The Internal Audit: Quality Assurance for Business Processes

Internal op­er­a­tions in larger companies that are for the most part active in­ter­na­tion­al­ly are often very complex. Lots of processes for various de­part­ments, and possibly different locations, must be brought together in order to achieve the desired goal. The fact is that this can also result in problems – for instance, through mis­un­der­stand­ings or con­flict­ing goals. Processes are not as efficient as they should be in most cases. They can also be risky – not least by un­know­ing­ly violating legal reg­u­la­tions. This is where the internal audit comes in. It serves the purpose of both un­cov­er­ing in­ef­fi­cient processes and risks, and of making rec­om­men­da­tions for solutions.

An internal audit is part of a system for analyzing and op­ti­miz­ing processes that are executed within an or­ga­ni­za­tion. Within the company it is usually overseen directly by man­age­ment and audits internal pro­ce­dures, provides their results, and, if needed, makes rec­om­men­da­tions. This serves the purpose of helping the or­ga­ni­za­tion in question work as ef­fi­cient­ly and low risk as possible. The internal audit is also a mon­i­tor­ing tool for man­age­ment within the tiers of gov­er­nance, risk man­age­ment and com­pli­ance.

The internal audit is – as the name states – an internal matter for the or­ga­ni­za­tion in question. It is carried out by members of this or­ga­ni­za­tion. This dis­tin­guish­es it from the external audit, which involves in­spec­tors who aren’t employed by the company. The internal in­spec­tors are process in­de­pen­dent. Their work is detached from day-to-day op­er­a­tions, so they are not actively involved in the processes they are in­ves­ti­gat­ing. The body (i.e. the relevant in­di­vid­u­als and/or divisions) that carries out the audit is referred to as the internal audit de­part­ment. Ideally, the internal auditor is only entrusted with this task. However, in smaller companies es­pe­cial­ly, internal auditing is often un­der­tak­en with the help of employees in ac­count­ing or con­trol­ling.

Es­tab­lish­ing an internal audit is in the well-un­der­stood interest of the or­ga­ni­za­tion. The un­der­ly­ing concept does however have a legal basis, such the Sarbane-Oxley Act of 2002, which states that a company’s board of directors must adopt oversight measures.

The tasks assigned to internal auditing sometimes makes it difficult to dif­fer­en­ti­ate it from con­trol­ling. The latter is un­der­stood as a tool for corporate planning and man­age­ment, though in practice the borders are often fluid. The dif­fer­ence lies in the fact that con­trol­ling refers to on-going or planned pro­ce­dures, while the internal audit in principle examines past, concluded processes. It contrasts how the actual execution differs from the original planning (target-actual com­par­i­son) and attempts to map out potential existing flaws and their causes. Based on this ex­am­i­na­tion, rec­om­men­da­tions for action and more efficient measures for future processes can then be derived.

Specif­i­cal­ly, an internal audit is made up of the following tasks:

• Man­age­ment Audit: Auditing the per­for­mance of man­age­ment personnel (executive level being the exception) – with attention given to the specified company ob­jec­tives and ef­fi­cien­cy and con­ve­nience.
• Op­er­a­tional Audit: Audit of a company or or­ga­ni­za­tion’s ac­tiv­i­ties in all areas and de­part­ments; most notably this involves examining the ef­fi­cien­cy of com­mu­ni­ca­tion, hierarchy and co­op­er­a­tion.
• Financial Audit: Audit of all ac­count­ing pro­ce­dures – book­keep­ing es­pe­cial­ly – with respect to the organized im­ple­men­ta­tion of reg­u­la­tions defined in com­mer­cial and tax law
• Credit Audit: Sys­tem­at­ic as­sess­ment of risks that relate to in­di­vid­ual credit borrowers – in­de­pen­dent of their credit approval in normal business practice
• Com­pli­ance Audit: Iden­ti­fi­ca­tion of the en­vi­ron­men­tal and security re­quire­ments for the or­ga­ni­za­tion as well as auditing com­pli­ance with these.
• Audit of the Internal Control System: Auditing the technical and or­ga­ni­za­tion­al control measures to ensure that business processes are operated in ac­cor­dance with business reg­u­la­tions, and to ensure that damage through neg­li­gence or ma­nip­u­la­tion is prevented
• Pre­ven­tion: In­ves­ti­gat­ing when there is suspicion of criminal activity in order to expose illegal activity (e.g. cor­rup­tion pre­ven­tion)

Auditing can in­ves­ti­gate the above-mentioned areas both in in­di­vid­ual audits (that is to say, cross-de­part­ment auditing of specific issues) and during a general system audit (the in­spec­tion of all projects aspects including relevant back­grounds and legal reg­u­la­tions). In doing so, you can choose from the following criteria:

• Com­pli­ance: Auditing whether processes are executed in a way that is both compliant and con­sis­tent with reg­u­la­tions
• Security: Audit of security-related pa­ra­me­ters
• Economic Ef­fi­cien­cy: Audit of cost-ef­fi­cien­cy and prof­itabil­i­ty

Internal auditing should orient itself around these three prin­ci­ples in the course of its activity:

• Economic Ef­fi­cien­cy: Frequency and scope of an audit must cor­re­spond to the expected benefit (e.g. in the form of potential savings, loss aversion, or risk mit­i­ga­tion).
• Ma­te­ri­al­i­ty/Urgency: Pri­or­i­ti­za­tion of audit tasks which are of great interest to future decisions by man­age­ment
• Diligence: Thorough im­ple­ment­ing auditing steps and an objective as­sess­ment of results that takes company ob­jec­tives into account

The Institute of Internal Auditors (IIA), based in Lake Mary, Florida, publishes detailed in­ter­na­tion­al standards for the pro­fes­sion­al practice of internal auditing that are updated regularly.

Click here for important legal dis­claimers.