Learn the best way to complete an internal audit for your compliance management program.
The basics of internal audits
Internal audits evaluate a company’s internal controls, including its corporate governance and accounting processes. They provide management and the audit committee with unbiased assurance about the design and operation of the organization’s governance, risk, and compliance (GRC) program, and whether the program functions effectively throughout the enterprise.
Internal audits are necessary because they identify and correct problems before those issues are discovered during an external audit — when the problems can be much more expensive to fix. Regular internal audits help your organization to evaluate and improve the effectiveness of risk management, control, and governance processes.
By establishing a disciplined, integrated approach to regulations, policies, risks, controls, and issues, your organization can demonstrate that it has a firm grasp on its regulatory compliance obligations and can provide transparency into overall business risks.
Top considerations when conducting an internal audit
There are several circumstances where an internal audit might be warranted. For example, your business might need to devise a solution to a known problem area; or need to verify that a critical business process is working as it should. You may just need to understand how and why an activity happens or operates.
The benefits of an internal audit are plenty. First, you can define the scope of the audit yourself, rather than have an outside party dictate the scope for you. Internal audit reports also go directly to you, rather than to regulators or some other outside party. An internal audit functions as an early warning system: it recommends steps to improve the efficiency or effectiveness of procedures, before an external audit is conducted.
Most large organizations conduct internal audits regularly. Many private or small businesses also establish internal audit as a core organizational governance capability, although they aren’t required to do so.
Any organization with a compliance management program should regularly conduct internal audits, to assure that the business is operating at maximum efficiency in all department areas, especially regarding compliance.
Internal audits and compliance
Compliance is typically described as the process of adhering to obligations derived from applicable laws, regulations, industry and organizational standards, contractual commitments, corporate commitments, values, sanctions, ethics, and corporate policies and procedures.
While the compliance function is designed to assure that your organization is complying with all those requirements, the internal audit function is meant to monitor and evaluate your company’s internal control environment and examine its adequacy, efficiency, and effectiveness.
Working together, compliance and internal auditing help the organization’s senior leaders to understand how much the business is or isn’t meeting performance expectations. That understanding can then drive the wiser use of resources, reduce undesirable outcomes, and give the company a greater ability to hit business objectives.
Compliance and internal auditing are more effective when they’re used together. That includes tasks such as joint planning and coordination of risk assessment efforts, coordinated reporting to management and the board, and shared involvement in compliance-related committees, task forces, and other working groups.
The compliance function usually relies on internal audit to conduct regulatory audits. Compliance risks, however, are just one category of risk that internal auditors monitor to evaluate the effectiveness of your organization’s risk management process.
Although your compliance officer might make recommendations for an internal audit plan, compliance is a management function that also needs to be audited — typically by internal auditors.
Each function plays a fundamental role in the risk management activities of your organization, and risk assessment is a key analytical tool used to identify and assess the extent of a likely hazard.
Therefore, internal audit and compliance must work together. Both functions need to be guided by overarching principles and executed through repeatable processes, and they need to take governance issues into account to be a part of your organization’s governance structure.
Types of internal audits
There are several different types of internal audits your organization might conduct. Which one you choose will largely depend on the specific goals and objectives you hope to meet.
- Operational audit. This audit evaluates the performance of a particular function or department to assess its efficiency and effectiveness. The primary sources of evidence will include the operational policies and achievements related to organizational objectives. Operational audits may evaluate controls and efficiency, and can include organizational structure, processes and procedures, accuracy of data, management and security of assets, staffing, and productivity.
- Compliance audit. This audit evaluates an organization’s adherence to established laws, standards, regulations, policies or procedures. Typically, a compliance audit is conducted because of a policy or statutory requirement. The objective of a compliance audit is to assure adequate control over an important internal process.
- Financial audit. This audit is an independent evaluation of the fairness, accuracy, and reliability of financial data across a fixed period of time — usually a calendar quarter or a fiscal year. The objective of a financial audit is to assure that the financial activity of the department, unit, or area is completely and accurately reflected in the appropriate financial reports.
- Follow-up audit. These audits are usually conducted approximately six months after an internal or external audit report has been issued; they are intended to evaluate whether corrective action has been taken on the audit issues previously reported. A follow-up audit revisits the past auditor’s recommendations as well as management’s action plans, to determine whether corrective actions were taken and if they are working; or whether the situation has changed enough to warrant different actions.
- Investigative audit. This audit only takes place as a result of a report of unusual or suspicious activity. It focuses on specific aspects of the work of a department or individual. Investigative audits are conducted to determine the extent of a loss, assess weaknesses in controls, and make recommendations for corrective actions.
- Information technology (IT) audit. IT audits evaluate the controls related to your organization’s automated information processing systems. IT audits make recommendations to management regarding the adequacy of internal controls and security inherent in your organization’s information systems and the effectiveness of the associated risk management. The goal of these audits is to make sure that IT systems are safeguarding assets, maintaining data integrity, and operating efficiently to achieve business objectives.
