In this time of economic and organizational disruption, the impact of an internal control or shortcut of processes can be quite significant. But how do you monitor your organizational processes and internal controls in order to be both effective and efficient?
Organizations that strategically evaluate and manage risk as part of their business operations lower their level of risk and create opportunities for valuable business planning. Your internal audit function can be the best resource for monitoring whether your controls are in place and functioning as intended.
What is an Internal Audit?
The definition of an internal audit is an independent, objective review and evaluation of an organization’s internal controls, corporate governance and accounting processes and procedures. Internal audits exist to reduce and mitigate risk and improve operational performance and controls.
There are many ways that an organization can effectively utilize internal audit resources, including:
- Operational efficiency reviews
- Due diligence for new acquisitions and impact on controls
- Monitor the myriad of compliance requirements
- Review and test new IT systems during implementation and before going “live”
- Investigation of employee fraud
- Monitor and report on ongoing important projects and their impact on internal controls
- Advise on streamlining control processes
Protect your organization from potential risk and improve organizational controls.
How can Internal Audit Add Value to Your Business?
The benefits of a strong internal audit function go well beyond mitigating breakdowns in controls that may have significant financial and operational impacts on your organization:
Trained Resources: An inherent byproduct of internal audit’s role is the establishment of a team with a thorough understanding of the company and its operations. Internal audit staff often include specialists that possess technical understanding of operational areas (for instance, revenue processes and other unique industry issues, such as physician relationships, regulatory compliance and information technology), in addition to the general financial or operational audit staff.
Leverage with Other Functions: Internal audit can play a significant role in efforts to implement Enterprise Risk Management (ERM) and to comply with ORSA regulation. While the scope of these functions is broader than internal audit, leveraging the risk assessment and work performed by an internal audit is directly relevant to the ERM program. Additionally, as it is with other company functions and operations, internal audit should review, test and report on the effectiveness of the ERM function, providing independent confirmation to the board.
New Initiative and Project Consultation:Internal audit can also play a more consultative role within an organization. To compete, companies often undergo restructuring, expand into new lines of business or new geographic areas, add new IT systems and tools, or acquire or merge with other companies. As auditors of the organization, internal audit has the training necessary to perform and report on these activities while maintaining independence from operations.
Examples of how internal audit can effectively assist management and the board include:
- Monitoring through the use of sophisticated data analytics and other technology-related tools
- Reporting on ongoing important projects in the company and their impact on internal controls
- Advising on streamlining control processes to focus on key control processes
- Conducting pre- and post-implementation testing for new IT systems
- Performing reviews of acquisitions considering process integration opportunities
- Conducting investigations for suspected fraudulent activity
Board Governance: An effective internal audit function is an important aspect of good governance. It can assist the board in monitoring and managing key risks and their related controls, providing an important aspect of an effective risk management control framework. In addition, internal audit can serve as a platform that provides board governance education.
Entity Monitoring and Mitigation Strategies of Industry Risks and Trends: Monitoring industry trends and assessing how the enterprise addresses risk is a core competency of internal audit. In addition, internal audits can be a great source of talent when in search of operational/financial resources. In fact, it is not uncommon for companies to use their internal audit as a training ground for financial and operational personnel, and, at times, require personnel to serve a rotational period in internal audit to broaden knowledge and obtain a more thorough understanding of overall business objectives.
Is your internal audit function delivering enough value?
How do you Create an Internal Audit Plan?
When it comes to a plan for your internal audit, one size does not fit all. Because you have different needs, policies, procedures, staffing, risks, risk appetites and other variables, your internal audit function should be as unique as your company, institution or organization. In addition, your employees’ time is becoming more and more valuable, so your internal audit function should strive for more efficiency than ever before. A risk-based internal audit plan can give you both a unique and tailored approach to your internal audit function and increased efficiency.
Determine Your Risk Scores
A risk-based approach begins with the preparation of an annual risk assessment and internal audit plan. Through inquiries and observations, you assess risk across the general areas of the company or organization.
