Conducting internal audits of your company’s compliance mechanisms and its business practices is a great way to discover potential sources of legal liability, as well as ways to make your company operate more efficiently. However, not all audits work the same. Some can be poorly planned or inexpertly executed. Others are all-encompassing, conducted efficiently with little wasted time or money, and produce actionable recommendations that alleviate the most pressing concerns of all of the stakeholders involved.
Certain best practices should be followed to ensure that an internal audit is a successful one rather than a disappointing one. Over the course of years of experience, our team of internal auditing consultants and professionals at Corporate Investigation Consulting have found that the following five best practices are among the most important.
1. The Final Audit Report Needs to Be Concise and Actionable
The final audit report is the culmination of the internal audit. It is the document that the internal auditors end up handing over to the company and its stakeholders. The report is probably the single most important aspect of an internal audit because it communicates the audit’s findings, provides its recommendations, and summarizes the investigation.
It is hard to overstate the importance of a good final audit report. However, it is easy for internal auditors to lean towards the over-inclusion of information, generally in an attempt to avoid the potential for leaving out relevant or important details or because of the time that the audit took to uncover them. Taking this route, though, inflates the length of the report and often provides details and information that are not very valuable. They may also do little other than to add bloat to the report.
A better practice is to make the report quick and concise, focusing on the important information that backs up recommended changes and other conclusions, and little else. This helps steer stakeholders towards the outcome that will help their company, giving them guidance for improvement without making them wade through extraneous information.
2. Always Look Out for a Lack of Duty Segregation
Internal auditors should always beware of a lack of duty segregation within a company, whether for audits of compliance procedures or business practices.
Duty segregation refers to how many steps that one person does in a row within a specific process or function. An example of a lack of duty segregation is when a single person is responsible for:
- Receiving cash payments as a cashier,
- Balancing the cash drawer at the end of the shift or business day,
- Recording the amount in the drawer,
- Depositing the money from the drawer into the business’ bank account, and
- Recordkeeping of bank statements.
When one person or party is responsible for so many steps in a row, it opens up the possibility for costly errors or intentional and potentially even criminal misconduct. Because one person is responsible for so many steps without intervention or supervision, it is easy for them to act in their own interests and then cover up their conduct after the fact. It also presents the opportunity for innocent mistakes to be made at one stage that skews the results for the rest of the process.
Auditors should be on the lookout for these situations and give them extra scrutiny. Pulling out what is really going on during these situations can be trickier than normal.
3. Never Blindly Take Someone’s Word for Anything
Internal auditors should behave like investigative journalists, confirming and corroborating any statements given to them by employees and other workers within the organization being audited. Uncorroborated statements must be taken with a grain of salt, and if there is no way to find supporting evidence to back it up, then the speaker’s motivations must be scrutinized closely before a decision is made as to whether they are reliable or not. Even if they are used during the audit, any information that they provide or that they lead to should be denoted with an asterisk.
4. Always Remember to Keep the Goal of the Audit in Mind
One of the most important things that internal auditors have to do during the execution of the audit is to keep their focus on the goal of the process. Not all audits have the same goal – some focus on the company’s compliance measures, while others focus on business efficiency, and even within these general categories different audits can serve different purposes. Staying on track of the current audit is one of the most fundamental best practices in all of internal auditing.
It is also one of the most important, though.
If an audit gets sidetracked by extraneous information that is outside the scope of the inspection or that does not alleviate or dispel the concerns of the stakeholders to the company, at the very least it will slow down the audit until it can get back on track. If it never returns to the intended focal point of the audit, the resulting final audit report will be unsatisfactory or nearly useless to the company’s stakeholders.
5. Document the Auditing Process
Finally, a best practice that is frequently overlooked is documenting the auditing process. Including documentation into the process can seem like a waste of time. However, it pays some very important dividends to those who take the time.
Auditors who take meticulous notes of the process, the findings, and how the auditors moved forward with those findings can find themselves with an additional source of strong support for their eventual conclusions and recommendations.
