Does Your Organization Need an Internal Audit?
- Contributor
- Jon Heath
Unlike external audits, internal audits are typically not required. So why would you invest your organization’s money and time in them? In a word, protection.
Internal audits attempt to uncover deficiencies and inefficiencies in a company’s operations — including internal controls, corporate governance, compliance, and accounting processes — before they are brought to light in an external audit.
The sole purpose of an internal audit is to provide management and the board of directors with information about the business, so the scope of the audit can be as broad or limited as needed. Audit tests can focus heavily in some areas while ignoring others. This flexibility is one reason why business owners avoid internal audits — they don’t know where to begin.
To help you understand what internal audits are and how your organization can benefit from them, let’s review the basics.
Since internal audits are performed purely for the benefit of management and the board of directors, there is no predetermined audit process. But most audits follow the same basic framework.
What do management and the board of directors want out of their audit? Do they want to:
Everything that follows will fall back on this objective, so audit goals should be clearly defined.
At the outset of an audit, auditors typically perform a risk assessment to uncover strategic, financial, operational, and compliance threats facing their organization. Here are some examples:
Strategic Risks
Misallocation of resources |
Operational Risks
IT security breaches |
Financial Risks
Theft, fraud, or misuse of funds |
Compliance Risks
Financial misrepresentation |
Defining risk is important, but it’s just as important to determine management’s threshold for risk. Businesses cannot realistically mitigate all risk, so management must be clear about what risks they are willing to accept.
Once risk is assessed and risk threshold is determined, auditors can determine the extent and range of testing that’s required. This is called audit scope. When determining audit scope, you might be asking yourself these kinds of questions:
In general, once it is set, audit scope should not change. Scope is closely linked to audit objectives, so unless those objectives change, scope should not change.
When performing fieldwork, your internal auditors will perform a variety of types of tests. The types of tests vary based on the goals of your audit and the area of the organization you’re auditing. A few of the most common types of tests your auditors will perform are:
The internal auditors will prepare reports outlining the types and scope of testing they performed and their findings. Some may even include recommendations to management for making improvements.
Although both internal and external audits look critically at an organization and provide reports based on their findings, they are quite different.
Internal Audit | External Audit | |
What is the purpose of the audit? | To analyze and improve upon an organization’s performance and controls | To express an opinion on whether an organization’s financial statements accurately represent the company’s financial position |
Who performs the audit? | Internal auditors (either employees of the company or outsourced third party) | External auditors (must be CPAs) |
Who is the report intended for? | Management and board of directors (internally focused) | Shareholders, investors, customers, creditors, lenders, and other stakeholders (externally focused) |
What does the audit cover? | Internal controls, corporate governance, compliance, and accounting processes | Financial reports, and potentially internal controls as they pertain to financial reporting |
What is the audit frequency? | Any frequency (as determined by the board of directors or management) | Annual |
A well-performed internal audit can:
And most importantly, a positive internal audit report will increase board member confidence that the business is operating efficiently. If any deficiencies are discovered, management can confront those challenges head on.
Internal audits are often performed in-house, but they don’t have to be. Internal audits can be co-sourced or outsourced to an audit firm if you need additional support. Outsourcing your internal audit may be a good choice if:
If you have questions about whether your company needs an internal audit function or how to improve your internal audit process, your CRI advisors can help. We can talk you through the options, including hiring internally, outsourcing, or co-sourcing your internal audit function.
Subscribe to our e-communications to receive the latest accounting and advisory news and updates impacting you and your business.