This is especially true for public or aspiring public entities. Just like every other discipline in the industry, corporate internal audit departments are operating with very reduced staffing levels, having on average 1 to 5 people (mostly up to 3), so it is virtually impossible to get to every hotel in the portfolio.

This creates a high level of exposure for organizations and compels us to re-imagine how to audit, implement, and review internal controls, manage risks, and ensure compliance.

By using a robust self-audit and risk assessment process that includes identifying and leveraging existing control processes and data analytics, any company can get better coverage and compliance along with more real-time information about how their internal controls are operating.

Internal audit should therefore pivot from a traditional rotating visit approach to a risk-focused and data-driven framework that utilizes and leverages all existing control processes to get more effective audit coverage.

I recommend a pyramid approach consisting of four levels:

1) Self-Audits:

At every property, we can usually find the baseline level of internal controls that should be audited at least quarterly on a rotating basis. Utilizing a self-audit tool, with controls organized by the department, a hotel can validate that the controls are working as designed. A robust self-audit process and a proactive, continuous process improvement approach to managing issues identified during self-audits will improve awareness of the importance of controls and better compliance. An added benefit is that hotels that operate with this control framework consistently score well on guest and associate satisfaction surveys. This approach also shows up on the bottom line through less fraud and more efficient management of costs such as food, beverage, and labor. In addition, the environment of continuous improvement makes associates at the baseline level more engaged, better-trained, and ultimately happier – which results in less turnover and happier guests.

2) Peer Audits:

On top of self-audits, it is a good idea to involve a peer hotel once a year, to audit and validate how the controls are working. The goal is to identify any weaknesses in the existing controls, as well as to share best practices and advice on further improvement and training. Peer audits should be viewed as an opportunity for the most promising associates to be part of the process. They should be informative rather than punitive as the objective behind them is for each hotel to gain a new, fresh perspective of hotel operations and ways to address risk and controls.

3) Ops Visit Audits:

At least annually, the regional ops team(s) should be required to carry out a high-level, one-day audit. This type of audit involves a review of high-risk controls examining the overall control environment and ensuring a robust self-audit and continuous process improvement culture is evident at the hotel. Results should be shared with the hotel and remediation plans documented and followed up on until complete.

4) Dashboards:

Dashboards should be developed to capture all of the results from the self-audits, peer audits, and ops visits along with other data points such as guest and associate survey results, employee turnover, prior-year audit results, risk scoring, etc. They should also include financial data such as:

a. Write-offs

b. Credit card credits and chargebacks

c. Food and beverage costs

d. Large budget vs. actual variances

e. OTA billing not being kept current

Utilizing this tiered approach and leveraging the existing levels of staffing for self-audits, regional reviews and dashboards provides the corporate internal audit and finance groups with an efficient tool to evaluate risk and controls across their overall operations.

Dashboard data along with traditional financial data such as cash reconciliation issues, AR write-offs, chargebacks, revenue adjustments cash on hand, etc., can be evaluated against similar hotels to identify outliers that may indicate control issues. Follow-up via a regional finance call or desk audit, property visit, or internal audit can also be part of a new control framework that reacts to control issues proactively and can help determine where scarce audit, operations, and third-party resources should be allocated.

This approach requires a deliberate and purposeful culture change for the entire company. To be successful, it also needs to be backed by Executive Sponsorship, Corporate and Hotel Finance Groups as well as Operations Leadership. Such support will help build a program capable of identifying and reducing risk for the company while achieving a better and more comprehensive understanding of how internal controls are working throughout the company

Neil Grammer
Consultant Strategic Solution Partners, CPA & Executive Managing Member of Grammer & Associates