The internal audit function is crucial to a company’s growth. Objectively evaluating risks, analyzing and assessing processes and systems for efficiencies, doing spot-checks for as-yet-unknown issues, and keeping departments aligned and meeting business objectives are all important ways that auditors can bring value.
Internal auditing examines and assesses company records, workflows, systems, and processes. Internal auditors analyze company records and financial documents. Through the internal audit function, teams will identify issues like compliance concerns, complete risk assessments, investigate internal or external fraud, and sometimes identify data inaccuracies in financial reporting. The audit team’s ultimate goal is to be a highly valued business partner to other segments of the organization.
Internal auditors use their unique skill sets and knowledge of industry requirements and regulations, internal company policies, and standard procedures to execute various audits and reviews as well as to identify potential issues, potential instances of noncompliance, or other areas of risk to the business. An internal auditor’s role usually includes reviewing processes and procedures, examining financial records, assessing compliance with applicable laws and regulations, evaluating risks and developing recommendations to improve risk management, and investigating fraud. It is also critical for internal audit to effectively communicate results — being a strong and effective interviewer and communicator is key in the information-gathering phase, as well as the next steps of putting that information together and effectively messaging it out to relevant management teams in a clear and concise manner. Those skills may well be one of the most important aspects of any auditor’s role.
Here, we’ll take you through the fundamentals of the internal auditing function, types of audits, best practices for the auditing process, and what must-have items should be included in internal audit reports. Read on for everything you need to know about internal auditing.
What Is Internal Auditing?
Internal auditing is the independent and objective-focused consulting activity that occurs within an organization’s 3rd line. At the core, an internal audit is an unbiased review of a company’s internal systems, processes, and procedures. The goal of an internal audit is to provide independent assurance over a company’s operations. Internal audits help teams to accomplish their goals by bringing a disciplined approach and objective perspective to the effectiveness of internal controls, risk management, and adherence to and alignment with company goals and objectives. Some areas that internal audit might focus on include operational risks, environmental compliance, procedural efficiency, effectiveness of systems, fraud management, health and safety compliance, and regulatory compliance.
The Importance of Internal Audits
Internal audits are mission-critical and should not be overlooked. Internal auditors work in many different industries, including health care, technology, education, and government. All fields benefit from the existence of internal audit teams who regularly examine business operations to improve the effectiveness of risk and controls, uncover potential issues, and/or identify new opportunities for efficiencies and improvements. Based on an effective risk assessment process and approved audit plan, organizations ought to consider internal audits as a normal, ongoing component of business. Whether looking broadly and functioning as an overall assessment or covering just one area of a company, the main goal of internal audits is to provide independent assurance over the effectiveness of the organization’s risk, controls, and business operations.
Difference Between Internal and External Audits
While internal and external audits have similar objectives — analyzing an aspect of an organization to determine an opinion — there are very distinguishable differences between the two types of audits.
With internal audit activity, the internal audit team (internal, co-sourced, or out-sourced) performs audits on behalf of the organization to add value and improve an organization’s operations. The internal audit team is led by the Chief Audit Executive (“head of audit”) who often reports administratively to management (usually the CFO) while retaining their independence by reporting directly to the organization’s Audit Committee of the Board of Directors. Internal auditors follow the requirements set forth by The Institute of Internal Auditors, and often hold the designation of Certified Internal Auditor or Certified Information Security Auditor from ISACA.
In an external audit, the company engages an outside audit firm to perform an outside audit of their financial reporting and express an opinion on the results of the audit. External audit team members are assigned to various clients, and are referred to by the client as their external auditors. There also may be staff requirements for external audits, such as being a Certified Public Accountant (CPA). Internal audit results will be used by the management team to improve operations, processes, or more, while external audit results are used by outside investors.
What Types of Internal Audits Are There?
While a majority of audits tend to cover the effectiveness of risks and internal controls, the internal audit function also performs reviews of key areas including compliance, environmental, security and technology, performance, financial, operational audits, and special projects and investigations at the request of management. Audit services may also address the safety and security of team members.
Compliance Audit
Compliance audits assess compliance with relevant laws and regulatory policies and procedures. Depending upon an organization’s business sector, failure to comply with these laws may result in fines or lawsuits, which can have a big impact on an organization’s finances. (Examples of regulations to keep track of for today’s businesses include the United States’ Foreign Corrupt Practices Act and Europe’s General Data Protection Regulation requirements.) A compliance audit may assess control processes and overall control environment tools and their effectiveness.
Environmental Audit
These audits assess the impact of a company’s actions and operations on the environment, and may also assess an organization’s compliance levels with relevant environmental laws and regulatory requirements. With more boards, individual investors, and consumers focusing on the ESG (environmental, social, and governance) characteristics of a company, this should be a high-priority area for an organization’s internal audit team.
