A Day in the Life of an Internal Auditor
Office of Performance and Transformation's Communication Representative Monica Drake follows different State of Michigan employees throughout the year.
Internal auditors are often confused for Office of the Auditor General (OAG) staff. But the Office of Internal Audit Services (OIAS) and the OAG are two very different offices – even though both employ auditors.
For one, when the OAG conducts post financial and performance audits of departments and agencies, their results are public. But, at the OIAS, all reports are private – only to be seen by the specific department and OIAS.
Internal Auditor Laura Koenigsknecht, CPA, said, “OIAS serves as an advisor for departments. Our goal is to help prevent a problem before it starts. We also identify current problems and help come up with solutions for how the department can address them. We help departments design secure processes to reduce their risk associated with specific business processes.”
Koenigsknecht works on one to four projects at a time – usually either a consulting engagement or a follow-up – and each project lasts about two or three months. Typically, an engagement begins when a department or agency requests help from an internal auditor or when OIAS receives notice that a department has implemented a solution to a material weakness. Once that occurs, an engagement will have a manager and possibly multiple auditors assigned to it based on complexity.
“For a consulting engagement, we work with the agency to figure out the highest risk processes where we could add the most value. We begin learning about the processes we’re going to be looking at by meeting with staff from that area and asking for any procedures or documents to help us understand. One of the best parts about working for OIAS is the number of processes I’ve gotten to learn and experiences I’ve had across numerous departments,” said Koenigsknecht. “At the end of an engagement we’ll meet with the agency and, depending on the type of engagement, we can provide them with recommendations or opportunities for improvement.”
Koenigsknecht also helps departments with their Internal Control Evaluations (ICE). Each department is required, per Michigan Compiled Laws Section 18.1485, to evaluate its system and biennially issue an ICE report, which states self-identified material weaknesses discovered during the evaluation, repeating material weaknesses reported in previous reports which have not been sufficiently addressed, and submitting a plan and timeline for correcting these deficiencies.
“We have recently updated our Financial Management Guide (FMG) to help departments complete their self-assessment of their internal controls. OIAS’ role for ICE is evaluating the department’s self-assessment of their internal controls. We provide guidance and templates in our FMG that departments can use to complete ICE. We have changed our guidance to encourage and help departments self-assess on an ongoing basis, instead of just biennially when their ICE documentation is due,” she said.
Koenigsknecht said that the ICE report gives departments the opportunity to self-assess what they do, what could go wrong, and what’s in place to mitigate these possible problems. Part of the ICE evaluation is the completion of the “Risk, Control Activities, and Monitoring” (RCAM) – a worksheet that helps a department identify risks, how likely they are to occur, and any controls and monitoring activities they have in place to prevent those risks. Departments then form an overall conclusion related to their current efforts to prevent the identified risks from occurring.
As an analogy to explain risks and controls, Koenigsknecht gave us the example of the process of making a peanut butter and jelly sandwich.
“The business objective is to make a PB&J. So, you have to think about what could possibly go wrong during the process of making the sandwich. You could not have the necessary supplies. That’s a risk,” said Koenigsknecht.
“So, if someone was looking to improve their process, a control would be to keep a grocery list to ensure they have all of the ingredients. As a monitoring activity, another person could compare biweekly what ingredients are in the house versus what ingredients are on the grocery list. This would help ensure the grocery list is used and supplies are added to the list timely.”
“A risk is what could go wrong. Controls prevent risks. Monitoring activities measure the effectiveness of the controls. A material weakness is when there was a risk and there was nothing to prevent that risk from occurring.”
Koenigsknecht has worked with the OIAS for a year and a half. She said she always enjoyed working with numbers, so she knew she wanted a career in the accounting field.
“This job gives me the ability to use my accounting skills and to also interact and engage with others,” she said.
She decided she wanted to work as an internal auditor because “We don’t just tell departments, ‘Here’s your problem, good-bye.’ Instead, we tell them, ‘Here’s your problem and here’s how you can go about fixing it.’’”
“I like the idea of being able to help people find solutions to their problems.”