Internal Audit
Contact Us:
208 Bull Street
Savannah, GA 31401
(912) 395-5844
Audit Resources
- Audit Plans
- Peer Review Reports
- Audit Manual
- Internal Audit Department By-Laws
- Audit Committee Charter
Audit Plans
Peer Review Reports
Audit Manual
Audit Manual
- Introduction
- I. AUTHORITY
- II. AUDIT STANDARDS AND ETHICAL PRINICIPLES
- III. RESPONSIBILITIES
- IV. ANNUAL AUDIT PLANNING AND DEPARTMENTAL FILES
- V. AUDIT PLANNING AND SURVEY
- VI. AUDIT PROGRAM
- VII. AUDIT EVIDENCE AND TESTS
- VIII. WORK PAPERS
- IX. THE EXIT CONFERENCE
- X. THE AUDIT REPORT
- XI. FRAUD AND MISAPPROPRIATION
- XII. NON-AUDIT SERVICES
- XIII. QUALITY CONTROL & PEER REVIEW OF DEPARTMENT FUNCTION
- XIV. BUSINESS PROCESS REVIEWS
Introduction
The Audit Manual and Operating Procedures is a general guideline for daily audit activity operations. It is not intended to replace or supplant audit standards as promulgated by relevant professional associations or SCCPSS policy. Those standards and policies are discussed in Section II and remain the comprehensive rules or principles. This manual is not exhaustive or all-inclusive. Each audit conducted is unique and presents its own challenges and idiosyncrasies. This manual provides general guidelines for a wide range of audit activities. However, auditors are required to make professional judgments during each audit based on the information available. Those decisions must be made in accordance with professional standards and SCCPSS policy and should not be hindered by this manual. Questions or concerns that cannot be satisfactorily answered by this manual and/or the professional audit standards referenced in Section II should be directed to the Senior Director of Internal Audit for review.
I. AUTHORITY
- A. RESOLUTION ESTABLISHING THE OFFICE OF INTERNAL AUDITOR
- B. AUDIT COMMITTEE CHARTER
- C. OPERATING PROCEDURES FOR ACADEMIC AUDITOR
A. RESOLUTION ESTABLISHING THE OFFICE OF INTERNAL AUDITOR
The office was established by a resolution of the Board of Education in 1991. The Resolution was revised in January 1997 at the suggestion of the Audit Committee to specify the standards that will apply to internal audits, and to add a section on Reporting on Irregularities. The revised resolution was adopted by the Board in March 1997. Some changes from the statements in the resolution have taken place since 1997. The authority for these changes is the Audit Committee, in accordance with the Charter described below. These changes include the composition of the Audit Committee and the fact that audits would be done in accordance with Government Auditing Standards.
B. AUDIT COMMITTEE CHARTER
The Board of Education provided a charter to establish an Audit Committee in 1991. The Charter is reviewed by the Audit Committee each year to determine if changes are needed, and any changes are presented to the Board for approval. The most current revision to the charter was made in March 2022. A listing of current Audit Committee members and scheduled meeting dates are available on the District’s public website ( www.sccpss.com ) under the Board tab.
C. OPERATING PROCEDURES FOR ACADEMIC AUDITOR
Procedures for the operation of the Academic Auditor were written in June 1998 to parallel the resolution establishing the office of internal auditor. Since the position and the function were new, the procedures were written in draft form with the intention that after a year or so of operation they would be reviewed, revised as needed, and finalized. The procedures remained in draft form until March 2004 when they were reviewed and changed to final. Minor changes have been made over time to keep the procedures current.
II. AUDIT STANDARDS AND ETHICAL PRINICIPLES
- A. AUDIT STANDARDS AND ETHICAL PRINCIPLES APPLICABLE AUDIT STANDARDS
- B. ETHICAL PRINCIPLES (GAS 3.06)
A. AUDIT STANDARDS AND ETHICAL PRINCIPLES APPLICABLE AUDIT STANDARDS
The term "audit standards" means the rules or principles established for determining the level of quality for audit work performed. Audit standards provide a framework for performing work with competence, integrity, objectivity and independence. Prior to 2000, the Internal Audit Department followed the standards developed and 6 | Page Savannah-Chatham Internal Audit Department County Board of Education
Operating Procedures published by the Institute of Internal Auditors. However, during that year the Department began to move toward following the Government Auditing Standards (The GAO “Yellow book”) published by the Government Accountability Office. The first audit done under the Government Auditing Standards and citing them in the report (GAS 2.16) was begun in May 2002. For purposes of these operating procedures, “standards” means the current version of the Government Auditing Standards. These audit standards are the standards Internal Audit will follow in conducting its work, and they should be cited in the audit report. In keeping with the standards, any instances where they are not followed should be disclosed. The most current version of the Government Auditing Standards was revised in 2021. Any standards required by the 2021 revision are incorporated into this manual by reference, if not specifically noted. In addition, Internal Audit staff must comply with applicable Board of Education Policies on ethics (GAGA - Ethics for Government Service, and GAG – Staff Conflict of Interest). Internal Audit staff should also be knowledgeable concerning other Board Policies dealing with ethics (GBU – Professional Personnel Ethics, and DJ – Expenditure of Funds). Policy DJ is also referenced in Section XII of this manual.
B. ETHICAL PRINCIPLES (GAS 3.06)
III. RESPONSIBILITIES
- A. Internal Audit Department Organization Chart
- B. Responsibilities and Position Descriptions
- C. Relationships with Outside Auditors
- D. Coordination with Outside Reviewers
- E. Relationships with Operating Units
- F. Staff Professional Development (GAS 4.16-4.18)
- G. Competence of Staff (GAS 4.02-4.04)
A. Internal Audit Department Organization Chart
B. Responsibilities and Position Descriptions
Each Internal Audit staff member is responsible for helping to ensure that these operating procedures, as well as the policies and directives of the Board of Education, are carried out during the conduct of audit work. Responsibilities of the Senior Director, Academic Auditor, Senior Internal Auditor, and Internal Audit Assistant are included in the position’s job description. Specific responsibilities of the Senior Director that cannot effectively be delegated are:
• Development of the Internal Audit Plan.
• Approval of the objectives of audit assignments. Internal Audit Department Operating Procedures
• Review and approval of internal audit programs and audit scope.
• Review of work papers prepared by other staff.
• Review of audit reports prior to submission to the Audit Committee.
C. Relationships with Outside Auditors
Coordination of Audit Coverage
Internal audit work should be coordinated with the work of the external audit firm to ensure maximum coverage and eliminate unnecessary overlap or duplication. Generally, this can be accomplished by sharing the annual audit plan with the external auditor and by discussing internal audit areas with the external auditor. Testing done by the external auditor may be of value in planning internal audits. In addition, internal audit coverage may affect the reliance external auditors can place on internal controls. In some cases, the external auditors may be aware of control issues that may not be included in their report or management letter, but that may be helpful in planning internal audit coverage of an area. Internal Auditors should review the external audit reports and management letters, and discuss audit areas with the external auditors when planning internal audits. Internal Audit staff should freely share information with the external auditors.
Performance of audit steps for external auditors.
Internal Auditors may be requested to assist the external auditors by performing audit steps as part of the annual external audit. Audit Committee approval should be obtained for such activity since it has a definite impact on completing the audit plan. Time to be spent on such assistance should be included in the audit plan when it is known.
Coordination of Requests for Proposal and selection of firm for external audits.
