Printer Friendly

Overcoming the obstacles to an effective internal control function.

The role of the internal auditor in government is a unique, difficult, and challenging one, beset by obstacles and presented with opportunities. The internal auditor is an essential component of a governmental agency's internal control structure and environment. It is fair to say that there is much confusion in government about what an internal auditor is and does. Thus, the stage is set for internal auditors to demonstrate and enhance the internal audit function as well as engage in a proactive effort to preserve the internal audit function and deflect non-audit tasks that threaten to sap the internal audit function of its viability and effectiveness.

This article will clarify the role of the internal auditor, focusing on the core characteristics of the internal audit function; provide a description of five significant obstacles that taken singly or together can vitiate the internal audit function, plus suggested remedies; and discuss confidentiality and a recommendation regarding that essential pre-requisite for effective internal audit work.

CLARIFYING THE ROLE OF THE INTERNAL AUDITOR

The core characteristics of the internal audit function require a brief presentation because in some circumstances some of the internal audit functions are carried out by government employees who do not have the title or the formal responsibilities of an internal auditor, while in other circumstances, government employees with the title of internal auditor and the putative internal audit responsibilities, do not perform internal audit functions.

The primary core characteristic is that the internal auditor reports directly to the head or the deputy head of the government agency, and that the internal auditor is in a staff role entirely independent of line or operational responsibilities and duties. In situations in which the agency has a governing board, the reporting relationship has been or is in the process of being transformed to require that the internal auditor report to the governing board or an audit committee of the governing board. In these circumstances, the internal auditor is located completely outside the hierarchical structure of the agency and is distinct from all staff and line functions. Instead of reporting to one individual, the internal auditor reports to a group.

The second core characteristic is that the internal auditor's independence is guaranteed in determining the areas to audit; the scope of the audit; the nature, timing, and extent of audit tests; and the reporting of background information, findings, and conclusions. The concept of independence extends to the hiring, promotion, and firing of internal audit staff, and to all final decisions relating to reporting results or referring matters to appropriate external authorities.

The third defining characteristic is that the internal auditor function as a super control for the agency. The primary mission of the internal auditor is to assess risk; determine whether internal controls exist to mitigate or eliminate the identified risk; assess the design of existing internal controls; determine whether the internal controls have been placed in operation; and test the implementation and effectiveness of the internal controls. As such, the internal auditor's role is that of the principal control point in the agency because the internal auditor function is to contribute to the overall control environment by assessing the existence, functionality, and effectiveness of all other material internal controls.

The fourth defining characteristic is that the work of the internal auditor is principally for the benefit of management. Findings and recommendations are furnished to management and are designed to enable management to strengthen the agency's internal controls and thereby enhance the control environment. Broadly speaking, the function of the control environment is to protect public resources from loss and to ensure that such resources are used efficiently and effectively.

The fifth core characteristic of governmental internal auditors is that the internal audit work is conducted pursuant to authoritative standards. The principal standard-setting bodies are the Institute of Internal Auditors, the American Institute of Certified Public Accountants, and the Government Accountability Office. Of the three, the standards and guidance established by the GAO are the most applicable, because the GAO has a government, rather than a private sector, focus. The Yellow Book, published by the GAO, is comprehensive in terms of the types of audits included and the number of areas addressed by the standards, as well as in the explanatory information included with the standards.

In sum, the internal auditor functions as an in-house test engine, independent of the areas being audited, subject to authoritative standards, and reporting the results to management so that the overall performance of the agency can be improved.

OBSTACLES TO AN EFFECTIVE INTERNAL AUDIT FUNCTION

Five obstacles to an effective internal audit function are especially salient.

The first obstacle is an undefined or ill-defined internal audit function. Where this is the case, management often usurps the function by assigning non-internal audit responsibilities to the internal auditor. These new responsibilities may wholly or in part subsume the internal audit activities.

This action has a double negative effect. In the first place, the new non-audit responsibilities supplant the audit responsibilities and push them to the periphery or completely off the table. Since resources are finite, internal auditors then face a zero-sum calculation requiring the replacement of audit tasks with non-audit tasks. Sometimes, the non-audit tasks can be worked into the flow of ongoing audit work. However, in the second place, such management assignments tend to have a high, or the highest, priority attached to them. In these cases, the non-audit assignments have the maximum disruptive effect on the internal audit function, because all ongoing work is thrown aside to complete those assignments of highest priority to management.

Frequently, from top management's perspective, the internal auditor is a valuable resource in decision making because of the internal auditor's high-level position in the agency and because of his or her experience and expertise. Thus, the temptation is great, when all other operational personnel are fully engaged, to turn to the internal auditor for new and important management projects. Clearly, such a management capture of the internal auditor cuts the heart out of the internal audit function and renders it an activity in name only but not in substance.

The front-line defense against such an unfortunate development is management's understanding of, and commitment to, the internal audit function. It cannot be emphasized enough that since this danger emanates from top management, only top management can ensure that non-audit responsibilities are kept at bay.

