An A-Z of internal audit

24 May 2021

May is Internal Audit Awareness Month, and we want to raise awareness by trying to explain what internal audit is and what it does. In this A-Z, we’ve listed a word or phrase for every letter of the alphabet from the world of internal audit.

Hopefully this provides an insight into the profession, and explains some of the jargon commonly used.


View the A-Z of internal audit as a visual graphic (PDF, 525KB).

Audit

The process of examining evidence with the purpose of providing an independent assessment of an organisation’s governance, risk management and internal control arrangements.

Board

The highest level governing body charged with directing the activities of an organisation. In the context of internal audit, the board usually refers to the Audit Committee, which oversees the work of the internal audit function.

Control environment

The combination of several elements encompassing the governance of an organisation which, when taken together, provide the discipline and structure for the achievement of the primary objectives of a system.

Data analysis

Looking at large sets of data and using tools to work out what it’s telling you. This is used in audit to examine large amounts of information and see if patterns emerge or if it indicates any issues.

For example, an auditor might conduct data analysis on an organisation’s payroll to check everyone is being paid on time.

Read more: Senior auditor Luke explores the increasingly popular use of auditing with data analytics

Enterprise risk management

The gold standard of risk management. A structured, consistent and continuous process across the whole organisation for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.

Follow-up

Where actions from internal audit findings are not implemented, or their implementation does not address the underlying issue, the organisation remains exposed to the risk. The follow-up process is the final part of the audit cycle.

It involves tracking the status of actions, obtaining evidence to support completion and even re-testing where risks are highest. Follow-up activity should be reported to the Audit Committee.

Governance

Governance can be described as the combination of processes and structures implemented by the board to direct the activities of the organisation towards the achievement of its objectives.

The internal audit function is required to evaluate and make appropriate recommendations to improve an organisation’s governance processes.

Head of Internal Audit

The Head of Internal Audit (HoIA, also called the Chief Audit Executive) is the senior individual responsible for managing internal audit activity in accordance with the internal audit charter and professional standards. Max Thomas is the HoIA for a number of our councils.

Independence

Independence is freedom from conditions that threaten the ability of the internal audit function to carry out its responsibilities in an unbiased manner. It is achieved through the Head of Internal Audit having direct and unrestricted access to senior management and the Audit Committee.

Threats to independence must be managed at organisational, functional, engagement and individual auditor levels.

Joint working

Internal audit often works alongside other assurance services like risk management and counter fraud. If a fraud investigation reveals a gap in the system, officers can work with the auditors to make sure it doesn’t happen again. This also links to what’s known as assurance mapping.

Key controls

These are the controls that make a significant contribution to the management of a risk in a given system. Reliance is placed on key controls in order to form an opinion and to provide assurance on the design and operating effectiveness of the system under review.

(three) Lines

The three lines model provides a simple and effective way to manage risk. It sets out the roles and responsibilities of each party so that risk and control are managed more effectively. Read more detail about the first, second and third lines (these articles were written before the model was updated, when it was called the ‘lines of defence’).

Methodology

Included within the definition of internal auditing is the requirement to bring a structured and disciplined approach to the evaluation of risk management, control and governance processes.

Adopting a consistent and repeatable methodology encourages compliance with professional standards. At Veritau, we codify this in our audit manual.

Networks

Audit networks are important. They help professionals keep up with the latest guidance and share best practice. Veritau is a member of Audit Together and various other networks and partnerships. We share development ideas and maximise the opportunity to add value.

Objectivity

An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made.

Internal auditors need to make a balanced assessment of all the relevant circumstances and must not be unduly influenced by their own interests or by others in forming judgements.

Professional bodies

Several professional bodies govern the world of internal audit. The Institute of Internal Auditors (IIA) is a global organisation providing the standards for internal audit, and provides the professional qualification that all Veritau trainees gain.

The Chartered Institute of Internal Auditors (CIIA) is the UK body. Auditors also gain specific knowledge and insights from bodies such as the Chartered Institute of Public Finance and Accountancy (CIPFA).

Quality assurance

The Head of Internal Audit is required to develop a Quality Assurance and Improvement Programme (QAIP) which covers all aspects of internal audit activity.

The QAIP should enable evaluation of conformance with professional standards, application of the code of ethics and the overall efficiency and effectiveness of the internal audit function.

Report

This is the end product of an internal audit. Findings need to be communicated clearly and effectively to those involved with the audit.

Typically reports include findings, ie what is not working so well, and actions, ie what can be done to improve things in the future.

Specification

Also known as a terms of reference or brief, the specification is drawn up at the beginning of an audit and agreed with the client. It sets out the scope and objectives of the work to be undertaken and thus where assurance is and is not being provided.

Testing

After identifying the system controls that are in place, an internal auditor’s next job is to test how effectively they are working. For example, this could involve taking a sample of payment documents to check that each one has been signed off by the appropriate people.

Testing can also be carried out using computer-assisted audit techniques (CAATs) such as IDEA (see D, Data analysis), which let the auditor test the whole population of transactions rather than a sample.
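The payroll check described under D and the sign-off test described here are the kind of tests a CAAT runs across a whole population rather than a sample. The Python script below is an added example written for this page; it is not taken from the original article or from Veritau’s audit tools, and the payment records, approver names, authority limits and field names are all constructed assumptions. It runs four full-population tests an auditor would typically script: approval within authority, segregation of duties between raising and approving a payment, duplicate invoices, and payments made after their due date.

```python
"""Full-population control tests over a constructed set of payment records.

Added example for illustration: every record, name and limit below is an
assumption, not data from the article or from any real audit.
"""
from collections import Counter
from datetime import date

# Assumed scheme of delegation: who may approve a payment, and up to what value.
AUTHORITY_LIMITS = {"A.Patel": 5_000, "J.Smith": 25_000, "M.Thomas": 100_000}

# Constructed population of supplier payments (not real data).
PAYMENTS = [
    {"ref": "P001", "raised_by": "L.Brown", "approved_by": "A.Patel", "amount": 1_200,
     "supplier": "S1", "invoice": "INV-77", "due": date(2021, 4, 10), "paid": date(2021, 4, 9)},
    {"ref": "P002", "raised_by": "L.Brown", "approved_by": "A.Patel", "amount": 7_500,
     "supplier": "S2", "invoice": "INV-12", "due": date(2021, 4, 15), "paid": date(2021, 4, 14)},
    {"ref": "P003", "raised_by": "J.Smith", "approved_by": "J.Smith", "amount": 3_000,
     "supplier": "S3", "invoice": "INV-5", "due": date(2021, 4, 20), "paid": date(2021, 4, 19)},
    {"ref": "P004", "raised_by": "L.Brown", "approved_by": "R.Jones", "amount": 900,
     "supplier": "S4", "invoice": "INV-88", "due": date(2021, 4, 22), "paid": date(2021, 4, 22)},
    {"ref": "P005", "raised_by": "K.Lee", "approved_by": "J.Smith", "amount": 1_200,
     "supplier": "S1", "invoice": "INV-77", "due": date(2021, 4, 10), "paid": date(2021, 4, 30)},
    {"ref": "P006", "raised_by": "K.Lee", "approved_by": "M.Thomas", "amount": 60_000,
     "supplier": "S5", "invoice": "INV-9", "due": date(2021, 4, 28), "paid": date(2021, 4, 27)},
]


def unauthorised_approvals(payments, limits=AUTHORITY_LIMITS):
    """Payments approved by someone not on the scheme of delegation, or above their limit.

    An approver missing from the scheme gets a limit of 0, so every payment they
    signed off is reported rather than silently passed.
    """
    return [p["ref"] for p in payments if p["amount"] > limits.get(p["approved_by"], 0)]


def segregation_breaches(payments):
    """Payments where the person who raised the payment also approved it."""
    return [p["ref"] for p in payments if p["raised_by"] == p["approved_by"]]


def _invoice_key(p):
    return (p["supplier"], p["invoice"], p["amount"])


def duplicate_payments(payments):
    """Payments that share supplier, invoice number and amount with another payment."""
    seen = Counter(_invoice_key(p) for p in payments)
    return [p["ref"] for p in payments if seen[_invoice_key(p)] > 1]


def late_payments(payments):
    """Payments made after the due date recorded on the invoice."""
    return [p["ref"] for p in payments if p["paid"] > p["due"]]


def run_tests(payments):
    """Run every test over the whole population and return the exceptions by test name."""
    return {
        "approved outside authority": unauthorised_approvals(payments),
        "raised and approved by the same person": segregation_breaches(payments),
        "possible duplicate payment": duplicate_payments(payments),
        "paid after due date": late_payments(payments),
    }


if __name__ == "__main__":
    for test, refs in run_tests(PAYMENTS).items():
        print(f"{test}: {', '.join(refs) if refs else 'no exceptions'}")
```

Each exception list is the starting point for follow-up work, not a finding in itself: an auditor would pull the documents behind P002 and P004 to confirm the approval really was outside authority, and check whether P005 is a genuine duplicate of P001 or a legitimately re-issued invoice.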


Universe

The collection of auditable areas that exist within an organisation. The audit universe is usually structured by business units, service areas, processes, systems or by risk.

Value

Adding value is at the heart of internal auditing and value-added contributions should be made throughout the internal audit activity. Value is added through:

  • Strengthening an organisation’s control environment
  • Adopting a risk-based approach
  • Identifying process improvements
  • Acting in a consultative capacity
  • Providing assurance to senior management and the board

Whistleblowing

Whistleblowers are workers who report wrongdoing in the public interest. They are protected by law if they’re an employee, trainee, agency worker or volunteer at the organisation.

Audit can play a key role in protecting the independence that whistleblowing requires. Internal auditors may work with HR or fraud investigators to look into any concerns.

EXternal audit

Ok, so we’ve cheated a little here, but did you really expect us to find an audit term beginning with X? Internal and external audit are quite different – as the names would suggest, one looks at the organisation from the inside, and the other from the outside.

External audit is concerned mainly with the financial statements, while internal audit focuses on day-to-day operations and controls. The two are usually carried out by different organisations, but they should have a working relationship so that their work is coordinated and resources are used efficiently. Internal audit supports this through what is known as assurance mapping.

Year end

Internal audit teams generally work to an ‘audit year’, meaning all work has to be completed by a specific point in the year. For us, this is 30 April, so April is what’s known in our office as ‘year end’.

Zeitgeist

There have been many high profile scandals in the world of business which have shaped how internal auditors think and act (eg Enron and Arthur Andersen and, a bit closer to home, Carillion).

It’s important that lessons are learned from these scandals so that auditors can continue to help clients to achieve their objectives sustainably. Scandals like these could be considered the ‘zeitgeist’ of the audit world.

Get in touch

Want to find out more? Read ‘what is internal audit?’ or contact our team.