Unlocking value through internal audit at private companies

Prepare your leaders for a transformational change

Editor’s note: This is the first article in a limited series focused on the benefits of, and approach to, establishing an impactful internal audit function for private companies, including family-owned enterprises.

In times of growth or transformation, the thrill of progress may overshadow emerging risks and complexities. When a company races toward new opportunities, leadership may notice growing operational concerns that can increase risks related to inefficiency, internal controls, fraud, and regulatory compliance. These are the moments that call for evaluating the need for an internal audit function — a critical step in the growth of many businesses, and a landmark opportunity for any organization.

“In many cases, you are getting to the size where senior leadership and the board no longer have direct control over, or active involvement in, every aspect of the business,” said Grant Thornton Risk Advisory Director Brian Shellito. “They are starting to raise questions related to operational performance and standardization, investing in the company’s systems and infrastructure, quality and timeliness of reporting, and ensuring there is adequate consideration of enterprise risks.”

Internal audit offers a structured approach to identifying and mitigating risks, improving business performance, enabling compliance, cultivating future leaders for the company, and bridging communication gaps across an evolving organization.

“Literally everything within the umbrella of a company can be subject to assessment and improvement through internal audit,” said Grant Thornton Risk Advisory Services Principal Adam Ross.

A well-designed and well-executed internal audit function can strengthen management practices and unlock new potential for the company. However, if implemented and executed poorly, internal audit can lead to dissent and resentment about a perceived new layer of bureaucracy.

“The organization needs to be prepared to change, because once you get an internal audit function, it’s going to present recommendations that may require management to do things differently,” Ross said.

Identifying the need for internal audit

For most companies, the potential role of internal audit rests on three legs:

• Risk management and internal control
• Operational efficiency
• Compliance

But there is no single portrait of a company that needs internal audit, even among those required by regulatory compliance obligations. These organizations can look dramatically different from one another — pre-revenue start-up to multi-billion-dollar, multi-generational family-owned business, domestic or international, older-but-evolving organization to newly formed spinoff, consolidated business via merger, and so on.

“If there have been problems at the organization in the past — operational inefficiency, accounting errors, fraud, a cyber security breach, a failed system implementation, gaps in compliance, and so on — that can be an indicator that internal audit can add value,” said Grant Thornton Risk Advisory Services Principal Matthew Lerner.

One of Ross’s clients, a multi-billion-dollar private company, has been successful for decades without internal audit. However, in addition to the lack of an internal audit function, the company has not invested in process standardization, technology enablement and internal control, all contributing to high degrees of inefficiency. The result has been margin compression and executives constantly “putting out fires.”

“In many cases, a CFO will decide it's time to establish an internal audit function to help uncover the root causes of known issues and recommend improvement opportunities, and to have a way to get that information to senior management and the board more consistently,” he said.

Building the case — and dispelling myths

In the early stages, it is helpful to identify tangible examples of the power of internal audit, including from peer companies. Ross gave one recent example from his internal audit consultancy work.

“Using analytics, we identified over $25 million in potential duplicate vendor payments. We worked with our client to identify which ones were likely duplicates, which ones might be false positives, and which required further analysis by the company to conclude,” he said.

In addition to delivering direct financial returns, an internal audit function can enhance a company’s workforce as a training ground for new leaders with cross-functional experience. Ross recalled a conversation from very early in his career: “Besides me,” the department director said, “you are the only one who understands our end-to-end processes.” That brief conversation helped the director realize she needed to increase cross-training across the team and break down silos that had been unintentionally built up over the years.

Internal audit can also foster the cross-pollination of leading practices within your organization, from competitors, and from other industries. For example, Ross shared an experience where he helped a hospital system adapt a leading practice in user authentication and access management from an unlikely source — the gaming industry.

“I was able to talk to a hospital CIO about how casinos were solving for an issue they were struggling with,” he said.

A high-performing internal audit function doesn’t just underline compliance and regulatory needs, or point out policy violations and internal control weaknesses. It identifies improvement opportunities that align with the company’s strategy and objectives, enabling the organization to improve business performance.

Getting that improvement may require overcoming myths and misconceptions about internal audit:

How to build a coalition for internal audit

Building support for internal audit is about clear communication of the new function’s role and potential benefits — starting with the CEO.

“I think there's one person that you have to get on board, and that's the president or CEO,” Ross said.

In some cases, the chief executive may recognize the need and drive the conversation. In others, the CFO (or whoever the executive sponsor is) may need to make the case, as Ross suggested: “Here’s why I believe now is the time we should establish an internal audit function and here’s the potential ROI. We all agree these are important topics that need attention, so if not now, when? If not internal audit, then who?”

Once the CEO is in agreement, they must put their weight behind the effort. After this initial approval, the implementation of an internal audit function is no longer an idea up for discussion; it’s a mandate to be fulfilled.

With the chief executive’s support, alignment from other C-suite leaders and the board will be easier to achieve in a process that will clear the way for a smooth launch.

“If I’m advocating for establishing an internal audit function, I would make sure to socialize this with my peers on the senior leadership team,” Ross said. “However, it's not an ask. It's informing and getting buy-in. It’s providing education to others who might not be as knowledgeable about an internal audit function, especially for private companies — about what the ‘art of the possible’ is.”

Be sure to identify allies early. The general counsel, CIO and of course the board can be key supporters, helping navigate through skepticism and resistance. However, those same senior leaders and others may fear that internal audit will encroach on their domains and meddle in their workflow. 

Expanding the engagement campaign

These early conversations aren’t just about winning people over — they’re about exploring the real potential of the new internal audit function. The new internal audit function won’t just be looking for errors and driving compliance to policy; it will generate ideas and help implement positive change that make the organization more efficient and innovative.