Unlike external audits, internal audits are typically not required. So why would you invest your organization’s money and time in them? In a word, protection.
Internal audits attempt to uncover deficiencies and inefficiencies in a company’s operations — including internal controls, corporate governance, compliance, and accounting processes — before they are brought to light in an external audit.
The sole purpose of an internal audit is to provide management and the board of directors with information about the business, so the scope of the audit can be as broad or limited as needed. Audit tests can focus heavily in some areas while ignoring others. This flexibility is one reason why business owners avoid internal audits — they don’t know where to begin.
To help you understand what internal audits are and how your organization can benefit from them, let’s review the basics.
What Does an Internal Audit Look Like?
Since internal audits are performed purely for the benefit of management and the board of directors, there is no predetermined audit process. But most audits follow the same basic framework.
Define objectives.
What do management and the board of directors want out of their audit? Do they want to:
Tighten up cash flow?
Test the effectiveness of their controls?
Shore up financial processes for an impending sale?
Search for fraud?
Everything that follows will fall back on this objective, so audit goals should be clearly defined.
Evaluate risk.
At the outset of an audit, auditors typically perform a risk assessment to uncover strategic, financial, operational, and compliance threats facing their organization. Here are some examples:
Strategic RisksMisallocation of resources
Market fluctuations
Inaccurate projections
Financial RisksTheft, fraud, or misuse of funds
Accounting errors
Fiscal mismanagement
Compliance RisksFinancial misrepresentation
Insufficient documentation
Code of conduct breaches
Defining risk is important, but it’s just as important to determine management’s threshold for risk. Businesses cannot realistically mitigate all risk, so management must be clear about what risks they are willing to accept.
Determine scope.
Once risk is assessed and risk threshold is determined, auditors can determine the extent and range of testing that’s required. This is called audit scope. When determining audit scope, you might be asking yourself these kinds of questions:
Should we test 20 sales transactions, or is 10 sufficient?
Should we review purchase outliers that have a 50% variance from average, or 30%?
Since we began outsourcing our payroll last year, can we test fewer payroll reports this year?
In general, once it is set, audit scope should not change. Scope is closely linked to audit objectives, so unless those objectives change, scope should not change.
Perform testing.
When performing fieldwork, your internal auditors will perform a variety of types of tests. The types of tests vary based on the goals of your audit and the area of the organization you’re auditing. A few of the most common types of tests your auditors will perform are:
Inquiry — interviewing an employee about their process or role
Observation — observing a process or procedure
Inspection — looking at documentation, like procedure manuals, flowcharts, policies, etc.
Reperformance — reperforming the procedure to see if they get the same results
Report findings.
The internal auditors will prepare reports outlining the types and scope of testing they performed and their findings. Some may even include recommendations to management for making improvements.
What’s the Difference Between Internal and External Audits?
Although both internal and external audits look critically at an organization and provide reports based on their findings, they are quite different.
Internal Audit
External Audit
What is the purpose of the audit?
To analyze and improve upon an organization’s performance and controls
To express an opinion on whether an organization’s financial statements accurately represent the company’s financial position
Who performs the audit?
Internal auditors (either employees of the company or outsourced third party)
External auditors (must be CPAs)
Who is the report intended for?
Management and board of directors (internally focused)
Shareholders, investors, customers, creditors, lenders, and other stakeholders (externally focused)
What does the audit cover?
Internal controls, corporate governance, compliance, and accounting processes
Financial reports, and potentially internal controls as they pertain to financial reporting
What is the audit frequency?
Any frequency (as determined by the board of directors or management)
Annual
Why Are Internal Audits Important?
A well-performed internal audit can:
Identify risks that would not be known otherwise
Improve operating efficiencies
Provide objective insight into the business and its industry
Predict future outcomes for the business
Improve the control environment
And most importantly, a positive internal audit report will increase board member confidence that the business is operating efficiently. If any deficiencies are discovered, management can confront those challenges head on.
Should You Outsource Your Internal Audit Function?
Internal audits are often performed in-house, but they don’t have to be. Internal audits can be co-sourced or outsourced to an audit firm if you need additional support. Outsourcing your internal audit may be a good choice if:
Your business has grown rapidly
You suspect fraud
You do not have the experience or resources available internally
You are preparing for a future sale
You find it difficult to manage everyday financial reporting tasks
Your compliance needs have grown
If you have questions about whether your company needs an internal audit function or how to improve your internal audit process, your CRI advisors can help. We can talk you through the options, including hiring internally, outsourcing, or co-sourcing your internal audit function.
