Internal
audits

Supplier payments represent a large part of the company’s external costs. This means that there are considerable risks connected with purchasing and how the company handles supplier invoices and since the responsibility is often distributed among different functions, there is also an increased risk of procedures not being complied with. 

The purpose of an internal audit is to investigate the present position and recommend measures for streamlining risk management and internal control, thus contributing to the organisation’s more effective goal fulfilment and improved results. 

An internal audit means increased control of the business and quite simply gives you confidence that everything is going as it should. Risks of not having functioning internal control can have serious consequences and in the worst case can mean that the external audit results in an adverse auditor’s report, which can lead in turn to further investigation by the Swedish Tax Agency. Stress that is demanding of both time and costs and that a company would much rather avoid.  

Examples of procedures that an internal auditor investigates:

• Are there procedures for initial and ongoing control of suppliers?
  An internal auditor should ensure that there are procedures to ensure that the company’s suppliers comply with their mandatory tasks and requirements. 
• Are there procedures for monitoring changes in data?
  An internal auditor should ensure that there are procedures for monitoring changes in suppliers and that there is a system for being able to note these changes. 
• Are there procedures to ensure that the supplier register is up to date? 
  There should be a defined procedure for constantly scrutinising the supplier register and thus ensuring that it is up to date.
• Are there procedures to ensure that supplier invoices are checked and approved in accordance with defined rules?
  All types of transactions must be approved in at least two stages through scrutiny approval and decision approval. The approvals must not be given by the same person.   

Three lines of defence

To ensure that a company avoids risks in internal control, we normally talk about three lines of defence. The first line of defence refers to employees who handle day-to-day risk management and monitor that areas such as supplier payments and the supplier register comply with defined requirements. 

The second line of defence consists of the company’s rule compliance and risk functions. Their main task is to ensure that the company is run according to applicable laws and standards and to back up the first line of defence with advice. 

The purpose of the third and final line of defence is to investigate and evaluate the first and second lines of defence and this is where internal audits come in. Among other things, those responsible for the third line of defence run controls on the risk management system and find improvement measures to increase efficiency.