posted October 26, 2016
Internal Auditing without the Internal Auditor
by Matthew Miller, CPA, Senior Associate
Every organization has, or should have, an internal control structure that allows the organization to work efficiently, while reducing risks of theft or fraud. Some of these organizations are large enough to employ their own internal auditors or an entire department. However, many organizations do not have the resources to hire an internal auditor, and in most cases it isn’t necessary.
But without an internal auditor, how can a smaller organization test its controls in an objective way? First, let’s define internal audit. According to the Association of Certified Fraud Examiners, the internal audit function helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Generally, organizations will have an internal auditor perform these functions and report to management throughout the year to identify weaknesses and offer suggestions. This is similar to an external audit in some ways, but is much for detailed and focused based on the needs of the organization.
Now that we have a brief understanding of what internal audit is, there are two more questions: How can this be implemented without an internal auditor, and who will perform the function? We’ll start with the “who,” and then move to the “how.” In the end, an internal auditor would report to management or those in charge of governance.Management can select employees to perform different aspects of the internal audit function throughout the year. Because an internal auditor would spend the majority of their time reviewing controls and writing reports to present to management, this task can’t be assigned to only one or two people – it would just create the internal auditor role that a small organization can’t accommodate.
Instead, a group of employees focused on very specific controls throughout the organization can be effective. Department heads could be ideal, as they would have the most understanding of what the proper controls to ensure they are functioning correctly. However, if management feels the existing controls may not be sufficient, an employee unrelated to the specific area would serve as an unbiased observer, and could offer insight that would otherwise go unnoticed by those performing the functions. For example, an employee who handles cash receipts as their primary job duty could be so caught up in the motions that they fail to see a more efficient way to perform a task, or they may fail to see that they perform too many functions that add risk to the organization. Sometimes another set of eyes can shed light on these deficiencies.
So how do we put this into action? Employees already have to do their normal job duties and have a finite amount of working time. One way could be to spread the work over the course of a month, quarter, or even the entire year. Going back to our cash receipt example from above, a department head or other designated employee can observe cash handling procedures periodically over time. At first they can gain an understanding of the current controls in place, and how job duties should be performed if they don’t already have that knowledge. Next would follow observation and some review of paperwork. Were receipts created when they were required? Are there proper approvals on documents? Does cash deposited equal cash receipted? The idea is that in a smaller organization there isn’t much to review – maybe two or three employees handle cash, making observation and review a small task.
The goal is to take on the role of an internal auditor throughout the organization. The importance of reviewing and improving internal controls cannot be overlooked. Even a small organization can utilize internal audit procedures without hiring a dedicated employee or department.
The content of these pages is for general information purposes only and does not constitute advice. Heinfeld, Meech & Co., P.C. tries to provide content that is true and accurate as of the date of writing; however, we give no assurance or warranty regarding the accuracy, timeliness, or applicability of any of the contents.