Work papers are the essential evidence to support the auditor's conclusions within an audit report. They are developed to ensure workpapers present a full and complete record of work performed for each audit. The work papers must present an accurate and complete record of the work performed.

8.132 Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed; the evidence obtained; and its source and the conclusions reached, including evidence that supports the auditors’ significant judgments and conclusions.

8.133 Auditors should prepare audit documentation that contains evidence that supports the findings, conclusions, and recommendations before they issue their report.

8.134 Auditors should design the form and content of audit documentation to meet the circumstances of the particular audit. The audit documentation constitutes the principal record of the work that the auditors have performed in accordance with standards and the conclusions that the auditors have reached. The quantity, type, and content of audit documentation are a matter of the auditors’ professional judgment.

Work papers are prepared neatly, clearly and concisely. All the information in the work papers is treated as "Board Private" or in accordance with government security requirements, as appropriate. All Savannah-Chatham County Public School System private information, including work papers, programs, payroll data, etc., is always safeguarded. Proper care is taken to ensure confidential information is properly secured. Materials taken out of the offices (e.g., to functional areas) should be locked up when unattended. If it becomes necessary to release copies of work papers, all confidential and/or personally identifying information is first redacted. That information may include (but is not limited to) the following:

• Social Security numbers.
• Student identification numbers.
• Student or employee addresses and/or telephone numbers.
• Any other information that may unnecessarily indicate the identity of a student or employee of the organization.

The information may be redacted by any method deemed effective to obscure the confidential information without destroying the legibility of the entire document. The original document must remain intact as part of the work papers.

The volume of schedules and the number of work paper files will vary with the size and complexity of the examination. They should be assembled so that the primary information for final report preparation is readily accessible. Each major section of the examination should be represented by a lead schedule. The organization of these papers should flow logically from the work program to which they are cross-referenced. Work papers should be organized and prepared to bring important details to the attention of the people using and reviewing them.

Construction of all schedules, their purpose, adaptability, and underlying logic should be as consistent and uniform as feasible to facilitate orderly documentation and analysis of the accomplishment of the audit objectives.

For each work paper, or the first one in a closely related group:

1. On the first page of each work paper, include a descriptive heading that gives the title of the work paper, and the audit number.
2. Use the label “Source:” to identify the source of the information.
3. Use the label “Purpose:” to show the purpose of the work paper; the purpose can then be described with a narrative (ex. To document procedures for ….; To list all paid invoices and provide a basis for selecting transactions to test; To record the results of tests of …; To record the results of interview with … concerning….; To complete audit step B.4.1; etc.).
4.  In each case, the purpose should derive from an audit step in the program or from a conclusion drawn on a work paper that was in turn derived from an audit step, etc.
5. Generally, Purpose, Source should be on the first page of the work paper.
6. Reference statements of fact or citations of conditions in the first draft report back to the supporting work papers. Major revisions to the draft might need re-indexing.
7. In the upper right-hand corner of the first page of each set of workpapers, include the initials of the preparer, the date of preparation, audit number assigned in the timekeeping system, the work paper number, the page number and the total number of pages there are in the set of work papers. Subsequent workpapers should keep the work paper number page number and the total number of pages there are in the set of workpapers.

The work papers must be indexed during the course of the work in such a manner that any analysis, or any section of the examination, may be found quickly. Each schedule should have an index letter and/or number consistently located to facilitate reference.

While no specific indexing format is required, complexity of referencing and cross-referencing requires particular care in assigning numbers.

A standardized index should be prepared to serve as the Table of Contents. Each section of work papers is to be designated by a letter of the alphabet in ascending sequence. Letters A-E are reserved for the five required sections as indicated below:

1. Audit Reports (Final, Draft, and related correspondence)
2. Planning and Supervision
3. Assignment Administration
4. Preliminary Survey
5. Audit Program
6. , G., H., etc. Should be used for major segments of the audit as indicated by the Audit Program.

Effective audits depend heavily on testing and sampling. It is imperative that the work papers clearly indicate the reasons behind decisions for testing certain types or groups of transactions, the period selected for testing, and the extent of all tests. For example, in a judgmental sample, if certain months are selected for testing transactions, the work papers should outline the basis of and reasons for selecting these months. Data concerning the volume of transactions and other information considered in determining sample sizes should also be included.

When an audit step is performed repetitively on data included in the body of a schedule, tick marks are to be used to identify the work performed. For example, a series of amounts listed as being expense reimbursements to employees may be traced to properly approved expense reports, supported by paid hotel bills, etc. Rather than write this description after each amount, a "tick mark" is selected, explained once at the bottom of the schedule, and used after each amount to indicate that the audit step has been satisfactorily completed. Tick marks should be used to facilitate review of the work papers.

Tick marks may vary throughout the work papers as necessary to indicate work done. They should be simple and distinctive. The use of too many tick marks on a single schedule is confusing and should be avoided. Coded references, such as circled numbers, can be used to reduce the need for intricately designed tick marks. If the same tick marks are to be used on a series of schedules, they may be repeated. Otherwise, all tick marks must be clearly explained on every sheet where they appear.

In some instances, it may be appropriate to use standard tick marks for a whole section of the work papers. They must be recorded in such a way that anyone reviewing the papers may have the tick marks in front of him/her.

Work paper notes made by auditors may vary widely in complexity. This requires flexibility, but all notes should comply with the following general principles:

1. They must be clear, concise, and understandable. Extraneous phone numbers, names and comments in the left margin or in other portions of the work papers that are not clearly tied to factual information, opinions, or conclusions are not to be included in the work papers.
2. They must indicate the sources of all information and the names and positions of any employees whose opinions are quoted.
3. They must reach a conclusion. Under no circumstances should open questions remain in the papers, either in the form of a (?) on the schedule or of a note which doesn't clearly state the writer's opinion.
4. Notes appearing in the work papers must be consistent. Any inconsistencies noted by the reviewer must be reconciled and corrected.
5.  Explanatory information must be added to the work papers in those instances where conclusions drawn, or recommendations documented have changed. This may happen as a result of new information or evidence that has surfaced from the time of the initial recording to the acceptance of the function's corrective action response.
6. If a conclusion is changed by the auditor for any reason, the note must be amplified so that the revised conclusion is adequately supported. A notation such as an "O.K.," "No," or 'Too Small" besides the comments is not sufficient.

The completed work papers for each section of an examination must contain a conclusion or an opinion based on the work done. It should be worded in a manner which clearly indicates that the auditor understood the objective of his tests. Work papers must include comments as to the effect of findings developed during the examination. The conclusion or opinion should reflect these observations.

A conclusion or opinion must be responsive to the audit objectives and may refer to but should not repeat the detailed procedures in the audit program or a summary statement of internal controls. If the tests disclose errors, the effect of these errors must be weighed in stating an opinion. The opinion of the writer as the propriety of the account or adequacy of procedures being evaluated should be clearly stated.

A brief statement as to the basis for the conclusion or opinion is also appropriate. This statement should relate the opinion reached to the audit work that was done. For example, "Based upon the detailed testing performed in accordance with the attached program it is my opinion that . . .”

When all the evidence pertinent to the conclusion or opinion is not contained in the work papers, specific reference must be documented in the work papers as to where it can be found.

Care should be exercised not to draw conclusions or express opinions or make comments beyond the scope of competence and responsibility. If the auditor encounters situations where a system or function that he/she is evaluating involves a technical knowledge that goes beyond his/her area of expertise, he/she should arrange, if appropriate, the assistance of personnel who have this technical background.

Reference numbers are necessary for referencing information between schedules. Work papers are structured to carry data forward from detail supporting documentation to summary documentation.

Auditors should consider internal control deficiencies in their evaluation of identified findings when developing the cause element of the identified findings when internal control is significant to the audit objectives.

Audit findings are pertinent statements of fact and emerge by comparing what should be with what exists. They should include the following components:

• Criteria, or what should be;
• Condition, or what is;
• Cause, the reason for the difference between criteria and condition;
• Effect, the impact of the difference on operations, or the risk or exposure created by the difference; and
• Recommendations, which are the steps that should be taken to eliminate the cause and/or remove or reduce the impact or risk.

Generally, a finding involves observations of the following:

• A deviation from established company policy or practice;
• An error in the performance of a corporate procedure;
• A deviation from relevant laws or regulations;
• An unusual item considering the nature of the business;
• An item that could be accomplished more efficiently or effectively; or
• An instance where goals or objectives may not be achieved.

Findings must be adequately documented in work papers. They should be written up as part of the summary and should contain:

• A one-way reference to the supporting documentation included in the work papers;
• A clear, concise description of the exception;
• A determination of whether the exception is the result of a weakness in internal controls;
• A thorough and complete recommendation and a disposition regarding audit scope and final report.

The Reportable Issue Form (if applicable) provides a useful tool for collecting information that may be reported and for ensuring that all necessary elements are identified. Reportable Issue Forms must be referenced to the supporting work papers. Whenever possible, include a brief summary of management’s response (verbal or written) when informed of the condition.

Work papers are to be reviewed by the Auditor in Charge or the Senior Director, Internal Audit, who should prepare review notes. The notes represent a reviewer's critical comments on the adequate completion of the audit work. The reviewer should provide their evidence review by initialing each work paper, usually near the preparer’s initials.

