The information contained in an internal audit consists of written and oral reports relating to the three major process areas relevant to a business: risk management, governance and control auditing. The International Standards for the Professional Practice of Internal Auditing is the guiding reference manual that has been adopted by the Institute of Internal Auditors, and it outlines the internal audit logistics as well as the required content of the internal audit results, notes the Institute of Internal Auditors.
Risk management auditing involves gathering information on how a business obtains and processes information. It looks at how aware the business leaders are of potential risks that could impact the organization's objectives. It is the job of the internal auditor to identify risks that may be either unknown by management or outside of the bounds or criteria that management is willing to assume. These results are conveyed to senior management or legal counsel, according to the Institute of Internal Auditors.
Governance auditing analyzes how policies, process and the organizational reporting structure of the business are developed and used, explains the Institute of Internal Auditors. The internal auditor's job is to assess and recommend improvements in a number of areas. He evaluates organizational ethics and values, determines the state of organizational accountability, makes sure that information regarding risks and control are related to responsible parties within the organization, and communicates these results to the board, senior management and other auditors employed by the firm. He also reports on the effectiveness of the organizations information technology systems.
Control, the third key process area, involves how well the business is run. Key aspects of control auditing include evaluating and reporting on financial data correctness, asset protection, legal compliance, and strategic objective achievement, notes the Institute of Internal Auditors.