What is Internal Audit?

When I am asked, “What does an internal auditor do?” my response is usually, “How much time do you have for me to answer that question?” 

As a long time internal auditor (35 years), I have often been disappointed by the perception of management (and others) regarding the purpose and value of internal audit. Ask management about internal audit and their response if usually that audit reviews financial statement and processes.  Sometimes, this is the fault of the internal audit shop itself – restricting its audits finance-related topics and audits that are easy such as accounts payable and P-Card.  

First, I would argue that financial statement audit are the purview of external auditors, not internal auditors.   But I would also argue that internal audit should be address more than financial risk.  Operational, Environmental, Legal, HR, strategic and other risks can be more damaging to an organization that financial risk and should be included in internal audit’s universe and a part of their risk-based plan.

To give you an example of the variety of topics internal audit can and should consider, I reviewed my notes on the analytics I have performed during my career in internal audit – as either in-house auditor or consultant supporting internal audit.  The types of work included:

• P-Card – identify split payments and personal purchases (yes internal audit should still be looking at financial risk)
• Fleet – identify low MPG (illegal use of fuel car to fill personal vehicles) and high repairs (e.g. 3 mufflers in year)
• Pay – validate payroll against timesheets – identified $300K error in Overtime; verify pay rates by classification (identified clerk making $37K more than pay rate for clerks); duplicate payments; regular and acting pay; incompatible allowances or bonuses; manager claiming overtime
• Criminal Parole – analysis of effectiveness of Re-Offender Program
• Unit readiness – army unit readiness to be deployed
• Police effectiveness – analysis of conviction rates to identify best-practices
• Transportation – analysis of most efficient truck sizes (cubic feet) to address standard routes
• Coroner’s office – analysis of cause of death to assess health program effectiveness
• Road repair – analysis of repair costs, road type and age, accident rates –  to assess economy of repair program
• Laboratory tests – analysis of laboratory services levels (time to process samples) against contract service level agreement
• Telecommunications – analysis of digital traffic on leased long distance lines to identify under-used lines (cost reduction)
• Separation of duties – identify user performing incompatible duties (e.g. create vendor, enter goods receipt and invoice)
• HR Staffing – analysis of staffing process to identify significant bottlenecks
• Employee Leave – analysis to identify leave liability (economic value of unused leave)
• Contracting – overpayment (unit price) for items; splitting to avoid contracting requirements; and nepotism
• Medical claims – to identify cases of employee fraud (duplicates, selling of extra medication, invalid procedures)
• Pension – identify payments after death; miscalculated pensionable years and pension rates
• Stock trader – analysis of unusual patterns by stock trader

My point is, there is much more to internal audit than looking at financial risk.  Internal auditors can provide more value by assessing other risks, programs, and activities.  I hope this makes you think about your internal auditors in a different way.  And if you are a Chief Audit Executive, that you will endeavor to expand the ranges of audit topics.

Dave Coderre, CAATS