Internal Auditing: The Inside Story

1
Internal AuditingThe Inside Story

• Presented by Sheila M. Roberts, CPA, CIA
• Orange County Comptroller
• County Audit Division
• May 20, 2008

2
Generally Accepted Government Auditing Standards
2007 Yellow Book

• 1.20 GAGAS requirements apply to the types of
  audit and attestation engagements that may be
  performed under GAGAS as follows
• Financial audits chapters 1 through 5 apply.
• b. Attestation engagements chapters 1 through 3
  and 6 apply.
• c. Performance audits chapters 1 through 3 and
• 7 and 8 apply.

3
Applicable Standards

• AICPA Statements on Auditing Standards (SAS) and
  Statements on Standards for Attestation
  Engagements (SSAE)
• YB 1.16 For performance audits, auditors may use
  other professional standards in conjunction with
  GAGAS, such as the following
• International Standards for the Professional
  Practice of Internal Auditing, The Institute of
  Internal Auditors, Inc.
• Guiding Principles for Evaluators, American
  Evaluation Association
• The Program Evaluation Standards, Joint Committee
  on Standards for Education Evaluation and
• Standards for Educational and Psychological
  Testing, American Psychological Association.

4
General Standards

• Yellow Book Chapter 3
• Independence
• Professional Judgment
• Competence
• Quality Control and Assurance

5
Performance Audit Objectives

• 1.28 Performance audit objectives may vary widely
  and include assessments of program effectiveness,
  economy, and efficiency internal control
  compliance and prospective analyses. These
  overall objectives are not mutually exclusive.
  Thus, a performance audit may have more than one
  overall objective. For example, a performance
  audit with an initial objective of program
  effectiveness may also involve an underlying
  objective of evaluating internal controls to
  determine the reasons for a programs lack of
  effectiveness or how effectiveness can be
  improved.

6
Objectives

• Examples of audit objectives related to internal
  control include an assessment of the extent to
  which internal control provides reasonable
  assurance about whether
• Organizational missions, goals, and objectives
  are achieved effectively and efficiently
• Resources are used in compliance with laws,
  regulations, or other requirements
• Resources, including sensitive information
  accessed or stored outside the organizations
  physical perimeter, are safeguarded against
  unauthorized acquisition, use, or disposition
• Management information, such as performance
  measures, and public reports are complete,
  accurate, and consistent to support performance
  and decision making
• The integrity of information from computerized
  systems is achieved and
• Contingency planning for information systems
  provides essential back-up to prevent unwarranted
  disruption of the activities and functions that
  the systems support.

7
Performance Effectiveness

• 1.29 Program effectiveness and results audit
  objectives are frequently interrelated with
  economy and efficiency objectives. Audit
  objectives that focus on program effectiveness
  and results typically measure the extent to which
  a program is achieving its goals and objectives.
  Audit objectives that focus on economy and
  efficiency address the costs and resources used
  to achieve program results.

8
Examples of Performance Audit Objectives

• Assessing the extent to which legislative,
  regulatory, or organizational goals and
  objectives are being achieved
• Assessing the relative ability of alternative
  approaches to yield better program performance or
  eliminate factors that inhibit program
  effectiveness
• Analyzing the relative cost-effectiveness of a
  program or activity
• Determining whether a program produced intended
  results or produced results that were not
  consistent with the programs objectives
• Determining the current status or condition of
  program operations or progress in implementing
  legislative requirements

9
Examples of Performance Audit Objectives

• Determining whether a program provides equitable
  access to or distribution of public resources
  within the context of statutory parameters
• Assessing the extent to which programs duplicate,
  overlap, or conflict with other related programs
• Evaluating whether the audited entity is
  following sound procurement practices
• Assessing the reliability, validity, or relevance
  of performance measures concerning program
  effectiveness and results, or economy and
  efficiency
• Assessing the reliability, validity, or relevance
  of financial information related to the
  performance of a program

10
Examples of Performance Audit Objectives

• Determining whether government resources (inputs)
  are obtained at reasonable costs while meeting
  timeliness and quality considerations
• Determining whether appropriate value was
  obtained based on the cost or amount paid or
  based on the amount of revenue received
• Determining whether government services and
  benefits are accessible to those individuals who
  have a right to access those services and
  benefits
• Determining whether fees assessed cover costs
• Determining whether and how the programs unit
  costs can be decreased or its productivity
  increased and
• Assessing the reliability, validity, or relevance
  of budget proposals or budget requests to assist
  legislatures in the budget process.

