In an environment of fiscal restraint and increasing public scrutiny over outcome-based spending, the role of internal auditors within municipalities cannot be understated.
Through independent, objective assurance and insights, the internal auditor can evaluate and recommend improvements for processes and controls. Within these activities, the internal auditor can determine if risks are appropriately identified and mitigated, financial information is accurate and timely and resource and asset acquisition and use are optimized.
Internal auditors also provide assurance around new and emerging risks, such as changing regulations and disruptors like cyber threats, artificial intelligence, blockchain and robotic process automation and deliver timely insights to help drive strategic planning. The function is highly valuable to mid-to large-sized municipalities with complex financial and service challenges, as internal audit delivers advice that addresses hot-button issues with practical, internally relevant solutions.
Determine the Role
Internal auditors enable municipalities to meet their strategic objectives in the most efficient and effective manner, enhancing transparency and boosting credibility with key stakeholders — their constituents. But for the function to be truly effective, both council and audit committee must agree on the need and scope of internal audit activities. Management must also understand internal audit’s role and authority in assessing governance, risk management and control processes.
The municipality should also examine the resourcing model best suited for its internal audit resources and needs:
- Managed in-house with a dedicated internal audit leader and complement of team members
- Outsourced to an external firm
- Co-sourced with an external provider when additional support is required.
Processes
While they report directly to council, the internal auditor does not make decisions; they provide analysis, make recommendations and can identify opportunities to improve management control, as well as financial and operating results. To do so, the internal auditor applies a systematic, disciplined approach to identifying and managing risk at all key levels of an organization. The following are key activities an internal auditor undertakes to ensure the success of the organization.
Full Review of Policies and Programs – While council is attuned to the public’s satisfaction with the municipality’s services and programs, the adequacy and economy of policies and programs under which those programs and services are delivered are often are overlooked. A governance audit can assess how relevant and effective existing policies and programs are, as well as ensure they enable the municipality’s strategic objectives to be met with a focus on value for money. Internal audit also typically undertakes program or service assessments determining whether business functions and programs/services are organized and managed effectively to achieve municipal objectives and deliver on policy requirements — identifying opportunities to enhance organization structure, process and control design or resource optimization.
Pinpoint and Prioritize Risk – The internal auditor looks at areas of highest risk — and highest value, both internal and external. In addition to assessing internal controls and processes, the internal auditor evaluates risks connected with external issues such as environmental, third-party vendors and reputational. They can then offer insights on how to allocate resources to best manage risk, identify new trends and make recommendations for improvement.
Communication – Clear and consistent communication enables both internal auditor and council to do their jobs. The internal auditor should report to council regularly on how risk management and governance practices are performing, as well as recommend possible improvements. Internal audit should also develop a relationship with municipal management through regular meetings and presentation of audit results — developing a reputation as a trusted advisor management can rely on to deliver impactful, yet practical solutions. They also should liaise with other assurance areas (e.g. health and safety, engineering project management, etc.) to coordinate and collaborate to see where internal audit can help, while also coordinating audit schedules to avoid redundancies.
Conflict
Conflict can arise as council priorities may not always align with those of municipal managers. The difference arises as a result of council members being focused on meeting constituent needs within often challenging financial constraints, whereas managers want effective and efficient processes that enable optimal service delivery. An example of such conflict would be legacy systems that need upgrades to make them efficient — a managerial concern — but the upgrades are costly — a council concern and decision.
External Auditors
While municipalities can choose whether to have an internal audit function, they are mandated to undergo external audits every four to five years. The internal auditor would work with the external auditor, not only to confirm the quality of the municipality’s internal controls, but to create an efficient audit schedule that avoids redundant questioning and audit fatigue.
By coordinating with the external audit function, there also may be opportunities to conduct internal audit engagements to help reduce the scope of the external audit. This can help eliminate duplicating efforts, reduce external auditor fees and make the audit approach more effective and efficient.
Best Practices for Internal Audit
- Work closely with council and management to develop an annual audit plan.
- Regularly identify emerging risks and assist management in developing appropriate responses and action plans to manage priority risks.
- Deliver meaningful assessments and practical recommendations through internal audit projects and insights.
- Communicate clearly, openly and consistently with council and management to become a trusted advisor to both.
- Coordinate with other compliance and assurance functions (internal and external) to assess municipal controls and monitoring functions, including the external auditor.
At MNP, our team can work with you to develop an internal audit solution tailored to help you achieve effective corporate governance and provide senior management with timely and reliable business intelligence.
For more information, contact:
Geoff Rodrigues, National Leader, Internal Audit Services, at 416.596.1711 or [email protected], or
Mariesa Carbone, National Enterprise Risk Services Leader and Post-Secondary Education Lead at 780.451.4406 or [email protected].