The Audit Committee is responsible for selecting the successful bidder from responses to Requests for Proposal on the external audit(s). The Internal Audit Department is responsible for ensuring that a complete RFP is prepared and that it includes all elements required by the State Auditor. Development of the RFP should be coordinated with Finance, since they are most directly affected by the annual audit, and with Purchasing, since they are the area with the expertise and responsibility for bids and proposals. Generally, a long Audit Committee meeting should be planned to review responses to RFPs and to make the selection. Bid awards generally cover a one-year period with options to renew for up to three additional years.
D. Coordination with Outside Reviewers
Internal Audit should be advised when federal, state or other auditors or reviewers are reviewing District activities. Generally, Internal Audit should participate in any entrance or exit conferences. Internal Audit should make certain the Audit Committee is aware of the review and its outcome, of any risks that are identified in conjunction with the review, and of any management action that results from the review. This is communicated through the annual Summary of Audits Report. Internal Audit should also make certain that review results and risks identified are considered in audit planning.
E. Relationships with Operating Units
Internal Audit staff must conduct themselves so as to deserve each operating unit’s cooperation, respect and confidence in the fairness of the results of the audit. All Internal Audit staff members are responsible for maintaining effective working relationships with operating units. In general, “maintaining effective working relationships” means:
• Recognizing that audit activities may impact a unit’s operations, and planning and conducting audit work to minimize disruptions as much as is reasonable and consistent with due care;
• Seeking and considering unit management’s input on audit issues;
• Keeping unit managers as informed as is reasonable on the progress of the audit and the nature of findings being developed;
• Working to “partner” with unit managers in improving operations.
Maintaining effective relationships does not require an absence of adversarial situations, or the subordination of auditor judgment to management’s requests or concerns. Whenever feasible, active participation by personnel within the functions being reviewed should be encouraged. This should result in strengthening communication between the function and the Internal Audit staff in terms of identifying findings and determining effective corrective action. However, care should be taken that work accomplished by the functional participants doesn't compromise the audit's objectivity or independence.
At the end of each audit, a Customer Satisfaction Survey will be sent to management that are listed in the final audit report to assess the Internal Audit Department’s professionalism, fairness within the report, and effectiveness in establishing and maintaining a working relationship with the staff being audited.
F. Staff Professional Development (GAS 4.16-4.18)
All Internal Audit staff members should meet the professional expectation for continued professional development. Staff members who hold professional licenses or certificates are expected to ensure that the training they receive complies with the requirements of those licenses and certificates.
All staff members will meet the Qualifications standard of the Government Auditing Standards, which specifies that government auditors will receive at least 80 hours of continuing professional education (CPE) every two years and a total of 24 of those 80 hours will be in government auditing or the government environment. At least 20 hours of CPE should be completed each year. The Department will maintain documentation of each auditor’s CPE. Each year, as part of developing the proposed budget, staff members will specify those courses or course areas where they plan to obtain training the next year, including the training vendor, the location and the dates. Training plans will be reviewed with the Senior Director to ensure they meet professional development needs and expectations.
Proposed and actual training will be tracked as part of monitoring compliance with Government Auditing Standards.
G. Competence of Staff (GAS 4.02-4.04)
The Senior Director will assign auditors to conduct the engagement who, before beginning work on the engagement collectively possess the competence needed to address the engagement objectives and perform their work in accordance with GAGAS. The Senior Director will assign auditors who before beginning work on the engagement possess the competence needed for their assigned roles. The District will have a process for recruitment, hiring, continuous development, assignment, and evaluation of personnel so that the workforce has the essential knowledge, skills, and abilities necessary to conduct the engagement.
IV. ANNUAL AUDIT PLANNING AND DEPARTMENTAL FILES
- A. Responsibility
- B. Risk Assessment
- C. Audit Plan
- D. Audit and Project Budgets
- E. Timekeeping
- F. Internal Audit Department Files
A. Responsibility
The Savannah-Chatham County Board of Public Education Audit Committee has overall responsibility for defining requirements and for review and approval of the Annual Audit Plan. The Senior Director of Internal Audit has responsibility for preparation of the annual plan in accordance with any requirements and guidelines established by the Audit Committee and the Board. The Senior Director of Internal Audit also has the responsibility for execution of the plan. The staff member designated as the Auditor in Charge of each audit has the responsibility for formalizing the planning for that assignment and for seeing that the plan for the assigned audit is effectively carried out within the framework agreed to by the Senior Director. Auditors must use professional judgment in planning and conducting the engagement and in reporting the results. (GAS 3.109)
B. Risk Assessment
A periodic assessment of risks should be undertaken as a basis for developing the audit plan. Ideally, the risk assessment should be conducted on an annual basis. Risk assessments should consider not only quantifiable factors, such as size, audit frequency and dollars throughout, but also more difficult to quantify factors, such as the internal control environment and the risks of failing to accomplish Board goals. The risk assessment process should be considered prior to each cycle and adapted as needed to reflect a current understanding of risk factors.
C. Audit Plan
An audit plan is to be developed each year, with priorities based on the risk assessment. Audit plans should be approved by the Audit Committee each year and should also be provided to Board members. Audit plans should be designed to include not only audits, but also non-audit services. Regular reports showing progress against the audit plan should be submitted to the Audit Committee. The format of audit plan reports should show some measure of progress, such as staff days against budgeted staff days, and should account for all Internal Audit staff time, including administrative time. Audit plans should also show estimated target timelines.
D. Audit and Project Budgets
E. Timekeeping
Internal Audit staff members should track the time they spend on each audit or non-audit service project in order to provide a basis for audit time budgets and for planning other activities. Time to be tracked includes time spent on audits, non- audit service projects, and other activities. A timekeeping database in Access has been established to assist in tracking time. The database includes a form for each staff member to input time and reports for collecting time in a way that it can be included in the Internal Audit Plan Status Report.
F. Internal Audit Department Files
Internal Audit Department files should be maintained for the following categories:
• Project files with the backup for projects completed during the current and previous seven fiscal years (three most recent years in storage file in office. The remaining four years in the basement storage files;
• Internal Audit Report Files with copies of each issued internal audit report and with follow-up activity on the audits during the current and at least the seven previous fiscal years. The three most recent years in storage file in office. The remaining four years in the basement storage files;
• External Financial Audit Report files are maintained electronically under the Internal Audit Department Audit Report tab on the public website. The paper copies are maintained by the Finance Department.
• Audit Committee files with records of Audit Committee meetings during the current and at least the seven previous calendar years. The three most recent years in storage file in office. The remaining four years in the basement storage files.
Additional note: The permanent Audit Committee Files are stored with the Board Office. • Internal Audit Department Administrative and Planning Files;
• Background Files with notes on potential audit issues for Board functions/activities. Documents that are older than the time frames specified above should be removed to secure storage or destroyed in accordance with the approved Record Retention Schedule for the District.
V. AUDIT PLANNING AND SURVEY
- A. Purpose
- B. Preliminary Planning
- C. Notification (GAS 8.20-8.22)
- D. Entrance Conference
- E. Survey
- F. Audit Planning Memo (GAS 8.33)
- G. Post-Survey Conference
- H. Supervision (GAS 5.36-5.37 & GAS 8.87)
- I. Audit Process Checklist
A. Purpose
The purpose of the preliminary planning and survey steps is to gather sufficient data to permit effective planning and audit program preparation. The extent of the preliminary planning and survey will be influenced, in part, by the nature of the audit and the time elapsed since previous audits. The auditor should ensure that the survey work undertaken is sufficient to enable adequate audit planning and whether to use an existing audit program or to develop a new program.
