Internal Audits

Internal audits are conducted for different reasons and with varying objectives, and each type of risk exposure an organization faces calls for a particular type of internal audit. Some audits are required by regulation or policy, while others are requested by management to help improve processes or identify internal control weaknesses.

Here are some types of internal audit:

Operational Audit:

An operational audit evaluates the performance of a particular function or department to assess its efficiency and effectiveness. Financial data may be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. Internal controls and efficiencies may be evaluated during this type of audit. Some areas of operational audits include organizational structure, processes and procedures, the accuracy of data, management and security of assets, staffing, and productivity.

Compliance Audit:

A compliance audit evaluates an area’s adherence to established laws, standards, regulations, policies, and/or procedures. Compliance audits are done because of a policy or statutory requirement. While the audit is done for regulatory reasons, the objectives are still to ensure adequate control over an important internal process.

Financial Audit:

A financial audit is a historically oriented, independent evaluation performed for the purpose of attesting to the fairness, accuracy, and reliability of financial data. The central objective is to ensure that the financial activity of the department, unit, or area is completely and accurately reflected in the appropriate financial reports.

Follow-up Audit:

These are audits conducted approximately six months after an internal or external audit report has been issued. They are designed to evaluate corrective action that has been taken on the audit issues reported in the original report. The purpose of a follow-up audit is to revisit a past audit’s recommendations and management’s action plans to determine if corrective actions were taken and are working, or if situations have changed to warrant different actions.

Investigative Audit:

This is an audit that takes place as a result of a report of unusual or suspicious activity on the part of an individual or a department. It is usually focused on specific aspects of the work of a department or individual. Investigations are conducted to determine the extent of loss, assess weaknesses in controls, and make recommendations for corrective actions.

IT Audit:

An Information Technology (IT) audit evaluates controls related to the institution’s automated information processing systems. The information technology audit function develops audit programs to assess, evaluate, and make recommendations to management regarding the adequacy of internal controls and security inherent in an organization’s information systems, and the effectiveness of the associated risk management. The goal is to ascertain that IT systems are safeguarding assets, maintaining data integrity, and efficiently operating to achieve business objectives.

Management Audit:

Management audits, also called performance audits, are internal consulting projects. Because an internal audit is an activity independent of management, it is often an excellent resource to provide independent and objective insight on the efficiency of business processes. Management can request internal auditors to review a business process, organization, or strategy, and the auditors do not have to worry about backlash from management. A common management audit is a review of organizational structure, such as having an internal audit look at how administrative work is divided among divisions and whether there are opportunities to be more efficient.

Other types of internal audits would include the integrated audit, which is a combination of the IT Audit and the Operational Audit.