When should a company consider establishing an Internal Audit Department?

By James C. Paulus CPA, CFE

I was asked an intriguing question earlier this week by a CFO who has made a career working for startup and strategic growth businesses: “Under what set of circumstances should a company establish an internal audit function?”

The answer is the proverbial “It depends.” It is generally accepted that companies who are contemplating an IPO or who will shortly be required to be SOX compliant generally should strongly consider having an internal audit department. In fact, in September 2015, The Institute of Internal Auditors made a formal recommendation to the U.S. Securities and Exchange Commission that all publicly traded companies be required to have an internal audit function. However, smaller private companies or not-for-profit organizations should consider other situations when having a value-add internal audit department makes strategic sense.

A well-run internal audit department should have its mission, audit plan and special projects focused on both governance and achievement of the Board’s strategic business objectives. This means the function should be dedicated to identifying and helping mitigate the strategic and preventable risks of the business to help the company achieve its success strategy - not focused solely on financial or compliance risks. (See my previous post: Internal Audit Departments: Strategic Business Ally or Compliance Check-the-Box?)

There are several considerations (not all inclusive) that should be contemplated to help determine when an Internal Audit department should be established outside of an impending IPO or other regulatory requirement (i.e. publicly traded companies):

1. The Company is projected to have substantial growth impacting operations, head count and/or its geographical footprint in the next few quarters. This is especially true if operations are expanding internationally.
2. The company is poised to make large acquisitions in the near future materially impacting the financial results, operations and company culture.
3. Growth and/or changes have increased to the point that mid and upper management experiences significant challenges in “keeping the pulse” on key or emerging risks impacting the organization.
4. Recent or alleged complaints from international operations surrounding potential anti-bribery or Foreign Corrupt Practices Act (FCPA) violations.
5. Growth, operational problems, people/culture issues or new regulations are squeezing management’s ability to assess, monitor or resolve critical business issues.
6. A company-wide system change from one ERP system to a new platform.
7. A significant business expansion into a new product line that may significantly increase the overall business risk to the organization.

Companies experiencing some or all of these issues should consider having discussions at the c-suite and Board level to determine if adding an internal audit function will help the company improve its overall risk profile.

Special thanks to Robert Schnitzius for his contributions to this post.