Independence and Professional Proficiency (GAS 8.31). An important part of audit planning is ensuring that the audit can be properly staffed. This includes determining that the staff members to be assigned are collectively proficient to perform the audit, or that outside technical assistance is obtained if needed. This also includes determining that the staff members are independent within the meaning of the Government Auditing Standards (GAS 3.18-3.20). To document these determinations, an Independence and Professional Proficiency Statement Form should be prepared for each audit assignment. Staff members must consider actual and potential impairments to independence, including both Independence of Mind (GAS 3.21a) and Independence in Appearance (GAS 3.21b). Any threats to independence will be evaluated by the Senior Director, using the conceptual framework provided by GAS 3.27 through 3.34. If they cannot be resolved prior to any substantial work on the audit, the audit assignment must be terminated, or the impairments must be identified in the audit report. Because of the critical nature of independence, failure to disclose circumstances that might impair independence will result in disciplinary action.
Staff members must also consider the impact of any previously performed non-audit services on the audit. If services previously provided during a non-audit service or consulting engagement constitute a threat to independence, such concerns must be noted on the Professional Proficiency statement and handled in the same manner as any other threat to independence (GAS 3.64).
If a threat to independence is initially identified after the audit report is issued, the Senior Director of Internal Audit must evaluate the threat’s impact on the audit and on GAGAS compliance (GAS 3.34) If the newly identified threat had an adverse impact on the audit report, i.e., the report would have been written differently if the threat was identified earlier, the Senior Director of Internal Audit must communicate that fact to the appropriate officials and all known users of the report. The report must be removed from the public website and replaced with a notification that the report is no longer reliable. The Senior Director must then determine if additional fieldwork may be completed to overcome the independence threat, or if the report may be re-issued.
Use of Outside Specialists (GAS 8.32). Outside specialists are subject to the same independence and proficiency requirements as audit staff. The Independence and Professional Proficiency Statement Form should also be used if outside professionals are engaged, although it may be modified if needed for specific circumstances. If outside professionals are not free from actual or potential impairments, they cannot be engaged.
B. Preliminary Planning
Preliminary planning normally involves gathering background data and doing general risk analysis. Internal Audit staff should gather information about the function(s) under review, the overall control environment, policies, procedures, and any contract requirements. The information gathering may be facilitated by obtaining work papers from any previous audits and by referring to the Internal Audit Department’s Audit Issue Area files.
As part of the planning process staff will adequately plan the work necessary to address the audit objectives and document the audit plan.
· Auditors plan the audit to reduce audit risk to an acceptably low level.
· Auditors should access significance and audit risk. Auditors should apply for addressing the audit objectives. Planning is a continuous process throughout the audit.
· Auditors design the methodology to obtain sufficient, appropriate evidence that provides a reasonable basis for findings and conclusions based on the audit objectives and to reduce audit risk to an acceptably low level.
· Auditors identify and use suitable criteria based on the audit objectives.
As part of the planning process, Internal Audit Staff will determine and document whether internal control is significant to the audit objectives. If it is determined that internal control is significant to the audit objectives, the Internal Audit Staff will obtain an understanding of such internal control. (GAS 8.39-8.40).
The Internal Audit Staff will evaluate and document the significance of identified internal control deficiencies within the context of the audit objectives.
Examples of information that may be needed are:
· Background information, e.g., brochures, annual reports, etc.
· Contract requirements such as grant documents, applicable laws, etc.
· Board Policies and Procedures.
· Chart of Accounts.
· Departmental Organization Chart.
· Identification of key personnel.
· Departmental instructions. Flow chart of departmental procedures (e.g., Transactional Flow Analysis)
· Statistical/Performance Data.
· Current status of any legal proceedings or investigations related to the audit objectives. (GAS 8.27)
At the completion of this preliminary planning phase, a survey program (a preliminary audit program) should be developed to establish what will be done during the survey. A standard Audit Survey Checklist has been developed for this purpose.
Also, preliminary estimated staff days (and any other resources) needed and preliminary estimated report issuance date should be determined. These estimates can be refined when the Audit Planning Memo (Chapter V, Section E is developed.
C. Notification (GAS 8.20-8.22)
Prior to beginning the audit survey (Chapter V, Section E), functional management should be notified that there will be an audit, when they are expected to be involved, and what the general nature of the audit will be. It is generally useful to complete as
much of the preliminary planning as possible before sending out the audit notification. However, formal notification may be necessary in order to obtain all of the documents needed to complete the preliminary planning. Preliminary audit objectives should be developed and approved by the Senior Director of Internal Audit and should be included in the notification to management and the Superintendent. Notification should also include the date the audit will begin and may include estimated audit completion or draft report issuance dates.
A document entitled “The Internal Audit Process” has been developed to provide functional management with a description of what to expect during an audit and should be included with the notification.
D. Entrance Conference
After potential objectives and areas of risk have been determined, an entrance conference with the function should be arranged. The Internal Audit staff should be prepared to discuss:
· Why the project was selected.
· Internal Audit perception of the function's responsibilities for operations or assets.
· Control objectives to be evaluated.
· Specific types of risk being considered.
· Control standards that have been identified as being applicable.
· Control techniques in use by the department.
· Recent changes in controls.
· Prior findings, concerns, and control problems.
· Items from the list in B above that are still needed or additional items that are
needed to effectively plan the audit.
E. Survey
An audit survey is a process for gathering information on the activities being examined without detailed verification. A document entitled Audit Survey checklist has been developed to ensure relevant background information is obtained in the following areas:
· Understand the activity under review.
· Identify business risks for the activity (risks for this purpose may be financial, operational and/or performance, depending on the audit objectives).
· Obtain information for use in performing the audit.
· Identify areas warranting special emphasis.
· Determine whether further auditing work is appropriate.
· Provide the basis for developing an audit program.
· Ensure the audit activity does not interfere with current legal proceedings and/or investigations.
A survey may involve use of the following procedures:
· Discussions with auditee staff.
· Interviews with individuals affected by the activity.
· On-site observations.
· Review of management reports and studies.
· Analytical auditing procedures.
· Limited or probe samples of transactions or files.
· Flowcharts.
· Functional “walk-throughs” of specific activities.
· Documenting key control activities.
· Internal Control Questionnaire (For all audits after April 2022) The results of the survey should be summarized in work papers.
F. Audit Planning Memo (GAS 8.33)
At the completion of the survey, an Audit Planning Memo should be prepared. The Audit Planning Memo should identify:
· The title of the audit.
· A general description of the auditee, including its size, budget and funding information, organization, and reporting structure.
· The audit period.
· The planned scope of the audit (See Chapter X, Section B for information that should be included in the scope of an audit).
· A statement of the audit objectives.
· Special audit techniques that may be necessary.
· Any anticipated special problems/considerations relevant to the audit.
· Preliminary estimates of staff days and other resource requirements. Estimated report issuance date.
· Reasons for discontinuing audit work, if applicable.
The Audit Planning Memo should include the information needed for the objectives, scope and background sections of the audit report and may be developed as the draft form of these sections. The Audit Planning Memo also provides the basis for the detailed audit program, which should be developed at the completion of the survey.
The audit program should follow logically from the Audit Planning Memo.
G. Post-Survey Conference
After the survey, a conference may be necessary (i) to communicate changes in audit objectives; (ii) to explain the audit approach; (iii) to agree upon specific levels of functional participating; and (iv) to obtain concurrence on standards to be used in measuring performance. This conference will usually occur following the generation of the audit program. A follow-up conference is required when the audit scope, objectives, risk analysis, and/or approach are significantly changed over what was communicated at the entrance conference.