Internal Auditing Professionals at Corporate Investigation Consulting
Planning for and then executing an effective internal audit takes skill, experience, and a meticulous attention for detail. The auditing experts at Corporate Investigation Consulting have built a long track record of successful audits for companies large and small, including in a wide variety of industries, from pharmacies to laboratories to law firms.
Contact them online or call them at (866) 352-9324.
Before starting an internal audit, professional auditors need to determine what is going to be the best way to execute their inspection. They need to fully understand what the concerns of the company are, how those concerns can best be addressed by the audit, and foresee any potential obstacles or problems that may arise. Not creating an effective internal audit process can all but completely undermine the value of the audit to the company that wants it done.
In their time helping clients and corporations, the internal auditing consultants at Corporate Investigation Consulting have found five keys to creating an internal audit process:
- Listen to the client’s concerns
- Investigate the client’s problems and reasons for the audit
- Provide experienced feedback to draw out underlying worries and risks
- Determine what is needed to alleviate these concerns, as well as what is not
- Create the audit procedure in a way that hits all of the salient points without wandering too far
1. Listen to the Client’s Concerns
One of the most important things that all auditors need to do from the very start is to listen to the client. While most audits end up being similar to one another, the reality is that they are all unique in their own way, albeit often only a small one. Understanding what that small nuance is going to be in the next audit can change its results from merely satisfactory to a huge success.
Gone are the days when most companies would conduct internal audits on a regular basis to make sure they were on the right path or to ensure compliance. Now, many internal audits are the result of a regulator’s warning or a new risk exposure. Auditors need to know what that concern is before creating the process for the upcoming internal audit. The only way for auditors to get that awareness is by including stakeholders in the planning stage and asking pointed questions to reveal their concerns and intentions for the audit.
2. Look Past the Stated Worries for Underlying Risks
Experienced auditors, however, know that what company stakeholders say is their goal for the audit is not always completely accurate. It is not that stakeholders are lying or hiding their intentions, though. While stakeholders may feel like they have a good idea of what is going on and that they understand what the potential threat is to their company, in some cases their concerns are misplaced or are focused on problems that are actually just the tip of the iceberg. They just do not know it.
In crafting an effective internal audit process, experienced auditors – like those at Corporate Investigation Consulting – know to take the stakeholder’s stated concerns with a grain of salt. They know to dig into them and search for the unspoken worries and the risks that are really causing them, but are hidden from the stakeholders’ often relatively inexperienced eyes.
3. Provide Experienced Feedback to Pin Down the Real Goal
If that seems to be the case and stakeholders are missing the real threats to their company that could be addressed in the audit, auditors should press stakeholders on these issues before creating the audit procedures. This needs to be done during the planning stage, or else the audit will have run at least some of its course before it becomes apparent that it will not be addressing the root cause of the problems faced by the company.
Generally, this can be done by asking pointed questions about the context surrounding the need for an audit and providing experienced feedback about the underlying cause of the stakeholders’ concerns.
4. Figure Out How to Deliver on That Goal
Once the true risks and needs are ascertained, the next step is to use them as the foundation for creating the internal audit processes. How the audit runs its course should adhere closely to the needs of the company and its stakeholders. However, audits can be executed in a huge variety of ways. Choosing the one that is appropriate for the calls of the situation can be difficult. Importantly, the risks of not getting it right at this stage can keep the audit from producing results that the company can use to streamline its business or insulate itself from potential liability.
5. Create the Audit Procedure That Executes Efficiently
However, delivering on the goal of an internal audit is only the most basic part of a successful review. Good audits do not just deliver; they deliver a streamlined and efficient result that does not overcharge the stakeholders or their company or waste any time or resources.
This added level of success is something that all internal auditors strive for, and is something that the professionals at Corporate Investigation Consulting take very seriously. Pursuing the goal of the audit without a care for the efficiency of the process increases the costs of the inspection exponentially, and all for very little value added to the company. The results provided in the final audit report end up being expensive to produce, but are often duplicative, meaningless, and little more than filler.
