Download Audit Planning and Conduct: A Guide for Citywide Risk Assessment and Requested Audits and more Study notes Auditing in PDF only on Docsity!
Section 5
Audit Process: Audit Planning To Fieldwork
Section 5 documents how the Office of the City Auditor complies with standards related to reasonable assurance, significance, audit risk, and planning. This section provides guidance on the how to apply those standards in conducting audits based on the Citywide Risk Assessment model or requested audits. Specifically, this section will cover the initial planning phase of the audit (preliminary survey) that begins with start the audit, preliminary survey and risk assessment, and development of the audit program. The purpose of audit planning process is to generate information and ideas to better understand the audit subject, determine the audit objective, and to develop the audit field work program. Planning also involves estimating the time and resources necessary to complete the audit. The evidence gathered in background research and later fieldwork is documented in the working papers. Key outputs of audit planning include an audit planning memorandum; audit scope statement; risk and vulnerability assessment document; and field work audit program.
AUDIT PLANNING PROCESS
The audit planning process can be divided into the following three phases: 1) starting the project, 2) preliminary survey (planning the audit and conducting risk assessment), and 3) developing the audit program. These steps are followed by fieldwork and reporting. Details of each of the steps are noted below:
Audit Start
o City Auditor assigns staff to audit.
o City Auditor and audit team hold a project initiation and expectation meeting.
o Job start letter sent to agency or department director.
o If requested audit, Audit staff research audit topic-program, policy, or agency.
o Conduct entrance conference with agency.
Preliminary Survey & Risk Assessment
o Obtain and review relevant background documents.
o Define audit scope.
o Assess risk: understand program and significance; identify major threats; consider management controls to mitigate threats; and complete vulnerability assessment through rating internal controls and assessing threat levels.
o Identify sources and reliability of evidence.
o Assess staffing and resources for the audit.
Audit Program Development
o In-charge drafts field work audit program to include the audit plan and the workplan that details specific tasks for meeting the audit objectives.
o City Auditor approves the Audit Program.
Fieldwork
o Fieldwork conducted.
o Audit Finding Development.
o Report Draft.
PRELIMINARY SURVEY—Audit Planning and Risk Assessment
Obtain and Review Relevant Background Information
Once an entrance conference has been held, the in-charge auditor obtains and reviews relevant information related to the audit request. This may include obtaining information regarding the auditee’s mission, goals and objectives, organizational structure, policies and procedures, processes, resources, outputs, and outcomes. The auditor’s goal is to understand the program to be audited and to finalize the audit objectives. To accomplish these tasks, auditors should undertake a preliminary audit program to do the following:
- Review any resolution, committee and Independent Budget Analyst reports, testimony, and other pertinent documents, such as committee hearing notes and reports relating to the audit subject;
- Review the City Charter, ordinances, contracts, grant agreements, program memoranda, annual reports, recent budget requests, testimony, internal reports, policy and procedure manuals, and organizational charts relating to the audit subject;
- Review relevant literature, including identifying criteria and related audits conducted by other local government auditors;
- Interview agency staff;
- Review agency files and key memorandums and reports related to the audit;
- Observe and document agency activities related to the audit;
- Review the results of previous audits and attestation engagements that directly relate to the current audit objectives. Preliminary information about agency operations is gathered expediently and should be relevant to the audit topic. The key objective is to understand completely and competently the key issues of the program or entity being audited. After obtaining and reviewing the relevant background information has been, the
auditor should write an Audit Planning Memorandum that summarizes key audit topic information
and potential audit scope. It should help define the audit scope by establishing key audit questions to answer, identifying potential sources of evidence. This process is intended to keep the planning process to a minimum by focusing on what we are going to do, why we are going to do it, and how we are going to do it. If done properly, the scoping work will help the team focus its risk assessment work around the tentative
scope, methodology and objectives of the audit. A meeting will be held to review and approve the Audit
Planning Memorandum. The memorandum is reviewed by the Audit Manager and City Auditor.
Risk Assessment
Once the scoping statement is completed, auditors need to identify and assess the risks associated with the agency, program, or policy under audit. The purpose of risk assessment is to identify and rate the threats facing the program or agency under audit, identify and assess the controls or procedures in place to prevent or mitigate such threats, and perform a vulnerability assessment of the audit risks and controls.
Purpose
- To identify the threats facing the program or contract under audit; identify the controls or procedures the City has in place to prevent, eliminate or minimize the threats.
