The recent announcement of President Joe Biden’s Pandemic Anti-Fraud Proposal, committing $1.4 billion to help the public sector combat fraud, raises a lot of questions for state, local, and tribal governmental entities. Most questions center around how the public sector can avoid fraud, waste, and abuse and mitigate risk in the future. Having an established internal audit function in place is an effective way to help a governmental entity do just that.
The Government Finance Officers Association recommends that every government consider the feasibility of establishing a formal internal audit function. If this isn’t feasible or will overburden current staff, it suggests governments outsource their internal audit function to a reputable accounting firm.
If you’re looking to establish an internal audit function or fine-tune the one you have, ask yourself these five questions.
1. Do You Have a Written Charter?
An effective internal audit function starts with a written charter outlining the function’s purpose, authority, and its reporting relationships to the governing board and management. The charter should define an objective and incorporate components such as reporting requirements, independence considerations, and establishing outsource relationships and other resource needs, to name a few. The charter should consider the entity’s size and complexity.
2. How Do You Use Your Risk Assessment?
Regulatory authorities have emphasized the importance of developing entitywide comprehensive risk assessments and maintaining assessments specific to key compliance and operational functions.
To develop an effective internal audit risk assessment, the entity’s risk profile and strategic plan need to be considered. Once addressed, the most important step is identifying risks within the audit universe. If you don’t identify a risk, then you can’t measure and manage it. To effectively do this, you need a thorough understanding of the entity’s operations and activities, so solicit input from appropriate personnel during the process.
Measure all auditable areas for inherent and residual risk. It’s important to identify the controls being relied upon to evaluate residual risk as this is pertinent in the design of testing procedures.
3. What Is an Appropriate Cycle for You?
The frequency and depth of the audits should be commensurate with the entity’s risk level. Areas identified as high risk should be considered for auditing at least annually; lower risk areas may be limited to a biennial or triennial audit cycle; or it may be appropriate to not test an area at all. You don’t need to test every audit area each year. The audit function requires risk-based audit planning. This approach can help efficiently and effectively use resources while identifying areas for improvement.
The audit procedure’s design should align with the identified risks. Testing procedures are driven by the controls that are most relied upon. You also need to consider past results. Audit procedures that have resulted in previously reported findings should be included in the procedures’ design and may warrant larger sample sizes.
4. Who Will Execute the Plan?
The internal audit plan, including risk assessment, should be presented to and approved by the entity’s management or audit committee at least annually. Those responsible for performing internal audit procedures need to possess the necessary skills and remain independent from the organization’s process. As a result, many entities find it necessary to outsource some or all testing to third parties. It’s important to note that outsourcing doesn’t absolve the board and senior management of its responsibilities for having an effective internal control system.
5. How Will You Stay Accountable?
Internal audit testing should be accompanied by written reports that clearly communicate the scope and findings. It is management’s responsibility to respond to these results by developing a remediation plan. It’s equally important to hold management accountable by designing audit procedures to test the execution of areas being remediated.
These are just a few concepts to consider when assessing your internal audit program. An effective internal audit program helps achieve the desired objectives and is efficient. If appropriately administered, it also will help identify opportunities for process improvements, promote a culture of compliance, create accountability, and reduce fraud, waste, and abuse.
Professionals at Forvis Mazars have the experience and skills to provide tailored resources that can help you reduce the risk of fraud, waste, and abuse. We offer a variety of internal audit and risk management services that include helping clients establish an internal audit function, outsourcing, co-sourcing, and transformation services for existing internal audit functions. We also offer IT risk and compliance, grants compliance, forensic accounting, and analytics services, should you need help addressing issues that arise.
If you have any questions or need assistance, please reach out to a professional at Forvis Mazars or fill out the Contact Us form below.