What is Internal Audit?
Internal audit is an independent and impartial assurance and consultancy activity that aims to add value to an organization's activities with the aim of improving those activities. This sentence has many keywords in itself. There is the concept of developing activities and processes, this concept has become the most important concept that actually underlies today's internal audit function. Because internal audit is no longer an act of finding fault, searching for the fault of people, institutions and processes; It is useful to underline this.
The Purpose of Internal Audit
The internal audit function is defined as a systematic and independent control, and consultancy activity carried out in order to improve the internal processes of an institution, to improve its activities and to add value to those activities. So here we put process improvement at the main focus. The first thing that comes to mind of the person who hears this subject is "They will try to find out where, how, what I did wrong.". This understanding does not reflect internal control. On the contrary, internal audit means performing an assurance function that focuses on processes from a modern point of view, focuses on how to make processes better, examines them as independent and impartial, i.e objective, and adds advice and control. Here, we use the old and modern, old and new concepts as a gradual. To put this more clearly; the emergence of internal audit is not new. It has existed since ancient times, but it is a concept that became famous especially in the 1980s. We could say that in those days, the concept itself really focused on finding mistakes a little more. However, in today's world, since the 2000s, the event, process-based management and "I found the mistake, but what should I do?", "How can I transform it into a value-creating one? How can I see the error as an opportunity and use this opportunity?", it has evolved to seek the answers to questions. The internal audit activity is now becoming a proactive activity. It used to be an activity that remained static by looking back at the past of current or current behavior, in the 80s and 90s. Today, it is defined as a process and risk-based activity. In the past, the definition of internal audit ended as weighted control. Now it ends as a consultancy activity.
Benefits of the Internal Audit
Today's internal audit is an internal guidance activity that will enable companies to turn their activities into a state where they can create value. It is useful to see internal audit as an early warning system for institutions and companies. For example, think of yourself as the owner, board member, shareholder of a company, the internal audit activity actually makes early alarm bells ring within your company. What are those early alarm bells? It includes the discovery of the out-of-control or the points that you cannot see, reach and touch that emerged with the growth of your company, and the analysis of how to do them more correctly after the discovery and finally the formulation of these analyzes into concrete suggestions and guidance projects. As a board member, company owner, you must be the person who most desires and demands the internal audit function. Your instinct to demand this should be evaluated as where there are opportunities to create more value, where there are opportunities to create more value, where there are opportunities to create more value, and internal audit structure should be built with this motivation.
Risk Based Audit: Why is it Important to Business?
Corporate risk management mostly provides an accurate view of the future of the company, while internal audit provides a mostly accurate view of the past. These lines were much sharper in the past, internal audit completely covered the old. Today, the sharpness of these two concepts has decreased. We can see that both of them overlap and support each other in the sense of short past and short future, both of which are used in the same sentence because process-based control is now dominant. There are already some formulated and detailed suggestions regarding the determination of corporate risk structures in the internal audit activity. In corporate risk management, it involves revealing what the company actually does in its current structure, how these are effective on the results, how important results these may have and the consequences of the past. When considered, both internal audit and corporate risk management become concepts that deserve to be used side by side in the same sentence. In fact, one of the modern definitions of internal audit today is; corporate risk management is a guidance, assurance and consultancy activity that aims to make governance and internal control mechanisms systematic and sustainable. Therefore, you can often see internal audit and corporate risk management in the same definition.
Internal Audit Types
There are 5 main types of internal audits. These;
1. Compliance Audit
2. Performance Control
3. Financial Audit
4. Information Technology Audit
5. System Check
A compliance check is to check compliance with a situation. Conformity audit is the documents that explain the facts, rules, regulations, directives, instructions, procedures, how a job or process should be done as tools that will facilitate this management during the management of the company. This documentation is just a form of being documented. The most important thing is the implementation. This documentation indicates how the company should be managed and operated, and the legislation that concerns all operational processes in every area (not specific processes and departments) and to what extent the implementation steps defined in this legislation are carried out in accordance with that legislation, how differently they are carried out, where there are bottlenecks, what determining that it is made differently according to the legislation, justifying and exemplifying this determination and presenting concrete improvement suggestions as a result of this exemplification.