A good internal audit process should strike a balance between these competing demands: The rigid requirement that the audit be all-encompassing and thorough and the conflicting, but softer need that it is also not wasteful.
The Professionals at Corporate Investigation Consulting Can Help
Creating the internal audit process is one of the most important phases of a good internal audit. Without a solid process in place, even a perfect execution will fail to address the needs and concerns of the stakeholders and their company.
The auditing consultants at Corporate Investigation Consulting have helped numerous companies, both large and small, in the past. With CIC’s help, internal auditors have drafted procedures to follow that were both thorough and streamlined, providing effective and actionable plans in the audit report without entering the field of diminished returns.
Contact us online or call our firm at (866) 352-9324.
Internal auditing is a profession. In order to promote uniformity across the field and to ensure that companies know what they are getting when they hire an internal auditor, entities that regulate the field offer certifications to auditors who pass rigid tests that prove their auditing abilities.
Many of the internal auditing professionals at Corporate Investigation Consulting have these credentials, which are often difficult to obtain and easy to lose.
How Internal Audit Certifications Work
An internal audit certification is a badge of honor that can only be worn by those who have the eligibility to take a strenuous examination and then the experience and the abilities necessary to actually pass it. The credentials that internal auditors get for passing the test show that they have a skillset that is above and beyond those that have not done so.
For companies that want to hire an internal auditor or a consulting firm to conduct an internal audit of the business’ operations and compliance protocols, these certifications matter. They let hiring parties see, at a glance, the types of skills and knowledge that they can expect from a given job applicant, auditor, or consulting firm. This helps them quickly identify who may be right for the job and who will be in over their head. It also lets hiring agents, as well as the company itself, rest assured that someone qualified is handling their internal audit for them, rather than someone who might expose the company to even more liability.
The Many Types of Internal Audit Certifications
Not all internal audit certifications are the same, though. Many show that the certified person has a specialized skill set and body of experience in a very particular role within the field of internal auditing, like the auditing of information systems. Others only indicate that the holder has a generalized skillset in the auditing world.
Some auditors have multiple certifications, showing that they are adept in several specific areas.
Generally, all auditors have a college degree in accounting or something very similar, as well as a background or working experience as an accountant or in a similar financial role. However, some certifications substitute extra working experience for a college degree.
The following are some of the most common certifications that you will see internal auditors have on their resumes.
Certified Public Accountant (CPA)
Perhaps the most common certification that internal auditors can get is the CPA, which makes them a Certified Public Accountant. While individual state accounting boards grant the CPA designation, it is the American Institute of Certified Public Accountants (AICPA) that administers the exam that leads to the certification. People who pass the exam can then become AICPA members, but do not have to do so in order to practice.
While each state varies slightly in their requirements for a CPA, when you see an internal auditor with a CPA certification, you can generally rest assured that they:
- Have a college degree in accounting with at least 150 credit hours
- Passed an ethics exam
- Passed the Financial Accounting and Reporting (FAR) exam
- Are up to date on their continuing education mandates
The FAR exam is not easy. Around half of test takers fail it the first time around.
Certified Internal Auditor (CIA)
The Certified Internal Auditor (CIA) certification is sponsored by the Institute of Internal Auditors (IIA). While it is a generalized internal auditing certificate, it sets internal auditors apart from other accountants, which is essential for hiring entities to know.
To get a CIA, accountants have to provide character references, have an extensive working experience – especially if they do not have a college degree in accounting – and pass an extremely difficult exam that includes 325 multiple-choice questions and lasts for 6.5 hours. The exam covers topics like:
- The governance, risk management, and control of internal auditing
- Auditing industry standards
- Quality assurance
- Planning and managing an internal audit
- Practical aspects surrounding the communication of the results of the audit
- Financial management
- Information technology issues
Importantly, the CIA certification is a global one. Non-U.S. professionals can obtain one.
