An internal audit is the examination, monitoring and analysis of activities related to a company’s operations, including its business structure, employee behavior and information systems. Internal audit regulations, such as the Sarbanes-Oxley Act of 2002, have increased corporate requirements for performing internal audits. Audits are important components of a company’s risk management as they help to identify issues before they become substantial problems, such as attempts to steal intellectual property.
A daily, weekly, monthly or annual internal audit assesses the effectiveness of a company’s internal control system and helps uncover evidence of fraud, waste or abuse. Some departments may be audited more frequently than others. For example, a manufacturing process may need daily audits for quality control purposes, while the human resources department may need an annual audit of records and processes.
Scheduling audits on a calendar helps ensure they are performed consistently. Departments should be given notice so they can have the required documentation and materials available for the auditor. A surprise audit may be conducted if suspicion of unethical or illegal activity exists.
Internal Audit Procedure
An internal audit begins by an auditor assessing current processes and procedures. The auditor then analyzes and compares the results to internal control objectives. He determines whether the results comply with internal policies and procedures as well as state and federal laws. Finally, the auditor compiles and presents an audit report to the business owner.
Assessment techniques ensure an internal auditor completely understands internal control procedures and determines whether employees comply with internal control directives. An auditor avoids disrupting the daily workflow by beginning with indirect assessment techniques. For example, he may review flowcharts, manuals, departmental control policies or other existing documentation, or he may trace specific audit trails from start to finish. He may conduct one-on-one interviews and process observations with staff if document reviews or audit trails do not fully answer all of his questions.
Substantive procedures such as transaction matching, physical inventory count, audit trail calculations and calculating already-reconciled financial statements help determine whether work products contain data entry errors or whether financial statements contain misstatements. Analysis techniques may test random data or target specific data if an auditor believes an internal control process needs work.
Internal audit reporting always includes a formal report and may include a preliminary or memo-style interim report. An interim report typically includes sensitive or significant results the auditor feels are pertinent for immediate sharing with the business owner. The final report is more formal than the interim report. The final report includes a summary of the procedures and techniques used for completing the audit, a description of audit findings and suggestions for improvements of internal controls and control procedures.