H. Supervision (GAS 5.36-5.37 & GAS 8.87)
Contacts between the Auditor in Charge and the Senior Director or other supervisors will take place from the time planning for an audit begins and will continue throughout the audit. Evidence of supervisory reviews should be contained in the work papers, generally in the form of the supervisor’s initials on the work papers as discussed in Chapter VIII. Evidence of supervisory contacts during the planning and survey stages and also during report writing should also be maintained in the work papers. This evidence could be in the form of memos, notes, e-mails, or through discussions. These types of interactions are documented in the supervisory Log. All staff will be supervised by Senior Director.
I. Audit Process Checklist
VI. AUDIT PROGRAM
An audit program is a detailed plan for completing an audit. It is developed using information gathered during the survey. Its purpose is to organize and control the work leading to the report. It also indicates that the examination was (1) responsive to management's objectives and (2) was performed in accordance with prescribed auditing standards.
- A. Audit Objectives
- B. Audit Procedures (GAS 8.71-8.72)
- C. Changes to Audit Programs
- D. Review and Approval of Audit Programs
A. Audit Objectives
Audit programs should be developed to carry out specific audit objectives. Preliminary objectives should be developed during the preliminary planning and survey phases of an audit, and may be refined or adjusted as the audit progresses. The objectives of an audit usually include some combination of the following:
1. To determine whether internal controls are adequate, or whether policies and procedures provide adequate internal controls; (for this purpose, “internal controls” include financial controls and management controls, and “adequate” means they satisfy the control objectives noted in A.2. below.)
2. To determine whether internal controls are functioning as intended;
3. To determine whether the auditee is in compliance with relevant policies and procedures (and/or laws and regulations);
4. To determine whether operations are economical and efficient; and
5. To determine whether operations are effective in achieving goals and objectives. Additional specific objectives may be added as appropriate.
The objectives for the audit should be identified at the beginning of planning for the audit and should be approved by the Senior Director, Internal Audit
B. Audit Procedures (GAS 8.71-8.72)
Audit procedures are developed after the survey is conducted. The procedures specify what is to be done to gather the evidence needed to complete the audit objectives.
Audit program procedures should clearly link to the purpose on the work papers that are intended to carry out those procedures. Obviously, not all procedures can be anticipated at the audit program development stage, but these additional procedures should be clearly linked to conclusions drawn on work papers that are developed directly from the audit program. These conclusions that additional steps are needed should in turn become the purpose of the work papers to carry out those additional steps.
The Internal Audit Staff will assess the risk of fraud occurring that is significant within the context of the audit objectives. Assessing the risk of fraud is an ongoing process throughout the audit.
As the audit procedures are performed, the audit program should be initialed and dated in the appropriate place by the individual performing the work. The effectiveness of audit programs can be enhanced by referencing program steps to work paper schedules or summaries that (1) identify the items selected for audit, (2) summarize the characteristics tested, and (3) indicate the findings.
These schedules or summaries should in turn be referenced to detail work papers that provide the needed information.
C. Changes to Audit Programs
Auditors must be alert to any and all conditions that may require additions, deletions, or other adjustments to the audit program. All proposed changes should be brought to the attention of the Senior Director, Internal Audit and made when appropriate.
If the steps that are conducted during an audit vary significantly from those expected when the program was prepared, the program should be modified for the additional work necessary. Care must be exercised to ensure that a complete explanation is recorded in the work papers for any program step that is deleted, added, or changed, either through links from conclusions on one work paper to purposes on another, or in modifications to the audit program. All revisions in the basic program should be dated and approved by the Senior Director, Internal Audit and communicated to affected management.
D. Review and Approval of Audit Programs
VII. AUDIT EVIDENCE AND TESTS
- A. Sufficient Appropriate Evidence and Professional Judgement (GAS 8.90-8.94)
- B. Audit Tests (GAS 8.49-8.53)
- C. Selection of Items to Test
- D. Testing Reliability of Computer Data (GAS 8.59-8.62)
A. Sufficient Appropriate Evidence and Professional Judgement (GAS 8.90-8.94)
Sufficient, appropriate evidence is essential to provide a reasonable basis for an opinion and is obtained by designing and performing audit procedures or tests. Auditors must determine, based on experience and judgment, whether the evidence is "useful" evidence (appropriate) and whether "enough" useful evidence has been examined (sufficient).
Appropriate Evidence (GAS 8.77-8.78)
Appropriateness is the measure of the quality of evidence. It encompasses the relevance, validity and reliability of the evidence. Relevant evidence is information that has a logical relationship to the issue addressed. Each piece of evidence obtained should be evaluated in terms of its usefulness for either corroborating or contradicting an assertion of compliance. The relevance of evidence is measured by the extent to which it meets that purpose.
Validity refers to the degree to which the evidence is based on sound logic or accurate information. The validity of each piece of evidence, along with its source, must be evaluated to determine its usefulness in proving or disproving an assertion.
Evidence must also be reliable if it is to be useful. Reliability refers to the consistency of results when information is tested; it assures that evidence is reasonably free from error or bias and faithfully represents what it purports to represent. The reliability of evidence is influenced by several factors:
· Independence of the source. Evidence obtained from sources outside of the function under review usually provides greater assurance of reliability than that secured within the function.
· Qualification of the source. For evidence to be reliable, it must come from people who are competent and have the qualifications to make the information free from error.
· Objectivity of the evidence. Evidence is objective if it requires little judgment to evaluate its accuracy. Evidence obtained by the Internal Audit staff by direct physical examination, observation, computation or inspection is generally more objective than evidence obtained indirectly or based on opinion.
It is essential for the auditor to ensure that all evidence obtained is reliable for the purposes for which the auditor intends to use it. When auditors identify limitations or uncertainties in evidence that are significant to the audit findings and conclusions, additional procedures should be applied, as appropriate. Additional procedures may include:
· Seeking independent, corroborating evidence from other sources.
· Redefining the audit objectives or limiting the audit scope to eliminate the need to use the evidence.
· Presenting the findings and conclusions so that the supporting evidence is sufficient and appropriate and describing the limitations or uncertainties of the evidence, if such disclosure is necessary to avoid misleading users about the findings or conclusions.
· Determining whether to report the limitations or uncertainties as a finding, including any related, significant control deficiencies.
Sufficient Evidence (GAS 8.108-8.110)
The auditor’s twofold objective is to achieve the necessary level of assurance to support the opinion and to perform the audit as efficiently as possible. In addition to considering the relevance, validity and reliability of evidence, the Internal Audit staff must also consider its availability, timeliness, and cost. Sometimes a desirable form of evidence is simply not available. Fortunately, there is usually more than one source or method of obtaining evidence. The Internal Audit staff should choose the type or methods of evidence that provide the required level of assurance at the lowest cost.
Determining the sufficiency of evidence is a question of deciding how much evidence is enough to achieve the needed level of assurance. The amount of evidence required depends in part on the thoroughness of the search for evidential matter, in part on the ability to evaluate it objectively and in part on the level of assurance necessary to support the opinion in an audit. It may be necessary to rely on evidence that is persuasive rather than convincing. In making these decisions, the Internal Audit staff should consider the risk of forming an inappropriate opinion and justify omitting any test solely because it is difficult or expensive to perform.
The sufficiency of evidence required to support the findings and conclusions is a matter of professional judgment. A large volume of evidence does not compensate for the lack of reliability, validity or relevance. The auditor should refrain from forming an opinion until sufficient, appropriate evidence has been obtained to remove all substantial doubt.