It is essential that the review be completed as soon as possible after the work papers are completed. A current review enables the reviewer to evaluate the work to ensure that:

1. The program reaches the planned objectives in a timely manner.
2. All necessary audit steps have been programmed and carried out.
3. Internal control has been adequately evaluated.
4. All internal control weaknesses and strengths are directly correlated with extensions of audit scope or reasons why scope extensions were not considered necessary -- each weakness should also be included to facilitate writing the report.
5. Each schedule indicates the source of information.
6. Each schedule accomplishes its intended purpose.
7. Explanations and opinions are clear and concise.
8. Programs and schedules have been properly initialed and tick marks properly placed.
9. All opinions are adequately supported and documented.
10. Program steps or schedules do not contain (i) unresolved points and (ii) statements or opinions which the reviewer believes are not in accord with the facts, or not well founded, or are otherwise inappropriate;
11. Important points are summarized.

In reviewing work papers, it is usually necessary to prepare review notes as a list of those items that, in the reviewer's opinion, (i) require additional work or documentation; (ii) need clarification; (iii) will serve as a teaching device for the auditor; or (iv) are to be followed up at a later time. The list should be discussed with the auditor and then given to him/her with the work papers for appropriate action.

The auditor should “clear” the review notes and if necessary, indicate comprehensively and clearly what was done to clear them. If needed, this can be shown either by a notation inserted next to each point explaining what has been done to develop the information necessary to take care of the matter adequately, or by a cross-reference to the section or sections of the work papers that satisfy the requirement. The auditor should make any necessary or requested adjustments directly to work papers.

The work papers must be reviewed, and review notes cleared prior to releasing the Audit Report.

It is essential that each member of the staff working on an audit be satisfied with the scope or extent of the specific work performed, including the attention given to indications that irregularities or deficiencies might exist. This procedure is based on the consideration that every member of the organization has not only the right, but the duty to express his or her opinion on the adequacy of the scope of an examination and the opinions reached on the basis of that examination.

Any staff member having a question or reservation along these lines has a responsibility to discuss the matter with the Senior Director, Internal Audit. Any viewpoint expressed will receive careful consideration with the objective that all points will be clarified, and the staff members are fully satisfied with the scope of the work and the report. This can be discussed in the Exit Conference with the auditor in charge of the audit.

If an auditor's point is overruled, the reviewer must be careful to state the reasons for not accepting an auditor's views. It is particularly important that such reasons be carefully thought out, accurately recorded, and properly dated.

This checklist is intended to aid Internal Audit staff members in reviewing work papers prepared by other staff members. There is no specific time requirement for such a review, but it is included as an item on our Audit Process checklist as a reminder. Work papers should be reviewed for the items listed below, and the reviewer should provide some written notes.

1. Each work paper (or the first page of a series of work papers) should contain the following:
   • Preparer’s initials;
   • Date prepared;
   • Audit number;
   • Work paper number;
   • the page number and the number of pages on the first page of an electronic workpaper and/or on each page of a non-electronic workpaper (except for large documents where no reference to a specific page number is warranted); Note: The above items should generally be added to the upper right-hand corner of the page for consistency.
   • the purpose of the work paper, referenced back to the appropriate step in the audit program, to the conclusion or results from some other work paper, or to something else that makes it clear why the step was needed (it is not necessary to restate a step from the audit program, or from another source if it is clearly stated on that source, so long as it is clearly referenced);
   • Source and/or scope to show where the information came from;
2. Computations either by human or by computer formula computation are reviewed for mathematical accuracy. Computer spreadsheets do not need to be recalculated, but some review should be done to make sure the numbers make sense.
3. The reviewer should be comfortable that what is included in the work papers makes sense in terms of the audit objectives and program and the issues that surface during the audit.

Auditors must obtain sufficient, appropriate evidence to provide a reasonable basis for addressing the audit objectives and supporting their findings and conclusions. In assessing the appropriateness of evidence, auditors should assess whether the evidence is relevant, valid, and reliable. In determining the sufficient of evidence, auditors should determine whether enough appropriate evidence exists to address the audit objectives and support the findings and conclusions to the extent that would persuade a knowledgeable person that the findings are reasonable. When auditors use information provided by officials of the audited entity as part of their evidence, they should determine what the officials of the audited entity or other auditors did to obtain assurance over the reliability of the information. Auditors should evaluate the objectivity, credibility, and reliability of testimonial evidence (GAS 8.90-8.94).

Sufficient, appropriate evidence is essential to provide a reasonable basis for an opinion and is obtained by designing and performing audit procedures or tests. Auditors must determine, based on experience and judgment, whether the evidence is "useful" evidence (appropriate) and whether "enough" useful evidence has been examined (sufficient).

Appropriateness is the measure of the quality of evidence. It encompasses the relevance, validity and reliability of the evidence. Relevant evidence is information that has a logical relationship to the issue addressed. Each piece of evidence obtained should be evaluated in terms of its usefulness for either corroborating or contradicting an assertion of compliance. The relevance of evidence is measured by the extent to which it meets that purpose.

Validity refers to the degree to which the evidence is based on sound logic or accurate information. The validity of each piece of evidence, along with its source, must be evaluated to determine its usefulness in proving or disproving an assertion.

Evidence must also be reliable if it is to be useful. Reliability refers to the consistency of results when information is tested; it assures that evidence is reasonably free from error or bias and faithfully represents what it purports to represent. The reliability of evidence is influenced by several factors:

• Independence of the source. Evidence obtained from sources outside of the function under review usually provides greater assurance of reliability than that secured within the function.
• Qualification of the source. For evidence to be reliable, it must come from people who are competent and have the qualifications to make the information free from error.
• Objectivity of the evidence. Evidence is objective if it requires little judgment to evaluate its accuracy. Evidence obtained by the Internal Audit staff by direct physical examination, observation, computation or inspection is generally more objective than evidence obtained indirectly or based on opinion.

It is essential for the auditor to ensure that all evidence obtained is reliable for the purposes for which the auditor intends to use it. When auditors identify limitations or uncertainties in evidence that are significant to the audit findings and conclusions, additional procedures should be applied, as appropriate. Additional procedures may include:

• Seeking independent, corroborating evidence from other sources.
• Redefining the audit objectives or limiting the audit scope to eliminate the need to use the evidence.
• Presenting the findings and conclusions so that the supporting evidence is sufficient and appropriate and describing the limitations or uncertainties of the evidence if such disclosure is necessary to avoid misleading users about the findings or conclusions.
• Determining whether to report the limitations or uncertainties as a finding, including any related, significant control deficiencies.

The auditor’s twofold objective is to achieve the necessary level of assurance to support the opinion and to perform the audit as efficiently as possible. In addition to considering the relevance, validity and reliability of evidence, the Internal Audit staff must also consider its availability, timeliness, and cost. Sometimes a desirable form of evidence is simply not available. Fortunately, there is usually more than one source or method of obtaining evidence. The Internal Audit staff should choose the type or methods of evidence that provide the required level of assurance at the lowest cost.

Determining the sufficiency of evidence is a question of deciding how much evidence is enough to achieve the needed level of assurance. The amount of evidence required depends in part on the thoroughness of the search for evidential matter, in part on the ability to evaluate it objectively and in part on the level of assurance necessary to support the opinion in an audit. It may be necessary to rely on evidence that is persuasive rather than convincing. In making these decisions, the Internal Audit staff should consider the risk of forming an inappropriate opinion and justify omitting any test solely because it is difficult or expensive to perform.

The sufficiency of evidence required to support the findings and conclusions is a matter of professional judgment. A large volume of evidence does not compensate for the lack of reliability, validity or relevance. The auditor should refrain from developing a conclusion until sufficient, appropriate evidence has been obtained to remove all substantial doubt

Professional judgment includes exercising reasonable care and professional skepticism. Reasonable care includes acting diligently in accordance with applicable professional standards and ethical principles. Professional skepticism is an attitude that includes a questioning mind and critical assessment of evidence. Professional skepticism includes a mindset in which auditors assume neither that management is dishonest nor of unquestioned honesty.

Auditors should determine whether other auditors have conducted, or are conducting, audits that could be relevant to the current audit objectives. If auditors use the work of other auditors, they should perform procedures that provide a sufficient basis for using that work. Auditors should obtain evidence concerning the other auditors’ qualifications and independence and should determine whether the scope, quality, and timing of the audit work performed by the other auditors can be relied on in the context of the current audit objectives.

Auditors should perform and document an overall assessment of the collective evidence used to support findings and conclusions, including the results of any specific assessments performed to conclude on the validity and reliability of specific evidence. When assessing the overall sufficiency and appropriateness of evidence, auditors should evaluate the expected significance of evidence to the audit objectives, findings, and conclusions; available corroborating evidence; and the level of audit risk. If auditors conclude that evidence is not sufficient or appropriate, they should not use such evidence as support for findings and conclusions. When the auditors identify limitations or uncertainties in evidence that is significant to the audit findings and conclusions, they should perform additional procedures, as appropriate.

The Internal Audit staff has a number of alternative procedures from which to choose in planning the examination: deciding on the nature, timing, and extent of audit tests to be performed; what procedures to perform; when to perform them; and how much testing to do. These decisions will be influenced by answers to questions such as: which will provide a higher level of assurance; which is more efficient; what are the risks?

