What is Internal Audit?
An Internal Audit is a department or an organization of people within a company that is tasked with providing unbiased, independent reviews of systems, business organizations, and processes. The role of Internal Audit is to provide senior leaders and governing bodies of an organization an objective source of information regarding the organization’s risks, control environment, operational effectiveness, and compliance with applicable laws and regulations.
As Internal Audit reports to senior leadership, it is only appropriate that its activities are directed by the CEO or Board of Directors through its Audit Committee. Members of Internal Audit must be independent of internal politics and unbiased to provide leadership with an objective source of information. Under the direction of the Audit Committee, Internal Audit works with management to systematically review control activities over critical systems and processes.
The reviews performed by Internal Audit are often called internal audits. An internal audit may be used to assess an organization’s performance or the execution of a process against a number of standards, policies, metrics, or regulations. These audits may include examining a business’s internal controls around corporate governance, accounting, financial reporting, and IT general controls. Internal audits may also entail evaluating the effectiveness/efficiency of critical business operations such as supply chain management. Those individuals working in Internal Audit are called internal auditors. Internal auditors may cover all areas of an organization or specialize based on their skill-sets.
The aim of internal audits is to identify weaknesses within the organization’s processes and control the environment internally so that they can be fixed as quickly as possible to prevent harm to the organization or its stakeholders. Accordingly, the internal audit plan for an organization should be driven by a risk basis or, in other words, be designed to examine those areas that present the greatest risk to the company. The internal audit plan should also include a component of the strategic needs of an organization.
Internal vs External Audits: How are They Different?
There is a little bit of confusion about what the difference is between internal and external audits. From my experience, whenever the word “audit” is appended to a phrase or a subject, it instantly becomes boring. Try it sometime—it is great for killing small talk during the holidays.
Whenever an audit is mentioned, we, or at least most of us, switch into Charlie Brown school mode—our eyes glaze over and the speaker’s voice turns into a stream of mumbles. As a result, most people in any organization view them as synonyms for the same thing—audit. Despite this popular perception, internal and external audits are not the same thing.
I think the simplest way to explain the difference between internal and external audits is to compare the who, what, and why’s associated with the two types of audits. Some of the key differences are highlighted in the following table.
Who Performs the Audit?
- Internal Audits – Internal Auditors, typically employees of the company
- External Audits – External Auditors, typical members of a CPA firm
Who is the Audit Reported to?
- Internal Audits – Board of Directors, and members of management
- External Audits – Shareholders and members outside of the company
What Does the Audit Cover?
- Internal Audits – Internal Controls related to:
- Risk Management
- Process Improvement
- External Audits – Financial Reports, and Internal Controls related to Financial Reporting
Why is the Audit Performed?
- Internal Audits – To assess and improve the effectiveness of governance, risk management, and control over critical processes. To provide the board and management with information and assurance related to their duties.
- External Audits – To validate, or provide reasonable assurance, the material accuracy of financial reports from the organization to its stakeholders.
When are Results Reported by the Audit?
- Internal Audits – May report at any frequency designated by the Board
- External Audits – Annually
As you can see, there is a difference between an internal and external audit. Both are checking whether the organization is performing certain activities or controls correctly. However, internal audit results are reported in-house while the results from external audits are reported to individuals inside and outside of the organization. When the two cover the same scope, I like to say that an internal audit is a pre-test, and an external audit is the final. The organization can use the results from the internal audit to identify its weaknesses and work to correct or strengthen them in preparation for the external audit where the results will be shared publicly.
You will notice that the scope and objectives of the two types of audits also differ. Internal audits are typically smaller focused audits that (collectively over a year) will cover a broader range of scope. This allows the company’s Board and management to get more frequent/timely information that they may use to govern and improve the organization. In contrast, a business will typically have one big external financial audit each year. The objective of the external audit is to determine the accuracy of annual financial statements.
The last area of difference that I would like to highlight is in regards to the scope of responsibilities between internal and external auditors. Internal auditors function as a consultant who performs the assessment and then advises the organization’s management on how to address the risks identified. External auditors do not have any responsibility to the organization. External auditors’ only responsibility is to assess.
Why Do Organizations Have Internal Audit?
When the Sarbanes-Oxley Act of 2002 was passed, it made executives of publicly traded companies legally responsible for the accuracy of their financial statements and the internal controls over financial reporting. Internal Audit functions play a critical role in helping executives to reach their conclusions. Also, Internal Audit efforts to identify breakdowns in internal controls help safeguard against potential fraud, waste, or abuse, and ensure compliance with laws and regulations.
What Value does Internal Audit Provide to an Organization?
Technically, Internal Audit is a cost center in a company—it does not generate revenue. However, a good internal audit function can be profoundly important to the survival and prosperity of any organization.
Unlike external auditors, internal auditors look beyond financial statement reporting risk to consider broader issues such as the organization’s reputation, operational efficiency, strategic growth, its impact on the environment, and the way it treats its employees.
