> Commission Home > Our Departments > Central Administrative Services > Office of Internal Audit > Internal Audit FAQ's
Internal Audit FAQ's
What Is Internal Audit?
Just what do auditors do? How do they select their "auditee"? Many facilities don't give audits a second thought until they are selected for review. Here is some general information about the internal audit function at M-NCPPC.
As defined by the Institute of Internal Auditors (IIA), "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
The Office of Internal Audit exists by charter to assist Commission management and the Audit Committee in effectively fulfilling their responsibilities. We are charged with examining and evaluating the policies, procedures, and systems which are in place to ensure: the reliability and integrity of information; compliance with policies, plans, laws, and regulations; the safeguarding of assets; and, the economical and efficient use of resources. In simpler words, we're here to help.
The CIA has a dual-reporting relationship. The CIA reports to the Commission’s Chair and Vice-Chair functionally, while reporting to the Executive Director, Maryland-National Capital Park & Planning Commission (M-NCPPC or Commission) administratively. We're a small office with a big job.
External auditors can be government auditors or independent public accounting firms that the Commission hires. Independent public accounting firms review the Commission’s annual consolidated financial statements (CAFR) to ensure the information presented accurately portrays the Commission’s financial condition. Internal auditors sometimes look at the same data or perform some of the same steps as external auditors. If there is a problem, it's better to find it and fix it before external auditors review our practices.
Each year, the OIA performs a comprehensive risk assessment. With input from Commission management and key stakeholders, audit risk areas, such as purchase card processes, information systems or facilities are identified. The OIA then decides which areas to audit based on the results of the assessment and the audit resources available.
Primarily compliance with Commission policies and sound internal controls. M-NCPPC’s policies are designed to help ensure we all comply with applicable laws and regulations and operate efficiently. By following these policies we help protect the Commission from unnecessary risks and help ensure sound business practices are consistent throughout the Commission. Commission policies can be found here: http://insite.mncppc/Our_Organization/Agency-wide_Policy__Manuals__Guidance_and_Union_Agreements.html However, not all internal controls can be codified in policy. If we find control weaknesses, we regularly make recommendations to implement a control even though it may not be specifically required by policy.
We will make recommendations for improvement. The recommendations are realistic because we want you to implement them. It is the responsibility of management to weigh possible additional costs of implementing our recommendations in terms of benefits to be derived and the relative risks involved.
Yes! If you are concerned about an area in your department, we will try to make time for an examination of the area (Please see Management Advisory Services – Types of Services). However, our ability to perform the audit might be affected by our staffing levels, or year-end deadlines. We're also available to do presentations and training for your department.
We budget between 200 and 400 hours for a typical audit, depending on the size and complexity of the area. We normally have one auditor leading the audit, and auditors will sometimes have more than one audit in process at a time, so an audit could take from two months to six months to complete.
During the audit opening meeting, we will discuss the audit schedule and try to accommodate time constraints that you may have. Although 200 to 400 hours looks like a lot of time, much of our work is done behind the scenes. Many people operate under the erroneous belief that in doing an audit we will spend lots of time with you and take time away from your other obligations. We may need to meet key personnel on the audit two or three times for maybe an hour at a time over the audit period. We may spend equal amounts of time, and perhaps less, with others in the department, but we will not be monopolizing anyone's time in the department and much of our work such as audit planning and report writing, is done in our offices.
The OIA is required to send all final audit reports to the Audit Committee and to the Commission’s Chair and Vice-Chair along with management’s complete written response received in connection with the draft audit report. The OIA will also provide a copy of the final audit report to each Appointed Officer of the M-NCPPC and the affected Department Director(s).
All planned/performance audits that do not contain personal identifiable information are available for public access. The Office of General Counsel reviews all audit reports and with consultation with the Executive Committee, determines what reports will be published.
The Generally Accepted Government Auditing Standards (GAGAS) promulgated by the Government Accountability Office states that each audit organization performing audits in accordance with GAGAS must have an external peer review performed by reviewers independent of the audit organization being reviewed at least once every 3 years.
The Commission has implemented a Governance, Risk Management, and Compliance (GRC) hotline. The hotline or web reporting system is a confidential and anonymous solution for reporting illegal and unethical activities. It can be accessed toll-free at 1-800-363-5524 or http://www.reportlineweb.com/mncppc.