Do You Need an Internal Audit?
What it is and what it can do for your business
You have worked hard to develop your business, and your efforts have paid off! Now you have a thriving business. You employ lots of employees, have a wider geographical reach, and have built relationships with lots of vendors. You have always been involved in every aspect of your business, but now it is too big for you to be directly involved with every part of the operations. Do you find yourself asking these types of questions?
- Have we identified all our significant business risks and are we protected?
- Are there inefficiencies in some of our processes?
- Do we have any fraud exposures and are we mitigating them? The 2016 Global Fraud Study reported that the typical organization loses 5% of revenues in a given year as a result of fraud
If any of the above or similar thoughts have been weighing on you, having an internal audit might give you peace of mind. So, what is involved with having an internal audit?
The internal audit process is not a cookie-cutter, one size fits all process. The process can be tailored to the specific needs of the organization. With that said, it would generally include some basic steps that will be discussed below.
Step 1: Identify the risks
The first step is to identify the key risks that are inherent to the organization and could prevent it from achieving its goals. This phase identifies “what can go wrong?” And if they do go wrong, would it have a high, moderate, or low negative impact? This phase is accomplished with the involvement of the key people in the organization who are knowledgeable about its various processes. The company’s management is usually aware of the various risks, but there could be important risks that are being overlooked.
Step 2: Identify the controls
The second step involves identifying what controls were implemented to mitigate the various risks faced by the organization. This exercise is intended to highlight if there are gaps (risks where no mitigating controls have been implemented). A side benefit is the identification of redundancies — risks where there are too many controls implemented, usually resulting in the cost of the controls outweighing the expected benefits. A comparison of the inherent risks and the controls in place results in the residual or net risk.
Step 3: Plan the audit
The internal auditor determines what areas will be included in the audit testing. Audit coverage is usually focused on the higher risk areas and the related key controls in those areas. If the internal audit is conducted in an advisory capacity for management, the nature and scope of the testing are subject to agreement with management. Additionally, in this phase, various administrative tasks are performed, such as identifying and scheduling the internal audit resources that have the requisite knowledge to perform the testing.
Step 4: Perform audit testing
The internal audit function can serve as the eyes and ears of management. They can serve in an advisory capacity to management by performing testing to determine if the controls that were implemented are actually in place and working as intended. The methods used by the internal auditors to obtain evidence to support their conclusions are: inquiry, observations, inspections of records, and reperformance. Inquiry is the weakest form of audit evidence while inspection of records and reperformance are considered the strongest.
Step 5: Report audit results
In this step, the results of the audit testing are summarized. The internal auditor determines if the exceptions represent a trend or are isolated cases. Exceptions that are pervasive (represent a pattern or trend) are then communicated to management.
Step 6: Follow up on remediation efforts
Remediation is management’s responsibility. Internal audit usually comes in after corrective actions have been implemented and performs testing to verify that remediation efforts are successful in addressing the issues that were identified. Since remediation efforts can be like a New Year’s resolution that is practiced for one or two months and then forgotten for the rest of the year, internal audit usually lets the newly implemented control mature before performing follow-up testing.
If you would like more information about how internal audit can help your company or would like a brief demonstration to experience how we operate, please contact us for a free consultation at 925.271.8700 or at firstname.lastname@example.org.