Achieving Objectives Through Internal Audit
August 7, 2009
Jared Lauber, Senior Manager – Risk Management
Depending on your background and experience, the term Internal Audit may conjure up thoughts of pouring over financial statements or anxiously awaiting a visit from the IRS. You’re not alone if you aren’t completely clear on what the term means. Internal Audit covers a fairly wide range of activities. And, once you understand what it is, you’ll need to know when your company or organization needs Internal Audit and how to get it started.
What Is Internal Audit?
Internal Audit helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance within the organization.
Okay, but what does that really mean?
Simply put, companies create Internal Audit departments to conduct independent, objective audits of the company’s operations, focusing on internal control design, efficiency, and operating effectiveness. By looking at the company at multiple levels, Internal Audit strives to answer two questions: 1) what processes are key to meet the company’s objectives, and 2) are those processes operating as expected and can they be improved?
Internal Audit affects a company on two distinct levels: the enterprise level and the process level. At the enterprise level, Internal Audit provides a framework to assess risk and controls across the entire company. The assessment includes all processes and is used to help management understand risks and prioritize resources. At the process level, Internal Audit provides insight into the control effectiveness of one or more specific processes.
The practice of Internal Auditing is guided by the Institute of Internal Auditors (the IIA). The IIA is a nonprofit organization established in 1941 that maintains the International Standards for the Professional Practice of Internal Auditing and the profession’s Code of Ethics. IIA members are required to adhere to these guidelines, which establish baseline requirements for providing high-quality, high-impact audit work.
How Does Internal Audit Differ from Other Audit Services?
Internal Audit is different from other audit services, such as a financial statement audit or an audit to determine compliance with the Sarbanes-Oxley Act of 2002 (SOX). One important difference is that Internal Audit assesses the effectiveness and efficiency for the entire scope of internal controls within a company: financial, operational, compliance, and information technology.
The primary purpose of a financial statement audit is to attest to the accuracy of financial information presented by management. It’s conducted by an independent third-party that reports directly to the audit committee. Similarly, a SOX audit is directly related to the financial statement audit, but focuses primarily on the financial controls framework. Though these two audit services are valuable, they focus solely on the financial statement assertions or on the financial controls of the company and do not focus on the company’s operational efficiency and effectiveness as does Internal Audit. Internal Audit addresses the entire scope of internal controls within a company: financial, operational, compliance, and information technology.
For example, a financial statement audit of accounts payable provides assurance that the reporting of obligations to vendors is complete and accurate; a SOX review of the accounts payable provides assurance that the financial controls are properly designed and are functioning as documented. Internal Audit provides an assessment on all the accounts payable controls collectively to reveal that a company can save money through vendor consolidation, identify improvements to contract terms and conditions, or streamline the vendor sourcing process. The financial statement and SOX auditors are concerned that financial results are properly reported and may or may not discover if a company overpays for services or merchandise.
When to Start Internal Audit
Though all companies can benefit from Internal Audit, only certain companies are required to have an internal audit function. Several factors go into determining when a company will begin Internal Audit. Companies in highly regulated industries—such as financial institutions—are required to have an Internal Audit department, regardless of the company’s asset size. The New York Stock Exchange requires its listed companies to have an Internal Audit function, but public companies listed on other exchanges (for example, NASDAQ) are not subject to this requirement.
Typically, small public companies in less regulated sectors—such as technology or consumer goods—begin to consider an Internal Audit department when revenues reach around $100 million. Because it’s not required, private companies typically don’t begin Internal Audit activity until revenues are much larger (over $500 million). The drive to initiate Internal Audit may come from management or the board and is traditionally tied to a company’s risk profile and the need for continuous improvement.
A Roadmap to Success
Regardless of a company’s size and industry, barriers to starting Internal Audit typically include the cost of undertaking such activity, finding the right team with the necessary skills, concern with setting the right tone within the company, and addressing management’s expectations. Creating a new department whose purpose is to, in effect, evaluate the management team requires a delicate and deliberate process. There are six steps to setting up an Internal Audit department.
Step One: Communicate expectations and establish consensus. Interview management and the audit committee chairman to build rapport and ensure management has a clear picture of the Internal Audit function. Clarify expectations of all involved parties and advise them as to whether their expectations can be reasonably met by Internal Audit. A key to success is direct management support and realistic short- and long-term goals. Goals typically include the number and size of audit engagements, the types of audits to be completed, department training, and receiving positive audit feedback from management. The goals should be documented and approved by the audit committee.
Step Two: Perform benchmarking based on company industry and size. A powerful resource is the IIA’s GAIN survey. It provides comprehensive peer information regarding an Internal Audit department’s size, audit scope, and skill set.
Step Three: Create the Internal Audit charter. The charter establishes the department’s authority, independence from management, reporting structure, and access to company records and information. It serves as a building block to establishing the department’s vision. It should be developed with management and approved by the audit committee.
Step Four: Create the Internal Audit execution methodology. The audit methodology should address project milestones, deliverables, communication protocols, report formats, work paper preparation, and follow-up procedures. The methodology promotes effective communication with management, process owners, and within the Internal Audit team; it provides users of Internal Audit information assurance that quality standards are met.
Step Five: Perform a comprehensive risk assessment. A risk assessment using a standard methodology to evaluate and prioritize a company’s risk factors is critical. The annual audit plan will be developed based on the results of the risk assessment. What an Internal Audit team can accomplish will depend on the risks identified, Internal Audit’s resources, and staff size. The plan should focus on the company’s critical areas.
Step Six: Evaluate required expertise. Because the scope of Internal Audit work spans a wide range of topics from financial reporting and compliance to information technology matters, the department’s skill set must also be diverse. In a small Internal Audit department (consisting of five or fewer auditors) it may be difficult to manage the entire scope of work internally. The creation of comprehensive training and development plans promote effective audit execution to help ensure the department’s success.
A Valuable Asset
The importance of Internal Audit is sometimes difficult to explain and is often underestimated. Starting an Internal Audit department and getting it up and running can be a daunting task for any size company, public or private. It’s a process that can take time and encompass many milestones. If designed properly, an Internal Audit department will help a company achieve its objectives, whatever they may be.
Download Achieving Objectives Through Internal Audit – August 7, 2009 Article