What is internal auditing?
The Institute of Internal Auditors (IIA) definition is:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
I just had other auditors in my area; why are you performing another audit?
In addition to being audited by the Internal Audit Division, your operation may also be audited by external auditors. External auditors could include the N.C. Office of the State Auditor, Federal Auditors, Environmental Health and Safety Auditors or compliance auditors.
While we try to eliminate or reduce duplication of effort by coordinating our schedule with these other auditors, we have no control over their audit plans and our contact with them varies. Consequently, your operation may occasionally be reviewed more than once during the year.
In addition, employees from the Budget and Finance Division may perform “audits” of your area. However, these engagements are very narrowly focused (often only on a small group of transactions) and are not as substantial as those performed by the Internal Audit Division.
How are audits chosen?
Each year, the Internal Audit Division prepares an assessment of risk exposures that may affect the Department. An audit plan is then developed based on this assessment. The objective of the audit plan is to provide senior management with information needed to mitigate those risks.
The Internal Audit Division has prepared a plan which includes cyclical internal control reviews of Department programs as well as engagements focused on areas or processes identified in the annual risk assessment. A variety of factors are used to prioritize these engagements including dollar materiality, quality of internal controls, degree of change or stability, complexity, and length of time since the last engagement. Available staff hours are also considered. The audit plan is revised and changed throughout the year based on emerging risks and available resources.
Every year the Chief Audit Officer provides senior management with an audit plan for review and approval.
What are internal controls?
Internal controls are key processes for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting and compliance with laws, regulations and policies. Effective internal control systems are designed to ensure resource use is consistent with laws, regulations, and policies and to safeguard resources from waste, loss and misuse.
Is the Internal Audit Division responsible for maintaining the Department’s internal control system?
No. Department management is responsible for maintaining an adequate internal control system. Internal Audit independently evaluates the adequacy of existing internal control systems by analyzing and testing controls, and makes recommendations, when necessary, to improve controls based on the results.
What should I expect during an audit?
You will be notified in advance that we will be starting an engagement in your division and we will request to schedule an entrance conference. The purpose of the entrance conference is to introduce you to our team, explain the engagement and the process. During the entrance conference, please ask questions, express your concerns and make any special requests you might have.
After the entrance conference, auditors will begin their survey process.
The survey process includes, but is not limited to:
- A review of your operation’s goals and objectives,
- A review of your standard operating procedures,
- Formal and informal meetings or discussions with employees in your area to gain an understanding of your operations,
- Walkthroughs of key processes and systems and
- A final audit risk assessment based on the information provided.
Following this, we will hold a meeting with you to discuss what we have learned to date and our next steps with respect to fieldwork.
Fieldwork includes, but is not limited to:
- A formal information request, and
- On/Off site testing of key in-scope processes.
Once fieldwork is complete, we will prepare a draft of any observations and recommendations. We will then schedule a meeting to discuss these observations with you. Again, during the meeting, it is important that you communicate any concerns and identify errors. If you disagree with an observation, we will ask you to provide extra information to support your side and will re-perform work if necessary. Following the meeting, we will prepare and issue the final report (including management action plans).
Observations classified as high-risk are followed-up on based on established completion dates.
Will I be kept informed during the audit process and will I have a chance for input before the audit report is issued?
Yes. During the engagement, the assigned auditor(s) will keep you and your employees informed of progress. Auditors may discuss some observations with you or your staff during the engagement. However, all observations will be discussed with you during our meeting at the end of fieldwork.
During fieldwork, please ask questions and talk to the auditors. Please make time for them while they are performing your engagement. Our auditors understand you are busy and have jobs to do. They will try to stay out of your way as much as possible. If you would like more frequent updates or are simply curious, just ask.
Take advantage of the post fieldwork meeting. Ask questions and don’t be afraid to disagree with an observation. The purpose of the meeting is to communicate observations we see as risks to the Department and resolve any mistakes or misunderstandings. We will make reasonable efforts to work with you. Please remember that as much as we would like not to issue observations, the Internal Audit Division has an obligation to other stakeholders. Therefore, we are required to report on some key observations.
Is having an audit observation bad?
No. Having the Internal Audit Division put an observation in your report is not bad. Having an observation in an external audit report is bad. Having fraud occur in your area is very bad. Having inefficient operations is a waste of resources.
Our observations are simply meant to provide you with information so larger issues might be prevented.
My report has a lot of observations, are my operations that bad?
