An internal audit can yield all of those benefits. While external audits focus exclusively on risks related to financial reporting, an internal audit identifies and assesses risks throughout the organization. Using enterprise risk-management methodology, management can then decide how to mitigate any unacceptable risks.
When conducted annually, the risk-assessment process resets the risk profile and establishes the internal audit plan for the year. Each internal audit builds upon previous findings, providing the organization with a continual means for monitoring risks associated with asset protection, loss prevention, and compliance efforts.
Each organization is unique, and the internal audit must encompass processes crucial to the company’s business strategies and overall success. In a metal-plating company, for example, the internal audit would evaluate risks associated with correctly storing, handling, treating and disposing of various chemicals used in metal plating processes.
The audit objectives would address whether or not actual practices conform to established policies. That evaluation would also address whether those policies comply with workplace safety, environmental protection and other applicable regulatory standards.
All areas of the organization must be accessible for internal audit, with the appropriate risk influences rated on their potential impact and their likelihood of occurrence. The risk rating then allows the organization to determine which areas should be audited for the period. In addition to addressing other concerns, internal audit objectives are designed to reveal anomalies relative to what would be regarded as normal financial transactions and business relationships, as well as patterns that indicate ongoing fraudulent activity.
A significant increase in orders given to one supplier could indicate the presence of vendor kickbacks. A vendor with the same street address or Post Office box number as an employee typically indicates that the individual has established a ghost company to which company funds are channeled. An unusually high amount of overtime claimed, or a large number of requests for expense reimbursements, also serves as an indicator of potential fraud.
Uncovering further details in such cases may require the services of an independent attorney or forensic accountant. Thorough investigation and related litigation may take years. Pursuing criminal charges requires law enforcement involvement. Damage to internal morale and external credibility accompanies disclosures of fraudulent activity.
Such costs are acute but necessary expenses that a company must bear in order to resolve a case of suspected fraud. Fortunately, internal audits also illuminate vulnerabilities for fraud, giving the organization an opportunity to take less costly, preventative action.
Most fraud cases involve one individual acting alone, one person given too many duties and too little oversight. Some individuals are motivated to commit fraud by perceived pressure, while others are driven by perceived opportunity. Some employees find ways to rationalize fraud. Whatever the underlying motivation may be, an internal audit can identify situations in which someone is handling conflicting or incompatible duties. Segregating such duties institutes a system of checks and balances.
Segregating all conflicting duties requires sufficient staffing levels, with corresponding access restrictions defined for various information technology (IT) functions. If an organization cannot afford the required additional personnel, it should implement regular reviews, use exception reports or establish some other means of oversight.
Taking such a proactive approach helps nurture a corporate culture that values accountability, ethical behavior and awareness of potential risks. Those characteristics enhance confidence and trust in the company among customers, investors, vendors and other stakeholders. With those residual benefits, the internal audit function’s value extends beyond the initial findings it provides to management and the board of directors.
Alyssa G. Martin, CPA, MBA, email@example.com, is partner in charge of the Risk Advisory Services Group at Weaver and Tidwell LLP, in Fort Worth, Texas.