The profession of auditing has been with us for a long time. Mesopotamian scribes in around 3000 BC utilized elaborate systems of internal controls using stone documents that contained ticks, dots, and checkmarks. Auditing has evolved over the millennia, and today we generally think of two basic types of business enterprise auditors: external and internal. An external auditor is chartered by a regulatory authority, with authority to visit an enterprise or entity to independently review and report on the results of that review. Those reviews generally cover financial statements but may involve other compliance areas. In the United States, financial external auditors are Certified Public Accountants (CPAs), who are state-licensed and follow the standards of the American Institute of Certified Public Accountants (AICPA; www .aicpa.org). However, there are many other types of external auditors in fields such as medical equipment devices, television viewer ratings, and multiple governmental areas.
Internal auditing, as discussed throughout this book, is a broader and often more interesting field. As an employee or member of an enterprise, an internal auditor independently reviews and assesses operations in a wide variety of areas, such as accounting office procedures, information technology systems controls, or manufacturing quality processes. Most internal auditors follow high-level standards established by their prime professional enterprise, the Institute of Internal Auditors (IIA; www.theiia.org), but there are many different practices and approaches to internal auditing today due to its worldwide nature and wide range of auditing activities.
The primary objective of this book is to define and describe internal auditing as it is or should be performed today—modern internal auditing—as well as to describe a common body of knowledge (CBOK) for internal auditing. Because of modern internal auditing’s many variations and nuances, the chapters following describe and discuss it in terms of this CBOK, the key tools and knowledge areas that all internal auditors should generally use in their internal audit activities or at least know, as well as some other knowledge areas where internal auditors should have at least a good general understanding. These are the common practices that are essential to the profession of modern internal auditing.
An effective way to begin to understand internal auditing and its key CBOK areas is to refer to the internationally recognized internal audit professional organization, the IIA, and its published professional standards that define the practice:
This statement becomes more meaningful when one focuses on its key terms. Auditing suggests a variety of ideas. It can be viewed very narrowly, such as the checking of arithmetical accuracy or physical existence of accounting records, or more broadly as a thoughtful review and appraisal at the highest organizational level. Throughout this book, the term auditing will be used to include this total range of levels of service, from detailed checking to higher-level appraisals. The term internal defines work carried on within an enterprise, by its own employees, in contrast to external auditors, outside public accountants, or other parties such as government regulators who are not directly a part of the particular enterprise.
The remainder of the IIA’s definition of internal auditing covers a number of important terms that apply to the profession:
- Independent is used for auditing that is free of restrictions that could significantly limit the scope and effectiveness of any internal auditor review or the later reporting of resultant findings and conclusions.
- Appraisal confirms the need for an evaluation that is the thrust of internal auditors as they develop their conclusions.
- Established confirms that internal audit is a formal, definitive function in the modern enterprise.
- Examine and evaluate describe the active roles of internal auditors, first for fact-finding inquiries and then for judgmental evaluations.
- Its activities confirm the broad jurisdictional scope of internal audit work that applies to all of the processes and activities of the modern enterprise.
- Service reveals that the help and assistance to the audit committee, management, and other members of the enterprise are the end products of all internal auditing work.
- To the organization confirms that internal audit’s total service scope pertains to the entire enterprise, including all personnel, the board of directors, and their audit committee, stockholders, and other stakeholders.
As a small terminology point, the chapters following will generally use the term enterprise to refer to the whole company or business, and the term organization or function to reference an individual department or unit within an enterprise. In the chapters to come, we describe a variety of other terminology and usage conventions as we discuss a CBOK for internal auditing and internal audit professionals.
Internal auditing should also be recognized as an organizational control within an enterprise that functions by measuring and evaluating the effectiveness of other controls. When an enterprise establishes its planning and then proceeds to implement its plans in terms of operations, it must do something to monitor the operations to assure the achievement of its established objectives. These further efforts can be thought of as controls. While the internal audit function is itself one of the types of controls used, there is a wide range of other organization- or function-level controls. The special role of internal audit is to help measure and evaluate those other controls. Thus internal auditors must understand both their own role as control function and the nature and scope of other types of controls in the overall enterprise.
Internal auditors who do their job effectively become experts in what makes for the best possible design and implementation of all types of controls and preferred practices. This expertise includes understanding the interrelationships of various controls and their best possible integration in the total system of internal control. It is thus through the internal control door that internal auditors come to examine and evaluate all organization activities and to provide maximum service to the overall enterprise. Internal auditors cannot be expected to equal, let alone exceed, the technical and operational expertise pertaining to the many various activities of an enterprise. However, they can help the responsible individuals achieve more effective results by appraising existing controls and providing a basis for helping to improve them. In addition, because internal auditors often have a good knowledge and understanding of many organizational units or special activities within a total enterprise, their levels of understanding often exceed those of other people.
