Internal Audits

An internal audit is the examination, monitoring and analysis of activities related to a company’s operations. Internal audits to verify the accuracy of records and compliance with standards, policies and procedures. The main goal of internal audits is to make companies and organizations of all kinds perform better and maintain their regulatory compliance.

Some of the main responsibilities of an internal auditor may include:

  • Analyzing processes and controls
  • Testing
  • Identifying improvement opportunities
  • Preparing workpapers
  • Developing recommendations to strengthen internal controls, improve business processes, and verify that proper internal control safeguards are in place
  • Assist in the preparation of reports to communicate the results and recommendations to management

Internal audit is designed to help the organization to reach its objectives. Fulfillment of organizational objectives defines the company’s achieved success. Business objectives are organizational goals and what the company wants to achieve. If they are coherent and can be measured, they are in fact evaluation criteria of the organization’s success. The organization states its objectives in a mission and vision statements. Mission statement conveys what the organization is and what it wants to achieve today. Vision statement communicates aspirations to what it intends to achieve in the future

The internal audit process consists of:


  1. Prepare annual audit plan
  2. Conduct internal audit planning and opening meeting
  3. Perform audit fieldwork
  4. Conduct preliminary closing meeting
  5. Obtain management responses
  6. Draft audit report & distribute
  7. Conduct closing meeting
  8. Disseminate final report
  9. Perform audit follow up

The goals of internal audits

Authorization – The objective is to ensure that all transactions are approved by responsible personnel in accordance with specific or general authority before the transaction is recorded.

Completeness – The objective is to ensure that no valid transactions have been omitted from the accounting records.

Accuracy – The objective is to ensure that all valid transactions are accurate, consistent with the originating transaction data and information is recorded in a timely manner.

Validity – The objective is to ensure that all recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management’s general authorization.

Risk assessment

Risk assessment is a process by which an auditor identifies and evaluates the quantity of the organization’s risks and the quality of its control over those risks.

Assessments typically analyze the risks inherent in a given business line or process, the mitigating controls processes, and the resulting residual risk exposure to the institution.  Assessment should be well documented and dynamic, reflecting changes to the system of internal controls, infrastructure, work processes and new/changed business lines or laws and regulations.

Risk assessments should consider thematic control issues, risk tolerance, and governance within the institution. Assessments may be qualitative and quantitative and include factors such as impact/likelihood of an event occurring.

The risk assessment should be formally documented and supported with written analysis of the risks. And it should also include specific rationale for the overall auditable entity score

A high-level summary of risk assessment results should be provided to the audit committee and include the most significant risks facing the institution, as well as how those risks have been addressed in the audit plan

Internal audits vs. external audit

External Audit

  • Confirms the validity of the financial position expressed by an organization
  • Investigation may be supported by internal audit function

Internal Audit

  • Confirms the effectiveness of business process controls in reducing financial risk
  • Assures compliance with the law
  • Indicates areas where business processes may be improved upon

An internal audit is designed to look at the key risks facing the business and how the business is managing those risks effectively. It usually results in recommendations for improvement across departments. Both financial and non-financial elements are usually included and the company’s reputation may be a factor which is assessed.

An external audit focuses on finance and the key risks associated with the business’ financial business. They are usually performed on at least an annual basis to provide the annual statutory audit of the financial accounts. This audit is designed to show whether the accounts are a true and fair reflection of where the company sits financially. External auditors will evaluate all the internal controls put in place to manage financial risk to assess whether they’re working effectively.