There is a wrong notion that internal audit is exclusive to only big companies. This perception paints a wrong picture of what internal audit entails and the benefits of it to a company. But then, internal audit is a process that allows a company to carry out regular review of its operations. A review critically looks at a company’s internal operations including its accounting processes or systems and corporate governance. A company often defines the scope or purpose of the audit.
Indeed, internal audit usually assesses the financial, operational, compliance, information technology (IT) or for any other specific purpose. Operational audit, for instance, may want to assess procedures in the company and whether resources are being used more efficiently. That said, information technology (IT) audit examines the controls, hardware, software, security, documentation and backup (recovery) of systems. An audit report is primarily used by the internal management to improve a company’s operations. What then are the internal audit processes and the inherent benefits?
The Internal Audit Process
Even though the internal audit process is not cast in stone, it can generally be conducted through a series of steps as outlined below:
- Planning – This involves defining the scope and objectives of the audit, identifying the key areas and processes to be audited and developing an audit plan and schedule. The audit plan must usually develop a checklist to guide the audit process. The audit will also need to review prior exercises to understand management expectations for presentation and data collection.
- Information Gathering/Data Collection – This may include a previous audit report, financial records, existing policies and procedures and other relevant documents. A company’s internal auditor or team will usually conduct interviews with employees to gain insights into operations, existing controls or procedures. To help streamline this step and obtain significant data, aide memoire or a checklist which relates to the type of audit (operational, compliance, finance etc.) being conducted is essential.
- Risk Assessment – Audit should be risk-based to help use resources judiciously. Risk assessment in that regard is necessary to identify potential risks inherent in the company’s operations or which its exposed to. The internal audit risk assessment critically evaluates those incidents of risks and impacts.
- Testing and Analysis – To assess the effectiveness of internal controls and processes, internal auditors review transactions, examine supporting documents and conduct sample testing. Sample testing may involve transaction matching, audit trail calculations and physical inventory count. Analysis of the sampling results will help establish whether controls are operating as intended and identify any control weaknesses or deviations from established policies and procedures.
- Findings and Recommendations – Internal auditors compile their findings and document any control deficiencies, non-compliance issues or areas for improvement. In addition, they can also provide recommendations to address the identified issues and improve the effectiveness of controls and processes.
- Reporting – This step entails summarizing the audit results with actionable recommendations. A holistic audit report should encompass requirements generally known as the 5 C’s. The five (5) C’s are:
- Criteria: This refers to the standard policy, a procedure or a benchmark against which the condition is being evaluated. It is the reference point used to assess whether a condition meets the desired or required level. Questions which are normally addressed focus on why was the internal audit needed? Who requested the audit and why did this party request the audit? What particular issue was identified?
- Condition: This describes the current state or situation observed during the audit. It identifies a specific issue, deficiency or non-compliance. It looks at a checklist of questions which addresses questions if the company has a policy that has been violated, a benchmark or a condition that was not met? Is the company confident that no issue exists or do they believe an issue is at hand?
- Cause: This involves an analysis of the underlying factors or root causes that have contributed to the condition being present. The “Cause” element answers questions such as “why did the problem occur? who was involved, what processes were broken and how could the problem have been avoided?
- Consequence: This pinpoints the potential impact of the identified condition on the organization. Thus, it highlights the risks, implications or negative outcomes. It identifies the questions such as what is the outcome of the problem? Are issues limited to internal matters, or are there risks of external consequences? What are the financial implications of the issue?
- Corrective Action: This outlines the recommendations to address the identified condition and prevent its recurrence. It provides specific measures that should be implemented to resolve the issue and improve the current state. In effect, the corrective action answers the checklist of questions ranging on what specific steps can the company do to fix the problems identified and the monitoring strategy after solutions have been put in place.
- Follow-up and Monitoring: The internal audit may call for a follow-up after the audit report has been presented to ensure appropriate implementation of audit recommendations. The roadmap for monitoring is incorporated in the final audit report.
Benefits of Conducting Internal Audit
Internal Audit report directly goes to a company’s management or a Board (sub-committee if one exists). Internal audit does add value to an organization and its operations in many ways. Internal audit offers a company an opportunity to improve its governance structure, retool its risk management systems and uphold compliance with relevant laws and regulations. It serves as an early warning system to identify inefficiencies in operational and control procedures and then provides recommendations to correct them. Some of the inefficiencies could be related to poor job descriptions, confusing workplace hierarchies or unnecessary levels of oversight or sign-off requirements by supervisors.
Management relies on the recommendations to re-train employees on their responsibilities to improve performance, use other resources wisely and thereby enhance the overall efficiency and effectiveness of the organization. Internal audit also helps systems to work better by making an organization to be more of a process-dependent than person-dependent to drive accountability within the organization.
Furthermore, internal audit can help an organization to uncover employee’s misconduct that could have gone unnoticed without such exercises on regular basis. The misconduct could arise from negligence or failure by an employee to uphold the company’s compliance protocols which end up putting the business at risk of liability. A misconduct could be deliberate and driven by fraudulent intents of an employee or in connivance with a third-party. These issues can be spotted in audits that focus on compliance mechanisms as well as those that pinpoint the business’ routine practices and policies.
The results of an internal audit can provide a company with new and more robust strategies to tighten its “control environment.” Internal controls are the procedures and processes that a company implements to ensure the integrity of systems. The control environment identifies gaps or “trouble spots” where procedures and controls are not properly designed. It aims at retooling systems to prevent or defect fraud. In the same vein, the report could provide measures that a business can take to further protect itself against internal and external attacks which can undermine business continuity and sustainability. Internal audit processes also verify internal documentation regarding business practices and finances. It so determines accuracy of financial transactions and documented in line with necessary disclosures.
Conclusion
Findings of an internal audit in many instances come as a surprise to business owners. This is mainly because of their familiarity with the company’s operations and hardly admit the weaknesses or inefficiencies. Internal audit serves as the mirror to reveal those inefficiencies and provide an organization with a value-added service to enhance its overall governance, risk management and compliance architecture. Internal audits enhance operational efficiencies, re-awaken employees and other stakeholders to adhere to relevant policies. Recommendations from internal audits can help streamline a business’ practices and sustain its future prospects.
BERNARD BEMPONG
Bernard is a Chartered Accountant with over 14 years of professional and industry experience in Financial Services Sector and Management Consultancy. He is the Managing Partner of J.S Morlu (Ghana) an international consulting firm providing Accounting, Tax, Auditing, IT Solutions and Business Advisory Services to both private businesses and government.
Our Office is located at Lagos Avenue, East Legon, Accra.
Contact: +233 302 528 977
+233 244 566 092
Website: www.jsmorlu.com.gh