Certified Fraud Examiner (CFE)
A Certified Fraud Examiner (CFE) is someone who specializes in fraud prevention. They have passed the CFE exam, which is sponsored by the Association of Certified Fraud Examiners (ACFE).
These professionals are often what companies look for when they need to test their internal systems for problems like healthcare fraud.
Certified Information Systems Auditor (CISA)
A Certified Information Systems Auditor (CISA) has passed a rigorous examination related to the auditing practices for information and technology systems. The exam is sponsored by ISACA.
CISA certifications are especially important for companies that may want to conduct an internal audit on their cybersecurity systems and structures, like home health agencies and pharmacies.
Certified Information Systems Security Professional (CISSP)
A Certified Information Systems Security Professional (CISSP) has passed an exam administered by the non-profit International Information System Security Certification Consortium, or ISC². People with these certifications have:
- Passed background checks
- At least five years of experience working in information security, or fewer years if they have a college or master’s degree in information security
- Passed the four-hour CISSP exam
- Been endorsed by another ISC² certification holder
CISSP holders have shown a strong familiarity in the following areas of knowledge:
- Security and risk management
- Asset security
- Identity and access management
- Security operations
- Software development security
- Security assessment and testing
- Security architecture and engineering
- Communication and network security
The Auditing Professionals at Corporate Investigation Consulting
Certifications are a quick, easy, and reliable way of seeing what skill sets a person has, as well as whether he or she has focused their internal auditing talents into a particular field or issue. Knowing the field and the level of expertise that you are getting is critical for making an informed decision about who to hire to conduct an internal audit of your company and what you can expect once the hire is made.
The auditing professionals and consultants at Corporate Investigation Consulting (CIC) have numerous certifications scattered among our team of financial investigators. Whether your internal audit is to look for flaws in your cybersecurity system, holes in your corporate compliance mechanism, or fraud in your billing apparatus, we have professionals with the experience that you need the most.
Contact us online or call CIC at (866) 352-9324.
An internal audit checklist is an essential tool for auditors. It lists all of the things that the audit is supposed to check, as well as all of the ways that the audit’s findings could benefit the company. Because internal auditing is, at its core, an effort in organization and measurement, having a good checklist is one of the most important things that an internal auditor can have.
While each checklist will be as unique as the particular audit it accompanies, there are some overarching templates that can be used to ensure that all of the general bases are covered.
Checklists Promote Uniformity Between Audits
One of the most important roles of an internal audit checklist is actually behind the scenes, hidden from view of the companies that are conducting the audit: The checklist ensures that each of the internal auditor’s projects covers at least the same baseline of issues, ensuring a degree of uniformity between audits that gives each a credibility that it would not otherwise have.
This is not a minor benefit to using a good audit checklist.
Reliability is one of the most important aspects of an internal audit. Companies that conduct one should rest assured that they are going to at least cover the basics and that it will be as reputable as the last one that was performed. By using an internal audit checklist, an auditor can make this happen.
Audit Planning Should Be Reflected in the Checklist
While a checklist should ensure uniformity with prior or subsequent audits, that consistency should only cover the basic elements of the internal audit. Each internal audit is different – companies in different industries have widely diverging risks to manage or compliance goals to achieve, and even audits within the same industry or even the same company can have different focal points. The checklist used by the internal auditor should reflect that. Only the basic elements should always be the same.
For example just a few of the different industries that make heavy use of internal auditing are:
- Hospitals
- Law firms
- Healthcare companies
- Pharmaceutical manufacturing companies
- Pharmacies
- Family investment offices
- Home health and hospice companies
- Laboratories
- Private equity funds
The risks that companies in each of these fields face are radically different. Even those in the same field can face drastically different risks and compliance needs based on their business practices. For example, companies that deal internationally will have to take compliance measures – and then audit them – for International Traffic in Arms Regulations (ITAR) and the Foreign Corrupt Practices Act (FCPA). Healthcare and pharmaceutical companies, on the other hand, can be the target of corporate healthcare fraud investigations and have to take care not to raise scrutiny on that front. Organizations of all sorts may find themselves in need of auditing internal processes related to:
- Corporate compliance
- Bribery and corruption investigations
- Background screening
- Brand and reputation management
- Counterfeiting and other forms of financial fraud
Each of these types of companies and types of audits require their own focal points. The planning that goes into ascertaining the overall goal of the audit should be reflected in the checklist that ends up getting used by the auditors conducting the inspection.
