Chapter 1: Building an Effective Internal IT Audit Function

The philosophies and guidance provided in this chapter form a foundation on which the rest of the book is built. It should be noted that while this first chapter is written from an internal auditor's perspective, the concepts and philosophies can be adapted to guide the external audit function as well. The rest of this book (certainly Part II) is essentially internal/external auditor neutral.

Why Are We Here? (The Internal Audit Department's Mission)

Before we can develop an effective internal audit department, we must first come to an understanding of the department's purpose. Why does the internal audit department exist? What's the end goal?

Is our purpose to issue reports? To raise issues? To make people look bad? To show how smart we are and how dishonest, incompetent, and corrupt the rest of the company is? To flex our muscles and show that we can do anything and tell on anyone because we report to the board of directors? Hopefully, it's obvious that none of these are the right answer. Sadly, though, you will find that many (perhaps most) internal audit departments function as if one or more of these items are the answer. Many audit departments spend their existence in adversarial relationships with the rest of the company, keeping themselves comfortably removed from and "independent" of everyone else. Unfortunately, such departments are missing the point and failing to realize the potential benefits that they could be providing to their companies.

Most audit departments were formed by the company's audit committee (a subset of the board of directors) for the purpose of providing them with independent assurance that internal controls are in place and functioning effectively. In other words, the audit committee wants a group that it can trust to be objective enough to tell it if there is anything the committee should be worried about. The committee wants to have someone it can trust to tell it what's "really going on" in the company. The committee wants someone it can trust to turn in all the evildoers in the company who refuse to implement internal controls. Internal audit departments usually report directly to the chairman of the audit committee, so they feel protected from blowing the whistle on the hordes of dishonest managers who surely have infested the company.

We cannot lose sight of this very important function. Despite the levity in the preceding paragraph, it is absolutely essential that the audit committee have eyes and ears within the company that can tell it what, if anything, it needs to be worried about. This is critical for the committee's ability to function and serve the company's shareholders. It also should be noted that most companies' audit departments dual report to an executive within the company, such as the chief executive officer (CEO) or the chief financial officer (CFO). We'll discuss later some implications of this reporting relationship, but for now, let's agree that this indicates that senior management is interested in the state of the company's internal controls, just like the audit committee. Therefore, I think we can comfortably establish that one of the internal audit department's key functions is to provide an objective body to which the audit committee and senior management can go to find out if there's anything bad going on in the company from an internal control perspective. From an IT perspective, this means that the audit committee and senior management want to be able to ask such questions as, "Are our firewalls really secure?" and "Is our plan to collaborate and share networks with our biggest rival going to expose us to any security concerns?" and believe that they will get an honest answer.

Therefore, can we say that the function of the internal audit department is to report internal control issues to the audit committee and senior management (or provide them with assurance that there are no issues)? The answer is, "Sort of." This is certainly an important role for the audit department to play. However, if we stop there, we are not getting the whole picture. We haven't totally missed the boat; it's more like we showed up as the boat was pulling away from the dock, jumped to catch it, and currently are hanging from the outside railing, holding on for dear life.

But why are we really here? What's the value of reporting issues? Merely reporting issues accomplishes nothing, except to make people look bad, get them fired, and create additional hatred of auditors. The real value comes when issues are addressed and problems are solved. In other words, reporting the issues is a means to an end. In this context, the end is to improve the state of internal controls at the company. Reporting them provides a mechanism by which the issues are brought to light and therefore receive the resources and attention needed to fix them. If I tell senior management that I discovered a hole in the wall of our most important data center, it may help in my goal of making myself look good at the expense of others, but the hole is still there, meaning that the company is still at risk. It's only when the hole is patched that I've actually done something that adds value to the company (and that's only if the company wasn't already aware of and planning to fix the hole prior to my audit).

Therefore, the real mission of the internal audit department is to help improve the state of internal controls at the company. Admittedly, this is accomplished by performing audits and reporting the results, but we must remember that these acts provide no value in and of themselves. They only provide value when the internal control issues are resolved. This is an important distinction to remember as we develop our approach to auditing and, most important, to dealing with the people who are the "targets" of our audits.


The internal audit department's goal should be to promote internal controls and to help the company develop cost-effective solutions for addressing issues.

In summary, the internal audit department's mission is twofold:

  • To provide independent assurance to the audit committee (and senior management) that internal controls are in place at the company and are functioning effectively.

  • To improve the state of internal controls at the company by promoting internal controls and by helping the company to identify control weaknesses and develop cost-effective solutions for addressing those weaknesses.

The rest of this chapter will discuss how this mission can be accomplished most effectively, specifically for the IT audit function.


You will see that the term internal controls is used frequently throughout this chapter. Internal controls, stated in the simplest terms, are mechanisms that ensure the proper functioning of processes within the company. Every system and process within the company exists for some specific business purpose. The auditor must look for risks to that purpose being accomplished and then ensure that there are internal controls in place that mitigate those risks. We will dedicate some time in Chapter 2 to delving into the real meaning of this term.

