Office of the County Auditor

Internal Audit Division

Press Enter to show all options, press Tab go to next option

Who are internal auditors?
Why does McHenry County have an internal audit function?
What's the difference between external and internal auditors?
How are departments selected for audit?
What are the steps when a department is selected for an audit?
How can I obtain an Internal Audit Report?
What is Fraud?
Categories of Fraud
What are Internal Controls?
What is a Red Flag?

Who are internal auditors?

As defined by the Institute of Internal Auditors (IIA), "internal auditors are 'business generalists' who specialize in efficiency and effectiveness for the good of the organization.

Their roles include monitoring, assessing, and analyzing organizational risk and controls; and reviewing and confirming information and compliance with policies, procedures, and laws. Working in partnership with management, internal auditors provide the board, the audit committee, and management assurance that risks are held at bay and that the organization's governance is strong and effective. And, when there is room for improvement anywhere within the organization, internal auditors make recommendations for enhancing processes, policies, and procedures.”


Why does McHenry County have an internal audit function?

The internal audit function exists to assist management, the Finance and Audit Committee, and the County Board to effectively fulfill their responsibilities. It is charged with reviewing the reliability and integrity of information; compliance with policies, plans, laws, and regulations; the safeguarding of assets; and, the economical and efficient use of resources.


What's the difference between external and internal auditors?

External auditors are independent public accounting firms that the County hires. Independent public accounting firms review the County’s annual financial statements to ensure the information presented accurately portrays the County’s financial condition. The external audit agenda is set by the audit firm based on the assessment of the risks of the accounts being materially misstated. The taxpayers, County Board, and bond rating agencies rely on the external independent auditor’s opinion of the County’s financial statements. The internal audit function resides within the County (i.e. they are County employees). It is designed to look at the key risks facing the County and how it is managing those risks effectively. It usually results in recommendations for improvement across departments.


How are departments selected for audit?

In order to develop an annual audit plan, a risk assessment is done to identify the audit population and priority of the audits. Risk assessment assigns a number or score to potential audit areas based upon specific risk factors related to a department’s operations, internal controls, and liability to the County. Major risk factors include:

  • The adequacy of internal controls
  • The nature of transactions
  • The nature of the operating environment
  • The physical and logical security of information, equipment, and location
  • The adequacy of management oversight and monitoring
  • The degree of turnover


What are the steps when a department is selected for an audit?

Initiating the Audit
The Elected Official/Department Head is notified that an audit is scheduled for their department.

Preliminary Survey
Background interviews and research will be conducted so that the internal auditor becomes familiarized with the area. In addition, risks and potential issues will be identified and the audit objectives, methodology and procedures will be determined.

Audit Fieldwork
Fieldwork consists of data collection, analysis and other activities designed to meet the audit objectives. More specific information to support and document audit findings is also collected during this phase.

Exit Conference
The auditee will be kept informed of how the audit is progressing, so there are no surprises during the exit conference. Prior to the preparation of the final draft, an exit interview is held with the Elected Official/Department Head to discuss all possible findings, conclusions and recommendations.

A draft report is first written, which communicates the auditor’s findings, conclusions, and recommendations. It is presented to the department for their response and any corrected actions planned based upon the findings. The internal auditor will ensure that all parties agree to the accuracy and fairness of the report. The auditee department will be asked to suggest any changes they feel will make the report more understandable. A final draft is then prepared by the Internal Auditor. The final internal audit report is presented to the Finance and Audit Committee and any recommended liaison committees. Final internal audit reports will be made available for release via a FOIA request pending any further investigations.

The Internal Audit Division conducts follow-up procedures to help ensure that the appropriate action has been taken to resolve problems identified in audits.


How can I obtain an Internal Audit Report?

Final Internal Audit Reports are available via Auditor's Office website following presentation at the Finance and Audit Committee.

What is Fraud?

Fraud Defined by Association of Certified Fraud Examiners (ACFE) - The use of one’s occupation for personal enrichment through deliberate misuse or misapplication of the organization’s resources or assets.

For fraud to occur there must be a 3 factors present. These factors are pressure, opportunity, and rationalization. If all three of these incentives are there, fraud is likely to occur.

The Fraud Triangle

Opportunity is an open door for solving a non-shareable problem in secret by violating a trust. Opportunity is generally provided through weaknesses in the internal controls. Some examples include inadequate or no:

  • Supervision and review
  • Separation of duties
  • Management approval
  • System controls

“The opportunity to commit and conceal the fraud is the only element over which the local government has significant control.”

Pressure may be anything from unrealistic deadlines and performance goals to personal vices such as gambling or drugs.

Rationalization is a crucial component of most frauds because most people need to reconcile their behavior with the commonly accepted notions of decency and trust. Some examples include:

  • "I really need this money and I'll put it back when I get my paycheck"
  • "I'd rather have the company on my back than the IRS"
  • "I just can't afford to lose everything - my home, car, everything"
  • "I'm borrowing and will pay it back later"
  • "The company is big enough that it won't miss it"
  • "It's for the greater good"
  • "I'm worth way more than they pay me"

Categories of Fraud

The ACFE defines Fraud in 3 different categories - corruption, asset misappropriation, and financial statement fraud. ACFE has created a fraud tree to show what sub-categories can occur.

Fraud Tree

Fraud arises from conflicts of interest and extends to the receipt of illegal gratuities. This type of fraud is difficult to detect and, unfortunately, not uncommon in government. Corruption often results in higher prices charged to and in lower quality delivered to governments.

