The role of the internal auditor
Your internal auditor must take a systematic and risk-based approach to evaluation to:
- meet your strategic business goals
- ensure the integrity of financial and operational information
- protect your assets
- comply with local laws and regulations
- assess any risk of fraud.
The case for outsourcing
While there is a clear need for internal audit, you need to decide whether to create your own internal audit function or use the services of an external consultancy.
For the typical small and medium-sized enterprise there are clear benefits to outsourcing.
- You can focus your attention on your core business activities – the activities that make you money.
- You will find it easier to buy in the services of an expert than it is to recruit and employ an expert.
- Specialist consultancy firms can give you the range of skills that you won’t find in one person. For example, you may not only need an accountant but also an information technology or human resources expert.
- When you employ a specialist you create a reliance on that person. When that person leaves, you suffer disruption to your business while you try to replace that expertise. This is not an issue when you outsource as each consultant works to a common process.
- Employing someone with the experience and qualifications to perform an internal audit role is expensive. If you try to recruit cheaply you will get someone who is poorly qualified; this may cost you in the future. There is a clear cost-benefit argument for outsourcing.
- When you outsource you ensure independence and objectivity.
- You can easily monitor your relationship with your consultant through confidentiality and service-level agreements.
Development of standards
Standard-setting has developed at a pace in recent years and will no doubt continue to do so in the future.
The Institute of Internal Auditors (IIA) – the international professional body – laid down the first standards in 1978. These were reviewed and updated in 1998. In doing so, the IIA redefined the role of an internal auditor, introduced a code of ethics, created international standards and incorporated earlier guidelines.
You can expect the internal audit arena to continue to develop and evolve in the future. This further strengthens the case for outsourcing, as you can be confident you are using up-to-date expertise.
Financial scandals such as Enron increased the need for robust regulation. One of the most important developments was the Sarbanes-Oxley Act, the requirements of which all companies listed on the US stock exchange have to meet.
This US law was designed to protect stakeholders in listed companies by improving the accuracy of corporate disclosures and deterring corporate and accounting fraud.
Among other things, the Act introduced the idea of the audit committee to oversee corporate financial reporting, established mandatory registration of auditors of listed companies, defined conflicts of interest, prohibited external auditors from providing certain services, and introduced a system of periodic rotation of auditors.
The Act also imposed on management the legal responsibility for the content of the financial report and for maintaining a system of controls to discourage fraud.
Although Sarbanes-Oxley only applies to companies listed on the US stock exchange, many companies are adopting its requirements in the spirit of good governance. Several countries around the world have developed legislation that has its roots in Sarbanes-Oxley.
Information technology (IT) risk
In recent decades, business reliance on IT has increased out of all proportion. It is essential that your corporate governance addresses and manages your IT risk, and there are steps you can take to do this.
- Review your IT service level agreement and check that it meets the needs of your business.
- Ensure your IT operates in a secure area and is reliable, and that confidentiality and integrity are not compromised.
- Make sure you provide adequate training and support to users.
- React to issues and solve them as they arise.
- Review your business continuity and other contingency plans to ensure they are robust and up to date.
The IIA’s international standards contain specific guidance on evaluating IT risk and provide a methodical approach to doing so.
In summary, outsourcing your internal audit provides you with a highly specialised, systematic approach to a task that carries the utmost importance to the success of your business. For the small and medium-sized enterprise there is also a clear cost-benefit advantage to outsourcing.