Security and Technology Audit
Security and technology audits evaluate an organization’s information technology systems and the underlying infrastructure to assess the accuracy and/or security of data and information or intellectual property. They often include the evaluation of IT controls as well as a review of change management and system backups and recovery processes.
Performance Audit
These audits evaluate if a company is meeting the internal targets and able to hit key performance indicators and other goals set by management teams. If teams are not meeting goals, performance audits can potentially uncover underlying issues that are increasing costs or pulling focus and acting as blockers for the team.
Financial Audit
These audits may be performed to confirm or recalculate internal financial reporting as it pertains to the overall business, budgets, assets, or special projects. They also may take place to check on the accuracy of billing, expenses, or company reimbursements.
Operational Audit
Operational audits assess a company’s control mechanisms and their overall effectiveness, efficiency, and reliability.
Special Projects and Investigations
Special Projects and Investigations are “special purpose” audits and reviews performed at the request of management, and frequently involve fraud and forensic investigations.
What Are the Steps in the Internal Audit Process?
Internal auditors are guided by the internal audit charter that defines their purpose, authority, responsibility, and position within an organization. Internal auditors follow the standards set forth by The International Professional Practices Framework (IPPF) supported by The Institute of Internal Auditors (IIA).
The internal audit function will conduct a risk assessment to identify and prioritize potential high-risk areas, focusing on the most important auditable activities. The risk assessment is used to develop an audit plan, which is a listing of audits to be performed. When an audit is performed, the audit team will scope the audit and perform fieldwork, which involves generating an understanding of the current processes and associated risks to determine the objectives for the audit steps to be performed. After all of these efforts, teams create an official audit report to share with line management, senior management, and the audit committee. Lastly, all audit recommendations and management corrective action plans are followed up on to provide assurance that plans are implemented. When developing a system for your team or project, it may be helpful to look outside of your organization and learn from those who have undergone similar activities and efforts.
1. Building the Internal Audit Team
Start with building the internal audit team. Candidates for an internal audit team should have strong analytical and critical thinking skills and also be good communicators when it comes to both receiving and sharing information. Auditors should be fair, objective, discreet, strong collaborators, ethical, analytical, and great at synthesis and communication. Attention to detail is important, as auditors spend much of their time drilling down into complex data. They need to be able to identify issues that most people would overlook. Internal auditing is also a good career path for individuals that are highly self-motivated, as even when auditors are on project teams they frequently do most of their work alone.
2. Risk Assessment and Audit Planning
Internal auditors begin by performing a risk assessment (at least annually) which is the process of identifying your audit universe; ranking or scoring the audit universe on various risk factors; and choosing which audit areas to include in the audit plan. This sets out all of the audit requirements, objectives, and schedule, and assigns roles and responsibilities among team members. There is typically a kick-off meeting that launches the audit and then multiple communication check-points throughout the process.
3. Audit Scoping and Fieldwork
The scoping process assists in establishing expectations between the internal audit team and the Auditee regarding the purpose of the audit and the scope of the review. Auditors may begin with indirect assessment techniques, such as reviewing team manuals, policies, and other existing documentation. Fieldwork may also include transaction testing, observations, or various types of analysis. Some analyses may be targeted and others may be randomized in order to test various controls and systems.
During the course of a project new information might be uncovered that requires the original scope or planning of the audit to be adjusted to accommodate the learnings. In this phase, auditors should keenly pay attention to glean information that may inform their results or adjust the direction of the audit. Listening for what is truly being said — and in some cases listening for what is not being said and then delving into those areas — is a must for auditors doing fieldwork. Based on the work performed, internal audit may uncover issues, or audit findings. After confirmation, the internal audit team will share these findings with the auditee along with recommendations and work to define a road to remediation. These findings are ultimately included in the audit report.
4. Reporting Findings
The major deliverable for the internal audit team is a formal report, which may be preceded by a preliminary, interim report. An interim report might include sensitive or timely data that the team thinks senior management needs to be aware of right away. Sometimes audit teams provide a draft copy of the final report to the leadership team so that they can provide additional feedback or relevant commentary on the findings that can be added to the final report. Then, the final report will include a summary of the procedures and techniques used in the audit, a description of the findings, and suggestions for improvements. This final report will often include next steps that include recommended changes and monitoring processes and may be presented in this format — or an abbreviated one — to the audit committee of the board of directors.
5. Follow-Up
After a set amount of time, internal audit typically follows up to make sure the recommendations made in response to the audit findings were enacted and the findings remediated.
What Are the Five C’s of Internal Audit?
Audit team reports frequently adhere to the rule of the “Five C’s” of data sharing and communication, and a thorough summary in a report will include each of these elements. The “Five C’s” are criteria, condition, cause, consequence, and corrective action. Here are the details on each of these items and what a team’s auditing report should make sure to include.