No. The list of observations we provide to you may seem overwhelming and make you feel as if your operations are poor. However, don’t view them as such. First, not all items are included in the final report. Some are provided only for your information. Second, we try to perform a comprehensive and detailed review. Doing so will always generate a long list of issues. We take the view that you are our client and we owe it to you to deliver this type of review so that you have the best information available to make wise decisions.
Will good things I do be pointed out?
Yes! Typically, auditors will identify these practices while performing their audit fieldwork. However, if there is something you are very proud of or want to share, please bring it to the auditors’ attention. We may include it in your report, share it with others as a best practice or recommend the Department adopt it organization wide.
Do I have to implement the auditors’ recommendations?
Yes and no. Obviously, if we have included an observation in a formal audit report it is something that needs to be addressed. However, you do not necessarily need to accept the specific recommendations of the Internal Audit Division.
Our recommendations are provided because we don’t want to identify problems without offering solutions. If you have a different way of reasonably addressing the observation to mitigate the risk, then that is perfectly acceptable. Also, keep in mind that we generally try to provide a recommendation that can be implemented with the resources you currently have.
How long does an audit take?
Engagements may last several days or several months and will vary in length depending on an operation’s size, complexity and the specific audit objectives. Not all the time devoted to the engagement will be evident to you because of the amount of preparation, analysis, and related work needed to document the effort. In fact, most of our time is spent within our office reviewing and testing your documentation. The availability of documentation and the responsiveness of your personnel to requests and questions also impact the time required to complete an engagement.
How can employees help the Internal Audit Division?
You can help with the following:
- Document and maintain procedures in easily accessible manuals. Include current organizational charts, detailed position descriptions and duty lists.
- Develop an understanding of internal control structures: why, when, and how to separate duties; how to cross-check to ensure the accuracy of records; how to keep control accounts and reconcile data; and how to control automated systems for processing data.
- Maintain "audit trails" – the documents or evidence accompanying and supporting references to transactions or actions authorized by management. Adequate audit trails include:
- Requiring signature approvals
- Developing efficient forms or computerized processes to document important, routine decisions
- Maintaining memoranda documenting important and unusual decisions.
- Conduct and document your own quality control reviews, including action taken to address problems and adhere to requirements to retain documents.
Finally, if you suspect or know that someone is involved in some irregularity, please report the individual immediately by contacting the Internal Audit Division. See the Fraud, Waste and Abuse reporting form for various ways of communicating with the Internal Audit Division concerning these matters. You have a responsibility as a member of the Department to report irregularities.
Can I ask the Internal Audit Division for assistance when I’m not being audited?
Always! While our division’s mission is principally accomplished through formal assurance engagements, there is no need for you to rely solely on these engagements to utilize the resources of our division. The Internal Audit Division acts as an in-house consultant on internal control matters and will be happy to provide you with information and suggestions on controls in specific areas.
Why would I want to request an audit?
An assurance engagement is very beneficial to assess operations within your area and identify areas for improvement or change. This assistance may be especially helpful if you have recently assumed a new or additional supervisory role, have implemented (or are planning to implement) a new process or IT system or a key employee has left.
Are auditors looking for fraud when performing audits?
Unless they are performing an investigation, auditors are not specifically searching for the existence of fraud. During a routine assurance engagement, they are more concerned with ensuring adequate systems of internal control exist to reduce fraud risks. However, procedures performed are meant to detect potential fraud and assess your operation’s exposure to fraud risks.
What should I do if I suspect someone is committing fraud?
If you suspect fraud or other questionable acts in your operation, contact the Internal Audit Division immediately. Do not try to investigate or resolve the activity yourself.
Who audits the auditors?
The Institute of Internal Auditors requires an external review (Quality Assurance Review) be performed on the Internal Audit Division at least once every five years. These reviews can be performed by an external review team or can be a self-assessment with independent validation by a qualified reviewer. These reviews cover compliance with IIA Standards including independence and objectivity, audit planning and coverage, audit documentation and reporting and staffing.
Do you have a student internship program?
Yes! We typically have one intern in our office throughout the year. Interns are given the opportunity to work on a variety of engagements and learn the entire audit process from beginning to end. We are interested in students majoring or mastering in the following fields of study:
- Political Science,
- Public Administration,
- Public Policy,
- Public Affairs,
- Business Administration,
- Information Technology,
- Information Systems,
- Management,
- Organizational Management,
- Accounting,
- Finance,
- Agriculture Business,
- Agriculture Economics,
- Economics,
- Management Analysis,
- Operations Analysis,
- Statistics, or
- a related degree.
If you have interest in this opportunity, feel free to stop by our office or give us a call for more information.