The goal of the risk assessment process is to assign a “risk score” to each general area, which is the basis for your annual internal audit plan. Areas that score higher in risk are tested more frequently by internal audit—perhaps on an annual basis. Those areas assigned lower risk scores are tested by internal audit less frequently, and may only be included in your internal audit plan on a tri-annual basis.
Tailor Your Approach
When you have your risk-based internal audit plan for the year defined, the internal auditor will then carry out the audits of the general areas of the institution according to the plan. It is important to incorporate a risk-based element when determining the internal audit procedures that you will complete for a given area.
High-risk areas require more controls and more internal audit testing to verify the controls exist and are operating effectively. Low-risk areas do not have as many internal controls in place; as a result, internal audit testing could be kept at a higher level. Audit programs should be tailored to your organization based on the area’s existing controls, the effectiveness of those controls and previous recommendations related to the particular area.
Once an audit of a given area is completed, a report should be submitted directly to the audit committee, board of directors or supervisory committee detailing the findings, recommendations or observations. You can also incorporate a risk-based element into this reporting process. You can choose not to include all technical or isolated exceptions in your reports and report specific exceptions only to management. Try not to place too much emphasis on specific findings and exceptions in these written reports, however. Instead, address questions such as “What caused this exception?” Or, “What process needs to be enhanced so that this does not happen again?” This manner of reporting helps to ensure that the audit committee, board of directors or supervisory committee understands the process improvements and the value that an internal audit department brings to the organization. Often, it is helpful to stratify recommendations based upon level of risk determined in order to better prioritize them for management action plans, as well as identify if the recommendation is more control based and/or operational in nature.
How do you Ensure the Quality of Your Internal Audit?
The primary tool for evaluating internal audit activity and whether or not it conforms with the standards is through a Quality Assurance and Improvement Program.
A Quality Assurance and Improvement Program is an ongoing program intended to increase the quality and value of internal audit services. It assesses the efficiency and effectiveness of the internal audit activity. The program will evaluate conformance with relevant policies, procedures, standards, core values and a code of ethics.
Who should Perform an Internal Audit?
A strong internal audit department can take one of many forms, depending on your size, shape, and available resources:
- Outsourced: The entire internal audit cycle is outsourced to a third party. You’ll have access to industry expertise and best practices, variable costs replace fixed staffing costs, and independence is better enabled. Current personnel’s time can then be allocated to core functions where they can provide more value.
- Co-sourced: A third party works with your internal audit personnel to provide additional hours or special expertise as needed. Your organization will still have access to best practices as well as access to industry or technical expertise.
- Internal: Your internal audit personnel complete all internal audit functions.
So, how do you know which one to choose?
Budgeting and staffing for internal audit is a common struggle. This is especially true for small to medium-sized organizations. A complication to funding internal audit is determining what type of staffing model is needed. This model can be determined by answering these questions:
- Why is internal audit important to our organization?
- What should internal audit be responsible for?
- What value can management realize from internal audit beyond conducting planned audits and core oversight responsibilities?
- What type of budget can we allocate to this function? (Or, consider the risks you are up against and what the cost could be if you do not implement internal audit.)
- What type of training/experience should our internal audit practitioners possess? (e.g., accounting, finance, IT, operational areas, etc.)
In a time of uncertainty, you’ll want to make sure you’re properly managing risk. Let a trusted third-party outsource or co-source your internal audit needs.
Why You Need to Consider An Internal Audit Now
In this time of constant change and business disruption, your internal audit is critical to managing business risk. Efficiency is no longer a goal; it is a necessity. Developing a strong, risk-based internal audit function will help you to monitor your business risks, governance processes and internal controls and reduce the fear of the unknown.
Formal, strategic internal audit functions will help your organization proactively manage risks, resolving the fear of the unknown and allowing you to identify strategic business opportunities.