Audit, Auditor and Auditing: Definition, Meaning, Internal Report – What is Auditing?
1. (Economics, Accounting & Finance / Accounting & Book-keeping)
a. an inspection, correction, and verification of business accounts, conducted by an independent qualified accountant
b. (as modifier) audit report
2. (Economics, Accounting & Finance / Accounting & Book-keeping) US an audited account
3. any thoroughgoing check or examination
4. Archaic a hearing
1. (Economics, Accounting & Finance / Accounting & Book-keeping) to inspect, correct, and certify (accounts, etc.)
2. (Social Science / Education) US and Canadian to attend (classes, etc.) as an auditor
[from Latin audītus a hearing, from audīre to hear]
v. au·dit·ed, au·dit·ing, au·dits
1. To examine, verify, or correct the financial accounts of: Independent accountants audit the company annually. The IRS audits questionable income tax returns.
2. To attend (a course) without requesting or receiving academic credit.
Meaning of Internal Auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Internal auditing is a catalyst for improving an organization's effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.
The scope of internal auditing within an organization is broad and may involve topics such as the efficiency of operations, the reliability of financial reporting, deterring and investigating fraud, safeguarding assets, and compliance with laws and regulations.
Internal auditing frequently involves measuring compliance with the entity's policies and procedures. However, internal auditors are not responsible for the execution of company activities; they advise management and the Board of Directors (or similar oversight body) regarding how to better execute their responsibilities. As a result of their broad scope of involvement, internal auditors may have a variety of higher educational and professional backgrounds.
Publicly traded corporations typically have an internal auditing department, led by a Chief Audit Executive ("CAE") who generally reports to the Audit Committee of the Board of Directors, with administrative reporting to the Chief Executive Officer.
The profession is unregulated, though there are a number of international standard setting bodies
Internal Auditors explanation and FAQ`s
Who are internal auditors?
As defined by the Institute of Internal Auditors (IIA), "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Internal Auditors' roles include monitoring, assessing, and analyzing organizational risk and controls; and reviewing and confirming information and compliance with policies, procedures, and laws. Working in partnership with management, internal auditors provide the board, the audit committee, and executive management assurance that risks are mitigated and that the organization's corporate governance is strong and effective. And, when there is room for improvement, internal auditors make recommendations for enhancing processes, policies, and procedures."
Why does Cornell have an internal audit function?
The University Audit Office exists by charter and by-law to assist University management and the Audit Committee of the Board of Trustees in effectively fulfilling their responsibilities. We are charged with examining and evaluating the policies, procedures, and systems which are in place to ensure: the reliability and integrity of information; compliance with policies, plans, laws, and regulations; the safeguarding of assets; and, the economical and efficient use of resources.
Where does the audit function fit in the organization?
The University Auditor has a solid-line reporting relationship to Cornell's President and the Audit Committee of the Board of Trustees.
What's the difference between external and internal auditors?
External auditors can be government auditors or independent public accounting firms that Cornell hires. Government auditors focus primarily on compliance with government regulations and award terms. Since both federal and state governments fund a significant portion of the university's activities, they want to make sure we use their money as they intended.
Independent public accounting firms review the university's annual financial statements to ensure the information presented accurately portrays Cornell's financial condition. Government agencies, Cornell's Board of Trustees, and bond rating agencies rely on the independent auditor's opinion of Cornell's financial statements.
Internal auditors sometimes look at the same data or perform some of the same steps as external auditors. If there is a problem, it's better to find it and fix it before external auditors review our practices.
What if an external auditor contacts you?
All external audits should be coordinated through the University Audit Office or Sponsored Program Services. If you or your unit is contacted by an external auditor, before sharing any information, direct them to contact the University Audit Office or Sponsored Program Services. We can sometime dissuade an audit or at least minimize the impact on an operation.
Remember, internal audit is on your side and can help you get through an external audit.
How are units selected for audit?
Every two years, the University Audit Office helps determine where Cornell risks failing in its mission due to internal procedural deficiencies. First, the university is broken down into areas of institutional concern, such as Sponsored Research, and auditable activities such as units, departments, cost centers, subsidiaries, information systems or processes. Next, relevant risk factors such as control environment, reputation/legal impact, and operations impact are weighted. Institutional concerns and auditable activities are then scored using these factors and the audit office decides which areas to audit based on these risk rankings and the audit resources available.
What are internal auditors looking for?
Primarily compliance with university policies and sound internal controls. Cornell's policies are designed to help ensure we all comply with applicable laws and regulations and operate efficiently. By following these policies we help protect the university from unnecessary risks and help ensure sound business practices are consistent throughout the university. However, not all internal controls can be codified in policy. If we find control weaknesses, we regularly make recommendations to implement a control even though it may not be specifically required by policy.
What if something isn't handled correctly?
We will make recommendations for improvement. The recommendations are realistic because we want you to implement them. It is the responsibility of management to weigh possible additional costs of implementing our recommendations in terms of benefits to be derived and the relative risks involved.
Is the Audit Office part of the Division of Financial Affairs?
No, the Audit Office works independently of the Division of Financial Affairs. Our office has a solid-line reporting relationship to Cornell's President and the Audit Committee of the Board of Trustees.
Can a department request an audit?
Yes! We consider requests for audit work, although our ability to perform the audit might be affected by our staffing levels, or year end deadlines. Still, if you are concerned about an area in your department, we will try to make time for a limited examination of the area.
How long does an audit take?
We budget between 200 and 600 hours for a typical audit, depending on the size and complexity of the area. We normally have one auditor leading the audit, and auditors will sometimes have more than one audit in process at a time, so an audit could take from two months to six months to complete.
