Operations: The Mysterious Function of Internal Audit

by Kevin Menke

What does an internal auditor do? The Institute of Internal Auditors (IIA) defines internal auditing as an “independent, objective, assurance and consulting activity that adds value to and improves an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” This definition complicates internal audit’s roles and responsibilities.

To make it easier to understand just what an internal auditor does, let’s break down each component of the IIA’s definition. The first component of the definition, “independence,” is being able to perform audit activities in an unbiased manner. That is, not letting your own feelings and beliefs determine the audit outcome or opinion. Auditors’ opinions have to be free from conditions that threaten the ability to be unbiased. The next component, “objective,” is defined by the International Professional Practices Framework as an “unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires auditors not to impose their own judgement on audit matters to others.” In other words, auditors must keep their opinions discrete and not impose their beliefs and thoughts upon the facts of the audit.

The next component, “assurance and consulting,” refers to the opinions issued by auditors regarding the accuracy and completeness of what is being analyzed. For example, a CPA firm assures financial statements are accurate by using acceptable accounting standards and principles. The internal audit profession also has its own set of standards that have to be maintained when conducting audit engagements. This framework details the purpose, objectives and deliverables of internal audit and explains the methodology and standards used to provide independent assurance outcomes.

The “risk management and control” component is the internal audit activity where the evaluation of the effectiveness of internal controls takes place. Internal audit must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk. Internal audit must also assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by recommending continuous improvement to these controls. These evaluations are completed during the audit’s fieldwork stage through observations, inquiries, and document reviews. This is where internal audit adds the most value. Offering recommendations to the casino or organization on strengthening internal controls that will minimize the risk of fraudulent activity will pay for itself exponentially over time. Of course, it’s impossible to know the exact amount it will save, and this is where casino organizations’ management frequently sees internal audit as a liability rather than an asset. Think of it in comparison to your personal checking account. The bank has internal controls in place such as checking identification, your signature, ATM personal identification numbers (PIN), and other controls that keep other individuals from accessing your funds. If these controls weren’t present, how much of your funds do you think you could lose?

By their nature, casinos are high-risk environments for fraud and scams. Examples of fraud and mismanagement victimizing casinos due to lax internal controls and substandard internal audit oversight include:

• Cash skimming by casino employees

• Slot machine denomination multiplier misconfiguration

• Faulty casino promotions, marketing fraud, player comp and reward program fraud

• Contract kickbacks, fictitious billing, and overbilling

• Marker manipulation and casino credit fraud through false account creation

• Sportsbook player collusion

• iGaming promotion fraud

The last component, “governance,” is the internal audit activity that assesses and makes recommendations for improving the governance process in its accomplishment of promoting appropriate ethics and values within the organization. Internal audit also ensures there is effective management and accountability, that risk and control information is communicated to appropriate areas of the organization, and that activities are coordinated between the board, external and internal auditors, and casino management. In essence, this means making sure that management is aware of any issues within the casino or organization and is making decisions to remedy these issues.

Although internal audit tends to be mysterious to most individuals in an organization, either because they have no interaction with auditors or because they have little knowledge of internal audit’s roles and responsibilities, it continues year after year to provide value to an organization. The true value of the internal audit function can never be accurately calculated because of the unknown: exactly how much fraud was prevented due to the recommended addition or strengthening of internal controls by the internal audit function. This trend will continue, and audit will become more important in the future as technology advances and fraudsters become more sophisticated in the ways they maneuver around internal controls. Because of this, internal audit professionals will need to continue to evaluate organizational control structures and evolve their knowledge and skills to continue to deter fraudsters, thieves, and other criminals.

Kevin Menke is Director of Internal Audit at the Pokagon Band Gaming Commission. He can be reached by calling (269) 926-5479 or email [email protected].