Internal audits and compliance: two sides of the same coin
When you’re in business, doing an internal audit evokes feelings you haven’t had since high school or college. Getting a report card that spells out how well the company is doing in every area can be a little nerve-wracking. But, like those grade sheets of the past, internal audits are essential. And necessary.
If you don’t take a hard, data-based look at yourself, you never spot the opportunity for improvement. You don’t learn where to shore up your compliance efforts until, possibly, it’s too late. You need to see where you can operate more efficiently or cost-effectively, and, most of all, you need to commit to making the changes the audit surfaces.
What is an internal audit, anyway?
An internal audit is a chance to look inward at the processes and programs in a company to see how you're doing. The answers aren’t always obvious, especially if your policies have been in place for a long time, and your philosophy is “if it isn’t broken, don’t fix it.”
Sometimes companies find themselves in a rut, doing things the way they always have. Without an audit, they never get to see how to improve their operations. Internal audits should be performed by impartial outside parties in concert with designated employees. Professional auditors don’t have skin in the game, and they don’t need to worry about getting on the wrong side of a manager. With those locks out of the way, a company can get to the truth.
Why conduct an internal audit?
Think of an audit the way you’d think of running a diagnostics program on your PC. You don’t know for sure if something is wrong, but if something is lurking unbeknownst to you, you want to know about it so you can fix it before it becomes a problem. For an internal audit to be effective, you need a baseline. Everyone involved should know why you’re conducting an audit and what you hope to get out of it. Communication is vital.
Everyone should be able to answer these questions about the audit:
- Why is a particular project, department, or process being audited?
- How does the audit help the company achieve its goals?
- What compliance risks will the audit look for?
- Is there a previous audit that we can compare this new one to?
- If there has been a previous audit, what policy changes have been made since the last internal audit?
Once you have leveraged internal and external resources to identify relevant risks, you will want to build an audit program that tests for these risks.
How compliance and audits work separately—and together
Before we dive into the mechanics of an internal audit, let’s take a moment to clarify the role of compliance in an internal review. It can be a bit confusing—isn’t it the compliance team’s job to make sure that all the processes and procedures are working under the law? And if so, why is an internal audit a separate thing?
Think of it this way: The compliance team oversees the day-to-day issues that keep the company in compliance with all regulatory mandates. They look to the future to plan for changes that they’ll need to implement as new laws take effect.
The internal audit team is temporary. This team takes a snapshot of a point in time and analyzes it to see what’s working and what needs improvement. While part of the audit will probably include compliance, the audit goes beyond governmental regulations and looks into the inner workings of the company’s own rules.
Compliance is undoubtedly a stakeholder in the audit process, and they also may serve as part of the audit team, but the two functions are fundamentally different. It’s a system of checks and balances assuring every policy in the company is followed, whether from a legal or a corporate point of view.
How to prepare for an internal audit
We can’t say this often enough: effective and frequent communication at every step of the way is crucial to the success of an internal audit. First, the audit team should meet with everyone in the company—perhaps at an all-hands meeting or webinar. Make sure everybody is clear about the objectives of the audit and understands what the process will look like.
Along with communication comes transparency. Provide an opportunity for anyone to ask questions and get satisfactory answers. Then it’s time to meet with the key stakeholders. Together, the teams will iron out the process.
Additionally, The auditors should interview employees. Asking them to explain how they work and what steps they take to do their jobs gives auditors a realistic picture of what’s going on in the company, and also provides them with a comparison between the written policies and the actual work process. These interviews serve another purpose: they help auditors discover how well employees know the procedures and where they may need more training.
The company can help the auditors to gain the trust of the stakeholders by helping them to be prepared and informed about the company in advance. “Auditors who approach audits in a more clinical way may underestimate the benefit of investing in building a foundation of mutual trust with an auditee,” writes auditing software company Auditboard.
"Often, if the person you are auditing trusts you they will be more forthright and more open to a collaborative engagement towards the common goal of bettering processes and controls.”
Going inside the audit
What goes into an internal audit? The audit program should follow a standard template that the auditors adhere to, so there are no formatting surprises. What’s covered includes descriptions of each process, potential risks to the process, and controls in place to mitigate it.
The audit report will go into detail about each control, including:
- Is the control preventing a risk event, or merely detecting it?
- How often is that control put into place
- Does the control help to eliminate the opportunity for fraud?
- How is the control performed? Is it automated, run manually, or both?
- How serious is the risk in question?
The auditor will delve into testing procedures for each control, asking probing questions of employees, observing the control as it runs, and inspecting documentation about the results of each control. Ultimately, the auditor may work independently to reproduce the same control to validate each outcome.
What to do with the data gathered by the internal audit
Auditors will document their findings in a report, which should be written in a clear and easy to read style. Senior management has the first chance to read the report. If any results flag a need for improvement, management should develop an improvement plan. When the management presents the findings to employees, the report can be delivered with a solution plan already in place.
Your audit is complete... now what?
Let’s return to the report card metaphor. As you learned back then, getting a different grade than you anticipated wasn’t the end of the world. It probably helped you in the long run because you could identify where you needed to improve, and you probably took some actions to make sure you did.
In the case of an internal audit, making changes, particularly in the realm of non-compliance, is not optional.
If the audit has identified an issue, you must address it. Knowing about a problem and not fixing it, from a legal and moral standpoint, is much worse than the problem itself. Penalties for non-compliance can cripple the company and affect the lives of innocent employees. So, either way, an internal audit is a valuable tool. It helps a company to stay on the right side of the law, get an assessment of the efficacy of policies in place, and make changes to make sure your next audit is straight A’s.
What does compliance mean for your company, and what can you do to ensure you’re meeting the requirements? Download the ebook: Envoy’s Essential Guide to Workplace Compliance now.