A performance audit is established to serve a purpose as a company, institution, organization and existence. Every firm has a goal. These targets may be long-term targets such as 5-10-15 years as stated in strategic plans, or they may be annual targets. How this is handled in the internal audit; As the top management, we set goals, set the direction to go, and set numerically measurable goals on how to understand whether this direction will be successful or not. A performance audit is a name given to the type of audit that shows us how harmoniously we are progressing towards these goals, namely these performance targets, how much the route is followed at each top glance and the bottom view of each process and department. Performance audit tries to measure the difference between goals and achievement of goals. It is to do this on a general basis (ie institution-company-wide) as well as process and department-specific. Therefore, by entering the sub-headings, it checks the compliance of the performance of the company's subtitles to the goals, based on the principle that the combination of each subheading will actually achieve the final result. Therefore, a performance audit is performed.
Financial control focuses purely on numbers. Every corporation-company is established with a profit instinct or an instinct to achieve financial success, and sets goals execute its operations and make an effort in this way. It is the financial-fiscal data that also shows whether this effort has been paid for. These can be listed as follows; company turnover, annual sales income data, financial structure data, cash flow data, profitability data, financial statement data. At the same time, as a result of the combination of various financial data such as the debt-to-debt status of the company, how much debt can be rolled over, short-long-term debt ratios, the company carries out its activities and can observe whether success occurs. Whether all these financial data reflect the truth in both the upper perspective and the sub-breakdowns of each, whether the data is healthy in real terms, whether it is applied correctly in the sense that even if it is healthy, whether it is applied correctly in the sense that it affects the result, whether they are ultimately overlapping with real operations and financially. The type of internal audit that sets itself a goal is called a financial audit.
Information Technology Audit
Information technology control which was mentioned less in the 80s and 90s, but has become an indispensable part of our lives in the 2020s, can also take on the name of digital transformation control. According to the accepted view, information technology audit is the end-to-end information technologies used in all operations carried out by a board, firm, company itself, from the purchase of a good to the production and dispatch of that good, from the performance evaluation of a new employee recruited by a human resource to career management. (software, hardware, industry 4.0, big data) is a type of internal audit that checks to what extent it is sustainable and can be used continuously.
These activities must be defined within the company. It wouldn't be great if the company used such software. What is essential in information technology control is to use existing systems in a sustainable and safe manner. Considering that information technologies are spreading all over companies, even programs such as excel and word running on computers are information technology. While entering the company, finger reading-card reading systems are also information technology. Information technology audit is the area where the answers to the topics such as how sustainable, reliable, systematic, personal data security provided and usable are collected.
The area where an internal audit is needed is very related to the concept of the system, because when it is considered, a company that performs very good activities with the right strategy and effectiveness, management grows, and later on, it makes investments by enlarging the business and incorporating new technologies. Later, the company will observe that the system related to all these new changes is out of control. Because maybe it will not even be integrated into the existing system yet. For example, imagine that a breastfed baby grows suddenly, you will observe that his clothes are not for him. This will bring systemic difference with it, but at the point where you try to make old clothes crap, everything will get messy. Therefore, you will need to renew the existing system and buy a new outfit, because there is a systemic deficiency or improvement. At this point, it is necessary to create and develop value in the current system, and if it is necessary to combine lean philosophy with internal control, continuous auditing and continuous improvement must become a must for a company. Therefore, the concept of system audit, which we have listed in the type of audit as the main heading, is the type that emerges with the growth, development, new investment of companies and naturally includes that the manager of the company thinks that he has lost control. You are the owner of a company and at this point, you made a new breakthrough by first setting up your system. You will go from 100 people to 500 people. At this point, you may have set up certain internal control systems for 100 people. For example, with your employees and your factory, you can produce 10,000 products with 100 people a day. When you increase your employees from 100 to 500, many factors that you need to change in your system will come into play. At this point, system control comes into play.
