What is Internal Audit?

When I am asked, “What does an internal auditor do?” my response is usually, “How much time do you have for me to answer that question?” 

As a long time internal auditor (35 years), I have often been disappointed by the perception of management (and others) regarding the purpose and value of internal audit. Ask management about internal audit and their response if usually that audit reviews financial statement and processes.  Sometimes, this is the fault of the internal audit shop itself – restricting its audits finance-related topics and audits that are easy such as accounts payable and P-Card.  

First, I would argue that financial statement audit are the purview of external auditors, not internal auditors.   But I would also argue that internal audit should be address more than financial risk.  Operational, Environmental, Legal, HR, strategic and other risks can be more damaging to an organization that financial risk and should be included in internal audit’s universe and a part of their risk-based plan.

To give you an example of the variety of topics internal audit can and should consider, I reviewed my notes on the analytics I have performed during my career in internal audit – as either in-house auditor or consultant supporting internal audit.  The types of work included:

  • P-Card – identify split payments and personal purchases (yes internal audit should still be looking at financial risk)
  • Fleet – identify low MPG (illegal use of fuel car to fill personal vehicles) and high repairs (e.g. 3 mufflers in year)
  • Pay – validate payroll against timesheets – identified $300K error in Overtime; verify pay rates by classification (identified clerk making $37K more than pay rate for clerks); duplicate payments; regular and acting pay; incompatible allowances or bonuses; manager claiming overtime
  • Criminal Parole – analysis of effectiveness of Re-Offender Program
  • Unit readiness – army unit readiness to be deployed
  • Police effectiveness – analysis of conviction rates to identify best-practices
  • Transportation – analysis of most efficient truck sizes (cubic feet) to address standard routes
  • Coroner’s office – analysis of cause of death to assess health program effectiveness
  • Road repair – analysis of repair costs, road type and age, accident rates –  to assess economy of repair program
  • Laboratory tests – analysis of laboratory services levels (time to process samples) against contract service level agreement
  • Telecommunications – analysis of digital traffic on leased long distance lines to identify under-used lines (cost reduction)
  • Separation of duties – identify user performing incompatible duties (e.g. create vendor, enter goods receipt and invoice)
  • HR Staffing – analysis of staffing process to identify significant bottlenecks
  • Employee Leave – analysis to identify leave liability (economic value of unused leave)
  • Contracting – overpayment (unit price) for items; splitting to avoid contracting requirements; and nepotism
  • Medical claims – to identify cases of employee fraud (duplicates, selling of extra medication, invalid procedures)
  • Pension – identify payments after death; miscalculated pensionable years and pension rates
  • Stock trader – analysis of unusual patterns by stock trader

My point is, there is much more to internal audit than looking at financial risk.  Internal auditors can provide more value by assessing other risks, programs, and activities.  I hope this makes you think about your internal auditors in a different way.  And if you are a Chief Audit Executive, that you will endeavor to expand the ranges of audit topics.

Dave Coderre, CAATS

This article has 2 Comments

  1. Dear Dave,
    I am a new employee in the Internal Audit dept of my organization and I realized that I needed more guide manoeuvring than I had thought. I agree that audits should review all types of risk. If I have learned anything within my short venture into this aspect of management, it is that every risk should be identified, evaluated and mitigated.
    My organization does try its best in these areas and I am currently in a unit that handles more of IT audit and fraud analytics. However, it is beyond me what exactly I should be watching out for.
    I still cannot say if my organization does all the above-listed assurances you have set out, but I would like to know more.

    1. Many internal audit organization struggle with their development of a risk-based audit plan. Identifying, assessing and understanding the risks associated with the achievement of organizational objectives is difficult. And, even if done, will not always be accepted by senior management as where audit should spend its time.
      You have recognized that there is room for improvement in your organization which is an important step in moving forward. I would encourage you to check out the many resources offered by the IIA and the insights espoused at conferences and trainings. Internal audit is a life-long learning challenge and opportunity. Good luck.

Leave a Reply

Your email address will not be published. Required fields are marked *