Internal Audit

Internal audits evaluate a company’s internal controls, including its corporate governance and accounting processes. These audits ensure compliance with laws and regulations and help to maintain accurate and timely financial reporting and data collection. Internal audits also provide management with the tools necessary to attain operational efficiency by identifying problems and correcting lapses before they are discovered in an external audit:

• An internal audit offers risk management and evaluates the effectiveness of many different aspects of the company.
• Types of internal audits include financial, operational, compliance, environmental, IT, or for a very specific purpose.
• Internal audits provide management and the board of directors with a value-added service where flaws in a process may be caught and corrected prior to external audits.
• Similar to external audits, internal audits are conducted through planning, auditing, reporting, and monitoring steps.
• Internal audits may enhance the efficiency of operations, motivate employees to adhere to company policy, and allow management to explore specific areas of its operations.

Understanding Internal Audits:

Internal audits play a critical role in a company’s operations and corporate governance, especially now that the Sarbanes-Oxley Act of 2002 (SOX) holds managers legally responsible for the accuracy of their company's financial statements. SOX also required that a company's internal controls be documented and reviewed as part of their external audit.

In addition to ensuring a company is complying with laws and regulations, internal audits also provide a degree of risk management and safeguard against potential fraud, waste, or abuse. The results of internal audits provide management with suggestions for improvements to current processes not functioning as intended, which may include information technology systems as well as supply-chain management.

Internal audits may take place on a daily, weekly, monthly, or annual basis. Some departments may be audited more frequently than others. For example, a manufacturing process may be audited on a daily basis for quality control, while the human resources department might only be audited once a year.

Audits may be scheduled, to give managers time to gather and prepare the required documents and information, or they may be a surprise, especially if unethical or illegal activity is suspected.

Types of Internal Audits:

1.         Compliance Audit:

A company may be required to adhere to local laws, compliance needs, government regulations, external policies, or other restrictions. To demonstrate compliance with these rules, a company may task an internal audit committee to review, compile appropriate information, and provide an overall opinion on the status of the compliance requirement.

2.         Internal Financial Audit:

Public companies are required to perform certain levels of external financial auditing where a completely independent third party provides an opinion on the company's financial records. Companies may want to further dive into audit findings or perform an internal financial audit in preparation for an external audit. Many of the tests between an internal or external auditor may be similar; the nature of independence separates the two types of audits for financial audits.

3.         Environmental Audit:

As companies become continually more environmentally conscious, some take the steps of reviewing the business' impact on the planet. This results in an internal audit covering how a company safely sources raw materials, minimizes greenhouse gases during production, utilizes eco-friendly distribution methods, and reduces energy consumption. Companies leveraging triple bottom line reporting may perform internal environmental audits as part of annual reporting.

4.         Technology/IT Audit:

An IT audit may have different objectives. The internal audit may be the result of an external lawsuit, a company complaint, or a target to become more efficient. An internal audit focused on technology reviews the controls, hardware, software, security, documentation, and backup/recovery of systems. The goal is likely to assess general IT accuracy and processing capabilities.

5.         Performance Audit:

An internal audit focused on performance pays less attention to the processes and more on the final result. The company will have likely have set performance objectives or metrics that may be tied to performance bonuses or other incentives. As a result, an internal auditor assesses the outcome of an objective that may not be easily quantifiable.

For example, a company may wish to have expanded its use of diverse suppliers; the internal auditor, independent of any purchasing process, will be tasked with analysing how the company's spending patterns have changed since this goal was set.

6.         Operational Audit:

An operational audit is most likely to occur when key personnel leaves or when new management takes over an entity. The company may want to assess how things are done and whether resources are being used more efficiently. During an operational internal audit, the auditor will review whether current staff and processes fulfil the mission statement, value, and objectives of a company.

7.         Construction Audit:

Development, operating, real estate, or construction companies may perform construction audits to ensure not only appropriate physical development of a building but appropriate project billing along the life of the project. This mostly includes adherence to contract terms with the general contractor, sub-contractors, or standalone vendors as necessary.

