Learn the best way to complete an internal audit for your compliance management program.

The Basics of Internal Audits

Internal audits assess a company’s internal controls, including its governance, compliance, security, and accounting processes. They provide management and the board’s audit committee with objective assurance about the design and operation of the organization’s governance, risk, and compliance (GRC) program and whether that program functions effectively throughout the enterprise.

Internal audits are necessary because they identify problems before those issues are discovered during an external audit, when the problems can be much more expensive to fix. Regular internal audits help your organization to evaluate and improve the effectiveness of risk management, control, and governance processes.

By establishing a disciplined, integrated approach to regulations, policies, risks, controls, and issues, your organization can demonstrate that it has a firm grasp on its regulatory compliance obligations and can provide transparency into overall business risks.

What Is the Purpose of an Internal Audit?

Internal auditing gives insight into an organization’s culture, policies, and processes while assisting board and management supervision by checking internal controls such as operational effectiveness, risk mitigation mechanisms, and compliance with relevant laws or regulations.

Through a systematic risk assessment, an internal audit program aids management and stakeholders in identifying and prioritizing risks. In addition, a risk assessment can assist in identifying any gaps in the environment and allow for the implementation of a repair strategy.

Your internal audit program will assist you in tracking and documenting any changes to your environment and mitigating the risks you discover.

Internal auditing can also enhance the organization’s control environment by analyzing efficiency and operational effectiveness. For example, are your controls serving their intended purpose? Are they effective in risk reduction?

You can assure compliance with all relevant rules and regulations by conducting internal audits often (annually, for example). Audits also provide you peace of mind that you are ready for your next external audit. Internal auditing is an important and valuable activity for your firm since it helps you gain client trust and prevent costly fines connected with non-compliance.

How Do Internal and External Audits Differ?

Internal and external auditors both help organizations confirm that the company’s financial reporting and other operational processes are consistent with accounting principles, that internal controls are functioning correctly, and that the company complies with applicable laws and regulations.

Internal auditors, as the name suggests, operate as employees within a business; external auditors are independent of the organizations they examine. Internal audit is a voluntary role within a company, but external audits are often required.

Annual audits of publicly traded companies are mandated by law. In addition, lenders and other stakeholders may request audited financial accounts as a condition of continuing financial assistance.

Top Considerations When Conducting an Internal Audit

An internal audit might be warranted under several circumstances. For example, your business might need to devise a solution to a known problem area, verify that a critical business process is working as it should, or simply understand how and why an activity happens or operates.

The benefits of an internal audit are plenty. First, you can define the scope of the audit yourself rather than have an outside party dictate the scope for you. Internal audit reports also go directly to management rather than to regulators or outside parties. An internal audit functions as an early warning system: it recommends steps to improve the efficiency or effectiveness of procedures before an external audit is conducted.

Most large organizations conduct internal audits regularly. Many private or small businesses also establish internal audits as a core organizational governance capability, although they aren’t required to do so.

Any organization with a compliance management program should regularly conduct internal audits to assure that the business operates efficiently in all department areas, especially for compliance.

Internal Audits and Compliance

Compliance is typically described as adhering to obligations derived from applicable laws, regulations, industry and organizational standards, contractual commitments, corporate commitments, values, sanctions, ethics, and corporate policies and procedures.

While the compliance function exists to assure that your organization complies with all those requirements, the internal audit function is meant to monitor and evaluate your company’s internal control environment and examine its adequacy, efficiency, and effectiveness.

Compliance and internal audit teams can work together to help the organization’s senior leaders understand to what extent the business is meeting performance expectations. That understanding can then drive the wiser use of resources, reduce undesirable outcomes, and give the company a greater ability to hit business objectives.

Compliance and internal audit are more effective when used together. That includes joint planning and coordination of risk assessment efforts, coordinated reporting to management and the board, and shared involvement in compliance-related committees, task forces, and other working groups.

The compliance function usually relies on internal audits to conduct regulatory audits. Compliance risks, however, are just one category of risk that internal auditors monitor to evaluate the effectiveness of your organization’s risk management process.

Although your compliance officer might make recommendations for an internal audit plan, compliance is a management function that must be audited – typically by internal auditors.

Each function plays a crucial role in the risk management activities of your organization, and for maximum advantage, internal audit and compliance should work together. Both functions must be guided by overarching principles and executed through repeatable processes. In addition, both need to account for governance issues so that they form part of your organization’s governance structure.

Types of Internal Audits

There are several types of internal audits your organization might conduct. Your choice will largely depend on the specific goals and objectives you hope to meet.

  • Operational audit. This audit evaluates the performance of a particular function or department to assess its efficiency and effectiveness. The primary sources of evidence will include the active policies and achievements related to organizational objectives. Operational audits may evaluate controls and efficiency, and they cover organizational structure, processes and procedures, data accuracy, management and security of assets, staffing, and productivity.
  • Compliance audit. This audit evaluates an organization’s adherence to established laws, standards, regulations, policies, or procedures. Typically, a compliance audit is conducted because of a policy or statutory requirement. The objective of a compliance audit is to ensure adequate control over an essential internal process.
  • Financial audit. This audit is an independent evaluation of financial data’s fairness, accuracy, and reliability across a fixed period (usually a fiscal quarter or fiscal year). The objective of a financial audit is to assure that the financial activity of the department, unit, or whole enterprise is completely and accurately reflected in the appropriate financial reports.
  • Follow-up audit. These audits are usually conducted approximately six months after an internal or external audit report has been issued; they are intended to evaluate whether corrective action has been taken on the audit issues previously reported. A follow-up audit revisits the past auditor’s recommendations, management’s actions to implement those recommendations, and whether those recommendations actually work. Follow-up audits also assess whether the situation has changed enough to warrant different activities.
  • Investigative audit. This audit only occurs due to a report of unusual or suspicious activity. It focuses on specific aspects of the work of a department or individual. Investigative audits are conducted to determine the extent of a loss, assess weaknesses in controls, and make recommendations for corrective actions.
  • Information technology (IT) audit. IT audits evaluate the controls related to your organization’s information processing systems. IT audits make recommendations to management regarding the adequacy of internal controls and security inherent in your organization’s information systems and the effectiveness of the associated risk management. These audits aim to assure that IT systems safeguard assets, maintain data integrity, and operate efficiently to achieve business objectives.
  • Management audit. Also called performance audits, these audits provide independent and objective insight into the efficiency of business processes. Because internal auditing is an activity that is independent of management, internal auditors can (ideally) review a business process, organization, or strategy without worrying about backlash from the administration. A standard management audit reviews the organizational structure, examining how administrative work is divided throughout your organization and whether opportunities exist for increased efficiency.
  • Integrated audit. This audit combines two types of audit into one project: an IT audit and an operational audit, or a financial audit and an IT audit focused on internal controls over financial reporting.

