Internal auditing is fundamentally about internal controls. What are internal controls? They are processes which aim to prevent harm, sometimes called risks. If you need to cross a road, you look left and right to avoid being hit by a car. Risks exist because we have objectives, in this case, to cross a road. But since we have objectives, we also have opportunities to achieve them. If we see a subway we can seize the opportunity and cross under the road safely.

So turning that all round:

• The achievement of objectives is helped by opportunities but threatened by risks.
• The processes which maximize opportunities or minimize risks are known as internal controls.

There are two types of process that are relevant to internal auditing:

• Internal controls. These are processes which are part of the day-to-day activities of the business and their existence and correct operation is essential to the achievement of objectives.
• Decision-making. Decisions are made at all levels of an organization to seize opportunities or mitigate risks. The best decisions make an organization; the worst, break one. (Decision-making is not normally considered by internal auditors as a control but it is probably more important than 'internal controls' in the achievement of objectives)

Internal auditing checks that these processes are working to enable the achievement of objectives.

An internal audit department provides an opinion as to whether an organization is likely to achieve its objectives based on the management of opportunities and risks. In other words, do the decisions being made and the internal controls operating maximize the likelihood that objectives will be achieved?

Internal auditing used to be primarily concerned with financial systems and, possibly, computer controls. The term 'risk based internal auditing' is applied to audits decided on the basis of risks and the books available from this website use this methodology.

What’s the aim of this website?

The aim of this website, and the books and spreadsheets available from it, is to provide practical ideas on implementing internal auditing focused on the achievement of objectives. These ideas are not meant to represent ‘best practice’ but to be thought provoking.

There are four books with associated spreadsheets. Click the heading to be taken to the page giving more details, or click the navigation buttons on the left:

1. Book 1: Risk based internal auditing - an introduction. This introduces risk-based principles and details the implementation of risk based auditing for a small charity providing famine relief, as an example. It includes example working papers.

2. Book 2: Compilation of a risk and audit universe. This book aims to show you how to assemble a Risk and Audit Universe (RAU) for a typical company and extract audit programs from it.

3. Book 3: Three views on implementation. Looks at the implementation of risk based internal auditing from three points-of-view: the board; Chief Audit Executive (CAE); internal audit staff.

4. Book 4 Audit Manual. This shows the audit working papers from an accounts payable audit and therefore provides a detailed account of how a risk based audit is carried out in practice.

If you are interested in Specifying, Choosing and Implementing Computer Systems, check out my website at www.systemsimplementation.co.uk