Internal Corporate Audits: Who, What, When, Where & Why?
Internal corporate audits are essential to managing compliance, mitigating risk and responding to litigation threats. However, in order for an internal corporate audit to serve its intended purpose, it needs to be conducted effectively.
Conducting an effective internal corporate audit requires careful consideration of several key factors. This includes everything from the timing of the audit to the personnel involved. If an audit comes too late, if the right people aren’t involved, or if the focus of the audit misses the mark, the audit could end up doing more harm than good. When conducted ineffectively, an internal corporate audit can provide a false sense of security, and this can cause companies to let down their guard when they need to be taking measures to protect themselves.
“Companies may need to conduct internal corporate audits for a variety of different reasons. When the need for an audit arises, the process must be structured, targeted, and sufficiently comprehensive to ensure that no relevant information goes overlooked.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.
When conducting internal corporate audits, companies must have a clear focus, and they must follow policies and protocols that are designed to ensure that the audit is sufficiently comprehensive to produce a reliable outcome. This includes policies and procedures that provide guidance before, during, and after the audit process.
Who Should Be Involved in an Internal Corporate Audit?
One of the first key questions that needs to be addressed with regard to conducting an internal corporate audit is the question of who should be involved. The answer to this question depends on why the audit is being conducted (more on this below).
For compliance audits (both scheduled and ad hoc), the company’s chief compliance officer will typically play a central role. The chief compliance officer should be intimately familiar with the company’s compliance efforts to date as well as the company’s auditing policies and procedures.
Other members of the company’s leadership team or board may need to be involved as well—at least in some capacity. This can help to establish accountability, and it can facilitate prompt and decisive action in the wake of the audit if necessary.
Generally speaking, an internal corporate audit should also be conducted under the oversight of the company’s legal counsel. This serves a few important functions. First, it adds an element of independent oversight. Second, legal counsel who are knowledgeable about auditing policies and procedures can help ensure that the audit is sufficiently comprehensive. Third, engaging legal counsel to oversee the audit can afford the protection of the attorney-client privilege while also ensuring that relevant records are preserved for litigation purposes as necessary.
When establishing an internal corporate audit team, it is also important to consider whether any individuals should be excluded. This analysis focuses primarily on the risk of bias based on a conflict of interest. If an employee or executive could potentially be implicated in any compliance violations or other alleged corporate wrongdoing, then he or she should generally be excluded from the audit process.
What is an Internal Corporate Audit?
Before we go further, let’s take a step back and examine the internal corporate audit itself to understand exactly what it is.
An internal corporate audit is an investigative procedure focused on uncovering information that can be used to make decisions regarding compliance, risk management, and/or litigation. It involves collecting and examining corporate records, and frequently also involves interviewing relevant personnel.
Companies conduct internal corporate audits on both routine and ad hoc bases. For example, companies will typically audit the effectiveness of their legal and regulatory compliance programs every twelve months—if not more frequently. Companies may also conduct internal corporate audits when changes in the law or changes in their operations necessitate updates to their existing compliance policies and procedures. These types of audits are commonplace with regard to compliance obligations including:
Antitrust and securities law compliance
Consumer finance and protection compliance
Federal program and contract compliance
Foreign Corrupt Practices Act (FCPA) compliance
Industry-specific compliance obligations
Companies also use internal corporate audits to respond to litigation risks. For example, an audit will typically be necessary in order to determine a company’s obligations following a cybersecurity breach. Internal corporate audits can be highly effective for assessing employment-related risks as well.
When Should Companies Conduct Internal Corporate Audits?
Determining when to conduct an internal corporate audit requires due consideration of a variety of different factors. This includes factors ranging from budgetary constraints to the level of risk presented by various corporate activities and external (as well as internal) litigation threats.
Broadly speaking, however, there are three main circumstances in which it will be prudent for corporate leaders and in-house counsel to conduct internal corporate audits. These are:
Routine Auditing of the Company’s Compliance Programs – Routine auditing is an essential component of an effective corporate compliance program. Companies should conduct compliance audits at least annually, following systems and procedures designed to ensure that the audit produces unbiased, unfiltered, and well-documented results.
Ad Hoc Compliance Auditing – Various circumstances can trigger the need for an ad hoc compliance audit. As noted above, changes in companies’ legal and regulatory obligations can necessitate an internal corporate audit, as can changes in companies’ operations. For example, launching a new product or service may entail new regulatory obligations, and assessing the scope of these obligations will be the first step toward implementing effective policies and procedures.
Internal Corporate Audits Triggered by Litigation Threats – Litigation threats will also frequently necessitate an internal corporate audit. For example, if an employee alleges systemic discrimination, it will be necessary to thoroughly audit the company’s employment practices in order to assess the employee’s allegations and build an evidence-backed defense. Likewise, if a customer, government agency, or other payor alleges fraudulent billing, an internal corporate investigation will be necessary to determine whether (and to what extent) these allegations can be substantiated.
In terms of timing, aside from routine compliance audits, the general rule is that companies should conduct internal corporate audits as soon as possible once a triggering event occurs. Not only will conducting a prompt audit be essential for allowing corporate leadership to make informed decisions, but any delays could potentially be viewed as apathy, insensitivity, or complicity in the underlying allegations.
Where Do Companies Need to Look When Conducting Internal Corporate Audits?
In today’s world, identifying the full universe of files and devices that fall within the scope of an internal corporate audit is becoming increasingly challenging. Yet, it remains critically important, as overlooking even a single piece of relevant information can potentially frustrate the purpose of the audit.
With this in mind, one of the first critical steps in the auditing process is determining where to look. This is often easier said than done; and, even when conducting routine compliance audits, companies must be careful to ensure that they are reviewing data from all pertinent sources (including any new sources that may not have fallen within the scope of prior audits).
In addition to examining on-site internal file management systems (both electronic and hardcopy), companies must also determine whether any remotely-stored data or records shipped to third-party storage vendors need to be reviewed. Data and other files stored on employee-owned devices and company-owned devices used at home may need to be reviewed as well.
Why Conduct an Internal Corporate Audit?
So, why go through the effort and devote the resources necessary to conduct an internal corporate audit? This article has already touched on some of the key reasons. To summarize, some of the primary reasons why companies will need to conduct an internal corporate audit include:
Assessing Compliance – For companies that are subject to legal or regulatory oversight, conducting routine internal corporate audits is essential for assessing compliance. It also serves the related purpose of generating ongoing documentation of the company’s compliance efforts.
Assessing Compliance Needs – In addition to assessing compliance efforts, internal corporate audits can also be used to assess companies’ compliance needs. This is relevant both when developing an initial compliance program and when external or internal developments necessitate changes to existing policies and procedures.
Investigating Allegations – Internal corporate audits can also be used to assess allegations of corporate wrongdoing. This includes everything from billing fraud to discrimination in the workplace. If your company is facing allegations from employees, customers, regulators, or others, conducting an audit is the first step toward making informed decisions.
Determining Necessary Steps – Conducting an internal corporate audit allows the company’s leaders to determine necessary steps. This is true with regard to ongoing compliance efforts as well as other internal and external risks. For example, decisions regarding voluntary disclosures and breach notifications need to be made based on reliable data.
Making Decisions Regarding Possible Litigation – Company leaders also need to be able to make informed decisions when facing possible litigation. A clear and comprehensive understanding of all pertinent facts is crucial, and this requires a comprehensive and effective internal corporate audit.