How internal audit adds strategic value.

• Author: Jeffrey, Chris
• Position: Private companies - Charles Niemeier member of the Public Company Accounting Oversight Board - Interview

An internal audit function is typically seen by most financial executives as a best practice. While the role of audit groups has varied, most have spent the bulk of their time dealing with requirements of The Sarbanes-Oxley Act of 2002.

So where exactly does internal audit fit into a private company or a nonprofit organization?

The institute of Internal Auditors defines internal audit as "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."

Notice that the requirements of Sarbanes-Oxley are not mentioned. In fact, The HA recommends that management outside of internal audit should control a firm's Sarbanes-Oxley compliance process, and internal audit should only be used for control-testing purposes.

In the past, internal audit had a reputation for focusing primarily on an organization's financial statements and the internal controls directly impacting financial statements. But that's no longer true.

Modern internal audit groups are starting to take on an increasingly "risk-based" function. Boards of directors and senior managers have been asking: "What are our organization's primary risks, and are we covered?"

Obviously, some of these risks are related to reporting accurate financial statements. But what about strategic, operational and financial risks? In other words, internal audit groups are beginning to focus more on what could truly "bring an organization down."

Which begs the question: What exactly is the value that internal audit provides?

Consider your firm's strategic and operational goals. One of the key roles of management is to ensure that these goals are clearly communicated and the appropriate tactics are taken to ensure these goals are met.

In addition, management should be aware of the risks the organization faces that may impede the accomplishment of these goals.

Internal audit's role here is to help management and the board clearly articulate these risks and rank them in order of impact to the firm as well as their likelihood of occurring. One of the common problems faced by most organizations is the existence of "silos" or independently operating groups or divisions.

Internal audit helps to break down silos around risk identification. And given internal audit's independent position within the company (the group usually reports to the board or audit committee), the board can be assured that it is receiving unbiased information.

In addition to identifying and ranking these risks, internal audit can help assure management and the board that key risks are appropriately controlled. For instance, one big risk associated with many private companies is their ability to obtain operating capital, especially in the current economic environment.

Internal audit can help ensure that firms have good controls around treasury process so capital is available when needed. Internal audit can also play a significant role for companies in industries that are highly regulated by ensuring to management and the board that the firm is taking the appropriate steps to ensure compliance.

When it comes to nonprofits, internal audit can help ensure the organization has not deviated away from its charter; helping to maintain its tax-exempt status.

A key to a successful internal audit function is the ability of the group to clearly understand the strategic goals and operations of the company. In addition, a keen knowledge of the industry is a must.

Consider chief executive officers who don't understand the industry in which their companies operate. How would this CEO know what strategic path the firm should pursue?

The same holds true with internal audit. If an internal audit group does not clearly understand the industry, how could it decipher what the greatest risks to the organization were?

In addition, most modern internal audit groups are multi-disciplinary in nature. They include representatives from not only finance, but also contain information technology and operational experts. For example, a manufacturing company may include an individual schooled in engineering.

In this fashion, management and the board can be assured that all risks will be appropriately covered.

Many smaller organizations have found success in either co-sourcing their internal...