The Importance of the Internal Audit Function in a Post-COVID World

The internal audit function (IAF) provides independent analyses, evaluations, recommendations, and objective work products to enhance governance of an organization’s financial policies and procedures — and with the onset of remote work, it’s more relevant than ever.

Members of the IAF team typically report to the audit committee and are independent of any other function in the company. The IAF conducts autonomous analyses to ensure the prescribed policies and procedures are functioning as intended. The team also provides recommendations to improve and enhance the company’s operations.

Most publicly traded companies have an IAF — it typically exists in larger rather than smaller companies. In a privately held company, the owners must decide if the benefit of potentially preventing any irregularities will offset the cost to implement an IAF. Companies that don’t have an IAF typically engage an outside consulting firm. Among other things, the firm will perform an evaluation and provide recommendations to strengthen internal controls. If a company does not engage an outside consulting firm, then management must ensure that the company has proper segregation of duties and other relevant internal controls. Reliance on management may be beneficial, but those benefits could be offset if managers don’t have time to perform their typical duties. There is also less autonomy in the review process when it’s completed by managers compared to an IAF.

In the post-COVID world, IAFs play an increasingly vital role in ensuring a company’s inherent and residual vulnerabilities are protected.¹ The economic impact of COVID caused IAFs to look beyond simply testing controls and evaluating a company’s policies and procedures. The new challenges as a result of COVID include, but are not limited to:

1. Remote working;
2. New risks associated with protecting company information;
3. Cybersecurity risks associated with the remote work environment; and
4. The creation of new methods and tools due to COVID working conditions that need to be tested.

The activities of the IAF differ from those of external auditors, whose purpose is to opine on the fairness of the financial statements in accordance with generally accepted accounting principles using generally accepted audit procedures. The IAF team does not issue any opinion on the financial statements at the conclusion of their work.

Typically, the IAF provides evidence pertaining to the effectiveness of the organization’s internal controls. The team evaluates the prescribed policies and makes recommendations to enhance those procedures if the evidence from their testing reveals the need for more comprehensive procedures. The IAF ideally is a continual function that operates throughout the year, balancing ongoing internal control testing with investigating reported defalcations. In some cases, the IAF looks to outside consulting firms specializing in fraud investigations if it believes fraud may be present.

Findings reported in a bi-annual publication by The Association of Certified Fraud Examiners (the Association) showed that IAFs offer numerous potential benefits. In 2022, the Association published Occupational Fraud 2022: A Report to the Nations (Report), a global study documenting occupational fraud and abuse. Unlike past years, this Report includes frauds investigated after the start of COVID. The Report covered 2,110 cases in 133 different countries with aggregated total losses of approximately $3.6 billion.²

The Report identified several key factors with respect to the IAF. It documented that 16% of all fraud cases were detected by an IAF team — second only to a tip (42%), of which more than half came from employees.³

Of the companies included in the Report, anti-fraud controls were in existence in 77% of the companies that had an IAF in place. This was second only to the external audit of the financial statements and a formal code of conduct, each at 82%.⁴

According to the Report, when the IAF was in place, the median loss was reduced from $150,000 to $100,000. The difference in the median loss was represented in 77% of the cases. Additionally, the duration of the fraud was 12 months with an IAF, and 18 months without.⁶ The IAF reduced the median loss and duration of the fraud by 33%.

The Report also indicated the size (based on number of employees) of the victim companies studied. Only 36% of the companies with fewer than 100 employees had an IAF, compared to 88% of the companies with more than 100 employees.⁷ This demonstrates that smaller companies may not have the resources for an IAF, or chose not to have one.

The IAF is a vital and important tool for companies to design, evaluate, and test internal controls and investigate potential fraud reported within the company. It provides the audit committee, board of directors, and/or management insight into whether the policies and prescribed corporate procedures are followed. With COVID changing the way employees work, the IAF has become more relevant. Management should evaluate the results of the IAF as part of their fiscal oversight and if they do not have an IAF, they should consider engaging an outside consulting firm to evaluate and assist in designing internal controls. The devastation from one fraud can be difficult to recover from, even after it is discovered.

Sources

1. Inherent risk is the risk that exists when no internal controls are in place to protect against material misstatement in the financial reporting of the company. Residual risk is the remaining risk after internal controls have been created. Although internal controls have been incorporated, a perpetrator may still be able to commit fraud.
2. Occupational Fraud 2022: A Report to the Nations, p.4.
3. Ibid.
4. Ibid., p. 34.
5. Ibid., p. 36.
6. Ibid., p. 37.
7. Ibid., p. 38.