Internal audit department: add CAM reconciliation audit to annual control scope
Internal audit teams review contract compliance, financial controls, and how well operations run. Commercial lease CAM reconciliation review fits all three. CAM means common area maintenance: the shared costs a landlord bills back to tenants. A reconciliation is the landlord's year-end true-up of estimated charges against actual costs. Reviewing it is a contract compliance test. It checks that landlord billing matches the signed lease. It is also a financial controls review. It checks that variable lease cost under ASC 842 is booked correctly. And it shows whether your cost process catches billing errors. I built CAMAudit to handle the heavy document work. That frees your auditors for the judgment work: risk, evidence, and what to recommend. This article shows how to add CAM reconciliation audit to your annual scope. It covers how to set up the tests and how to write findings that meet IIA workpaper standards.
Contract compliance audit: An audit procedure that verifies amounts billed by a third party conform to the terms of an executed contract. Commercial lease CAM reconciliation audit is a contract compliance audit: the auditor compares the landlord's billed charges against the lease provisions that specify allowable expense categories, calculation methodologies, and caps. Findings are documented as variances between contract terms and actual billing.
CAM overcharge risk in the internal audit universe
A risk-based audit universe ranks subjects by dollar size, control risk, and strategic value. Commercial lease CAM charges show up in all three.
Financial materiality. Take a company with 20 NNN lease locations. NNN means a net lease where the tenant pays its share of taxes, insurance, and CAM. Say CAM runs $8 per square foot per year. Say each tenant space is 5,000 square feet. That is $800,000 in CAM exposure a year. A 5% overcharge across the portfolio is $40,000 a year. That is material for most mid-market companies. It belongs in an audit finding.
Control risk. Most companies have no set process to check landlord billing against the lease. AP teams confirm the math and approve payment. AP means accounts payable. They rarely run a lease-compliance check. With no preventive control, errors run the full lease term. An audit is the only thing that catches them.
Strategic relevance. Under ASC 842, variable lease cost is a P&L line. Steady CAM overcharges mean the company reports too much variable lease cost. That is more than the lease requires. It is a reporting accuracy issue. Internal audit is well placed to find it and raise it.
IIA Standards alignment
The IIA Standards set the frame for scoping CAM audit as an internal audit activity:
- Standard 2100 (Nature of Work): Internal audit reviews and helps improve risk, control, and governance. Contract compliance review fits here.
- Standard 2120 (Risk Management): Internal audit checks how well risk processes work. No set CAM review is a risk gap.
- Standard 2130 (Control): Internal audit checks whether controls answer the risks they face. No lease-compliance control over CAM billing is a control gap.
CAM findings can use the IIA finding format: condition, criteria, cause, effect, recommendation. They go in the annual audit report.
Testing procedures for CAM reconciliation review
The table below maps CAMAudit's detection rules to standard audit tests:
| CAMAudit detection rule | Audit test objective | Evidence produced |
|---|---|---|
| Management fee overcharge | Verify fee percentage vs. lease cap | Dollar variance, lease citation |
| Pro-rata share error | Verify denominator and tenant SF vs. lease | Percentage variance, building area calculation |
| CAM cap violation | Verify annual increase vs. cumulative cap | Year-over-year increase calculation, cap provision citation |
| Gross-up violation | Verify occupancy threshold and expense pool | Occupancy rate comparison, methodology citation |
| Base year error | Verify base year expenses vs. lease-defined methodology | Base year comparison, exclusion list check |
| Controllable expense cap overcharge | Verify controllable CAM increase vs. cap | Controllable expense calculation, cap provision citation |
| Excluded service charges | Verify that excluded categories are not billed | Line-item classification against exclusion list |
| Landlord overhead pass-through | Verify no administrative costs in CAM pool | Overhead category identification and lease citation |
Each test gives a dollar variance and a lease clause citation. That is the standard format for audit workpapers. The condition is the amount billed. The criterion is the lease clause that sets the right amount.
Risk-based prioritization for CAM audit scope
You cannot audit every lease location every year. A risk-scoring model finds the top-priority ones:
| Risk factor | Weight | Scoring criteria |
|---|---|---|
| Annual CAM exposure | High | Score 3 for >$75k, 2 for $25k-$75k, 1 for <$25k |
| Years since last audit | High | Score 3 for 5+ years, 2 for 3-4 years, 1 for 1-2 years |
| Lease complexity | Medium | Score 3 for multiple amendments + cap + gross-up, 2 for standard NNN, 1 for simple gross lease |
| Landlord profile | Medium | Score 3 for large institutional REIT, 2 for mid-size private, 1 for single-property owner |
| Prior findings history | High | Score 3 if prior findings exist, 1 if no prior findings |
Locations that score 10 or above are the annual audit priority. This keeps your team focused on the highest-risk locations.
"Internal audit teams are already doing contract compliance testing in AP and procurement. CAM reconciliation is contract compliance for the occupancy cost line. After testing reconciliation samples through CAMAudit, the detection output maps directly to standard audit workpaper format." - Angel Campa, Founder, CAMAudit
Workpaper documentation standards
Document CAM findings to IIA workpaper standards. A complete CAM finding workpaper has five parts:
Condition. The amount the landlord billed for that line or calculation. Example: "Management fee of $47,500 was billed for the period January through December 2024."
