Internal Audit is part of the management control system in an organisation. It is an internal appraisal service, established by the management of an organisation, which reviews the internal control system. It should objectively examine, evaluate and report on the adequacy of internal control as a contribution to the efficient and effective use of resources. The internal audit function should provide an unrestricted range of coverage of the organisation's operations. The internal auditors should have sufficient expertise as well as authority to allow them free and unrestricted access to such assets, records and personnel as are necessary for the proper fulfilment of their responsibilities and to report to the board where they feel it is necessary.
Across the public sector, key requirements for the internal audit function remain mostly the same.
In State bodies, the Code of Practice for the Governance of State Bodies 2016 requires that each State body have a properly constituted independent internal audit unit or engage appropriate external expertise. Where the size or the risk to the State body does not warrant a separate internal audit unit, access to such a unit should be put in place through a joint venture or client arrangement with another State body, or some other appropriate arrangement. Overall, the internal audit unit is responsible for the effective review of both internal control and risk management. However, the existence of the internal audit unit does not relieve line management of its responsibility for effective control of the activities for which it is responsible.
Some of the key requirements for the Internal Audit function for State bodies include:
- The independence of the internal audit unit from the activities it audits is crucial. Internal audit should be able to make unbiased judgements and provide impartial advice to management.
- The internal audit unit should have unrestricted access to all functional areas, records (both manual and electronic), property, and personnel in the performance of its audits and have the right to review all the management and control systems both financial and operational.
- The internal audit's annual programme of audits should be drawn in consultation with the Audit and Risk Committee. It should have regard to the Statement of Strategy and Risk Management policy.
- The internal audit unit must demonstrate objectivity, comprehensiveness and relevance to management, the Audit and Risk Committee and the Board in respect of the areas to be audited and the respective priorities for these audits within the programme.
- The internal audit unit must adhere to the Code of Ethics and International Standards of the Institute of Internal Auditors or equivalent professional standards.
In 2012, the Department of Public Expenditure and Reform published an information note on the IIA Standards for Central Governments. The information note declares that the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing (IIA Standards) should apply across all Departments and other Vote Holders. The note highlights key elements of the Standards.
The note highlights that, in central Departments, Internal Audit has an important role in providing the Accounting Officer with assurances on the adequacy of control systems and procedures including internal controls, risk management and governance arrangements.
In local government as well, the role of the internal audit function is to provide a critical and independent opinion on the adequacy and effectiveness of the control framework across the organisation. As part of the overall governance and control environment in the council, it provides audit assurance that all significant operating risks are identified, managed and controlled effectively. Here again, the internal audit function is independent in the performance of its duties and in its reporting arrangements.
The Governance Code for Charities describe the internal audit function as the organisation’s self-examination. It analyses the activities, processes and procedures of a business. The internal audit function identifies weak links in an organisation’s systems as well as opportunities for improvement. It also acts as a feedback mechanism for the management and board. In the code as well, the independentce for the internal audit process is stressed.
The Code advises that the audit committee reports to the board on the work of Internal Audit. It stresses that it is important for the organisation to make sure that there is clarity about the:
- activities; and
- responsibility and performance of the internal audit function between board, audit committee, CEO and senior management.