Viewed in terms of their purpose, all auditing procedures, also referred to as "tests," can be classified as one of two types: compliance and substantive tests. Compliance tests are performed to determine how well the system of internal control is functioning. Their purpose is to provide evidence that the system of controls is operating as prescribed and complies with established policies and procedures. Substantive tests consist of tests of the details of transactions and analytical review procedures. The purpose of substantive tests is to prove the validity of an assertion or, conversely, to discover errors or discrepancies.

Although the purpose may be either to test the system of control (compliance) or to find errors or discrepancies (substantive), the same test can often serve both purposes. This is helpful in situations where the results of compliance tests indicate that the system is not working, and further tests may need to be performed to determine the extent of errors or discrepancies.

A list of possible tests that Internal Audit staff may use (but is not limited to) and whether they are normally considered compliance, substantive, or both is shown below.

Inquiry entails asking questions. The questions may be oral or written and are directed to those responsible for performing the procedure being evaluated. For example, the evaluator can familiarize himself/herself with the procedures by reading company policies, procedures, or instructions. He/she then questions those employees responsible for performing the procedures on how they do their job. The evaluator can determine if the procedures are understood and being followed by comparing the employees' answers to the questions with the procedures called for by the work instructions.

The documentation of this test is a written narrative that states that the evaluator read the procedure, questioned certain employees, and explained the nature of the questions asked and the responses received, along with the evaluator's opinion as to whether compliance was adequate.

Observation involves direct visual viewing of employees in their work environment and of other facts and events. Watching employees perform their assigned tasks can help the evaluator assess whether a procedure is operating effectively. For example, a chemical processing procedure requires that the temperature of a certain processing tank be monitored every five minutes. The evaluator can periodically observe the employee performing the task to determine if the procedure is followed. The documentation of this test is a written narrative that states that the evaluator observed certain employees on this date(s) performing the task in question for a period of time to determine that the task was being performed adequately and consistently. The same documentation would be prepared for an observation of a process or event.

Examination/inspection is usually performed on the output of a process, e.g., a part, a document, a report. The output is examined to determine that it agrees with the expected result. The techniques used may include counting, scanning, reading, scrutinizing, comparing, tracing, vouching, inspecting, and re-performing. For example, the procedure for authorizing timecards requires both the employee's and supervisor's signatures. The evaluator can take a sample of timecards and examine them for both signatures to determine that the procedure is followed.

The documentation of this test is a written summary of the output that was examined, the characteristics of the output that were examined, the nature of any exceptions noted and the evaluator's opinion as to whether compliance was adequate.

Confirmation involves obtaining a representation of a fact or condition from a third party, preferably in writing. An example is a letter from the public accountants of a bank requesting verification of the balance of the individual's account. The confirmation occurs when the individual returns the letter stating that the balance is correct or that there is an error.

The documentation of this test is the returned letter indicating the response of the third party. It is extremely important that all confirmations sent be returned with a response. Every effort should be made to ensure a high response rate.

Analytical reviews involve ratio and trend analysis. Analytical review procedures are tests of information made by studying and comparing relationships among data and trends in the data. The purpose of analytical review procedures, as they relate to gathering evidence, is to corroborate the logical interrelationships that exist among information and to identify and obtain explanations for all significant changes or abnormalities.

Examples of four general types of comparisons are:

• Comparison of current data with data for comparable prior periods;
• Comparison of current data with anticipated results, e.g., budgets and forecasts;
• Study of the relationships of elements of information that would be expected to conform to a predictable pattern based on the operating unit's experience;
• Comparison of operating unit data with similar information regarding the industry.

Analytical review procedures are usually based on the assumption that there are causal relationships among the data; this may not be the case. For this reason, auditors should be cautious in using analytical review procedures as a primary test.

Frequently a sample of items (such as transactions or files) must be selected. Generally, the selection should be designed to be representative and random (each item in the population has an equal chance of being selected). The size of the sample should be intended to provide appropriate reliability at the chosen confidence level but generally should not be less than 30. Stratification of the universe may be used to focus on the most important items.

With automated techniques and data retrieval, it is frequently possible to review much larger samples than with strictly manual approaches. Where possible, the entire universe should be tested. For example, the average number of days to process all transactions in a file may be as easy and quick to compute using automated techniques as the average number of days to process a sample of transactions selected from that file.

The nature of samples that are used to gather audit evidence should be clearly described in the scope.

It is essential for the auditor to ensure that data obtained from computer-based systems is reliable for the purposes for which the auditor intends to use it. Government Auditing Standards states:

“The effectiveness of significant internal controls frequently depends on the effectiveness of information systems controls. Thus, when obtaining an understanding of internal control significant to the audit objectives, auditors should also determine whether it is necessary to evaluate information systems controls. When information systems controls are determined to be significant to the audit objectives or when the effectiveness of significant controls depends on the effectiveness of information systems controls, auditors should then evaluate the design, implementation, and /or operating effectiveness of such controls. This evaluation includes other information systems controls that affect the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives. Auditors should determine which audit procedures related to information systems controls are needed to obtain sufficient, appropriate evidence to support the audit findings and conclusions. When evaluating information systems controls is an audit objective, auditors should test information systems controls to the extent necessary to address the audit objective.”

Work papers are the essential evidence to support the auditor's conclusions within an audit report. They are developed to ensure workpapers present a full and complete record of work performed for each audit. The work papers must present an accurate and complete record of the work performed.

8.132 Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed; the evidence obtained; and its source and the conclusions reached, including evidence that supports the auditors’ significant judgments and conclusions.

8.133 Auditors should prepare audit documentation that contains evidence that supports the findings, conclusions, and recommendations before they issue their report.

8.134 Auditors should design the form and content of audit documentation to meet the circumstances of the particular audit. The audit documentation constitutes the principal record of the work that the auditors have performed in accordance with standards and the conclusions that the auditors have reached. The quantity, type, and content of audit documentation are a matter of the auditors’ professional judgment

Work papers are prepared neatly, clearly and concisely. All the information in the work papers is treated as "Board Private" or in accordance with government security requirements, as appropriate. All Savannah-Chatham County Public School System private information, including work papers, programs, payroll data, etc., is always safeguarded. Proper care is taken to ensure confidential information is properly secured. Materials taken out of the offices (e.g., to functional areas) should be locked up when unattended. If it becomes necessary to release copies of work papers, all confidential and/or personally identifying information is first redacted. That information may include (but is not limited to) the following:

• Social Security numbers.
• Student identification numbers.
• Student or employee addresses and/or telephone numbers.
• Any other information that may unnecessarily indicate the identity of a student or employee of the organization.

The information may be redacted by any method deemed effective to obscure the confidential information without destroying the legibility of the entire document. The original document must remain intact as part of the work papers.

The volume of schedules and the number of work paper files will vary with the size and complexity of the examination. They should be assembled so that the primary information for final report preparation is readily accessible. Each major section of the examination should be represented by a lead schedule. The organization of these papers should flow logically from the work program to which they are cross-referenced. Work papers should be organized and prepared to bring important details to the attention of the people using and reviewing them.

Construction of all schedules, their purpose, adaptability, and underlying logic should be as consistent and uniform as feasible to facilitate orderly documentation and analysis of the accomplishment of the audit objectives.

For each work paper, or the first one in a closely related group:

1. On the first page of each work paper, include a descriptive heading that gives the title of the work paper, and the audit number.
2. Use the label “Source:” to identify the source of the information.
3. Use the label “Purpose:” to show the purpose of the work paper; the purpose can then be described with a narrative (ex. To document procedures for ….; To list all paid invoices and provide a basis for selecting transactions to test; To record the results of tests of …; To record the results of interview with … concerning….; To complete audit step B.4.1; etc.).
4. In each case, the purpose should derive from an audit step in the program or from a conclusion drawn on a work paper that was in turn derived from an audit step, etc.
5. Generally, Purpose, Source should be on the first page of the work paper.
6. Reference statements of fact or citations of conditions in the first draft report back to the supporting work papers. Major revisions to the draft might need re-indexing.
7. In the upper right-hand corner of the first page of each set of workpapers, include the initials of the preparer, the date of preparation, audit number assigned in the timekeeping system, the work paper number, the page number and the total number of pages there are in the set of work papers. Subsequent workpapers should keep the work paper number page number and the total number of pages there are in the set of workpapers.

The work papers must be indexed during the course of the work in such a manner that any analysis, or any section of the examination, may be found quickly. Each schedule should have an index letter and/or number consistently located to facilitate reference.

While no specific indexing format is required, complexity of referencing and cross-referencing requires particular care in assigning numbers.

A standardized index should be prepared to serve as the Table of Contents. Each section of work papers is to be designated by a letter of the alphabet in ascending sequence. Letters A-E are reserved for the five required sections as indicated below:

1. .Audit Reports (Final, Draft, and related correspondence)
2. Planning and Supervision
3. Assignment Administration
4. Preliminary Survey
5. Audit Program
6. F., G., H., etc. Should be used for major segments of the audit as indicated by the Audit Program

Effective audits depend heavily on testing and sampling. It is imperative that the work papers clearly indicate the reasons behind decisions for testing certain types or groups of transactions, the period selected for testing, and the extent of all tests. For example, in a judgmental sample, if certain months are selected for testing transactions, the work papers should outline the basis of and reasons for selecting these months. Data concerning the volume of transactions and other information considered in determining sample sizes should also be included.

