Internal auditing, it is not a new term for the world of organization. The concept of internal audit is old like 5000 years, at that time people of civilized communities which were economically and politically stable used this approach to check effectiveness of their taxes and businesses so they can check errors and safe the state property from dishonest taxpayers.

In modern world especially in the United States this approach rise after the Second World War and steadily growing. Internal audit has much similarity with financial auditing and a number of theories are derived from management consulting and public accounting.


“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Internal audit is a preventive action of a company and it is done by the professionals or experts of that company. These professionals called internal auditor and they evaluate internal control system of the company. This study or audit report is submitted to management and from this report they can take steps for improvements. In requirement part of ISO 9001:2000 it is found in the monitoring and measurement section which gives idea that it is an activity that measures implementation of quality management system.

Scopes and objectives of internal auditing:


The main objective of an internal audit in the company is to improve quality and reduce risk by evaluating the effectiveness of process. Other than this internal audit is done for checking financial and operating information’s reliability, to safe assets from loss, resource management, established process or program me is following its objective and compliance with policies, laws and regulations, identification which area needed improvement, verification of cGMP compliance.


Internal audit’s main scope is assuring quality in respected area which is under the audit procedure. Design, approval and evaluation of product should comply with GMP. Ensure quality in GMP implementation, performance of staff, feedbacks. Include documents, instruction and records and covering all parts of GMP.

Principles and Requirements of internal audit:

As per ISO 9000 standards require maintenance of document evidence for internal audit process. Document evidence must include: who is executing the internal audit, which department is under the audit, describing whole process, supervision after internal audit plan and where the results are documented.

These are the some common principles that applied at the time of internal audit implementation.

Internal audit is independent and evidence based approach.

All activities of internal audit should be reviewed by independent party, have a sampling and tracking line and they are open and constructive.

Insure all resources are available before starting audit.


Auditor is a employee of the company with sufficient experience and background who conduct the internal audit. Though he is an employee of the firm he has to audit his colleagues and their performance and for this he has some abilities that audit results are not affected by his personal relation. For this he has to be ethical, open minded, diplomatic, observer, versatile, persistence, decisive and independent.

Patience is needed in auditing and so the auditor must be cool and need to see what the actual situation in the organization. Generally people don’t like to be audited and for this he makes lot of effort psychologically to get the real answer and avoid the conflict. In the audit period he has main one objective – put the real status of the organization to top management.

Internal Audit process:

For successful audit it is required effective communication between management and auditor. To obtain effectiveness and in time audit it is necessary that auditor do not go depth in every item and take a quick overview and focus on the parts which do not comply with the company policies.

Every audit is unique; the audit process is containing these four stages which are commonly found in every audit:

Planning of audit ( review and preliminary phase)

Performing an audit ( field work phase)

Audit report ( documentation phase)

Change implementation ( follow-up phase)

1. Planning of an audit (review and preliminary phase)

In the stating of an audit management do a meeting to plan about auditor that who will handle the audit, objectives and scopes of an audit, which area should be cover under the audit, which criteria should be considered, gather information about important processes, prepare paper work and distribution of audit plan.

2. Performing an audit (field work phase)

After planning now it is time to implement audit procedure but there is no common way that auditor perform the audit. An auditor should looking what is requirement, which way the process can be improved, gathering and analyzing information and making best conclusion on his effort.

Keep in mind that internal audit is not always done for the improvement or find out defects, it also recognize individuals who are putting their outstanding efforts.

The following procedure is generally followed in each audit:

In starting of audit process the auditor first make a meeting with the head of area which is going to be audited, explaining him scope and objective of this effort and making him relax for the audit.

Auditor will study all processes carefully and their outcome, here auditor checking that processes is operating in conformance of company’s quality management system.

He gathers information by asking open-ended question about process and personal competence.

Auditor make notes about data he got during the various point of audit process.

Auditor analyzes all the data he found and ask himself that is process running in compliance with company’s policy? Or process needs improvement.

