Internal auditing

from Wikipedia, the free encyclopedia

Internal auditing (German: Interne Revision or Innenrevision, both commonly abbreviated "IR") is an objective audit and advisory activity within an organization that is independent of day-to-day business. It supports the organization in achieving its goals through a systematic and disciplined approach to assessing and improving the effectiveness of risk management, the internal control environment and corporate governance. Its purpose is to continuously improve business processes and create added value for the organization.

The internal audit department supports the management (usually the supervisory board, board of directors or administrative board) in its control, steering and management functions by carrying out independent internal audit engagements. It usually reports directly to the organization's management and is therefore generally a staff function.

The current understanding of internal auditing is based mainly on the Anglo-Saxon term "internal audit". Such a corporate function established itself in the 1930s and 1940s against the background of the emergence of large companies (increasingly difficult for supervisory bodies to oversee) and of the need, arising during the Second World War, to have complex and resource-intensive projects or enterprises evaluated or critically accompanied promptly and in detail by an independent body. Historically, internal auditing has been classified alongside the emergence of the modern term "management consulting", with the assurance function in the foreground over the advisory ("consulting") function.

Tasks, codified standards and requirements

The internal audit should fulfill the following primary functions:

  • Trust function: assurance for the organization's decision-makers that processes run properly and in accordance with the rules (e.g. that legal norms and the principles of proper accounting are observed)
  • Preventive function: increasing the risk of detection for people who commit, or intend to commit, fraudulent acts
  • Information function: creating transparency about processes and organizational units in order to support the decision-making of the organization's management.

In Germany, statutory requirements for the establishment of an internal audit department follow from the German Stock Corporation Act (Section 91(2) AktG). There are further requirements for individual economic sectors: for credit institutions, the requirement to establish such a function follows from the Banking Act (Section 25a(1) No. 3 KWG), and for insurance companies from the Insurance Supervision Act (Section 30 VAG), regardless of their legal form. In addition, the function and tasks of internal auditing are described in more detail in the minimum requirements for risk management issued by the Federal Financial Supervisory Authority (BaFin), in separate regulations for banks, insurance companies and investment companies.

The targeted monitoring of an organization's processes and structures with a view to the proper pursuit of its legitimate goals is in the interest of a large number of interest groups, summarized under the umbrella term "stakeholders": investors, customers, employees and the public.

The internal audit department has the task of checking procedures for correctness and uncovering ineffectiveness, irregularities (booking errors, legal consequences) or manipulation (for example embezzlement), known in English as "fraud detection". Alongside controlling, which is primarily responsible for processing and validating control information, it thus forms an essential part of an organization's higher-level control and monitoring system.

In addition to examining compliance as described above, the implementation and efficiency of strategic initiatives are scrutinized by examining business processes, programs and projects. The modern internal audit department also has the task of initiating change processes in the company as a "change agent" and, in addition to classic audit engagements, increasingly takes on consulting engagements for individual specialist departments.

Audit, control and monitoring - definitions

An audit is first of all understood as any target/actual comparison. In contrast to controls, however, the person carrying out an audit stands "outside" the organizational unit being assessed (for example: public auditors, tax auditors, social insurance auditors and internal auditors).

The auditor examines organizational matters (the actual state; for example a process or a procedure) to see whether they match the specifications (the target state). The target is usually an internal regulation (for example a guideline, manual, work instruction or operating regulation) or a law. If there is a difference between actual and target (error, finding, deviation, deficiency), the auditor is expected to make suggestions for improvement. The audit is not primarily advisory in nature, but sensible suggestions for improving the actual state and, if necessary, the target (for example restricting deviation analyses that cost more than they yield, correct interpretation of legal requirements, or introduction of technically improved monitoring standards) can be of great use.

Controls are organizationally anchored target/actual comparisons that are carried out (regularly) by competent employees, regardless of their position in the organization or in the respective sub-area. Controls carried out independently by staff on the production line are just as much a part of this as those that, according to the principle of internal control, are carried out by people from other areas (quality control, administration). Here too, in the event of deviations, it makes sense to take corrective and adjustment actions immediately afterwards. Automated control measures are also conceivable.