- To identify the threats facing the program or contract under audit; identify the controls or procedures the City has in place to prevent, eliminate or minimize the threats. To determine the probability that noncompliance and abuse, which is individually or in the aggregate material, could
occur and not be prevented or detected in a timely manner by the internal controls in place; assess the internal control structure in accordance with SAS 55.
To develop audit procedures to see if the controls or procedures the City has in place to prevent, eliminate, or minimize identified threats are working; determine if additional audit procedures are necessary to document threats actually occurring.
The rationale for conducting a risk assessment is that auditors can limit testing and focus on those areas most vulnerable to noncompliance and abuse. This produces a more cost-effective and timely audit. In conducting a risk assessment, the auditor:
- Identifies the threats associated with the area or activity under review;
- Determines the inherent risk associated with the identified threats; and
- Assesses whether the existing internal controls will prevent, detect, or correct instances when threats actually occur.
The extent of audit testing is directly related to an assessment of the activity's degree of vulnerability. The higher the vulnerability, the more extensive the audit testing needs to be and vice versa. Thus, even though an activity may have a high degree of inherent risk, a strong system of internal controls can reduce the entity's exposure to a low or moderate level. Accordingly, the need to conduct detailed audit tests could be reduced to an appropriate level
The risk assessment work should be documented in the audit working papers. This assessment should serve as the foundation for the developing the detailed audit steps and tests to be performed in the Audit Program. The risk assessment should be documented in a completed risk matrix and relevant to the audit objectives. Auditors must perform the following steps.
Risk Assessment Audit Steps
- Based on information gathered in the Audit Planning Memorandum, prepare a tentative list of threats for the major audit objectives. If computer processed data is an important or integral part of the audit and the reliability of the data is crucial to accomplishing audit objectives, the auditor should include threats to computer processed data in this list. Auditors must consider the following factors. o Assess the risk that abuse or illegal acts could occur and materially impact the auditee’s compliance with laws, rules, or regulations or have a material effect on the auditee’s operations. Consider whether the auditee has controls that are effective in preventing or detecting illegal acts. See Section 10 for specific guidance. o If computer systems or computer-processed data are included as threats or as controls above, consult with the project supervisor to determine the need for EDP audit assistance. o Identify material and significant findings and recommendations from previous reports issued by the office on the agency or program that may require follow-up in the current project. An auditee’s failure to rectify outstanding issues and implement previous recommendations are considered threats.
- Meet with audit management to review the list of potential threats and include any additional threats to the list. Auditors may send this information to the auditee prior to the meeting. At the same meeting, auditors must document management’s internal controls (actual or potential controls) to mitigate the identified threats.
Threat Inherent Risk and Internal Control Rating Guide
The threat’s inherent risk is (^) if
The internal control is (^) If
HIGH
- Noncompliance or abuse may result in significant losses to the City of marketable assets (e.g., cash, securities, equipment, tools, supplies).
- Noncompliance or abuse will likely expose the City to adverse criticism in the eyes of its citizens.
- Incentives of noncompliance or abuse outweigh the potential penalties.
WEAK
- Management and/or staff demonstrate an uncooperative or uncaring attitude with regard to compliance, recordkeeping, or external review.
- Prior audits or the preliminary survey has disclosed significant problems.
- The Risk Matrix reveals that adequate and/or sufficient internal control techniques are not in place.
- Documentation of procedures is lacking or of little use.
MODERATE
- Noncompliance or abuse my result in moderate losses to the City of marketable assets (e.g., cash, securities, equipment, tools, supplies).
- Noncompliance or abuse will result in inefficient operations or substandard service to the citizens.
- Incentives of noncompliance or abuse are approximately equal to the potential penalties.
ADEQUATE
- Management and staff demonstrate a cooperative attitude with regard to compliance, recordkeeping, and external review.
- Prior audits or the preliminary survey has disclosed some problems but management has implemented remedial action and has satisfactorily responded to audit recommendations.
- The Risk Matrix reveals that adequate and/or sufficient internal control techniques are in place.
- Although deficient or outdated, documentation of procedures is still useful or can easily be updated.
LOW
- Noncompliance or abuse may result in low losses to the City of marketable assets (e.g., cash, securities, equipment, tools, supplies).
- Noncompliance or abuse will result in a disregard of an administrative procedure or authoritative standard.
- The potential penalties outweigh the incentives of noncompliance or abuse
STRONG
- Management and staff demonstrate a constructive attitude, including an eagerness to anticipate and forestall problems.
