Internal Audit - A Tool For Business Value
February 25, 2014
As a CEO or CFO, you set specific business goals such as increasing market share, rolling out new products and services, improving customer responsiveness, reducing costs, etc. Progress toward these business goals can be undermined by risks, such as changes in market preferences, inconsistent product quality or poorly trained customer service staff, etc. Management needs to consider and implement risk management measures so as to minimize the adverse impact the risks might have to achieving strategic business goals. Likewise, Audit Committees need to consider risk management relating to financial reporting.
So, where does internal audit fit into this? Internal Auditors are trained professionals that have the expertise to assess risks and their potential impact on the business and evaluate controls that a company might have implemented to mitigate those risks. Risks can be of various types – business risk, financial reporting risk, compliance risk, information risk etc. These risks collectively impact all aspects of an enterprise’s operations and are hence called “enterprise risks.” Previously, internal auditors were concerned mainly with assessing and reporting on financial risks. With greater knowledge of risk management and introduction of the COSO framework, the domain of internal auditing has grown to encompass all areas of risk management i.e. “Enterprise Risk Management.”
A natural question CEOs/CFOs would ask is: How do I organize my internal audit function so I get the maximum benefits for the investment? The answer: Internal Audit can be managed internally by a company or outsourced to an experienced consulting firm. Both models have their advantages and disadvantages. Keeping the internal audit function in house brings the advantage of better utilizing company specific knowledge which internal auditors (being company employees) have of the companies’ business operations. In contrast, bringing in external firms as an outsourced internal audit service will enable the organization to get the benefits of that firm’s experience and expertise across industries as well as greater objectivity that an outside professional can bring to the Audit Committee. Management and the Audit Committee can seek the combined benefits of both models by creating a co-sourced internal audit function. Certain key business areas where the internal team has sufficient knowledge can be retained in house, and other areas where the in house staff might not have sufficient expertise (e.g. information technology controls) can be outsourced to consulting firms.
Whether the internal audit is an internal department or an outsourced function, it is critical that internal auditors maintain their independence and objectivity. Ideally, the internal audit committee should report directly to the chair of the audit committee. Additionally, internal auditors should not be involved in the design of operation of any controls within the organization as that would undermine their independence and objectivity.
Benefits of Internal Audits
Companies derive significant business value from the internal audit function at multiple levels. At a minimum, most companies that use internal audits rely on the function to provide assurance on the financial reporting and compliance processes. To derive greater value, management may also consider giving a broader role to internal audit and include elements of enterprise risk management into the internal audit charter. Some of the key benefits include:
a) Identification and assessment of risks: Internal audit helps companies identify the risks and barriers they might face in the path to achieving their business objectives. Internal audit also assesses the likelihood of the risk materializing and its possible consequences, thereby giving a perspective of what risks are “key” and therefore require more urgent anagement attention. Internal audit can help companies be better prepared to prevent certain adverse events from occurring and also to provide an adequate response should such events occur. This means that an organization is likely to face fewer surprises or crises situations and be better prepared for most eventualities.
b) Evaluating Controls: Companies can assess whether the controls and procedures they have put in place are adequate to mitigate the identified risks. This enables companies to improve controls procedures and make course corrections where needed. Evaluation of controls through experts in this field can help remedy gaps in internal controls and may even lead to prevention and/or detection of fraudulent activities.
c) Ensuring compliance with regulations: Compliance with regulations as well as internal policies and procedures is a key result of the involvement of internal audit. A constant focus on this area through the internal audit function can help management promote a culture of “compliance consciousness” where compliance occurs as a part of everyone’s daily work rather than as a separate process.
d) Improve effectiveness and efficiency of processes: When management extends the internal audit scope to include evaluation of enterprise risks, this can enhance the effectiveness and efficiency of processes by identifying duplication and redundant activities.
e) Provide comfort to management, the Board and other stakeholders: One of the most important benefits of internal audit is to provide assurance to management and a level of comfort to the Audit Committee, Boards of Directors and external stakeholders that the company has a strong control environment that sufficiently mitigates the risks that a company might be exposed to and contributes towards meeting business objectives.
Management must actively utilize the services of internal audit to act a sounding board for strategies under development, to anticipate risks before they materialize and take appropriate and timely action. Used effectively, internal audit thus becomes a tool that helps creates significant business value.