Internal Audits

Internal audits use observations of actual practices and documented audit trails to evaluate the efficiency and effectiveness of operations. The components of risk are:

What could happen, and
The likelihood that it will happen.

"What could happen" addresses monetary and non-monetary costs.

Practice good business with strong internal controls. Minimize questioned costs and maximize future work with the customer with strong compliance.

Companies are better served by outsourcing internal audits (as opposed to assigning staff), when resources are:

Not sufficient to expand responsibilities,
Not technically trained in performing operational and compliance audits, or
Likely to negatively affect working relationships after high-impact, unfavorable conclusions.

Significant findings with practical recommendations are reported to executive management. For an organization with at least one USG award, internal audit reports are accessible by DCAA; implementing recommendations reduces DCAA findings.

Internal audits assess the efficiency, effectiveness, and compliance of operations. The person managing a particular function is often too busy putting out forest fires to notice and chop down an inflammatory tree. The outsider, looking in, can more objectively see, "What is wrong with this picture?" Trained professionals, not assigned to the subject function, conduct internal audits. The manager or director overseeing the function continually conducts self-assessments; internal audits evaluate specific risks that do not stand out during day-to-day activities. Risks can be monetary, but can also cost the organization public relations, lost opportunities, high employee turn-over, and other negative repercussions. Operations with the highest risk and the highest probability of that risk occurring are audited most frequently. Low-risk and/or low probability might more cost-effectively rely on self-assessments of management.