May is Internal Audit Awareness Month, and we want to raise awareness by trying to explain what internal audit is and what it does. In this A-Z, we've listed a word or phrase for every letter of the alphabet from the world of internal audit. Hopefully this provides an insight into the profession, and explains some of the jargon commonly used!

You can also view this as a PDF (opens in new tab)

Assurance The process of examining evidence with the purpose of providing an independent assessment of an organisation's governance, risk management and internal control arrangements. 
Board The highest level governing body charged with directing the activities of an organisation. In the context of internal audit, the board usually refers to the Audit Committee which oversees the work of the internal audit function. 
Control environment The combination of several elements encompassing the governance of an organisation which, when taken together, provide the discipline and structure for the achievement of the primary objectives of a system.
Data analysis Looking at large sets of data and using tools to work out what it's telling you. This is used in audit to examine large amounts of information and see if patterns emerge or if it indicates any issues. For example, an auditor might conduct data analysis on an organisation's payroll to check everyone is being paid on time. 
Enterprise risk management The gold standard of risk management. A structured, consistent and continuous process across the whole organisation for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.
Follow-up Where actions from internal audit findings are not implemented or their implementation does not address the underlying issue, this exposes an organisation to risk. The follow-up process is the final part of the audit cycle. It involves tracking the status of actions, obtaining evidence to support completion and even re-testing where risks are highest. Follow-up activity should be reported to the Audit Committee.
Governance Governance can be described as the combination of processes and structures implemented by the board to direct the activities of the organisation towards the achievement of its objectives. The internal audit function is required to evaluate and make appropriate recommendations to improve an organisation's governance processes.
Head of Internal Audit The Head of Internal Audit (or Chief Audit Executive) is the individual in a senior position who is effectively responsible for managing internal audit activity in accordance with the internal audit charter and professional standards. 
Independence Independence is characterised by a freedom from conditions which threaten the internal audit function from carrying out its responsibilities in an unbiased manner. Independence is achieved through the Head of Internal Audit having direct and unrestricted access to senior management and the Audit Committee. Threats to independence must be managed at organisational, functional, engagement and individual auditor levels.
Joint working Internal audit often works alongside other assurance services like risk management and counter fraud. If a fraud investigation reveals a gap in the system, officers can work with the auditors to make sure it doesn't happen again. This also links to what's known as assurance mapping.
Key controls These are the controls that make a significant contribution to the management of a risk in a given system. Reliance is placed on key controls in order to form an opinion and to provide assurance on the design and operating effectiveness of the system under review.
Lines of defence The three lines of defence is a model that provides a simple and effective way to manage risks. It outlines the roles and responsibilities of parties to increase the effective management of risk and control. Read more detail about the first, second and third lines of defence. 
Methodology Included within the definition of internal auditing is the requirement to bring a structured and discliplined approach to the evaluation of risk management, control and governance processes. Adopting a consistent and repeatable methodology encourages compliance with professional standards. At Veritau, we codify this in our audit manual.
Networks Audit networks are important. They help professionals keep up with the latest guidance and share best practice. Veritau is a member of Audit Together and various other networks and partnerships. We share development ideas and maximise the opportunity to add value.
Objectivity An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Internal auditors need to make a balanced assessment of all the relevant circumstances and must not be unduly influenced by their own interests or by others in forming judgements.
Professional bodies Several professional bodies govern the world of internal audit. The Institute of Internal Auditors (IIA) is a global organisation providing the standards for internal audit, and provides the professional qualification that all Veritau trainees gain. The Chartered Institute of Internal Auditors (CIIA) is the UK body. Auditors also gain specific knowledge and insights from bodies such as the Chartered Insititute of Public Finance and Accounting (CIPFA). 
Quality assurance The Head of Internal Audit is required to develop a Quality Assurance and Improvement Programme (QAIP) which covers all aspects of internal audit activity. The QAIP should enable evaluation of conformance with professional standards, application of the code of ethics and the overall efficiency and effectiveness of the internal audit function.
Reporting This is the end product of an internal audit. Findings need to be communicated clearly and effectively to those involved with the audit. Typically reports include findings, ie what is not working so well, and actions, ie what can be done to improve things in the future. 
Specification Also known as a terms of reference or brief, the specification is drawn up at the beginning of an audit and agreed with the client. It sets out the scope and objectives of the work to be undertaken and thus where assurance is and is not being provided.
Testing After identifying the system controls that are in place, an internal auditor's next job is to test how effectively they are working. For example, this could involve taking a sample of payment documents to check that each one has been signed off by the appropriate people. Testing can be carried out using Computer Assisted Auditing Techniques (CAAT) such as IDEA (see D for data analytics).
Universe The collection of auditable areas that exist within an organisation. The audit universe is usually structured by business units, service areas, processes, systems or by risk. 
Value-added Adding value is at the heart of internal auditing and value-added contributions should be made throughout the internal audit activity. Value is added through strengthening an organisation's control environment, adopting a risk-based approach, identifying process improvements, acting in a consultative capacity and simply by providing assurance to senior management and the board. 
Whistleblowing Whistleblowers are workers who report wrongdoing in the public interest. They are protected by law if they're an employee, trainee, agency worker or volunteer at the organisation. Audit can play a key role in protecting the independence that whistleblowing requires. Internal audits will work with HR or fraud officers, where appropriate, to investigate and report on any concerns.
EXternal audit Ok, so we've cheated a little here, but did you really expect us to find an audit term beginning with X? Internal and external audit are quite different - as the names would suggest, one looks at the organisation from the inside, and the other from the outside. External audit is more financial based, while internal audit focuses on day-to-day operations. While they are usually conducted by different organisations, the two should have a working relationship to ensure their work is coordinated and resources are used efficiently. This is achieved by internal audit carrying out something known as assurance mapping.
Year-end Internal audit teams generally work to an 'audit year', meaning all work has to be completed by a specific point in the year. For us, this is 30 April, so April is what’s known in our office as 'year end'.
Zeitgeist There have been many high profile scandals in the world of business which have shaped how internal auditors think and act (eg Enron and Arthur Anderson and, a bit closer to home, Carillion). It is important that lessons are learned from these scandals so that auditors can continue to help clients to achieve their objectives sustainably. Scandals like these could be considered the 'zeitgeist' of the audit world.


Read more: what is internal audit?

Enjoyed this A-Z? Follow us on social media for more Internal Audit Awareness Month content, or get in touch to find out more about our audit services.

Sign up for the Veritau Alerts Click subscribe to receive the monthly bulletin