The second obstacle is fraud investigations. This may appear paradoxical, because fraud prevention and detection are specific internal audit responsibilities. In many agencies, indications of fraud are referred not to the internal auditor, who may or may not be informed of the matter, but to internal affairs, in-house security, the police, the local district attorney general, or the U.S. attorney general (if federal funds are involved). In other agencies, the internal auditor is expected to analyze documents, conduct interviews, and amass the evidence necessary for disciplinary action, recovery of funds or property, and successful prosecution.

Fraud investigations, unlike audits, are resource intensive, time consuming, and subject to different and complex legal and evidentiary standards. Just as management's non-audit assignments supplant legitimate internal audit activities, so do protracted fraud investigations. Consequently, it is critical that the internal auditor, in conjunction with top management, develop appropriate protocols for resolving fraud cases, including guidelines relating to when to engage outside assistance and when to refer the matter for investigation to law enforcement agencies.

The third obstacle is the effect of the Sarbanes-Oxley Act of 2002. Although Sarbanes-Oxley is only applicable to publicly traded companies, the principles embodied in the law are applicable to many other situations, including government. In fact, there is some sentiment that government agencies should be held to the same, if not higher, standards specified in Sarbanes-Oxley. One of the key elements of Sarbanes-Oxley is the requirement of independent audit committees for boards of directors. Other government jurisdictions are considering or have enacted legislation that parallels Sarbanes-Oxley in this respect. In Tennessee, for example, the Tennessee General Assembly enacted the State of Tennessee Audit Committee Act of 2005.

The underlying conceptual approach of Sarbanes-Oxley is that agency management is responsible for conducting and documenting regular periodic risk assessments. The results of the risk assessments are to be used by management to design appropriate internal controls to mitiRate the identified risks. The backbone of the entity's operations is an effective system of internal controls designed to safeguard the agency's assets and to ensure that the agency's financial information is correct.

In its risk assessment efforts, management may utilize internal auditors to assist in the risk assessment, but the use of internal auditors does not excuse management from its direct responsibility to understand the risk assessment and its implications. Although internal auditors may be involved in the risk assessment, the final assessment needs to be made solely by top management. In this regard, the potential obstacle is that management may delegate the final assessment responsibility to the internal auditor.

There is great temptation for top management to use internal auditors in this manner because internal auditors are in the risk assessment business and they conduct risk assessments as a means to establishing annual or multi-year audit schedules and as an integral part of planning individual audits. Internal auditors must be alert to the improper delegation of top management responsibilities to the internal auditor. Besides reminding management of its responsibilities, the appropriate and sufficient safeguard against this devolution of tasks is management's understanding and commitment to the mission and independence of the internal auditor.

Another underlying conceptual cornerstone is that agency management is responsible for the design, implementation, and monitoring of internal controls. The internal controls of the agency are the primary factors that protect the entity from fraud, waste, abuse, and misstatements in the agency's financial statements. To be effective, internal controls must be well designed, thoroughly documented, appropriately implemented, and regularly monitored. As with risk assessments, management may utilize internal auditors to assist in efforts to design and monitor internal controls. Also, as with risk assessments, there is great temptation for top management to use internal auditors because internal auditors are in the test control business and conduct tests of controls routinely during audits.

Monitoring controls, a management responsibility, differs from testing controls, an internal audit function. Monitoring controls is an ongoing continuous process, while testing is specifically targeted to particular issues and selected controls. Moreover, auditors are specifically prohibited by professional standards from auditing controls that they themselves have designed. Consequently, in the realm of designing controls, the internal auditor's contributions must be limited to providing information related to risks, control failures and deficiencies, and possible controls to be considered. An internal auditor cannot participate in the final selection or the detailed design of internal controls. As with risk assessments, reminding management of its responsibilities and management's understanding and commitment to the internal audit function are essential to prevent mission creep, if not leap, for the internal auditor.

The fourth obstacle is the assignment of sexual harassment and discrimination cases to the internal auditor. In both areas, the internal auditor is particularly iii suited to conduct such reviews, which detract from audit responsibilities. The internal auditor is ill suited because such reviews require specialized training, protocols, and documentation distinct from audit training, procedures, and documentation. Internal auditors are rarely, if ever, furnished training and information pertaining to sexual harassment and discrimination matters. Such cases should be handled separately from the internal auditor, by different staff, following appropriate protocols, and subject to the applicable legal requirements.

The fifth obstacle is the new or expanded responsibility for monitoring or auditing external contracts. It is common for one of the traditional responsibilities of the internal auditor to be monitoring or auditing the performance of vendors with whom the agency has contracts. As with the other obstacles discussed above, the danger to the internal auditor is that what should be a small and manageable component of the work becomes over time the principal focus. This may result because the external audit workload is primarily dependent on two variables: the planned audit work per contract and the number of contracts to be audited. Naturally, as the number of contracts increases, so does the amount of time and the audit resources that need to be devoted to the external audit effort.

Recent experience shows that more government services and functions are being contracted out. Moreover, in some cases, the external audit of contracts, which used to be the responsibility of a separate external contract-monitoring group, has been decentralized and delegated to government agencies. Within an agency, the tendency has been to attach the external audit function to the internal audit function because the internal audit function has already been established, and both functions are audit based.

