Primary navigation:

QFINANCE Quick Links
QFINANCE Reference
Add the QFINANCE search widget to your website

Home > Auditing Best Practice > The Internal Audit Role—Is There an Expectation Gap in Your Organization?

Auditing Best Practice

The Internal Audit Role—Is There an Expectation Gap in Your Organization?

by Jeffrey Ridley

Executive Summary

  • Every internal audit role should be established with a charter approved and reviewed annually at board level.

  • The internal audit charter should describe the internal audit role in the organization it serves, including its purpose, authority, responsibility, and relationships with external organizations.

  • The internal audit charter should be promoted across the organization at all levels and as appropriate across its supply chains and to its stakeholders.

  • Internal audit should have measures in place to demonstrate its level of performance to the organization.

  • Expectation gaps at organization and individual customer levels should be identified, and all performance measures continuously monitored if the full added value of the internal audit role is to be achieved.

  • New dimensions of the internal audit role in an organization should be continuously explored to ensure that it is at the cutting edge of its professional attributes and in its performance.


Establishing the internal audit role in any organization requires formality to ensure that it is understood not only by the board and management but also by its customers across the organization and, where necessary, those external to the organization. The internal audit assurance and consulting role should be explained clearly in a charter to minimize any expectation gaps at board and organization levels. When the role is being established, it is important that internal audit management should have an input into the formal process through discussion with the board and senior management.

The Institute of Internal Auditors (IIA), as the global professional body representing internal auditing in every country, has always recommended and now requires in its Standards 1 the purpose, authority and responsibility of an internal audit activity to be formally approved and kept under review at the highest level in an organization”. In some sectors this may also be a requirement of one or more of an organization’s stakeholders, such as government or a sector’s regulator.

Purpose, Authority, and Responsibility of the Internal Audit Role


The purpose of professional internal audit is described in the IIA’s 2009 definition as:

“Internal auditing is an independent objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Key to this definition of internal auditing are the words in bold:

  • Independence of the internal audit and its objectivity are critical for all dimensions of the role practiced by the internal auditor.

  • The value it adds to improve an organization’s operations should be measured and reported continuously.

  • All its services require systematic and disciplined processes.

  • It requires a wide and deep knowledge and understanding of risk management, control and governance within the organizations it serves, across their supply chains, and with all their stakeholders.

Writers on internal auditing have been promoting its independent assurance and consulting roles since the first statement of responsibilities of the internal auditor was published by the IIA in 1947. Consultancy and training were never mentioned as such in the IIA’s statements but were implied by its scope of responsibilities. The best evidence for this is in the “objective and scope of internal auditing” in its 1957 statement:

“The overall objective of internal auditing is to assist all members of management in the effective discharge of their responsibilities, by furnishing them with objective analyses, appraisals, recommendations and pertinent comments concerning the activities reviewed. The internal auditor therefore should be concerned with any phase of business activity wherein he can be of service to management. The attainment of this over-all objective of service to management should involve such activities as:

  • Reviewing and appraising the soundness, adequacy and application of accounting, financial and operating controls.

  • Ascertaining the extent of compliance with established policies, plans and procedures.

  • Ascertaining the extent to which company assets are accounted for, and safeguarded from losses of all kinds.

  • Ascertaining the reliability of accounting and other data developed within the organization.

  • Appraising the quality of performance in carrying out assigned responsibilities.”

The 1971 revision to this statement changed the fourth activity from “accounting and other data” to “management data,” and added a sixth activity—“Recommending operating improvements.” This widened the scope of internal audit into all operations. In 1981, the statement was further changed to state that internal auditing is a service to the “organization,” not just to “management.” This brought the board and all operating levels in the organization into the internal auditing market place.

Lawrence Sawyer 2 supported the role of internal auditors as consultants (and trainers) in his 1979 writings. He draws vivid pictures of “problem-solving internal auditors” providing reviews, appraisals, communications and advice on management: “the [internal] auditor has a duty to know the functions of management as thoroughly as the manager does.” He discusses various consulting opportunities for internal auditors in the services they can provide, and he also gives recognition to internal auditors as teachers: “the internal auditor’s role as a teacher is little known, insufficiently practiced, and generally not believed or accepted.”

As the IIA scope statement was being revised, practicing internal auditors were broadening their services by increasing the number of dimensions in the role they provided in their organizations. Dr James Wilson and Dr Donna Wood3 researched the behavioral dynamics of internal auditing, recognizing seven dimensions and conflicts in the internal auditor’s role at that time (1985):

  1. Accountant

  2. Policeman

  3. Watchdog

  4. Teacher

  5. Consultant

  6. Communicator

  7. Future Manager

These dimensions and conflicts still exist in internal auditing. They should all be addressed at board level and, as appropriate, be clearly seen in its charter. They are currently seen in the IIA’s definition of internal auditing and in its Standards.4 The two roles in the definition—assurance and consultancy—are defined thus:

  • Assurance servicesare an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.

  • Consulting services are advisory and related client services, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management and control processes without the internal auditor assuming management responsibility.

The other dimensions can all be seen in these roles in practice and in the Standards and supporting guidelines.


The authority of internal audit should always lie at board level, evidenced by its reporting lines to the board and senior management and reviews of its performance at these levels. That authority may include reporting lines to the chair of an audit committee and presence at its meetings. It should also include open access to all an organization’s employees, operations, systems, records, and property.


The responsibility of internal audit should clearly state the scope of its work in the organization and its reporting requirements to the board, senior management, and customers. In some organizations this may also include reference to the internal audit role in the organization’s training programs, code of conduct, procedure for dealing with whistleblowing, and fraud prevention, detection, and investigation processes.

Back to Table of contents

Further reading


Back to top

Share this page

  • Facebook
  • Twitter
  • LinkedIn
  • Bookmark and Share