11

• WHAT ARE WE GOING TO LOOK AT?
• WHY ARE WE LOOKING AT IT?

12
(No Transcript)
13
Entrance Conference

• Explanation of audit process
• Request for basic information we will need in our
  survey
• Request for auditor liaison
• Request for housing and connectivity

14
Survey

• Finding answers to
• Whats going on?
• When is it happing?
• Whos doing what when?
• How is it being done?
• Why is it being done?
• Should it be done?

15
Survey

• How to get the answers
• Inquiry and observation
• Performing a walk-through of the clients
  accounting system (or any other system) to gain
  an understanding of how transactions are
  processed
• Review of other external audit reports and
  management letters
• Review of reports produced by the entity
• Review of Board Minutes
• Review of Policies and Procedures Manuals
• Researching other peer organizations operations,
  policies and best practices.

16
Example of Internal Control Analysis
17
Risk Analysis

• Uses the results of survey information
• Brainstorming
• It documents the methodical assessment of areas
  to be included in the review
• Shapes the audit plan and audit programs

18
What goes into a Risk Assessment?

• Definition descriptions of functional areas of
  the entity under review.
• Identify possible adverse events/situations that
  may effect the functional area.
• Identify internal control weaknesses that would
  effect or cause the situation to occur.
• Identify compensating controls that may exist to
  mitigate the risk, prevent the situation from
  occurring or detecting any occurrence.

19
What goes into a Risk Assessment?

• Determining the likelihood that a negative event
  may occur.
• Determining the consequence of an adverse event
  occurring.
• Determining the level of risk.
• Determining the audit test objectives and the
  tests needed to verify recorded performance and
  operations, to detect exceptions, and identify
  trends.

20
Occurrence of Risk Matrix
21
Consequence of Risk Matrix
22
RISK ANALYSIS MATRIX
23
Example of Risk Matrix
Taken from a Contract Performance Audit
24
Fieldwork

• Test Objective
• What are we trying to determine?
• What are we trying to validate, verify, or
  account for?
• Test Criteria
• What is the authority, policy, and/or procedure?
• What is the best practice or benchmark?

25
Testing and Sampling -

• SAS 39 does not require specific documentation
  of audit sampling applications, However, the
  following are examples of items the auditor
  should consider documenting for audit sampling in
  either a test of controls or for a substantive
  test of details.

26

• Test of Controls
• Description of prescribed control being tested
• Objectives of the test
• Definition of the population and the sampling
  unit
• Definition of an exception
• Method of sample size determination
• Method of sample selection
• Evaluation of the sample and a summary of the
  overall conclusion

• Substantive Tests of Details
• Objectives of the test and description of other
  procedures related to those objectives
• Definition of the population and the sampling
  unit
• Definition of a misstatement
• Audit sampling technique used
• A description of the performance of the sampling
  procedures and a list of misstatements identified

27
Basics for Developing Sampling Plans

• After defining the Sampling Unit, Population, and
  the Exceptions, the Auditor must decide on the
  Sample Selection Types
• Judgmental Basis
• (Auditor chooses size and items in sample with no
  set methodology)
• Interval Basis
• Stratified Basis
• (Population grouped by characteristics)
• Random Basis
• (Each item has an equal chance of being selected
  from the total population based on a random
  number generator and a reference formula to the
  total population)

28
Basics for Developing Sampling Plans

• Was the test objective appropriate?
• Were the population and sampling unit defined
  appropriately for the test objective?
• Were exceptions, misstatements, or deviations
  defined appropriately?
• Were tests performed to provide reasonable
  assurance that the sample was selected from the
  appropriate population?

