Primary navigation:

QFINANCE Quick Links
QFINANCE Reference
Add the QFINANCE search widget to your website

Home > Auditing Best Practice > Has Financial Reporting Impacted on Internal Auditing Negatively?

Auditing Best Practice

Has Financial Reporting Impacted on Internal Auditing Negatively?

by Andrew Chambers

Executive Summary

  • At the turn of the millennium, the internal auditing profession sought to formally broaden its role for internal audit by embracing “consulting services” that went beyond its traditional assurance role. This move was almost immediately challenged by the collapse of Enron and other large corporations, which led to stockholders and boards demanding more focus not only on the internal audit assurance role but also, more specifically, on the assurance of internal control over financial reporting—at the expense of assurance on operational effectiveness and efficiency and assurance on compliance with laws, regulations, and policies.

  • Since then, internal audit has often been commandeered into discharging what should be management’s role—for instance, to comply with Section 404 of the Sarbanes–Oxley Act (2002)—whereas the proper internal audit role should be to audit the compliance work that management has done. A better balance is now being achieved, not least as the Sarbanes–Oxley compliance requirements become bedded into companies as well as becoming slightly less onerous.

  • The storm that hit the US corporate sector at the turn of the millennium was a salutary reminder of the importance of effective assurance auditing and the need for this to be done in depth. However, it is not only (or even primarily) in financial and accounting matters that assurance is needed. Entities achieve their objectives mainly in the operational areas of their businesses, and they need assurance that operations are effective and efficient. They also need assurance that laws and regulations are being complied with, for instance with regard to the security of personal data in IT.

  • Entities can also benefit from the consulting services that internal audit is able to offer, but internal audit is still neglecting these activities by focusing disproportionately on the internal control of financial reporting.

Internal Audit’s Consulting Role

It was unfortunate that the Institute of Internal Auditors (IIA) released its first consulting Standards, to add to its already existing assurance Standards, at exactly the time when Enron collapsed. “Implementation Standards” set out how the “Attribute Standards” and “Performance Standards” should be applied in the context of either assurance or consulting work. In 2007 the IIA announced that it had no plans to release further sets of “Implementation Standards.”1

In spite of its bad timing, the release of the consulting Standards was a natural development in the evolution of internal auditing, albeit not one that gained universal approval. This development was the principal driver behind the release in 2000 of a completely revamped set of Standards (effective January 1, 2002) to replace the IIA’s original Standards that had remained unaltered, except in one or two minor details, since their release in 1978. The main need for new Standards arose from a widely held perception that the old Standards had ceased to describe either what constituted contemporary best practice in internal auditing or, indeed, how internal auditors spent much of their time. Faced with this challenge, the IIA set out to determine the nature of internal auditing as it currently was. Prior to developing the new Standards the IIA invested much effort, including two exposure drafts, in achieving an agreed new definition of internal auditing. The new Standards were then modeled around this new definition (see Optimizing Internal Audit).

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”2

Prior to this definition and prior to the new Standards, internal auditing had been perceived as an assurance service, but now “consulting activity” was added. Some say this definition gives the consulting role equal weight to the assurance role (for example, “the definition gives equal consideration to both assurance and consulting activities”)3. The fundamental challenge was to determine whether all the non-assurance activities that engaged internal auditors’ time should continue to be regarded as noninternal audit work or whether they should be brought within the definition of internal auditing. The latter was decided upon. This was hardly surprising as throughout the 1990s there had been some skepticism as to the value of internal auditors’ assurance work and a view that their role in providing consulting services was much more constructive and added much more value.

Back to Table of contents

Further reading



  • The Institute of Internal Auditors:
  • This Florida-based website is a fund of information. In particular: Sarbanes–Oxley Section 404: A Guide for Management by Internal Controls Practitioners (2nd ed., January 2008) at The Institute’s bimonthly membership newsletter, AuditWire, is available in electronic form to IIA members and subscribers on its website and via e-mail. The IIA runs Global Audit Information Network (GAIN)—a very effective and economic online benchmarking service for internal audit functions. More information at

Back to top

Share this page

  • Facebook
  • Twitter
  • LinkedIn
  • Bookmark and Share