Introducing Internal Auditing
The word “audit” has now taken on a new meaning. Before, an audit was only associated with the annual statutory audit conducted by external auditors. However, in today’s dynamic business environment, firms are constantly exposed to certain risks, and an entity’s success is based on its ability to adapt to environmental changes and manage business risks with the ultimate aim of fulfilling the organisational objectives. Creating a successful business has always been challenging, but it is seemingly becoming more complex. Whilst before an entity’s success was based on cost-cutting practices aiming to produce a product or provide a service at the lowest cost possible, today’s business environment is so much more than that. Due to the new risks being faced by entities, it is of utmost importance to have an effective risk management strategy in place, and if this is done properly it can enhance the success of your business.
On a day-to-day basis, entities face various risks such as:
- Operational Risk – It occurs when an entity’s daily activities threaten to decrease its profits.
- Financial Risk – This can threaten an entity’s financial stability.
- IT Risk – This entails any negative business outcome involving the misuse of IT.
- Reputation Risk – This can threaten how an entity is viewed by the public, which might lead to loss of sales.
- Health and Safety Risk – This consists of any hazards that might put a person’s health and safety in a vulnerable or harmful position.
- Legal Risk – This occurs when an entity fails to follow rules and regulations, thereby leading to disputes or possibly having a license revoked.
Moreover, good corporate governance is also a critical success factor for an entity. Corporate governance refers to the systems and processes that direct and control entities. An effective corporate governance framework helps to mitigate risks and provides shareholders in listed and non-listed entities with comfort knowing that the entity is being run efficiently. An effective corporate governance system will result in added shareholder value.
A crucial activity which helps to ensure good corporate governance over the entity’s business activities is an internal audit.
What Is an Internal Audit? Why Is It an Important Business Tool?
At a very high level, an internal audit can be considered a tool which improves the operational performance of all processes within an entity and safeguards the entity against potential internal and external risks. This will provide entities with a broad overview of how they are conducting their business activities whilst allowing them to identify areas for improvement. Setting up an internal audit function is not a legal obligation in Malta in most cases, but rather an optional activity conducted at management’s discretion. On the other hand, public and regulated companies have different obligations. These obligations come from industry-specific regulations, such as Banking Regulations, VFA Act, etc., as well as from listing exchanges, which differ from one country to another.
Nevertheless, having an internal audit is a key value-adding component to every entity. An internal audit consists of the following activities:
- Assessing risks,
- Analysing opportunities,
- Suggesting improvements,
- Promoting ethics and
- Educating management on critical issues by raising concerns and recommending stronger controls.
As stated by the Institute of Internal Auditors, the mission statement of an internal audit is “to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight” by performing assurance and consultancy activities.
The role of an internal audit is to provide independent assurance that an organization’s governance, risk management, and internal control processes are operating effectively. This will ultimately help entities in maintaining operational efficiency and financial reliability. An internal audit is also critical for monitoring and safeguarding an entity’s assets from any potential threats.
Internal audit is a cornerstone of good corporate governance within organisations, and it can play a crucial role in improving management and accountability. The internal audit activity must assess and make appropriate recommendations for improving governance processes.
Ultimately, the internal audit activity will:
- Promote appropriate ethics and values within an entity.
- Ensure effective organizational performance management and accountability.
- Communicate risk and control information across the entity.
- Coordinate activities and communicate information among the board, external auditors and management.
Risk is inherent in the decisions that an organisation takes in managing and running its operations. Risk management is deemed a powerful business tool which, if used properly, will enhance business performance. It is a dynamic process which entails identifying business risks, deciding how the entity should respond to them and assessing the impact they can have on company objectives. Internal auditing assists management and stakeholders by conducting a thorough analysis of the operations of the entity to identify potential risk zones.
While conducting internal auditing, risk management is not limited to financial risks. Financial risks are just one of the many risks examined. Other risks which cannot be quantitatively defined, such as reputation risks, are also taken into consideration. Such risks cannot be easily quantified but are still extremely important. For instance, in the past, Apple has been accused of having suppliers that force their employees into forced labour. While this is not something that is checked while conducting the external audit, it is definitely something which is taken into consideration by the internal auditors.
Internal auditing is crucial in improving the control environment of an entity, irrespective of its size. By objectively monitoring and reviewing entity policies and procedures, an internal audit will allow for a thorough assessment of the effectiveness of the internal controls in place. Insights into an entity’s control culture will also be provided during this process, which will eventually allow for better risk mitigation whilst ensuring compliance with any relevant laws or regulations. This helps entities to avoid unnecessary and costly fines associated with non-compliance. Moreover, by conducting an internal audit, entities ensure that operations are in line with the policies and procedures in place, thereby enhancing operational effectiveness.
Throughout the engagement, the internal auditor will provide an independent assessment of the operations of the entity. Unlike the work of the external auditor, all the reports produced by the internal auditor are private and not disclosed to the public or any other authority.
An internal audit saves organisations substantial amounts of money and protects an entity’s reputation by identifying operational inefficiencies and unnecessary spending whilst prioritising stakeholder needs.
Moreover, the significance of conducting an internal audit has been emphasised through an increase in stakeholder expectations, advancements in technological development, growing complexities within the business environment, an increase in competition and unforeseen business risks fuelled by the Covid-19 pandemic. Therefore, regardless of an entity’s size or structure, having an internal audit will contribute to an organisation’s success.
What Is the Difference Between an External and Internal Audit?
The basis and reasoning of internal audit work are fundamentally different from that of external audit work. The differences between the role of an external and internal audit are illustrated in the table below:

