The word “audit” covers a lot of ground. Upon hearing it, most people immediately think of an IRS review of tax returns, a Single Audit under Uniform Guidance or another of the various legally mandated audit types. Those are big deals, to be sure, but it is the often-overlooked and purely voluntary internal audit that frequently brings the most value to an organization. An internal review of processes and procedures can identify significant issues and provide insight that helps organizations of every size mitigate risks, strengthen internal controls and improve operations.
An internal audit is appropriate for every aspect of the business: human resources, IT security, accounting, inventory management, order fulfillment, manufacturing and much more. Depending on your organization’s focus and resources, you may want to select certain areas to audit or choose to perform a comprehensive review. In either case, begin by clearly delineating the areas under analysis.
Once you’ve decided on the scope of your audit, carefully review all relevant business documents. This could include policy manuals, procedural manuals, organizational charts, orientation and training materials, job descriptions and similar items. Think about whether the current policies as described in existing materials are adequate for the company’s current size and goals. Do they still help it function smoothly and meet customer needs?
Next, it’s time to review the processes that are actually taking place and compare your findings to the theoretical processes outlined in the procedural manuals. You should make inquiries as well as observations to get an accurate picture of what’s happening. As you proceed, keep these questions in mind:
- Are there any gaps in the manuals that need to be addressed?
- Are staff following the processes as defined?
- Can you (or staff that work in these areas) identify ways to add efficiency or improve processes?
If there is any discrepancy between policy and action, you need to determine exactly when, how and why this deviation occurs. In some cases staff may be following a more effective or efficient path than the one described in the manual. Changing the policy might add value to the business. Other times, it’s the behavior that needs to be corrected rather than the policy. Consider testing different methods to determine whether there is justification for policy changes.
So far we’ve discussed general audit procedures suitable for all business functions, but departments that handle finance and accounting deserve additional scrutiny. Walk through the processes for key controls in these areas: payroll, cash receipts, cash disbursements and other critical points. Review each control area for potential risks like fraud, misuse and misappropriation to identify vulnerabilities. Where and how could these risks occur? Is there sufficient segregation of duties (oversight, review and approval) in all key control areas? How is the organization addressing risks, and what signs would indicate a problem if they are happening?
When your review is complete, take time to compile all the findings and determine next steps. Did you uncover areas or processes that can be improved or made more efficient? What about areas that need additional controls, oversight or review? Which areas hold the most risk, and what strategies can the organization utilize to reduce current risk levels? Are there other areas that need change, either to add value or increase compliance?
Reaping the most benefit from your internal audit requires careful analysis of results as well as strategic action based on the insights you gained. Formulate a plan to implement changes that reflect your findings. What needs to change, and in what order? When will you initiate and enforce the new policies? How will you address resistance to change? Which techniques will allow you to measure the improvement that follows, or to determine whether a particular change leads to the results you expected?
Conducting a thorough internal audit may require
s a significant investment of time and resources, which sometimes leads smaller organizations to postpone or avoid them entirely. However, the value of a properly executed internal audit should render it a priority for businesses of every size. For help with your next internal review and strategies to leverage your findings, please contact the business advisory professionals at HBP.
Written by Rebecca Jex, Audit Manager