When an audit step is performed repetitively on data included in the body of a schedule, tick marks are to be used to identify the work performed. For example, a series of amounts listed as being expense reimbursements to employees may be traced to properly approved expense reports, supported by paid hotel bills, etc. Rather than write this description after each amount, a "tick mark" is selected, explained once at the bottom of the schedule, and used after each amount to indicate that the audit step has been satisfactorily completed. Tick marks should be used to facilitate review of the work papers.

Tick marks may vary throughout the work papers as necessary to indicate work done. They should be simple and distinctive. The use of too many tick marks on a single schedule is confusing and should be avoided. Coded references, such as circled numbers, can be used to reduce the need for intricately designed tick marks. If the same tick marks are to be used on a series of schedules, they may be repeated. Otherwise, all tick marks must be clearly explained on every sheet where they appear.

In some instances, it may be appropriate to use standard tick marks for a whole section of the work papers. They must be recorded in such a way that anyone reviewing the papers may have the tick marks in front of him/her

Work paper notes made by auditors may vary widely in complexity. This requires flexibility, but all notes should comply with the following general principles:

1. They must be clear, concise, and understandable. Extraneous phone numbers, names and comments in the left margin or in other portions of the work papers that are not clearly tied to factual information, opinions, or conclusions are not to be included in the work papers.
2. They must indicate the sources of all information and the names and positions of any employees whose opinions are quoted.
3. They must reach a conclusion. Under no circumstances should open questions remain in the papers, either in the form of a (?) on the schedule or of a note which doesn't clearly state the writer's opinion.
4. Notes appearing in the work papers must be consistent. Any inconsistencies noted by the reviewer must be reconciled and corrected.
5.  Explanatory information must be added to the work papers in those instances where conclusions drawn, or recommendations documented have changed. This may happen as a result of new information or evidence that has surfaced from the time of the initial recording to the acceptance of the function's corrective action response.
6. If a conclusion is changed by the auditor for any reason, the note must be amplified so that the revised conclusion is adequately supported. A notation such as an "O.K.," "No," or 'Too Small" besides the comments is not sufficient.

The completed work papers for each section of an examination must contain a conclusion or an opinion based on the work done. It should be worded in a manner which clearly indicates that the auditor understood the objective of his tests. Work papers must include comments as to the effect of findings developed during the examination. The conclusion or opinion should reflect these observations.

A conclusion or opinion must be responsive to the audit objectives and may refer to but should not repeat the detailed procedures in the audit program or a summary statement of internal controls. If the tests disclose errors, the effect of these errors must be weighed in stating an opinion. The opinion of the writer as the propriety of the account or adequacy of procedures being evaluated should be clearly stated.

A brief statement as to the basis for the conclusion or opinion is also appropriate. This statement should relate the opinion reached to the audit work that was done. For example, "Based upon the detailed testing performed in accordance with the attached program it is my opinion that . . .”

When all the evidence pertinent to the conclusion or opinion is not contained in the work papers, specific reference must be documented in the work papers as to where it can be found.

Care should be exercised not to draw conclusions or express opinions or make comments beyond the scope of competence and responsibility. If the auditor encounters situations where a system or function that he/she is evaluating involves a technical knowledge that goes beyond his/her area of expertise, he/she should arrange, if appropriate, the assistance of personnel who have this technical background.

Reference numbers are necessary for referencing information between schedules. Work papers are structured to carry data forward from detail supporting documentation to summary documentation

Auditors should consider internal control deficiencies in their evaluation of identified findings when developing the cause element of the identified findings when internal control is significant to the audit objectives.

Audit findings are pertinent statements of fact and emerge by comparing what should be with what exists. They should include the following components:

• Criteria, or what should be;
• Condition, or what is;
• Cause, the reason for the difference between criteria and condition;
• Effect, the impact of the difference on operations, or the risk or exposure created by the difference; and
• Recommendations, which are the steps that should be taken to eliminate the cause and/or remove or reduce the impact or risk.

Generally, a finding involves observations of the following:

• A deviation from established company policy or practice;
• An error in the performance of a corporate procedure;
• A deviation from relevant laws or regulations;
• An unusual item considering the nature of the business;
• An item that could be accomplished more efficiently or effectively; or
• An instance where goals or objectives may not be achieved

Findings must be adequately documented in work papers. They should be written up as part of the summary and should contain:

• A one-way reference to the supporting documentation included in the work papers;
• A clear, concise description of the exception;
• A determination of whether the exception is the result of a weakness in internal controls;
• A thorough and complete recommendation and a disposition regarding audit scope and final report.

The Reportable Issue Form (if applicable) provides a useful tool for collecting information that may be reported and for ensuring that all necessary elements are identified. Reportable Issue Forms must be referenced to the supporting work papers. Whenever possible, include a brief summary of management’s response (verbal or written) when informed of the condition.

Work papers are to be reviewed by the Auditor in Charge or the Senior Director, Internal Audit who should prepare review notes. The notes represent a reviewer's critical comments on the adequate completion of the audit work. The reviewer should evidence his/her review by initialing each work paper reviewed on the work paper, usually near the preparer’s initials.

It is essential that review be completed as soon as possible after the work papers are completed. A current review enables the reviewer to evaluate the work to ensure that:

1. The program reaches the planned objectives in a timely manner;

2. All necessary audit steps have been programmed and carried out;

3. Internal control has been adequately evaluated;

4. All internal control weaknesses and strengths are directly correlated with extensions of audit scope or reasons why scope extensions were not considered necessary -- each weakness should also be included to facilitate writing the report;

5. Each schedule indicates the source of information;

6. Each schedule accomplishes its intended purpose;

7. Explanations and opinions are clear and concise;

8. Programs and schedules have been properly initialed and tick marks properly placed;

9. All opinions are adequately supported and documented;

10. Program steps or schedules do not contain (i) unresolved points and (ii) statements or opinions which the reviewer believes are not in accord with the facts, or not well founded, or are otherwise inappropriate;

11. Important points are summarized.

In reviewing work papers, it is usually necessary to prepare review notes as a list of those items that, in the reviewer's opinion, (i) require additional work or documentation; (ii) need clarification; (iii) will serve as a teaching device for the auditor; or (iv) are to be followed up at a later time. The list should be discussed with the auditor and then given to him/her with the work papers for appropriate action.

The auditor should “clear” the review notes and if necessary, indicate comprehensively and clearly what was done to clear them. If needed, this can be shown either by a notation inserted next to each point explaining what has been done to develop the information necessary to take care of the matter adequately, or by a cross-reference to the section or sections of the work papers that satisfy the requirement. The auditor should make an

The work papers must be reviewed, and review notes cleared prior to releasing the Audit Report.

It is essential that each member of the staff working on an audit be satisfied with the scope or extent of the specific work performed, including the attention given to indications that irregularities or deficiencies might exist. This procedure is based on the consideration that every member of the organization has not only the right, but the duty to express his or her opinion on the adequacy of the scope of an examination and the opinions reached on the basis of that examination.

Any staff member having a question or reservation along these lines has a responsibility to discuss the matter with the Senior Director, Internal Audit. Any viewpoint expressed will receive careful consideration with the objective that all points will be clarified, and the staff member fully satisfied with the scope of the work and the report. This can be discussed in the Exit Conference with the auditor in charge of the audit .

If an auditor's point is overruled, the reviewer must be careful to state the reasons for not accepting an auditor's views. It is particularly important that such reasons be carefully thought out, accurately recorded, and properly dated.

Purpose: This checklist is intended to aid Internal Audit staff members in reviewing work papers prepared by other staff members. There is no specific time requirement for such a review, but it is included as an item on our Audit Process checklist as a reminder. Work papers should be reviewed for the items listed below, and the reviewer should provide some written notes.

1. Each work paper (or the first page of a series of work papers) should contain the following:

· Preparer’s initials;

· Date prepared;

· Audit number;

· Work paper number;

· the page number and the number of pages on the first page of an electronic workpaper and/or on each page of a non-electronic workpaper (except for very large documents where no reference to a specific page number is warranted);

Note: The above items should generally be added to the upper right-hand corner of the page for consistency.

· the work paper title;

· the purpose of the work paper, referenced back to the appropriate step in the audit program, to the conclusion or results from some other work paper, or to something else that makes it clear why the step was needed (it is not necessary to restate a step from the audit program, or from another source if it is clearly stated on that source, so long as it is clearly referenced);

· source and/or scope to show where the information came from;

· the purpose and source/scope should be either on the first or last page, or there should be a notation on those pages as to where they can be found. Some work papers may have these elements embedded in them; in those cases, they just need to be labeled.

2. Computations should be reviewed for mathematical accuracy. Computer spreadsheets do not need to be recalculated, but some review should be done to make sure the numbers make sense.

3. The reviewer should be comfortable that what is included in the work papers makes sense in terms of the audit objectives and program and the issues that surface during the audit.

Auditors should issue audit reports communicating the results of each completed performance audit. Auditors should issue the audit report in a form that is appropriate for its intended use, either in writing or in some other retrievable form.

