This article was written by Melissa Bucukovski, CIA, MBA, Consulting Manager
When many people think of internal audit, they think of repetitive, check-the-box compliance type work that for lack of a better phrase, sounds as interesting as watching paint dry. While that can certainly be a part of internal auditing, it’s only scratching the surface of what an internal audit function can do for an organization – internal audit is so much more than you think!
Let’s start with some formal definitions and frameworks published by the Institute of Internal Auditors (IIA). The IIA was established in 1941 and is the internal audit profession’s most widely recognized advocate, educator, and provider of standards, guidance, and certifications that currently serves more than 200,000 members in over 170 countries.
- Per the IIA, Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
- The IIA also developed the Three Lines Model (Formerly known as the Three Lines of Defense):
There are separate publications explaining each line of the Three Lines Model in a great amount of detail, but a summary of the roles in basic terms is as follows:
- Management of the organization make up the “first” and “second lines”, as described in the diagram above. This includes individuals such as the CEO, CFO, Directors, VPs, Compliance Officer, Department Managers, etc.
- Internal Audit is the “third line”.
- Up top is the governing body, such as the Board of Directors, Finance/Audits Committees, etc.
- On the side are “External Assurance Providers,” typically referring to the external CPA firm that performs the annual audit of the organization’s financial statements.
Great, what does this all mean? The Three Lines model illustrates the unique position internal audit has as a partner and advisor to Management while also having direct, independent access to the Board/Audit Committee. Typically, the head of an internal audit department will report directly to the Audit Committee with an administrative reporting line to the CFO for daily functions. Functionally reporting to an organization’s audit committee helps ensure that the internal audit function remains independent and can carry out its duties with objectivity. Internal audit is considered the “last line of defense” for an organization before they are subject to external auditors and other regulatory agencies. Therefore, internal audit can “catch things” before someone else does so that it can be remediated ahead of an external audit.
Speaking of external auditors, what is their role? An external audit is performed by an independent CPA firm with a focus on reviewing the organization’s financial statements. They assess compliance with accounting standards, provide an opinion of the accuracy of the financials, and identify any material misstatements or disclose other relevant items. External audits often review similar areas year over year, depending on the materiality of the various business units and functions that make up the organization. These audits are typically mandated by law and are critical to the success of an organization.
That makes sense, sounds like external audit has it covered…so what does internal audit do? Let’s break internal audit down into two categories – Compliance Based and Risk-Based Financial and Operational reviews:
- Compliance Based: Going back to the initial sentence of this article, internal audit can certainly be rooted in compliance. These types of audits usually occur when some semblance of auditing is mandated (aside from an external financial statement audit). Examples include audits for compliance with the Sarbanes-Oxley Act (SOX) as required by law for all publicly traded companies, or the requirement that all banks and financial institutions have an internal audit/compliance function. In these cases, the organization will often have an “Internal Audit” team whose primary responsibility is testing for compliance with those laws and regulations. Those audits are typically repetitive year over year unless there are changes within the organization or updates to regulations.
- Risk-Based Financial and Operational (Non-Compliance Based): Saved the best for last! The true value-add aspect of an internal audit function lies within risk-based audits that are not being performed based on a legal requirement, but rather based on audit committee input and dynamic risk assessments. Internal audit professionals use their knowledge, experience, and expertise to perform audits by developing their own unique testing plans based on real-time events and discussions with management to achieve the desired goal, versus simply rolling over prior testing and audit programs. The goal of these audits can range anywhere from assessing whether adequate internal controls exist, to evaluating operational and administrative processes for efficiency/effectiveness, to analyzing future organization initiatives from a strategic viewpoint. In the end, the internal audit team reports their results and provides management with observations and most importantly, value-added recommendations. Oftentimes, these recommendations are inherently adding value since the audit scope covers an area or function that has never been reviewed, or covers it at a deeper, more granular level from a different perspective. That, combined with the uniqueness of the structure of the internal audit function, can yield results that truly benefit and improve an organization.
An internal audit team is often comprised of professionals with expertise in accounting and finance, but also those who have expertise in other operational areas, such as IT/cybersecurity, billing, project management, regulatory matters, etc. There are so many risks that are not covered by an external audit, because the main purpose of an external audit is to form an independent opinion on the accuracy of the financial statements. To make that opinion, various risks are considered but oftentimes are not reviewed at a detailed level due to materiality considerations. This is especially true for larger and more complex organizations. Examples of risks that internal audit can delve into that may not be addressed by other audits relate to:
- Fraud Risk (All types, not just financial statement fraud)
- Third Party Management Risk
- Business Resilience Risk
- Talent Management Risk
- Data Privacy Risk
- Supplier and Vendor Management Risk
- Environment Health and Safety (EHS) Risks
- Emerging Risks: Environmental, Social, and Corporate Governance (ESG); Social Media; Economic Changes
How is it determined which audits should be done? Risk-based internal audits are usually selected based on an annual or semi-annual risk assessment made up of both quantitative and qualitative factors. Examples of qualitative inputs are interviews with senior management and other stakeholders, results of other audits, and information from prior investigations/reviews. Quantitative inputs can include financial ratios and performance, market/industry data, and other indexes. An audit plan is developed based on the risk assessment, which is presented to and approved by the Audit Committee. Risk-based internal audits can cover essentially anything; some examples include:
- A financial/operational review of a particular unit within an organization (e.g., Northeast division of ABC Inc; Agency A of Nonprofit Organization XYZ)
- A deep dive financial/operational review of a particular function or department (e.g., Service Billing; Standard and Off-Cycle Payroll; Endowment Funds; Executive Compensation; Supply Chain and Logistics; Procurement; Human Resources)
- Site Review or Shared Service Center Review
- Readiness Review for an upcoming system implementation
- Regulation-Based Review (e.g., Compliance with the Foreign Corrupt Practices Act or Medicaid Laws)
- IT and Cybersecurity (e.g., Vulnerability Assessments, Network Infrastructure Reviews, Data Privacy Audit)
- Strategic Reviews (e.g., Succession Planning, Enterprise Risk Management Assessment)
- Advisory Services may also be performed upon Management request
Internal auditors essentially serve as consultants to the group they are auditing, with the best intentions in mind – after all, they are all employees of the same organization (or are representing the organization). Internal audit can be tailored to serve an organization in several different ways, and it is highly beneficial to maximize what internal audit can offer, which is far more than just “checking the box”. While there is an upfront cost, the savings and improvements an organization can realize through proper utilization of an Internal Audit function can prove to be invaluable.
If you have any questions or are interested in learning more about this topic, we’re here to help. Please do not hesitate to reach out to our trusted experts today.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.