Call Us 727-530-1337
By Linda Mahnke
Most of us figure that a "clean" audit report from the CPA firm is sufficient to conclude that the organization is operating well and absent of fraud. This common misperception is utterly incorrect.
Have you ever read the attestations of such an audit report? First, the report makes clear that the preparation of the financial statements is the responsibility of the organization's management. The auditors only express an opinion on the financial statements; the audited organization develops them.
Next, let's think about the actual attestation: The financial statements are free of material misstatement. The attestation does not address whether or not the organization's actual practices are in agreement with management's policies and procedures - or even whether established procedures are good business practices. The opinion specifically addresses the organization-produced financial statements, without regard to how the numbers ended up in them.
A "clean" opinion is unqualified. It states that the scope of the audit was conducted in accordance with Generally Accepted Auditing Standards and without restrictions in scope. What's that in English? The auditors conduct tests of transactions and other audit steps. Note that they do not test 100% of every transaction entered into the general ledger. They test samples of transactions.
The opinion does not give assurance that no fraud exists in the organization. They test preventative and detective internal controls. Because auditors use sampling, they cannot address the non-existence of any fraud in any area of the organization. In summary, a CPA firm audit report on the financial statements gives assurance that the financial statements fairly represent the assets, liabilities, equities, income, expenses, and cash flows. It does not conclude that the organization is operating well and absent of fraud.
Risk Management, often known as operational re-engineering or some other name, assists in the implementation of changes in procedures. They "partner" with management and those responsible for specific functions, to make organizational development easier and attain the desired goals.
Although an Internal Audit (IA) function may include Risk Management, generally, IA is independent. As with independence of external auditors, the implementation of audit recommendations should not involve the auditors; subsequent audits must be independent of the auditor's pre-conceived notions - especially any resulting from the auditor's own implementation of the procedures being audited.
Although IA is usually performed by an employee of the organization, employment is neither required nor the trend for internal audits. Internal audits may be performed by an outside firm; however, the same auditors who perform the financial statements audit may not also perform IA. Whether a review is an "internal" audit depends upon the objective of the audit, not on the employer of the auditors.
IA reviews the following:
In summary, IA performs the scope of audit work and reports on the very topics that most people suppose are covered by the CPA firm's audit report of the financial statements. IA should report to the board of directors, or to an audit committee, which is a subset of the board of directors. The board has a fiduciary responsibility toward the organization, and appoints management. IA should have access to the board, to afford IA the freedom to report a finding that reflects badly on management, especially executive management.
For more information on IA, in general, visit the www.theiia.org web site. Note, also, that the Institute of Internal Auditors offers a certification program. Internal audits are often conducted by Certified Internal Auditors, Certified Information System Auditors, and other professionals that are not, necessarily, licensed Certified Public Accountants. An IA function that frequently reports to the owners of the organization makes sense for small businesses, as well as for publicly traded businesses that are required to have audited financial statements. Small businesses have less "cushion" for inefficient practices and undetected fraud. IA is also especially valuable for entities monitored or audited by the federal government. A finding by IA eliminates an unhappy surprise, and affords time to make changes - prior to a review by a government agency that provides funding through grants or contracts.
We've explored what an internal audit is and the difference between it and the audit of financial statements by a CPA firm. Let's analyze how we can benefit from specific types of internal audits.
An audit of operations evaluates the processes of a certain function or department. Management knows what procedures are best for their own functions and departments; their competency is not the focus of the audit. Internal auditors possess a fresh, outsider's perspective, unburdened by day-to-day urgencies. Often, audit findings are not a result of management not seeing the forest for the trees - but rather, management not seeing the forest for the forest fires. Management rarely has time to step back and analyze whether actual practices are as efficient and effective as possible.
The best recommendations to eliminate/mitigate audit findings come from the management and hands-on staff in the audited function/department.
An audit of compliance may encompass any or all of the following:
Each audit finding cites the source of the rule, evidence of non-compliance, and at least one recommendation to bring the company into compliance or diminish future risk.
In the case of recipients of grant or other contract funds from a government agency, compliance with all terms and conditions is especially ripe for audit. Risk is the combination of the (monetary and other) cost of a bad thing happening and the probability that it will happen. The risk in government contract/grant administration is high because:
This last point holds the lowest probability and the highest cost.
Note that companies which supply significant goods and services to government-funded recipients are also vulnerable. The terms and conditions are flowed down from the primary award document to all significant subrecipients and subcontractors.
Internal controls are the checkpoints for processes crossing the border from one function (or person or department) to another. Segregation of duties precludes:
Only after receipts are documented, should a different person make bank deposits. No one with access to create a check should perform a reconciliation intended, in part, to find unauthorized, cleared checks. Human Resources should be involved in the hiring process.
Conflict of interests precludes:
Purchases are competitive when practical, and based on adequate supporting documentation when not. The President's compensation is approved by the owners (or Board of Directors). Each credit card statement is supported with receipts showing what was purchased - not just that it was purchased - in order to assess the business purpose of each item.
Internal controls cover a wide range of risks. The goal of internal controls is to either prevent or detect a risk. Some irregularities, such as accidental error, cannot be completely prevented. Then, a control is in place to detect each significant risk.
The cost of performing internal audits varies with the risk (and the degree of risk acceptance). Typically, the first step is an overview of all functions and departments. For each worst-case possibility (or bad thing happening) found, a numerical value is assigned to the cost and another numerical value to the probability of the worst case occurring (given what the auditor learns from the overview). After multiplying these two values, the products of each possibility are ranked. Those with the highest risk, and the highest product, are reviewed first. How far down the list and the frequency of each audit, depends upon audit resources.
Large corporations usually retain a department of internal auditors and occasionally supplement this staff by co-sourcing. Small businesses usually retain outsourced internal auditors.
The lowest cost results from self-assessment. In other words, each department head, project manager, and employee continually evaluates the processes in which they take part. Control Self Assessment leads to contributors, who are aware and watchful of ways to improve what they do. This reduces audit findings and the amount of testing required, in addition to greatly reducing risk.
Statistically, even a small business harbors fraud. The question is not whether there is fraud going on in your company. We might not know specifically where (in the company) fraud is committed, or by whom. Whether a fraud audit or fraud investigation is warranted depends upon the cost of the fraud. Company reputation, employee morale, and other factors comprise the cost of fraud - in addition to money.
Management cannot terminate employment for fraudulent activities without the risk of a libel suit, in which management must prove the employee committed fraud to win in court. The burden of proof is on the party stating that the employee committed a fraud. The primary objective of a fraud investigation is to gather evidence for:
A typical internal audit is designed to gather evidence:
A fraud audit/investigation is not warranted without a starting point. For more information on examinations for fraud, visit www.cfenet.com. Due to the cost of performing a fraud audit/investigation, this type of review is initiated only after a particular irregularity is discovered. Audit steps - such as searching for alternate bank accounts, drop-box addresses, and changes in purchasing habits - are invasive and exhaustive. This type of audit is aggressive (to gather evidence of wrongdoing) as opposed to passive (to evaluate whether anomalies exist).
In any case - because auditors do not test 100% of everything - the audit report cannot attest that no fraud exists.