So that we are all on the same page, let’s start with the definition of internal auditing:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
With a definition like that, who wouldn’t want to include internal auditing within their organization?
Needless to say, most community colleges do not have an internal audit department within their institution; the reason is that it is perceived as cost prohibitive. As a result, it’s usually the larger community colleges that maintain their own internal audit department. However, internal audit doesn’t need to be an all or nothing proposition.
For those institutions that do not have their own internal audit function and that don’t perform any internal audit activities, consider the following common myths and related realities.
Our college is too small to need an internal audit function – A dedicated internal audit department is not always needed. What is important is that internal audit-type activities are occurring. Regardless of size, making sure that internal controls are actually functioning as intended is critical for any organization. Whether it’s ensuring efficient processes, compliance with organizational policy, or reducing the risk of fraud, every college should be concerned about these tenants of good business practice, regardless of size. In fact, an unexpected occurrence, such as a fraudulent incident, may be more detrimental to a smaller college given its limited resources.
We have an internal audit department so we are in good shape – This may be true, but more than likely, a community college internal audit department is under-resourced and, therefore, may not have the necessary skill sets in-house for today’s high risk environment (i.e., IT audit). Complementing a small internal audit department with assistance from a professional services firm allows access to the expertise needed to address specific risks.
We have an external audit performed every year; that covers a review of internal controls, right? – An external audit focuses on auditing the college’s financial statements. While an external audit considers the college’s control environment and reviews certain internal controls surrounding the preparation of the college’s financial statements, the audit testing performed during an external audit engagement is not akin to internal audit-type testing.
We have a strong control environment and are operating efficiently, primarily because we have a workforce that has an average tenure of 20+ years – While an experienced workforce certainly can be an asset for any organization, it also can provide its own set of challenges and exposures. For example, employees may be doing things the way they’ve always been done regardless of whether these procedures are in line with new policy requirements; employees may not be reviewing processes for operating efficiencies; staff may have taken on additional financial responsibilities over the years without proper training to ensure competence; long-term staff, who may not have had proper training over the years, may be informally or incorrectly training new staff. These circumstances can lead to a weak control environment, which can open the door for fraud to occur. Many times, the perpetrator of a fraud incident has worked for an organization for a long time.
We have well-written policies and procedures which include strong internal controls – Not all policies and procedures are made the same. Well written policies and procedures do include internal controls. However, just because a good procedure exists, doesn’t always mean it’s being followed. Poorly followed policies and procedures result in a false sense of security and integrity from a controls perspective.
Considerations Going Forward
There are a variety of actions that a community college may pursue even though they are unable to fund an internal audit department. Some of the actions that a community college may pursue in order to strengthen internal controls and the control environment are:
- Develop and maintain a management self-assessment program that includes testing.
- Provide internal controls and risk assessment training for staff and faculty.
- Engage a professional services firm to assist with the development of a blended internal audit program for the college, whereby select internal audit-type activities are performed annually to achieve the desired level of risk tolerance and an enhanced control environment. Such a blended program may include the training mentioned above, traditional department or process audits, limited scope reviews, and management advisory services.
- For many community colleges, this approach can achieve the desired risk-based audit coverage for a fraction of the cost of maintaining an in-house internal audit department and for a fraction of the cost of the fines and penalties that may be assessed if exposures are not identified and managed.
Internal auditing strengthens an organization’s control environment, identifies control weaknesses, exposes inefficient processes, and assists in the achievement of objectives. So, what opportunities is your institution missing?
Steve leads Bonadio’s Higher Education Internal Audit Team. Prior to joining The Bonadio Group, Steve served as assistant vice president of Internal Auditing for the Rochester Institute of Technology.