Internal auditing is done by internal auditors…and they are the company’s own employees.

As what we
have learned before, internal auditors are the one who usually performs the operational auditing
whereas the external auditors are the one who performs the financial statement audit. Internal auditing
is not just about looking back to what the organization did, but also looking forward to what the
organization could do.

So back to the definition of internal auditing, The Institute of Internal Auditing defined it as “an
independent, objective assurance and consulting activity designed to add value and improve an
organization’s operations.”

This just means that internal auditing involves identifying the risks that could keep an organization from
achieving its goals. Example of these risks is the employee’s fraudulent practices.

After identifying the risk, the Board of Directors and Management should be duly informed about these
risks and thereafter, the internal auditor will proactively recommend improvements to help reduce the
risks. If the internal controls of the organization were found to be ineffective, of course the internal
auditor will then suggest stronger controls to be implemented.

There are several keywords found in the definition of internal auditing.

Independence – the internal auditor is independent and not under the control of those whom they are
auditing. Internal auditors should be reporting directly to the highest authority, for example the audit
committee on the Board of Directors. Through this, internal auditors would be free from any internal
and internal interference or obstruction and could perform their duties. Also, this ensures them the
requisite authority to access all areas of the organization and know that they will be supported if and
when their views differ from those of management. Independence ensure that the organization is held
accountable to its stakeholders.

If you can remember, when we compared internal and external auditing before, internal auditing has
lesser independence compared to external auditing because they themselves are the employees of the
organization. But then, if the leaders of the organization really want to improve then they should let the
internal auditors do their job, since they are paying internal auditors to do that.

Objectivity – it is the internal auditor’s ability to make unbiased judgment and decisions based on the
documents, processes, and programs, without an agenda, with no other motive than to find the truth
and communicate it accurately and promptly. They should assess it as what it is. This also another
reason why internal auditors should not be too comfortable with their co-employees because when
time comes that they will audit their friends, they may have conflicts of interest as their judgment may
affect their friendship. This conflict of interest is one of the biggest threats to objectivity.

Assurance – it relates to the auditors’ ability to give confidence and make statements regarding the
condition of matters within the organization. The assurance given by auditors is “REASONABLE
ASSURANCE” not absolute, because there limitations exist in all systems of internal control, and those
uncertainties and risks may exist, which no one can confidently predict with precision. Absolute
assurance is just completely impossible. So, if the internal auditors cannot give absolute assurance, how
can they be trusted? Of course, the internal auditor would display his or her professional competence or
expertise on the field, showing that she is equipped with the necessary skills for the job. Examples of this
are, of course your license as a CPA or as a Certified Internal Auditor, your trainings and work
experiences. Another thing is, which we’ve also learned before, the internal auditor act with due
professional care, which means they diligently perform, in good faith and with integrity, the gathering
and objective evaluation of evidence.

Do you remember Professional Skepticism? An auditor should have professional skepticism, a

questioning mind and a critical assessment of the audit evidence. You are not satisfied just because
everyone believes the company and its employees honest, you yourself should see it with persuasive
evidence that they really are.

Consulting – again internal auditors give suggestions and recommendations to the leaders of the
organization as to what to change and improve in the company

Designed to add value and Improve an organization’s operations – by identifying the risks and mitigate
or remove it, the organization would be able to operate more efficiently and the internal controls would
work effectively

Therefore, it will

Help an organization accomplish its objectives – since the risks are most likely eliminated or mitigated,
then there will be less obstruction for the organization to accomplish its objectives.

By bringing a systematic, disciplined approach – internal auditing is methodical, and those

methodologies are quite extensive. It provides enough direction and flexibility as a framework to
examine virtually any aspect of an organization’s operations. From planning the audit, obtaining and
evaluating evidence, and making the report. Auditing is under the Generally Accepted Auditing
Standards and Philippine Standards on Auditing, and the Auditing and Assurance Standards Council who
promulgates the said standards.3

To evaluate and improve the effectiveness – internal auditors do not just assess how an organization
operates and identifies the problems then reports it. Just what I previously stated, internal auditors help
an organization accomplish its goals and objectives.

So what exactly are those goals and objectives?

1. Risk Management – identification, measurement, assessment, and response to risks. Risk

management is a continual process not an event. So if the company performed properly, it can
be a powerful tool that enables organizations to operate at an optimal risk level that allows
them to maximize their value creation.
 2. Control – activities that mitigate relevant risks. This is why internal controls should be effective
so that control risks like employee fraudulent practices and the likes can be avoided. Example of
internal control is the separation of duties. Through internal controls, the organization would
have no need to worry or doubt their internal operations.

3. Governance processes – relates to ethical behavior by directors and others charged with the
creation and preservation of wealth for all stakeholders. This includes as to how those in charge
of governance allocates the resources and the rewards mechanisms…whether or not it is
susceptible to fraud or for the director or officer to allocate an amount to himself and disguise it
as a reward he deserve.

So the internal auditor shall make an independent and objective assessment on the
appropriateness of the organization’s governance structures…is it ethical? Is it unbiased? Does it not
only benefit a certain group of people? Is it appropriate for the betterment of the organization? So the
internal auditor shall evaluate this and will help discern what should be changed or improve.

Another part of the definition of internal auditing is to “improve an organization’s operations”. Internal
auditors before traditionally focus on the accounting and financial risk, risk of poor recordkeeping,
financial abuse, theft….meaning their focus are already on the financial aspect, but what about how the
operations are run?

When internal auditors also focus about how the operations are inefficient and ineffective, then how the
resources are used could be improved. If the quality of the production of the products and the training
for giving the services are strengthened, it will lessen the risk of reworking it again, thus lessening the
costs of services or production. If the logistics are well-managed, the delays in shipping and receiving
materials would be avoided, lessening the storage costs.

There are just so many ways to improve an organization, not just by focusing on its financial aspect and
or the safety of the wealth of an organization.

This is why Operational Auditing is born. Internal Auditors should focus on operational auditing.

So after all that, what is Operational Auditing?

OPERATIONAL AUDITING is a future-oriented, independent, systematic and business-focused evaluation

of management, and the organization’s activities controlled by management and third parties.

Like what I’ve said before, we are looking forward on the future of the organization by evaluating the
efficiency of its operations and therefore giving recommendations.

With the purpose of, of course, to improve organizational profitability and the attainment of
organizational objectives.
An example of this is when internal auditors are not only just checking whether employees are doing
their job in accordance to the policies and procedure, they are also expected to verify employee
manuals, whether these are up to date, that they are relevant, that they reflect the best way to perform
the work with regards to efficiency and effectiveness (whether the auditor thinks that there are still
areas to improve), that these documents are safe from unauthorized change, they are understood by
employees, and that the location of the internal auditor is known by employees so they can refer to
them for guidance when there are questions.

Operational audits also relates with the structure of an organization whether it is appropriate or
wasteful, whether their employees are not staying or resigning constantly (maybe something is wrong
with their Human Resource Management or work environment, which should be immediately
addressed), and whether the organization has a good relationship with their suppliers and customers
(which could greatly affect the profitability and expenditures of an organization).

With the help of operational auditors, these problems could be discovered and actions can be taken
right away. Operational auditors bring unbiased and reliable view on the company’s weaknesses.