A conversation about the unsung heroes of efficiency, risk mitigation and compliance
May 2025 | By Moise Julot
May is designated internationally as Internal Audit Month by the Institute of Internal Auditors to raise awareness of the profession and its values.
Internal auditing plays an essential role in government efficiency by supporting organizational governance, internal control and effective risk management. Internal audit professionals focus on ensuring an organization’s goals and objectives are met. One way internal audit professionals contribute to the success of an organization is by assessing procedures and systems to ensure governance processes are effective and efficient.
Cheryl Scott
Like other government entities, the Texas Comptroller of Public Accounts has its own Internal Audit Division. For insight on the role of an internal auditor, Fiscal Notes sat down with its director, Cheryl Scott. With more than 30 years of service in state government, she is proud of the immense value internal auditors bring to ensuring operational efficiency, identifying risks and ensuring compliance with laws and regulations to meet the needs of the people and businesses that rely on the Comptroller’s office, a state agency that serves virtually every Texan.
Fiscal Notes: For the average Texan who may not be familiar with what you do, what is internal auditing?
Scott: I can give you the textbook answer in my sleep, which is that internal auditing is an independent, objective assurance and consulting activity designed to evaluate and improve the effectiveness of an organization's risk management, control and governance processes. But I will try to put it in layman’s terms and answer from the lens of someone who has not always been in internal auditing. Some core characteristics are:
Internal audits are performed by employees of the organization rather than outsourced contractors, so to help maintain our independence, we must report to the highest level of management or a board if there is one.
We continuously conduct audits of our organization, unlike external auditors who come in periodically as contracted.
The average person might be familiar with the work of external auditors, who often conduct financial audits; while we do some financial audits, internal auditors focus more on operational processes to see if there are inefficiencies or if there are sufficient control processes to ensure all risks are properly mitigated.
We're in state government, so we’re always going to be checking for compliance with applicable laws and regulations.
The safeguarding of our assets is a big priority. To ensure our assets are properly protected, we often start with our information technology (IT) systems. Essentially, every process that we conduct at the Comptroller’s office, and probably at every other state agency, is governed by some sort of IT system. IT auditors on my team assess whether controls are in place to ensure we don’t get hacked and lose data, and that we have proper backups.
General controls are the foundation of all our IT audits to make certain that vulnerability testing is occurring and that controls are put in place to maintain a top-notch security foundation for our data. That includes assessing things like agency staff training and making certain our IT staff keep up with certifications and continuing education courses.
Fiscal Notes: Efficiency in government is essential for fostering a good relationship between government and the public. How does Internal Audit’s work impact ordinary Texans?
Scott: I always view us as the watchdogs for the safety of your funds. We help ensure the controls are in place to reduce the risk of errors, chances of fraud and data breaches.
Any organization will have those people who say, “We always did it this way” — without researching to see if there is a better way of doing things. This mindset can introduce inefficiencies and failure to enhance controls when risk factors change.
Then there might be a new person who comes in and says, “You know what, those controls are burdensome, I'm not doing any of it.” When this happens, they introduce weaknesses into the process. It may be that while management has sound procedures, staff is not following them.
So, we're kind of that watchful eye to let management know what they put in place is actually being implemented, and we help them to strengthen controls that are in place.
We also help ensure compliance with laws. We are in a legislative session right now, and at the end of the session, new laws will come out. Divisions might not be aware of changes that might impact some of the processes. We help make certain that processes comply with all the new laws or rules.
Sometimes new risks enter our workplace, and we're not even aware of it. An internal auditor’s job is to help management identify emerging risks to ensure controls are in place to address them.
Fiscal Notes: Why are internal audits important for organizations? How do they support state government?
Scott: One of our primary steps in auditing is that we come in and learn the internal processes. Then, we research best practices relating to that process and any statutory requirements. Finally, we pair the internal processes with the information gathered. We ask questions like these:
If the statute says we do this, are we doing it?
If there are best practices that suggest we have this type of control, do we have that type of control in place?
Is this truly necessary?
Can we streamline that?
This is where an internal auditor’s independent view of processes is so critical. This independent view helps ensure when something new comes along that makes the process a little bit more efficient, it can be implemented. Sometimes it might just be a bottleneck that needs to be addressed, or it's a redundant or outdated practice.
Fiscal Notes: What education, training and other qualifications are required for someone interested in becoming an internal auditor?
Scott: Everything is always evolving. If you asked me this question around five years ago, I would have said a bachelor's degree in accounting, finance, economics, business administration or something in that area, because that's typically where we always thought to get our auditors. Today, we look for a bachelor's degree to show that [the candidate] can complete a task.
In the Comptroller’s office, we handle so many different things. Someone with a degree in communications or IT may be better in helping to do an audit of a particular division than someone with an accounting degree. If someone has a degree in an IT-related field, that can be used to help us identify risk and controls in the IT structure. We’ve got a Criminal Investigation Division — if someone has a law enforcement degree, and they want to come audit, that will help me as well.
We no longer tie ourselves to just the business degrees, but one thing that we do always try to preach is once you get in and you decide you do want to audit, certifications probably weigh more than your education.
We have certified internal auditors; we have certified information systems auditors; and we have certified public accountants. You know the saying, “The jack of all trades and the master of none.” Having that certification turns it back around and says, “We are the jack of all trades and the master of risks and controls.”
Editor’s note: This Q&A has been edited for length.
A REVIEW OF THE TEXAS ECONOMY