A system audit is an audit activity that examines and analyzes questions such as how effective the existing systems, how much the current operation is included, are their places left without a system in the current ongoing operation, how to systematize, how deep and to what extent systems can be installed, and reports the results of the analysis. The system audit is an activity that forms the heart of internal auditing.
Internal Audit Standards-ISO Audits
To talk about the standards of internal auditing, with some exceptions, internal auditing is not a mandatory activity in some countries and sectors. Therefore, it would not be right to talk about this as a globally required standard, internal audit is a set of practices. Internal audit has become an indispensable corporate function, as all companies and institutions have come to the same point with the logic that, consequently, the way of mind is one. Over the years, it has been observed that different applications have started to be applied differently in different countries and in different companies, institutions, public sector, private sector, and different organizations within the private sector and it has been observed that different methodologies have emerged. The United States has taken the first steps in internal audit. In the United States, institutions such as the internal audit institute and the internal auditors' institute were established in the 80s. And these institutions have started to publish certain internal audit standards in order to achieve this commonality among themselves. Later, as these internal audit standards became widespread around the world, an organization called the Institute of Internal Auditors (IIA) was established. This organization has published internal audit standards that are widely accepted around the world. Therefore, when we talk about standards here, we mean the standards published by the International Institute of Internal Auditors. These standards are very comprehensive and they are standards that are constantly revised, take additional modules, develop to meet the emerging concepts as the world develops, and consist of different subtitles of hundreds of pages. Internal audit functions and internal auditors around the world are generally expected to act in accordance with these standards. When new changes emerge with the developing world, these standards are constantly updated during a certain follow-up period (years-months). There are two main categories of standards;
- Qualifications Standards (what the nature of the internal audit should be, how it should be, how to answer that question should be standards)
- Performance Standards (Standards that answer the questions of how to measure the performance of internal audit, how it should be, how much performance should be performed)
Internal audit is mandatory in some sectors. For example, the banking sector in the US for the internal audit is a rule within the framework of the law. There are inspection boards and inspectors in banking with its widely known name. Inspection and inspector is the old language of inspection. In fact, the inspection board is the internal audit board, and bank inspectors are internal auditors. There are many inspection agencies within the Bank since ancient years both in the US and in the world as otherwise required by law.
Internal audit is an activity that is carried out solely to improve companies' own performance and activities. However, there are some quality standards of the internationally accepted ISO, which can appeal to different sectors that envision the same goal. These;
As ISO 9-1001 2015
ISO 14-1001 2015
OHSAS 18-1001 2015 standards
With the new approach in 2015 in all three, the concept of process-based audit and internal audit has actually become an integral part of these quality management systems. However, the perspective here should be formed by saying that as a company, I need an internal audit rather than establishing the internal audit function to obtain the quality system certificate. Why do companies need this? In order to improve activities, to add value, to identify where wrongdoings have been done, to recognize areas of improvement and to regain control of growth or get out of control. This is how we can summarize the link between the quality management system and internal audit standards.
How Should Businesses Position Internal Audit in the Organization
While defining internal audit, we talked about the essential functions in the organization; one is neutrality and the other is independence. If these two do not occur, there is no question of an internal audit. There should be a direct internal audit unit, which should report to the company's top management. It should not even be subordinate to the general manager, because the general manager normally has the right to hire, dismiss, promote, and determine the salary. However, if you are directly affiliated with the board of directors, only the board of directors is accountable and one can be independent and objective as much as possible. In fact, one of the examples of this good practice is to form committees such as the early detection and audit of risk committee within the board of directors (or there may be cases where these are two separate committees), and if possible, by establishing structures in which the independent member of the company's board of directors is chairman, these structures should be accounted for and These structures should be moved directly.
