Don’t rely solely on your external audits! Elements of a successful internal audit function.
Unfortunately, the finance departments of many companies mistakenly believe that an annual external audit is part of their internal control structure, something they can rely on to ensure their financial statements are accurate and their internal controls are sound. The objective of an external audit is to determine whether a company’s financial statements are fairly presented and free of material misstatement, and during the audit the external auditor does consider the internal controls relevant to the financial statements. However, most external audit opinions make it very clear that the audit is not being conducted “for the purpose of expressing an opinion on the effectiveness of the Company’s internal controls” (unless the Company is a US-listed entity subject to the provisions of Section 404 of the Sarbanes-Oxley Act of 2002, under which an opinion on the internal control structure is required). Most external auditors will report to the company, in the standard language of US GAAP or IFRS opinions, that it is management’s “responsibility … [for] designing, implementing and maintaining internal controls…”
Internal audit is defined as an independent appraisal function that helps entities by examining and evaluating the adequacy and effectiveness of a company’s system of internal controls. According to The Institute of Internal Auditors, “It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Having an internal audit function enables management to be more effective in meeting its business objectives and in fulfilling its obligations to shareholders. Many companies’ internal audit charters note that the internal audit department is to assist the company in managing risk and exposure which “may be in areas such as processing errors, inefficiencies, non-compliance with policy or legal requirements and fraud.” The internal audit function aims to assess the efficiency and effectiveness of operations, assist in ensuring the reliability of financial reporting, help ensure the safety of the company’s assets and help determine whether the company is compliant with applicable rules, laws and regulations.
An effective internal audit function can consist of a single individual, a dedicated team of professionals within an organisation or an outsourced function, or its responsibilities can be assigned on a part-time basis to individuals already within the organisation. The key to effective internal auditing is that the individuals performing the tasks have reporting relationships that keep them independent of, and objective towards, the departments or areas being tested. This means that the individual conducting any part of the internal audit has no responsibility for or authority over the areas or departments he/she audits. An internal audit function cannot be fully effective without this independence and objectivity, and reporting lines are typically to an audit committee or the board of directors.
In addition to independence and objectivity, a successful internal audit function will have the following characteristics:
- A clear and specific internal audit charter which defines roles and responsibilities
- Given specific authority by management and the board to effectively function
- Possess a professional audit staff (or secure comparable outsourced services) with sufficient experience, knowledge, skills and professional certifications to meet the needs of the internal audit function
- Performance of an annual risk assessment to determine the scope of the work and responsibilities of the function, which includes these activities:
  - Identifying key operating processes
  - Addressing risk factors and linking them to operating processes
  - Understanding the executive directors’ and management’s concerns over high-risk areas
- Preparation and performance of an annual plan as a result of the risk assessment
- Possess the ability to follow up on exceptions and direct remediation and appropriate follow-up responses
- Maintain a quality assurance program, including both internal and external assessments
- A successful internal audit function will have open access to management, the board and the external auditors.
The benefits of a successful internal audit function include the formal preparation of risk assessments annually, including the assessment of the risk of fraud, and the evaluation of the operating effectiveness of the controls in place. The identification of gaps between controls and risks and the development of additional administrative policies and control procedures help to ensure compliance with company policy as well as applicable external rules and regulations. When remediating control gaps, a successful internal audit function will make recommendations for changes that are cost-effective while mitigating risk and monitoring operational effectiveness.
While most large companies have a dedicated team to perform the internal audit function, small and medium-sized firms, which may not have the resources for a fully staffed internal audit function, can use outside consultants to assist with the function. Doing so saves on fixed costs and brings the independence and objectivity of a third-party service provider, as well as the experience, expertise and flexibility that an outsourced arrangement provides.
Whether you choose to source from within or engage a third-party service provider, an internal audit function can bring additional comfort to management, the board and a company’s other stakeholders. A successful internal audit function will improve an entity’s efficiency and the effectiveness of its risk management system and internal control structure, and will help to ensure regulatory compliance, reducing the risk of fraud and improving the controls over financial reporting and the safeguarding of assets.