Professional Judgment
Professional judgment includes exercising reasonable care and professional skepticism. Reasonable care includes acting diligently in accordance with applicable professional standards and ethical principles. Professional skepticism is an attitude that includes a questioning mind and critical assessment of evidence. Professional skepticism includes a mindset in which auditors assume neither that management is dishonest nor of unquestioned honesty.
B. Audit Tests (GAS 8.49-8.53)
The Internal Audit staff has a number of alternative procedures from which to choose in planning the examination: deciding on the nature, timing, and extent of audit tests to be performed; what procedures to perform; when to perform them; and how much testing to do. These decisions will be influenced by answers questions such as: which will provide a higher level of assurance; which is more efficient; what are the risks?
Viewed in terms of their purpose, all auditing procedures, also referred to as "tests," can be classified as one of two types: compliance and substantive tests. Compliance tests are performed to determine how well the system of internal control is functioning. Their purpose is to provide evidence that the system of controls is operating as prescribed and complies with established policies and procedures. Substantive tests consist of tests of the details of transactions and analytical review procedures. The purpose of substantive tests is to prove the validity of an assertion or, conversely, to discover errors or discrepancies.
Although the purpose may be either to test the system of control (compliance) or to find errors or discrepancies (substantive), the same test can often serve both purposes. This is helpful in situations where the results of compliance tests indicate that the system is not working, and further tests may need to be performed to determine the extent of errors or discrepancies.
A list of possible tests that Internal Audit staff may use (but is not limited to) and whether they are normally considered compliance, substantive, or both is shown below.
Inquiry (Compliance)
Inquiry entails asking questions. The questions may be oral or written and are directed to those responsible for performing the procedure being evaluated. For example, the evaluator can familiarize himself/herself with the procedures by reading company policies, procedures, or instructions. He/she then questions those employees
responsible for performing the procedures on how they do their job. The evaluator can determine if the procedures are understood and being followed by comparing the employees' answers to the questions with the procedures called for by the work instructions.
The documentation of this test is a written narrative that states that the evaluator read the procedure, questioned certain employees, and explained the nature of the questions asked and the responses received, along with the evaluator's opinion as to whether compliance was adequate.
Observation (Compliance)
Observation involves direct visual viewing of employees in their work environment and of other facts and events. Watching employees perform their assigned tasks can help the evaluator assess whether a procedure is operating effectively. For example, a chemical processing procedure requires that the temperature of a certain processing tank be monitored every five minutes. The evaluator can periodically observe the employee performing the task to determine if the procedure is followed. The documentation of this test is a written narrative that states that the evaluator observed certain employees on this date(s) performing the task in question for a period of time to determine that the task was being performed adequately and consistently. The same documentation would be prepared for an observation of a process or event.
Examination/Inspection (Compliance/Substantive)
Examination/inspection is usually performed on the output of a process, e.g., a part, a document, a report. The output is examined to determine that it agrees with the expected result. The techniques used may include counting, scanning, reading, scrutinizing, comparing, tracing, vouching, inspecting, and re-performing. For example, the procedure for authorizing timecards requires both the employee's and supervisor's signatures. The evaluator can take a sample of timecards and examine them for both signatures to determine that the procedure is followed.
The documentation of this test is a written summary of the output that was examined, the characteristics of the output that were examined, the nature of any exceptions noted and the evaluator's opinion as to whether compliance was adequate.
Confirmation (Substantive)
Confirmation involves obtaining a representation of a fact or condition from a third party, preferably in writing. An example is a letter from the public accountants of a bank requesting verification of the balance of the individual's account. The confirmation occurs when the individual returns the letter stating that the balance is correct or that there is an error.
The documentation of this test is the returned letter indicating the response of the third
party. It is extremely important that all confirmations sent be returned with a response. Every effort should be made to ensure a high response rate.
Analytical Review (Substantive)
Analytical reviews involve ratio and trend analysis. Analytical review procedures are tests of information made by studying and comparing relationships among data and trends in the data. The purpose of analytical review procedures, as they relate to gathering evidence, is to corroborate the logical interrelationships that exist among information and to identify and obtain explanations for all significant changes or abnormalities.
Examples of four general types of comparisons are:
· Comparison of current data with data for comparable prior periods;
· Comparison of current data with anticipated results, e.g., budgets and forecasts;
· Study of the relationships of elements of information that would be expected to conform to a predictable pattern based on the operating unit's experience;
· Comparison of operating unit data with similar information regarding the industry.
Analytical review procedures are usually based on the assumption that there are causal relationships among the data; this may not be the case. For this reason, auditors should be cautious in using analytical review procedures as a primary test.
C. Selection of Items to Test
Frequently a sample of items (such as transactions or files) must be selected. Generally, the selection should be designed to be representative and random (each item in the population has an equal chance of being selected). The size of the sample should be intended to provide an appropriate reliability at the chosen confidence level, but generally should not be less than 30. Stratification of the universe may be used to focus on the most important items.
With automated techniques and data retrieval, it is frequently possible to review much larger samples than with strictly manual approaches. Where possible, the entire universe should be tested. For example, the average number of days to process all transactions in a file may be as easy and quick to compute using automated techniques as the average number of days to process a sample of transactions selected from that file.
The nature of samples that are used to gather audit evidence should be clearly described in the scope.
D. Testing Reliability of Computer Data (GAS 8.59-8.62)
It is essential for the auditor to ensure that data obtained from computer-based systems is reliable for the purposes for which the auditor intends to use it.
Government Auditing Standards state:
“The effectiveness of significant internal controls frequently depends on the effectiveness of information systems controls. Thus, when obtaining an understanding of internal control significant to the audit objectives, auditors should also determine whether it is necessary to evaluate information systems controls. When information systems controls are determined to be significant to the audit objectives or when the effectiveness of significant controls depends on the effectiveness of information systems controls, auditors should then evaluate the design, implementation, and /or operating effectiveness of such controls. This evaluation includes other information systems controls that affect the effectiveness of the significant controls or the reliability of information used in performing the significant controls.
Auditors should obtain a sufficient understanding of information
systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives. Auditors should determine which audit procedures related to information systems controls are needed to obtain sufficient, appropriate evidence to support the audit findings and conclusions. When evaluating information systems controls is an audit objective, auditors should test information systems controls to the extent necessary to address the audit objective.”
VIII. WORK PAPERS
Department policy is to prepare work papers whose quality will fully meet professional auditing standards, and which provide a comprehensive record of the work performed
- A. Purpose
- B. Organization of Work Papers
- C. Format
- D. Indexing
- E. Basis for Decisions on Scope
- F. Tick Marks
- G. Work Paper Notes
- H. Conclusions and Opinions
- I. Referencing
- J. Audit Findings (Conditions) (GAS 8.116-8.117)
- K. Review of Work Papers
- L. Disputed Issues
- Checklist for Internal Audit Staff Review of Work Papers
A. Purpose
The work papers are the evidence essential to support the auditor's opinion, including his/her representation as to compliance with the generally accepted auditing standards. Department policy is to present a full and complete record of each audit by ensuring the following:
· The work papers must present an accurate and complete record of the work performed. They will identify (i) what procedures were followed; (ii) what records were examined; (iii) what inquiries were made; (iv) what confirmations were undertaken, etc. When testing and sampling is involved, the work papers must include a record of the items tested and support for the judgment exercised by the Internal Audit staff in determining sample selection.
· Adequate planning and supervision are to be documented in the work papers by the audit programs and signatures resulting from the supervisory review of the papers.
· Information covering the nature and extent of the audit of the system of internal control and its effect on operations should appear in the work papers.