Auditors Who Use Checklists Work Faster and Miss Fewer Issues
Another big benefit to using an internal audit checklist is that it keeps the audit process more focused, organized, and streamlined. Auditors who keep to their checklist do not get distracted by issues that fall outside the scope of the inspection. They move from one step to the next, progressing the audit along without hesitation or delay.
That organization also reduces the odds that the auditor will miss a key finding within the scope of the audit, enhancing the thoroughness of the process.
Internal Auditing Checklists Tend to Follow a Template
Generally, these internal auditing checklists tend to follow a basic template that covers the fundamental aspects of the audit process, plus additional elements that cover the more specific concerns that are to be addressed.
Some examples of elements in the template that many checklists are built from include:
- How well performance processes further the organization’s business plan and goals
- Whether prior audits proposed corrective actions and whether those actions were implemented
- Whether customer satisfaction is recorded and, if it is, how well the company responds to problems that it raises
- How qualified employees and other personnel are for their job duties
- Whether there are workplace hazards that could jeopardize occupational health and safety
- How reliable quality control processes are
- Whether prior records regarding quality control are kept
The goal of this general template is to begin to uncover important evidence related to the business’ activities. As more information is gathered, new questions will present themselves that prove to be invaluable to the auditor and to the business that is being audited.
Compliance and Risk Management Auditing Consultants at Corporate Investigation Consulting
When done well, internal audits can reveal gaps in compliance protocols that have exposed the company to substantial legal liabilities, or can uncover inefficient systems and processes that are costing the company thousands of dollars every year. When done poorly, internal audits can miss important signs of wasted money and effort or can falsely lead the company to believe that it is in compliance with all relevant laws and regulations.
Companies should strongly consider hiring internal audit professionals or consultants to make sure their audit is done the right way.
The auditing consultants at Corporate Investigation Consulting have years of experience working with federal law enforcement agencies, including the Federal Bureau of Investigation (FBI) and the U.S. Department of Justice (DOJ), investigating signs of noncompliance and putting together cases of financial misconduct in industries from securities trading to healthcare fraud.
Contact them online or call them at (866) 352-9324 to get their input on your internal auditing needs.
Developing internal controls is an extremely important part of a company’s compliance structure. Without them, achieving compliance with applicable laws is nearly impossible, and it can be extremely difficult to reach planned objectives that mean to streamline your company so it performs more efficiently.
Here, the internal audit professionals at Corporate Investigation Consulting summarize five keys to developing effective internal audit controls.
What are Internal Controls?
According to the Committee of Sponsoring Organizations (COSO), internal controls are procedures that are “designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
Essentially, internal controls are a how:
- How to improve operational and financial performance or safeguard assets from loss
- How to adequately report financial and other information to regulators
- How to reach compliance with applicable laws and regulations
They are steps that everyone in a given company has a role in furthering. Precisely because there are so many people involved, though, there are numerous weaknesses in developing a good set of internal audit controls.
1. There Needs to Be an Environment of Following Internal Controls
First and foremost, everyone has to be on board with the internal audit controls that are adopted for the company. This includes the board of directors and all supervisors. If these important players in the company do not go out of their way to parrot the importance of the internal controls that have been adopted, the lower level employees who have a direct role in implementing those controls will not take their obligations seriously. If they see these workplace responsibilities as anything short of mandatory and as being crucial to follow to the letter, they are likely to cut corners in ways that undermine the effectiveness of the control process and that can expose the company to legal liability for noncompliance.