The report is the primary vehicle to inform management of the findings and observations of the IA staff. It presents an opportunity to make a positive contribution to the operating unit's business by suggesting methods for strengthening controls and improving operations. To gain acceptance, reports must be completely factual and accurate. Every statement, figure, or reference must be based upon adequate evidence documented in the work papers. This helps to maintain a reputation for reliability and justify a high level of confidence by management in the findings.

The report must be clear and to the point. This requires a thorough understanding of the subject and the ability to organize and express the ideas that flow from the review findings. The report must also be concise. While some subjects may require detailed explanations and discussions, every effort should be made to organize the facts and draw meaningful conclusions in the fewest possible words without diluting the meaning or significance of the report.

Management requires information on a timely basis. The impact of the report will be weakened if it is not received in a timely manner. Promptness should not conflict with adequate preparation - both are important. The report can frequently be started before completing the fieldwork. As portions of the review are completed, applicable sections of the report may be drafted. Use of the Reportable Issue Form will help in this regard. Organized work papers will also facilitate the extraction of information for the report.

The tone of the report is important. It should be authoritative, objective, constructive, and persuasive. A standard report format has been developed to assist in preparation of the report and to ensure consistency and understanding.

The organization of the report should be dependent on the nature of the information presented. The following discussion relates to specific sections of the report that should be considered as part of the audit report unless otherwise noted.

Reports should be addressed TO the Board of Education, THROUGH the Superintendent, the appropriate Chief Officer(s), and the managers (if applicable) who are responsible for the activity under review and for implementing the recommended changes. The DATE should be the date the report is presented to the Audit Committee. The SUBJECT line should identify the audit by name. It should also identify whether the report is a draft or final report.

Reports should be dated as of the date of the Audit Committee meeting where the draft report is expected to be presented. This is consistent with the Generally Accepted Accounting Standards (GAAS) concept that reports should be dated as of the last day of fieldwork, because until the Audit Committee reviews the report, we cannot be certain whether all necessary fieldwork on the issues is complete. If the Audit Committee requires that additional work be performed in the audit, the date should be revised to reflect the completion of that work, or the date the report will come back before the Audit Committee.

This section should state the objectives of the audit. The objectives should be phrased in terms of the business objectives for the unit under review and should indicate operational or performance components of the audit. It may also be appropriate to cite the business risks that were considered as the objectives were developed.

Generally, an opinion will be provided only if the report is a financial or financial-related report, an attestation report, or if the audit objectives otherwise lead to an opinion. The opinion should provide the auditor’s overall conclusions in terms of the objectives of the audit. The opinion expressed should include internal controls as appropriate and should be consistent with the conditions presented in the report and maybe an overview statement of those conditions.

This section should provide a summary of each of the conditions. Each of the attributes of a finding or condition should be briefly described. Page numbers for the report sections where the condition is described in more detail should be included.

The background should provide relevant explanatory information about the organizational units and activities reviewed. In this context, “relevant” means necessary for the reader to get an understanding of the audit. The background section should be kept as brief as it is consistent with providing clarity and completeness. Background information that is relevant to a specific condition should be included with the detail of that condition rather than in this section. This section will also include a brief description of any prohibited or confidential information that was omitted from the report, along with an explanation of the reason for the omission.

Positive Findings related to objectives can be notated within this section or within the condition section.

The scope section should briefly describe the audited activity and what was done to conduct the audit. Generally, this section should inform the reader why the audit was done and what it was expected to achieve. The scope should include:

• the calendar dates of the audited period;
• any samples that were used;
• a general description of the methods used to test controls and collect evidence;
• relevant timeframes for testing and for conducting audit fieldwork; and
• any other specific information that is appropriate.

The scope section should provide the reader with a general understanding of the depth of coverage of the work performed and the relationship between the audit universe and what was audited. To accomplish that, it may be necessary to describe anything that was not done if there is a risk of misunderstanding on the reader’s part.

Include in the scope section a reference to Government Auditing Standards (and/or any other audit standards followed). Reports that comply with all applicable GAGAS standards should include the following unmodified GAGAS compliance statement:

Internal Audit conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that the audit be planned and performed to obtain sufficient, appropriate evidence to provide a reasonable basis for the findings and conclusions based on the audit objectives. Internal Audit believes that the evidence obtained provides a reasonable basis for the findings and conclusions based on the audit objectives.

If the report does not comply with all applicable GAGAS standards, reports should include, at a minimum, a statement that the audit did not follow GAGAS standards (See GAS 9.05).

This section should also note any limitations on the availability of evidence or uncertainties with the reliability or validity of evidence if the evidence is significant to the findings

This section provides the details on the attributes of each finding. The conditions should include a brief status update from any previous audits concerning the same topic.

This section also includes the recommendations and management’s response to the recommendations. Recommendations should be set out under separate captions and should be directed at removing the causes of the condition cited. Separate recommendations to different units or activities should be made when appropriate. Management’s response to each recommendation should be included. Responses should be summarized if necessary and should include the time frame for corrective action. This response should be included at the end of each condition.

During the assessment of each control, deficiencies in internal control may be identified. A deficiency in internal control exists when the design, implementation, or operation of a control does not allow management or personnel to achieve control objectives and address related risks. A deficiency in design exists when a necessary control is missing or is not properly designed so that even if the control operates as designed, the control objective will not be met. A deficiency in implementation exists when a control is properly designed but not implemented correctly in the internal control system. A deficiency in operating effectiveness exists when a properly designed control does not operate as designed or the person performing the control does not have the necessary competence or authority to perform the control effectively (GAS 8.53).

When internal control is significant within the context of the audit objectives, audit staff should include in the audit report (1) the scope of their work on internal control and (2) any deficiencies in internal control that are significant within the context of the audit objectives and based upon the audit work performed (GAGAS 9.29). If some but not all internal control components are significant to the audit objectives, the audit staff should identify as part of the scope those internal control components and underlying principles that are significant to the audit objectives.

When audit staff detect deficiencies in internal control that are not significant to the objectives of the audit but warrant the attention of those charged with governance, they should include those deficiencies either in the report or communicate those deficiencies in writing to audited entity officials. If the written communication is separate from the audit report, audit staff should refer to that written communication in the audit report (GAGAS 9.31).

GAS 9.35-9.68 has additional reporting requirements. Audit staff will review those requirements as part of report preparation.

Audit reports should be as concise as possible. Details should be sufficient to fully explain the condition, to present a convincing basis for taking the recommended action, and to provide sufficient detail for management to clearly understand the action that should be taken.

Reports should be balanced. When the auditor determines that controls are effective, or that some aspects of functional operations are efficient, or that there are best practices that can be cited, it should be reported.

Reports should be presented in a straightforward manner and should avoid inflammatory language.

The factual content should be verified as the draft report is being prepared. The exit conference and the review of the draft report are the final tests of factual content. Draft reports should be reviewed by and concurred with by the Senior Director, Internal Audit prior to issuance. This includes any “Discussion Drafts” as well as the final draft report.

Prior to the Audit Committee’s review of the report, the factual content of the report should be reviewed by managers that have direct responsibility over items that have been identified as findings. This discussion will occur within the Exit Conference of the report.

Changes to the report, based on challenges by functional management, shall be made only when they are substantiated as a result of evidence in existence or through additional audit work. These changes should be identified in the draft report and indexed as appropriate to work papers

Discussion Drafts - It may be desirable to distribute a “Discussion Draft” to managers prior to transmitting the draft report. This would be the case if there are issues in the report that were not fully discussed with management prior to the completion of fieldwork or if issues that were previously discussed are presented in a materially different fashion. Once management has reviewed the discussion draft and any agreed to changes have been made, the draft should be issued for comment.

Draft reports for Management’s Comments – Draft reports should be issued via email to the managers who are responsible for a response with copies to the appropriate Chief Officers, Network Superintendents, In-House Attorney, and the Superintendent.

The email should identify the time frame within which we are expecting a response. The standard is no more than 30 days, but a shorter time frame may be used if management agrees to that.

The email should contain a request that the response be provided at the end of each condition.

If management wishes to provide information in addition to the report, it will be attached to the report as an appendix.

Draft Reports to the Audit Committee - Management’s Response should be incorporated into the draft report, and the draft reports should be presented to the Audit Committee for their review. The draft should be dated as of the date it will be presented to the Audit Committee, or the date of completion of any subsequent work directed by the Audit Committee. As previously stated, the draft should generally be transmitted to the responsible managers with a copy to the appropriate Chief Officers, In-House Attorney, and the Superintendent.

Reports to the Board - When the Audit Committee has reviewed and approved the report the word “draft” should be removed from the report with a signature page. Although it is technically still a “draft report” until the Board accepts it, removing the word draft from it demonstrates that it is complete when it is presented to the Board members. The resolution establishing the Board’s Office of Internal Auditor specifies that draft reports will be issued to the Board at the next Board meeting after approval by the Audit Committee.

Other Report Circumstances - (GAS 9.64-9.66) - If the report refers to the omitted information, the reference may be general and not specific. If the omitted information is not necessary to meet the audit objectives, the report need not refer to its omission.

Certain information may be classified or may otherwise be prohibited from general disclosure by federal, state, or local laws or regulations. In such circumstances, auditors may issue a separate, classified, or limited use report containing such information and distribute the report only to people authorized by law or regulation to receive it.

