
Periods of growth or transformation often bring excitement that can overshadow attention to emerging, evolving, or complex risks. As organizations accelerate toward new opportunities, leadership and boards may encounter increasing challenges that heighten risk exposure - ranging from inefficiencies and weak internal controls to fraud and compliance issues. In such circumstances, assessing the need for an internal audit function becomes a critical step in supporting sustainable growth and unlocking untapped opportunities.
When the Need for an Internal Audit Function Arises
Common factors that indicate the need for an internal audit include:
- Rapid organizational growth (expansion in scale, geography, products, systems, or processes).
- Regulatory compliance requirements (particularly in regulated sectors).
- Board and stakeholder expectations for greater transparency, control, and risk management.
- Weaknesses in internal controls or frequent process deficiencies.
- Fraud and FinCrime prevention and detection needs.
- Mergers and acquisitions (ensuring governance, risk integration, and control alignment during consolidation).
Typical Scenarios Highlighting the Need for Internal Audit:
- When an organization reaches a level of size and complexity where senior management and the board no longer have direct control or active involvement in every operational or business aspect. Questions begin to arise about performance results, process standardization, investments in systems and infrastructure, the quality and timeliness of reporting, and whether risk assessment and management are appropriate for the organization’s scale.
- In certain sectors, regulatory requirements mandate the establishment of an internal audit function to ensure compliance and strengthen governance.
The Role and Value of Internal Audit
Internal audit provides a structured approach to identifying and managing risks, strengthening governance and internal control environments, improving operational performance, ensuring compliance, supporting the development of future leaders, and bridging communication gaps within a changing organization.
Essentially, everything within the company’s scope of activities – processes, functions, systems, and other areas – can be assessed and improved through internal audit.
In most cases, the role of internal audit focuses on three key aspects:
- Risk management, internal control, and governance
- Operational efficiency (optimizing resource use) and effectiveness (achieving objectives)
- Compliance (with legal acts, policies, and standards)
The extent of internal audit’s involvement in these areas depends on the organization’s maturity level.
To make the best use of limited audit resources, it is crucial to prioritize the most significant and high-risk areas.
A mature internal audit function goes beyond compliance or identifying policy breaches and control weaknesses. It highlights improvement opportunities aligned with the company’s strategy and objectives, supports performance enhancement, and promotes best practices from the market.
There is no one-size-fits-all template for organizations
There is no universal organizational profile, nor a standard audit list (audit plan) with identical priorities that suits every organization – even among those required to conduct internal audits due to regulatory obligations. Each organization is unique, so the audit plan, scope, methods, and priorities must be tailored to its specific environment and risks.
Risk Assessment and Risk-Based Audit Planning
An effective internal audit function must align with the company’s strategy and objectives, focus on the high-risk areas, and consider other risk management and assurance activities.
Risk assessment forms the basis for:
- Annual and long-term internal audit plans
- Audit programs for each engagement
The internal audit function must have a deep understanding of:
- The organization and its business activities: processes, systems, challenges, objectives, changes, external factors, and resource needs.
- Management and board priorities and expectations: insights from leadership and the Board, reports, industry trends, comparable and aspirational organizations, challenges in adjacent sectors, and supplier and customer expectations; leveraging data and performance indicators for identifying emerging risks.
- Other assurance and risk management functions within the organization: such as risk management, legal, compliance, quality, safety, controls, information security, and external (financial statement) audit - along with their programs, plans, and results.
- Changes in risk over time: risk assessments must be continuously updated. The planning process should remain flexible and adaptive to evolving business needs, emerging and new risks, new regulatory requirements, and shifting expectations from the board and management. Each new assessment cycle becomes more thoughtful, comprehensive, and focused.
Standards
The internal audit function operates systematically and in a structured manner, guided by recognized standards and methodologies. The most widely accepted include:
- The Institute of Internal Auditors (IIA) – active for over 80 years; it recently introduced updated Global Internal Audit Standards to support consistent and effective audit practices.
- Information Systems Audit and Control Association (ISACA) – for more than 55 years, addressing IT governance, risk management, audit, and control needs.
In addition to these, Grant Thornton experts also apply other widely recognized professional standards, tailored to the specific context of the engagement and needs of each organization.
In-House vs. Outsourced Internal Audit Functions
An in-house internal audit function often has a deeper understanding of the organization’s processes, culture, and specific risks. Being embedded within the organization enables faster response and closer collaboration. However, it may face challenges related to independence and objectivity, as well as limited external perspective.
An outsourced internal audit function brings broader knowledge of the market and regulatory expectations, best practices, stronger independence, and a fresh viewpoint. It offers greater ability to drive change and provides flexible access to specialized expertise (e.g., AML/CFT, IT, cybersecurity, ESG). At the same time, it may have less familiarity with the organization’s culture and unique characteristics.
It is important to note that neither in-house nor outsourced auditors will ever know more about a specific function or process than its responsible manager or owner. However, internal audit adds value by offering new ideas, objective assessments, and recommendations for improvement. External auditors, in addition, bring market best practices, enhanced independence, and the ability to evaluate areas from a broader perspective – helping identify blind spots or gray areas that internal teams might overlook and empowering organizational change.
Preparing for Change is Essential
When implementing or operating an internal audit function, areas requiring recommendations will be identified. This may demand engagement from managers and employees and lead to changes in their activities. To ensure success, the following are critical:
- Tone at the top and commitment from the board and senior management.
- Change management: assigning responsible individuals, setting timelines for implementing action plans or recommendations, ensuring proper execution and adherence to set timelines.
- Ongoing monitoring is essential to maintain sustainable value after planned actions are completed.
Internal Audit as a Partner to Management and the Board
Internal audit is more than just ensuring compliance. It is a strategic, value-creating function that helps the organization grow safely, efficiently, and effectively. It strengthens governance, enhances control and risk management environments, and supports decision-making through reliable information and analysis.
***********************************************
The article is based on insights from Grant Thornton USA. You can find the original articles here:
Unlocking value through internal audit at private companies | Grant Thornton (Part 1)
Building your private company internal audit function | Grant Thornton (Part 2)