- Management audit. Also called performance audits, these audits provide independent and objective insight into the efficiency of business processes. Because internal auditing is an activity that is independent of management, internal auditors can (ideally) review a business process, organization, or strategy without worrying about backlash from management. A common management audit is a review of organizational structure, such as examining how administrative work is divided throughout your organization and whether opportunities exist for increased efficiency.
- Integrated audit. This audit combines two types of audit into one project: say, an IT audit and an operational audit, or a financial audit and an IT audit focused on internal controls over financial reporting.
Who performs an internal audit?
No matter what type of internal audit your organization conducts, it will need to be done by an internal auditor.
Unlike compliance officers, who come from various educational backgrounds, internal auditors are professionals who are trained according to established standards of the Institute of Internal Auditors.
Internal auditors are hired by your organization’s management, although they should report directly to the audit committee of the board of directors. External auditors are appointed by a shareholder vote.
Ultimately, internal auditors are employed to show the board, management, and staff how the organization can function more effectively.
How to conduct an internal audit
The basic steps to conduct an internal audit are as follows:
- Identify areas that need auditing. Begin by identifying the departments that operate using policies and procedures written by your organization or by regulatory agencies. These can include activities as complex as manufacturing processes or as simple as accounting procedures. Make a list of each activity and the functions that require review.
- Determine how often auditing needs to be done. While some areas may only need to be audited annually, other departments may require more frequent audits. For example, the HR function may only require an annual audit of records and processes, while a manufacturing process may require daily audits for quality control purposes.
- Create an audit calendar. A structured and systematic approach to the auditing process will help assure that the function lives up to its full potential. Audits should be integrated into corporate objectives, like any other business goal. Scheduling audits on your business calendar will assure that they are done consistently.
- Alert departments of scheduled audits. Give departments notice of an audit so they can prepare the necessary documents and materials for the auditor. A surprise audit should only be conducted if you suspect unethical or illegal activity, and department managers should not feel threatened by an auditor.
- Be prepared. An auditor should come prepared with an understanding of policies and procedures and a list of items for review. The more prepared an auditor is, the more efficient the process will be.
- Interview employees. The auditor should interview employees and ask them to explain their work process compared to written policy. This step will help to establish an understanding of employee competence and identify employees who need additional training.
- Document results. Record the results and any differences in practice to how policies are written, as well as when policies are followed and when they are not. This may also include other information that is gathered from the interview process. The goal is to identify any gaps in compliance and find a way to bridge those gaps.
- Report findings. Create an easy-to-understand audit report to be reviewed with senior management. In addition, an improvement plan should be developed for areas with any gaps in compliance.
Here are some other considerations when conducting an internal audit:
- When reviewing policies and procedures, consider whether written policies are meeting the needs of “customers” (that is, your employees) and adding value to the organization.
- Policies and procedures should be focused on continuous improvement as it relates to how work is performed.
- Ask whether the team environment is healthy and supports compliance with policies and procedures. A dysfunctional team has the potential to impact procedural compliance.
- Policies and procedures should be reviewed annually to assure they reflect the changing business environment.
After the audit: improving your compliance
Once you complete an internal audit, you should remediate any gaps identified during the process. Conducting a follow-up audit after the initial audit will increase the likelihood that an external audit goes well.
There are a number of risks that your organization may identify during an internal audit, including:
- Reputation risk
- Operational risk
- Transactional risk
- Credit risk
- Compliance risk
- Strategic risk
- Country risk
- Legal risk
- Vendor concentration risk
- IT/Cybersecurity risk
- Cloud risk
Identifying these high risks during an internal audit is the first step. Creating a plan to remediate any of these risks will assure that your organization is ready for an external audit.
That said — if your organization uses spreadsheets to conduct internal audits, you may be in for a time-consuming, frustrating ride.
Fortunately, there’s a GRC solution that can help.
How Reciprocity can help
Relying on multiple systems with multiple deployments can cause conflicting versions of truth; you won’t know which set of data is complete and accurate. A standardized solution can resolve these problems and establish a single source of truth for your entire enterprise.
Discover the best solutions for you with ZenGRC from Reciprocity. ZenGRC provides greater efficiency, improves collaboration, and reduces the time and resource costs associated with compliance processes.
ZenGRC breaks down the walls between internal audit and compliance groups. It is a comprehensive software solution that eliminates information silos and redundant data entry, and improves information transparency and communication.
ZenGRC delivers a flexible, centralized solution to meet all of your compliance requirements, eliminating tedious manual processes and the time and resources associated with them.
Pre-loaded with compliance framework content supporting more than 30 standards and regulations, ZenGRC not only saves time; it helps identify gaps and overlaps of running multiple programs at the same time.
With continuous compliance monitoring, you can create positive audit outcomes by automating the compilation of evidence for internal and external auditors and quickly assessing the acceptability of risk controls.
Pre-built compliance dashboards provide visibility into completed tasks, open items, and more, to reveal the health of your company’s compliance and IT information security programs along with a simple way to manage your compliance program.
Learn how ZenGRC can fit into your business and schedule a demo today to help us guide your organization to confidence in infosec risk and compliance.