Internal audit

This is Information Sheet 221 (INFO 221). It provides guidance to assist organisations that are considering whether to have an internal audit function, and to ensure the quality of this function. It may be relevant to directors and audit committees of entities subject to the ASX principles.

This information sheet explains:

• what internal audit is
• what the ASX Corporate Governance Principles say about having an internal audit function
• how to maintain the internal audit function's independence
• how the quality of internal audit work can be assured
• where to get more information.

What is internal audit?

An internal audit function can contribute to corporate governance by providing an organisation's directors and audit committee with independent reviews of, and suggestions for, improving the design and operation of the organisation’s:

• financial and non-financial control environment
• processes for identifying and monitoring risks
• governance processes.

Internal audit can be an important element in the control environment of organisations and can contribute to more effective risk management.

What do the ASX Corporate Governance Principles say about having an internal audit function?

The ASX Corporate Governance Principles and Recommendations (PDF 2.2MB) state that if a listed entity does not have an internal audit function, they need to explain the reason for this. Additionally, they should explain how risk management and internal control processes are managed, evaluated and continually improved in the absence of an internal audit function.

How can internal audit be independent?

In order to ensure the independence of the internal audit function from management:

• the internal audit function should report directly to the audit committee, rather than the management of the organisation
• the internal audit charter and plan should be reviewed and approved by the audit committee, who should also receive and review reports on internal audit engagements, and monitor the performance and independence of the internal audit function
• while the internal audit budget may be set with the chief executive officer, the appropriateness of the budget should be reviewed by the audit committee.

Internal audit services may be provided by employees, external service providers or a combination of the two. However, the external auditor should generally not also provide internal audit services to the same organisation.

How is the quality of internal audit work assured?

Internal audit should maintain a quality assurance and improvement program, including workpaper reviews and performance evaluations. Periodic external reviews of internal audit may also be appropriate.

Where can I get more information?

• The Institute of Internal Auditors Australia
• Internal Audit in Australia – a publication by the Institute of Internal Auditors Australia.
• International Standards for the Professional Practice of Internal Auditing

Important notice

Please note that this information sheet is a summary giving you basic information about a particular topic. It does not cover the whole of the relevant law regarding that topic, and it is not a substitute for professional advice. We encourage you to seek your own professional advice to find out how the applicable laws apply to you, as it is your responsibility to determine your obligations.

You should also note that because this information sheet avoids legal language wherever possible, it might include some generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases, your particular circumstances must be taken into account when determining how the law applies to you.