For many people, the words “internal audit” conjure a sense of fear and the expectation of high cost. Even under the best circumstances, having someone review your work can be intimidating, but internal audit provides an unbiased, independent review of data and business processes. It gives senior leaders and governing bodies an objective source of advice that is not swayed by politics and is independent of the functions it reviews. Knowing what to expect during an internal audit and being aware of the common pitfalls can go a long way toward putting you at ease and ensuring a successful assessment. Proper planning also makes the process more cost-effective.
Phases of an internal audit:
Internal audit activities generally fall into one of four phases:
- Planning – During the planning process, the audit team conducts an introductory meeting, reviews documentation, reviews previous audits, defines the scope and objectives, and lays out the timeline and budget.
- Fieldwork – Throughout this phase, the audit team will execute the audit on-site. This usually includes a review of documentation, interviews, testing of the controls and identifying exceptions and recommendations.
- Reporting – During the reporting phase, the auditor produces an audit report that is actionable and leads directly to process improvements. Typically, this includes issuance of a draft report, review with management, and issuance and distribution of the final report.
- Follow-up – The final stage is to follow up to confirm that the agreed recommendations have been implemented, and to offer consultation where needed.
What should be audited:
It is tricky to provide a specific list of items to audit, because almost anything can fall within the scope of an internal audit, and the list should be tailored to the individual business after an examination of its threats and risks. Below is a list of common areas that most companies, big and small, tend to focus on.
- Security – Who has access to sensitive data? Who has access to your systems? How do you know if you have been breached? Do you know the threats and attack vectors?
- Data Integrity – Is data a key to your organization? Is that data being used to make business decisions? Is the data accurate? Where does it come from? Can the data be better? Are there gaps?
- Compliance – What relevant government regulations and requirements need to be followed; are you following them? Do you have company policies and are they being followed?
- Business Continuity – What happens if operations are interrupted? How fast can the organization recover? Can the organization recover? What are the core business functions that need to be restored first? What, if anything, can wait?
- Employee and Customer Satisfaction – Are people happy? Would people recommend your product and organization to others? Are they loyal? Do you know what they like/dislike?
Common pitfalls that can derail an internal audit:
An internal audit can be extremely useful to help streamline processes, find gaps and identify fraud. However, my experience as an auditor has taught me to recognize the red flags that can quickly derail the process.
- Scope creep: Proper planning and a clear definition of scope are key to a successful internal audit. With complex systems and workflows, it is easy for the scope to expand rapidly. Decide in advance how the team will handle an issue that surfaces outside the agreed scope (for example, add it to the current audit, defer it to a later review, or simply record it), so that the team can respond quickly and consistently. When scope starts to expand, pump the brakes and reassess; nothing is worse than letting the scope grow unchecked and later realizing that you are one step away from auditing the entire organization and all of its processes.
- Not talking to all clients/stakeholders: Be sure to involve your client and stakeholders early and often. I recommend going deeper than managers or team leads; talk with the staff, engineers, etc. Many times, the “people in the trenches” may be following a completely different process than what is documented or understood by management.
- Not reviewing the data: When data is needed, it is typical to ask the team you are auditing to provide it, but how do you know that the data is accurate? Was it modified, trimmed or otherwise altered before it reached you? If possible, sit with the DBA or data owner to understand how the data is generated. Always ask questions, and try to obtain extracts produced directly from the system of record, along with the queries, filters and date ranges used to generate them, so that the result can be reproduced independently.
- Objectivity and Independence: This is especially difficult in a smaller organization. In a larger organization, internal auditors typically report to the board of directors or an audit committee, but in smaller companies an internal auditor may report to the same person or group they are auditing. The key is to stay objective and independent and to keep a forward-looking mindset. Remember that an internal auditor is trying to help and should be allowed to do so, even when the results are hard to hear.
High-level differences between internal and external audit:
- Internal audit findings are generally not made public. External audit reports are issued to parties outside the organization and, for publicly traded companies, are published alongside the financial statements.
- Internal audit is generally voluntary; an external audit is often a legal or regulatory requirement (for example, for publicly traded companies).
- Internal audit reports are used by management and the board of directors. External audit reports are used by external stakeholders such as shareholders, lenders and regulators.
- Internal auditors can provide advice and other consulting services to the organization. External auditors are limited in providing consulting services to an audit client.
- Internal audits are performed throughout the year. External audits are generally performed annually or as required.
An internal audit is not just for large or publicly traded organizations. Organizations big and small can benefit from one. Regular auditing helps ensure that the organization is operating efficiently, that staff and customers are satisfied, and that the organization is meeting its compliance requirements; it can also help identify fraud. Whether it is a full internal audit or a less rigorous self-assessment, following the phases and avoiding the common mistakes described above can deliver long-term benefits: organizations become more efficient, perform better, and have stronger governance, risk management and control processes.