It is up to the higher level employees and partners to instill a sense of urgency in following the internal control system. Only then will there be an environment of compliance inherent in the company.
2. Internal Controls Should Be Reevaluated Regularly
This is a key to developing strong internal audit controls that many executives overlook or forget about. Just because controls have been synthesized and adopted by the company does not mean that they will always be the most efficient way of getting things done or the best way to comply with applicable laws.
Technological developments can make the current processes that are set out in the internal controls policies outdated. Should this happen, the internal controls would no longer be the most efficient way to conduct business. By regularly reevaluating those controls, they can be updated to reflect the new best practices.
The laws and regulations that your company has to comply with can also evolve over time. What were once good ways of complying with them may no longer be necessary or may no longer insulate the company from legal risk or liability. Auditing the internal controls is essential to keep them up to date.
3. Employees Need to Know That Controls Exist for a Reason, Even If They Seem to Slow Their Workflow
Similar to the first key to success in developing internal audit controls, above, it has to be pressed into employees that the internal controls exist for a reason. Many workers, particularly those who have an important role in performing the internal compliance controls but who do not directly see how it fits into the grand scheme of things, lose sight of the importance of what they do or never appreciate it in the first place. This can happen especially quickly if the internal controls prove to be a hassle for them to implement in their daily workflow.
Whether through training and retraining, a company-wide culture of compliance with the demands of the control protocol, or with education regarding the role that the employee has in the scheme and the importance of them fulfilling it, it is especially important for rank-and-file workers to uphold their obligations. In many cases, they are the ones who are most responsible for the actions that actually implement the policy.
4. Internal Controls Need to Be Monitored to Ensure Compliance
The internal controls that are adopted require consistent monitoring to make sure that they are actually doing what they were intended to do. They can fail or struggle to succeed for two reasons:
- Employees are not taking their obligations under the control system seriously
- The internal control requirements are not precise enough to solve the problem or inefficiency that they were designed to correct
Monitoring both the input and the output of the control system is essential for detecting shortcomings.
5. Determine How Selected Controls Can Be Evaded and Take Corrective Action
Effective monitoring can be supported with careful inspection of the control requirements to isolate potential practices that could undermine it. Employees who perceive that the obligations that they have under the policies are onerous and infringing on their work product may elevate their work over the demands of the internal control system. This is a very foreseeable and predictable event. Determining how those employees would go about evading their obligations is trickier. Figuring out how they would go about doing so and then patching up that possibility is a crucial part of developing a good internal audit control for the company.
The Professional Internal Auditing Control Team at Corporate Investigation Consulting
Establishing effective, but also streamlined, internal audit controls is essential for every company that intends to streamline its business practices or shore up its compliance requirements.
The auditing professionals at Corporate Investigation Consulting can help. Whether you are trying to create an effective corporate compliance program or manage risks that your company has to deal with every day, our team of professionals can help. Contact us online or call us at (866) 352-9324 so we can plan and execute the set of internal controls that will make your business even better.
The goal of an internal audit is to test a company’s policies to ensure that they are doing what they are supposed to do. The key performance indicators, or KPIs, of an internal audit aim to measure how well those policies are working in a way that is easy to describe and understand.
The internal auditing professionals at Corporate Investigation Consulting make heavy use of KPIs to ensure that the audits that they conduct or oversee meet the expectations and demands of their clients and help them make actionable responses to the audit’s findings.
What are KPIs for Internal Audits?
KPIs are measurements of how well a policy or process executes the goal that it is meant to achieve – nothing more, but also nothing less. These measurements can take a huge variety of forms, as both the goals and the ways of achieving them can be almost anything.
Generally, though, KPIs fall into 2 broad categories:
- Execution indicators, and
- Value indicators.
Execution indicators track the audit, itself. Some common execution KPIs can be:
- How many hours the audit has taken, so far
- The percentage of the audit that has been completed
- How many problems have been detected
- How many corrective actions have been proposed
- How many of those corrective actions have been implemented
Value indicators, on the other hand, measure how well the audit has helped the company that is being audited. Some common value KPIs are:
- Reductions in expenses from the audit’s corrective actions
- Hours of work time saved because of changes implemented after the audit
- Productivity increases
- Satisfaction rates from employees and managers
These are just a few examples. Every internal audit should have a unique set of KPIs.