Who Performs an Internal Audit?

No matter what type of internal audit your organization conducts, it will need to be done by an internal auditor.

Unlike compliance officers, who come from various educational backgrounds, internal auditors are professionals trained according to established standards of the Institute of Internal Auditors.

Internal auditors are hired by your organization’s management, although they should report directly to the audit committee of the board of directors. Ultimately, internal auditors are employed to show the board, management, and staff how the organization can function more effectively.

8 Steps of the Internal Audit Process

The basic steps to conduct an internal audit are as follows:

  1. Identify areas that need auditing. Begin by identifying the operating departments using policies and procedures written by your organization or regulatory agencies. These can include activities as complex as manufacturing processes or as simple as accounting procedures. Make a list of each activity and the functions that require review.
  2. Determine how often auditing needs to be done. While some areas only need to be audited every few years, other departments may require audits annually or even more often. For example, the HR function may only require an annual audit of records and processes, while a manufacturing process may require daily audits for quality control purposes.
  3. Create an audit calendar. A structured and systematic approach to the auditing process will help assure that the function lives up to its full potential. Audits should be integrated into corporate objectives, like any other business goal. Scheduling audits on your business calendar will assure that they are done consistently.
  4. Alert departments of scheduled audits. Give departments notice of an audit so they can prepare the necessary documents and materials for the auditor. A surprise audit should only be conducted if you suspect unethical or illegal activity, and department managers should not feel threatened by an auditor.
  5. Be prepared. An auditor should come prepared with an understanding of policies and procedures and a list of items for review. The more prepared an auditor is, the more efficient the process will be.
  6. Interview employees. The auditor should interview employees and ask them to explain their work process compared to written policy. This step will help to establish an understanding of employee competence and identify employees who need additional training.
  7. Document results. Record the results, including any differences between actual practice and written policy, as well as when guidelines are followed and when they are not. This may also include other information gathered during the interview process. The goal is to identify gaps in compliance and find a way to bridge those gaps.
  8. Report findings. Create an easy-to-understand audit report to be reviewed with senior management. In addition, you should develop an improvement plan for areas with any gaps in compliance.

Here are some other considerations when conducting an internal audit:

  • When reviewing policies and procedures, consider whether written policies meet the needs of “customers” (your employees) and add value to the organization.
  • Focus your policies and procedures on continuous improvement regarding how work is performed.
  • Ask whether the team environment is healthy and supports compliance with policies and procedures. A dysfunctional team has the potential to harm procedural compliance.
  • Review your policies and procedures annually to assure they reflect the changing business environment.

After the Audit: Improving Your Compliance

Once you complete an internal audit, you should remediate any gaps identified during the process. In addition, conducting a follow-up audit after the initial audit will increase the likelihood that an external audit will go well.

There are several risks that your organization may identify during an internal audit, including:

  • Reputation risk
  • Operational risk
  • Transactional risk
  • Credit risk
  • Compliance risk
  • Strategic risk
  • Country risk
  • Legal risk
  • Vendor concentration risk
  • IT/Cybersecurity risk
  • Cloud risk

Identifying these risks during an internal audit is the first step. Creating a plan to remediate them will assure that your organization is ready for an external audit.

If your organization uses spreadsheets to conduct internal audits, expect a time-consuming, frustrating ride.

Fortunately, there’s a GRC solution that can help.

ZenComply Is the Secret to Compliance Management

Relying on multiple systems with multiple deployments can cause conflicting versions of the truth; you won’t know which data is complete and accurate enough to include in your audit. A standardized solution can resolve these problems and establish a single source of truth for your entire enterprise.

Discover the best solutions for you with ZenComply from Reciprocity. ZenComply provides greater efficiency, improves collaboration, and reduces the time and resource costs associated with compliance processes.

ZenComply breaks down the walls between internal audit and compliance groups. It is a comprehensive software solution that eliminates information silos and redundant data entry and improves information transparency and communication.

Pre-loaded with compliance framework content supporting more than 30 standards and regulations, ZenComply saves time; it helps identify the gaps and overlaps that arise from running multiple programs simultaneously. ZenComply delivers a flexible, centralized solution to meet all your compliance requirements, eliminating tedious manual processes and the associated time and resources.

With continuous compliance monitoring, you can create positive audit outcomes by automating the compilation of evidence for internal and external auditors and quickly assessing the acceptability of risk controls.

Pre-built compliance dashboards provide visibility into completed tasks, open items, and more to reveal the health of your company’s compliance and IT information security programs and a simple way to manage your compliance program.

Learn how ZenComply can fit into your business and schedule a demo today to help us guide your organization to confidence in infosec risk and compliance.