This may also include ensuring the company has remit the appropriate payments, collected the appropriate payments, and internal project reports regarding project completion are correct.

8.         Special Investigations:

Many of the audits above may be recurring and performed each year. In some cases, it might make sense for an internal audit committee to evaluate a special circumstance that will occur only once. This may entail gathering a report on the efficiency on a recent merger, the hiring of a key employee, or a complaint from staff. When selecting the individuals for the special investigation audit, a company must be especially mindful to select members with appropriate expertise and independence.

Depending on the structure of the organization, the internal audit may be prepared by the board of directors of by upper management.

Internal Audit vs. External Audit

Internal audits and external audits have the same objective: both analyse an aspect of a company to determine a specific opinion. However, there are many differences between the two types of audits.

In an internal audit, the company is often able to select their own audit team. This may be advantageous to specifically place certain employees with very niche experience on the team. In an external audit, the company can often select the external audit firm; however, the company often does not have a say in the specific employees put on their external audit.

There may be some requirements regarding the external audit staff depending on the audit. For example, in an external financial audit, a Certified Public Accountant (CPA) or a Chartered Accountant (CA) must certify the financial statements. In an internal audit, there is no requirement that any member on the audit team must be a CPA or CA.

The end goal of either audit is an audit report; however, the audit reports are used for very different reasons. An internal audit report is usually used by internal management to improve the operations, processes, or policies of the company. An external audit report is often required for an outside reason and more often used heavier by members outside of the company.

Last, the nature of the engagement will be very different. During an internal audit, the employees of a company may often freely give advice, discuss unrelated matters with the company, or may have a very fluid consulting agreement. During an external audit, a very defined scope is often set, and the external auditor will often take great care to ensure they do not exceed their audit boundaries.

Internal Audits:

• A company is usually able to select its own internal audit lead and team members
• Members of the audit team often do not need to have specific titles or licenses
• Audit reports are primarily used by internal management to improve company operations
• Internal audits may be less formal with blurred structure as the auditor provides casual guidance

External Audits:

• A company or board can usually pick the audit firm but not audit team members
• Members of the audit team may be required to hold specific titles or license as part of the audit agreement
• Audit reports are primarily used by external parties to satisfy a reporting requirement
• External audits are often more formal with defined boundaries and disallowed services

Internal Audit Process

Internal auditors generally identify a department, gather an understanding of the current internal control process, conduct fieldwork testing, follow up with department staff about identified issues, prepare an official audit report, review the audit report with management, and follow up with management and the board of directors as needed to ensure recommendations have been implemented.

Step 1: Planning

Before any audit procedures are performed, the internal auditors often start by developing the audit plan. This sets the audit requirements, objectives, timeline, schedule, and responsibilities across audit team members. The audits may review prior audits to understand management expectations for presentation and data collection.

The audit plan often has a checklist to ensure members of the team adhere to broad expectations. The internal audit team may also pre-emptively plan to meet with management throughout the audit to communicate the status and any struggles of the audit. The planning stage often ends with a kick-off meeting that launches the audit and communicates the initial information needed.

Step 2: Auditing

Many of the auditing procedures used by internal audits are the same as external auditors. Assessment techniques ensure an internal auditor gathers a full understanding of the internal control procedures and whether employees are complying with internal control directives. To avoid disrupting the daily workflow, auditors begin with indirect assessment techniques, such as reviewing flowcharts, manuals, departmental control policies or other existing documentation.

Auditing fieldwork procedures can include transaction matching, physical inventory count, audit trail calculations, and account reconciliation as is required by law. Analysis techniques may test random data or target specific data, if an auditor believes an internal control process needs to be improved.

The internal audit may have started with a defined scope; as the internal audit team gathers and analyses information, it may become necessary to redefine the purpose and extent of the audit. This includes re-evaluating the original timeline or resources allocated to the audit.

Step 3: Reporting

Internal audit reporting includes a formal report and may include a preliminary or memo-style interim report. An interim report typically includes sensitive or significant results the auditor thinks the board of directors needs to know right away. Similar to an interim financial statement, an interim audit communicates a partial set of information useful for laying the road for the remaining portion.