Therefore, companies should have an internal audit unit, should be directly attached to and accountable to the top management of the company, and a structure consisting of internal audit manager and internal auditors, and the independence and objectivity of all these are guaranteed by the internal audit regulation to be issued by the executive board. Top management has a function here. The work does not end just by establishing a department, companies have to guarantee the relationships with other departments and processes. Therefore, companies have to ensure that the internal audit directive and regulation will be signed and published under the top management.
Processes of Internal Audit
There are 4 main processes during an internal audit. These;
- The audit
- The monitoring of audit results
The first inspection shall be made at the planning stage. It is the process in which the internal audit is planned from the beginning to answer questions such as with which resources, how many auditors are required, what is the scope of the functions to be internally audited, what is the calendar in time, is the scope of the directive issued by the senior management sufficient. The resource, time, budget and stakeholders that may be associated with them should be planned before going down to the field.
Execution of the Audit
The execution of the audit is divided into two. As a preliminary study, there are things that the internal audit unit and the internal auditor must do before landing on the field. The first of these is to hold an opening meeting. In other words, the employees should be informed by giving the details of the process to be entered in a way that concerns the whole company. These details include the following questions;
- What will be done?
- What will it be done for?
- When will it take time?
- What will be the benefit to the organization and employees?
- What will be the outcomes of this benefit?
- What kind of processes will there be?
- How long will it take and how deep will it go?
Therefore, an opening meeting should be held that will enable the other parties to know what they will encounter and to ask questions in their minds, if any. Internal audit question sets should be created. These questions;
- What will be asked in the field when the internal audit is made and the relevant field is landed?
- What will be observed?
- What will be analyzed?
- How will the outputs be presented?
It is necessary to prepare question sets in which all these are planned. Preparing the sub-documentation of all of these, suggestion tables, output reporting format, the presentation format to be made to the senior management, etc. It is a subtitle of the preliminary work during the preparation and execution of the audit.
The second title is fieldwork. The field is where all activities are performed and all operations take place. Sales, marketing, human resources units, stores, warehouses, etc. Every place where it is located is called a field. Therefore, fieldwork is an activity that includes the groundwork for planning and observing what will be done when landing on the field, asking questions in line with the internal audit question set, taking notes in terms of compliance, performance, financial audit, information technologies and analyzing in line with these notes. .
It is an activity reporting in which the findings, data sets and observations revealed during the fieldwork are combined, analyzed, interpreted at the desk and these comments are transformed into added value. The most important phase of internal audit, which we define by saying that systematically improves activities and focuses on creating value, is assurance and consultancy activities, is the reporting activity. This is because in the reporting phase, findings, observations, data and areas where the value will be created are determined. The area for internal consultancy is the reporting part. The stage that spends the most time with planning is the reporting stage. In the reporting section, many points such as analyzing data, findings, determining areas of development, presenting recommendations, determining corporate risk areas, and creating importance rankings are mentioned. This report is then presented to the board of directors.
Monitoring Audit Results
If the process is stopped after performing a function as the internal audit unit (such as performing the audit, writing and leaving the report), a sustainable process will not be achieved. It does not end with presenting the report. In fact, it is necessary to monitor the improvement areas proposed there, the project proposals, the places determined in terms of corporate risk, the places determined in the nonconformity test of the control system. If this monitoring process is done properly, the boss or bosses can be convinced that the internal audit function is actually performing. That's when a difference is made. Internal audit's own task is to establish systems that will make a difference in terms of the general operation of the company, but when asked where it will be understood that internal audit makes a difference, the part of "monitoring audit results" is used as an answer. At this stage, if you are actively involved, if you make the right impressions and systematically set the goal of continuous improvement and development, the company will always move itself one step ahead.