· The work papers identify how exceptions or unusual matters were resolved or treated.
· The work papers offer persuasive evidence in support of the development of findings and forming of the conclusions and opinion.
· The work papers include only data that is sufficient and appropriate to provide a sound basis for findings.
· Work papers are prepared neatly, clearly and concisely.
· The work papers are prepared recognizing that in the future, someone who has had no previous connection with the audit may examine the papers and the findings or may use them as a general guide for a subsequent examination, or that they may be used as legal evidence.
· All of the information in the work papers is treated as "Board Private" or in accordance with government security requirements, as appropriate.
· All Savannah-Chatham County Public School System private information, including work papers, programs, payroll data, etc., is safeguarded at all times. Proper care is taken to ensure confidential information is properly secured. Materials taken out of the offices (e.g., to functional areas) should be locked up when unattended.
· If it becomes necessary to release copies of work papers, all confidential and/or personally identifying information is first redacted. That information may include (but is not limited to) the following:
o Social Security numbers.
o Student identification numbers.
o Student or employee addresses and/or telephone numbers.
o Any other information that may unnecessarily indicate the identity of a student or employee of the organization.
The information may be redacted by any method deemed effective to obscure the confidential information without destroying the legibility of the entire document. The original document must remain intact as part of the work papers.
B. Organization of Work Papers
The volume of schedules and the number of work paper files will vary with the size and complexity of the examination. They should be assembled so that the primary information for final report preparation is readily accessible. Each major section of the examination should be represented by a lead schedule or summary and supporting
schedules or memoranda as appropriate. The organization of these papers should flow logically from the work program to which they are
cross-referenced. Work papers should be organized and prepared to bring important details to the attention of the persons using and reviewing them.
C. Format
Construction of all schedules, their purpose, adaptability, and underlying logic should be as consistent and uniform as feasible to facilitate orderly documentation and analysis of the accomplishment of the audit objectives.
For each work paper, or the first one in a closely related group:
1. On the first page of each work paper, include a descriptive heading that gives the title of the work paper, and the audit number.
2. Use the label “Source:” to identify the source of the information.
3. Use the label “Purpose:” to show the purpose of the work paper; the purpose can then be described with a narrative (ex. To document procedures for ….; To list all paid invoices and provide a basis for selecting transactions to test; To record the results of tests of …; To record the results of interview with … concerning….; To complete audit step B.4.1; etc.).
4. In each case, the purpose should derive from an audit step in the program or from a conclusion drawn on a work paper that was in turn derived from an audit step, etc.
5. Generally, Purpose, Source should be on the first page of the work paper.
6. Reference statements of fact or citations of conditions in the first draft report back to the supporting work papers. Major revisions to the draft might need re-indexing.
7. In the upper right-hand corner of the first page of each set of workpapers, include the initials of the preparer, the date of preparation, audit number assigned in the timekeeping system, the work paper number, the page number and the total number of pages there are in the set of work papers. Subsequent workpapers should keep the page number and the total number of pages there are in the set of workpapers.
D. Indexing
The work papers must be indexed during the course of the work in such a manner that any analysis, or any section of the examination, may be found quickly. Each schedule should have an index letter and/or number consistently located to facilitate reference. While no specific indexing format is required, complexity of referencing and cross- referencing requires particular care in assigning numbers.
A standardized index should be prepared to serve as the Table of Contents.
Each section of work papers is to be designated by a letter of the alphabet in ascending sequence. Letters A-E are reserved for the five required sections as indicated below:
A. Audit Reports (Final, Draft, and related correspondence)
B. Planning and Supervision
C. Assignment Administration
D. Preliminary Survey
E. Audit Program
F. , G., H., etc. Should be used for major segments of the audit as indicated by the Audit Program.
E. Basis for Decisions on Scope
Effective audits depend heavily on testing and sampling. It is imperative that the work papers clearly indicate the reasons behind decisions for testing certain types or groups of transactions, the period selected for testing, and the extent of all tests. For example, in a judgmental sample, if certain months are selected for testing transactions, the work papers should outline the basis of and reasons for selecting these months. Data concerning the volume of transactions and other information considered in determining sample sizes should also be included.
F. Tick Marks
When an audit step is performed repetitively on data included in the body of a schedule, tick marks are to be used to identify the work performed. For example, a series of amounts listed as being expense reimbursements to employees may be traced to properly approved expense reports, supported by paid hotel bills, etc. Rather than write this description after each amount, a "tick mark" is selected, explained once at the bottom of the schedule, and used after each amount to indicate that the audit step has been satisfactorily completed.
Tick marks should be used to facilitate review of the work papers. Tick marks may vary throughout the work papers as necessary to indicate work done. They should be simple and distinctive. The use of too many tick marks on a single schedule is confusing and should be avoided. Coded references, such as circled numbers, can be used to reduce the need for intricately designed tick marks. If the same tick marks are to be used on a series of schedules, they may be repeated. Otherwise, all tick marks must be clearly explained on every sheet where they appear.
In some instances, it may be appropriate to use standard tick marks for a whole section of the work papers. They must be recorded in such a way that anyone reviewing the papers may have the tick marks in front of him/her.
G. Work Paper Notes
Work paper notes made by auditors may vary widely in complexity. This requires
flexibility, but all notes should comply with the following general principles:
1. They must be clear, concise, and understandable. Extraneous phone numbers, names and comments in the left margin or in other portions of the work papers that are not clearly tied to factual information, opinions, or conclusions are not to be included in the work papers.
2. They must indicate the sources of all information and the names and positions of any employees whose opinions are quoted.
3. They must reach a conclusion. Under no circumstances should open questions remain in the papers, either in the form of a (?) on the schedule or of a note which doesn't clearly state the writer's opinion.
4. Notes appearing in the work papers must be consistent. Any inconsistencies noted by the reviewer must be reconciled and corrected.
5. Explanatory information must be added to the work papers in those instances where conclusions drawn, or recommendations documented have changed. This may happen as a result of new information or evidence that has surfaced from the time of the initial recording to the acceptance of the function's corrective action response.
6. If a conclusion is changed by the auditor for any reason, the note must be amplified so that the revised conclusion is adequately supported. A notation such as an "O.K.," "No," or 'Too Small" beside the comments is not sufficient.
H. Conclusions and Opinions
The completed work papers for each section of an examination must contain a conclusion or an opinion based on the work done. It should be worded in a manner which clearly indicates that the auditor understood the objective of his tests. Work papers must include comments as to the effect of findings developed during the examination. The conclusion or opinion should reflect these observations.
A conclusion or opinion must be responsive to the audit objectives and may refer to but should not repeat the detailed procedures in the audit program or a summary statement of internal controls. If the tests disclose errors, the effect of these errors must be weighed in stating an opinion. The opinion of the writer as the propriety of the account or adequacy of procedures being evaluated should be clearly stated.
A brief statement as to the basis for the conclusion or opinion is also appropriate. This statement should relate the opinion reached to the audit work that was done. For example, "Based upon the detailed testing performed in accordance with the attached program it is my opinion that . . .”
When all the evidence pertinent to the conclusion or opinion is not contained in the work
papers, specific reference must be documented in the work papers as to where it can be found.
Care should be exercised not to draw conclusions or express opinions or make comments beyond the scope of competence and responsibility. If the auditor encounters situations where a system or function that he/she is evaluating involves a technical knowledge that goes beyond his/her area of expertise, he/she should arrange, if appropriate, the assistance of personnel who have this technical background.
