So that we are all on the same page, let us start with the definition of internal auditing:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
With a definition like that, who would not want to include internal auditing within their organization!?
Needless to say, many tax-exempt entities do not have an internal audit department within their organization; the reason often is that it is perceived as cost prohibitive. As a result, it is usually the larger organizations that maintain their own internal audit department. Internal audit does not need to be an all-or-nothing proposition, however.
For those institutions that do not have their own internal audit function and that do not perform any internal audit activities, consider the following common myths and the related realities.
Our organization is too small to need an internal audit function.—A dedicated internal audit department is not always needed. What is important is that internal audit-type activities are occurring. Regardless of size, making sure that internal controls are actually functioning as intended is critical for an organization. Whether it is ensuring efficient processes, compliance with organizational policy, or reducing the risk of fraud, all tax-exempt organizations should be concerned about these tenets of good business practice, regardless of size. In fact, an unexpected occurrence, such as a fraud incident, may be more detrimental to a smaller organization given its limited resources.
We have an external audit performed every year; that covers a review of internal controls, right?—An external audit focuses on auditing the organization’s financial statements. While an external audit considers the organization’s control environment and reviews certain internal controls surrounding the preparation of the organization’s financial statements, the audit testing performed during an external audit engagement is not akin to internal audit-type testing.
We have a strong control environment and are operating efficiently, primarily because we have a workforce that has an average tenure of 10+ years.—While an experienced workforce certainly can be an asset for any organization, it also can provide its own set of challenges and exposures. For example, employees may be doing things the way they have always been done regardless of whether or not these procedures are in line with new policy requirements; employees may not be reviewing processes looking for operating efficiencies; staff may have taken on additional financial responsibilities over the years without proper training to ensure competence; and long-term staff, who may not have had proper training over the years, may be informally or incorrectly training new staff. These circumstances can lead to a weak control environment, which can open the door for undetected errors or fraud to occur. In many cases, the perpetrator of a fraud incident has worked for an organization for a long time.
We have well-written policies and procedures, which include strong internal controls.—Not all policies and procedures are created the same. Well-written policies and procedures do include internal controls. Just because a good procedure exists, however, does not mean that it is being followed. Poorly followed policies and procedures result in a false sense of security and integrity from a controls perspective.
Considerations going forward
There is a variety of actions that a tax-exempt organization may pursue, even though it is unable to fund an insourced internal audit department. Some of the actions that an organization can follow in order to strengthen internal controls and the control environment are:
- Develop and maintain a management self-assessment program that includes testing.
- Provide internal controls and risk assessment training for staff.
- Engage a professional services firm to assist with the development of a blended internal audit program, whereby select internal audit-type activities are performed to achieve the desired level of risk tolerance and an enhanced control environment. Such a blended program may include the training mentioned above, traditional department or process audits, limited scope reviews, and management advisory services.
Internal auditing strengthens an organization’s control environment, identifies control weaknesses, exposes inefficient processes, and assists in the achievement of organizational objectives. What opportunities are your organization missing?
Steven Morse is a principal based out of our Rochester, NY office.