A medium–sized organization reached out to one of our offices with a problem. A long-term employee responsible for the reconciliation of the organization’s deposit account retired. A little over a year after this retirement, another employee discovered the account had not been reconciled since that person’s departure. Something was amiss. But how to resolve this situation? The employee wondered if they needed an internal audit.
Determining if an internal audit is needed versus a forensic examination can easily be misunderstood. Both types of engagements can be extremely helpful to improve internal controls for any entity of any size. Deciding which type of engagement fits best depends on facts, circumstances, goals and objectives.
Your entity may actually need an internal audit if:
- Ethical or accuracy lapses have occurred and/or accountability is lacking.
- Specialized expertise is required to accomplish projects beyond regular operations.
- Risks in operations, compliance and reporting are unrecognized or are increasing due to significant changes in the industry, technology, laws and regulations.
- Existing policies and procedures may not be followed.
- Information technology data breaches have occurred or there is significant concern that such risk exists.
- Compliance with laws and regulations is a significant organizational risk and noncompliance may become a serious issue if not monitored and evaluated.
- Those charged with governance are focused on the "big picture," but remain concerned about what they may not know about the "little picture" (or vice versa).
- Communications internally have led to morale and turnover issues, while external communication quality has led to an air of skepticism from stakeholders about operations.
Your entity may actually need a forensic audit if:
- Suspicions exist of fraud or theft.
- Similarly to the above described issue, turnover has occurred and account balances are not what they should be (positively or negatively).
- Accounts that were thought to be in your entity’s name are not really owned by your entity.
- Reconciliation procedures result in timing differences or unidentified differences or don’t reconcile at all.
- Contractors that should have been paid have been unpaid and customers that should have paid have not.
- Theft of personally (or business) identifiable information has occurred (or systems have been "hacked").
- Labor and materials have resulted in poor quality products that are not selling (or worse, out of compliance with laws and regulations).
- A whistleblower hotline identified issues such as assets stolen or other defalcations.
While there are cases where you may need both a forensics examination and an internal audit, the key differential between the two types of services is time and objective of the project(s). An internal audit engagement is typically much more current and forward looking focusing on where the organization is today while simultaneously taking a consultative look at the future state of an organization’s inherent risks and what they are or should potentially be doing to control those risks.
A forensic examination is retrospective in nature with the focus on reconstructing how things should be and uncovering what may have happened. After considering these factors, the organization above determined that it wanted to look back in time to determine what happened and to reconcile their deposit account. It was agreed that a forensic examination was actually what they needed.