Yes, we often have people who are not internal auditors attend our training courses.
In particular:
• Non-auditors who need to develop or learn skills that are core to auditing. Usually these individuals are in an assurance or compliance or inspection role. Recent delegates have included controls assurance teams, health & safety officers and food safety officers.
• Subject matter experts from the wider business who are working with internal audit as a ‘guest auditor’ and participate in the training with the wider internal audit team.
We have had so much interest from non-auditors that we now provide a course on testing, sampling and control evaluation aimed at non-auditors.
All of our courses are prepared and run for teams. We do not run open courses as we find that our delegates get most from a course that has been tailored to their specific needs.
Our courses also provide an environment for teams to explore and assess what works well and how they may enhance their current working practices.
Absolutely.
We always prefer to ensure that training courses are tailored to the needs of your team. Please contact us to discuss your training needs.