A Guide to Completing an Internal Audit for Compliance Management

Learn the best way to complete an internal audit for your compliance management program.

The Basics of Internal Audits

Internal audits are an exercise a company undertakes itself to assess the company’s internal controls. These controls include its governance, compliance, security, and accounting processes. Internal audits provide management and the board’s audit committee with objective assurance about the design and operation of the organization’s governance, risk, and compliance (GRC) program and whether that program functions effectively throughout the enterprise.

Internal audits are useful because they identify problems before those issues are discovered during an external audit, when the problems can be much more expensive to fix. Regular internal audits help your organization to evaluate and improve the effectiveness of risk management, control, and governance processes.
By establishing a disciplined, integrated approach to regulations, policies, risks, controls, and issues, your organization can demonstrate that it has a firm grasp on its regulatory compliance obligations and can provide transparency into overall business risks.

What Is the Purpose of an Internal Audit?

Internal auditing gives insight into an organization’s culture, policies, and processes, while assisting board and management supervision by checking internal controls such as operational effectiveness, risk mitigation mechanisms, and compliance with relevant laws or regulations.

Through a systematic risk assessment, an internal audit program aids management and other stakeholders in identifying and prioritizing risks. In addition, a risk assessment can assist in identifying any gaps in the environment and allow for the implementation of a repair strategy.

Your internal audit program will assist you in tracking and documenting any changes to your environment and mitigating the risks you discover.

Internal audits can also enhance the organization’s control environment by analyzing efficiency and operational effectiveness. For example, are your controls serving their intended purpose? Are they effective in risk reduction?

You can assure compliance with all relevant rules and regulations by conducting internal audits regularly (annually, for example). Audits also provide you peace of mind that you are ready for your next external audit. Internal auditing is an important and valuable activity for your firm since it helps you gain client trust and prevent costly fines connected with non-compliance.

How Do Internal and External Audits Differ?

Internal and external auditors both assist organizations to assure that the company’s financial reporting and other operational processes are consistent with accounting principles, that internal controls are functioning correctly, and that the company complies with applicable laws and regulations. That said, the two audits happen in different ways.

Internal auditors, as the name suggests, operate as employees within a business; external auditors are independent of the organizations they examine. Internal audit is a voluntary role within a company, while external audits are often required.
For example, annual audits of publicly traded companies are mandated by law. In addition, lenders and other stakeholders may request audited financial accounts as a condition of continuing financial assistance.

Top Considerations When Conducting an Internal Audit

An internal audit might be warranted under several circumstances. For example, your business might need to devise a solution to a known problem area; or verify that a critical business process is working as it should. In addition, you should understand how and why an activity happens or operates.

The benefits of an internal audit are many. First, you can define the scope of the audit yourself rather than have an outside party dictate the scope for you. Internal audit reports also go directly to management rather than to regulators or outside parties. An internal audit functions as an early warning system: it recommends steps to improve the efficiency or effectiveness of procedures before an external audit is conducted.

Most large organizations conduct internal audits regularly. Many private or small businesses also establish internal audits as a core organizational governance capability, although they aren’t required to do so.

Any organization with a compliance management program should regularly conduct internal audits to assure that the business operates its compliance program efficiently and comprehensively.

Internal Audits and Compliance

Compliance is typically described as adhering to obligations derived from applicable laws, regulations, industry and organizational standards, contractual commitments, corporate commitments, values, sanctions, ethics, and corporate policies and procedures.

Large organizations often have a dedicated compliance function to assure that employees follow the company’s regulatory obligations; so an internal audit might look at the effectiveness of that compliance team. Other organizations might not have a dedicated compliance function. In those cases, internal audits can assess how well other business functions (legal, HR, finance, operations) adhere to the company’s regulatory obligations.

While the compliance function exists to assure that your organization complies with all those requirements, the internal audit function is meant to monitor and evaluate your company’s internal control environment and examine its adequacy, efficiency, and effectiveness – to achieve compliance, or any other business objectives.
For example, an internal audit might assess how well the company follows the PCI DSS standard for protecting credit card data; or whether the company’s compliance team can manage multiple obligations at once, such as PCI DSS and HIPAA, the standard for protecting personal health information.

