How to Start a Manageable and Effective Audit Program for Your Small Business

 

Regardless of the size of a company, the term “internal audit” generally evokes an initial response of hesitation – “Our processes are operating fine!” and “The time isn’t worth it!” However, companies do not need to dedicate significant time or resources to an internal audit system for an audit to be effective and result in unexpected benefits.

 

In fact, many entrepreneurs and small business owners already have an “internal audit” mindset because they intuitively think about risks, how to mitigate them, and how they can improve their bottom line. The information or process may be there, but it’s important to also document your information, processes, and results to uphold consistency. Furthermore, these documented processes will help train new or temporary managers and employees. Smaller businesses often lack manuals and written processes due to dependency on long-term employee knowledge, which presents a disruption in business when that employee leaves or retires.

 

Before beginning an audit, first decide what you want to achieve. Small businesses generally have three common reasons to perform an audit:

  1. Accuracy: Verify processes are actually operating as they are intended (and how you think they are operating); ensure critical areas of the business that are subject to federal regulations or industry standards are operating within compliance.
  2. Improvement: Examine a known problem area or weakness and develop a remediation action plan to improve efficiency/productivity of the process.
  3. Fraud Detection: Verify that segregation of duties is in place, especially around handling cash and assets (are expenditures being approved properly and accurately reported?).

After you determine what you want to achieve, focus on a few key procedures and keep the “testing” of them fairly simple. Document your results. Follow up often and adjust as necessary. To help you better understand how you can adapt this process for your business, we have provided two examples below that show how common audit goals drive internal audit processes and remediation:

 

Example #1: Fraud Detection Goal

If your goal is fraud detection – select and follow a transaction through the accounting cycle to the general ledger; compare the findings to those of the previous month and budgeted numbers; if the data does not reconcile, expand the testing procedures to investigate the discrepancy. At the end of each month, it should be standard practice to review financial statements and compare them to the previous month, budget, and/or forecasting statement to see if they meet expectations. Unexpected results should be investigated to ensure there is an appropriate business justification.

 

Example #2: Process Improvement Goal

If your goal is process improvement, focus on the known problems. Physically observe the process to identify control breakdowns. As you observe, solicit input from the individuals involved in the day-to-day process; you will likely be surprised by the insight they are able to provide. Likewise, you should also solicit input from external individuals with expertise in the area you are looking to improve. Then, after talking with both sets of experts, develop a realistic action plan to drive positive and real change. The action plan can include short-term and long-term objectives. Follow up as often as necessary with each objective to ensure remedial actions remain in place.

 

Every company is different in regard to processes and internal controls; however, risk management and controls are present within all successful companies, regardless of size. Internal controls are designed to help a company achieve strategic, operational, financial, and compliance objectives.

Remember, taking the time to identify your business’s top risks and priorities will lead the way to a more meaningful internal audit program that is scaled to fit your business, and that audit program will give you the assurance that your risk management and control processes are monitored and operating effectively. You will thank yourself down the road!