Unlike external audits, internal audits are typically not required. So why would you invest your organization’s money and time in them? In a word, protection.
Internal audits attempt to uncover deficiencies and inefficiencies in a company’s operations — including internal controls, corporate governance, compliance, and accounting processes — before they are brought to light in an external audit.
The sole purpose of an internal audit is to provide management and the board of directors with information about the business, so the scope of the audit can be as broad or limited as needed. Audit tests can focus heavily in some areas while ignoring others. This flexibility is one reason why business owners avoid internal audits — they don’t know where to begin.
To help you understand what internal audits are and how your organization can benefit from them, let’s review the basics.
What Does an Internal Audit Look Like?
Since internal audits are performed purely for the benefit of management and the board of directors, there is no predetermined audit process. But most audits follow the same basic framework.
Define objectives.
What do management and the board of directors want out of their audit? Do they want to:
Tighten up cash flow?
Test the effectiveness of their controls?
Shore up financial processes for an impending sale?
Search for fraud?
Everything that follows will fall back on this objective, so audit goals should be clearly defined.
Evaluate risk.
At the outset of an audit, auditors typically perform a risk assessment to uncover strategic, financial, operational, and compliance threats facing their organization. Here are some examples:
Strategic RisksMisallocation of resources
Market fluctuations
Inaccurate projections
Financial RisksTheft, fraud, or misuse of funds
Accounting errors
Fiscal mismanagement
Compliance RisksFinancial misrepresentation
Insufficient documentation
Code of conduct breaches
Defining risk is important, but it’s just as important to determine management’s threshold for risk. Businesses cannot realistically mitigate all risk, so management must be clear about what risks they are willing to accept.
Determine scope.
Once risk is assessed and risk threshold is determined, auditors can determine the extent and range of testing that’s required. This is called audit scope. When determining audit scope, you might be asking yourself these kinds of questions:
Should we test 20 sales transactions, or is 10 sufficient?
Should we review purchase outliers that have a 50% variance from average, or 30%?
Since we began outsourcing our payroll last year, can we test fewer payroll reports this year?
In general, once it is set, audit scope should not change. Scope is closely linked to audit objectives, so unless those objectives change, scope should not change.
Perform testing.
When performing fieldwork, your internal auditors will perform a variety of types of tests. The types of tests vary based on the goals of your audit and the area of the organization you’re auditing. A few of the most common types of tests your auditors will perform are:
Inquiry — interviewing an employee about their process or role
Observation — observing a process or procedure
Inspection — looking at documentation, like procedure manuals, flowcharts, policies, etc.
Reperformance — reperforming the procedure to see if they get the same results
Report findings.
The internal auditors will prepare reports outlining the types and scope of testing they performed and their findings. Some may even include recommendations to management for making improvements.
What’s the Difference Between Internal and External Audits?
Although both internal and external audits look critically at an organization and provide reports based on their findings, they are quite different.
Internal Audit
External Audit
What is the purpose of the audit?
To analyze and improve upon an organization’s performance and controls
To express an opinion on whether an organization’s financial statements accurately represent the company’s financial position
Who performs the audit?
Internal auditors (either employees of the company or outsourced third party)
External auditors (must be CPAs)
Who is the report intended for?
Management and board of directors (internally focused)
Shareholders, investors, customers, creditors, lenders, and other stakeholders (externally focused)
What does the audit cover?
Internal controls, corporate governance, compliance, and accounting processes
Financial reports, and potentially internal controls as they pertain to financial reporting
What is the audit frequency?
Any frequency (as determined by the board of directors or management)
Annual
Why Are Internal Audits Important?
A well-performed internal audit can:
Identify risks that would not be known otherwise
Improve operating efficiencies
Provide objective insight into the business and its industry
Predict future outcomes for the business
Improve the control environment
And most importantly, a positive internal audit report will increase board member confidence that the business is operating efficiently. If any deficiencies are discovered, management can confront those challenges head on.
Should You Outsource Your Internal Audit Function?
Internal audits are often performed in-house, but they don’t have to be. Internal audits can be co-sourced or outsourced to an audit firm if you need additional support. Outsourcing your internal audit may be a good choice if:
Your business has grown rapidly
You suspect fraud
You do not have the experience or resources available internally
You are preparing for a future sale
You find it difficult to manage everyday financial reporting tasks
Your compliance needs have grown
If you have questions about whether your company needs an internal audit function or how to improve your internal audit process, your CRI advisors can help. We can talk you through the options, including hiring internally, outsourcing, or co-sourcing your internal audit function.