Often, a company may deliver a draft copy of the final audit report and host a pre-close internal audit meeting with management. This may allow management to provide rebuttals, additional information that may change findings, or provide commentary on their feedback regarding the audit findings.

The final report includes a summary of the procedures and techniques used for completing the audit, a description of audit findings, and suggestions for improvements to internal controls and control procedures. The final report may also communicate next steps in terms of changes to be implemented, future monitoring processes, and what future reviews will entail.

Step 4: Monitoring

After a designated amount of time, an internal audit may call for follow-up steps to make sure the appropriate post-close audit changes were implemented. The details and process for these monitoring and review steps is often agreed to at the delivery of the final audit.

For example, an internal financial audit may find severe internal control deficiencies that an internal auditor believes will not pass an external financial audit. Management agreed to implement changes within the next six weeks. After six weeks, the internal auditor may be tasked with implementing a small-scope or limited review of the deficiency to see if the issue still persists.

The monitoring step of an internal audit is technically not required. Management or the board may decide to disregard internal audit findings and not implement the changes the audit report suggests. 

Internal Audit Reports: The 5 C's

Internal audit reports are often known for adhering to the 5 C's reporting requirement. A complete, sufficient internal audit often ends with a summary report that communicates answers to the following questions:

1. Criteria: What particular issue was identified, and why was the internal audit necessary? Is the internal audit in preparation for a future external audit? Who requested the audit, and why did this party request the audit?
2. Condition: How as the issue in relation to a company target or expectation? Does the company have a policy that was broken, a benchmark that was not met, or other condition that was not satisfied? Is the company confident no issue exists, or do they believe an issue is at hand?
3. Cause: Why did the issue arise? Who was involved, what processes were broken, and how could the issue have been avoided?
4. Consequence: What is the outcome of the problem? Are issues limited to internal matters, or are there risks of external consequences? What are the financial implications of the issue?
5. Corrective Action: What can the company do fix the problem? What specific steps will management take to resolve the issue, and what type of monitoring or review will occur after solutions have been put in place to ensure a fix has been implemented?

Importance of Internal Audits:

Some may think internal audits are not as valuable as external audits. After all, a company may hand-pick its own internal audits who do not have full independence from the company. However, there are many ways internal audits provide value to the company and external parties:

• Management can be more efficient about what to explore. For example, while external financial audits must test an entire financial system, a company may be concerned about whether the cash management process is being fraudulently managed; therefore, management can elect to have all audit procedures analyse cash processes.
• Internal audits may save companies money. If a company's processes are very strong, the external audit process may not be as long as intensive, thereby reducing the external audit fee and time spent supporting external auditors.
• The company enhances its control environment. Even if the internal audit yields no findings, employees may be aware that their work gets analysed and reported on, thereby motivating adherence to company policy.
• Internal audits may make companies more efficient. External audits often are not intended to make processes better; they are meant to review whether processes are accurate. This distinction is important because a company may be "just getting by" with inefficient processes that meet very minimum requirements.
• Internal audit reports give management a head start to make corrections. Instead of having to scramble when an external audit finds a deficiency, management can take longer to think through solutions, implement the solution with care, and review whether the solution worked.
• Certain departments may need enhanced oversight. Whether it is lack of expertise, staffing shortages, or problem with current personnel, a company may benefit from targeting a specific area and formally reviewing its workflow and processes.

The Types of Internal Audits:

A company can choose to perform an internal audit for almost any reason. This may lead to an internal financial audit, operational audit, compliance audit, environmental audit, IT audit, or a special one-time circumstance.

The Role of Internal Audit:

The role of an internal audit is to identify a deficiency or substantiate a proficiency. For example, a company may issue an internal financial audit to make sure its internal controls over accounts payable adhere to company policy. Alternatively, the company may launch an internal environmental audit to explore how environmental impact its eco-friendly changes had on the planet last year.

