What is an Internal Audit?
Internal audits evaluate a company’s internal controls, including its corporate governance and accounting processes. They ensure compliance with laws and regulations and help to maintain accurate and timely financial reporting and data collection. Internal audits also provide management with the tools necessary to attain operational efficiency by identifying problems and correcting lapses before they are discovered in an external audit.
- An internal audit offers risk management and evaluates the effectiveness of a company’s internal controls, corporate governance, and accounting processes.
- The Sarbanes-Oxley Act of 2002 introduced new internal control requirements and holds management legally responsible for their financial statements by requiring senior corporate officers to certify in writing that the financials are accurately presented.
- Internal audits provide management and the board of directors with a value-added service where flaws in a process may be caught and corrected prior to external audits.
Understanding Internal Audits
Internal audits play a critical role in a company’s operations and corporate governance, especially now that the Sarbanes-Oxley Act of 2002 (SOX) holds managers legally responsible for the accuracy of their company's financial statements. SOX also required that a company's internal controls be documented and reviewed as part of its external audit. Internal controls are processes and procedures implemented by a company to ensure the integrity of its financial and accounting information, promote accountability, and help prevent fraud. Examples of internal controls are segregation of duties, authorization, documentation requirements, and written processes and procedures. Internal audits seek to identify any shortcomings in a company's internal controls.
In addition to ensuring a company is complying with laws and regulations, internal audits also provide risk management and safeguard against potential fraud, waste, or abuse. The results of internal audits provide management with suggestions for improvements to current processes not functioning as intended, which may include information technology systems as well as supply-chain management. Cybersecurity is becoming increasingly important as companies need to protect their confidential electronic information from outside attacks.
Internal audits may take place on a daily, weekly, monthly or annual basis. Some departments may be audited more frequently than others. For example, a manufacturing process may be audited on a daily basis for quality control, while the human resources department might only be audited once a year. Audits may be scheduled, to give managers time to gather and prepare the required documents and information, or they may be a surprise, if unethical or illegal activity is suspected.
Internal Audit Process
Internal auditors generally identify a department, gather an understanding of the current internal control process, conduct fieldwork testing, follow up with department staff about identified issues, prepare an official audit report, review the audit report with management, and follow up with management and the board of directors as needed to ensure recommendations have been implemented.
Assessment techniques ensure an internal auditor gathers a full understanding of the internal control procedures and whether employees are complying with internal control directives. To avoid disrupting the daily workflow, auditors begin with indirect assessment techniques, such as reviewing flowcharts, manuals, departmental control policies or other existing documentation. If documented procedures are not being followed, direct discussion with department staff may be necessary.
Auditing fieldwork procedures can include transaction matching, physical inventory count, audit trail calculations, and account reconciliation as required by law. Analysis techniques may test random data or target specific data if an auditor believes an internal control process needs to be improved.
Internal audit reporting includes a formal report and may include a preliminary or memo-style interim report. An interim report typically includes sensitive or significant results the auditor thinks the board of directors needs to know right away. The final report includes a summary of the procedures and techniques used for completing the audit, a description of audit findings, and suggestions for improvements to internal controls and control procedures. The formal report is reviewed with management, and recommendations for improvement are discussed. Follow-up after a period of time is necessary to ensure the new recommendations have been implemented and have improved operating efficiency.