I. Referencing
J. Audit Findings (Conditions) (GAS 8.116-8.117)
Audit findings are pertinent statements of fact and emerge by comparing what should be with what exists. They should include the following components:
· Criteria, or what should be;
· Condition, or what is;
· Cause, the reason for the difference between criteria and condition;
· Effect, the impact of the difference on operations, or the risk or exposure created by the difference; and
· Recommendations, which are the steps that should be taken to eliminate the cause and/or remove or reduce the impact or risk.
Generally, a finding involves observations of the following:
· A deviation from established company policy or practice;
· An error in the performance of a corporate procedure;
· A deviation from relevant laws or regulations;
· An unusual item considering the nature of the business;
· An item that could be accomplished more efficiently or effectively; or
· An instance where goals or objectives may not be achieved.
Findings must be adequately documented in work papers. They should be written up as part of the summary and should contain:
· A one-way reference to the supporting documentation included in the work papers;
· A clear, concise description of the exception;
· A determination of whether the exception is the result of a weakness in internal controls;
· A thorough and complete recommendation and a disposition regarding audit scope and final report.
The Reportable Issue Form (if applicable), provides a useful tool for collecting information
that may be reported and for ensuring that all necessary elements are identified. Reportable Issue Forms must be referenced to the supporting work papers. Whenever possible, include a brief summary of management’s response (verbal or written) when informed of the condition.
K. Review of Work Papers
Work papers are to be reviewed by the Auditor in Charge or the Senior Director, Internal Audit who should prepare review notes. The notes represent a reviewer's critical comments on the adequate completion of the audit work. The reviewer should evidence his/her review by initialing each work paper reviewed on the work paper, usually near the preparer’s initials.
It is essential that review be completed as soon as possible after the work papers are completed. A current review enables the reviewer to evaluate the work to ensure that:
1. The program reaches the planned objectives in a timely manner;
2. All necessary audit steps have been programmed and carried out;
3. Internal control has been adequately evaluated;
4. All internal control weaknesses and strengths are directly correlated with extensions of audit scope or reasons why scope extensions were not considered necessary -- each weakness should also be included to facilitate writing the report;
5. Each schedule indicates the source of information;
6. Each schedule accomplishes its intended purpose;
7. Explanations and opinions are clear and concise;
8. Programs and schedules have been properly initialed and tick marks properly placed;
9. All opinions are adequately supported and documented;
10. Program steps or schedules do not contain (i) unresolved points and (ii) statements or opinions which the reviewer believes are not in accord with the facts, or not well founded, or are otherwise inappropriate;
11. Important points are summarized.
In reviewing work papers, it is usually necessary to prepare review notes as a list of those items that, in the reviewer's opinion, (i) require additional work or documentation; (ii) need clarification; (iii) will serve as a teaching device for the auditor; or (iv) are to be followed up at a later time. The list should be discussed with the auditor and then given to him/her with the work papers for appropriate action.
The auditor should “clear” the review notes and if necessary, indicate comprehensively and clearly what was done to clear them. If needed, this can be shown either by a notation inserted next to each point explaining what has been done to develop the information necessary to take care of the matter adequately, or by a cross-reference to the section or sections of the work papers that satisfy the requirement. The auditor should make an
The work papers must be reviewed, and review notes cleared prior to releasing the Audit Report.
L. Disputed Issues
It is essential that each member of the staff working on an audit be satisfied with the scope or extent of the specific work performed, including the attention given to indications that irregularities or deficiencies might exist. This procedure is based on the consideration that every member of the organization has not only the right, but the duty to express his or her opinion on the adequacy of the scope of an examination and the opinions reached on the basis of that examination.
Any staff member having a question or reservation along these lines has a responsibility to discuss the matter with the Senior Director, Internal Audit. Any viewpoint expressed will receive careful consideration with the objective that all points will be clarified, and the staff member fully satisfied with the scope of the work and the report. This can be discussed in the Exit Conference with the auditor in charge of the audit .
If an auditor's point is overruled, the reviewer must be careful to state the reasons for not accepting an auditor's views. It is particularly important that such reasons be carefully thought out, accurately recorded, and properly dated.
Checklist for Internal Audit Staff Review of Work Papers
Purpose: This checklist is intended to aid Internal Audit staff members in reviewing work papers prepared by other staff members. There is no specific time requirement for such a review, but it is included as an item on our Audit Process checklist as a reminder. Work papers should be reviewed for the items listed below, and the reviewer should provide some written notes.
1. Each work paper (or the first page of a series of work papers) should contain the following:
· Preparer’s initials;
· Date prepared;
· Audit number;
· Work paper number;
· the page number and the number of pages on the first page of an electronic workpaper and/or on each page of a non-electronic workpaper (except for very large documents where no reference to a specific page number is warranted);
Note: The above items should generally be added to the upper right-hand corner of the page for consistency.
· the work paper title;
· the purpose of the work paper, referenced back to the appropriate step in the audit program, to the conclusion or results from some other work paper, or to something else that makes it clear why the step was needed (it is not necessary to restate a step from the audit program, or from another source if it is clearly stated on that source, so long as it is clearly referenced);
· source and/or scope to show where the information came from;
· the purpose and source/scope should be either on the first or last page, or there should be a notation on those pages as to where they can be found. Some work papers may have these elements embedded in them; in those cases, they just need to be labeled.
2. Computations should be reviewed for mathematical accuracy. Computer spreadsheets do not need to be recalculated, but some review should be done to make sure the numbers make sense.
3. The reviewer should be comfortable that what is included in the work papers makes sense in terms of the audit objectives and program and the issues that surface during the audit.
IX. THE EXIT CONFERENCE
The auditor should meet with appropriate representatives from functional management to discuss the results of the audit at completion of the field work. At this time, the findings are brought to their attention in a Discussion Draft Report for comment and consideration. This should be preceded by factual reviews with individuals who have responsibility over areas of identified findings. Generally, these factual reviews should occur throughout the field work as a particular area is completed. If these factual reviews are complete, management should already be largely aware of the issues that may be reported.
The following points should be considered prior to presenting the findings at an exit conference:
· Internal Audit staff should: (i) be sure of the facts, (ii) have studied any problems thoroughly, (iii) be prepared to answer questions, and (iv) have discussed each point in advance with the individuals directly involved with the procedure or system in question.
· Findings should be offered in a constructive manner. The more significant findings should be discussed first. All findings should be disclosed to management regardless of their significance.
· All points of fact that may be in controversy must be resolved prior to issuing the report. The Exit Conference is an opportunity to discuss any factual differences. Disagreements over interpretations of non-factual matters may remain at the conclusion of the Exit Conference and may be noted in the report. Management may include their interpretation of these matters in their Management Response
X. THE AUDIT REPORT
- A. General
- B. Organization of the Report
- C. Report Style
- D. Factual Content Review
- E. Draft Reports
- F. Final Reports
- G. Management Response
- H. Audit Report File
- I. Assignment Closeout Checklist
- J. Subsequent Events
- L. Follow-Up
A. General
The report is the primary vehicle to inform management of the findings and observations of the IA staff. It presents an opportunity to make a positive contribution to the operating unit's business by suggesting methods for strengthening controls and improving operations. To gain acceptance, reports must be completely factual and accurate. Every statement, figure, or reference must be based upon adequate evidence documented in the work papers. This helps to maintain a reputation for reliability and justify a high level of confidence by management in the findings.
The report must be clear and to the point. This requires a thorough understanding of the subject and the ability to organize and express the ideas that flow from the review findings. The report must also be concise. While some subjects may require detailed explanations and discussions, every effort should be made to organize the facts and draw meaningful conclusions in the fewest possible words without diluting the meaning or significance of the report.