29
Basics for Developing Sampling Plans

• Did the design of the sampling application
  provide for an appropriate risk level?
• If additional substantive tests were planned in
  designing the sampling procedure, did these tests
  support the assertions about the transactions
  beings tested?
• Were planned procedures applied to all sample
  items? If not were unexamined items considered
  in the evaluation?

30
Basics for Developing Sampling Plans

• Were all deviations or misstatements discovered
  properly evaluated?
• If the test was a test of controls, did it
  support the planned assessed level of control
  risk? If not, were related substantive tests
  appropriately modified?
• If the test was a substantive test, did it
  support the account balance? If not, were
  appropriate steps taken?
• Was the audit objective of the test met?

31
Sampling Models
32
Sampling Models
33
Conclusions from Sampling Models
34
(No Transcript)
35
(No Transcript)
36
(No Transcript)
37
(No Transcript)
38
Finding Sheets a.k.a. Creating the Recommendation

• Condition (description of the exception and
  circumstance)
• Criteria (laws, rules, regulations, policy,
  procedures, guidelines, performance measures, and
  best practices used in comparison to actual)
• Cause (what allowed the condition to occur,
  exist, or continue)
• Effect (consider operational and performance
  control, service, safety and monetary aspects of
  the condition)
• Recommendation (what actions can management take
  to prevent, detect and/or correct the condition
  in the future)

39
Communicating Results

• Dont be afraid to ask the auditors what is the
  objective of the test.
• Keep the liaison and management involved and
  informed.
• Attend the pre-exit.
• It is the auditors opportunity to present the
  exceptions and recommendations
• It is managements opportunity to discuss the
  recommendation in detail and to provide
  additional input
• Alternative actions that management is willing to
  take.

40
Writing the Report

• Auditors Logic
• What is the control?
• How should it be tested?
• How well is the control working?
• What exceptions or weaknesses exist?
• What should be done?

• Readers Logic
• What are the results?
• What and how big are the problems?
• Why does it matter?
• How did it happen?
• What has been done or will be done to correct
  this?

41
Managements Response

• Clearly state do you agree, disagree, or
  partially agree with the recommendation.
• Provide a brief description of the action that
  has or will be taken to implement the
  recommendation.
• Provide information on why you disagree or why
  the recommendation is not possible to implement.

42
Public Records Law 119.07, (6) F.S.

• (6)  An exemption contained in this chapter or in
  any other general or special law shall not limit
  the access of the Auditor General, the Office of
  Program Policy Analysis and Government
  Accountability, or any state, county, municipal,
  university, board of community college, school
  district, or special district internal auditor to
  public records when such person states in writing
  that such records are needed for a properly
  authorized audit, examination, or investigation.
  Such person shall maintain the exempt or
  confidential status of that public record and
  shall be subject to the same penalties as the
  custodian of that record for public disclosure of
  such record.

43
119.0713  Local government agency exemptions
from inspection or copying of public records

• (3)  The audit report of an internal auditor
  prepared for or on behalf of a unit of local
  government becomes a public record when the audit
  becomes final. As used in this subsection, the
  term "unit of local government" means a county,
  municipality, special district, local agency,
  authority, consolidated city-county government,
  or any other local governmental body or public
  body corporate or politic authorized or created
  by general or special law. An audit becomes final
  when the audit report is presented to the unit of
  local government.

44
119.0713  Local government agency exemptions
from inspection or copying of public records.--

• Audit work papers and notes related to such audit
  report are confidential and exempt from s.
  119.07(1) and s. 24(a), Art. I of the State
  Constitution until the audit is completed and the
  audit report becomes final

45
Other Sources of Information

• Statement on Auditing Standards 39, Audit
  Sampling
• AICPA Auditing Practice Release Audit Sampling
• Handbook of Sampling for Auditing and Accounting,
  by Herbert Arkin

• 2007 Yellow Book
• (GAGAS by GAO)
• International Standards for the Professional
  Practice of Internal Auditing, The Institute of
  Internal Auditors, Inc.