What is an internal audit function? Internal auditing is an integral part of corporate governance and under the direct responsibility of the audit committee (Auditcom). The internal audit department (the IAD) is the “eyes and ears” of the audit committee in performing its oversight functions over the company-wide control environment in behalf of the Board of Directors (the Board).

In its broadest context, internal audit is an independent, objective assurance and consulting activity. It brings in to the organization a systematic, disciplined, risk-based approach to evaluate and improve the effectiveness of operating and managerial controls, and governance processes — aligned with and in support of the overall company objectives and strategies. It is a global profession, though not a regulated one, and is guided by relevant internationally recognized and accepted standards and ethical guidelines set by the relevant governing bodies such as the Chartered Institute of Internal Auditors.

The internal control responsibilities in any organization starts from the Board of Directors as provided for under Section 6d of the revised SEC Code of Corporate Governance (the Code). Under the Code, the Board’s oversight on the organization’s internal control environment is vested in the Auditcom, which in turn is tasked with the responsibility to set up the IAD and consider the appointment of the chief audit executive (CAE). The Code also includes risk management as an integral part of the internal audit function. And beyond legal compliance, the Board and the Auditcom can assign other strategic tasks and undertakings to the IAD such as evaluation of investment alternatives and review of merger and acquisition contracts and agreements.

The value of internal audit lies in its objectivity and independence as a function. These two traits distinguish internal audit from the duties and responsibilities of other departments or units. All departments and/or units as well as the key officers, including the President/CEO, are the subjects of internal audit process. Accordingly, because of its unique and independent function, the IAD reports directly to the Auditcom. However, the IAD personnel are under the responsibility of the President/chief executive officer (CEO) in as far as all their administrative needs and requirements are concerned.

At the end of each fiscal year, the Auditcom must submit to the SEC an Annual Audit and Risk Management Committee Report, as mandated under the Code. Among others, the committee must render an overall assessment of the company’s overall internal control environment, based on the findings and recommendations of the internal audit department.


Given the enormous duties and responsibilities vested in the IAD, the internal auditors must possess deep accounting, auditing and finance background and experiences. They must have adequate computer literacy, report writing capability, as well as ability to interact objectively with key officers like the president, chief financial officer (CFO), department heads, and the chief risk officer as well as the external auditors. There must be proper planning and execution of all internal audit activities.

The above high-level competencies have already been adopted by many multinational companies abroad and here in the Philippines. The total transformation of their IAD serves as one of the key determinants and symbols of their successes. For instance, their IADs have formal charters that include vision and mission statements, access authority, reporting responsibilities, applicable professional standards, ethical considerations, performance evaluations, clear description of independent environment, relationship with other departments and other pertinent imperatives.

Many patriarchs and matriarchs of growing family businesses have also embarked on professionalizing the top management and internal audit functions in their organizations by hiring experienced consultants and advisers, realizing the urgent need for the eventual transition of the family corporations to the next generation and to be highly competitive.


Ironically, the tangible benefits of having an organized internal audit function have not yet been given adequate recognition by the business community. Many corporations still do not have an established IAD or a working internal audit function. Many key governance players do not have any clear idea of this important “check and balance” mechanism. For those who have hired internal auditors or set up IADs, the common practice is merely to perform activities basically relating to detection of accounting and financial reporting errors, irregularities, and fraud — hardly linking the vital internal audit process to the overall company strategic initiatives.

A sense of confusion seems to pervade as to the proper role of the internal auditors and who they should report to in the organization. It is still common to include internal auditing as part of the accounting and finance department’s function. Internal auditors report directly to or under the direct supervision of the chief accountant, controller, finance officer or even the president/CEO who themselves are the subjects or targets of the internal audit process. In many cases, the CFOs or controllers themselves provide audit training to the internal auditors under their supervision and even prepare their internal audit plans.

Even among public and publicly listed corporations which are already mandated to adhere strictly with the provisions of the SEC Code, many of their IADs are established merely for compliance purposes, i.e. not capable enough to provide strategic support to the Auditcom. Worse, looking inward to the macro control environment, many Auditcoms of today, which are primarily responsible for the creation of the IAD, lack the needed competency to oversee the undertakings of the IADs. Most Auditcom chairmen and members do not have financial and audit background. There is an apparent laxity in the Code’s requirements for financial literacy of AuditCom members. The SEC Code merely requires that members “preferably have accounting and finance background”, meaning financial literacy for Auditcom members is not mandatory.

In brief, a breakdown in the overall control environment of the organization arises in a situation where there is a weak IAD under the oversight of a weak Auditcom — a possible dereliction of the board’s fiduciary oversight function and a situation which is contrary to the board’s ultimate objective of increasing shareholders’ value.

You can’t go wrong with an effective internal audit function!

On an effective internal audit process really plays an indispensable role in today’s good corporate governance initiatives. Even family-owned corporations, big or small, will benefit from having a transformed IAD. With the ever increasing expectations from governance players and stakeholders, with many governance players having fallen victims already of financial malfeasance, and given the ever changing, complex business environment, it has now become imperative for the Board of Directors to strengthen the organization’s control environment, starting with the establishment of an efficient IAD.

It is high time to employ duly accredited internal auditors, with deep skills and knowledge of the current trends in risk and value-based internal auditing techniques. However, the appropriate needs and requirements will vary depending on the size and complexity of the business.

There are professional accounting firms that offer internal audit outsourcing services as an alternative or replacement for an ineffective IAD. The perceived benefits of outsourcing are unabated supply of qualified staff at reasonable costs, better planning and wider coverage, and continuity of function at high level. With the apparent shortage of qualified internal auditors in the market, and relative difficulty of certain corporations to set up an IAD, this outsourcing option is worth considering.

For evaluating company’s need, engaging the services of professional consultants and advisers is worth considering.

This article reflects the personal opinion of the author and does not reflect the official stand of the Management Association of the Philippines (MAP).The author sits in the boards of several listed companies as an independent director and serves as chairman of audit committees. He has an accumulated 40 years of background and experience in accounting, auditing and risk management. He is a member of the MAP Committee on Corporate Governance and Chairman of the MAP Best Annual Report Awards Committee. He is a Trustee and Vice-President of the Shareholders’ Association of the Philippines. He is a Fellow of the Australian Institute of Company Directors. Feedback at [email protected] For previous articles, please visit map.org.ph.