The Internal Audit: Quality Assurance for Business Processes

Internal op­er­a­tions in larger companies that are for the most part active in­ter­na­tion­ally are often very complex. Lots of processes for various de­part­ments, and possibly different locations, must be brought together in order to achieve the desired goal. The fact is that this can also result in problems – for instance, through mis­un­der­stand­ings or con­flict­ing goals. Processes are not as efficient as they should be in most cases. They can also be risky – not least by un­know­ingly violating legal reg­u­la­tions. This is where the internal audit comes in. It serves the purpose of both un­cov­er­ing in­ef­fi­cient processes and risks, and of making re­com­mend­a­tions for solutions.

An internal audit is part of a system for analysing and op­tim­iz­ing processes that are executed within an or­gan­iz­a­tion. Within the company it is usually overseen directly by man­age­ment and audits internal pro­ced­ures, provides their results, and, if needed, makes re­com­mend­a­tions. This serves the purpose of helping the or­gan­iz­a­tion in question work as ef­fi­ciently and low risk as possible. The internal audit is also a mon­it­or­ing tool for man­age­ment within the tiers of gov­ernance, risk man­age­ment and com­pli­ance.

The internal audit is – as the name states – an internal matter for the or­gan­iz­a­tion in question. It is carried out by members of this or­gan­iz­a­tion. This dis­tin­guishes it from the external audit, which involves in­spect­ors who aren’t employed by the company. The internal in­spect­ors are process in­de­pend­ent. Their work is detached from day-to-day op­er­a­tions, so they are not actively involved in the processes they are in­vest­ig­at­ing. The body (i.e. the relevant in­di­vidu­als and/or divisions) that carries out the audit is referred to as the internal audit de­part­ment. Ideally, the internal auditor is only entrusted with this task. However, in smaller companies es­pe­cially, internal auditing is often un­der­taken with the help of employees in ac­count­ing or con­trolling.

Es­tab­lish­ing an internal audit is in the well-un­der­stood interest of the or­gan­iz­a­tion. The un­der­ly­ing concept does however have a standard, such the iia’s guidelines, which outlines the ideal manner of internal audit practice.

The tasks assigned to internal auditing sometimes makes it difficult to dif­fer­en­ti­ate it from con­trolling. The latter is un­der­stood as a tool for corporate planning and man­age­ment, though in practice the borders are often fluid. The dif­fer­ence lies in the fact that con­trolling refers to on-going or planned pro­ced­ures, while the internal audit in principle examines past, concluded processes. It contrasts how the actual execution differs from the original planning (target-actual com­par­is­on) and attempts to map out potential existing flaws and their causes. Based on this ex­am­in­a­tion, re­com­mend­a­tions for action and more efficient measures for future processes can then be derived.

Spe­cific­ally, an internal audit is made up of the following tasks:

• Man­age­ment Audit: Auditing the per­form­ance of man­age­ment personnel (executive level being the exception) – with attention given to the specified company ob­ject­ives and ef­fi­ciency and con­veni­ence
• Op­er­a­tion­al Audit: Audit of a company or or­gan­iz­a­tion’s activ­it­ies in all areas and de­part­ments; most notably this involves examining the ef­fi­ciency of com­mu­nic­a­tion, hierarchy and co­oper­a­tion.
• Financial Audit: Audit of all ac­count­ing pro­ced­ures – book­keep­ing es­pe­cially – with respect to the organized im­ple­ment­a­tion of reg­u­la­tions defined in com­mer­cial and tax law
• Credit Audit: Sys­tem­at­ic as­sess­ment of risks that relate to in­di­vidu­al credit borrowers – in­de­pend­ent of their credit approval in normal business practice
• Com­pli­ance Audit: Iden­ti­fic­a­tion of the en­vir­on­ment­al and security re­quire­ments for the or­gan­iz­a­tion as well as auditing com­pli­ance with these.
• Audit of the Internal Control System: Auditing the technical and or­gan­iz­a­tion­al control measures to ensure that business processes are operated in ac­cord­ance with business reg­u­la­tions, and to ensure that damage through neg­li­gence or ma­nip­u­la­tion is prevented
• Pre­ven­tion: In­vest­ig­at­ing when there is suspicion of criminal activity in order to expose illegal activity (e.g. cor­rup­tion pre­ven­tion)

Auditing can in­vest­ig­ate the above-mentioned areas both in in­di­vidu­al audits (that is to say, cross-de­part­ment auditing of specific issues) and during a general system audit (the in­spec­tion of all projects aspects including relevant back­grounds and legal reg­u­la­tions). In doing so, you can choose from the following criteria:

• Com­pli­ance: Auditing whether processes are executed in a way that is both compliant and con­sist­ent with reg­u­la­tions
• Security: Audit of security-related para­met­ers
• Economic Ef­fi­ciency: Audit of cost-ef­fi­ciency and prof­it­ab­il­ity

Internal auditing should orient itself around these three prin­ciples in the course of its activity:

• Economic Ef­fi­ciency: Frequency and scope of an audit must cor­res­pond to the expected benefit (e.g. in the form of potential savings, loss aversion, or risk mit­ig­a­tion).
• Ma­ter­i­al­ity/Urgency: Pri­or­it­iz­a­tion of audit tasks which are of great interest to future decisions by man­age­ment
• Diligence: Thorough im­ple­ment­ing auditing steps and an objective as­sess­ment of results that takes company ob­ject­ives into account

As well as the standards mentioned above, there are also in­ter­na­tion­al standards that the IIA set out. These are part of the In­ter­na­tion­al Pro­fes­sion­al Practices Framework, and are worth looking into.

Please note the legal dis­claim­er relating to this article.