Additional circumstances associated with public safety, privacy, or security concerns could justify the exclusion of certain information from a publicly available or widely distributed report. For example, detailed information related to computer security for a particular program may be excluded from publicly available reports because of the potential damage that misuse of this information could cause. In such circumstances, auditors may issue a limited use report containing such information and distribute the report only to those parties responsible for acting on the auditors’ recommendations. In some instances, it may be appropriate to issue both a publicly available report with the sensitive information excluded and a limited use report. The auditors may consult with legal counsel regarding any requirements or other circumstances that may necessitate omitting certain information. Considering the broad public interest in the program or activity under audit assists auditors when deciding whether to exclude certain information from publicly available reports.

A copy of a referenced draft report should be included in the supporting work papers.

Once the Board approves a report, it should be posted to the Internal Audit Department page of the District’s public website. The report will remain on the public website for seven years.

Functional management should be provided with ample opportunity to provide a response, but generally no more than 30 days. Senior management may provide additional direction on response time. The response should indicate the action being taken on all reportable conditions and scheduled dates for when the corrective actions will be completed. Upon receipt of the response, Internal Audit staff will determine whether individual corrective actions agreed to by functional management appear to be an effective response to the supporting recommendation. If responses are not acceptable, the auditor should engage in additional discussions with functional management to resolve any differences.

A file containing the issued audit report should be maintained in the Internal Audit Department electronic files.

An Assignment Closeout Checklist has been developed to help ensure that each audit assignment complies with all applicable Government Auditing Standards. The checklist should be completed by the Senior Director of Internal Audit prior to the time that an audit report is presented to the Audit Committee

If, after the report is issued, the auditors discover that they did not have sufficient, appropriate evidence to support the reported findings or conclusions, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the entities requiring or arranging for the audits, and other known users, so that they do not continue to rely on the findings or conclusions that were not supported. If the report was previously posted to the auditors’ publicly accessible website, the auditors should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional audit work necessary to either reissue the report, including any revised findings or conclusions, or repost the original report if the additional audit work does not result in a change in findings or conclusions.

After the Board of Education approval, Internal Audit will send a Customer Satisfaction Survey to the reporting parties for feedback.

A Summary of Reports has been developed to serve as the follow-up report for both internal and external audits. The report reflects the auditors’ recommendations along with management’s action plan and date of completion. The auditors conduct interviews with management to determine the completion of management actions, requesting proof when applicable. The Summary of Reports is reported to the Board of Education yearly and maintained on the District public website.

To establish the appropriate responsibilities for dealing with the fraud or misappropriation, the Board has adopted Board Policy DJ, Expenditure of Funds, and the related Administrative Regulation.

The Internal Audit Department adopted the following procedures for handling suspected irregularities or misappropriation of Board funds. These Internal Audit Operating Procedures are intended to provide more detailed guidance for conducting investigations under Board Policy DJ.

The Internal Audit Department is responsible for conducting all investigations arising from notification, either by an employee or by the Superintendent, of a suspected irregularity or misappropriation.

When notified, the Internal Audit Department will conduct a preliminary inquiry into the irregularity or misappropriation. The Controller for the District will be notified of the preliminary inquiry. If it is determined by the Internal Audit Department that a more depth investigation is needed, the Internal Audit will notify the Board President, Superintendent of Schools and applicable management, that a potential irregularity/misappropriation exists and will inform them that an investigation is underway.

In any instance where the investigation shows there is apparent fraud or misappropriation, the Senior Director, Internal Audit will consult with the Board Attorney and Campus Police regarding the next steps to be taken. This includes determining whether and when a referral should be made to other law enforcement authorities and at what point any associated internal audit work should be terminated. The Senior Director will inform the Board President, Superintendent and the Controller of the results through a report as well as the Chief Officer to alert him/her of weaknesses within the internal controls. Internal Audit will make recommendations for process improvement. The Chief Officer will determine corrective actions for such breakdowns. If further investigation is not appropriate, the Internal Audit Department will fully brief the parties, as well as area management, on the findings of the preliminary review and recommendations for any necessary administrative actions.

The Board has implemented a Hotline program that provides a toll-free phone number to a third- party contractor that can be used for anonymous reports from employees or others when they believe that fraud or misappropriation or similar workplace incidents have occurred. Reports may also be made through a secure website.

The reports may be anonymous and may be made to a toll-free number 24 hours a day and 7 days a week. Reports may also be made by accessing a secure website. Reporters answer a series of questions (who, what, when, where, why, how) to determine the substance of the report. Both the toll-free phone number and the website address are available on the public website and the District’s intranet. Internal Audit will respond 72 hours unless it is a safety issue.

An audit organization conducting engagements in accordance with GAGAS must establish and maintain a system of quality management that is designed to provide the audit organization with reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements.

In GAGAS (5.03), a system of quality management consists of the following components: governance and leadership; independence, legal, and ethical requirements; acceptance, initiation, and continuance of engagements; engagement performance; resources; and information and communication. It also includes two components that are processes. The risk assessment process includes assessing and responding to risks to achieving the quality objectives. The monitoring and remediation process includes (1) providing relevant, reliable, and timely information about the design, implementation, and operation of the system of quality management; (2) taking appropriate actions to respond to and remediate identified deficiencies in the system of quality management; and (3) enabling the audit organization to assess compliance with professional standards and with policies and procedures it has established to address quality risks.

5.04 - GAGAS establishes a risk-based approach to designing, implementing, and operating the system of quality management in an interconnected and coordinated manner. This risk-based approach involves the following:

1. establishing the desired outcomes relative to the components of the system of quality management (referred to as quality objectives);
2. identifying and assessing risks to achieving the quality objectives (referred to as quality risks); and
3. designing and implementing responses to address quality risks.

5.05 - An audit organization conducting engagements in accordance with GAGAS must design, implement, and operate a system of quality management that provides it with reasonable assurance that the audit organization and its personnel

1. fulfill their responsibilities in accordance with professional standards and applicable laws and regulations and
2. perform and report on engagements in accordance with such standards and requirements.

5.13 -The audit organization should assign a. responsibility and accountability for the system of quality management to a senior-level official within the audit organization and b. operational responsibility for the system of quality management or specific aspects of the system of quality management to a specific individual or individuals.

5.14 - The audit organization should determine that the individual or individuals in paragraph 5.13

1. possess the appropriate experience, knowledge, influence, and authority within the audit organization;
2. have sufficient time and resources to fulfill the assigned responsibility;
3. have a sufficient understanding of this chapter and other applicable GAGAS requirements, as well as application guidance and other explanatory material, to understand the objectives of the system of quality management and to apply the related requirements properly; and
4. understand the assigned roles and are held accountable for fulfilling them.

5.15 - The audit organization should determine that those assigned operational responsibility for the system of quality management or aspects of the system of quality management are in direct communication with the senior-level official assigned responsibility and accountability for the system of quality management.

5.19 - The audit organization should design and implement a risk assessment process that establishes quality objectives, identifies and assesses quality risks, and designs and implements responses to address the quality risks.

5.20 - The audit organization should establish the quality objectives specified by this chapter. The audit organization should also establish any additional quality objectives that the audit organization considers necessary to achieve the objective of the system of quality management.

5.21 - The audit organization should identify and assess quality risks. To identify and assess quality risks, the audit organization should

1. obtain an understanding of the conditions, events, circumstances, actions, or inactions that may adversely affect the achievement of the quality objectives and
2. consider how, and the degree to which, the conditions, events, circumstances, actions, or inactions may adversely affect the achievement of the quality objectives.

5.22 - The audit organization should design and implement responses to address the quality risks.

5.23 - The audit organization should identify, analyze, and respond to changes in the nature and circumstances of the audit organization or its engagements that could affect the quality objectives, quality risks, or responses to address quality risks.

5.45 - The audit organization should establish quality objectives that address its governance and leadership as follows:

1. The audit organization demonstrates a commitment to quality through a culture that exists throughout the audit organization.
2. Leadership is responsible and accountable for quality.
3. Leadership demonstrates a commitment to quality through its actions and behaviors.
4. The organizational structure and assignment of roles, responsibilities, and authority are appropriate to enable the design, implementation, and operation of the audit organization’s system of quality management.
5. Resource needs are planned for, obtained, allocated, and assigned in a manner consistent with the audit organization’s commitment to quality.

5.47 - The audit organization should establish the following quality objectives that address fulfilling responsibilities in accordance with independence and legal and ethical requirements relevant to performing GAGAS engagements:

1. The audit organization and its personnel
   1. understand the independence and legal and ethical requirements to which the audit organization and its engagements are subject and
   2. fulfill their responsibilities in relation to the independence and legal and ethical requirements to which the audit organization and its engagements are subject.
2. Service providers who are subject to the independence and legal and ethical requirements to which the audit organization and its engagements are subject
   1. understand the independence and legal and ethical requirements that apply to them and
   2. fulfill their responsibilities in relation to the independence and legal and ethical requirements that apply to them.

5.48 - The audit organization should

1. establish policies and procedures for identifying, evaluating, and addressing threats to compliance with independence requirements and applicable legal and ethical requirements and appropriately responding to the causes and consequences of any breaches of these requirements and
2. at least annually, obtain written affirmation of compliance with its policies and procedures on independence from all personnel required to be independent

5.51 - The audit organization should establish a quality objective that addresses the acceptance, initiation, and continuance of engagements as follows: The audit organization accepts, initiates, and continues engagements only if it

1. complies with professional standards, independence requirements, and applicable legal and ethical requirements;
2. acts within its legal mandate or authority; and
3. has the capabilities, including time and resources, to do so.

