Every employee must implement our system of internal control in his/her responsibility area.

Welcome to One Internal Auditor

Internal auditing is the service to the governing body (board of directors) of an organisation that provides consulting (advice) on adequate internal control and assurance (independent assessment) on the implementation of that adequate internal control.

The governing body (board of directors) of an organisation is who the buck stops with and who establishes internal control in an organisation.

It is an insult to say internal auditing is auditing because that refers to only part of the mandate of internal auditing. It also opens the way to a situation where one is assessed without knowing what one is assessed on.

Independent assessments follow this pattern:

Competent internal auditing understands that if the subject has no idea what the criterion is, then it is meaningless to continue with the assessment and claim credit for how many wrong things one discovered.

That is why the consulting mandate is important, to ensure that what is assessed is what is expected rather than what is hoped for.

It is also an insult to say internal auditors are jacks of all trades and masters of none. Such remark betrays a lack of uderstanding of what the area of expertise of internal auditing is and what one should expect from internal auditing.

The area of expertise of internal auditing, its scope, is internal control and only internal control.

The governing body (board of directors) of an organisation is expected to exercise even more care to the affairs of its organisation than to the respective affairs of its respective members.

That means the governing body (board of directors) of an organisation must anticipate and address all opportunities and threats to the mission of the organisation.

Those opportunities and threats constitute the risk universe of the organisation, also known as the environment the organisation operates in.

For completeness, internal control consists of:

It is the governing body (board of directors) of an organisation that establishes the internal control applicable in the organisation.

An inadequate system of internal control amounts to the governing body (board of directors) of an organisation and internal auditing expecting employees to implement the wrong practices.

For this reason, the first focus of internal auditing is to provide advice on adequate internal control.

Only when there is adequate internal control may internal auditing provide independent assessment on the implementation of internal control.

The 'independent' in independent assessment implies that employees have already conducted self (internal) assessments.

The implementation and assessment are continuous, not continual, activities.

The implementation and assessment must cover the whole organisation, all the time. In other words, anything other than continuous full coverage is meaningless.

One Internal Auditor provides a default risk universe. Nevertheless the governing body (board of directors) of an organisation may and must modify it for its own purposes because it is what separates one organisation from the next.

The aim of adequate internal control is to ensure that risks (the opportunities and threats) facing the organisation are identified and addressed at the level at which they arise, with appropriate supervision and oversight.

Internal audit stakeholders consist of two groups:

Oversight body members consist of:

Regarding oversight body members:

Employees consist of:

What this means is that an employee has access to internal control information of:

What a particular employee has access to constitutes the area of responsibility of that employee.