What is internal auditing?
Internal auditing is an independent and objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Why are internal audits performed?
The primary objective of the Internal Audit Division is to provide oversight of county departments and give an independent assessment of county operations. We provide support to the Board of Supervisors and county management in meeting their missions and stewardship responsibilities to the constituents of this county, by conducting audits that provide reliable, independent, objective assessments of the adequacy and effectiveness of internal controls. Specifically, we perform audits for the following:
- To evaluate the effectiveness of a county department’s risk management, control, and governance processes. Internal audits are designed to provide assurance that a department has effective processes in place to identify, assess, and manage risks, and that it has adequate controls to mitigate those risks. Internal auditors evaluate these processes and controls to identify areas of weakness and make recommendations for improvement.
- To help improve a department’s operational efficiency and effectiveness. Internal audits help departments identify opportunities to improve their processes and operations, which can lead to increased efficiency, reduced costs, and better allocation of resources. By identifying inefficiencies, internal auditors can recommend process improvements that can help streamline operations and help make the organizations be more effective.
- To ensure compliance with laws and regulations: Internal audits help organizations ensure that they are complying with applicable laws, regulations, and internal policies. Internal auditors evaluate the department’s compliance with these requirements and make recommendations for improvement, helping the department avoid legal and regulatory risks.
- To evaluate the effectiveness of internal controls over the safeguarding of county assets.
- To provide assurance to stakeholders: Internal audits provide assurance to stakeholders, such as Board of Supervisors, departments’ management, and county citizens, that the county’s operations are effective, efficient, and compliant. By providing an objective and independent assessment of the county’s processes and controls, internal auditors can help build trust and confidence among stakeholders.
What auditing standards does the Riverside County Auditor-Controller Internal Audit Division follow?
The Internal Audit Unit of the Auditor-Controller’s Office follows the standards outlined in the International Professional Practices Framework as issued by the Institute of Internal Auditors.
How are departments selected for an audit?
California Government Code Section 25250 requires the Board of Supervisors to audit the financial accounts and records of all officers having responsibility for the care, management, collection or disbursement of county funds every two years. Government Code Section 26920 and 26922 requires a quarterly count of assets held by the Treasurer. Board Resolution 83-338 establishes the authority and declaring policy for the Auditor-Controller to audit county departments. As such, the Auditor-Controller through its Internal Audit Division ensures the scope of internal audits includes an examination of the organization’s system of internal controls and follow-up on prior audit findings and recommendations. Government Code Section 1236 directs employees that conduct audits of their respective agencies to conduct audits under the standards issued by the Institute of Internal Auditors (IIA) or the Comptroller General of the United States. Internal Audit adheres to the IIA standards.
What is the audit process?
The audit process consists of four phases.
- Planning: During this phase, the objectives and preliminary scope are determined through our research of the departments’ respective industries. Input from different parties involved with respective departments is requested to consider the risk associated with departments’ operations. An entrance meeting is held with the department management to share the preliminary audit scope and what is required during the audit.
- Fieldwork: This phase involves conducting walk through interviews and testing compliance with policies and procedures. Internal controls are also assessed and tested in the phase.
- Reporting of Results: In this phase, a summary of audit findings and recommendations is prepared and presented to management for discussion. Once the findings/recommendations are finalized, a report is issued to management.
- Follow-Up: This phase ensures that all audit recommendations have been satisfactorily implemented. Some verification procedures may be performed to ensure that recommendations have been adequately addressed.
What are the benefits of the audit?
Internal Audit assists all levels of the administration in achieving county objectives by bringing a systematic approach to evaluate and improve the effectiveness of risk management, control, and the administrative processes in the following areas:
- Compliance with policies, laws, and regulations
- Safeguarding of assets
- The reliability and integrity of financial and non-financial information
- Efficiency and effectiveness of operations and resource use
Internal Audit assesses each department's control environment and compliance with regulations. We provide recommendations and suggestions which can help county departments achieve their goals.
What are departments’ roles during an audit?
Departments’ responsibility is to make respective personnel available through the audit process for the Internal Audit Team to collect necessary information to accomplish the objectives of the audit. Once requests for information/documentation have been provided, the availability of appropriate personnel to address the request will be helpful in proceeding through the audit process. Additionally, availability for interviews and walk-throughs of operational processes and can include providing requested documentation, etc. Our team will be available to work onsite with department officials to collect documentation or arrange for receipt of information electronically.
What are the objectives of an internal audit function?
As an Internal Audit Division, we are part of the risk management process for the county by serving as a monitoring function of county departments and by giving an independent assessment of county operations. Additionally, our audits are focused on adding value and improving the departments’ operations by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management and control.
Internal Auditing covers a broad range of activities including:
- Testing transactions for compliance with accepted business practices.
- Review of internal controls over financial and non-financial operations.
- Operational audits which involve reviews directed towards improving efficiency, effectiveness, and cost savings.
- Evaluating risk exposure relating to the achievement of the organization’s strategic objectives.
- Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
- Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations that have a significant impact on the organization.
- Evaluating the internal controls for the safeguarding of assets and verifying the existence of such assets.
- Evaluating the effectiveness and efficiency with which resources are employed.
- Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the management.
What are internal controls?
Internal control is a process, designed and adopted by management to meet its missions, goals, and objectives through planning, organizing, directing, and controlling program operations. In addition, its processes are established by management to safeguard assets, maintain the reliability and integrity of financial and non-financial information, promote the efficiency and effectiveness of operational processes, and ensure compliance with laws, regulations, and policies.
Who is responsible for internal controls in Riverside County?
Departments’ management (department heads or designee) are directly responsible for designing, assessing, implementing, and monitoring the internal controls.
Why are internal controls important in any organization?
Internal controls are processes that should be designed to provide management reasonable assurance of achieving efficiency and effectiveness of operations, compliance with laws and regulations, reliability of financial and non-financial information, and safeguarding of assets. However, it only provides reasonable and not absolute assurance since it is recognized that internal controls have inherent limitations such as cost, human error, and intentional efforts to bypass the internal controls.
What types of audits will the Auditor-Controller’s Office Internal Audit Division conduct?
California Government Code Section 25250 requires the Board of Supervisors to audit the financial accounts and records of all officers having responsibility for the care, management, collection or disbursement of county funds every two years, as stated earlier. Government Code Section 26920 and 26922 requires a quarterly count of assets held by the Treasurer. The Auditor-Controller ensures the scope of internal audits includes an examination of the organization’s system of internal controls and follow-up on prior audit findings and recommendations. Below are examples of current types of audits conducted by Internal Audit:
- Mandated: These audits are conducted for each county department every two years, it is risk based and can include operational, financial, and compliance audits as well as other management elements deemed appropriate for audit by the Auditor-Controller.
- Treasury Verification: These are mandated by Government Code Section 26920 and 26922 which requires asset verification and a quarterly a count of assets held by the Treasurer.
- Follow-Up: These audits focus on the management actions taken to implement recommendations noted in prior years’ “mandated” audit reports.
Who audits Internal Audits?
In accordance with the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing (Standards), external quality assurance assessments must be conducted at least once every five years. These assessments conclude as to conformance with the Code of Ethics and the Standards, and may include operational and strategic comments.
What factors weaken internal controls?
Examples of factors that weaken internal controls are as follows:
- Lack of segregation of duties: When one person has control over multiple aspects of a process, it becomes easier for errors, fraud, or other irregularities to occur.
- Insufficient documentation: When documentation is not complete, accurate, or up to date, it becomes more difficult to monitor and detect errors or irregularities.
- Inadequate training or supervision: When employees are not properly trained or supervised, they may not understand their roles and responsibilities or how to comply with policies and procedures, which can lead to errors or misconduct.
- Poorly designed policies and procedures: Policies and procedures that are overly complex or difficult to understand can create confusion and make it harder for employees to comply with them.
- Lack of monitoring and oversight: When internal controls are not regularly monitored and tested, it becomes easier for errors or irregularities to go undetected.
- Pressure or incentives to circumvent controls: When employees feel pressure to meet targets or goals that may be unrealistic or incentivized in a way that encourages them to bypass controls, they may be more likely to engage in misconduct.
- Information technology weaknesses: When IT systems are not secure or do not have appropriate controls in place, they can be vulnerable to hacking, data breaches, and other security risks that can weaken internal controls.
How does internal auditing differ from external auditing?
Internal auditing is conducted by employees or contractors of an organization and focuses on evaluating and improving internal processes and controls. External auditing is conducted by independent auditors who are not employees of the organization and focuses on providing an opinion on the accuracy and reliability of the organization's financial statements. While both internal and external auditing may involve evaluating risks and controls, they have different objectives, scopes, and methodologies.
How do internal auditors evaluate and assess risks?
Internal auditors evaluate and assess risks by identifying and analyzing the risks that an organization faces in respect to its overall mission and specific set of objectives and evaluating the effectiveness of the controls in place to mitigate those risks. This includes conducting risk assessments, performing walkthroughs and control testing, and evaluating the design and operating effectiveness of controls.
How can internal audit help with compliance and regulatory requirements?
Internal audit can help an organization comply with laws, regulations, and internal policies as follows:
- Assessing compliance risks: Internal audit can help identify areas of the organization that are at risk of non-compliance with regulatory requirements. This can involve reviewing policies and procedures, conducting risk assessments, and assessing the effectiveness of existing controls.
- Evaluating the effectiveness of controls: Internal audit can assess the effectiveness of existing controls designed to ensure compliance with regulatory requirements. This can involve reviewing documentation, testing controls, and identifying areas where improvements can be made.
- Making recommendations for improvement: Internal audit can identify areas where the organization's compliance controls can be improved. This can involve making recommendations for new controls, process improvements, or changes to existing policies and procedures.