5.54 - The audit organization should establish quality objectives that address the performance of engagements as follows:

1. Engagement teams understand and fulfill their responsibilities in connection to engagements, including the overall responsibility of an engagement partner or director for
   1. managing and achieving quality on the engagement and
   2. being sufficiently and appropriately involved throughout the engagement.
2. The nature, timing, and extent of direction and supervision of engagement teams and review of the work performed are appropriate based on the nature and circumstances of the engagements and the resources assigned or made available to the engagement team.
3. Engagement teams exercise appropriate professional judgment, which includes exercising reasonable care and professional skepticism.
4. Consultation on difficult or contentious matters is undertaken and, as appropriate, documented. Conclusions agreed to from the consultation are implemented and, as appropriate, documented.
5. Differences of opinion within the engagement team, or between the engagement team and individuals performing activities within the audit organization’s system of quality management, are brought to the attention of officials at the appropriate level of the audit organization; resolved; and, as appropriate, documented.
6. Engagement documentation of the work performed, results obtained, and conclusions reached is assembled on a timely basis and is appropriately maintained and retained to meet the needs of the audit organization and comply with professional standards, independence requirements, and applicable legal and ethical requirements.
7. Audit procedures and audit reports are appropriate in the context of the engagement objectives.

5.55 - The audit organization should take the following steps:

1. Assign responsibility to the engagement partner or director for determining that they have taken overall responsibility for managing and achieving quality on the engagement.
2. Assign responsibility to the engagement partner or director for determining that independence and ethical requirements have been fulfilled for each engagement prior to issuing the audit report.
3. If an engagement is terminated before it is completed and an audit report is not issued, document the results of the work to the date of termination and why the engagement was terminated.
4. If auditors change the engagement objectives during the engagement, document the revised engagement objectives and the reasons for the changes.
5. Determine if an engagement quality review is an appropriate response to address one or more quality risks.
6. Design and implement policies and procedures that address the requirements in 5.55a through 5.55e

5.74 - The audit organization should establish quality objectives that address appropriately obtaining, developing, using, maintaining, allocating, and assigning resources in a timely manner to enable the design, implementation, and operation of a system of quality management as follows:

1. Personnel are hired, developed, and retained who have the competence and capabilities to consistently perform quality engagements and carry out responsibilities related to the operation of the audit organization’s system of quality management.
2. Personnel develop and maintain the appropriate competence to perform their roles and are held accountable or recognized for doing so through timely evaluation, compensation, promotion, and/or other incentives. \
3. Auditors who are performing work in accordance with GAGAS meet the continuing professional education (CPE) requirements.
4. The audit organization has sufficient resources to consistently perform quality engagements and enable the operation of the audit organization’s system of quality management.
5. Individuals assigned to engagements or to perform activities within the system of quality management have appropriate competence and capabilities, including sufficient time, to perform their duties.
6. Appropriate technological and intellectual resources are obtained or developed, implemented, maintained, and used to enable the operation of the audit organization’s system of quality management and the performance of engagements.
7. Human, technological, or intellectual resources from service providers are appropriate for use in the audit organization’s system of quality management and in performing engagements.


 

5.81 - The audit organization should establish quality objectives that address obtaining, generating, or using information regarding the system of quality management and communicating information to enable the design, implementation, and operation of the system of quality management as follows:

1. The audit organization’s information system identifies, captures, processes, and maintains relevant and reliable information that supports the system of quality management.
2. Relevant and reliable information is communicated to personnel and engagement teams to enable them to understand and carry out their responsibilities within the system of quality management or engagements.
3. Personnel and engagement teams communicate relevant and reliable information to the audit organization when performing activities within the system of quality management or engagements.
4. Relevant and reliable information is communicated to external parties.

5.87 - The audit organization should establish a process to monitor the design, implementation, and operation of the system of quality management to provide a basis for identifying deficiencies and remediating them on a timely basis.

5.90 - The audit organization should design and perform monitoring and remediation activities to

1. provide relevant, reliable, and timely information about the design, implementation, and ob.
2. take appropriate actions to respond to identified deficiencies so that they are remediated on a timely basis; and
3. enable it to assess compliance with professional standards and with policies and procedures it has established to address quality risks

5.91 - The audit organization should establish policies and procedures that address the objectivity of the individuals performing the monitoring and remediation activities and require those individuals to have sufficient competence, authority, and time to perform these activities.

5.109 - The audit organization should evaluate findings concerning the system of quality management to determine whether deficiencies exist, including in the monitoring and remediation process.

5.110 - The audit organization should evaluate the severity and pervasiveness of identified deficiencies in the system of quality management by investigating their underlying causes and evaluating their effect, both individually and in the aggregate, on the system of quality management.

5.119 - The audit organization should design and implement remedial actions that respond to the results of the analysis of underlying causes to address identified deficiencies in the system of quality management.

5.120 - The audit organization should evaluate the remedial actions to determine whether they are effective in addressing the identified quality management deficiencies and their related underlying causes.

5.121 - If the audit organization’s evaluation indicates that the remedial actions are not effective in addressing the quality management deficiencies, the audit organization should modify the remedial actions such that identified deficiencies and their related underlying causes are addressed. Quality Management Findings About a Particular Engagement

5.122 - The audit organization should respond to circumstances when quality management findings indicate that there is an engagement for which

1. a description of the monitoring activities performed;
2. the identified deficiencies, along with information about their severity and pervasiveness; and
3. the remedial actions to address identified deficiencies

5.126 - The audit organization should communicate the matters described in paragraph

5.125 to engagement teams and others within the system of quality management to enable the audit organization and appropriate personnel to take prompt remedial action related to deficiencies in accordance with their responsibilities.

5.128 - The senior-level official assigned responsibility and accountability for the audit organization’s system of quality management should evaluate the system of quality management. The evaluation should be undertaken as of a point in time and performed at least annually. Based on this evaluation, the senior-level official should conclude and document one of the following:

1. The system of quality management provides the audit organization with reasonable assurance that the objective of the system of quality management is being achieved.
2. Except for matters related to identified deficiencies that have a severe but not pervasive effect on its design, implementation, and operation, the system of quality management provides the audit organization with reasonable assurance that the objective of the system of quality management is being achieved.
3. The system of quality management does not provide the audit organization with reasonable assurance that the objective of the system of quality management is being achieved.

5.129 - When evaluating and concluding on the system of quality management, the senior-level official assigned responsibility and accountability for the system of quality management should consider

1. the audit organization’s quality management risk assessment process, including its quality objectives, quality risks, and responses and the extent to which the audit organization’s responses address the quality risks, and
2. the results of the monitoring and remediation process.

5.132 - The audit organization should document its system of quality management in a manner sufficient to

1. Identification of the
   1. senior-level official assigned responsibility and accountability for the system of quality management, as discussed in paragraph 5.13a, and
   2. individual or individuals assigned operational responsibility for the system of quality management, as discussed in paragraph 5.13b.
2. The audit organization’s quality management risk assessment, including its quality objectives, quality risks, and a description of the responses and how the audit organization’s responses address the quality risks, as discussed in paragraphs 5.19 through 5.23.
3. Regarding the monitoring and remediation process

5.133 - The audit organization should include the following in its documentation of its system of quality management:

1. support personnel’s consistent understanding of the system of quality management, including an understanding of their roles and responsibilities with respect to the system of quality management and performing engagements;
2.  support the consistent implementation and operation of the responses to address quality risks; and
3. Regarding the monitoring and remediation process
   1. evidence of the monitoring activities performed, as discussed in paragraph 5.90;
   2. the evaluation of findings, and identified deficiencies and their related underlying causes, as discussed in paragraphs 5.109 and 5.110;
   3. remedial actions to address identified deficiencies and the evaluation of the design and implementation of such remedial actions, as discussed in paragraphs 5.119 and 5.120; and
   4. communications about monitoring and remediation, as discussed in paragraphs 5.125 and 5.126.
4. The conclusion and the basis for the conclusion reached pursuant to paragraph 5.128.

5.134 - The audit organization should establish a period of time for document retention for the system of quality management that is sufficient to enable the audit organization and its peer reviewer to monitor the design, implementation, and operation of the system of quality management or for a longer period if required by law or regulation

5.142 - An audit organization using engagement quality reviews should establish policies and procedures that set forth the eligibility criteria to be appointed as an engagement quality reviewer or an assistant to an engagement quality reviewer. The policies and procedures should require that any engagement quality reviewer and any assistants to an engagement quality reviewer not be members of the engagement team and

1. have the competence and capabilities, including sufficient time, and the appropriate authority to perform the engagement quality review and
2. comply with applicable legal and ethical requirements, including those addressing threats to the objectivity of the engagement quality reviewer.

5.143 - An audit organization using engagement quality reviews should establish policies and procedures that address circumstances in which the engagement quality reviewer’s eligibility to perform the engagement quality review is impaired and the appropriate actions to be taken by the audit organization. The audit organization should include in such policies and procedures notification to appropriate individuals within the audit organization if the engagement quality reviewer becomes aware of circumstances that impair the engagement quality reviewer’s eligibility.