Internal Audit Process:

The internal audit process entails planning the audit, performing the audit procedures, compiling the audit report, and monitoring post-audit changes. Management may choose to expand the scope of an audit at any point of the audit if findings during the audit cause the scope to shift a different direction.

The 5 Cs of Internal Audit:

Internal audit reports often outline the criteria, condition, cause, consequence, and corrective action. These five areas report why the audit was performed, what caused the reason for the audit, how the audit will be performed, what the auditor aims to achieve, and what steps will be taken after the audit findings are presented.

The Bottom Line:

An internal audit is a process that allows a company to self-select an audit team to carry out the review of its operations. The company can often define the scope of the internal audit. In addition, the company can often choose almost any reason to conduct an internal audit. Though internal audits are less useful for meeting external reporting requirements, they hold tremendous value for improving internal operations as well as informing management ways the company can get better.

How to Conduct an Internal Audit?

The Basic Steps to Conduct an Internal Audit are as Follows:

1. Identify areas that need auditing. Begin by identifying the departments that operate using policies and procedures written by your organization or by regulatory agencies. These can include activities as complex as manufacturing processes or as simple as accounting procedures. Make a list of each activity and the functions that require review.
2. Determine how often auditing needs to be done. While some areas may only need to be audited annually, other departments may require more frequent audits. For example, the HR function may only require an annual audit of records and processes, while a manufacturing process may require daily audits for quality control purposes.
3. Create an audit calendar. A structured and systematic approach to the auditing process will help assure that the function lives up to its full potential. Audits should be integrated into corporate objectives, like any other business goal. Scheduling audits on your business calendar will assure that they are done consistently.
4. Alert departments of scheduled audits. Give departments notice of an audit so they can prepare the necessary documents and materials for the auditor. A surprise audit should only be conducted if you suspect unethical or illegal activity, and department managers should not feel threatened by an auditor.
5. Be prepared. An auditor should come prepared with an understanding of policies and procedures and a list of items for review. The more prepared an auditor is, the more efficient the process will be.
6. Interview employees. The auditor should interview employees and ask them to explain their work process compared to written policy. This step will help to establish an understanding of employee competence and identify employees who need additional training.
7. Document results. Record the results and any differences in practice to how policies are written, as well as when policies are followed and when they are not. This may also include other information that is gathered from the interview process. The goal is to identify any gaps in compliance and find a way to bridge those gaps.
8. Report findings. Create an easy-to-understand audit report to be reviewed with senior management. In addition, an improvement plan should be developed for areas with any gaps in compliance.

Here are some other considerations when conducting an internal audit:

• When reviewing policies and procedures, consider whether written policies are meeting the needs of “customers” (that is, your employees) and adding value to the organization.
• Policies and procedures should be focused on continuous improvement as it relates to how work is performed.
• Ask whether the team environment is healthy and supports compliance with policies and procedures. A dysfunctional team has the potential to impact procedural compliance.
• Policies and procedures should be reviewed annually to assure they reflect the changing business environment.

After the Audit: Improving the Compliance

Once you complete an internal audit, you should remediate any gaps identified during the process. Conducting a follow-up audit after the initial audit will increase the likelihood that an external audit goes well.

There are a number of risks that your organization may identify during an internal audit, including:

Reputation risk

Operational risk

Transactional risk

Credit risk

Compliance risk

Strategic risk

Country risk

Legal risk

Vendor concentration risk

IT/Cybersecurity risk

Cloud risk

Identifying these high risks during an internal audit is the first step. Creating a plan to remediate any of these risks will assure that your organization is ready for an external audit.

Disclaimer:

Publisher of this article does not accept any liability for the quality of information published. The sole intent behind publishing this article is to provide free educational content for students and professionals working in respective domains to which the subject of the article has been referred.

Readers are here advised to treat this article as educational content only. Any words, sentences, pictures, schedules, diagrams, or contents resembling other publications can either be coincidental or used solely for informative purposes as this article is an exposition of different reading materials and not research. If anyone wants the removal such content from this presentation, may write to me through LinkedIn message. I will see the objections and try to respond at the earliest.