What is an Internal Audit?

Internal audits play a critical role in a company’s operations and corporate governance, especially now that the Sarbanes-Oxley Act of 2002 (SOX) holds managers legally responsible for the accuracy of their company's financial statements. SOX also required that a company's internal controls be documented and reviewed as part of their external audit. Internal controls are processes and procedures implemented by a company to ensure the integrity of its financial and accounting information, promote accountability, and help prevent fraud. Examples of internal controls are segregation of duties, authorization, documentation requirements, and written processes and procedures. Internal audits seek to identify any shortcomings in a company's internal controls.

In addition to ensuring a company is complying with laws and regulations, internal audits also provide a degree of risk management and safeguard against potential fraud, waste, or abuse. The results of internal audits provide management with suggestions for improvements to current processes not functioning as intended, which may include information technology systems as well as supply-chain management. Cybersecurity is becoming increasingly important as companies need to protect their confidential electronic information from outside attacks.

Internal audits may take place on a daily, weekly, monthly, or annual basis. Some departments may be audited more frequently than others. For example, a manufacturing process may be audited on a daily basis for quality control, while the human resources department might only be audited once a year. Audits may be scheduled, to give managers time to gather and prepare the required documents and information, or they may be a surprise, especially if unethical or illegal activity is suspected.

What are the Objectives of Internal Audit?

Some of the objectives of internal audit are:

1. Proper Control: To keep proper control over the organisation is one of the main objectives of internal audit. The authenticity of the financial records and the efficiency of the firm have to be maintained and the management needs proper assurance. The internal audit helps to establish both.
2. Perfect Accounting System: The accounting system of the organisation is thoroughly checked by an internal audit. From vouchers to the authority of transactions to accuracy in mathematics all serve the purpose of internal audit. All entries are verified so that chance of mistakes or frauds can be reduced.
3. Review of Business: The financial and operational aspects of a business is to be checked by the internal audit. Internal audit process checks out the mistakes, strengths and weaknesses in the business. 
4. Asset Protection: Internal audit process performs the valuation and verification of an asset. In case of any special transactions like purchase, sale or revaluation of asset, the authorization is audited particularly by internal audit. 
5. Keeps a Check on Errors: There will be mistakes in financial records and is checked at the end of a financial year. But with internal audit, the mistakes are spotted and rectified immediately.
6. Detection of Fraud: This is another main purpose of internal audit. In fact, internal audit is helpful to the organisation because due to its presence, an employee is less likely to do any fraudulence activity. There will be no time in making fraud and how the internal audit process will run and so this will end up committing less fraud in an organisation.

What are the types of Internal Audit?

Some types of internal audit are:

• Operational Audit: The efficiency and effectiveness of a particular department in an organisation is evaluated by the operational audit. Some areas of the operational audit are organizational structure, the accuracy of data, processes and procedures, management and security of staffing, assets and productivity.
• Environmental Audit: The impact of the operations of a company on the environment is assessed by environmental audits. Assessment of company’s compliance with certain environmental laws and regulations is also maintained.
• Compliance Audit: Evaluation of compliance with applicable laws, policies, regulations and procedures. Failure to comply with laws like the Foreign Corrupt Practices Act (FCPA), General Data Protection Regulation (GDPA), may result in fines with a huge amount or may even prevent a company from doing further business.
• Financial Audit: A financial audit is historically oriented and independent evaluation process performed to maintain fairness, accuracy and reliability of financial data. The objective is to ensure that the financial activity of a unit or area or department is accurately reflected in the financial reports.
• Information Systems Audits: The information systems audit function develops audit programs to assess, evaluate, and make recommendations to management regarding the adequacy of internal controls inherent in the University’s information systems, and the effectiveness of the associated risk management. The information system audit function assesses the extent to which automated information processing systems, technology, architecture and processes produce reliable and accurate information, and are in accordance with University policies and procedures, and applicable laws and regulations.
• Advisory and Consulting Engagements: Advisory and consulting engagements include review of existing business processes and strategies, as well as implementations. It also includes evaluation and advice on policies, procedures, process enhancements, and any management requests for reviews of areas considered mutually critical.

What is the process of Internal Audit?

Internal auditors generally identify a department, gather an understanding of the current internal control process, conduct fieldwork testing, follow up with department staff about identified issues, prepare an official audit report, review the audit report with management, and follow up with management and the board of directors as needed to ensure recommendations have been implemented.

Assessment Techniques

Assessment techniques ensure an internal auditor gathers a full understanding of the internal control procedures and whether employees are complying with internal control directives. To avoid disrupting the daily workflow, auditors begin with indirect assessment techniques, such as reviewing flowcharts, manuals, departmental control policies or other existing documentation. If documented procedures are not being followed, direct discussion with department staff may be necessary.

Analysis Techniques

Auditing fieldwork procedures can include transaction matching, physical inventory count, audit trail calculations, and account reconciliation as is required by law. Analysis techniques may test random data or target specific data, if an auditor believes an internal control process needs to be improved.

Reporting Procedures

Internal audit reporting includes a formal report and may include a preliminary or memo-style interim report. An interim report typically includes sensitive or significant results the auditor thinks the board of directors needs to know right away. The final report includes a summary of the procedures and techniques used for completing the audit, a description of audit findings, and suggestions for improvements to internal controls and control procedures. The formal report is reviewed with management and recommendations for improvement are discussed. Follow up after a period of time is necessary to ensure the new recommendations have been implemented and have improved operating efficiency.

What are Common Pitfalls that can Derail an Internal Audit?

An internal audit can be extremely useful to help streamline processes, find gaps and identify fraud. However, my experience as an auditor has taught me to recognize the red flags that can quickly derail the process.

Scope creep: Proper planning and definition of scope is key to a successful internal audit. With complex systems and workflows, it is easy for the scope to expand rapidly. Be sure to proactively plan for when an issue occurs that may affect scope, so that the team can respond quickly and efficiently (e.g. do you ignore the issue, add to it, put it off until later). When scope starts to expand, be sure to pump the brakes and reassess; nothing is worse than allowing the scope to increase and later realizing that you are one step away from basically auditing the entire organization and all the processes.

Not talking to all clients/stakeholders: Be sure to involve your client and stakeholders early and often. I recommend going deeper than managers or team leads; talk with the staff, engineers, etc. Many times, the “people in the trenches” may be following a completely different process than what is documented or understood by management.

Not reviewing the data: When data is needed, it’s typical to ask the team you are auditing to provide it, but how do you know that the data is accurate? Was the data modified, trimmed or altered in any way? If possible, sit with the DBA or data provider to understand how the data is being generated. Always ask questions and try to get data that has been generated directly from the system, along with the queries or constraints used to generate it.

Objectivity and Independence: This is especially difficult in a smaller organization. In a larger organization, internal auditors report to a board of directors or an audit committee, but in smaller companies, an internal auditor may be reporting to the same person or group they are auditing. The key is to stay objective, independent and have a forward looking mindset. Remember that an internal auditor is trying to help and should be allowed to do so even if the results are hard to hear.

Conclusion

An internal audit can ensure that an organisation can secure timely compliance with law and regulations. The audit provides a degree of safety and helps manage risk emerging from fraud, abuse of power, or any other scenarios. An internal auditor provides the management with their objective assessment of the processes and accounts. The management can improve their operational and financial performance using the services of an internal auditor, risk emerging from fraud, abuse of power, or any other scenarios. An internal auditor provides the management with their objective assessment of the processes and accounts. The management can improve their operational and financial performance using the services of an internal auditor.