Internal auditing is the independent and objective evaluation of an organisation's internal controls to effectively manage risk within its risk appetite.
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Internal auditing achieves this by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice.
The scope of internal auditing within an organization is broad and may involve topics such as an organization's governance, risk management and management controls over: efficiency/effectiveness of operations (including safeguarding of assets), the reliability of financial and management reporting,and compliance with laws and regulations. Internal auditing may also involve conducting proactive fraud audits to identify potentially fraudulent acts; participating in fraud investigations under the direction of fraud investigation professionals, and conducting post investigation fraud audits to identify control breakdowns and establish financial loss.
Managers establish policies, processes, and practices in these five components of management control to help the organization achieve the four specific objectives listed above. Internal auditors perform audits to evaluate whether the five components of management control are present and operating effectively, and if not, provide recommendations for improvement.
Role in risk management:
Under the COSO enterprise risk management (ERM) Framework, an organization's strategy, operations, reporting, and compliance objectives all have
associated strategic business risks - the negative outcomes resulting from internal and external events that inhibit the organization's ability to
achieve its objectives. Management assesses risk as part of the ordinary course of business activities such as strategic planning, marketing planning,
capital planning, budgeting, hedging, incentive payout structure, credit/lending practices, mergers and acquisitions, strategic partnerships, legislative
changes, conducting business abroad, etc. Sarbanes-Oxley regulations require extensive risk assessment of financial reporting processes.
Internal Audit Execution:
A typical Internal Audit Assignment involves the following steps:
1. Establishing and communicating the scope and objectives of the Audit to appropriate members of management.
2. Developing an understanding of the business area under review - this includes objectives, measurements & key transaction types and involves interviews
and a review of documents - flowcharts and narratives may be created, if necessary.
3. Describing the key risks facing the business activities within the scope of the Audit.
4. Identifying management practices in the five components of control used to ensure that each key risk is properly controlled and monitored. Internal
5. Audit Checklist[13] can be a helpful tool to identify common risks and desired controls in the specific process or specific industry being audited.
6. Developing and executing a risk-based sampling and testing approach to determine whether the most important management controls are operating as intended.
7. Reporting issues and challenges identified and negotiating action plans with the management to address these problems.
8. Following-up on reported findings at appropriate intervals. Internal Audit Departments maintain a follow-up database for this purpose.
9. Audit Assignment length varies based on the complexity of the activity being audited and Internal Audit resources available. Many of the
above steps are iterative and may not all occur in the sequence indicated.
In addition to assessing business processes, specialists called Information Technology (IT) Auditors review Information technology controls
Internal audit reports:
Internal auditors typically issue reports at the end of each audit that summarize their findings, recommendations, and any responses or action
plans from management. An audit report may have an executive summary'a body that includes the specific issues or findings identified and related
recommendations or action plans, and appendix information such as detailed graphs and charts or process information. Each audit finding within the
body of the report may contain five elements, sometimes called the "5 C's":
1. Condition: What is the particular problem identified?
2. Criteria: What is the standard that was not met? The standard may be a company policy or other benchmark.
3. Cause: Why did the problem occur?
4. Consequence: What is the risk/negative outcome (or opportunity foregone) because of the finding?
5. Corrective action: What should management do about the finding? What have they agreed to do and by when?
The recommendations in an internal audit report are designed to help the organization achieve effective and efficient governance, risk and control processes associated with operations objectives, financial and management reporting objectives; and legal/regulatory compliance objectives.
A risk management strategy provides a structured and coherent approach to identifying, assessing and managing risk or uncertainties followed up by minimizing, monitoring and controlling the impact of risk realities or enhancing the opportunity potential by applying coordinated and economical resources.
Audit findings and recommendations may also relate to particular assertions about transactions, such as whether the transactions audited were valid or authorized, completely processed, accurately valued, processed in the correct time period, and properly disclosed in financial or operational reporting, among other elements.
Adan Corporate's Value Proposition
Our experts partner with clients on internal audit, providing perspective not only on immediate value and impact, but on long-term
implications. We work closely with management and other advisers to leverage and complement their knowledge and ensure maximum impact,
and actively support implementation and skill building.
We have provided full range of Internal Audit services to our clients including fully outsourced, co-sourced, and loaned staff internal audit functions for multiple companies in various industries. Although each project is unique, we typically report to our client's Audit Committee or to the Head of Internal Audit, and as part of our service offerings, we have performed various internal audit activities such as enterprise risk assessments, fraud risk assessments, operational, tactical, regulatory, forensic, business transformation, strategic internal audits, and many other value-added activities.
Under a co-sourcing arrangement, we will work directly with your internal audit department under our tried and true method of full team integration; one team, one goal. We can provide specialized skills and also augment short-term staffing shortages on ad-hoc reviews and projects.
We can assist your organization in developing an internal audit approach focused on high-risk areas rather than the traditional compliance approach. Oftentimes, an organization retains a high-level resource such as a lead internal auditor who is responsible for the organization's internal audit process and communications with the Audit Committee. We assist by conducting all the agreed-upon internal audit reviews throughout the year.