Internal Audit and Control: Protect, Improve and Grow Your Business

The term “internal audit” is usually associated with publically held or very large companies. However, internal audits may also be used by small- and medium-sized enterprises in an efficient and cost-effective way in order to improve businesses and their underlying process, and thereby also improve economic results and valuations.  

The context is, of course, very different for SME’s than with large public companies: in the SME context, an internal audit is typically a customized audit, designed to meet very specific needs and requirements.

Before answering why smaller organizations might want to perform an internal audit, let us first define “internal auditing”.

According to the Institute of Internal Auditors, internal auditing is “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

In other words, unlike external auditors, internal auditors work directly with management in areas such as governance, risk, control and compliance, helping to examine and validate that the company is operating as intended, managing its biggest risks, and complying with applicable laws and regulations.

Internal audit areas common for SMEs typically cover key risks (strategic, operational, compliance and financial) that need to be managed and mitigated. In contrast to external audits, which focus exclusively on financial reporting and its associated risks, internal audits cover broad categories of risk and their management.

The list of areas varies according to a company’s size and industry. For instance, KPMG lists cybersecurity, transitioning to and operating in the cloud its publication “Top 10 internal audit focus areas for technology companies.”

Reasons to Audit

Smaller companies usually have specific reasons to perform internal audits, as pointed out in “Internal Auditing is an Asset for Small Companies as well as Large Ones”, by risk and business consulting company Protiviti:

•    To understand and verify how activities and processes are actually operating, going beyond a perception of how they are working;

•    To look into known problem areas and develop a fact-based action plan to make corrections and improvements; and

•    To verify that critical areas that must operate flawlessly are in fact doing so.

Internal audit for a smaller company may become a catalyst towards maturity. SMEs often look at internal audits as a cost, but it would be better to consider it an investment. Better efficiency, governance and risk management should lead to superior performance and valuation. Internal audit may help improve business processes and sustainability in crisis, and also help prepare an organization for the purposes of capital raising or selling a company.

When areas to be audited are identified, a typical internal audit cycle in a smaller organization might be designed as follows:

Typical internal audit process

As an internal audit assesses effectiveness of controls put in place to mitigate risks, it should result in actionable reports that lead directly to process improvement.  

Internal audits and internal controls are both methods of risk management. However, in contrast to internal controls, internal audits are performed at pre-determined intervals. Internal control is an ongoing system to ensure continuous improvement in operational efficiency and effectiveness through the control of risks. Therefore, internal controls may be considered a part of a company’s day-to-day management and administration.

Turbull Report

The Turnbull Report, now the Financial Reporting Council’s Internal Control document that sets out best practice on internal control, defines internal control and its scope as follows:

“The policies, processes, tasks, behaviors and other aspects of an organization that taken together:

•    Facilitate effective operation by enabling it to respond in an appropriate manner to significant business, operational, financial, compliance and other risks to achieve its objectives. This includes safeguarding of assets and ensuring that liabilities are identified and managed.

•    Ensure the quality of internal and external reporting, which in turn requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from both internal and external sources.

•    Ensure compliance with applicable laws and regulations and also with internal policies.”

Adequate internal control procedures reduce operational risk, help prevent fraud and theft, and enhance reliability of financial reporting, all extremely important issues for SMEs.

To conclude, SMEs should embrace both internal audit and internal control. Their main goal is to help protect and improve businesses, especially as they grow. Effective internal audit and internal control increase the likelihood of achieving and maintaining business health.

Les Nemethy is CEO of Euro-Phoenix (www.europhoenix.com), a Central European corporate finance firm, author of Business Exit Planning (www.businessexitplanningbook.com) and a former president of the American Chamber of Commerce in Hungary.