The controls and measures to be established here differ considerably depending on their objectives. An important area to be controlled in many industries is purchasing. Depending on the size of the project, precise requirements must be met, ranging from obtaining competing offers to formal publication at the prescribed place for the purpose of an EU-wide invitation to all potential bidders.

The controls, along with processes and structures, are primarily documented in the organizational manual. Controls and the related corrective and steering measures are only useful in connection with the activities they are intended to safeguard.

Since Erich Gutenberg, control (its establishment and handling) has also been a generally accepted term for the corresponding obligation of management, to be fulfilled by means of meaningful delegation. This goes so far that the examination of the existence and effectiveness of these controls can be delegated to an appropriately authorized internal auditor.

There is no generally accepted definition of monitoring. Monitoring is process-independent and mostly external; it has this in common with auditing. It can encompass individual areas or the entire organization (e.g. supervisory boards, trade inspectorates, banking supervision or audit committees). These institutions are primarily intended to make it easier to identify crises on a large scale.

For the design and evaluation of internal control systems, control models such as COSO and CobiT are often used.

Internal and external auditing

Internal auditing

Internal auditing is an independently operating staff unit that reports directly to top management and carries out internal audits and related consulting activities.

Its task is to confirm matters ("assurance" or "re-assurance" in connection with the internal control system (ICS)) as well as to provide relevant advice ("consulting") on organizational issues.

Internal auditing contributes to the realization of organizational goals by systematically examining and further developing company processes and the related objectives (control objectives), risk management, control and monitoring ("governance"). The work of internal auditing is intended to increase the value of the organization as a whole (statement of the IIA); it can create "individual added value or value creation".

Normally, an internal audit department cannot and will not audit the entire company year after year. However, all areas should be covered once over an audit cycle defined in advance and spanning several years. When dividing the organization into audit areas, care must be taken that no "gray" unaudited zones remain at the interfaces. For the process-oriented definition, the functionally broken-down corporate objectives ("control objectives") as well as the existing organizational areas (for example purchasing, sales, marketing and production) are to be used.

A more detailed definition and description are contained in the Standards for the Professional Practice of Internal Auditing published by the Institute of Internal Auditors (IIA) and the national professional associations.

Internal auditing can be an in-house department, or it can be purchased externally for individual projects or audits (outsourcing). Mixed forms between the two, the so-called co-sourcing or partnering models, are also possible.

The work of internal auditing is defined in the Standards for the Professional Practice of Internal Auditing. Certified internal auditors (Certified Internal Auditor) comply with a code of ethics and the internationally recognized professional standards of the Institute of Internal Auditors (IIA) and of the national associations such as DIIR e. V. (formerly IIR e. V.), SVIR and IIA Austria. The European professional associations for internal auditing are organized in the European Confederation of Institutes of Internal Auditing (ECIIA). The Institute of Internal Auditors (IIA) revised the professional standards (Professional Practices Framework) and put the new version into effect on January 1, 2009 under the title "International Professional Practices Framework (IPPF)".

External auditing

External auditing, on the other hand, is carried out by an external auditing body that primarily (but not only) examines the annual financial statements on a statutory basis with the aim of protecting shareholders and/or creditors. In addition to auditors appointed by company management or the general meeting (public auditors, tax or management consultants), this also includes auditors appointed by public authorities, which may vary depending on the industry and case (for the banking industry, for example, auditors from BaFin or the Bundesbank). Against the background of the increased demands on the retrievability and preparation of tax-relevant data, external auditing is increasingly emphasized as a preventive instrument.

Elements of auditing

Audit fields

Internal auditing has a wide range of uses and can provide essential information for the company's external relations. The classic subdivision of audit types is as follows:

  • Compliance audit
  • Financial audit
  • Credit audit
  • Management audit
  • Operational audit
  • System audits.

Compliance audits comprise the substantive preparation of the environmental and safety requirements applicable to the company as well as the auditing of compliance with them.

Financial audits are audits of the accounting (bookkeeping) of an organization or company to determine whether the accounting principles, for example under the commercial code or tax law, have been correctly applied. In this way the organization or company protects itself against errors that could lead to problems with the tax authorities or the interested public.

Credit audit refers to the assessment of the risk associated with a loan and of the borrower's creditworthiness. So-called risk classes are formed for this purpose. The auditor's assessment is carried out independently of the credit approval.