KPIs Should Be Tailor-Made for Each Audit
Because almost any metric can be used as a KPI for a given internal audit, it is important to select the right ones for your purposes. No matter how effective and detail-oriented the audit is, if it is based on poorly chosen KPIs, the results will not be actionable or even very useful.
So, for example, if you are a healthcare company that is conducting an internal audit of its billing practices to make sure overcharges are not being made that could expose the company to allegations of fraud, some important value and execution KPIs might be:
- The number of bills or transactions that have been reviewed
- How many improperly billed services have been found
- The percentage of bills that have errors in them
- The net amount of overcharges discovered
- How many billing errors each employee is responsible for making
- Which billing codes are more or less likely to be incorrectly used
- The percentage of bills that are within the scope of the audit that have been examined
Obviously, if your internal audit is for a different type of company, or is being run to detect other kinds of compliance issues, the KPIs should be different. For example, if the goal of the audit is to test your company’s compliance with the Securities and Exchange Commission (SEC), then the KPIs will be completely different.
A skilled and experienced auditing team will know which metrics will produce the data that you want to see.
All Good KPIs Rely on Well-Defined Goals
However, because KPIs are metrics for how well a given process reaches certain objectives or goals, KPIs are only as reliable or useful as the goals themselves. If the objective of a certain process is vague or poorly defined, then it becomes debatable whether the process is working or not. Because it is the success of the process that is being quantitatively measured by the KPI, this can produce a wide variety of results, undermining the value of the measurement, its reliability, and faith in the audit as a whole.
Ascertaining and defining the actual goals of the procedures and policies that are being audited are essential steps to take before the audit begins.
KPIs Should Promote Efficiency and Reduce Liability
Generally, the use of KPIs during internal audits can serve two important functions. They should be geared towards:
- Promoting efficiency within the company, and
- Reducing the company’s exposure to legal liability.
The purpose of the audit will determine which of these functions should be the focus of the inspection. For example, audits that are designed to test the company’s compliance mechanisms are going to focus on the exposure to legal liability. However, that focus does not necessarily have to be exclusive. Good auditors will still make note of potential issues at the fringes of the scope of the audit that they are conducting.
Without KPIs, the Findings of an Internal Audit are Vague
The value of using KPIs during an internal audit becomes even more apparent when you consider what would happen without using them. A lack of quantitative measurements would lead to audit results that are vague, at best. The lack of precision would make the audit’s findings difficult to understand and work with, making it almost impossible to use them to improve the inner workings of the company.
This undermines the real value of an internal audit: The production of data and findings that are actionable.
The Internal Auditing Consultants at Corporate Investigation Consulting
Crafting and executing an effective internal audit is part science and part art. It takes foresight to see the difficulties that are going to arise, given your company’s unique business practices and structure. It also takes creativity to come up with KPIs that are going to produce data points that can be used to gauge your company’s performance, legal exposure, and efficiency, and that will draw out actionable responses for your company to implement.
The experienced internal auditing professionals at Corporate Investigation Consulting can help you and your company from square one of this intimidating but incredibly important process. Contact them online or call their office at (866) 352-9324.
When company executives, the legal department, or compliance officers want to hire outside help to conduct an internal audit, steps must be taken to ensure that you get auditors who are going to help your company the most. Creating a job description for the internal audit is an effective way to weed out the potential auditors who are not going to be a good fit for your company’s needs.
In order to be effective, a good internal audit job description should utilize a wide variety of ways to separate the bad candidates from the good, and to give ideal auditors the opportunities they need to stand out from the rest of the pack.
Here are four elements to consider for your company’s internal audit job description.
