XNM logoXNMConsulting Inc.
← All articles

Internal Audit on a Real Budget: Building Assurance Without an Empire

May 25, 2026 · 2 min read
Internal Audit on a Real Budget: Building Assurance Without an Empire

Internal audit, in plain language, is the work of checking that your own controls are actually doing what you think they are doing. It is different from the external audit, which checks the financial statements. Internal audit checks the system. Many First Nations governments rely entirely on the external auditor for assurance — which is a bit like asking the inspector who comes once a year whether your fire alarm worked all night.

The good news is that internal audit does not require a department. It requires a standing committee, a written charter, an annual work plan, and a willingness to act on findings.

Recent context

The First Nations Financial Management Board provides templates and guidance for these structures — see their Finance and Audit Committee resources. Nations on the FMA path use them as a baseline; Nations outside the FMA can use them just as readily.

The governance and project-management angle

A right-sized internal audit function for a First Nation typically includes a Finance and Audit Committee of three to five members — usually one or two Councillors plus independent appointees with finance, audit, or capital project expertise. The Committee adopts an annual work plan of three to five focused reviews: a payroll spot check, a procurement file review, a capital project cost-to-complete review, a contract compliance review, and a controls walk-through. Each review produces a short written report with findings, recommendations, and management response. Council receives a summary annually.

How XNM helps

XNM Consulting helps Nations stand up Finance and Audit Committees, draft their charters, and run the first two or three audit cycles alongside the committee members until they are confident running the program themselves. We bring the methodology; the community keeps the authority.

Practical takeaways

  1. Charter the committee in writing. Mandate, composition, independence, reporting line, and authority to access records.

  2. Include independent members. At least one member with financial or audit expertise who is not a current Councillor.

  3. Adopt an annual work plan. Three to five reviews chosen by risk, not by tradition.

  4. Track management response. A finding without an assigned owner and due date is a finding that will repeat.

  5. Report annually to membership. A short, plain-language summary of work done and gaps closed.

FAQ

Is this not the external auditor's job?

The external auditor opines on financial statements. Internal audit examines whether controls work, whether policies are followed, and whether projects are delivering value. The two roles complement each other.

Can we outsource internal audit?

Yes, and many smaller Nations do — using a co-source model where the committee directs the work and an external firm executes specific reviews.

How do we keep the committee independent?

Independent appointees, a charter that protects the committee from interference, direct reporting to Council, and the right to engage external help when needed.

The bottom line

Internal audit is not about catching wrongdoing — it is about confirming that the controls Council has approved are actually working. A small committee with a tight plan delivers most of the assurance value larger organizations get from full departments. Build it once and you will rely on it for decades.

← Back to blog