In the minds of many, the word “auditor” conjures up images of an unwelcome annual visitor to the business premises who, perhaps for a few weeks, tends to cause upheaval in the day-to-day operations with very little direct positive impact on the business. This is, of course, the external auditor whose work is mandated by Article 179 of the Companies Act. There is, however, a separate branch of auditing, internal auditing, which is designed to address the needs of the organisation and has a broader scope extending beyond even the business’s accounting records.

It has already been mentioned that external auditing is imposed by law on all corporate entities with limited liability but this is not the only way that the two auditing disciplines differ. Their target audience is different. Whereas the audit report contained in the published financial statements is addressed to the members of the company and gives an opinion on the truth and fairness of the accounting records, internal auditors should ideally report to a non-executive committee so that they remain unencumbered by any undue pressure that the executive directors, as stewards of the business, may place on them. Furthermore, the area of responsibility of internal auditors is not restricted to what is published in the financial statements nor is their penetration of focus guided by what is essentially the indistinct and vague objective of truth and fairness. Internal auditors are required to address diverse issues, both financial and non-financial, that the audit committee may require of them.

So what does internal auditing provide to the commercial entity that external auditing does not? The work of the internal auditor is essentially risk-driven. Little time is wasted on matters that may be immaterial, highly improbable and/or expected to have a very low adverse impact. The focus is on those matters that, should they be allowed to persist, may threaten the very existence of the business or, at the very least, place it at a disadvantage against its competitors on the market. The design of a risk matrix will guide the audit committee in identifying those areas it would like the internal audit function to focus on and what priority should be attributed to each assignment. The critical areas identified by the matrix are likely to fall under one or more of the following categories.

Compliance with legislation

At face value, the need to ensure that a corporate entity is compliant may appear obvious. Confirming that it is indeed so may be a more complicated affair especially when one considers the onerous responsibilities placed on directors, even in their personal capacity, by legislation on a wide array of issues like tax, health and safety, data protection, money laundering and safeguarding the interests of all stakeholders. Viewed from this perspective, it is difficult to understand why directors do not apply at least some token effort to ensure that compliance issues are meticulously identified and constantly monitored.

Testing the integrity of the financial records

There is a considerable degree of overlap with the work carried out by the external auditor and the latter normally places heavy reliance on internal audit work to arrive at a decision on truth and fairness. However, an external audit may be carried out as much as 18 months after a mistake or attempted fraud has been committed, by which time it would typically be too late to mitigate the damage. In contrast, internal audit is more likely to identify shortcomings as they occur increasing the chances of any damage being curtailed or even reversed.

Strengthening internal controls

Small businesses with only a few hundred transactions per year may easily survive without having a formal system of internal control. The owner or manager would probably be involved in all matters be they operational, tactical or strategic.

As the business grows, so does the detachment of management from the day-to-day transactions. To have comfort that all processes are being followed as intended, it is important for all involved to have a thorough understanding of, inter alia:

  • responsibilities, authorisation levels, processes and objectives;
  • the individual’s role and how this interacts with the roles of colleagues;
  • key performance indicators;
  • policies and procedures in issue; and
  • channels of communication intended to facilitate the efficient flow of information up and down the corporate hierarchy.

Enhancing efficiencies and reducing redundancies

The internal audit function can target levels of refinement not normally associated with other forms of auditing. In other words, it is not sufficient to ensure that things are working well and that the business is running smoothly; it is also necessary to make sure that all processes add value, redundant systems are eliminated and all opportunities for maximizing efficiencies are taken up. This can be instrumental to securing an advantage over competitors normally by being able to provide products or services that are priced more aggressively while still returning healthy profits.

Protecting business assets

An asset is defined as a resource with economic value that has the potential to channel future economic benefits to its owner. This is a wide-ranging definition and encapsulates, tangible and intangible, fixed and current and also operating and non-operating assets. The criticality of asset protection becomes evident when one contemplates the consequences of, say, letting a right to use an intangible asset expire thereby allowing the competition to compete on equal terms. Internal audit, in its role as a watchdog, would ensure that all assets are registered, categorised and monitored for obsolescence, continued efficiency and warranty coverage.

Working capital, being the life blood of any business, can also be carefully monitored to ensure that no unnecessary resources are locked in inventory and collectibles to finance the daily operations, when the released cash can so easily be re-channelled to reduce longer term debt or finance further investment from internal sources rather than external finance.

Investigation failure and obtaining value for money

Unavoidably, some business ventures result in failure. This may be the result of mismanagement, fraud, inefficiency, negligence or even unfavourable business conditions. To assume that it is enough to abandon failed projects without instituting probing inquiries on what led to failure would be to lose the opportunity of learning valuable lessons on avoiding similar expensive repetitions in the future. A proper investigation may be instrumental in identifying culprits, modifying processes or even putting the business in a position to recover some of the losses incurred. Without the existence of a formal function like internal audit that is professional capable of carrying out an independent post mortem exercise on failed projects, it is likely that directors, as stewards of the business, would be falling significantly short of their duty of care towards other stakeholders.

The major advantage of internal over external audit is that it is so flexible in its application. The reporting rigidity associated with external audit does not apply. Indeed, the audit committee is totally free to apply the internal audit function as it sees fit, depending on its perception of where the opportunities for risk avoidance and efficiency maximisation exist. The function itself is also scalable. It is possible to engage just one official reporting to the non-executive branch of the board or even to outsource the internal audit function to a practitioner extraneous to the business having similar reporting obligations. What is certain is that internal audit also generates a useful by-product: the provision of additional information to managers which they can then use for a more effective discharge of their duties.


Vince Mifsud is a Consultant at Credence.
You can get in touch with Vince via email.