Internal audit is a periodic review of whether a local government’s financial policies and internal controls are being followed in day-to-day operations. It generally involves looking at a sample of transactions, observing how key financial processes work, documenting compliance with established procedures, and evaluating their effectiveness.

Internal audit is widely recognized as a best practice, but it does not look the same in every unit. How it functions in practice depends on local priorities, available capacity, and the way it fits within existing oversight and management processes.

This post walks through what internal audit means in practice for North Carolina local governments, including how it fits with other oversight tools, what the law requires, and how local governments of different sizes can approach it realistically. It also provides links to resources on how to structure an effective internal audit program.

Where Internal Audit Fits in North Carolina’s Oversight Framework

North Carolina local governments and public authorities operate within a multi-layered oversight structure. Statutes impose baseline financial controls; units adopt internal control policies; finance officers execute daily controls; external auditors provide independent verification; and the Local Government Commission (LGC) monitors compliance and intervenes when problems rise to a systemic level. Internal audit fits into this structure not as a replacement for any of these functions, but as the connective tissue between them.

At the foundation are statutory controls, primarily in the Local Government Budget and Fiscal Control Act. Provisions such as daily deposits, pre-audit and disbursement certifications, budgetary requirements, and monthly reporting are not optional best practices—they are legal requirements. These statutes define what must happen but say relatively little about how a unit should test whether those requirements are actually being followed consistently across departments, funds, and systems.

That gap is partially filled by internal controls and, increasingly, by a formal internal control policy. Internal controls are the procedures, checks, approvals, reconciliations, and supervisory reviews embedded in day-to-day operations. An internal control policy documents management’s expectations, assigns responsibility, and creates a shared framework for compliance. But policies and controls, standing alone, are static. They describe what should happen, not whether it is happening or whether controls still make sense as staffing, technology, and operations change.

The annual independent (external) audit sits outside daily operations. Whether conducted as a GAAP (Generally Accepted Accounting Principles) financial audit alone or layered with Yellow Book (US GAO Government Auditing Standards) and Single Audit requirements, the external audit is retrospective and materiality-driven. Auditors test selected transactions and controls to support an opinion on the financial statements and, where applicable, compliance with major grant programs. By design, this work is not comprehensive, continuous, or operational. A clean audit does not mean controls are strong everywhere; it means nothing rose to the level of material misstatement or reportable noncompliance in the areas tested.

The LGC review process, including monitoring of audit reports and financial performance indicators of concern (FPICs) adds another layer. LGC oversight is triggered by indicators of fiscal stress, audit findings, missed filings, or statutory noncompliance. It is corrective and supervisory, not always preventive. By the time an FPIC is issued, control weaknesses have already manifested in missed deposits, unauthorized spending, accounting breakdowns, or governance failures.

This is where internal audit belongs. Its purpose is not to restate what the law already requires, duplicate the external audit, or function as an enforcement arm. Instead, internal audit operates in the space between requirements and outcomes. It asks whether statutory controls are being followed in practice, whether internal controls are working as designed, and whether control gaps are emerging before they become audit findings, LGC concerns, or public failures.

A well-designed internal audit function provides ongoing, risk-based review of compliance and controls. It can test processes the external auditor will not reach, examine areas that fall below materiality thresholds, and look across departments and fiscal years. Just as importantly, internal audit provides management and the governing board with timely, actionable information, allowing corrections to occur while problems are still manageable.

In short, statutory controls define the rules, internal controls operationalize them, external audits verify compliance after the fact, and LGC oversight responds when systems break down. Internal audit exists to reduce the likelihood that they ever do.

Statutory Internal Audit Requirement

North Carolina law is far more limited about internal audits than many people assume. There is only one express internal audit provision in State law. Under G.S. 159-32, officers and employees who collect or receive public money must deposit those funds in accordance with strict rules, maintain them securely, and report deposits to the finance officer. The statute then gives the finance officer explicit authority to audit the accounts of anyone who collects or receives money and requires those accounts to be audited at least annually.

