the White Star Line had an Internal Audit Report carried out before the Titanic was even finished. Imagine that a third party had performed a thorough risk assessment of the vessel and gone through a number of “what if “scenarios. Maybe the lookout in the crow’s nest would have had his binoculars and seen the iceberg earlier. Maybe Harland and Wolff would have used a different kind of rivet which wasn’t so prone to popping under pressure. Maybe there would have been sufficient lifeboats for all the passengers and crew. The list goes on and on.
More recently, BP’s Deepwater Horizon disaster in the Gulf of Mexico has provided another timely reminder of how a massive company can be virtually brought to its knees by something which might have been avoided if proper risk assessment procedures had been conducted in the first place.
OK, so these are extreme examples of what can go seriously wrong in any major organisation but they do underline the need for constant vigilance when it comes to identifying possible risks and making sure that they are mitigated as much as possible.
Most larger companies now have their own internal audit departments reporting to the board of directors’ audit committee but, however competent they may be, it always pays to have a third party either conducting its own separate audit or working alongside internal personnel. If nothing else, it brings a fresh perspective to bear and enables issues to be identified that insiders might have missed altogether. The remit of an internal auditing team is usually broad and may encompass areas such as the efficiency of operations, the reliability of financial reporting, the deterrence and investigation of possible fraud, safeguarding assets, and compliance with laws and regulations.
Internal auditors typically conclude each audit with a report summarising their findings, making any necessary recommendations and noting any responses or action plans from management. An audit report may well contain an executive summary; a section that includes the specific issues or findings identified and related recommendations or action plans supplemented by appendix information such as detailed graphs and charts or process information. Each audit finding within the body of the report may contain five elements, sometimes called the "5 C's":
1. Condition: What is the particular problem identified?
2. Criteria: What is the standard that was not met? The standard may be a company policy or other benchmark.
3. Cause: Why did the problem occur?
4. Consequence: What is the risk/negative outcome (or opportunity foregone) because of the finding?
5. Corrective action: What should management do about the finding? What have they agreed to do and by when?
The recommendations laid out in an internal audit report are designed to help the organisation achieve its goals. These may relate to operations, financial reporting or legal/regulatory compliance. They may relate to effectiveness (i.e. whether goals were met or compliance with standards was achieved) or efficiency (i.e. whether the outputs were generated with minimum inputs).