Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
What are the most common types of Internal Audits?
Financial audits – the purpose of a financial audit in general is to provide reasonable assurance that the financial statements are presented fairly, in all material respects and give a true and fair view in accordance with the financial reporting framework. The objective is achieved through an independent and objective assessment of internal controls over financial reporting (control testing) and additional audit procedures aimed at gathering substantive evidence. Specifically, in case of internal financial audits, the focus of each audit project can be very specific, depending on the audit plan and the contingent requirements
Operational audits – the purpose of operational audits is to evaluate the effectiveness and efficiency of operations and business processes. The scope and objectives of each audit project may vary depending on various circumstances and the specific requirements.
Compliance audits – the objective of a compliance audit is to review an organization’s adherence to laws and regulations, also including company policies and procedures. Compliance audits can be performed before the issuance of the relevant regulations in order to assess the level of the organization preparedness, such as in a readiness review, or after, to evaluate the actual level of compliance, highlight any risk exposure and recommend corrective actions.
Fraud investigations – fraud investigations are a very specific type of audit. They should preferably be performed by certified fraud examiners due to their inherent high sensitivity and the related legal and reputational implications. Usually legal and HR functions are also involved in such investigations. In specific cases, forensic experts may be required, especially if legal evidence that can be used in a court of law or legal proceeding may be needed.
IT audits – an IT audit can be broadly defined as the evaluation of an organization’s information technology infrastructure, policies and operations, to determine whether IT controls protect corporate assets, ensure data integrity and are aligned with the business’s overall goals. IT audits can be classified in three broad categories:
a) IT General Controls audits. These cover one or more of the following key areas: System and Program Development, Change Management, Computer Operations, Access to Programs and Data, IT and Cyber-security threats.
b) Application Controls audits, these audits focus on the technical configuration of business systems that enable specific controls to operate, in a full or semi-automated manner.
c) Robotic Process Automation. This is a relatively new IT audit category which is growing in its importance as corporations are investing in robotics to automate business processes. A robotic process automation audit will include a combination of IT General Controls and Application controls audit procedures.
Why is Internal Audit important?
The independence and broad perspective that internal auditors can bring to an organization makes them a valuable resource to enhance risk management, achieve objectives, helping the audit committee and the board to ensure that the organization as a whole is held accountable to all its stakeholders and that it is follows sound management practices
On another note, prolonged periods without independent and objective advice may lead management to fall for certain psychological traps such as “fear of upsetting the status-quo”, “anchoring”, “over-reliance on your echo-chamber” and “hostage to the past”. These “traps” may hamper the growth potentiality of your business and perpetuate inefficient or ineffective courses of action, or both.
How can you respond?
It is important to carefully consider how Internal Audit can assist your organization. You may opt for different approaches and solutions also depending on the applicable laws and regulations. You may wish to have internal audits performed only in specific areas of interest. These could cover specific risks, pain points, projects, the organization’s readiness for new regulations, etc. In some cases you may prefer to have internal auditors define a complete annual internal audit plan which will cover various areas. The annual internal audit plan should be prepared following an internationally acknowledged methodology. The plan should be presented and approved by the Audit Committee or, in absence of such committee, by the board of directors. Another key decision is whether you would like to set up an in-house internal audit function, with full time employees, or fully outsource the function to a specialised service provider such as Horizon Compliance, or work with a combination of both.