During the audit opening meeting, we will discuss the audit schedule and try to accommodate time constraints that you may have. Although 200 to 600 hours looks like a lot of time, much of our work is done behind the scenes. Many people operate under the erroneous belief that in doing an audit we will spend lots of time with you and take time away from your other obligations. We may need to meet key personnel on the audit two or three times for maybe an hour at a time over the audit period. We may spend equal amounts of time, and perhaps less, with others in the department, but we will not be monopolizing anyone's time in the department and much of our work such as audit planning and report writing, is done in our offices.
Who will receive copies my audit report?
We send copies of audit reports to the department administration, the President, the Vice President for Finance and CFO, the Controller, the external auditors and to others, depending on the type of audit. Reports on academic units are sent to the Provost. IT audit reports go to the Vice President for Information Technologies. Reports on irregularities are sent to University Counsel, and may be sent to either the Dean of Faculty, Vice President for Human Resources, or the Judicial Administrator depending on if they involve faculty, staff, or students.
Does the Board of Trustees see what is in the audit reports?
We prepare an annual report for the Trustees containing a dozen or so of the most significant findings or systematic issues from our audits for the year.
Who audits the Audit Office?
Excellent question! Actually, we are audited every five years by other auditors under guidelines set forth by the Association of College and University Auditors. This "peer review" process draws upon the standards and guidelines set forth by the Institute of Internal Auditors in their International Standards for the Professional Practice of Internal Auditing. The peer reviewers typically include auditors from other universities, public accounting firms, or specialists in an audit area and they issue a report with findings and recommendations, just as we do when we audit university units.
If I call you with information about a possible irregularity, will my identity be kept a secret?
This is a hard question to answer without knowing whether or not the specific circumstance you are reporting will end up in legal action. As a general rule, we do not reveal our sources to the person being investigated. And we always try to corroborate any accusations with our own observation. If an irregularity is referred to the District Attorney for legal prosecution, and your testimony would be critical to the outcome of the case, it may become necessary to involve you in the irregularity. In addition, the Cornell Hotline provides for anonymous report of financial irregularities.
Things not to say in an auditing Internal Report
Don’t say, “Management should consider…”
Audit reports should offer solid recommendations for specific actions. When our recommendation is merely to “consider” something, even the most urgent call to action can become nebulous. No auditor wants a management response that says merely, “Okay, we’ll consider it.”
Don’t use “weasel words.”
It’s tempting to hedge our words with phrases such as “it seems that” or “our impression is” or “there appears to be.” It may feel safer to avoid being specific, but when you have too many hedges, particularly in the same sentence, there’s a danger that you are not presenting well-supported facts. Report readers need to know they can rely on our facts, and over-use of weasel words can make solid recommendations sound a little too much like hunches.
Use “intensifiers” sparingly.
Because they can add emphasis, words such as “clearly,” “special,” “well,” or “very” might seem to be the opposite of weasel words. In actuality, these intensifiers are so non-specific that they can be another type of “weaseling.” Intensifiers raise questions such as “Significant compared to what?” and “Clearly according to whose criteria?” If you use intensifiers freely, two readers of the same report may be left with very different impressions: Numbers such as 23 percent or $3 billion tell a story, but just what does “very large” mean?
The problem is rarely universal.
It’s good to be specific, but there’s a danger in words such as “everything,” “nothing,” “never,” or “always.” “You always” and “you never” can be fighting words that can distract readers into looking for exceptions to the rule rather than examining the real issue. It’s safe to say you tested 10 transactions and none were approved — less safe to say transactions are never approved.
Avoid the “blame game.”
The purpose of internal audit reports is to bring about positive change, not to assign blame. We’re more likely to achieve buy-in when our reports come across as neutral rather than confrontational. The goal is to get to the root cause rather than to call out the name of the guilty party. It’s fine for a report to identify the party responsible for taking action on a recommendation — not so fine to say, “It was Fred’s fault.”
Don’t say “management failed.”
Making statements such as “Management failed to implement adequate controls” will invariably annoy those to whom we are looking to implement corrective actions. Simply stating the condition without assigning blame through words like “fail” is much more likely to result in the needed corrective actions and help preserve our relationship with management for the next time we conduct an audit of their area.
“Auditee” is old-school.
A few years back, people undergoing an audit were most often referred to as “auditees.” Today, many experts believe that the phrase has negative connotations and that “auditee” implies someone who has something done to them by an auditor. Internal audit has become a collaborative process, and terms such as “audit client” and “audit customer” indicate that we are working with management, not working on them.
Avoid unnecessary technical jargon.
Every profession needs a certain amount of technical jargon, but the more we can avoid audit-speak, the more we can be sure that the message is clear. If you use more than one phrase such as “transactional controls,” “stratified sampling methodology,” or “asynchronous transfer mode” on a single page of an audit report, don’t be surprised when some of your readers check out without reading to the end of the report.
Avoid taking all the credit
It is tempting in audit reports to use phrases such as “internal audit found” or “we found.” Management will often bristle that you are taking credit for identifying something that wasn’t all that well concealed. It comes off like you threw them under the bus, and then backed over them.
If it sounds impressive, you probably need a re-write.
Work to get readers to remember your recommendations and take action — not to impress with pompous words or bloated phrases. Avoiding jargon is only the beginning: Try substituting “by” for “by means of,” “now” for “at the present time,” and “so” for “so as to,” for example.
I like to use the fifth-grader test: If an intelligent middle-schooler couldn’t understand your report, it may be needlessly complicated. Take, for example, this sentence from an actual internal audit report that basically just says little things can add up:
“During the aforementioned examination of the accounts undertaken by the internal auditors, the team evaluated the cumulative impact of individually immaterial items and in doing so relied on the assumption that it was appropriate to consider whether such impacts tended to offset one another or, conversely, to result in a combined cumulative effect in the same direction and hence to accumulate into a material amount.”