Consequently, the internal auditor may be solely responsible for internal auditing one day and the next day be responsible for both internal auditing and external auditing of numerous contracts, with little or no additional staff provided. Further, in some situations the agency may have a requirement that no contract can be renewed until the external audit has been completed. In these situations, the internal auditor may find that all his or her efforts are devoted to external auditing. Needless to say, such a development negates the internal audit function. As with the other obstacles, the best proactive approach requires a clear vision by management of the function and value of the internal auditor, a thorough understanding of the various work demands, and an absolute commitment by top management to maintain the vitality and effectiveness of the internal auditor.

PROTECTING CONFIDENTIAL INFORMATION

One of the most problematic issues that needs to be addressed by government internal auditors is that of the confidentiality of complainants, working papers, and draft reports. Many government jurisdictions have long-standing open records or freedom of information acts that open all or most government records, with few exceptions, to public inspection. These acts resulted from overwhelming public support for open government and complete transparency of government operations. In many, if not most, cases, the work of the internal auditor has not been exempted from open records acts. Thus, the notes from the internal auditor's interview with a witness or suspect may be requested by, and must be provided to, private citizens as well as television, newspaper, and Web log reporters. It is not usual (and it is becoming more common) for public documents, such as letters, memoranda, invoices, payment records, and personnel files, to be posted in their entirety on media Web sites as companion material to investigative reports.

Generally, the governmental external auditor has been granted an exception for its work under the Open Records Act or its equivalent. However, the governmental internal auditor has not been afforded that protection to the same degree. In many cases, the Open Records Act is silent as to the work of the internal auditor.

Given the lack of protection of internal audit work products, the internal auditor, in conjunction with the agency's legal counsel and top management, should conduct a thorough review of the confidentiality provisions relating to the internal audit function, and, if possible, strengthen those provisions through legislation, rules and regulations, and policies. Clearly, the exposure of a complainant's name and the nature of his or her complaint, against the wishes of a complainant who desires confidentiality, will chill the channels of communication of wrongdoing to the internal auditor, if not foreclose them altogether.

Documents that are public records under normal circumstances should be disclosed promptly and in accordance with applicable laws. However, audit files, which reflect work in process, should not be available for public inspection. The final word for the internal auditor is the issued report, and the completed report should contain the findings, recommendations, and supporting documentation for the auditor's conclusions. Of course, the claim of confidentiality should not extend to court proceedings, where the information can be legitimately provided pursuant to a valid subpoena.

SUMMARY

The internal audit function is defined by specific parameters relating to reporting, independence, standards, and mission as a means to fulfilling its destiny as a super control of invaluable benefit to management. Standing in the way of an effective internal audit function are five obstacles or impediments. A common theme is top management's inclination to assign non-audit tasks to the internal auditor. Since top management is the cause of the problem, the solution is top management's full understanding of and commitment to the internal audit function. In addition to these concerns, the internal auditor should be sensitive to the issue of confidentiality of audit files and draft reports, and should work diligently to appropriately protect confidential information. Overall, the internal auditor, unfettered, is an integral part of a governmental agency's efforts to design, implement, maintain, assess, and recalibrate its internal control structure to ensure the efficient and effective use of public resources, safeguard public assets, fairly present financial information, and detect and prevent fraud, waste, and abuse. |

GFOA ON THE INTERNAL AUDIT FUNCTION

GFOA makes the following recommendations regarding the internal audit function in government:

1. Every government should consider the feasibility of establishing a formal internal audit function, because such a function can play an important role in helping management maintain a comprehensive framework of internal controls.

2. The internal audit function should be established formally by charter, enabling resolution, or other appropriate legal means.

3. The internal auditors should conduct their work in accordance with the professional standards contained in GAO's Yellow Book

4. The head of the internal audit function, at a minimum, should possess a college degree and appropriate relevant experience. It is also highly desirable that this person hold some appropriate form of professional certification, such as Certified Public Accountant, Certified Internal Auditor, or Certified Information Systems Auditor.

5. All reports of the internal auditor, as well as the annual internal audit work plan, should be made available to the agency's audit committee or its equivalent.

Source: Establishment of an Internal Audit Function, GFOA Recommended Practice (1997), http://www.gfoa.org/services/rp /caafr/caafr-establishmentinternal-audit.pdf.

GLEN MCKAY is assistant director of the State of Tennessee's Department of Audit.
COPYRIGHT 2006 Government Finance Officers Association
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2006 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:role of internal auditor, internal audit function
Author:McKay, Glen
Publication:Government Finance Review
Geographic Code:1USA
Date:Feb 1, 2006
Words:3015
Previous Article:Understanding internal control.
Next Article:Who's minding the store? New York State's ongoing quest to strengthen internal control.
Topics:


Related Articles
Internal audit's new role: put together a top-notch department.
A strategic player: hiring and inspiring a chief audit executive.
The evolving role of internal auditors.

Terms of use | Copyright © 2017 Farlex, Inc. | Feedback | For webmasters