Asset Misappropriation
This is the most common and recognizable kind of fraud and it features the greatest variety of schemes. The outright theft of cash or inventory is a form of asset misappropriation. Overpaying vendors or employees—or paying vendors and employees that don’t actually exist—is another.

Fraudulent Financial Statements
Since the compensation of government employees is generally not tied in to profits or share price, this form of fraud is less common in the public than the private sector. Still, fraudulent financial statements are employed by fraudsters in government to cover up other forms of fraud, such as asset misappropriation Also, governments can be the victims of fraudulent financial statements they receive from the private sector in connection with contractor vetting.


What are Internal Controls?

As defined by the Institute of Internal Auditors (IIA), internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following areas:

  • Compliance with policies, procedures, contracts, laws, and regulations
  • Accomplishment of goals and objectives
  • Reliability and integrity of financial data
  • Economical, effective, and efficient use of resources
  • Safeguarding of assets

Management is responsible for the design and ongoing maintenance and monitoring of internal controls. Internal audit evaluates and assesses the controls.

Types of Internal Controls

Preventive Controls - procedures designed to prevent errors/irregularities from occurring:

  • Authorization/approvals
  • Separation of duties
  • Management oversight
  • System access controls
  • Physical access controls
  • Required supporting documentation

Detective Controls – procedures designed to detect errors/irregularities after transaction processing:

  • Account reconciliation and review
  • Trend analysis
  • Budget vs. actual analyses
  • Effective monitoring
  • System audit trails
  • Exception reports
  • Complaints/tips/hotlines
  • Mandatory vacations
  • Job rotations

Internal Audit tests and evaluates the effectiveness of internal controls through inquiry, observation, business process walkthroughs, inspection of relevant documentation, and/or the re-performance of processes, specific procedures, calculations, etc. If internal controls are found to be lacking, internal auditors will work with the department to develop stronger controls. Sometimes stronger controls are cost prohibitive. When that is the reality, management will have to identify and rely on compensating controls or accept the risk that some achievement objective will not be met.

Organizational culture, starting with what is known as the "tone at the top," is critical. When management acts unethically, it signals to every employee that unethical behavior is acceptable. In contrast, tools like anti-fraud training, codes of conduct, a fraud policy, consistent policy enforcement and swift prosecution establish a culture in which it is understood that wrongdoing will not be tolerated. In such a culture, fraud rarely flourishes for long. Segregation of duties and management review are two of the most important features of an internal control plan.


What is a Red Flag?

A red flag is a set of circumstances that are unusual in nature or vary from the normal activity. It is a signal that something is out of the ordinary and may need to be investigated further. Remember that red flags do not indicate guilt or innocence but merely provide possible warning signs of fraud. Recognizing red flags is an important element in the fight against fraud. While a red flag doesn’t always mean that fraud is present, it means that it certainly can be and that some level of investigation should be undertaken.

Employees who notice that red flags are ignored may mistakenly believe that it is okay to game the system or that they won’t get caught.

Auditors, employees, and management need to be aware of red flags in order to monitor the situation and then take corrective action as needed.

General Red Flags:

  • Lack of segregation of duties in vulnerable area
  • Reluctance to provide information to auditors
  • Management decisions are dominated by an individual or small group
  • There is a weak internal control environment
  • Excessive number of checking accounts
  • Excessive number of year end transactions
  • Service contracts result in no product
  • Photocopied or missing documents
  • High employee turnover, especially in those areas which are more vulnerable to fraud
  • Accounting personnel are lax or inexperienced in their duties
  • Decentralization without adequate monitoring
  • Frequent changes in banking accounts
  • Frequent changes in external auditors
  • Company assets sold under market value
  • Unexpected overdrafts or declines in cash balances
  • Refusal by company or division to use serial numbered documents (receipts)
  • Compensation program that is out of proportion
  • Any financial transaction that doesn’t make sense - either common or business

Behavioral Red Flags:

  • Borrowing money from co-workers
  • Creditors or collectors appearing at the workplace
  • Excessive gambling
  • Significant personal debt and credit problems
  • Refusal to take vacation or sick leave
  • Excessive absenteeism
  • Bragging about significant purchases
  • Employee lifestyle: expensive cars, jewelry, homes, clothes
  • Rewriting records under the disguise of neatness of presentation

Accounts Receivable Red Flags:

  • Excessive number of voids, discounts and returns
  • Unauthorized bank accounts
  • Sudden activity in a dormant banking account
  • Taxpayer complaints that they are receiving non-payment notices
  • Discrepancies between bank deposits and posting
  • Abnormal number of expense items, supplies, or reimbursement to the employee
  • Excessive or unjustified cash transactions
  • Large number of write-offs of accounts
  • Bank accounts that are not reconciled on a timely basis

Purchasing Red Flags:

  • Vendors without physical addresses
  • Vendor addresses matching employee addresses
  • Purchasing agents that pick up vendor payments rather than have it mailed
  • Abnormal inventory shrinkage
  • Lack of physical security over assets/inventory
  • Charges without shipping documents
  • Payments to vendors who aren’t on an approved vendor list
  • High volume of purchases from new vendors
  • Purchases that bypass the normal procedures

Being aware that fraud can (and does) happen is the key to detection. The best defense against fraud is a good offense (for both deterrence and detection purposes). Without being aware that fraud is occurring – or that it could occur – an organization is unlikely to be successful in mitigating or moderating it. Mitigating fraud can be challenging because fraud morphs and changes over time, and the pace of change is accelerating with new technology.