Internal audit should monitor that any weaknesses identified are also addressed. In this section, we show you how.

Principles and approach


As an internal auditor, you should have the freedom to fulfil your responsibilities as you see fit. You must decide what subjects you audit and when, what issues you raise and what rating you give.

Directors and managers can influence you, but shouldn’t be able to overrule you, either directly or through indirect pressure.

The head of internal audit (HoIA) should have access to the board and chief executive as and when required.

If the internal audit department’s independence is – or could be deemed to be – compromised, you should notify the audit committee so that it can either accept the risk or ask for it to be managed differently.


The same conclusions and opinion should be reached by any professional internal auditor reading the evidence on file. You should ensure that your objectivity isn’t compromised, and can’t be challenged, because of personal or business relationships.

If you believe that your objectivity is – or could be deemed to be – compromised, you should notify your manager. The manager can then take appropriate action by removing you from the audit or increasing oversight, or raise it with the HoIA to accept the risk.

There are many definitions of internal controls. For more details, visit either the Institute of Internal Auditors (IIA) website or the Committee of Sponsoring Organisations (COSO) website.

These definitions essentially describe the safeguards and activities that ensure that good things happen (ie objectives are achieved) and that bad things are avoided or reduced and/or their impact minimised (ie risks are managed).

Similarly, there are many definitions of risk. A risk is something with a potentially negative outcome. It’s often expressed as its likelihood × its impact. For an organisation as a whole, the total risk may be expressed as the cost of expected losses. Within financial services, this should also include the cost of the capital required to cover unexpected losses.

Risk appetite is the maximum level of risk that the organisation is happy to be exposed to. This may be set in terms of expected/unexpected losses, key risk indicators (KRIs) or limits.

Organisations have to take risks, but they must also control them. Internal audit assesses how risk appetite is set, although it’s unlikely to challenge the actual risk appetite set, unless this is extreme.

Internal audit will only fully achieve its objectives if the weaknesses identified are addressed and risk becomes effectively managed.

Hints and tips