Criteria. The lease clause that sets the right billing method. Example: "Section 4.2(b) of the executed lease dated [date] limits management fees to 3% of controllable CAM expenses."
Cause. Why the overcharge happened. Example: "The landlord applied the management fee to the gross CAM expense pool rather than the controllable expense subset as required by the lease."
Effect. The dollar variance and the period it covers. Example: "The management fee overcharge for 2024 is $8,750 ($47,500 billed vs. $38,750 allowable). If this methodology has been applied since lease commencement in 2020, the cumulative exposure over 4 years is approximately $35,000."
Recommendation. What the audit committee or management should do. Example: "Management should issue a formal dispute to the landlord within the lease's audit window, requesting a credit for the 2024 overcharge and a recalculation of prior years under the correct methodology."
CAMAudit gives you the condition and criteria parts on its own. The auditor writes the cause, effect, and recommendation. Those rely on judgment and client context.
Implementation approach for internal audit departments
You can run CAM audit in one of three ways:
Direct deployment. Your team builds the skill in house. It uploads documents, reviews findings, and drafts workpapers. This gives the most control. It fits large companies with their own real estate audit staff.
Co-source with an external advisor. Your team works with a real estate advisory firm. That firm holds a white-label CAMAudit subscription. The advisor uploads documents and does the first findings review. Your auditor checks the findings and adds them to the workpaper. This fits teams that lack lease expertise.
Fully outsourced. An advisory firm with a white-label subscription runs the full audit. It delivers the findings as a client product. Your team checks the output and issues the finding. This asks the least of your team.
For most mid-market companies, co-source works best. The advisor brings lease expertise. Your auditor brings company context, audit standards, and the authority to raise findings.
Frequently Asked Questions
Is CAM reconciliation audit within scope for an internal audit department?
Yes. CAM reconciliation audit falls within the standard internal audit scope of lease compliance testing and occupancy cost controls. The Institute of Internal Auditors (IIA) Standards recognize operational audit, contract compliance audit, and financial controls review as core internal audit activities. CAM reconciliation is a contract compliance audit: the internal audit team verifies that amounts billed by the landlord conform to the terms of the executed lease.
How does CAM overcharge risk appear in a risk-based audit universe?
CAM overcharges represent a financial reporting risk (variable lease cost under ASC 842 is misstated), a contract compliance risk (landlord is billing outside lease terms), and an occupancy cost budget risk (the company is paying more than contractually obligated). All three risk dimensions are relevant to an internal audit risk assessment. The risk is material for companies with large NNN lease portfolios where total annual CAM exposure is significant.
What testing procedures does CAMAudit support for an internal audit CAM review?
CAMAudit automates CAM detection checks covering management fee percentage compliance, pro-rata share denominator verification, CAM cap annual increase compliance, gross-up threshold and methodology compliance, base year expense verification, controllable expense cap compliance, excluded service category review, landlord overhead pass-through detection, GL reconciliation, timing, allocation, and capex treatment. Each check produces a finding with a quantified variance and a specific lease clause citation, which is the standard evidence format for audit workpapers.
How should an internal audit team document CAM overcharge findings?
Internal audit findings documentation should include: (1) condition: the amount billed and the specific reconciliation line item; (2) criteria: the lease provision that establishes the correct billing methodology; (3) cause: why the overcharge occurred (calculation error, miscategorization, or deliberate methodology choice); (4) effect: the dollar amount of the variance and the exposure period; and (5) recommendation: a credit request, lease amendment discussion, or future reconciliation monitoring procedure. CAMAudit output provides the condition and criteria elements; the auditor documents cause, effect, and recommendation.
What is the IIA position on contract compliance auditing as a core internal audit activity?
The IIA Standards, specifically Standard 2100 (Nature of Work), define internal audit scope to include evaluating and contributing to the improvement of risk management, control, and governance processes. Contract compliance audit is explicitly within this scope: verifying that vendor and landlord billing conforms to executed contract terms is a controls evaluation. CAM reconciliation audit is contract compliance audit applied to the lease obligation.
How should CAM audit be prioritized within an internal audit risk universe?
Priority is driven by materiality and control risk. Locations with annual CAM exposure above $50,000 are material for most mid-size companies. Locations where prior audits have not been performed for 3 or more years have elevated control risk because errors accumulate. Locations where the landlord is a large REIT or institutional owner that manages thousands of tenants simultaneously present elevated systematic billing risk. A risk scoring matrix using these three factors identifies the highest-priority locations for annual audit coverage.
Can internal audit use CAMAudit as a substantive test tool rather than a reliance tool?
Yes. CAMAudit outputs quantified variances with lease citations, which is substantive test evidence rather than control reliance evidence. The internal auditor uses the CAMAudit findings as primary audit evidence (condition and criteria), then performs additional procedures to assess cause, evaluate materiality, and draft the recommendation. CAMAudit does not replace professional judgment; it automates the document-intensive detection step so the auditor can focus on the higher-judgment elements of the finding.