In this article we answer the following questions:

• What does an internal auditor do?
• What activities does an internal audit in an organisation involve?
• How do the Global Internal Audit Standards define assurance and consulting services?

In today's world, internationally operating organisations face many challenges resulting from dynamic changes in their environment, the growing complexity of processes, and the diversity of stakeholders. In such a context, it is crucial not only to effectively manage the development of the business, but also to create appropriate structures and processes that enable the achievement of organisational goals and effective risk management. The best results in this field are achieved by companies that decide to use the help of an experienced internal auditor. Why? And what does the work of such a specialist actually involve?

As indicated by the Organisation for Economic Co-operation and Development (OECD) in the document "OECD Guidelines for Multinational Enterprises on Responsible Business Conduct", enterprises should apply good corporate governance practices resulting from the "G20/OECD Principles of Corporate Governance".

These principles place great emphasis on responsible and transparent management of an organisation. Good corporate governance practices are crucial for an entity to enjoy the trust of investors and other stakeholders, and are also necessary to maintain the stability and effectiveness of the actions taken by the company.

The management board's task is therefore not only to develop a development strategy for the company, but also to effectively monitor its activities and ensure that the decisions made are consistent with the interests of all stakeholders.

In this case, an independent internal audit and control systems implemented as part of proper risk management play a special role in the organisation. They are essential for identifying and minimising potential threats, both financial and operational. It is not just about taking appropriate actions incidentally, before making significant changes or business decisions – regular visits by statutory auditors and specialists providing assurance services ensuring compliance with international and local law and maintaining appropriate standards are also crucial to avoiding legal sanctions and damage to reputation.

In the context of increasing globalisation and the growing complexity of markets, the application of good practices and principles identified by the OECD is becoming increasingly important in many industries for maintaining competitiveness and meeting the recommendations regarding the sustainable development of enterprises¹.

Role of internal audit in the effective risk management

The internal control system is an integral part of every entity, allowing it to efficiently achieve its goals and function continuously and effectively².

According to the three lines model, effective risk management requires that the supervisory body, which represents the interests of all stakeholders, has full insight into the actions taken by management. Only in this way can one be sure that decisions are made taking into account different perspectives and potential risks. Cooperation between the supervisory body and management is crucial, because acting together, they have the opportunity to support innovation and continuous improvement of processes.

Internal audit plays an important role in this context. An independent and objective assessment of the functioning of the control system allows the audit firm to provide supervisory authorities with valuable information about the strengths and weaknesses of the organisation. Auditors' recommendations can contribute to improving not only the operational efficiency of the company, but also to increasing the transparency of operations and gaining the trust of stakeholders.

According to the three lines model, the services provided by certified internal auditors enable, among other things:

• provision of independent and objective assurance to interested parties,
• advising entities on the adequacy and effectiveness of implemented organisational governance and risk management processes (including internal control procedures)³.

Types of internal audit: how does a specialist evaluate the management system?

Assurance services

The Global Internal Audit Standards define assurance services as services performed for the purpose of providing assurance⁴. They are therefore primarily concerned with the audit of processes and procedures to confirm their implementation and effectiveness, as well as to determine whether they are an appropriate response to identified risks.

Importantly, organisations can obtain two types of assurance – limited or sufficient – depending on the scope of services established.

Advisory services

Advisory services (also known as consulting services) are defined by the Standards as services that do not involve taking specific actions, but only providing appropriate advice⁵. Their scope therefore includes primarily investigative services, training and evaluation of developed or implemented regulations, processes or systems.

How do the services provided by an internal auditor positively impact corporate governance?

As part of the services provided, the certified internal auditor focuses on the analysis of risks and the responses to these risks that are in force in the organisation. The purpose of the internal audit is not only to assess compliance with regulations and procedures, but also to identify areas for improvement that can contribute to achieving strategic goals and maintaining the value of the organisation.

Internal audit thus allows not only to streamline and improve the processes currently in force in the organisation, but also to set new strategic goals with greater awareness and supervise their implementation. Importantly, such analyses are also helpful in implementing solutions in the field of ESG and CSR, and therefore can significantly affect the reputation of the entity and trust in it.

In the face of the growing complexity of procedures and regulations and uncertainty caused by dynamic changes taking place in international markets, it is worth investing in the development of effective management structures and processes that enable making optimal decisions, proper risk management, and supporting innovation. Cooperation between all stakeholders, reinforced by an independent internal audit, is crucial for achieving success in the current, demanding business environment.

¹OECD (2024), Wytyczne OECD dla przedsiębiorstw wielonarodowych dotyczące odpowiedzialnego prowadzenia działalności biznesowej, OECD Publishing, Paris, https://doi.org/10.1787/9fe6d8dc-pl, p.18.

²Agnieszka Skoczylas-Tworek, Monitorowanie systemu kontroli wewnętrznej organizacji na podstawie modelu COSO III w: Studia Ekonomiczne, 2013, pp. 371-382.

³The Institute of Internal Auditors (2020), Wprowadzony przez IIA model trzech linii.

⁴The Institute of Internal Auditors (2024), Globalne Standardy Audytu Wewnętrznego, p. 13.

⁵The Institute of Internal Auditors (2024), Globalne Standardy Audytu Wewnętrznego, p. 13.