What do internal audit professionals do?
The role of internal auditors is to provide assurance to senior management and stakeholders that there are suitable controls in place to manage risk in line with the organisation’s risk appetite/tolerance. They also check to ensure these controls are operating efficiently.
Internal auditors blend audit, consultancy, and advisory skills to add value to businesses by identifying synergies, cost savings, and asset safeguarding.
In immature businesses, where ways of working may be informal and unstructured, there is greater emphasis on consulting and advisory to create, formalise, and document scalable controls and processes. Interventions are typically forward-looking in nature.
In mature business, where ways of working may be formal, documented, and structured, there is greater emphasis on assessing whether the process is being operated as designed. This is typically a retrospective review of the controls/processes and a case of testing to verify they are working effectively.
Most businesses sit in the middle of being immature and mature, or have functions that vary in maturity, so internal auditors often combine both control design and control testing in their work.
Management can view internal audit as performing ‘health checks’ within the business to support maturity and strengthen governance.
Internal audit is independent of management and is not responsible for implementing changes to controls and processes, or operating functions within a business. This responsibility sits with management. This allows the internal audit function to perform an independent and unbiased assessment of the controls and processes to identify and collaborate with management on what the best action plan to address findings is. Internal audit monitors the progress of this action plan and periodically reports on the status to the Audit Committee, senior leaders, and management.
What are the different types of internal audit?
There are many types of internal audit, and each business may have different types or structure their internal audit team to accommodate specialist knowledge.
The broad categories are:
| Category | Focus | Examples |
| Compliance | Assessment of whether controls and processes are compliant with laws and regulations. This could assess an end-to-end process or focus on a particular law or regulation. |
Minimum wage – assessment of whether workforce pay meets the minimum wage requirements. |
| IT/IS | Assessment of controls and processes in information technology and information security. These can be complex, and often require in-depth knowledge and skill. |
Privileged access management (PAM) – assessment of the different levels of access given to a person in a system. Data back-up – assessment of how often business data is backed up, where data is stored, the format of stored data, and how long data is kept. |
| Financial | Assessment of controls and processes in relation to finance and external reporting. These can be complex, and often require in-depth knowledge and skill. |
Tax – assessment that tax is calculated appropriately, paid timely and correctly recorded in line with laws, regulations, and standards. Bad debts – assessment of how bad debts are recorded, monitored, written-off or retrieved. |
| Operational | Assessment of controls and processes in relation how a business operates. | Supplier due diligence – assessment of the checks performed on suppliers before contracts are signed, eg, credit checks, capacity meets demand, creditability/reputation, etc. |
| Forensic | Assessment of controls relating to fraud investigations and whistleblowing. | Whistleblowing – assessment of whether appropriate processes exist for employees to raise whistleblowing concerns, which are reported in a timely way to the appropriate individuals and are investigated in compliance with laws and regulations. |
Which industries have internal audit?
Technically, all industries could have an internal audit function in the UK.
US businesses that must comply with SOX regulations, UK listed businesses of a certain size, and UK businesses who may qualify for the UK BEIS financial control framework must consider their assurance over financial controls ¬ whether this through a dedicated internal control team or through internal audit. This is typically why internal auditors in the UK often have a finance background.
All other businesses can choose whether to have an internal audit function.
What qualifications will I need?
A wide skillset is considered when pursuing a career in internal audit, and there are no set rules. However, most job advertisements require qualifications or experience. The most desired qualifications are:
- ACA, which focuses on in-depth financial knowledge and controls. This is the main UK qualification requested.
- CIA, which focuses on a rounded knowledge of risk and controls across all business processes. This is mainly a US qualification but is growing in popularity in the UK because it is broad.
- MBA, which focuses on in-depth rounded knowledge of business processes, operations, and strategic initiatives. This is a universal qualification, requested for senior leaders as opposed to entry level positions.
Qualifications can be gained before or during your internal audit career.
Additionally, the industry and the maturity of the business you choose to work in could impact the type of internal audit work you perform and job requirements.
Listed businesses, SOX businesses, and businesses which meet the BEIS financial control framework criteria may put emphasis on financial controls knowledge within their internal audit team.
Highly regulated industries may put emphasis on compliance knowledge, and complex industries such as pharmaceutical and energy industries may put emphasis on industry knowledge and experience, as well as sector-specific qualifications.
What does a typical day look like?
Internal audit assignments are outlined in the internal audit plan, which states the scope of work and timetable for audits to be performed. Audits are identified for the plan based on their risk profile and ability to add value to the business.
Audits require collaboration with management to understand the processes and controls in place. Active listening and curiosity are important, as those who operate the process and controls will have experience and opinions to consider. The internal auditors validate this understanding against supporting evidence, often by testing the control for effectiveness. Once complete, the internal auditor writes a report of what is working well and what could be improved, outlining feasible, commercial actions for management to implement to improve the process. These actions are agreed with management with deadlines that are monitored and reported to stakeholders by the internal audit team until completion.
Throughout the audit cycle, you will be collaborating with your team and stakeholders, as well as working independently on your own. Each day is different, depending on which stage of the audit process you are in and the scope of work you are performing.
What skills will I need?
Internal audit requires interaction with a variety of stakeholders at different levels so there is emphasis on communication, active listening and relationship building. Objectivity, commercial awareness, and curiosity are valued skills alongside attention to detail to that the action plan addresses the root cause of the findings. Clear, concise report writing skills are required.
What is the difference between internal audit and external audit?
External audit focuses on the financial processes and controls which lead to the production of the company’s financial accounts. The objective to provide an evaluation and examination of the company’s financial accounts and form an opinion on whether the financial numbers reported provide a true and fair view within a threshold called materiality. This could include testing IT related controls and financial systems which produce the numbers. External auditors are appointed by shareholders and/or the audit committee and must be an external company, independent from management. External audits are required for public companies, and companies of certain sizes in certain industries.
Some businesses will have an internal audit function which focusses on all business processes and controls, not limited to financial. The objective of the internal audit function is to give shareholders and management assurance that controls and processes are designed effectively and working efficiently. Internal audit is appointed by the Audit Committee Chair, often in conjunction with the CFO or CEO, and are internal employees of the company. The internal audit function is not fully segregated from the business, although there is an independent reporting line to the Audit Committee Chair. Internal audits are required for some companies and optional for others.
Internal audit can provide assurance on the financial controls and processes in advance of external audits, which external audit can leverage and reperform to reduce their testing. Internal audit cannot be used as a substitute for external audit.
| External Audit | Internal Audit | |
| Focus | Financial controls and processes. | All business processes and controls |
| Objective | To form an opinion on the company's financial accounts | To give shareholders and management assurance that the controls and processes are designed effectively and working efficiently. |
| Appointed | Shareholders/Audit Committee | Audit Committee Chair |
| Performed by | External organisation | internal function |
| Required for listed business | Yes | No - optional and needs to be considered and depends on industry |