Internal auditing involves very different responsibilities, reporting lines and scope of work to those discussed above relating to the external audit. An internal audit is carried out to assist management and add value to the business by improving the performance of controls, risk management and governance processes across the organisation.
The key aspects of internal auditing are set out below, again from a fraud perspective.
The Institute of Internal Auditors (“IIA”)7 defines an internal audit as:
An independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
The IIA goes on to set out the responsibilities of internal auditors so far as fraud is concerned as follows:
Internal auditors should have sufficient knowledge to identify indicators of fraud but they are not expected to have the expertise of a person whose prime responsibility is preventing and detecting fraud.
The IIA implemented a new standard in 2009 that requires internal auditors to consider fraud formally when planning their work, as follows:
Internal auditors must consider the probability of significant errors, fraud, non-compliance, and other exposures when developing the engagement objectives.