Return to CHAPTER 22

state seal 22.30
Internal Audit Basics


July 1, 2017

Internal audit definition

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The internal audit program provides assurance that internal controls in place are adequate to mitigate risks, governance processes are effective and efficient, and organizational goals and objectives are being met.

Internal auditing bridges the gap between management and the executive leadership or the board of an agency; assesses the ethical climate and the effectiveness and efficiency of operations; and serves as an organizationís safety net for compliance with rules, regulations, and overall best business practices.

Internal audits are performed by professionals employed by the agency who have an in-depth understanding of the business culture, systems, and processes.

The internal audit function is an integral part of the agency and derives its authority from senior management. It serves to promote objective, comprehensive review coverage, and to assure the consideration of audit recommendations.


July 1, 2017

Roles and responsibilities

The Office of Financial Management (OFM) will determine for which agencies an internal audit program is required. OFM will periodically review the criteria to determine which agencies are required to establish and maintain an internal audit program.


The agency head will establish an internal audit program when required or elected for the agency. The agency head approves the internal audit charter which formally defines the organizational placement, program responsibilities, authority, and the nature of program activity consistent with the definition of internal auditing, the Code of Ethics and internal audit standards. The agency head establishes an environment supportive of the internal audit program. 


The chief audit executive (CAE) is the person within an agency with overall responsibility for the internal audit program.  The CAE is responsible for developing the internal audit charter, staffing, administering, and managing the internal audit program to ensure it operates in accordance with professional standards and adds value to the organization. The CAE reports to the agency director or board significant nonconformance of professional standards that impacts the overall scope or operation of the internal audit program.


Depending on an agency’s governance structure, an audit committee may be used to help the agency review, monitor, and/or direct the agency’s activities related to maintaining effective internal control. An agency audit committee could also improve financial practices and reporting, and enhance both the internal and external audit functions.


The internal auditor or other professionals (internal or external to the agency) may provide assurance and advisory support to management in areas such as developing appropriate procedures to conduct risk assessments and internal reviews of control activities.


External auditors are not part of an agency’s internal audit program and cannot be a replacement for or supplement to an adequate internal audit program.  The role of the external auditor is to provide independent accountability and assurance to the public and external stakeholders. However, this independent assurance is also valuable feedback to those charged with governance and agency management.


July 1, 2017

Professional audit standards

The internal audit program must conform to either the International Standards for the Professional Practice of Internal Auditing and Code of Ethics (IIA Red Book), Generally Accepted Government Auditing Standards (GAO Yellow Book), or both.

Regardless of which set of standards are adopted, the internal auditing program should adhere to the following core principles and mandatory attributes of internal auditing.

Core principles

  • Demonstrates integrity
  • Demonstrates quality and continuous improvement
  • Demonstrates competence and due professional care
  • Communicates effectively
  • Is objective and free from undue influence
  • Provides risk-based assurance
  • Aligns with the strategies, objectives, and risks of the organization
  • Is insightful, proactive, and future-focused
  • Is appropriately positioned and adequately resourced
  • Promotes organizational improvement

Common mandatory attributes

  • Organizational independence
  • Individual objectivity
  • Proficiency and due professional care
  • Quality assurance and improvement program


January 1, 2018

Organizational independence and objectivity

The internal audit program must be independent, and internal auditors must be objective in performing their work.

Organizational independence – Standards require the CAE to report to a level within the organization that allows internal audit to fulfill its responsibilities.  Therefore, it is necessary to consider the organizational placement and supervisory oversight/reporting lines of internal audit to ensure organizational independence.

Individual objectivity – It is necessary for internal auditors to perform their professional responsibilities with an impartial, unbiased attitude and to avoid any conflict of interest.

Internal auditors are not authorized to:

  • Provide assurance services for any area for which they perform operational duties, such as designing or implementing internal controls, developing procedures, installing systems, preparing records, directing employees, or engaging in any other activity that may impair their objectivity.
  • Participate in collective bargaining (RCW 41.80.005).
  • Be designated as the agency Internal Control Officer.


July 1, 2017

Proficiency and due professional care

Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities.  In addition, the internal audit program collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

Due professional care is acting responsibly when providing services and is the individual responsibility of every internal auditor. 


July 1, 2017

Quality assurance and improvement program

To help ensure the internal audit program is functioning as intended, professional auditing standards require a quality assurance and improvement program.


July 1, 2017

Internal and external auditors

State agencies are subject to audit by external organizations, including the State Auditor’s Office, the Joint Legislative Audit and Review Committee, federal regulators, and others. An effective internal audit program will coordinate with external auditors to leverage each audit organization’s work and help improve overall agency governance.

As an integral part of the organization, internal auditors possess an in-depth understanding of the agency’s culture, operations, strategies, and risks.  External auditors gain an understanding of operations only as needed to inform their specific audit.

Some key differences between internal and external auditing to consider in coordinating efforts include:

Internal audit

  • Staffed by employees or contractors of the agency.
  • Mandated to provide assurance and advice to senior management (and board, if applicable) to improve the state of governance, risk management, and control within the agency.
  • Focused on all functions and operations of the agency.
  • Required to meet audit standards for organizational independence.
  • Provide continuous services to management.

External audit

  • Staffed by employees or contractors of the external audit organization.
  • Mandated by authorizing law, rule, or other authority to provide assurance to external stakeholders (the public, legislature, federal regulators, etc.) on the accuracy of agency reports, compliance with laws and rules, and efficiency of operations.
  • Focused on areas stipulated by statute, rule, or authority.
  • Independent of the agency.
  • Audits may be intermittent or routine such as the end of a fiscal period or grant period.


July 1, 2017

Annual requirements for agencies

Annually, each agency director or board of an agency with an internal audit program is required to sign and submit an internal audit certification.  By signing the certification, they certify that they are responsible for establishing and maintaining an internal audit program in accordance with RCW 43.88.160(4) and this chapter.

If applicable, a summary of any material nonconformance and a brief corrective action plan must be attached to the certification.  “Material nonconformance” is defined as not meeting a core principle or common mandatory attribute to an extent that it impacts the internal audit program’s ability to fulfill its objectives.

The certification is to be submitted as an attachment to the Financial Disclosure Certification form. See Chapter 90.40 for due dates.

Click here if you would like to print a PDF Version of this document.
Return to CHAPTER 22