May 19, 2014 – With recent developments such as the Health Care Reform Act, the Updated COSO Internal Control Framework and the release of the Non-Profit Revitalization Act there are plenty of reasons to ‘need’ internal audit. The amount of resources allocated to an internal audit function varies greatly depending on the size of a firm, but every organization has some internal audit function be it formal, or informal. Simply operating in a business environment comes with certain degrees of risk, and internal audit serves an important role in ensuring that unexpected risks to the company are, at the very least, understood and communicated.
Staying abreast of these regulatory changes has kept us all very busy, but how can we really be sure that all the necessary changes have been made, and have achieved their objective? Enter internal audit. The primary difference between the external audit function and the internal audit function is their focus. Internal audit focuses on all risks facing a business, as opposed to external audit, which is primarily focused on external financial statement reporting risks. Internal audit provides the knowledge and expertise necessary to evaluate risks associated with:
Controls and Control Deficiencies
- Once risks have been identified and assessed it is important that appropriate measures are implemented to ensure that the identified risks are mitigated to an acceptable level that aligns with the risk appetite of the organization. If controls have been put into place but are not effective in achieving their objective, management and board members could be lulled into a false sense of security.
- Internal Compliance – Organizations that have established policies and procedures to gain assurance that business risks have been appropriately identified and mitigated can employ an internal audit function to help ensure that these controls are operating effectively, and identify areas where significant risk remains unchecked.
- External Compliance – Ensuring that an organization is in compliance with regulations or laws can be a significant function of internal audit. Taking preventative action is typically far less costly than penalties for violations, not to mention that deficiencies have to be corrected after these penalties have been assessed which can often be more costly.
Assessment of Operational and Financial Data
- What value does internal reporting provide if the reliability of the reporting is questionable, especially in instances where this information is relied on to make strategic business decisions that can have lasting impacts? Internal audit can help to ensure that the process used to generate this information is operating effectively, and provide recommendations for continued improvement in operations.
Reducing the Opportunity for Fraud, Waste, and Abuse
- An important goal of an internal audit function is to focus on identifying areas of exposure, whereas other business functions are working to achieve strategic objectives and, accordingly, are more focused on the day-to-day operations of the organization. Internal audit can offer a different perspective that identifies waste and abuse of company resources, the legitimacy of liabilities, the appropriate acquisition of assets, and detection and prevention of fraud.
Should You Still Be Living Without It?
There are too many well-known examples of situations where significant business risks went unchecked causing significant embarrassment and even reputational damage to a company when those risks came home to roost. While we certainly wouldn’t claim that an effective internal audit function will guarantee that such situations will never occur in your business, we do believe that some form of internal audit function – whether it be formal or informal, in-house or outsourced – can be an effective insurance policy. The question really should be: internal audit, can we really live without it?
About the Author
Dopkins Not-for-Profit Team
Dopkins has extensive experience with the accounting, reporting, regulatory, operational and tax aspects of not-for-profit organizations. For more information, contact Karen Costa at firstname.lastname@example.org or Nicholas Fiume at email@example.com.