Internal Audit: The Function That Should Be Finding Issues Before External Auditors Do

Internal audit is mandatory under the Companies Act 2013 for specified classes of companies including listed companies, unlisted public companies meeting certain thresholds, and private companies meeting turnover or borrowing thresholds. The specific thresholds are set out in the Companies (Accounts) Rules and are updated periodically. Companies that meet the thresholds must have internal audit conducted by a qualified internal auditor, with reporting to the audit committee or board. Beyond the statutory requirement, internal audit is valuable for any organization of meaningful scale, regardless of whether it is legally required. Organizations that rely only on statutory audit for assurance miss the timely issue identification that internal audit can provide.

External audit (typically statutory audit) provides independent assurance on financial statements for the benefit of shareholders, regulators, and other external stakeholders. It is governed by auditing standards and legal requirements, and produces an opinion that is filed publicly. Internal audit provides assurance and advisory to management and the board on governance, risk, and control effectiveness. It is governed by internal audit standards and the organization's own expectations, and produces reports that are used internally to drive improvement. External audit is focused on financial reporting accuracy. Internal audit has broader scope covering operational, compliance, and strategic dimensions. The two functions serve different purposes and should be complementary rather than duplicative.

Both approaches have merit. In-house internal audit provides deep knowledge of the organization, close relationships with business units, and permanent presence. Outsourced internal audit provides specialized expertise, scale flexibility, independence from organizational politics, and access to methodology and tools that would be expensive to build internally. Co-sourced arrangements combine elements of both by having core internal audit capability supplemented by external expertise for specialized areas. The right model depends on organizational scale, complexity, the maturity of internal audit capability, and strategic priorities. Mid-sized organizations often benefit from outsourcing because the cost of building effective in-house capability is difficult to justify at smaller scale. Large organizations often benefit from co-sourced arrangements that combine internal knowledge with external expertise.

Effective internal audit reports functionally to the audit committee or board, with administrative reporting to senior management for day-to-day operations. The functional reporting to the audit committee is critical because it provides the independence needed for effective audit. Internal audit should have unrestricted access to all parts of the organization, authority to examine any area of concern, and protection from retaliation for uncomfortable findings. The internal audit charter, approved by the audit committee, should formalize these arrangements. Organizations that position internal audit under a CFO or COO without functional reporting to the audit committee consistently produce weaker internal audit than organizations with appropriate governance structures. The positioning decision affects internal audit effectiveness for years and should be made deliberately rather than as an organizational convenience.

Risk-based internal audit allocates audit resources based on the relative risk of different areas rather than on uniform coverage or regulatory requirements alone. The approach begins with risk assessment that identifies the areas of highest exposure, then allocates audit effort to those areas while maintaining sufficient coverage of other areas. Risk-based planning produces more effective use of limited audit resources and focuses attention on the issues that matter most. The challenge is conducting risk assessment that captures the actual risks facing the organization, not just the risks that have historically been audited. Effective risk assessment requires engagement with management, review of strategic priorities, consideration of external factors, and the willingness to update risk rankings as circumstances change.

Audit frequency depends on risk rating, regulatory requirements, and management priorities. High-risk areas may be audited annually or more frequently. Medium-risk areas may be audited every 2 to 3 years on rotating cycles. Lower-risk areas may be audited less frequently with monitoring in between. Specific regulatory areas may have prescribed audit frequencies. The audit universe and planning process should identify the appropriate frequency for each area and ensure that cumulative coverage is adequate. Organizations that audit everything on the same frequency typically misallocate resources, over-auditing some areas while under-auditing others. Effective risk-based planning produces audit frequencies that match the underlying risk profile.

Effective audit reports include an executive summary of key findings, detailed findings with supporting evidence, root cause analysis, risk implications, specific recommendations, and management responses with implementation timelines. Reports should be written for the audiences who will use them, with executive summaries suitable for senior management and audit committee, and detailed sections suitable for process owners who will implement changes. Reports should focus on issues that drive action rather than cataloging observations that do not affect decisions. Reports that identify many minor issues without distinguishing between them typically fail to drive meaningful change. Reports that focus on the issues that matter and explain why they matter produce significantly more value.