Leverage internal audit principles - even without a formal IA department

Martin Philip Beyer, Senior Manager

29 April 2025

Even if your company is not subject to requirements for an independent internal audit function, you can strengthen your company's risk management by drawing inspiration from the typical tasks and organisational structure of a proper IA department. This can be achieved without being constrained by formal requirements, which may be perceived as resource-intensive with limited value creation.

The requirement for internal audit in Danish companies applies only to financial institutions of a certain size, while the board of directors of smaller financial companies only has an obligation to assess annually whether an internal audit function should be established voluntarily.

Furthermore, the guidelines issued by the Corporate Governance Committee – which serve as best practice for the management of listed companies in Denmark – recommend that the audit committee assesses the need for establishing an internal audit function, based on the complexity of the company.

Therefore, in this article, we will explore the purpose of internal audit in relation to the company's overall risk management, and why you should consider implementing it on a smaller scale.

Three lines of defence

The purpose and organisation of internal audit can, for example, be broadly understood within COSO's control framework. COSO is a recognised framework for internal control and risk management, which describes the components of a company's control system that address operational, reporting and compliance risks – across both legal and organisational interfaces.

The control system comprises three lines of defence, each with their own role and responsibility:

The first line of defence, consisting of process owners, is responsible for both process ownership and risk management. This involves identifying the significant risks in each business process, designing and implementing controls that address those risks, and executing the controls on an ongoing basis so that the risks remain effectively managed.

The second line of defence has a monitoring role and should support the first line of defence with expertise in process excellence and interpretation of legislation, contributing to effective risk management.

Whilst the first and second lines of defence have different purposes, both are subject to day-to-day management. The second line of defence provides governance and monitoring of identified risks and controls and typically consists of middle managers with specific business roles and responsibilities. The precise organisation varies depending on the company's complexity, size and needs.

The third line of defence, the internal audit function, differs in its independence from day-to-day management because it reports to the board of directors. This function serves as an objective control body that evaluates and ensures the quality of work performed by the first and second lines of defence. At the same time, internal audit contributes to value creation by collaborating with the first and second lines of defence to improve risk management and control procedures, as well as optimising management and business processes – both operationally and in relation to compliance.

Although independence is a key characteristic, companies – even with a 'dependent' internal audit function and without meeting the formal legal requirements for this – can still draw inspiration from its methods. An additional review level can enhance quality by bringing more perspectives into play, potentially from specialists depending on the complexity, and reduce the risk of bias that inevitably arises when evaluating one's own work.

Responsibilities of internal audit

What specific tasks does internal audit perform, and how does it create value for the company? Depending on the size and complexity of the company, the responsibilities consist of the following:

1. Review of processes and procedures, including the effectiveness of implemented controls

One of the most common tasks is the ongoing review of business procedures across the various processes in the company. The purpose is to ensure that they remain optimally designed, adhere to the company's core values and policies (corporate governance), and operate effectively.

The review is also used to identify any shortcomings or untapped potential that can increase efficiency, strengthen the business and, depending on the area, enhance profitability. It should likewise ensure that implemented controls continue to function effectively and address relevant risks, as processes naturally evolve over time and controls must be adjusted accordingly.

2. Risk assessment

Another important task involves continuously assessing the many internal and external risks associated with the company, and reporting these to management along with recommendations on how best to address them - either with new solutions or with a more effective approach.

The risk assessment covers everything from exposure to key customers and suppliers to litigation, fraud and regulatory requirements. However, focus lies predominantly on evaluating the materiality of risks and proposing appropriate modified safeguards.

3. Monitoring developments in regulatory requirements

One of the most significant reporting risks is the constant evolution of regulatory requirements.

A current example is the requirements for corporate social responsibility reporting, which are being replaced by new requirements under the EU's Corporate Sustainability Reporting Directive (CSRD). These requirements will be significantly more extensive and complex than the current ones. The internal audit function's task here is to stay ahead of such changes and to keep management informed, including about the consequences of non-compliance.

4. Assessing the reliability of data sources for internal and external reporting

To ensure the reliability of both internal and external reporting, it is the task of internal audit to test the accuracy of data inputs that form the basis for reporting. This includes, among other things, tests in the reporting and accounting system as well as sample checks, where transactions are traced to the underlying documentation.

5. Assessment of fraud risk

An important task for internal audit is to perform audit procedures of various types and at different levels of the business solely for the purpose of addressing the risk of fraud. This is a risk that will be present in any company and requires constant attention.

By integrating internal audit activities into regular financial controlling, the company is required to select the specific areas that need special attention. As the internal audit function is not directly involved in operations, it can provide the necessary degree of independence in these assessments.

How to implement internal audit

Whether you implement internal audit activities or voluntarily establish a dedicated internal audit function, it will add competence, objectivity and assurance to the work of the operational organisation.

It is important to define the activities or the role of the function so that they organisationally constitute the third line of defence. This way, you ensure that the task primarily becomes to assess already existing processes, business procedures and risk management of both internal and external factors.

The results are reported to management with clear recommendations, whilst the internal audit acts as a sounding board for the organisation towards improving risk management.

Precisely this guidance from specialists with deep operational insight into the company can be a significant reason to assess the need for an internal audit function. Such detailed knowledge is often lacking when risk assessment and risk management are evaluated by individuals higher up in the organisation, who already form part of the control activities and whose focus is on managerial and strategic responsibilities. Internal audit provides exactly the detailed, specialist insight needed to ensure risk management of the required quality in the company's specific risk areas.

When the internal audit function is established voluntarily, its tasks, organisational positioning, etc. can be freely determined. However, to create value and avoid wasting resources through unclear roles and responsibilities in relation to the first and second lines of defence, it is logical to draw inspiration from legislation and guidance provided by, for example, the Corporate Governance Committee.

To create structure, you can benefit from developing a function description for internal audit the purpose of which is to strengthen and protect the company's values by providing risk-based and objective assurance. This requires a systematic and disciplined approach to evaluating and improving the effectiveness of management processes, risk management and control procedures.

Positioned in the third line of defence, an internal audit function can focus on:

  • Assessment of whether the risk identification process ensures a reliable and up-to-date risk profile for the company
  • Evaluation of whether the components in the COSO control framework are appropriate in relation to the company's risks
  • Testing of critical control activities to ensure that critical risks, including fraud risk, are effectively mitigated.

Because internal audit is not part of the operational organisation, management can more easily deploy these resources to targeted focus areas: for example, visits to subsidiaries in high-risk countries or reviews of specific high-risk activities, or investigations prompted by a specific suspicion towards, say, a procurement organisation or local management. If your company has retail outlets, internal audit can, for instance, conduct unannounced cash audits, either to verify that business procedures are followed or for preventive reasons. Other efforts may focus on areas such as travel and entertainment expenses that do not comply with internal guidelines.

The internal audit function also creates value as a sounding board for the traditional finance function. This can occur through everything from business procedures that can be optimised, to consultation on accounting technical matters, for example where they involve significant judgement or estimation decisions.

To ensure targeted efforts, and to prevent the resources in internal audit from either being absorbed into the operational finance organisation or failing to create value, you would benefit from setting out the activities in an internal audit plan that aligns expectations with management. With such a plan, it is also easier to report on observations and recommendations. To strengthen independence from the CFO, or rather to reduce dependence, one solution could be for the function to report directly to the CEO; closer to the formal third-line model described above, it could report to the board of directors or its audit committee.