Management audits specifically aim to check the quality of management at the levels below top management. They examine the extent to which these levels achieve their defined goals. A prime example is the audit of subsidiaries, in which the internal audit department's "briefing" takes place with the decisive participation of group management. This approach presupposes experience and qualification on the part of the auditor, because the result of such an audit arises from many complex issues: decisions made by local management levels must be granted discretionary leeway, which also requires the auditor to weigh the "pros and cons" critically and independently. A management audit is usually carried out by an external team of consultants; the central performance criteria here are benchmarks from the market (from executive search) and the objectivity of the consultants (see Management audit).

Operational audits are process-oriented reviews of certain core processes in an organization. In a company, these could include purchasing, sales and human resources; in a non-profit organization, membership management and fundraising. The aim is to improve processes by reducing costs or the risk of fraudulent acts (white-collar crime).

The defined types do not overlap. Internal auditing has evolved from financial audits to operational audits and management audits. A modern internal audit function should cover all of these types. This tripartite division also covers certain types of audits that differ in methodology and scope from typical audits, for example investigations into white-collar crime.

System audits examine an existing system to determine whether the requirements, mostly in the form of laws, have been implemented and whether they are actually useful. Examples are the various directives of the announcement on minimum requirements for the conduct of trading business by credit institutions, which have led to instructions on the basis of which tests are carried out to determine whether the purpose of the directive has been achieved.

System audits is also used as a synonym for operational audits, with particular emphasis on the fact that not only results (as in financial audits) but also structures and processes are checked according to the aspects described above.

Audit process

Framework conditions for the work of internal auditing, for both audit and consulting engagements, are bindingly regulated in the Standards for the Professional Practice of Internal Auditing (IIA standards, IIAS) for certified internal auditors and members of the professional associations. The so-called Practice Advisories, part of the body of rules for the professional practice of internal auditing (IIA Professional Practices Framework), provide further, non-binding guidance.

For actual work in internal auditing, the guidelines mentioned serve only as orientation, not as instructions for practical implementation. The qualifications required, usually from the outset, are good knowledge of general business administration, controlling (in the broadest sense), the operation of database systems, above-average linguistic logic (model thinking) and command of English business language. For many audits it is also necessary to observe the relevant (tax and commercial) regulations.

An audit engagement runs through defined phases:

  1. Audit planning (IIAS 2000)
  2. Preliminary survey (IIAS 2200)
  3. Collection and evaluation of information (the audit in the narrower sense; IIAS 2100, 2300)
  4. Reporting and reconciliation (IIAS 2400)
  5. Follow-up (IIAS 2500).

Last but not least, all audits carried out by auditors serve the purpose of identifying the need for action and providing a basis for decisions. Ideally, an authorized person meets these requirements on the basis of sound and complete information. The task of internal auditing is to help create or maintain this transparency.

This applies both to decisions delegated to subordinate levels and to the non-delegable responsibility of top management. Commercial regulations regarding the rights of managing directors, authorized signatories and authorized representatives help with delegation.

Management decisions are primarily strategic and operational "if-then decisions" with long-term and hardly reversible financial effects for an entire company.

Audit principles

  • Economic efficiency: the scope and frequency of auditing are to be determined according to the principle of economic efficiency. In general, auditing has to "pay off", at least from the point of view of most executive floors, including in its role as a task force. The benefit (return) from audit activities should exceed their costs. It should not be overlooked, however, that the damage-preventing activity of the IR, which is also required by lawmakers, can hardly be quantified in money. If this cost/benefit calculation is "brutally" tied to the respective year, an IR can come under severe pressure due to incompatible objectives.
  • Materiality: audit areas and the criteria for selecting the issues to be examined are to be determined according to their materiality and urgency for corporate management. In addition to cash registers or inventories, auditing should primarily examine risky areas or processes of the company, which in turn requires the use of the results of the company's risk analysis.
  • Diligence (completeness, objectivity, ability to make judgments, freedom of judgment): the internal audit department is subject to a strict duty of care and objectivity. This also requires independence from any authority to issue it instructions.

