Internal Audit 101: What every credit union employee needs to know about this essential department
The word “auditor” gets tossed around a lot in the credit union industry. With various audit requirements and different groups of auditors coming and going, it is genuinely confusing! As someone who has held many different audit positions over my career, I’m here to help! Let’s delve into what Internal Audit does in the most basic of terms, explore the purpose of external auditors and various consultants, and clear up some common misperceptions. The more our industry understands what Internal Audit does, and does not do, the better we can all work together and meet the needs of our members.
Definition of Internal Auditing
So, what is Internal Audit? The Institute of Internal Auditors (or IIA) defines internal auditing as the following:
Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
All sorts of businesses and industries have Internal Audit functions. At a retail company, Internal Audit may perform inventory counts, observe clerks balance and close their sales registers, or ensure security cameras are operational. At a manufacturing company, Internal Audit may perform market research to ensure raw materials costs are appropriate, observe assembly line workers to ensure product safety, or compare productivity with industry standards.
As a credit union employee, you have almost certainly encountered Internal Audit! Most employees know about branch audits, where auditors observe controls and security procedures, perform surprise cash counts, and inspect the facility and grounds. Other popular projects include testing loan files, reviewing new member accounts, examining expenses to uncover waste and fraud, and assessing your credit union’s compliance with different rules and regulations. These are just a handful of many popular and necessary audit projects that protect your members and assets.
The Chief Audit Executive
An individual with a leadership title, which the IIA Standards refer to as the “Chief Audit Executive”, typically leads the Internal Auditor department. I have clients in this role referred to as “Chief Audit Officer,” “Audit Manager,” “VP of Internal Audit,” and many other examples. Regardless of title, the IIA clearly defines the Chief Audit Executive’s role and responsibility. These skilled professionals create an audit plan which responds directly to the risks your credit union faces. They assign audit projects to their team members based on skill set, and complete high-risk projects themselves, to maximize department resources. They are ultimately responsible for everything audit-related, such as reviewing workpapers, tracking issues, and being the department figurehead. Ideally, the Chief Audit Executive has a dual reporting role to the CEO (administrative) and Supervisory Committee (functional).
The Supervisory Committee
The Supervisory Committee is made up of volunteer members who oversee the audit function and make key decisions. It’s very common for a board member to sit on this committee to help ensure Internal Audit’s goals are aligned with the credit union overall. Only the Supervisory Committee may hire and fire the Chief Audit Executive, as Internal Auditors would not be very effective if their auditees could get them terminated!
Another common Supervisory Committee and audit responsibility specific to credit unions is investigating member complaints. While consumer complaints will always be part of running any business, in this industry it is essential that our member-owners have a voice and a way to be heard. This often-challenging task falls on the Supervisory Committee, who represent all your members.
The Financial Statement Auditors
If you have worked in an accounting position, you have certainly interacted with the group that audits the financial statements every year and issues an opinion. This is commonly referred to as “external audit.” It may seem unusual that even with an audit department in-house, your credit union must outsource certain audit projects. The financial statements are extremely important and many stakeholders rely on their accuracy; members, regulators, and third-party financial institutions, to name a few.
The external auditors’ purpose is to issue an opinion on whether or not the financial statements represent fairly, in all material respects, the financial position of your credit union as of the audit date. While many Internal Auditors are highly skilled accountants and could do a great job auditing financial statements, there would be the issue of the opinion being accepted. If you were looking at the financials of a company you were going to invest in or loan money to, would you accept the opinion of someone on the inside? Probably not. It’s a matter of who is appropriate to issue an opinion, not who is qualified.
Internal Audit Outsourcing
There are some audit projects that the Supervisory Committee will choose to outsource. Common examples are Information Technology audits, compliance audits, and security assessments. These projects sometimes require skills or knowledge that the average auditor does not possess, such as ethical hacking, compliance expertise, or a background in law enforcement. Also, outsourcing allows the credit union to bring in help on a temporary basis, completing more audits without hiring more staff. Outsourcing enables credit unions to have experts on hand for relatively low cost.
Regulators are NOT Auditors!
Another tricky but essential concept for credit unions to understand is that the Internal Audit function is not the same as our regulators (the NCUA and state regulatory bodies). Your regulatory examiners work for the government. They are required to perform certain testing at regular intervals, covering many functions and processes at the credit union. Their purpose is to make sure, to the best of their ability, that the credit union is not taking any unnecessary risks that would cause future losses to the share insurance fund. While Internal Audit certainly cares about the safety and soundness of the credit union and limiting the risk of such losses, our ultimate purpose is much larger.
Who Audits the Auditors?
One question I’ve been asked is “Who audits the auditors?!” Usually, this is asked in a joking fashion, and folks are surprised to learn that there are auditors for auditors. The IIA requires that all audit functions perform self-assessments regularly and engage external assessments every five years, at a minimum. This is called a Quality Assurance Review, or QAR, and I perform many of these projects as an assurance consultant. What do we do to meet the QAR requirements? It’s really simple; we review work, observe processes, and interview stakeholders just like any audit. Then we issue an opinion and offer our advice to make your audit function even better!
Internal Audit Cannot Write or Enforce Policies
It is also very important to explain what Internal Audit does not, or cannot do. One common misconception is that Internal Audit “writes” or “approves” policies for your credit union. There is a very important reason why this is incorrect. Remember that word “independent” from the IIA’s definition of internal auditing? If Internal Audit were to write the policies, we would be auditing our own work! Internal Audit will gladly review your policy, tell you what they think, and offer advice and perspective. But your leadership must write and be responsible for their own policies.
A Typical Day in Internal Audit
Often, credit union employees are curious about Internal Audit, and wonder what exactly the job is like from their perspective. I would like to de-mystify the profession a bit. The typical workday for an auditor is… not typical! Internal Audit will work on their assigned projects, sit in on meetings, interview subjects, assist the Supervisory Committee, auditors, or regulators, follow up on past audit issues, and work on any number of tasks. Then, an investigation can come up or a fraud can be discovered, and their day does a complete 180! This is a great profession for those of us with short attention spans, because we are constantly juggling projects, moving on to new assignments, and putting out fires. I wouldn’t have it any other way!
