In this time of economic and organizational disruption, the impact of an internal control or shortcut of processes can be quite significant. But how do you monitor your organizational processes and internal controls in order to be both effective and efficient?
Organizations that strategically evaluate and manage risk as part of their business operations lower their level of risk and create opportunities for valuable business planning. Your internal audit function can be the best resource for monitoring whether your controls are in place and functioning as intended.
What is an Internal Audit?
The definition of an internal audit is an independent, objective review and evaluation of an organization’s internal controls, corporate governance and accounting processes and procedures. Internal audits exist to reduce and mitigate risk and improve operational performance and controls.
There are many ways that an organization can effectively utilize internal audit resources, including:
Protect your organization from potential risk and improve organizational controls.
How can Internal Audit Add Value to Your Business?
The benefits of a strong internal audit function go well beyond mitigating breakdowns in controls that may have significant financial and operational impacts on your organization:
Trained Resources: An inherent byproduct of internal audit’s role is the establishment of a team with a thorough understanding of the company and its operations. Internal audit staff often include specialists that possess technical understanding of operational areas (for instance, revenue processes and other unique industry issues, such as physician relationships, regulatory compliance and information technology), in addition to the general financial or operational audit staff.
Leverage with Other Functions: Internal audit can play a significant role in efforts to implement Enterprise Risk Management (ERM) and to comply with ORSA regulation. While the scope of these functions is broader than internal audit, leveraging the risk assessment and work performed by an internal audit is directly relevant to the ERM program. Additionally, as it is with other company functions and operations, internal audit should review, test and report on the effectiveness of the ERM function, providing independent confirmation to the board.
New Initiative and Project Consultation:Internal audit can also play a more consultative role within an organization. To compete, companies often undergo restructuring, expand into new lines of business or new geographic areas, add new IT systems and tools, or acquire or merge with other companies. As auditors of the organization, internal audit has the training necessary to perform and report on these activities while maintaining independence from operations.
Examples of how internal audit can effectively assist management and the board include:
Board Governance: An effective internal audit function is an important aspect of good governance. It can assist the board in monitoring and managing key risks and their related controls, providing an important aspect of an effective risk management control framework. In addition, internal audit can serve as a platform that provides board governance education.
Entity Monitoring and Mitigation Strategies of Industry Risks and Trends: Monitoring industry trends and assessing how the enterprise addresses risk is a core competency of internal audit. In addition, internal audits can be a great source of talent when in search of operational/financial resources. In fact, it is not uncommon for companies to use their internal audit as a training ground for financial and operational personnel, and, at times, require personnel to serve a rotational period in internal audit to broaden knowledge and obtain a more thorough understanding of overall business objectives.
Is your internal audit function delivering enough value?
How do you Create an Internal Audit Plan?
When it comes to a plan for your internal audit, one size does not fit all. Because you have different needs, policies, procedures, staffing, risks, risk appetites and other variables, your internal audit function should be as unique as your company, institution or organization. In addition, your employees’ time is becoming more and more valuable, so your internal audit function should strive for more efficiency than ever before. A risk-based internal audit plan can give you both a unique and tailored approach to your internal audit function and increased efficiency.
Determine Your Risk Scores
A risk-based approach begins with the preparation of an annual risk assessment and internal audit plan. Through inquiries and observations, you assess risk across the general areas of the company or organization.
The goal of the risk assessment process is to assign a “risk score” to each general area, which is the basis for your annual internal audit plan. Areas that score higher in risk are tested more frequently by internal audit—perhaps on an annual basis. Those areas assigned lower risk scores are tested by internal audit less frequently, and may only be included in your internal audit plan on a tri-annual basis.
Tailor Your Approach
When you have your risk-based internal audit plan for the year defined, the internal auditor will then carry out the audits of the general areas of the institution according to the plan. It is important to incorporate a risk-based element when determining the internal audit procedures that you will complete for a given area.
High-risk areas require more controls and more internal audit testing to verify the controls exist and are operating effectively. Low-risk areas do not have as many internal controls in place; as a result, internal audit testing could be kept at a higher level. Audit programs should be tailored to your organization based on the area’s existing controls, the effectiveness of those controls and previous recommendations related to the particular area.
Once an audit of a given area is completed, a report should be submitted directly to the audit committee, board of directors or supervisory committee detailing the findings, recommendations or observations. You can also incorporate a risk-based element into this reporting process. You can choose not to include all technical or isolated exceptions in your reports and report specific exceptions only to management. Try not to place too much emphasis on specific findings and exceptions in these written reports, however. Instead, address questions such as “What caused this exception?” Or, “What process needs to be enhanced so that this does not happen again?” This manner of reporting helps to ensure that the audit committee, board of directors or supervisory committee understands the process improvements and the value that an internal audit department brings to the organization. Often, it is helpful to stratify recommendations based upon level of risk determined in order to better prioritize them for management action plans, as well as identify if the recommendation is more control based and/or operational in nature.
How do you Ensure the Quality of Your Internal Audit?
The primary tool for evaluating internal audit activity and whether or not it conforms with the standards is through a Quality Assurance and Improvement Program.
A Quality Assurance and Improvement Program is an ongoing program intended to increase the quality and value of internal audit services. It assesses the efficiency and effectiveness of the internal audit activity. The program will evaluate conformance with relevant policies, procedures, standards, core values and a code of ethics.
Who should Perform an Internal Audit?
A strong internal audit department can take one of many forms, depending on your size, shape, and available resources:
So, how do you know which one to choose?
Budgeting and staffing for internal audit is a common struggle. This is especially true for small to medium-sized organizations. A complication to funding internal audit is determining what type of staffing model is needed. This model can be determined by answering these questions:
In a time of uncertainty, you’ll want to make sure you’re properly managing risk. Let a trusted third-party outsource or co-source your internal audit needs.
Why You Need to Consider An Internal Audit Now
In this time of constant change and business disruption, your internal audit is critical to managing business risk. Efficiency is no longer a goal; it is a necessity. Developing a strong, risk-based internal audit function will help you to monitor your business risks, governance processes and internal controls and reduce the fear of the unknown.
Formal, strategic internal audit functions will help your organization proactively manage risks, resolving the fear of the unknown and allowing you to identify strategic business opportunities.