If you want to minimize the risks associated with organizational errors, damaging actions by senior employees or even just economic crime in your company, you do not want to leave anything to chance. An ICS - short for Internal Control System - establishes guidelines that enable the monitoring of operational processes. What does an ICS look like?
Internal operations in larger companies that are for the most part active internationally are often very complex. Lots of processes for various departments, and possibly different locations, must be brought together in order to achieve the desired goal. The fact is that this can also result in problems – for instance, through misunderstandings or conflicting goals. Processes are not as efficient as they should be in most cases. They can also be risky – not least by unknowingly violating legal regulations. This is where the internal audit comes in. It serves the purpose of both uncovering inefficient processes and risks, and of making recommendations for solutions.
What is an Internal Audit?
An internal audit is part of a system for analyzing and optimizing processes that are executed within an organization. Within the company it is usually overseen directly by management and audits internal procedures, provides their results, and, if needed, makes recommendations. This serves the purpose of helping the organization in question work as efficiently and low risk as possible. The internal audit is also a monitoring tool for management within the tiers of governance, risk management and compliance.
The internal audit is – as the name states – an internal matter for the organization in question. It is carried out by members of this organization. This distinguishes it from the external audit, which involves inspectors who aren’t employed by the company. The internal inspectors are process independent. Their work is detached from day-to-day operations, so they are not actively involved in the processes they are investigating. The body (i.e. the relevant individuals and/or divisions) that carries out the audit is referred to as the internal audit department. Ideally, the internal auditor is only entrusted with this task. However, in smaller companies especially, internal auditing is often undertaken with the help of employees in accounting or controlling.
If employees from accounting or controlling also take on the task of internal auditing, this can be problematic. Among other reasons, in this case there isn’t the required independence from the process, which results in conflicts (for example, if there exists a need for optimization precisely in accounting).
Role within the Company
Establishing an internal audit is in the well-understood interest of the organization. The underlying concept does however have a legal basis, such the Sarbane-Oxley Act of 2002, which states that a company’s board of directors must adopt oversight measures.
Tasks and Procedures Involved in an Internal Audit
The tasks assigned to internal auditing sometimes makes it difficult to differentiate it from controlling. The latter is understood as a tool for corporate planning and management, though in practice the borders are often fluid. The difference lies in the fact that controlling refers to on-going or planned procedures, while the internal audit in principle examines past, concluded processes. It contrasts how the actual execution differs from the original planning (target-actual comparison) and attempts to map out potential existing flaws and their causes. Based on this examination, recommendations for action and more efficient measures for future processes can then be derived.
Specifically, an internal audit is made up of the following tasks:
- Management Audit: Auditing the performance of management personnel (executive level being the exception) – with attention given to the specified company objectives and efficiency and convenience.
- Operational Audit: Audit of a company or organization’s activities in all areas and departments; most notably this involves examining the efficiency of communication, hierarchy and cooperation.
- Financial Audit: Audit of all accounting procedures – bookkeeping especially – with respect to the organized implementation of regulations defined in commercial and tax law
- Credit Audit: Systematic assessment of risks that relate to individual credit borrowers – independent of their credit approval in normal business practice
- Compliance Audit: Identification of the environmental and security requirements for the organization as well as auditing compliance with these.
- Audit of the Internal Control System: Auditing the technical and organizational control measures to ensure that business processes are operated in accordance with business regulations, and to ensure that damage through negligence or manipulation is prevented
- Prevention: Investigating when there is suspicion of criminal activity in order to expose illegal activity (e.g. corruption prevention)
Auditing can investigate the above-mentioned areas both in individual audits (that is to say, cross-department auditing of specific issues) and during a general system audit (the inspection of all projects aspects including relevant backgrounds and legal regulations). In doing so, you can choose from the following criteria:
- Compliance: Auditing whether processes are executed in a way that is both compliant and consistent with regulations
- Security: Audit of security-related parameters
- Economic Efficiency: Audit of cost-efficiency and profitability
Internal auditing should orient itself around these three principles in the course of its activity:
- Economic Efficiency: Frequency and scope of an audit must correspond to the expected benefit (e.g. in the form of potential savings, loss aversion, or risk mitigation).
- Materiality/Urgency: Prioritization of audit tasks which are of great interest to future decisions by management
- Diligence: Thorough implementing auditing steps and an objective assessment of results that takes company objectives into account
Standards for Internal Audits
The Institute of Internal Auditors (IIA), based in Lake Mary, Florida, publishes detailed international standards for the professional practice of internal auditing that are updated regularly.