What does an Internal Auditor do?

I have just had an interesting conversation with a CPA. (that sounds kind of strange in itself. However, she is an interesting person)
She tried to explain what an internal auditor in a large company or Government Agency does.
Turns out it is far more than checking the books for someone syphoning off cash.

In fact, an IA audits business practices throughout the company. They audit HR, or Legal, or even Logistics. In those cases they don’t look at money at all. They audit the operations of the department to make sure everyone is following procedures. Are all the HR clerks filling out the proper forms? Does Purchasing always get 3 bids before buying anything? Things like that.

Not at all what an IA would do in my mind. I thought an auditor would check the financial operations and check the bank statements etc. Money things only.

So, in your experience do IAs:

  1. just check financial transactions
  2. check all operations of the organization?

I worked for 35 years and never heard of 2.
Of course I always thought that “all” meant every one. Shows how much I know about the world of accounting. (An audit of all transactions means examining a statistically valid sample of the transactions, not every transaction.)

I do a lot of reporting for auditors every year. This includes our own internal audit team and the government audit office. And, while many of the reports do cover financial aspects of the business, some cover procedural matters - ensuring that business processes intended to mitigate risk are followed. Some audits are designed solely to validate system inputs, functions and outputs.

But as I say of auditors their only purpose is to come along behind the person that did all the actual work and say, “I wouldn’t have done it like that.”

I’ve done internal audits but not of the accounting part, of the Management System part (specifically under ISO 9000 and ISO 12000). Those two ISO systems, one for managing Quality (not “specification checks” but “customer satisfaction”) and Environmental policies, were specifically designed so that it’s easy to have them together. ISO 9000 is based on the following:

  1. figure out what it is you do and how you do it
  2. write it out
  3. follow the procedure
  4. when the procedure and what you’re doing do not match, update one or the other. You may need a new procedure, you may need to train your people, or you may need to update the procedure.

As simple as it sounds, very often people either write manuals which describe not what is but what they dream of after enough opium, or they get bogged down in the idea that “if the norm requires this in triplicate, doing it in quintuplicate will be better”… the job of the IA is to review things the same way an external auditor would, then to update the manuals and/or train people as necessary. Any problems you find through an internal audit will be cheaper to find, fix and check fixed than when an external auditor is involved.

My little bro is an auditor for a company we’ve all heard of. He has his BS in chemistry and his MS in statistics. He catches people doing things they aren’t allowed to do, financially. His biggest catch was a trio of guys who had rigged the bidding process and had skimmed several million dollars. He also caught someone who had accidentally charged a $30 purchase on her company card instead of her personal card. The company prosecuted in both situations.

When my brother visits a city, his reputation precedes him. He hires a locksmith to change/add locks to areas where he is working, primarily as an intimidation maneuver.

Yeah, you can pretty much “audit” anything with rules or repetition.

I don’t know if I’ve ever met someone who has formally called themselves an “internal auditor” as their job title, but it sounds like the sort of job someone working at Deloitte or KPMG might have who didn’t work in a Tax, Audit (financial statements) or Technology practice area. Which I guess just leaves “Advisory” services. Or it might be rolled up into a functional area like “Compliance”, “Procurement”, “Information Security” or whatever.

I would imagine an “internal auditor” would go around making sure that the company is in compliance with regulatory requirements like Sarbanes-Oxley or GDPR.

I’m going to call bullshit on that. Accidentally charging $30 of personal expenses on your corporate card is not a) intentional nor b) material. The typical procedure in such a case is to just reject the expense.

I’ve worked in places that were ISO 9000 compliant, and I disagree. In practice, what it’s based on is: Write a procedure. Do whatever it is you do in the job. Train your people that if an auditor of any sort asks them how they handle a situation, to say “I look it up in the database/web page/book of procedures which is here”. Qualify for the certification so that the business can advertise that they are compliant with it.

The idea of actually following the stuff that’s in ISO-required procedures, or of making them match what is actually required to get the job done has never been a part of ISO-9000 compliance anywhere that I’ve seen.

I have been assigned to produce reports for auditors.

This was when I worked as a programmer in Computing Services.

Audit requests were high priority. Whatever data they wanted had to be pulled from the database, sorted, grouped, and summarized however they wanted. No questions asked.

Some of the requests had me a bit confused about what they were checking. I just cranked out the reports and assumed the auditors had their reasons.

Sometimes an audit would finish with recommendations for a report to be run regularly by payroll or the controller’s office. I’d get tasked with supplying the report and they would run it as required.

I always thought of auditors as a 2nd set of eyes. It’s so easy to overlook a potential problem in the collection of financial data or the way it’s tracked. The auditors were there to spot these issues and make sure they were resolved.

He found the charge long after the fact and the employee was let go. There were no criminal charges.

Part of Internal Audit is ensuring that the barn doors are closed before the horses walk out.
I used to own (a piece of) SOX-EAC for a large financial services firm that I worked at that any US doper (& many of our foreign dopers) would know of & many have actually used the services of.

EAC or Enterprise Access Controls is looking at who has access & ensuring that they need it. On a quarterly basis, I’d get a list of every user who had access to certain functions. Everyone who could request a payment (check, ACH, &/or wire) & everyone who could approve a payment. I had to verify that everyone on those lists still needed that functionality as well as the fact that no one person was on both lists (to prevent someone from both requesting a payment & then approving their own request).

Sure, it was easy to confirm that anyone who left the company had their access terminated, but what about someone who left the department for some internal posting? Given that they didn’t leave the company, they kept their access badge & email, but do they still need access to request a payment in their new role of ___, which is totally unrelated to their old position? Even if they did, their approval didn’t come from our department anymore, it came from their new department, so we’d delete them & then their new department would request they be given access.
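The quarterly EAC review the post above describes, as an added example in Python (not the poster’s code): the users, departments and entitlement list are constructed, and it flags both segregation-of-duties violations (same person can request and approve a payment) and access whose sponsoring department no longer matches where the user works (leavers and internal transfers).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entitlement:
    user: str
    function: str       # "request_payment" or "approve_payment"
    sponsor_dept: str   # department that requested the access grant

# Constructed sample HR record: where each user currently sits.
# A user who has left the company simply has no entry.
CURRENT_DEPT = {
    "alice": "treasury",
    "bob": "treasury",
    "carol": "marketing",   # transferred out of treasury, kept her access
    "dave": "treasury",
}

# Constructed sample entitlement pull for the quarterly review.
ENTITLEMENTS = [
    Entitlement("alice", "request_payment", "treasury"),
    Entitlement("bob", "approve_payment", "treasury"),
    Entitlement("carol", "request_payment", "treasury"),
    Entitlement("dave", "request_payment", "treasury"),
    Entitlement("dave", "approve_payment", "treasury"),
    Entitlement("erin", "approve_payment", "treasury"),  # erin has left
]

def sod_violations(entitlements):
    """Users on both lists: they could request a payment and approve it."""
    by_user = {}
    for e in entitlements:
        by_user.setdefault(e.user, set()).add(e.function)
    return sorted(u for u, funcs in by_user.items()
                  if {"request_payment", "approve_payment"} <= funcs)

def stale_access(entitlements, current_dept):
    """Entitlements to revoke: user left, or moved to a department that
    did not sponsor the grant (the new department must re-request it)."""
    return sorted((e.user, e.function) for e in entitlements
                  if current_dept.get(e.user) != e.sponsor_dept)

def review(entitlements=ENTITLEMENTS, current_dept=CURRENT_DEPT):
    """Run both checks; a clean quarter returns two empty lists."""
    return {"sod": sod_violations(entitlements),
            "stale": stale_access(entitlements, current_dept)}

if __name__ == "__main__":
    for kind, findings in review().items():
        print(kind, findings)
```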

I gotta agree with msmith537 on this. Either the employee refused to reimburse when it came to light or the company wanted to get rid of the employee for some other reason & just used this as a convenient excuse to terminate & not need to pay unemployment.

Sounds like GE Audit Staff. When I was at GE the saying was, “The job of audit staff is to shoot the wounded.”

I’m an administrator in a private university that has an active Internal Auditor. I’ve been involved in or on the receiving end of several internal audits. Although there was money involved directly or indirectly in each, that wasn’t necessarily the focus of the audit. It was more: Are there adequate policies and procedures in place to reduce risks and liabilities for the university, and are these policies and procedures being followed? In some cases the end result was a tightening up of procedures and, I think in all cases, some wrists being slapped and promises made to do better. The latter is checked by followup visits, say a year later.

As implied or said by others, part of the point is that, when the external auditors show up, they should find everything tight and shipshape.

About twenty years ago I served as a (volunteer) internal auditor for a union local. There were three or four of us. All we really did was go through the financial transactions. Even just doing spot checks, it took several days. (I think we did this once or twice per year.) We followed the procedure laid down by the national union (the largest one in the country); this certainly didn’t involve checking all operations of the local.

I doubt that would even stand up as misconduct if the employee actually filed for UI and appealed the initial decision. The original description used the word “accidentally”, which means that either Kayaker is incorrectly reporting what the auditor found or it would not qualify as any kind of willful misconduct that would deny UI benefits. It would certainly constitute a clear reason for firing that would prevent being accused of racial etc. bias in an EEOC lawsuit, but generally would not cause a problem for unemployment. In my experience, larger companies don’t really care that much about fighting UI claims, especially from office workers, but worry a LOT about having a solid reason to fire someone to avoid any risk of it appearing ‘protected class’ motivated.

OK, I chatted with my bro about the woman fired for inappropriate use of company funds. He had originally told me about her when telling me the highs & lows of his career. The high was actually catching the skimming of millions, the low was the woman who used the wrong credit card several times, once for a $30 item, but the total amount was around $300. He discovered it accidentally and assumed the woman would be permitted to pay back the money spent in error. They were judgement-call types of spending and she was a good employee for years. They had instituted a zero tolerance policy and her firing was automatic. She received a fair severance package and the whole thing scared people into being very careful.

Thanks for all the replies.

I talked to a friend of mine who is working at a local office of a large bank. Of course money is a big part of their internal audits. But since they are so highly regulated, the auditors also check to make sure procedures are followed. He has worked at several banks and he considered this one unusually manual and casual. Then they brought in a new internal auditor from another national bank. Wow! Things tightened up a lot. Procedures are now followed every time, even when it doesn’t affect money.

So an IA job is about more than money.
I had it explained to me when I first heard about this that the first thing a new IA does is prioritize procedures and practices in terms of risk. The highest risk items get the most attention. In some businesses that means only the money is audited. In others, non-monetary procedures and practices might rise in priority due to safety or legal exposure.
This is an interesting concept to me. Essentially an IA, depending on the risk level, might check on the things the managers are supposed to do; essentially, are the managers doing their job? I have never heard of this concept before. Learn something every day.

The people who should be checking petty cash claims are the approving line managers and then the accounts people who would issue a reimbursement. The auditor’s job is to make sure that this and other systems are working and are not inefficient or being abused.

If the canary in the cage suddenly drops dead, their job is not to hold an autopsy on the ex-bird, but to identify that there is a bigger issue that needs immediate attention. A good auditor does not pursue a $20 claim for postage because it’s $20, but because it may be indicative of a problem that could be costing thousands, either through embezzlement, incompetence or inefficiency.