| External Audit | | Internal Audit |
|---|---|---|
| An exercise which enables auditors to express an opinion on the financial statements | OBJECTIVE | Designed to add value and improve an organisation’s operations |
| To the shareholders, members of the company as well as to the public | REPORTING | To the board of directors, and those charged with governance |
| The audit report is publicly available | REPORTS | Reports are strictly private for the directors and those in charge |
| To report on the truth and fairness of the financial statements | SCOPE | Related to the operations of the organisation |
| Independent of the company | RELATIONSHIP | Has a close link with the company |
| At the interim/end of the year | WORK | Continuous throughout the year |

Misconceptions, Advantages and Disadvantages of an Internal Audit
The biggest misconception when it comes to an internal audit is that this is something which is only required by large organisations. Whilst it is true that all large organisations, especially public companies, have the function of internal audit, smaller companies too benefit from this. When it comes to the firms’ sizes, the biggest difference is typically displayed in the budget allocated for the internal audit function. Larger firms tend to employ a team of full-time internal auditors and have an in-house internal audit committee which reports directly to those in charge of management. Smaller firms tend to outsource the internal audit function and have internal auditors visit their premises periodically throughout the year.
To help set a clearer picture, the table below lists the advantages and disadvantages of an internal audit:

| Advantages | Disadvantages |
|---|---|
| More effective management of the entity’s risks and operations | Qualified and experienced internal auditors are hard to come by |
| Ensures optimum use of resources | Unlike the statutory audit, the findings are not published, which may lead to managers possibly disregarding the findings |
| Enhances staff performance | It is also a time-consuming exercise and requires the allocation of significant financial and human resources |
| Provides and maintains better management, supervision and effective internal controls | There is no end in sight and the work is required to be carried over and over again |
| Identifies risks and allows for businesses to be proactive | |
| Could potentially lead to cheaper statutory audit fees | |

Such limitations should not discourage entities from carrying out an internal audit. Quite the contrary. They have been listed as a way to provide insights on what it entails to have an internal audit and to prepare as well as educate managers and those charged with governance. The majority of the limitations presented can be easily resolved by outsourcing the internal audit function to experienced and highly qualified experts. At Borg Galea & Associates, we have extensive experience assisting firms of all sizes. We can assist your firm to outsource the internal audit function, advise the internal audit committee on different strategies to be applied and assess their work or else help you build the internal audit from the ground up. Whatever your size or requirements, we will work around your budgets and will assist you to make the most of such engagement. To learn more about how we can add value to your organisation, do not hesitate to speak with one of our advisors.