In practical terms, this means that every unit, regardless of size, must have some internal review of revenue handling that ties cash and deposits back to actual transactions. In a small organization, that may involve the finance officer periodically reviewing deposit logs, cash drawer reconciliations, and receipt records and confirming that recorded receipts align with underlying activity, such as permit applications, utility payments, or other routine counter transactions. In a larger organization, it may require more formal procedures, delegated reviews, or documented testing. Either way, this responsibility is mandatory.

At the same time, this authority is narrow. It applies to revenue collection and cash handling only. It does not require internal audits of procurement, payroll, utilities, grants, or capital projects.

Beyond the Statutory Requirements

Beyond the revenue-handling reviews required by G.S. 159-32, internal audit is largely a matter of local choice. The form it takes varies significantly based on the size and complexity of the unit. Although internal controls are mandatory, there is no statutorily prescribed process for routinely verifying that those controls are being implemented properly or remain effective. In practice, internal audit or internal review fills that gap.

In small units, internal audit may be informal but should be intentional. The finance officer may periodically review high-risk areas such as cash handling, purchasing cards, or payroll using a structured checklist, document what was reviewed and what was found, and report issues to the manager or governing board. At this scale, the value of internal audit comes from consistency, follow-through, and documentation rather than technical sophistication.

In mid-sized municipalities, counties, and public authorities, internal audit typically functions as a defined management activity that is separate from day-to-day transaction processing but does not rise to the level of a standalone department. Units may assign partial internal audit responsibility to a staff member, rotate internal review duties among senior finance or management staff, or periodically use outside reviewers for higher-risk areas. An internal audit policy and an annual review plan clarifies roles, reduces overlap with other oversight functions, and makes it easier for management and boards to act on findings.

In larger cities and counties, internal audit is often formalized as a distinct function with a dedicated internal auditor or internal audit staff. These units commonly use risk-based audit plans, conduct more comprehensive reviews, and issue formal reports that are provided to the manager and, in some cases, directly to the governing board. At this scale, internal audit becomes a core governance and risk-management tool rather than an ad hoc compliance exercise.

Some governing boards, particularly in larger or more complex units, choose to establish an audit committee to support this work. Where they exist, their role is typically advisory, providing a focused forum for reviewing internal audit plans and reports, monitoring management’s response to findings, and coordinating communication among internal auditors, external auditors, and senior management. In smaller or mid-sized units, boards may use an audit committee more selectively, such as to review the annual external audit or oversee targeted internal reviews, without creating a permanent internal audit structure.

No single internal audit process is inherently better than another. What matters is that the approach is proportional to the organization, focused on areas of real risk, and designed to produce information that management and governing boards can use to improve compliance, operations, and accountability.

Internal Audit Functions

In practice, effective internal audit work is concrete and hands-on, built around direct testing of transactions and regular interaction with staff across the organization. Designing an internal audit process should start with a realistic assessment of the organization’s size, complexity, and available capacity.

Internal audit looks at processes as complete systems, not just isolated steps. It compares how a function is supposed to work under written policies and procedures with how it actually works in daily operations, and notes where controls are unclear, impractical, or not being followed. For example, an internal audit of utility billing may look not only at a sample of bills, but also at how meters are read, how billing adjustments are approved, how delinquencies are managed, and who has access to the billing system. 

Equally important is direct engagement with staff. Internal audit relies on staff explanations and process walkthroughs to understand how work actually happens, not just how it is described in policies. This helps identify informal workarounds, misunderstood or impractical controls, and process gaps, and often brings finance, operations, IT, and management into the same discussion about how internal controls function in practice.

Thus, the real value of internal audit lies in closing the gap between policy and practice—identifying where internal controls are weak, unclear, or outdated, and where targeted changes can reduce risk or improve efficiency without adding unnecessary burden.

Common Challenges and How to Address Them

The most common challenge with internal audit is not technical capacity, but authority. In many units, the staff performing internal audit or internal review lack clear authority to require participation, obtain information, or ensure that identified issues are addressed. This challenge is especially pronounced in decentralized organizations, such as counties with independently elected officials, appointed boards, or semi-autonomous departments. Without an explicit mandate, internal audit lacks the authority needed to ensure cooperation and corrective action.

