What do Internal Audits Offices Do?
Primarily, IAO identifies and evaluates internal controls. But what exactly does that mean?
The Institute of Internal Auditors (IIA) defines control and control processes as follows:
- A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
- Control processes are the policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process. Risk management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.
- Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
- When you came to work today, did you lock the doors to your house? If you did, that's your own "internal control" to safeguard the assets you own.
- Do you keep the PIN for your ATM card in a safe place (i.e., away from the card itself)? If you do, that's an internal control the bank recommends to protect your funds from being stolen.
- Do you balance your bank statements each month? If you do, then you are ensuring the accuracy of the transactions entered on the account statement.
- Do you plan the shortest possible route to complete errands? If you do, then you are promoting operational efficiency.
- Do you file annual income tax returns? If you do, then you are in compliance with federal and state tax regulations.
Key points about internal controls include:
achievement of objectives.
At DWR, internal controls serve the following purposes:
Generally, there are two types of internal controls. They are:
Preventative Controls -- Designed to discourage errors or prevent irregularities from occurring. They are proactive controls that help prevent a loss. Examples: Separation of duties, proper authorization, adequate documentation, and physical control over assets.
Detective Controls -- Designed to find errors or irregularities after they have occurred. Examples: Reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.
The COSO Report further defines five interrelated components of internal control:
- Control Environment. This sets the tone of the organization and is the foundation for all other components.
- Risk Assessment. Management establishes activity-level objectives and mechanisms for identifying and analyzing risks related to their achievement.
- Control Activities. Policies and procedures that ensure management's directives are carried out and help ensure that necessary actions are taken to address risks to achievement of the entity's objectives.
- Information and Communication. Information identified, captured, and communicated in a form and timeframe to enable people to carry out their responsibilities.
- Monitoring. The process that assesses the quality of the system's performance over time, which includes ongoing monitoring activities, separate evaluations or a combination of the two.
Who is responsible for internal controls?
The auditors, right? No. Every DWR employee plays an important part in the Department's internal controls system. Ultimately, the DWR Directorate has final responsibility and accountability to ensure that effective controls are designed, implemented, adhered to, and maintained. The day-to-day responsibility for maintaining effective internal controls is delegated to management within DWR.
In practice, this means that each program area must ensure that effective internal controls are established, documented, operating as intended, and kept current. Therefore, every DWR employee must come to understand the important role of internal controls within his/her Office, Division, and DWR as a whole. Finally, IAO is here to assist the Directorate and management with internal controls by providing independent audits and consultations designed to evaluate and enhance the effectiveness of the DWR's internal control environment.
U.S. standards and governing bodies for internal control work are:
- Information Systems Audit and Control Association (ISACA)
- Governmental Accounting Standards Board (GASB)
- General Accounting Office (GAO)
- American Institute of Certified Public Accountants (AICPA)
- Institute of Internal Auditors (IIA)