- Prior audits and the preliminary survey have not disclosed any problems.
- The Risk Matrix reveals that numerous and effective internal control techniques are in place.
- Procedures are well documented.
Vulnerability Assessment and Testing Extent
Inherent Risk Internal Controls
Vulnerability and Testing Extent
High
Weak Adequate Strong
High Moderate to High Low to moderate
Moderate
Weak Adequate Strong
Moderate to High Moderate Low
Low
Weak Adequate Strong
Low to moderate Low Very low
AUDIT PROGRAM DEVELOPMENT
Field Work Audit Program
Based on the results of the scope review, preliminary survey, and risk assessment, the auditor develops an audit program that consists of the audit objectives, scope, methodology, and related concerns. The audit program includes audit steps, tasks, and procedures to test if the identified controls or procedures the audited entity has in place to prevent, eliminate, or minimize identified threats are working as intended. The Audit Manager reviews the audit program and the City Auditor approves the document.
Auditors should follow the Audit Procedure Guidelines listed below in developing the specific audit steps listed in the audit program. Specifically, based on the risk and vulnerability assessment, the in-charge auditor will write the audit program to determine if the controls or procedures the audited entity has in place to prevent, eliminate, or minimize identified threats are working as intended. As the audit progress, the audit staff should document the key decisions about the audit objectives, scope, and methodology.
The Audit Program guides audit staff through the steps necessary to complete audit fieldwork. In fieldwork, auditors obtain and analyze program data and information to determine if the identified controls are working as intended. This is accomplished by completing the audit steps identified in the Audit Program. Audit steps may include interviewing officials, reviewing documents (e.g. internal memoranda, correspondence, reports, minutes, contracts), and gathering statistical data through database searches, analysis of secondary data sources, and surveys. The audit field work objective is to develop audit findings. The Audit Program template found in MKInsight will be used to document the planned audit steps.
Variations of audit programs
In certain instances, the need may arise to make modifications to the audit program to address expanded audit scope or to address new audit issues. The City Auditor will approve any significant departures from the Audit Program. Minor changes such as extensions of internal deadlines do not require formal approval by the City Auditor.
Auditors should extend audit procedures when there are indications that fraud or abuse significant to the audit objectives may have occurred. Auditors should document in the working papers and audit program when audit procedures are extended. If the potential fraud is not significant to the audit objectives, auditors may conduct additional work as a separate engagement or refer the matter to other parties with oversight responsibility. In fraud-related situations, our policy will be not to interfere with legal proceedings or investigations.
Developing Preliminary Findings Audit findings must contain condition, criteria, cause, effect, and recommendations. However, the elements needed for a finding depend entirely on the objectives of the audit. A finding or set of findings is complete to the extent that the audit objectives are satisfied and the report clearly relates those objectives to the finding’s elements. For each audit finding, a Finding Development Worksheet should be completed in MKInsight as shown below.
Condition What is? The situation that exists and has been documented during the audit.
Criteria What should be! The standards used to determine whether a program meets or exceeds expectations. Criteria provide a context for understanding the results of the audit. The audit plan, where possible, should state the criteria to be used. Criteria should be reasonable, attainable, and relevant to the matters being audited.
Effect The difference between the condition and criteria. What is the impact (actual or potential) in services, dollars, or people resulting from the stated condition. The harm that could occur from the condition.
Cause Who or how the problem or non-compliance with the criteria occurred.
Recommendations Specific actions that will rectify the cause of the condition.
Based on assessment of the information gained, auditors should determine the type and amount of evidence needed to obtain sufficient, appropriate evidence to address the audit objectives. Throughout the course of the audit, the in-charge auditor, Audit Manager, and City Auditor should discuss proposed findings. When all of the elements of a finding have been met and audit work completed, the staff should present to the Supervisor a report outline including the above elements. The City Auditor will review and comment on the outline, make suggestions and then approve the development of a report draft. The auditor should follow the guidance provided in the attachment to Section 7 for writing the report. When auditors conclude that sufficient, appropriate evidence is not available, auditors should evaluate whether internal control or other program weaknesses are the cause.
Auditors must obtain sufficient, appropriate evidence to provide a reasonable basis for their findings and conclusions. Sufficiency refers to the amount of evidence gathered and presented. Appropriateness refers to the quality of evidence including its relevance to the audit objectives, reliability and validity. Auditors should evaluate whether the evidence taken as a whole is sufficient and appropriate for addressing the audit objectives and supporting findings and conclusions. Auditors should document their assessment. The specific steps to assess evidence will depend on the nature of the evidence, how it is used in the audit and the audit objectives. When auditors identify limitations or uncertainties in evidence that is significant to the audit findings and conclusions, auditors should apply additional procedures to strengthen the evidence, redefine the audit objectives or scope to eliminate the need to use the evidence, or revise the findings and conclusions such that supporting evidence is sufficient and appropriate.
