The definition “Internal Audit“ is not defined clearly in Decree 05/2019/NĐ-CP, so we will refer to this one from The institute of Internal Auditor (“IIA”).
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
With the above definition, we should note some following important points:
- Internal audit is assurance and consulting activities regarding Governance, Risk management, and Internal control processes of an enterprise, helping the enterprise accomplish its objectives.
- Internal audit must be Independent and objective, meaning that internal audit must be allowed to report functionally to the highest-level governing body (including independent members and non-operating members). Depending on different organizational models, the highest level governing body can be: the Supervisory Board (set up by the General Meeting of Shareholders), the Audit Committee (set up by the Board of Directors with independent and non-executive members), or Board of Members, etc.
- Internal audit must help to add values to enterprises (the benefits of carrying out internal auditing must be more than the expenses for it) and improve an organization operation (effectiveness and efficiency).
- Internal audit is highly disciplined and systematic, meaning that audit procedures methodology, judgments, and conclusions of internal audit must be logically and reasonably presented and connected.
Though not clearly defining “internal audit”, the Article 4, Decree 05/2019/NĐ-CP presents objectives of internal audit that are quite in line with IIA’s definition as follows:
“By implementing checking, evaluation and consulting activities, internal audit provides independent and objective opinions and recommendations on:
- Whether the internal control system of an enterprise has been established and operated in an appropriate manner in order to prevent, detect and manage risks?
- Whether the governance and risk management processes of an enterprise ensure their effectiveness and efficiency?
- Whether operational and strategic objectives and plans are fulfilled?
Purposes, Authorities and Responsibilities of internal audit?
With the above definition, we can understand as follows:
- Purpose: Internal audit aims to bring values to enterprises and improve the enterprise’s operation.
- Authority: To fulfill their responsibilities, internal audit must have:
(1) power to access the documents/people/properties related with their tasks.
(2) power to report and communicate directly to the highest-level governing body about the audit plans, findings, and obstacles to timely receive adequate and proper supports.
- These authorities must be prescribed clearly in the internal audit charter so that every departments of the enterprise can understand and follow. In addition, the enterprise’s organization model must show that the internal audit is under the highest level governing body that including independent members and non-operating members. Depending on different organizational models, the highest level governing body can be: the Supervisory Board (set up by the General Meeting of Shareholders), the Audit Committee (set up by the Board of Directors with independent and non-executive members), or Board of Members, etc.
- Responsibility: Internal audit’s responsibility is to provide the enterprise with assurance and consulting services that will add value and improve the enterprise’s operation.Specifically, the internal audit must evaluate and improve the effectiveness of the enterprise’s governance, risk management, and internal control processes.
From the legal perspective, the authority and responsibility of internal audit are also specified in the Decree 05/2019/NĐ-CP. Enterprises need to pay attention when building their own internal audit charter and policies to ensure the compliance.