Organizational involvement

In regulated industries (e.g. financial service providers), the organizational integration of internal auditing is stipulated by law or regulation (e.g. MaRisk). For non-regulated industries, the OECD Corporate Governance Principles 2004 (Annotations to VD7 Board duties: Internal Audit reporting to the Board and/or an Audit Committee) and the EU Commission's Action Plan on Corporate Governance (COM (2003) 248 fin, sub 3.1.3) provide indications.

Normally, the internal audit department reports directly to the board of directors or the management. If these consist of several members, the chairman is responsible. Only in this way can it act independently of the areas to be audited. There is, however, no automatic obligation to report to other stakeholders or bodies such as the supervisory board, or only in special cases; this would only be the case if the supervisory board were the disciplinary superior of internal auditing.

Publicly appointed auditors and auditing companies, sworn accountants, tax consultants, experts and consultants are to be regarded as external to the company, depending on the assignment (audit within the framework of statutory regulations versus audit within the framework of loss prevention).

Quality management in the area of internal auditing

The German Institute for Internal Auditing (DIIR), together with the Institute of Public Auditors in Germany (IDW), developed the DIIR Auditing Standard No. 3 - Examination of Internal Auditing Systems (DIIR designation) and the standard IDW PS 983 - Principles of Proper Auditing of Internal Auditing Systems (IDW designation). They were published in April 2017. Both standards are almost identical and contain 82 individual criteria for assessing the effectiveness and appropriateness of the internal auditing system. The standards define six minimum requirements. If one of these is not met, this constitutes a major finding, which leads to a refusal of the audit opinion; the effectiveness of the internal audit system would then not be confirmed.

Such central minimum requirements include the neutrality of the audit function, its independence from other functions and an unrestricted right to information.

In order to meet the requirements of DIIR Auditing Standard No. 3 and IDW PS 983 as well as the international (IPPF) Standard 1312, an external quality assessment must be carried out by a qualified and independent assessor or assessment team at least every five years. Assessors who carry out such assessments must meet various requirements. Among other things, they must demonstrate practical experience and complete a special DIIR qualification procedure or regularly refresh this qualification.

The international (IPPF) Standard 1120 provides that internal auditors must be impartial and unbiased and must avoid any conflict of interest. Implementation Guide 1120 supplements this with more technical explanations and implementation instructions, which are not binding but constitute recommendations. A study from 2016 concluded that, in the opinion of internal auditors, job rotation for auditors can increase objectivity, but that the net effect of this measure is not necessarily positive. A survey of auditors showed that 77 percent did not consider rotation necessary, and such a rotation was not used in 60 percent of the companies.

Professional associations

Professional associations for specialists and managers in internal auditing are:

  • Germany: German Institute for Internal Auditing e. V. (DIIR), Frankfurt am Main.
  • Austria: Institute for Internal Audit Austria (IIA Austria), Vienna.
  • Switzerland: Swiss Association for Internal Auditing (SVIR), Zurich.
  • Global: The Institute of Internal Auditors (IIA), USA, Altamonte Springs.

Professional examination in the field of internal auditing

Relevant and widespread professional exams of the Institute of Internal Auditors (IIA) and the Information Systems Audit and Control Association (ISACA) are:

  • CIA, Certified Internal Auditor (overall internal auditing, world's most important professional examination in the field of internal auditing).
  • CCSA, Certification in Control Self-Assessment (focus: internal control systems)
  • CISA, Certified Information Systems Auditor (focus: IT systems)
  • CRMA, Certification in Risk Management Assurance (focus: risk management)

Literature

  • Andre Heerlein: Factors influencing the capacity of internal auditing: To design an effective auditing function . Berlin 2009, ISBN 978-3-8349-2021-8 .
  • TF Ruud, Ph. Friebe, D. Schmitz: International framework for the professional practice of internal audits . In: Der Schweizer Treuhänder, Issue 9/2009, pp. 647–652.
  • Christoph, Schmidt: Increasing the objectivity of internal auditors. Rotation as an instrument. 1st edition 2016, Springer, ISBN 3-658-15235-4
  • The Institute of Internal Auditors: The International Professional Practices Framework (IPPF) . 2009, ISBN 978-0-89413-639-9 .
  • Volker H. Peemöller, Joachim Kregel: Basics of the internal audit . 2nd edition 2014, Erich Schmidt Verlag, ISBN 978-3-503-15600-9 .
