Mary was one of the original employees of ABC company going back to it founding in 1987. As a result, she has more vacation time than any employee and when returning from her latest vacation this week, she was greeted with a surprise. She had been made the company’s Internal Auditor.The first thing that comes to Mary’s mind when she hears this news is this “What do I do as Internal Auditor? Do I constantly count cash funds? Do I do whatever special projects I am assigned by the President? Just what is or should be my role?
In an ideal world, a company hires an Internal Auditor with a background specifically geared to the job function. But the world is not always ideal, based on operational side cost constraints. Thus, many times a Mary finds herself with the new title of Internal Auditor.
In such a new role, of significant importance are the Institute of Internal Audit (IIA) Standards for the Professional Practice of Internal Audit, Definition of Internal Audit, Code of Conduct, and Quality Assurance Program. These are a good starting point for understanding Internal Audit.
Right off in the definition of Internal Audit, the IIA references the term “risk management”. Mary must ensure the company’s Internal Audit schedule adequately addresses the risk of her specific organization. Thus, it is highly unlikely that counting cash is going to present a significant organizational risk. While special assigned projects may come with the role, again Mary must ensure organizational risk is addressed.
Another definition component is “independence." In other words, Mary may report to the President administratively, but for independence purposes she is employed by the Board of Directors. The President does not review and approve Mary’s Internal Audit reports; rather, within the IIA standards, she prepares her reports and submits them to the Board or a Committee thereof.
Another definition component is “adequately resourced." Mary must ensure she has adequate resources to address organizational risk. If not, she needs to bring this up to the Board. It could be that outside resources need to be employed to ensure that organizational risk is addressed or simply because Mary lacks certain technical skills needed to review certain areas. This point ties directly into the “competency” provision of the IIA Code of Ethics and of the Rules of Conduct. Mary should not engage in an Internal Audit in which she lacks the necessary “knowledge, skills, and experience”.
One of the Rules of Conduct is “Integrity”. Mary should not be a party to any “illegal activity” or engage in “discreditable” acts.
“Objectivity” is essential both in fact and appearance. “Confidentiality” must be protected and no information obtained can be used for “personal gain” or to the “detriment” of the organization and its objectives.
“Competency” means continued improvement. Mary must undergo continuing education to increase her skills and constantly update her knowledge base. IIA Standards require the creation and maintenance of a Quality Assurance and Improvement Program. These Standards require independent external review at least every five years. Mary’s work is also subject to review by the External Auditors as well as, in a regulatory environment, regulatory agencies. Thus, as Internal Auditor, no one is audited as often as Mary.
After her first review of these referenced IIA resources, Mary now wonders if going on vacation this past week was a wise move on her part.