Upon hearing the words “internal audit,” does a cold finger of fear slither down your spine? Or perhaps the phrase evokes images of files and forms and computer printouts avalanching across your desk. Fear no more.
We’ll break down the purpose of an audit, detailing internal control audit objectives. You’ll finish reading not only understanding the process but also realizing that the benefits of the internal control audit to your organization outweigh any perceived discomfort.
What are the objectives of an audit?
The overall purpose of an internal audit is to create a roadmap to improve business success. Throughout the process, an auditor examines, reviews, and tests the efficiency of operations in the day-to-day activities of an organization.
The auditor evaluates findings to provide management with appraisals regarding the quality of internal controls, recommendations for improvement, and advice on how to fine-tune operating style to advance achievement of objectives within the business.
The key piece of a successful audit is to properly evaluate and test the specific internal controls of an organization.
The journey begins with the recommended foundation of an effective internal control system. There are no federal, state, or regulatory laws for the acceptance and use of an internal control system, but over the years, organizations such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) have established solid and accepted guidelines.
The COSO Framework as an audit tool
COSO’s Internal Control-Integrated Framework defines five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring. Although the main focus of an internal audit is on the reliability of financial reporting, the audit will encompass the entire internal control system.
The foundation of an effective internal control system relies on the support of everyone within the organization. COSO refers to the concept of “tone at the top,” which explains that the adoption of internal controls begins with an entity’s board of directors, trustees, or management. An auditor wants to understand management philosophy regarding the importance, acceptance, and adherence to the internal control system.
A few examples of what an internal control audit checks for:
- The internal control consciousness of its people—is everyone aware of the policies and procedures for internal controls?
- Are ethical values encouraged, exemplified, and rewarded by management?
- Do staff have a solid understanding of and receive training on how to perform control activities associated with their individual responsibilities?
As an internal auditor, risk management is one of the overlying responsibilities. By nature of the process, one of the internal control audit objectives is to conduct a risk assessment.
Internal control audit objectives are defined by the specific control activities adopted within an organization. Control activities are the basis of an auditor’s evaluation and testing of controls.
Information and communication
Information systems provide reporting in all areas of operations, including financial, operational, and compliance-based materials. To correctly perform its function, the audit staff monitors the quality of communications and information systems within the organization.
Ongoing monitoring of internal controls is a management function with many monitoring activities built into the daily operations of an organization. Some internal controls are classified as monitoring activities. Additional and periodic monitoring occurs in the form of an internal audit.
Understanding internal control audit objectives
Any organization in operation has risks. Risks need controls. Controls need to be evaluated, improved, redefined, or discarded. To complete a comprehensive internal control audit, auditors test control activities against specific control objectives.
Definition of internal control objective: A control objective is the reason a control activity is put into action. More specifically, a control objective is a series of actions and statements describing how a control activity is designed to avoid or reduce risk to an acceptable level.
Three categories for control objectives
Control objectives are generally classified into three categories: operational, reporting, compliance.
Objectives revolving around effective and efficient business operations.
Examples of control activities designed to meet operational objectives:
- Business performance reviews
- Physical safeguards and security over assets
- Education, training, coaching
- Review and approval
- Segregation of duties
Objectives pertaining to reliable, transparent, and timely reporting of both financial (internal and external) and non-financial transactions.
Examples of control activities designed to meet reporting objectives:
- Review and approval
- Password protections
- Segregation of duties
- Performance reviews
Objective relating to following and abiding by state and federal laws and industry regulations.
Examples of control activities designed to meet compliance objectives:
- Verification (information is correctly captured)
- Performance reviews
- Education and training
- Policies and procedures manuals
Internal control audit objectives
Audit objectives are designed to verify that the preferred outcome of a control activity is achieved. This is completed by judging the control procedure against a set of predefined criteria. These are commonly referred to as audit objectives.
Transaction-related audit objectives include:
- Reporting and summarization
To better understand the process, let’s look at an example of applying internal control audit objectives to evaluate internal control over financial reporting.
Control objective: verify that a misstatement was prevented or detected by a specific control activity
Control activity: management authorization of expenditures
Application of internal control audit objectives:
- Occurrence: management authorizes all expenditures
- Completeness: Authorizations are recorded in appropriate fashion
- Accuracy: Authorizations are stated in correct amounts throughout financial statements
- Classification: Authorized expenditures are classified according to established guidelines
- Timing: Authorizations are dated and recorded on correct dates
- Reporting and summarization: Authorizations are documented in appropriate reports and include a summary of each transaction
In a sense, an internal audit is like hiring a consultancy agency. Internal control audit objectives not only serve to find potential problems, but to discover opportunities for improvement and help implement necessary changes.
Interested in streamlining your internal audit process? Learn more about the ZenGRC solution today.