Icebergs wreak havoc in the North Atlantic. Opening an amusement park filled with genetically-cloned dinosaurs will always be a bad idea. And when a 25 foot Great White is spotted just offshore, it’s a good idea to close the beaches and always have a bigger boat.
These Hollywood pitches sound familiar for a reason. Not only are they the plot points to some of the biggest movies in history, they also provide a convenient touchstone for the latest and greatest analogy from your friends at Embark -- bad things can happen when the tools you have in place to spot issues before they become larger, systemic problems fail in their responsibilities.
Companies rely on their IA teams, policies, and procedures to spot those metaphorical icebergs before they tear a whole into the side of the organization. When internal audits fail to provide their intended insights and direction, your company can suffer dire consequences. Granted, those likely won’t include colleagues being devoured by a velociraptor or hungry shark but could certainly have a lasting negative impact on your business.
Since your comrades at Embark want to do everything we can to help you keep your organization financially stable and sound, we’ve gathered a list of signs that could indicate your internal audit might need some help.
Sign #1: Spotty or Missing Risk Assessment
The set of standards, processes, and structures that comprise the control environment provide the basis for carrying out internal control across the organization and must absolutely work in tandem to cover as much ground as possible. No single aspect or mechanism of a control environment will ever be sufficiently thorough on its own so a layered, comprehensive approach to complete risk assessment should be done every year.
If your current control environment isn’t being regularly reviewed for completeness, it likely lacks the checks and balances approach that ensures properly exhaustive risk assessment procedures. While this layered approach requires constant diligence, it’s well worth the effort. Patching up holes as they arise might fix singular issues but will ultimately always fail to identify and address systemic problems that could threaten the stability of the entire organization.
Furthermore, if your company doesn't have the time or staff to invest in a more comprehensive control environment, items like safety standards, health standards, fraud, department audits, and industry compliance will likely lack sufficient attention within the audit process.
This is a telltale sign that your audit team is struggling to handle their current responsibilities and are not identifying gaps and the corresponding mitigating controls. As companies grow, audits and controls of other areas of the business should be implemented to ensure a much-needed thoroughness to correspond with corporate growth. If your team isn't assessing these other controls, it's quite likely they are either understaffed or missing major issues.
Sign #2: Audit Reports Have Memory Loss
Auditing isn’t a static endeavor. Audits need to be fluid in nature and build on insights gathered from past audits. Failure to do so increases the likelihood of missing gaps as well as new areas of growth by never integrating suggested process improvements. If this presents a common area of concern, it could be an indicator that your department is understaffed or incapable of looking at additional approaches.
Sign #3: Insufficient Flowcharts, Narratives and Checklists
Maintaining effective internal controls begins with a thorough understanding of the control systems themselves. Flowcharts, process narratives, or a combination of different tools are used to document and define that understanding. When process narratives or flow charts are not sufficiently developed or updated annually, this can be a sign of infrequent or insufficient walkthroughs that are crucial in establishing the reliability of the internal control procedures. In other words, failure to maintain flowcharts and narratives makes it much more difficult, perhaps even impossible, to monitor and maintain effective internal control systems.
Sign #4: Your IA Department Isn’t Liked or Respected
Every show or movie that has anything to do with junior high or high school has at least one scene where the unpopular kid is shown eating lunch by themselves in the school cafeteria. Sometimes it’s a cheap writer’s ploy to gain sympathy towards the character from the audience, other times it’s due to the character just being generally unlikeable.
If your IA team eats by itself in the cafeteria of life, at least when it comes to the workplace, that’s another sure sign something is rotten in your state of internal auditing. It is of utmost importance that your IA department works well with other departments within the organization, especially accounting.
More often than not, when such issues arise, it stems from inefficiency, ineffectiveness, excessive finger pointing, or a generally uninformed IA team. In many ways, your IA department serves as an important lynchpin to your entire organization so their ability to work productively, both within themselves as well as others, is an absolute requisite to breeding a healthy IA environment.
Sign #5: Differences Between Internal and External Audits
Perhaps the biggest telltale sign of an internal audit process that needs help is a consistent difference in what is identified in internal audits versus external audits. When this occurs, there is going to be an overarching source that is responsible, most likely failures within the internal controls and not a grossly incompetent external auditor. While those sources can be many and varied, any of the previously mentioned points could be playing a role in the discrepancies, only further evidence that internal control systems must be constantly monitored and maintained to ensure reliability.
Think of your audits as living, breathing entities. Although a bad audit can feel like an unforeseen slap in the face that rattles your cage, your colleagues at Embark assure you that looking for these signs within your auditing procedures can go a long way towards preventing them from ever happening again. Collectively, all of the facets and requirements of an internal audit speak of the value an IA department can add to your entire organization. Aside from giving insight into efficiencies and possible new sources of growth, an IA department should always provide governance, management, and employees alike the assurance that the organization is effectively identifying and mitigating any and all sources of risk. In other words, financial icebergs, dinosaurs, and giant sharks will be spotted well before they become too destructive and ferocious.