| |
By Scott McConnell, Kentucky Employers' Mutual Insurance
The fundamental role of an internal audit department, regardless
of size, is to "add value" to their respective organization.
The method in which this is accomplished and how adding value is
defined is often what differentiates audit departments in any given
organization. Methodologies utilized are often determined by many
factors, including the business environment and the size of the
audit department in terms of personnel. What constitutes value to
the organization often depends on direction provided by management
and the Board of Directors. The purpose of this article is to provide
that insight as to the role I fulfill within my organization as
an audit department with a staff of one; methodologies I believe
are important for fulfilling responsibilities; and how I allocate
myself as a resource to the organization.
My role as an internal auditor at Kentucky Employers Mutual Insurance
is probably, in essence, very similar to that of any other size
audit function at another AASCIF fund. From my perspective, that
role is to minimize organizational risk, identify opportunities
for improving efficiency and effectiveness in the performance of
business processes, and to support management in any way possible
to the extent that my personal and professional integrity are not
compromised. In terms of my status in the organization, I am independent
of management by the fact that I have a direct reporting relationship
to the Board of Directors, but report on an administrative and day-to-day
basis to the CEO.
In a department of one, a primary concern that must be dealt with
is that of audit coverage and how I allocate myself as a resource.
Undoubtedly many, if not all, of the issues and risks encountered
by state funds larger than KEMI (with larger audit staffs) are also
the same issues and risks I must consider. To mitigate this concern,
I have adopted two audit protocols. First, I view myself as being
a partner with the external and Department of Insurance auditors
and always consider the nature and scope of their audit work when
prioritizing my efforts. Knowing their audits are primarily financial
and compliance oriented, I have tried to complement versus duplicate
their efforts by emphasizing operational reviews, thus broadening
the overall audit coverage. Secondly, I try to maintain an awareness
of all issues affecting the organization by attending relevant management
and staff meetings, and by developing excellent working relationships
with as many employees as possible. While both of these efforts
reduce the amount of time that can be allocated to the actual performance
of audits, they are both invaluable in improving the efficiency
and effectiveness of an audit.
Within a small department there is obviously also a need for multiple
job roles to be fulfilled by a single individual and include that
of clerical, staff and management. The concept of performing multiple
roles also extends to audit performance in the sense that audit
specialization is not possible with respect to the performance of
operational, financial, compliance or information technology audits.
Both of these realities require that some formalities inherent in
each of the above-mentioned roles be compromised in such a way that
the integrity and quality of the work performed is not sacrificed.
Time must also be allocated so that the main function of the position,
to perform internal reviews, is effectively and efficiently accomplished.
In summary, there can be a number of similarities and differences
between internal audit departments while fundamentally analogous
objectives are trying to be achieved. My role is similar to that
of any other auditor of a larger staff, but the methods utilized
to accomplish objectives undoubtedly vary. A greater portion of
my time in terms of available annual audit hours is probably spent
in developing employee relations and attending meetings relative
to audit departments with larger staffs. I also try to complement
the work of the external and DOI auditors by directing my efforts
to areas of organizational risk that neither of them focuses on.
|
