The Maryland-National Capital Park and Planning Commission

Internal Audit FAQ's

What Is Internal Audit?

Just what do auditors do? How do they select their "auditee"? Many facilities don't give audits a second thought until they are selected for review. Here is some general information about the internal audit function at M-NCPPC.

Who are internal auditors?

As defined by the Institute of Internal Auditors (IIA), "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Internal Auditors' roles include monitoring, assessing, and analyzing organizational risk and controls; and reviewing and confirming information and compliance with policies, procedures, and laws. Working in partnership with management, internal auditors provide the board, the audit committee, and executive management assurance that risks are mitigated and that the organization's corporate governance is strong and effective. And, when there is room for improvement, internal auditors make recommendations for enhancing processes, policies, and procedures."

Back to Top

Why does M-NCPPC have an internal audit function?

The Office of Internal Audit exists by charter to assist Commission management and the Audit Committee in effectively fulfilling their responsibilities. We are charged with examining and evaluating the policies, procedures, and systems which are in place to ensure: the reliability and integrity of information; compliance with policies, plans, laws, and regulations; the safeguarding of assets; and, the economical and efficient use of resources. In simpler words, we're here to help.

Back to Top

Where does the audit function fit in the organization?

The CIA has a dual-reporting relationship. The CIA reports to the Commission’s Chair and Vice-Chair functionally, while reporting to the Executive Director, Maryland-National Capital Park & Planning Commission (M-NCPPC or Commission) administratively. We're a small office with a big job.

Back to Top

What's the difference between external and internal auditors?

External auditors can be government auditors or independent public accounting firms that the Commission hires. Independent public accounting firms review the Commission’s annual consolidated financial statements (CAFR) to ensure the information presented accurately portrays the Commission’s financial condition. Internal auditors sometimes look at the same data or perform some of the same steps as external auditors. If there is a problem, it's better to find it and fix it before external auditors review our practices.

Back to Top

How are units selected for audit?

Each year, the OIA performs a comprehensive risk assessment. With input from Commission management and key stakeholders, audit risk areas, such as purchase card processes, information systems or facilities are identified. The OIA then decides which areas to audit based on the results of the assessment and the audit resources available.

Back to Top

What are internal auditors looking for?

Primarily compliance with Commission policies and sound internal controls. M-NCPPC’s policies are designed to help ensure we all comply with applicable laws and regulations and operate efficiently. By following these policies we help protect the Commission from unnecessary risks and help ensure sound business practices are consistent throughout the Commission. Commission policies can be found here: http://insite.mncppc/Our_Organization/Agency-wide_Policy__Manuals__Guidance_and_Union_Agreements.html However, not all internal controls can be codified in policy. If we find control weaknesses, we regularly make recommendations to implement a control even though it may not be specifically required by policy.

Back to Top

What if something isn't handled correctly?

We will make recommendations for improvement. The recommendations are realistic because we want you to implement them. It is the responsibility of management to weigh possible additional costs of implementing our recommendations in terms of benefits to be derived and the relative risks involved.

Back to Top

Can a department request an audit?

Yes! If you are concerned about an area in your department, we will try to make time for an examination of the area (Please see Management Advisory Services – Types of Services). However, our ability to perform the audit might be affected by our staffing levels, or year-end deadlines. We're also available to do presentations and training for your department.

Back to Top

How long does an audit take?

We budget between 200 and 400 hours for a typical audit, depending on the size and complexity of the area. We normally have one auditor leading the audit, and auditors will sometimes have more than one audit in process at a time, so an audit could take from two months to six months to complete.

What if I don't have the time to deal with the auditors?

What if it's a bad time for an audit because (choose one):
  1. we're short-staffed
  2. the finance manager just quit
  3. it's budget season
  4. one week until the kids are out of school
  5. we're trying to close out the year.

During the audit opening meeting, we will discuss the audit schedule and try to accommodate time constraints that you may have. Although 200 to 400 hours looks like a lot of time, much of our work is done behind the scenes. Many people operate under the erroneous belief that in doing an audit we will spend lots of time with you and take time away from your other obligations. We may need to meet key personnel on the audit two or three times for maybe an hour at a time over the audit period. We may spend equal amounts of time, and perhaps less, with others in the department, but we will not be monopolizing anyone's time in the department and much of our work such as audit planning and report writing, is done in our offices.

Back to Top

Who will receive my audit report?

The OIA is required to send all final audit reports to the Audit Committee and to the Commission’s Chair and Vice-Chair along with management’s complete written response received in connection with the draft audit report. The OIA will also provide a copy of the final audit report to each Appointed Officer of the M-NCPPC and the affected Department Director(s).

Back to Top

What audit reports are available for public access?

All planned/performance audits that do not contain personal identifiable information are available for public access. The Office of General Counsel reviews all audit reports and with consultation with the Executive Committee, determines what reports will be published.

Back to Top

Who audits the Audit Office?

The Generally Accepted Government Auditing Standards (GAGAS) promulgated by the Government Accountability Office states that each audit organization performing audits in accordance with GAGAS must have an external peer review performed by reviewers independent of the audit organization being reviewed at least once every 3 years.
The Association of Local Government Auditors completed a peer review of the OIA for the period June 1, 2013, to July 31, 2014. Based on the results of the review, the OIA’s internal quality control system was suitably designed and operating effectively to provide reasonable assurance of compliance with Government Auditing Standards.

Back to Top

If I call you with information about a possible irregularity, will my identity be kept a secret?

The Commission has implemented a Governance, Risk Management, and Compliance (GRC) hotline. The hotline or web reporting system is a confidential and anonymous solution for reporting illegal and unethical activities. It can be accessed toll-free at 1-800-363-5524 or
If you contact us directly, your identity will be kept confidential within the legal limits of the law. We will not reveal our sources to the person being investigated; and we always try to corroborate any accusations with our own observation.

Back to Top