Before reaching the conclusion he take all the aspects of audit in consideration, is there any failure event appeared, any area needs to be considered improvement? Are there any individuals or departments displayed uncommon behavior?

In the end of his fieldwork the auditor, hold the closing meeting with head of the area in presence of plant manager. Explain him positive and negative outcome of his study and corrective actions for that. He tries to resolve any disagreement on his conclusion in this meeting.

3. Audit report (documentation phase)

It is most difficult part of the process. An auditor should write brief and clear summery of his finding, which includes both positive and negative outcomes of his study. These positive outcomes may help company for improvement.

The data or findings must be truthful, scope and objective oriented, and written in manner that management can easily understand that and can take corrective action from that. Audit report is a official record that should contain: scope, criteria and objective of an audit, Auditor’s information, time and area where auditing done, outcomes of audit (positive and negative), a closing statement.

4. Change implementation (follow-up phase)

During this phase the non compliance is submitted to quality committee. The quality committee studies the report submitted by an Auditor and checking all the non compliances are in fact differ from the company’s quality management system. Upon agreement that process or item is none conforming, the quality committee takes action to correct it and gives responsibility for this correction to suitable person with time limit.

During correction quality committee observe the process of correction and after change is implemented and process or item working in compliance with company’s policy, committee ask the same person for follow up inspection. The Auditor check in same manner as he done before and check the difference in outcome, if it is compliance with quality management system of company than he give the satisfactory report to the management. The whole process is documented that it could be useful for future study.

Audit activities

Evaluation of an auditor

Monitoring and reviewing

Identifying correction

Preventive action

Opportunities for improvement




Selecting auditor

Monitoring audit






Start the Audit programme







Fig. 1. Process flow diagram of internal auditing

Internal controls:

Internal control is a major part of an internal auditing and evaluation of internal controls is one of the primaries objectives of internal auditing.

In auditing internal controls can be defined as process affected by organization’s structure, employee and management information system, authority and work flow, designed to fulfill organization’s scope and objectives. These are common objectives for internal control: effective and efficient operations, reliable financial reports, compliance with laws and policies, protecting assets of organization.

Internal controls are divided in main two categories preventive controls (designated to prevent errors and irregularities from occurring) and detective controls (designed to find out errors and irregularities after they have occurred). The examples of internal control activities are separation of duties, authorization, proper documentation, control over assets, variance analysis, monitoring operations.

A question arise that who take the responsibility for internal controls, it’s not only a job of internal auditor. Every employee of the organization is responsible for maintenance of internal controls. Internal audit assist management to evaluate and promote internal control system.

Risk management:

Internal audit play an important role in risk assessment and evaluation of processes which have significant risks. Risk management is process that in which way organizations sets its objectives and then evaluates and analyzes the risks which can produce impact to realize its objective.

In regular basis organization applied strategic, marketing or capital planning, budgeting, and hedging to evaluate the risk. Internal audit evaluate all this activities and processes applied by the management to report and monitor potential risk identified.

These are some core roles of internal audit in risk management: assuring risk management process, assuring evaluation of risks and evaluation of risk management process, key risks evaluation and reviewing them to the management, assisting management in responding of risks, developing risk management framework and coordinating all activities.

Internal audit vs. External audit:

External audit:

In External audit organization contact person (auditor) outside of the firm who audits organization’s financial statement and submit a report to the management. External auditor differs from internal auditor mainly in two ways: (1) internal auditor mainly focuses on risk management and internal control framework, (2) internal auditor do not form an opinion on organization’s financial statements.

Some similarities also there between internal and external auditor:

Both internal and external auditor examines and evaluates many transactions.

Both report if the procedures are poor and ignorance in adhering them.

They both deeply involved in information system and based on discipline and work with profession standards.

Both are concerned for occurrence of errors and they are tied with internal control system of organization.

Both give formal report of their activities.


Internal audit

External audit


Leave a Comment