Criteria
Share what issues were identified and why the audit was requested. Are any other related internal or external audits expected? Who requested this audit, and why? Did the initiative come from the internal audit department, or elsewhere?
Condition
Share how the issue investigated relates to a company goal or expectation. Is there a policy broken? A goal unmet? Is safeguarding required? Or, is the team investigating a possible issue or anomaly?
Cause
Why did the issue come to the fore? Was something flagged due to internal audit reports? Who raised it, what processes were broken, and how might things have been handled differently in order to avoid the issue?
Consequence
What outcomes emerged from the issue? Do new governance processes need to be implemented? Are there any issues related to company finance? Are there any external and/or regulatory consequences? In what way should the board of directors be informed? What are the ultimate financial implications related to this issue?
Corrective Action
What actions can the company take to fix the problem? What follow-up and next steps exist for management to resolve the issue, and what internal monitoring will take place going forward to ensure that it doesn’t happen again? What are the next steps for corporate governance? What solutions have been put in place?
Examples of Audit Findings
During the internal audit process, some common issues are often uncovered. Examples of internal audit findings include the following frequent observations:
Segregation of Duties
Tasks and process flows must have proper checks and balances. For example, if someone is responsible for collecting payments they should not also be responsible for creating the deposit and reconciling the books and source documents.
Lack of Detailed Policy and Procedures
Departmental business transactions and related internal controls within an organization’s operations should be clearly documented, periodically reviewed, and updated. Company policies and procedures should be written down and documented so that they can be referenced and revised as needed.
Lack of Formal Approvals
Evidence should be captured and maintained to document independent approvals, reconciliations, departmental financial statements, and more. The individuals that are responsible for approvals should be captured, and access controls should be matched against the appropriate roles.
Absence of Supporting Documentation
Transactions should be appropriately supported by relevant documentation. When it comes to purchases, there should be backup materials regarding requisitioning, competitive bidding and proposals, purchase orders, invoices, and approvals.
Common Factors That May Hinder Internal Audits
Internal auditors are used to identifying and managing risk for the organization, but they are not immune to risks themselves. Common risk factors that may impact their own work include talent shortages, remote work, internal relationship issues, evolving skill needs, and tech tool gaps.
Talent Shortages
Attracting and retaining internal audit staff has become an ongoing issue at many organizations. Hiring budgets have grown in some cases, but filling open positions continues to be difficult. Companies need to bring in top talent with flexibility and a willingness to fulfill the requirements of today’s evolving workforce. Flexibility on workday locations and start and stop times is key. Strict rules about facetime and office hours are becoming obsolete and are a barrier to bringing in talented team members. Instead, emphasize individual growth and learning and a commitment to work-life balance.
Remote Work
The remote workforce of today’s operations has made internal auditing efforts more complex than ever before. Fieldwork that once may have required a few localized on-site visits might now require traveling to multiple locations to gather information via interviews and assessments. On the plus side, if a team is comfortable with remote information gathering, video conferencing interviews and the digital team documentation that the remote workforce requires can streamline data gathering and lower both the time the team spends and the costs the organization incurs to support the audit.
Relationship Barriers
Remote workforces have also created some relationship barriers amongst working teams. Without water cooler moments, teams may have less natural and trusted relationships to lean on with their coworkers, complicating some internal audit conversations and investigations. Fewer touchpoints between auditing departments and internal stakeholders may require greater efforts to maintain ties.
Evolving Skill Needs
While critical thinking has always been key to being a successful auditor, there are also broader skills needed — and that list is growing rapidly. Current needs include risk assessment capabilities, cybersecurity, data mining, and analytics expertise. Today’s teams also need to stay current with regard to new cyber threats and new technologies.
Technology Solution Gaps
Teams must ensure that they have the right technology tools to do their work. Purpose-built audit management software will centralize and streamline audit management, improve communication and collaboration between teams, and maximize an organization’s efficiency. Teams need to work hard to stay on top of fast-paced technological changes — integrating new tools and systems is important, along with training teams on how to take advantage of the new tech.
Manage the Internal Audit Process With AuditBoard
The importance of a strong internal audit team and process cannot be overstated. Teams should be working actively to minimize risk, which means conducting consistent audits and reviews and sharing results with senior management and audit committee in a clear and timely fashion. AuditBoard can help with this process, whether your team is just starting out or refining their processes and capabilities. Get started with AuditBoard’s internal audit management software today!
Scott Madenburg, CIA, CISA, CRMA, is Market Advisor, SOX & Internal Audit at AuditBoard. Prior to AuditBoard, Scott was Head of Audit at Mobilitie LLC, with nearly two decades experience in operational, IT, and financial auditing, as well as SOX compliance.