Audit Manual Section 6 covers the Office of the City Auditor’s policy regarding audit evidence. Section 6 addresses elements critical to a successful fieldwork process including types and tests of evidence, conducting interviews, audit sampling, preparation of audit working papers, securing and disclosing working papers, testing for compliance, and developing preliminary findings.
CITY OF SAN DIEGO
OFFICE OF THE CITY AUDITOR
AUDIT PROCEDURES GUIDELINES
There are many types of audit procedures which can be used to test transactions or processes. The audit objective determines the type of procedure to be used. The auditor must judge the evidence obtained through the audit procedures to make conclusions for each audit objective. The evaluation process requires professional judgment in determining the adequacy, efficiency, economy and effectiveness of what has been audited. Care must be taken in selecting the correct procedure to achieve the audit objective. The audit risks include: selecting an improper audit procedure, executing the procedure incorrectly, and incorrect evaluations.
The following general types of audit procedures are discussed below: Verification, Observation, Inquiry, and Analysis.
A. Verification
Verification is the confirmation of things such as: Assets; Records; Statements; Documents; Compliance with laws and regulations; effectiveness of internal controls; transactions; and processes. The purpose of verification is to establish the accuracy, reliability or validity of something. Following is a discussion of types of verification techniques:
- Count: An auditor will use this technique to verify the accounting records of a physical asset by physically counting the assets.
- Compare: An auditor will identify similar and/or different characteristics of information from two or more sources. Types of comparison include: (a) Comparison with prescribed standards; (b) Comparison of current operations with past or similar operations; (c) Comparison with written policies and procedures; (d) Comparison with laws or regulations; and (e) Comparison with other reasonable criteria.
Specific examples are:
- To compare a law requiring that a percentage of taxes will be used for a particular program with the accounting records showing the amount of taxes and how much was spent on the program.
- To compare the documentation of a transaction with the procedure for the transaction.
- Examine: To look something over carefully, such as a document, especially for the purpose of detecting flaws or irregularities. For example, an auditor may examine a document to verify that it has been executed by authorized persons.
- Inspect: To look something over carefully, such as a physical asset, especially for the purpose of detecting flaws or irregularities. For example, an auditor may inspect inventory to verify quality.
- Foot: To recompute the mathematical result of addition or subtraction of columns or rows of numbers in documents or records.
- Recompute: To check mathematical computations performed by others.
- Reconcile: The process of matching two independent sets of records and to show mathematically, with supporting documentation, the difference between the two records. For example, the beginning and ending balances in an account could be reconciled to document the transactions that account for the changes between the beginning and the end.
- Confirm: To obtain information from an independent source (third party) for the purpose of verifying information.
- Vouch: To verify recorded transactions or amounts by examining supporting documents. In vouching, the direction of testing is from the recorded item to supporting documentation. The purpose for vouching is to verify that recorded transactions represent actual transactions.
- Trace: Tracing procedures begin with the original documents and are followed through the processing cycles into summary accounting records. In tracing, the direction of testing is from supporting documentation to the recorded item. The purpose of tracing is to verify that all actual transactions have been recorded.
B. Observation
Observation is auditors seeing with a purpose, making mental notes and using judgment to measure what they see against standards in their minds. Experienced auditors may be better able to observe deviations from the norm. Observed deviations usually require confirmation through analysis or corroboration. Types of deficient conditions which can be observed include:
- Idle personnel, equipment, or facilities;
- Security violations;
- Dangerous conditions or safety violations; and
- Backlogs.
C. Inquiry
Auditors perform interviews with the auditee and related parties throughout the audit. Good oral communication skills on the part of the auditor assist in getting accurate and meaningful information from the interviewee. Auditors should use open-ended questions when possible. Depending on the type of information received in an interview, it may need to be confirmed through documentation.
D. Analysis
Analysis is the separation of an entity for the purpose of studying the individual parts of data. The elements of the entity can be isolated, identified, quantified, and measured. The quantification may require the auditor to perform detailed calculations and computations. Furthermore, the auditor can document ratios and trends, make comparisons and isolate unusual transactions or conditions.