1. Be Industry and Audit Specific
It is crucially important to remember that auditing a company in one industry is not the same as auditing another company in a completely different industry. This is particularly true when the internal audit is being done to test the corporation’s compliance protocols. Healthcare companies face radically different compliance requirements than, say, a family investment office. One has to comply with extensively detailed billing obligations for healthcare services provided, while the other has to abide by coextensive sets of securities and investment rules laid out by the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA).
Some other divergent industries that require auditors who are familiar with the particular legal compliance obligations of the field are:
- Hospice and home health agencies
- Laboratories
- Private equity funds
- Hospitals
- Pharmacies, whether for cybersecurity issues or preparing for a pharmacy benefit manager (PBM) audit
- Law firms
Even within these industries, there are different types of audits. Some focus on certain aspects of the company’s compliance obligations, while others focus on other pressing issues like:
Your internal audit job description should reflect how specialized the auditing field has become. Make it clear what type of auditor you are looking for, and scour the applicants for those who match the industry you are in and the skillset that you want.
2. Do Not Just Demand Experience: Demand Relevant Experience
It is not uncommon for internal audit job descriptions to demand at least a certain number of years of experience in conducting internal audits.
This is not precise enough.
Rather than requiring, say, five years of experience in internal auditing, you should be demanding at least a set number of years in internal auditing in your industry and in the type of audit you want to run. Even if you have to lower the threshold for candidates to meet, you will still be far more likely to get auditors with the skillsets that you want.
Therefore, consider replacing, “10 years of experience in internal auditing,” with something like this, “4 years of experience conducting risk management audits for healthcare providers that handle Medicaid, Medicare, and Tricare.”
3. List Audit Certifications
Professional auditors who are serious about their jobs will accumulate as many auditing certifications as they can. A few of these certifications will be relevant to the needs that you have for your particular internal audit. Many others will not be.
Just because there are only one or two certifications that you want to see, though, does not mean that the others are meaningless. Instead, they show a professional drive on the part of the auditor to expand the breadth of their understanding of their field. That broad knowledge base can be useful for your company.
However, this is not necessarily the case, and is not always a good thing. As mentioned earlier, applicants who respond to an internal audit job posting should have a deep familiarity within your industry and should have experience conducting internal audits that align with the purpose of the one that you want to do. A broad range of certifications – especially those well outside your company’s field – can be a sign that the auditor’s experience is too diluted to be the best value in your pool of candidates.
This is still helpful information to have, so encouraging applicants to list all of their auditing certifications in the job description is often still a good idea.
4. Keep an Eye Out for Potential Conflicts of Interest
The job description is also a good place to draw out information about past work experience that can reveal a potential conflict of interest.
For all of the importance in getting an auditor that has extensive experience in conducting the type of audit that you want in the industry that your business is in, you also want to be on the lookout for an auditor’s prior clients that are too close to your company. If an auditor has helped competitors in the past, it may be wise to at least be more careful in your contract negotiations, should you choose to hire them to conduct the internal audit of your own company.
Generally, these concerns are needless, as auditors are professionals in their own right. However, it can be wise to use the internal audit job description as a way to tease out these potential conflicts of interest so you can behave appropriately to them.
The Internal Auditing Professionals at Corporate Investigation Consulting
Hiring outside help to conduct an internal audit of your company is both essential and stressful.
On the one hand, getting an independent auditor to review the compliance protocols in your company is the best way to obtain unbiased, professional, and often novel ideas about the shortcomings, weaknesses, and inefficiencies in your company’s policies. The best auditors can uncover problems that are exposing your company to legal liability, as well as any needlessly onerous costs of compliance that are costing your company time and money for little benefit.
On the other hand, it can be extremely difficult to determine which outside auditing professional is going to be the best fit for your needs.
Crafting an internal audit job description that accurately represents your needs and desires and that sets an appropriate standard for applicants to meet is a big start in the process.
The professionals at Corporate Investigation Consultants can help you and your company decide who should perform an internal audit of your firm’s compliance protocols. Call them at (866) 352-9324 or contact them online.