The governing board is the only body positioned to resolve this challenge. Through its policy-setting and budgetary authority, the board establishes whether internal audit is an expected part of the unit’s fiscal management framework. When the board clearly communicates through policy, budget decisions, and consistent messaging that internal audit applies to all departments, offices, employees, and officials, participation becomes a standard expectation rather than a matter of discretion.

Clear structure is equally important. Effective internal audit requires defined roles and responsibilities, including who conducts reviews, who receives the results, who has authority to require corrective action, and how disagreements are resolved. Without this clarity, findings can stall between departments, management, and the board, even when the underlying issues are well understood.

Communication across departments also matters. Internal audit works best when departments understand what will be reviewed, why it matters, and how the information will be used. Regular and transparent communication helps prevent internal audit from being perceived as punitive or ad hoc and reinforces its role as a routine part of maintaining required internal controls.

Internal audit findings only matter if there is a clear expectation that management will respond and that corrective action will be tracked. Many effective units formalize this expectation through written management responses, defined timelines, and periodic reporting to the governing board. This feedback and follow-up loop gives internal audit practical effect and makes it a functioning part of the unit’s overall fiscal management system.

These structural issues are often compounded by practical constraints, particularly staffing and capacity. Most local governments do not have the resources to support a dedicated internal audit position, and internal audit responsibilities must be absorbed by existing staff. When this work is not explicitly recognized, prioritized, and appropriately scoped, it is easily deferred in favor of daily operational demands, even when the underlying risks remain.

Finally, perception plays an important role. Internal audit is sometimes misunderstood as an effort to identify individual wrongdoing rather than to evaluate systems, processes, and controls. That perception can discourage cooperation and limit the quality of information shared with reviewers. Clear, consistent messaging from management and the governing board that internal audit is about strengthening systems and reducing risk, not assigning blame, can significantly improve participation and effectiveness.

Taken together, these challenges reinforce the same point: internal audit is most effective when it is clearly authorized, adequately supported within existing resource constraints, and consistently framed as a system-focused management and governance tool rather than a discretionary or punitive exercise.

Practical Resources to Guide Internal Audit Practices

Although North Carolina local governments are not subject to a comprehensive statutory internal audit framework, there is no shortage of guidance to inform how an internal audit function can be designed and carried out. These resources should be adapted to the unit’s needs rather than adopted wholesale. (Note that some of these resources require membership or subscription.)

One commonly cited resource is the North Carolina Statewide Internal Audit Manual, published by the Office of State Budget and Management. The manual applies only to State agencies and does not govern counties, municipalities, or public authorities. Local governments are not expected to follow its requirements. However, it provides a clear internal audit lifecycle—risk assessment, planning, fieldwork, reporting, and follow-up—that translates well to local government settings. Its treatment of audit independence, internal audit charters, documentation, and management responses is particularly useful for larger units or those seeking to formalize an internal audit function.

At the national level, guidance from the Institute of Internal Auditors (IIA) is widely used in the public sector. IIA’s public-sector practice guides emphasize proportionality, risk-based planning, and clear governance relationships, and are especially helpful for governments that employ a dedicated internal auditor or contract for internal audit services.

The Government Finance Officers Association (GFOA) also offers internal audit guidance tailored to state and local governments. GFOA’s materials are particularly accessible for finance officers and managers because they connect internal audit to broader financial management, internal controls, and board oversight.

Another useful source is the Association of Local Government Auditors (ALGA), which publishes model internal audit charters, audit committee guidance, and examples of how local governments structure audit functions. These resources are especially helpful for mid-sized and large units considering whether to create or expand an internal audit role.

The U.S. Government Accountability Office’s Government Auditing Standards (the “Yellow Book”) can also provide useful context. Many local governments encounter these standards through external audit requirements, and understanding their treatment of internal controls and risk assessment can help internal audit efforts align with external audit expectations.

Local governments, particularly smaller units, may also consult their external auditors for practical input. While external auditors cannot perform internal audit work or make management decisions, they can share insights about common risk areas, control weaknesses seen in peer governments, and ways internal audit work can complement the annual financial audit.

Finally, here is an internal audit checklist for small units that might serve as a helpful starting point.