Friends of Bob Mendes - Nashville


General thoughts about Metro's internal audit function

I'll warn you right now...this post will be hard to keep interesting. But as Metro's Internal Audit function has been more in the forefront on issues like Collier Engineering, various MNPS allegations, and looking into the former mayor, I need to get some thoughts out. In this post, I'm going to cover some basic information about Metro's internal audit function, what traits I think make for successful internal audit, and then some areas of possible improvement. If I have time today, I plan to work on a second post about the ongoing Collier and MNPS investigations being conducted by the Internal Auditor.

Here are some basics:

  • The Metro Auditor is set up under the Charter to be independent. The Auditor serves an 8 year term. I believe (but am not sure) that the current term runs through 2022. The Auditor reports to but is not controlled by the Metro Audit Committee.

  • The Metro Audit Committee has 6 members, who are the Director of Finance, the Vice Mayor, two Council members selected by the Council, a person chosen by the Nashville Area Chamber of Commerce, and a person chosen by the Nashville Chapter of the Tennessee Society of Certified Public Accountants. Council Member John Cooper and I are the two CMs picked by the Council to be on the Audit Committee.

  • There are three key functions for internal audit -- work with the external third-party auditors in preparing Metro's annual financial audit, conduct periodic internal audits of Metro's key functions, and conduct investigations as necessary of allegations of wrongdoing that impact Metro's finances.

  • Two of these functions are predictable. Working with external auditors on the annual financial audit and conducting periodic internal audits of each department can be scheduled easily at least a year in advance.

  • The third main function -- handling investigations of alleged wrongdoing -- is not predictable. Sometimes, there's not a lot of this. Sometimes, there is a lot to do.

What does it take to be a good internal auditor?

My basic description is that you want someone who has good accounting experience, a very practical operational understanding of the government, and a willingness to call out bad acts when necessary. It's critical to be well-balanced with these traits to be successful. For example, without a solid, practical operational understanding, internal audit findings tend toward being over-careful and unworkable. And then departments will just ignore findings and recommendations. Also, without a willingness to call out bad acts, then internal audit tends toward just moving paper around and not ever improving government.

For an additional data point, here's a brief article summarizing a report from the Institute of Internal Auditors' Audit Executive Center. The article indicates that when internal auditors are hired, business acumen and critical thinking are valued substantially more than traditional audit and accounting skills. This matches my impression that, yes of course, you need your internal auditor to be good at debits and credits. But more importantly, understanding operations and being able to think through what is an operational snafu that can be redesigned and what is a bad act is critical to a good internal audit function.

Areas of improvement

In my 3+ years on the Audit Committee, here are some of the areas of improvement that I have noticed. Some have improved. Some are a work in progress.

  • Enterprise Risk Management:

    • This is an industry term to describe having a formal process for an organization to identify all areas of risk, and then grade those risks. Once this is done, the result is used to decide where to allocate your internal audit resources.

    • To make up an exaggerated example...if Metro were to have a single, unbacked-up computer that stored all of its information about property assessments and property tax collections, the risk of losing that information would be graded as very high. In theory, that would mean that the processes around collecting and storing that data would be at the top of the list for an internal audit.

    • Many organizations build a ground-up ERM assessment annually to inform the internal audit plan for the next year. Metro doesn't do this. Metro relies on industry publications and studies, and experience/anecdotal evidence, to build a risk assessment. Metro would need to invest in an ERM software package to improve this.

  • Follow-up on findings:

    • There should be long-term follow-up on any findings from an internal report. When I joined the Audit Committee in 2015, that wasn't happening.

    • So prior to 2015, an audit report could have a finding, the department could promise to fix the issue, and if the department then ignored the issue, there was never any follow-up or further reporting.

    • At the request of the Audit Committee, we now get reports twice a year (I think it is twice??) on audit items that are unresolved or where the department has pushed back an implementation date. This provides dramatically more oversight.

  • Rejected findings:

    • From previous experience, I expect that departments will accept the internal auditor's recommendations and promise an implementation date for the fix. When I joined the Audit Committee in 2015, there were way too many recommendations that were being rejected by the department or where no implementation date was promised.

    • To me, that meant that departments probably didn't have respect for that "business acumen" component of the internal audit function. Rejected findings likely meant that the department was basically saying that internal audit didn't know what it was talking about.

    • At the request of the Audit Committee, all findings now have an implementation date for the fix. That's good.

    • Also, departments are rejecting audit findings less often now. To accomplish this, in late 2015 or early 2016, the Audit Committee started asking the Auditor and the department heads to talk more and work out their differences, if possible. As word got around Metro that rejected findings were going to get more attention from the Audit Committee, more of these differences got ironed out.

  • Reports not timely online: Over the last several years, the Audit Committee has leaned on the Auditor to more promptly and more completely get all reports online. To be perfectly honest, my experience has been that mundane reports get posted quickly and controversial ones do not. As recently as last month, a series of reports were issued within days of each other. The most controversial one was the only one to not be posted when I checked. I had to ask about it before it was posted. This is better than it used to be, but not where I'd like it.

What does it all mean?

This Audit Committee work is drudgery. But it is critically important. My work to push for a better enterprise risk management assessment, to force more communication and problem-solving, to require follow-up reporting on unresolved findings, and to get all reports online quickly is the highest value, lowest attention work I've done during this term. You should know that David Briley (when he was on the committee as Vice Mayor) and John Cooper (who is the other CM on the committee) have been strong, reliable allies in this work.

This post is to provide background context for my next post about the current ongoing investigations. What I would like you to take away is that, in my opinion, there is some evidence that the Metro departments don't always have a great opinion about the practical business acumen of the internal audit function. There is also some evidence that the audit function has typically shied away from controversy. I think these observations are important context for understanding the current investigations.