Internal Audit

What is Internal Audit?

Unless you are an Internal Auditor or are audited by Internal Auditors, most people do not know what Internal Audit is.

Often when an Internal Auditor tells someone their occupation the first reaction is “oh so you’re an accountant”. The answer is ‘no’, very rarely do we deal with accounts.

To try and expand on what Internal Auditor’s do we will often reply “actually we look at systems and processes”. This simply leads to the further wrong conclusion that “you work in IT?”. Again the answer is ‘no’, although there are specialist IT Auditors who will audit IT systems.

The best example to use is probably that Internal Auditors are like Health and Safety Officers, although we look at procedures, processes, systems, controls and risks, rather than physical elements of risk.

All government agencies are required to have Internal Audit and whilst it is not statutory for other organizations and companies, it is seen as good practice to have an Internal Audit function. This function could be an in-house team or outsourced to a contractor such as RSM Tenon.

What does Internal Audit do?

The short technical answer is that Internal Audit helps organisations to achieve their objectives; we do this by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of Risk Management, Control and Governance processes.

To simplify and expand on this explanation we can break down what we do into the following parts:

• We look at specific areas within an organisation and talk to the Director or Senior Manager to get a high level view of what they do and how what they do helps the organisation to achieve its objectives.
• We talk to senior and junior Managers to find out what might prevent them from meeting their areas objectives, we call this identifying the risks.
• We find out what processes (we call these controls) are in place and actions that people carry out to either reduce the change of the risk happening or to reduce the impact. This is something that we do in our own lives on a daily basis e.g. we want to cross the road; there is a risk that we might get run over, the actions we take to reduce this risk might be to use a pelican crossing and to look and listen etc.
• Once we have identified the controls we use our judgment to make sure that they fit the risk (they are designed well) and we check to make sure that the control processes are being followed (they are applied).
• We discuss the results of our investigations with the head of the service area we are reviewing and where we think the controls need improving we make recommendations.
• Finally we write a report which is circulated to senior Management and the Board, in the report we provide an assurance which is where we tell the Board what we have found and state whether, in our opinion, the controls in the service area are well designed and applied and the likelihood that that area will meet its objectives.

It’s really important for a Board of Directors to have a report from us because we are not involved in the running of the organisation and we can give them an independent view of what’s going on and how well the risks in the organisation are being managed.

What would I do?

As an IA graduate you have to think, and learn, fast. You’ll start off helping senior auditors and managers with their audits – performing key tests, researching, and writing reports; but it won’t be long before you’re running audits yourself, with all the responsibilities that come with working autonomously.

IA gives you an overview of many aspects, of a number of different types of organisations. You’ll get to learn about a wide variety of organisations, and all the aspects/departments that help them run smoothly. You can expect to be constantly challenged, but with a framework of support from colleagues who are there to ensure you not only succeed when challenged, but that you do so with growing confidence. Overall, you can expect to work hard; but find the work varied, interesting and rewarding.

What is a typical day?

There’s no typical day as an IA graduate: and that’s what makes it so challenging, and so exciting. You will constantly find yourself moving from client to client, looking at different organisations, and focusing on different areas. There will be days when you have long tests to do on financial data. Days when you need to research how a process is completed by an organisation. Days when you will be attending meetings with colleagues and/or clients. Days when you will be writing reports from the office or from home. Then there will also be days when, just like at university, you have to go to lectures and study.

What would Internal Audit expect from me?

We find that most graduates applying for positions in Internal Audit generally have a Business related degree. However, we have also had graduates with a range of degrees. A business degree is probably the most helpful as it would have usually provided a good grounding in being able to quickly understand an organisation and to take a more practical approach to audit reviews.

You need excellent people skills and to be confident in meeting and talking to everyone, from the guy that works in the post room at a Council, to the Director of Resources at a charity. The more personable you are the more you get from your ‘auditee’ and the easier your job becomes.

For the majority of the time Internal Auditors work autonomously and therefore need to be really self motivated and because we can be working at a different place every day of the week you need to be highly organised.

It is also necessary to have the capability to pick up new things easily, so as to readily understand the new organisation, function and operations you are auditing and therefore some prior research on the Internal Auditors part would normally be required.

Internal Auditors also need to be able to work to stringent budgets, i.e. an allocated number of days to complete an audit, and to tight deadlines, so as to provide clients with timely products, i.e. internal audit reports.

What can I expect to be doing 6 months to 2 years down the line?

6 months after starting work, you can expect to have begun studying for whichever qualification you have chosen to take. You will be working semi-independently, with a firm support network around you.

A year down the line, you will be well underway with your qualification, with a more in depth knowledge of processes. You will be working almost totally independently, running full audits on your own. However, if you need them, your senior management team will be there to help.

2 years down the line, you will be part-qualified, and able to work almost completely independently. Although there will always be support available for you, it will be rare that you will have to use it.

What qualification can I study?

The most relevant qualifications for Internal Audit and the ones that we would prefer our Internal Auditors to study are the qualifications offered by the Institute of Internal Auditors – UK and Ireland.
The initial qualification is the Diploma in Internal Audit which consists of 5 study modules with written exams at t he end and two skills modules. This qualification is very relevant to the work you would be doing and is a huge help to in learning the ropes.

Having completed the Diploma you can then study for the advanced Diploma or you could do a computer auditing course.

How long will I be training for?

The IIA Diploma takes about 2 years depending on how many modules are taken during each 6 month period.