Compliance and internal audit teams can work together to help the organization’s senior leaders understand how much the business is or isn’t meeting compliance expectations. That understanding can then drive the wiser use of resources, reduce undesirable outcomes, and give the company a greater ability to hit business objectives.

Compliance and internal audit are more effective when used together. That includes joint planning and coordination of risk assessment efforts, coordinated reporting to management and the board, and shared involvement in compliance-related committees, task forces, and other working groups.
The compliance function usually relies on internal audits to conduct regulatory audits. Compliance risks, however, are just one category of risk that internal auditors monitor to evaluate the effectiveness of your organization’s risk management process.

Although your compliance officer might make recommendations for an internal audit plan, compliance is a management function that must be audited by someone else – typically by internal auditors.

Each function plays a crucial role in the risk management activities of your organization, and for maximum advantage, internal audit and compliance should work together. Both functions must be guided by overarching principles and executed through repeatable processes. In addition, they need to take governance issues into account to be a part of your organization’s governance structure.

Types of Internal Audits

There are several types of internal audits your organization can conduct. Your choice will largely depend on the specific goals and objectives you hope to meet.

• Operational audit. This audit evaluates the performance of a particular function or department to assess its efficiency and effectiveness. The primary sources of evidence will include the active policies and achievements related to organizational objectives. Operational audits may evaluate controls and efficiency, and they consist of organizational structure, processes and procedures, data accuracy, management and security of assets, staffing, and productivity.
• Compliance audit. This audit evaluates an organization’s adherence to established laws, standards, regulations, policies, or procedures. Typically, a compliance audit is conducted because of a policy or statutory requirement. The objective of a compliance audit is to ensure adequate control over an essential internal process.
• Financial audit. This audit is an independent evaluation of financial data’s fairness, accuracy, and reliability across a fixed period (usually a fiscal quarter or fiscal year). The objective of a financial audit is to assure that the financial activity of the department, unit, or whole enterprise is completely and accurately reflected in the appropriate financial reports.
• Follow-up audit. These audits are usually conducted approximately six months after an internal or external audit report has been issued; they are intended to evaluate whether corrective action has been taken on previous audit issues. A follow-up audit revisits the past auditor’s recommendations, management’s actions to implement those recommendations, and whether those recommendations actually work. Follow-up audits also assess whether the situation has changed enough to warrant different activities.
• Investigative audit. This audit only occurs due to a report of unusual or suspicious activity. It focuses on specific aspects of the work of a department or individual. Investigative audits are conducted to determine the extent of a loss, assess weaknesses in controls, and make recommendations for corrective actions.
• Information technology (IT) audit. IT audits evaluate the controls related to your organization’s information processing systems. IT audits make recommendations to management regarding the adequacy of internal controls and security inherent in your organization’s information systems and the effectiveness of the associated risk management. These audits aim to assure that IT systems safeguard assets, maintain data integrity, and operate efficiently to achieve business objectives.
• Management audit. Also called performance audits, these audits provide independent and objective insight into the efficiency of business processes. Because internal auditing is an activity that is independent of management, internal auditors can (ideally) review a business process, organization, or strategy without worrying about backlash from the administration. A standard management audit reviews the organizational structure, examining how administrative work is divided throughout your organization and whether opportunities exist for increased efficiency.
• Integrated audit. This audit combines two types of audit into one project: an IT audit and an operational audit, or a financial audit and an IT audit focused on internal controls over financial reporting.

What Are the 5 Cs of an Internal Audit?

Regardless of the type of internal audit your organization might conduct, there are five core aspects that every internal audit covers, namely:

1. Criteria: What were the reasons behind mandating an audit? Which stakeholders were behind the audit request?
2. Condition: What were the prevailing organizational conditions that necessitated an audit?
3. Cause: What caused these conditions to arise that triggered the need for an audit?
4. Consequence: What might these conditions lead to and what is the potential aftermath, if these conditions were not audited?
5. Corrective action: How can the organization take charge and fix the condition, with the help of the audit findings?

Who Performs an Internal Audit?

No matter what type of internal audit your organization conducts, it will need to be done by an internal auditor.

Unlike compliance officers, who come from various educational backgrounds, internal auditors are professionals trained according to established standards of the Institute of Internal Auditors.

Internal auditors are hired by your organization’s management, although they should report directly to the audit committee of the board of directors. Ultimately, internal auditors are employed to show the board, management, and staff how the organization can function more effectively.

