Here’s a statement that the IIA and others need to actually understand and react to. Internal audit is not external audit. Or, for my international (American) audience, a financial statements audit is not internal audit, whether internally or externally provided.
Sure, internal audit emerged as an internal in-year form of financial controls checking, to make sure that the financial accounts and the external audit of them went well at the end of the year. Sure, some elements of the skill set are similar: an appreciation of finance (at least for private profit-making businesses), interview techniques, audit evidence, disciplined evaluation of control objectives and systems of control, the ability to weigh and evaluate evidence, and the capacity to report assurance opinions to audit committees of non-executives. But they are not (I emphasise again) the same.
I think it is worth considering what external audit do. Well, their objective is to tell the non-executives of the business that one document, the financial statements, is true and fair. This is captured in the auditor’s ‘opinion’. If we break this down, true means essentially accurate, and fair means presented appropriately to the reader of the document, free from bias if you prefer. Note that ‘fairness’ of presentation has increasingly come to mean, and now essentially means, presented in line with accounting rules or standards (which in theory are designed to ensure fair presentation of financial results and are also now increasingly the same the world over). The other task is to ensure that the members’ statement or corporate governance statement is, broadly, right. This is much less defined, as these are more qualitative. This is fine, though, in that the requirement is merely to report by exception. That is, the auditor is not saying it is true or fair, merely that it is not outright ‘wrong’. One final bit is that they need to tell you about going concern, that is, whether in their view the business will go bust within 12 months of their opinion.
Now let’s think about how the external auditors go about this task. Well, first they find, the globe over, that businesses and organisations are all clear about the objective of producing this one document for each period (usually a year), and that they have designed processes and staffed an entire arm of the business to produce these accounts. In fact, finance functions historically were, and current unmodernised ones still are, the ‘accounts’ department. Modern finance departments should produce lots of financially oriented value beyond the accounts, but many still just ‘account’.
So as the auditor you have a shared understanding with your client finance department about the objective, the rules and expected format of the output, and the detailed best-practice processes for how the finance department should go about it. The external auditor and the finance department have a shared common experience (as most FDs probably trained as auditors or did audit work when training) and may even have come from the Big Four background and culture.
So the external auditor will approach the audit by identifying control systems (the detailed processes through which the accounts are produced). These are so similar the globe over that the professional services firms will have a single audit approach to all clients. This will be granular in detail and will even specify sample sizes and approach. A controls-based audit will look at the design of these systems, assess whether they can be relied upon (based upon sample testing), and then enable a small sample of transaction testing to confirm that the systems will produce the correct answer for the overall document, the accounts.
Now let’s compare this to internal audit. First, internal audit is opining on something far more complex: business risk. Second, the organisation or business is not at all set up around managing risk (most risk hits organisations and businesses horizontally across departments and structures, not vertically within them). Third, businesses do not always have clear objectives. Fourth, as a consequence, processes and systems are not at all clearly designed and operated for the objective of managing business risk. Fifth, the opinion given is more bespoke. Sixth, there are no detailed rules about the one internationally best way of achieving a particular business objective. Seventh, an appreciation of finance may, or may not, be required to audit a business risk.
Why, then, are external and internal audit thought so interchangeable? Why do so many internal auditors think that they need not hold an internal-audit-specific qualification? Why do the firms use their financial statements audit colleagues to in-fill with work on internal audit? Even externally provided internal audit is often imbued with all of the narrow and two-dimensional thinking of a financial statements audit.
For me, the internal audit profession needs to stand up and come out as being different from external audit. Apples compared to oranges. Perhaps we should rename internal audit as business risk audit, rather than continue with the now inaccurate historical anachronism of internal audit’s birth from financial statements ‘external’ audit?