5.145 - An audit organization using engagement quality reviews should establish policies and procedures regarding the performance of the engagement quality review that address the following:

1. Read and obtain an understanding about information communicated to the engagement quality reviewer by the
   1. engagement team regarding the nature and circumstances of the engagement and the entity and
   2. audit organization related to its monitoring and remediation process, in particular, identified deficiencies that may relate to, or affect, the areas involving significant judgments made by the engagement team.
2. The responsibilities of the engagement partner or director in relation to the engagement quality review, including that
   1. the engagement partner or director is precluded from releasing the audit report until after having received notification from the engagement quality reviewer that the engagement quality review is complete and
   2. documentation is provided to the engagement quality reviewer to permit completion of the engagement quality review
3. Circumstances when the nature and extent of engagement team discussions with the engagement quality reviewer about a significant judgment give rise to a threat to the engagement quality reviewer’s objectivity and appropriate actions to take in these circumstances.

5.146 - In performing an engagement quality review, the engagement quality reviewer should do the following:

1. Read and obtain an understanding about information communicated to the engagement quality reviewer by the
   1. the engagement partner or director is precluded from releasing the audit report until after having received notification from the engagement quality reviewer that the engagement quality review is complete and
   2. documentation is provided to the engagement quality reviewer to permit completion of the engagement quality review.
2. Discuss with the engagement partner or director and, if applicable, other members of the engagement team, significant matters and significant judgments made in planning, performing, and reporting on the engagement. 
3. Based on the information obtained in paragraph 5.146 (a) and (b), review selected engagement documentation relating to the engagement team’s significant judgments and evaluate the following:
   1. The basis for making those significant judgments, including, when applicable to the type of engagement, the engagement team’s exercise of professional skepticism. Review (1) for audits of financial statements, the financial statements
   2. Whether the engagement documentation supports the conclusions reached.
   3. Whether the conclusions reached are appropriate.
4. Evaluate whether appropriate consultation has taken place on difficult or contentious matters or matters involving differences of opinion and the conclusions arising from those consultations.
5. Evaluate the basis for
   1. the engagement partner’s or director’s determination that the engagement partner’s or director’s involvement has been sufficient and appropriate throughout the engagement such that the engagement partner or director has the basis for determining that the significant judgments made and the conclusions reached are appropriate given the nature and circumstances of the engagement and
   2. the engagement partner’s or director’s determination that independence and ethical requirements have been fulfilled.
6. Review
   1. for audits of financial statements, the financial statements and the auditor’s report thereon, including, if applicable, the description of the key audit matters;
   2. for reviews of financial statements or financial information, the financial statements or financial information and the audit report thereon; or
   3. for other engagements, the audit report, and when applicable, the subject matter information.

5.147 - If an engagement quality reviewer has concerns that the engagement team’s significant judgments or conclusions are not appropriate, the engagement quality reviewer should notify the engagement partner or director. If such concerns are not resolved to the engagement quality reviewer’s satisfaction, the engagement quality reviewer should notify appropriate individuals in the audit organization that the engagement quality review cannot be completed.

5.153 - When an engagement quality review is performed, the engagement quality reviewer should document

1. the names of the engagement quality reviewer and individuals who assisted with the engagement quality review;
2. that the procedures required by the audit organization’s policies on engagement quality reviews have been performed;
3. that the engagement quality reviewer is not aware of any unresolved matters that would cause the engagement quality reviewer to believe that the significant judgments that the engagement team made and the conclusions it reached were not appropriate;
4. the notifications required in accordance with paragraphs 5.147 and 5.152; and
5. the date of completion of the engagement quality review.

5.155 - Each audit organization conducting engagements in accordance with GAGAS must obtain an external peer review conducted by reviewers independent of the audit organization being reviewed. The peer review should be sufficient in scope to provide a reasonable basis for determining whether, for the period under review, (1) the reviewed audit organization’s system of quality management was suitably designed and (2) the organization is complying with its system of quality management so that it has reasonable assurance that it is fulfilling its responsibilities in accordance with professional standards and performing and reporting in conformity with such standards in all material respects.

5.156 - Audit organizations affiliated with one of the following recognized organizations should comply with the respective organization’s peer review requirements and the requirements listed throughout paragraphs 5.161 through 5.175. a. American Institute of Certified Public Accountants b. Council of the Inspectors General on Integrity and Efficiency c. Association of Local Government Auditors d. International Organization of Supreme Audit Institutions e. National State Auditors Association

5.161 - The peer review team should perform an assessment of peer review risk to help determine the number and types of engagements to select for review.

5.162 Based on the risk assessment, the peer review team should select engagements that provide a reasonable cross section of all types of work subject to the reviewed audit organization’s system of quality management, including one or more engagements conducted in accordance with GAGAS.

5.167- The peer review team should use professional judgment in deciding on the type of peer review rating to issue; the ratings are as follows:

1. Peer review rating of pass: A conclusion that the audit organization’s system of quality management has been suitably designed and complied with to provide the audit organization with reasonable assurance of performing and reporting in conformity with professional standards in all material respects. 
2. Peer review rating of pass with deficiencies: A conclusion that the audit organization’s system of quality management has been suitably designed and complied with to provide the audit organization with reasonable assurance of performing and reporting in conformity with professional standards in all material respects with the exception of a certain deficiency or deficiencies described in the report.
3. Peer review rating of fail: A conclusion, based on the significant deficiencies described in the report, that the audit organization’s system of quality management is not suitably designed to provide the audit organization with reasonable assurance of performing and reporting in conformity with professional standards in all material respects, or that the audit organization has not complied with its system of quality management to provide the audit organization with reasonable assurance of performing and reporting in conformity with professional standards in all material respects.

5.168 - The peer review team should determine the type of peer review rating to issue based on the observed matters’ importance to the audit organization’s system of quality management as a whole and the nature, causes, patterns, and pervasiveness of those matters. The matters should be assessed both alone and in aggregate.

5.169 - The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows:

1. If the peer review team’s evaluation of observed matters does not identify any findings (more than a remote possibility that the reviewed audit organization would not perform, report, or both in conformity with professional standards), or identifies findings that are not considered to be deficiencies, the peer review team issues a pass rating.
2. If the peer review team’s evaluation of findings identified deficiencies but did not identify any significant deficiencies, the peer review team issues a pass with deficiencies rating and communicates the deficiencies in its report.
3. If the peer review team’s evaluation of deficiencies identified significant deficiencies, the peer review team issues a fail rating and communicates the deficiencies and significant deficiencies in its report.

5.172 - An external audit organization should make its most recent peer review report publicly available. If a separate communication detailing findings, conclusions, and recommendations is issued, the external audit organization is not required to make that communication publicly available. An internal audit organization that reports internally to management and those charged with governance should provide a copy of its peer review report to those charged with governance.

5.173 - An external audit organization should satisfy the publication requirement for its peer review report by posting the report on a publicly available website or to a publicly available file. Alternatively, if neither of these options is available, then the audit organization should use the same mechanism it uses to make other reports or documents public.

5.174 - Because information in peer review reports may be relevant to decisions on procuring audit services, an audit organization seeking to enter into a contract to conduct an engagement in accordance with GAGAS should provide the following to the party contracting for such services when requested:

1. the audit organization’s most recent peer review report and
2. any subsequent peer review reports received during the period of the contract.

5.175 - Auditors who are using another audit organization’s work should request a copy of that organization’s most recent peer review report, and the organization should provide this document when it is requested.

The following are the steps to be followed for Business Process Reviews:

1. The Internal Control Questionnaire (ICQ) will be sent to the principal for him/her to review and complete prior to our site visit.
2. The site visit will be scheduled by the Auditor in Charge.
3. The site visit will be conducted and should include:
   1. A preliminary discussion (entrance conference) with the principal to complete and discuss the ICQ. The plan for the review is communicated. The entire ICQ should be discussed in general, but with specific reference to any “no” answers or notations made by the principal. Also, once the plan is communicated to the principal, we should ask whether there are areas where the principal has a specific concern, including any areas that may not be listed in the ICQ. Any concerns that emerge from this discussion should be factored into the audit program for the school.
   2. The tests of transactions in accordance with the audit program and worksheets.
   3. An exit briefing at the completion of the review, where the principal is informed of any issues identified and the recommendations we anticipate making. This briefing should also include a discussion of any area where we note inconsistencies between what is noted in the ICQ and what we found during our transaction testing. Since our tests are generally of transactions from the prior year and the ICQ should reflect controls during the current year, there are likely to be differences. The discussion should help to ensure that steps to correct any of the deficiencies we found have been taken.
4. The development of the draft report, which is reviewed by the Senior Director, Internal Audit and sent to the principal for response.
5. A close-out briefing to review and discuss the response provided by the principal may be beneficial but is not required if the response satisfactorily addresses the control issues
6. An independent review of the workpapers and reference report should follow the same reporting requirements as audits.
7. An Assignment Closeout must be completed.
8. Transmit Draft Report to the Audit Committee for approval. Once approved. transmit to the Board for approval.
9. Once the Board Approval Send the Customer Satisfaction Survey to principals for feedback.

A follow-up review, if needed, will be scheduled within one year after the initial review. This allows time for the principal to implement the recommendations made during the initial review.

At the Audit Committee’s request, additional follow-up visits may be completed until satisfactory progress is achieved.