What are the Types of Internal Audits?
While a significant portion of the internal audit covers internal controls over financial reporting within the organization as they pertain to generally accepted accounting procedures (GAAP) impacting their financial statements. Many organizations also recognize the need for other types of assessments or audits outside of accounting or finance. Some of these key areas include compliance (i.e., regulatory), environmental, information technology, operational, and performance audits.
- Compliance Audits evaluate compliance with applicable laws, regulations, policies, and procedures. Some of these regulations may have a significant impact on the company’s financial well-being. Failure to comply with some laws, such as the Foreign Corrupt Practices Act (FCPA) or General Data Protection Regulation (GDPR), may result in millions of dollars in fines or preclude a company from doing business in certain jurisdictions. Here is a link to a beginner’s guide to GDPR.
- Environmental Audits assess the impact of a company’s operations on the environment. They may also assess the company’s compliance with environmental laws and regulations.
- Information Technology Audits may evaluate information systems and the underlying infrastructure to ensure the accuracy of their processing, security, and confidential customer information or intellectual property. They will typically include the assessment of general IT controls related to logical access, change management, system operations, and backup and recovery.
- Operational Audits assess the organization’s control mechanisms for their overall efficiency and reliability.
- Performance Audits evaluate whether the organization is meeting the metrics set by management in order to achieve the goals and objectives set forth by the Board of Directors.
What is the Internal Audit Procedure / Process?
An internal audit should have four general phases of activities—Planning, Fieldwork, Reporting, and Follow-up. The following provides a brief synopsis of each phase.
- Planning – During the planning process, the internal audit team will define the scope and objectives, review guidance relevant to the audit (e.g., laws, regulations, industry standards, company policies, and procedures, etc.), review the results from previous audits, set a timeline and budget for the audit, create an audit plan to be executed, identify the process owners to involve, and schedule a kick-off meeting to commence the audit.
- Fieldwork – Fieldwork is the actual act of auditing. Throughout this phase, the audit team will execute the audit plan. This usually includes interviewing key personnel to confirm an understanding of the process and controls, reviewing relevant documents and artifacts for example execution of the controls, testing the controls for a sample over a period of time, documenting the work performed, and identifying exceptions and recommendations.
- Reporting – As you might guess, an internal audit will draft the audit report during the reporting phase. The report should be written clearly and succinctly to avoid misinterpretation and to encourage the intended audience to actually read and understand the report. Findings should be accompanied by recommendations that are actionable and lead directly to process improvements. The process of issuing an internal audit report should include drafting the report, reviewing the draft with management to ensure the accuracy of findings, and issuance and distributing the final report.
- Follow-up – The final stage is an important one that is often overlooked and neglected. Following up is critical to ensure that the recommendations have been implemented to address the findings identified. This process should include appropriate follow-up with process owners needing to implement the recommendations as well as Board oversight of the company’s overall status in addressing findings identified by internal audit. If an organization fails to follow up on the implementation of recommendations, it is unlikely that the changes will be made.
What are Common Pitfalls that can Derail an Internal Audit?
An internal audit can be extremely useful to help streamline processes, find gaps, and identify fraud. However, my experience as an auditor has taught me to recognize the red flags that can quickly derail the process.
- Scope creep: Proper planning and definition of scope are key to a successful internal audit. With complex systems and workflows, it is easy for the scope to expand rapidly. Be sure to proactively plan for when an issue occurs that may affect the scope, so that the team can respond quickly and efficiently (e.g. do you ignore the issue, add to it, put it off until later). When the scope starts to expand, be sure to pump the brakes and reassess; nothing is worse than allowing the scope to increase and later realizing that you are one step away from basically auditing the entire organization and all the processes.
- Not talking to all clients/stakeholders: Be sure to involve your client and stakeholders early and often. I recommend going deeper than managers or team leads; talk with the staff, engineers, etc. Many times, the “people in the trenches” may be following a completely different process than what is documented or understood by management.
- Not reviewing the data: When data is needed, it’s typical to ask the team you are auditing to provide it, but how do you know that the data is accurate? Was the data modified, trimmed, or altered in any way? If possible, sit with the DBA or data provider to understand how the data is being generated. Always ask questions and try to get data that has been generated directly from the system, along with the queries or constraints used to generate it.
- Objectivity and Independence: This is especially difficult in a smaller organization. In a larger organization, internal auditors report to a board of directors or an audit committee, but in smaller companies, an internal auditor may be reporting to the same person or group they are auditing. The key is to stay objective, independent, and have a forward-looking mindset. Remember that an internal auditor is trying to help and should be allowed to do so even if the results are hard to hear.
What are the Professional Standards in an Internal Audit?
The Institute of Internal Auditors (IIA) has set the internationally recognized framework for internal auditing. It is called the International Professional Practices Framework (IPPF). The IPPF provides “mandatory” and “strongly recommended” guidance. These are standards that apply are applied by over 160,000 internal auditors who are working globally within the framework.