The Maryland-National Capital Park and Planning Commission

Internal Audit FAQs

Here are some of the most frequently asked questions about the internal audit function at M-NCPPC.

What Is Internal Audit?

As defined by the Institute of Internal Auditors (IIA), "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

What are the roles of internal auditors?

Internal Auditors' roles include monitoring, assessing, and analyzing organizational risk and controls, and reviewing and confirming compliance with policies, procedures, and laws. Working in partnership with management, internal auditors provide the board, the audit committee, and executive management assurance that risks are mitigated and that the organization's corporate governance is strong and effective. When there is room for improvement, internal auditors make recommendations for enhancing processes, policies, and procedures."

Why does M-NCPPC have an internal audit function?

The Office of Internal Audit exists by charter to assist M-NCPPC and the Audit Committee in effectively fulfilling their responsibilities. We are charged with examining and evaluating the policies, procedures, and systems which are in place to ensure: the reliability and integrity of information; compliance with policies, plans, laws, and regulations; the safeguarding of assets; and, the economical and efficient use of resources. In simpler words, we're here to help.

Where does the audit function fit in the organization?

The Chief of Internal Audit (CIA) has a dual-reporting relationship. The CIA reports to the Commission’s Chair and Vice-Chair functionally, while reporting to the Executive Director  administratively.

What's the difference between external and internal auditors?

External auditors can be government auditors or independent public accounting firms that the agency hires. Independent public accounting firms review the annual M-NCPPC consolidated financial statements to ensure the information presented accurately portrays the agency's financial condition. Internal auditors sometimes look at the same data or perform some of the same steps as external auditors. If there is a problem, it's better to find it and fix it before external auditors review our practices.

How are units selected for audit?

Each year, the OIA performs a comprehensive risk assessment. With input from management and key stakeholders, audit risk areas, such as purchase card processes, information systems or facilities are identified. The OIA then decides which areas to audit based on the results of the assessment and the audit resources available.  The final audit plan is approved by the Audit Committee.

What are internal auditors looking for?

Internal auditors primarily look for compliance with Commission policies and sound internal controls.  By following these policies we help protect the agency from unnecessary risks and help ensure sound business practices are consistent throughout all departments.  However, not all internal controls can be codified in policy. If we find control weaknesses, we make recommendations to implement a control, even though it may not be specifically required by policy.

What if something isn't handled correctly?

We will make recommendations for improvement. The recommendations are realistic because we want you to implement them. It is the responsibility of management to weigh possible additional costs of implementing our recommendations in terms of benefits to be derived and the relative risks involved.

Can a department request an audit?

Yes! If you are concerned about an area in your department, we will try to make time for an examination of the area. (Please see Management Advisory Services for information.) We're also available to do presentations and training for your department.

How long does an audit take?

We budget between 200 and 400 hours for a typical audit, depending on size and complexity. We normally have one auditor leading the audit, and auditors will sometimes have more than one audit in process at a time, so an audit could take from two to six months to complete.

What if I don't have the time to deal with the auditors?

During the audit opening meeting, we will discuss the audit schedule and try to accommodate time constraints that you may have (e.g., short-staffed, budget season, etc.).  Many people think an auditor will spend lots of time with you and take time away from your other obligations. However, much of our work is done behind the scenes.  We may need to meet key personnel on the audit two or three times for maybe an hour at a time over the audit period. We may spend equal amounts of time, and perhaps less, with others in the department, but we will not be monopolizing anyone's time, and much of our work (such as audit planning and report writing) is done in our offices.

Who will receive my audit report?

The OIA is required to send all final audit reports to the Audit Committee and to the Commission’s Chair and Vice-Chair along with management’s complete written response received in connection with the draft audit report. The OIA will also provide a copy of the final audit report to each Appointed Officer of the M-NCPPC and the affected Department Director(s).

Who audits the Audit Office?

The Generally Accepted Government Auditing Standards (GAGAS) by the Government Accountability Office states that each audit organization performing audits in accordance with GAGAS must have an external peer review at least once every 3 years.
The Association of Local Government Auditors completed a peer review of the OIA for the period June 1, 2013, to July 31, 2014. Click the link to read the Peer Review results:  Internal Audit Results of August 29, 2014 Peer Review

If I call you with information about a possible irregularity, will my identity be kept a secret?

M-NCPPC has a confidential hotline. The system is anonymous for reporting illegal and unethical activities. Call toll-free at 1-800-363-5524 or visit

If you contact us directly, your identity will be kept confidential within the legal limits of the law. We will not reveal our sources to the person being investigated; and we always try to corroborate any accusations with our own observation.