Effective internal audits
- What is the focus of an internal audit?
- What happens during an internal audit?
- Who should do an internal audit?
- How often should internal audits be done?
- Who should the internal auditor report to?
The primary focus of an internal audit is to test the adequacy and effectiveness of the internal control systems in mitigating risks facing the organisation. The internal audit cycle is a way to ensure that the internal control systems are continuously improving.
- Their work usually begins with consideration of the risks and they may review your risk register if you have one, as well as your finance manual as a starting point.
- They should follow up any recommendations from previous audits, to check that actions have been taken.
- They will normally then check a sample of transactions or processes to confirm that the proper procedures have been followed. They may conduct interviews with various staff, Board, Management, or beneficiaries. They may carry out site visits. They may use an internal audit checklist.
If they identify any problems, these ‘findings’ are usually classified according to how serious they are. This may be a simple ‘red orange yellow’ flag system, or a more formal split between ‘major non-conformity, minor non-conformity, and observation’.
- When the internal auditor makes a ‘finding’, there is a need for action. There are two types of action that can be taken:
- Corrective action: This makes whatever was wrong, right. For example, if a payment has been wrongly entered or coded, it can be corrected. If a cash advance is overdue from a certain employee, it can be recovered. If bank reconciliations are out of date, they can be carried out.
- Preventative action: This aims to ensure that the same error won’t happen again in the future. For example, making sure that the person who does the coding understands the coding system. Making sure that outstanding advances are regularly reported and reviewed. Setting up a month end checklist for the accountant so that their manager can see when any given month end reconciliation is behind schedule.
Finally, the internal auditor discusses their findings and recommendations, and prepares a written report. At the next audit, those recommendations are followed up and the cycle continues.
The internal auditor needs to be independent from the internal control system, be sufficiently skilled to identify problems, and have enough confidence and integrity to report them.
Usually, only larger organisations (say 50+ people) can staff an internal audit team that can be kept busy and maintain a suitable level of independence from the day-to-day activities and staff in the organisation.
For smaller organisations it can be more useful and cost-effective to hire the services of a professional firm to carry out the internal audits. Sometimes your external auditors may be able to offer this service if they also offer consultancy, risk assurance or advisory services. But be careful in case their independence is compromised.
Sometimes it is appropriate to complement the technical skill of the auditor with some ‘on-the-ground’ knowledge of how things really work. In this case the auditors could be accompanied by a member of the audit committee on the Board, or even beneficiaries.
In some countries, especially in local government, an ‘internal auditor’ has to approve each and every payment before it can be processed. Such a person is actually just acting as another layer of authorisation. To be independent, the internal auditor should not have any executive authority. They should be outside the system looking in, not part of the system itself.
One of the great advantages of internal audits is that they can be more frequent than the annual external audit, enabling problems to be identified and corrected on a timely basis. More risky aspects of your operations (such as construction work) may need to be audited more frequently than others.
As a rule of thumb, every three months is a good time scale for internal audits, as it gives enough time to implement recommendations, at the same time providing timely feedback.
There are various groups of people who ought to have access to the internal auditor’s findings:
- NGO management
It is management who need to help identify appropriate corrective and preventative actions and ensure that they are carried out.
- The governing body
It is important that the internal auditor has direct access to the Board, even if they are an employee of the organisation. This is important in case management are themselves overriding internal control procedures.
- The audit committee
In some organisational structures, the audit committee is a sub-committee of the Governing Body, responsible for making sure that audit findings are acted upon. In cases where the Governing Body and Management are the same people (which is not good practice, but does happen sometimes!) the audit committee may be separately elected to oversee the Governing Body.
- The beneficiaries / members
It may be appropriate for the internal auditor to share relevant findings with beneficiaries (for example at a meeting). They have a right to know and may be best placed to make sure that problems are not repeated.
- Donors
Donors may request to see internal audit reports. This should not be anything to fear. Even if significant findings come to light, if they are swiftly acted upon, this reflects very well on the organisation.
- External auditors
The external auditors may wish to see internal audit reports and to rely on their findings when assessing your internal control processes. If your internal audits have been effective, then there should be no surprises for your external audit.
Internal audit checklist – useful starting point for carrying out an internal audit review