8 Steps of the Internal Audit Process

The basic steps to conduct an internal audit are as follows:

1. Identify areas that need auditing. Begin by identifying the operating departments using policies and procedures written by your organization or regulatory agencies. These can include activities as complex as manufacturing processes or as simple as accounting procedures. Make a list of each activity and the functions that require review.
2. Determine how often auditing and field work needs to be done. While some areas only need to be audited every few years, other departments may require audits annually or even more often. For example, the HR function may only require an annual audit of records and processes, while a manufacturing process may require daily field work audits for quality control purposes.
3. Create an audit calendar. A structured and systematic approach to the auditing process will help assure that the function lives up to its full potential. Audits should be integrated into corporate objectives, like any other business goal. Scheduling audits on your business calendar will assure that they are done consistently.
4. Alert departments of scheduled audits. Give departments notice of an audit so they can prepare the necessary documents and materials for the auditor. A surprise audit should only be conducted if you suspect unethical or illegal activity, and department managers should not feel threatened by an auditor.
5. Interview employees.The auditor should interview employees and ask them to explain their work process compared to written policy. This step will help to establish an understanding of employee competence and identify employees who need additional training.
6. Perform field work. Audits may need more than interviews with personnel. As necessary, perform tests of controls or business processes to see how well they conform to expectations. Thoughtfully design your audit procedures in advance, so that they address the issue you are trying to assess.
7. Document results. Record the results and any differences in practice to how policies are written, as well as when guidelines are followed and when they are not. This may also include other information that is gathered from the interview process. The goal is to identify gaps in compliance and find a way to bridge those gaps.
8. Report findings. Create an easy-to-understand final report to be reviewed with senior management. In addition, you should develop an action plan for improvement areas with any gaps in compliance.

Here are some other considerations when conducting an internal audit:

• When reviewing policies and procedures, consider whether written policies meet the needs of “customers” (your employees) and add value to the organization.
• Focus your policies and procedures on continuous improvement regarding how work is performed.
• Ask whether the team environment is healthy and supports compliance with policies and procedures. A dysfunctional team has the potential to harm procedural compliance.
• Review your policies and procedures annually to assure they reflect the changing business environment.

After the Audit: Improving Your Compliance

Once you complete an internal audit, you should remediate any gaps identified during the process. In addition, conducting a follow-up audit after the initial audit will increase the likelihood that an external audit will go well.
There are numerous risks that your organization may identify during an internal audit, including:

• Reputation risk
• Operational risk
• Transactional risk
• Credit risk
• Compliance risk
• Strategic risk
• Country risk
• Legal risk
• Vendor concentration risk
• IT/Cybersecurity risk

Identifying these risks during an internal audit is the first step. Creating a plan to remediate any risks will assure that your organization is ready for an external audit.

Take Charge of Compliance Management With ZenGRC

If your organization uses spreadsheets to conduct internal audits, expect a time-consuming, frustrating ride. Fortunately, there’s a GRC solution that can help.
Relying on multiple systems with multiple deployments can cause conflicting versions of truth, and you won’t know which data is complete and accurate to include in your audit. A standardized solution can resolve these problems and establish a single source of truth for your entire enterprise.

Discover the best solution for you with the ZenGRC. ZenGRC provides greater efficiency, improves collaboration, and reduces the time and resource costs associated with compliance processes.

ZenGRC breaks down the walls between internal audit and compliance groups. It is a comprehensive software solution that eliminates information silos and redundant data entry and improves information transparency and communication.

Pre-loaded with compliance framework content supporting more than 30 standards and regulations, ZenGRC saves time by identifying gaps and overlaps of running multiple programs simultaneously. ZenGRC delivers a flexible, centralized solution to meet all your compliance requirements, eliminating tedious manual processes and the associated time and resources.

With continuous compliance monitoring, you can create positive audit outcomes by automating the compilation of evidence for internal and external auditors and quickly assessing the acceptability of risk controls.

Pre-built compliance dashboards provide visibility into completed tasks, open items, and more to reveal the health of your company’s compliance and IT information security programs and a simple way to manage your compliance program.
Learn how ZenGRC can fit into your business and schedule a demo today to help us guide your organization to confidence in infosec risk and compliance.