An internal audit helps ensure regulatory compliance, and can expose business risks.
Internal audits aren't just for large financial institutions or public companies. Any business can implement an audit to evaluate the risks it faces and assure that the proper controls are in place to reduce that risk to acceptable levels. In fact, a recent survey by the Institute of Internal Auditors (IIA) found that today's internal audit efforts are increasingly focused on operating risks--those posed by processes, people, systems and external events. Examples include fraud, equipment failure, natural disasters, market upheavals and failure to enforce critical controls. Here are some issues to review when considering an internal audit:
Start with the risks. Even if you haven't done so systematically, you've probably considered at least some of the risks your business faces and how you mitigate or respond to them--for example, purchasing insurance in case of property loss. With your team, list all the risks and score them by their two primary characteristics: likelihood and impact. Keep it simple, with a scale of low, medium or high for each. Any risk with a high impact on your business and a high likelihood of occurrence should be examined immediately.
Determine your management strategy. There are four broad ways you can respond to a risk: You can avoid them (though doing so may mean missing out on opportunities), transfer them (for instance, by buying insurance), plan contingencies for their occurrence (such as an emergency business-continuity plan) or treat them by introducing processes that reduce their consequence and likelihood. An example of the latter might be requiring department heads to sign off on expenditures over a certain dollar amount to prevent fraud and abuse.
Make sure everything works. Once you've established certain processes--financial procedures, safety rules, authorizations--to mitigate risk, ask yourself if they're being followed. An independent, objective third party is well positioned to evaluate processes for their real-world effectiveness. In larger companies, this might be a full-time internal auditor, an entire team or it might be an outside consultant. For those with limited resources, it could simply be a supervisor or anyone who is not a direct stakeholder in the processes being examined.
Keep in mind that the goal of internal auditing is not to sleuth for wrongdoing (though it might well uncover it) or punish employees who fail to follow procedures. Rather, it is to work with a department or team in making sure that the processes in place are actually effective, and finding ways to mitigate risks they may have overlooked. Audits can often uncover waste, whether effort or money, and find ways to streamline operations and prioritize resources that advance the company's overall objectives.
The article you read was prepared for general information purposes by McMurry. These articles are for general information purposes only and are not intended to provide legal, tax, accounting or financial advice. PNC urges its customers to do independent research and to consult with financial and legal professionals before making any financial decisions.These articles may provide reference to Internet sites as a convenience to our readers. While PNC endeavors to provide resources that are reputable and safe, we cannot be held responsible for the information, products, or services obtained on such sites and will not be liable for any damages arising from your access to such sites. The content, accuracy, opinions expressed, and links provided by these resources are not investigated, verified, monitored or endorsed by PNC.