Management requires information on a timely basis. The impact of the report will be weakened if it is not received in a timely manner. Promptness should not conflict with adequate preparation - both are important. The report can frequently be started before completing the fieldwork. As portions of the review are completed, applicable sections of the report may be drafted. Use of the Reportable Issue Form will help in this regard. Properly organized work papers will also facilitate the extraction of information for the report.
The tone of the report is important. It should be authoritative, objective, constructive, and persuasive. A standard report format has been developed to assist in preparation of the report and to ensure consistency and understanding.
B. Organization of the Report
The organization of the report should be dependent on the nature of the information presented. The following discussion relates to specific sections of the report that should be considered as part of the audit report unless otherwise noted.
Addressee (Required)
Reports should be addressed TO the Board of Education, THROUGH the Superintendent, the appropriate Chief Officer(s), and the managers (if applicable) who are responsible for the activity under review and for implementing the recommended changes. The DATE should be the date the report is presented to the Audit Committee. The SUBJECT line should identify the audit by name and any identifying number. It should also identify whether the report is a draft or final report.
Date of Report (Required)
Reports should be dated as of the date of the Audit Committee meeting where the draft report is expected to be presented. This is consistent with the Generally Accepted Accounting Standards (GAAS) concept that reports should be dated as of the last day of fieldwork, because until the Audit Committee reviews the report, we cannot be certain as to whether all necessary fieldwork on the issues is complete. If the Audit Committee requires that additional work be performed on the audit, the date should be revised to reflect the completion of that work, or the date the report will come back before the Audit Committee.
Audit Objectives (Required)
This section should state the objectives of the audit. The objectives should be phrased in terms of the business objectives for the unit under review and should indicate operational
or performance components of the audit. It may also be appropriate to cite the business risks that were considered as the objectives were developed.
Generally, this section should inform the reader why the audit was done and what it was expected to achieve.
Audit Opinion (if applicable)
Generally, an opinion will be provided only if the report is a financial or financial-related report, an attestation report, or if the audit objectives otherwise lead to an opinion. The opinion should provide the auditor’s overall conclusions in terms of the objectives of the audit. The opinion expressed should include internal controls as appropriate and should be consistent with the conditions presented in the report and may be an overview statement of those conditions.
Executive Summary (if applicable)
This section should provide a brief summary of each of the conditions. Each of the attributes of a finding or condition should be briefly described. Page numbers for the report sections where the condition is described in more detail should be included.
Background (Required)
The background should provide relevant explanatory information about the organizational units and activities reviewed. In this context, “relevant” means necessary for the reader to get an understanding of the audit. The background section should be kept as brief as is consistent with providing clarity and completeness. Background information that is relevant to a specific condition should be included with the detail of that condition rather than in this section. This section will also include a brief description of any prohibited or confidential information that was omitted from the report, along with an explanation of the reason for the omission.
Positive Findings related to objectives should be notated within this section.
Audit Scope and Methodology (Required)
The scope section should briefly describe the audited activity and what was done to conduct the audit. It should include:
· the calendar dates of the audited period;
· any samples that were used;
· a general description of the methods used to test controls and collect evidence;
· relevant timeframes for testing and for conducting audit fieldwork; and
· any other specific information that is appropriate.
The scope section should provide the reader with a general understanding of the depth of coverage of the work performed and the relationship between the audit universe and what was audited. To accomplish that, it may be necessary to describe anything that was not done if there is a risk of misunderstanding on the reader’s part.
Include in the scope section a reference to Government Auditing Standards (and/or any
other audit standards followed). Reports that comply with all applicable GAGAS standards should include the following unmodified GAGAS compliance statement:
Internal Audit conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that the audit be planned and performed to obtain sufficient, appropriate evidence to provide a reasonable basis for the findings and conclusions based on the audit objectives. Internal Audit believes that the evidence obtained provides a reasonable basis for the findings and conclusions based on the audit objectives.
If the report does not comply with all applicable GAGAS standards, reports should include, at a minimum, a statement that the audit did not follow GAGAS standards. A statement indicating which standards were not followed is preferred.
This section should also note any limitations on the availability of evidence or uncertainties with the reliability or validity of evidence if the evidence is significant to the findings.
Audit Conditions/Findings (If applicable)
This section provides the details on the attributes of each finding. The Conditions should include a brief status update from any previous audits concerning the same topic. This section also includes the recommendations and management’s response to the recommendations.
a. Recommendations should be set out under separate captions and should be directed at removing the causes of the condition cited. Separate recommendations to different units or activities should be made when appropriate.
b. Management’s response to each recommendation should be included. Responses should be summarized if necessary and should include the time frame for corrective action. This response may be included as an attachment to the report, called a Management Action Plan (MAP).
Reporting on Internal Control (Required)
a. When internal control is significant within the context of the audit objectives, audit staff should include in the audit report (1) the scope of their work on internal control and (2) any deficiencies in internal control that are significant within the context of the audit objectives and based upon the audit work performed.
If some but not all internal control components are significant to the audit objectives, the audit staff should identify as part of the scope those internal control
components and underlying principles that are significant to the audit objectives.
When audit staff detect deficiencies in internal control that are not significant to the objectives of the audit but warrant the attention of those charged with governance, they should include those deficiencies either in the report or communicate those deficiencies in writing to audited entity officials. If the written communication is separate from the audit report, audit staff should refer to that written communication in the audit report.
Reporting Requirements
GAS 9.35-9.68 has additional reporting requirements. Audit staff will review those requirements as part of report preparation.
C. Report Style
Audit reports should be as concise as possible. Detail should be sufficient to fully explain the condition, to present a convincing basis for taking the recommended action, and to provide sufficient detail for management to clearly understand the action that should be taken.
Reports should be balanced. When the auditor determines that controls are effective, or that some aspects of functional operations are efficient, or that there are best practices that can be cited, it should be reported.
Reports should be presented in a straightforward manner and should avoid inflammatory language.
D. Factual Content Review
Prior to the Audit Committee’s review of the report, the factual content of the report should be reviewed with managers that have direct responsibility over items that have been identified as findings.
As much as possible, the factual content should be verified as the draft report is being prepared. The exit conference and the review of the draft report are the final tests of factual content.
Changes to the report, based on challenges by functional management, shall be made only when they are substantiated as a result of evidence in existence or through additional audit work. These changes should be identified in the draft report and indexed as appropriate to work papers.
Draft reports should be reviewed by and concurred with by the Senior Director, Internal Audit prior to issuance. This includes any “Discussion Drafts” as well as the final draft report.
E. Draft Reports
1. Discussion Drafts - It may be desirable to distribute a “Discussion Draft” to managers prior to actually transmitting the draft report. This would be the case if there are issues in the report that were not fully discussed with management prior to the completion of fieldwork or if issues that were previously discussed are presented in a materially different fashion. Once management has reviewed the discussion draft and any agreed to changes have been made, the draft should be issued for comment.
2. Draft reports for Management’s Comments – Draft reports should be issued via email to the managers who are responsible for a response with copies to the appropriate Chief Officers, Associate Superintendents, and the Superintendent.
The email should identify the time frame within which we are expecting a response. The standard is no more than 30 days, but a shorter time frame may be used if management agrees to that.
The email should contain a request that the response be provided in the form of a Management Action Plan. A copy of the Management Action Plan should be attached to the draft report.
Management should be advised that their response to each recommendation will be included in the Management Action Plan. If management wishes to provide information in addition to that included in the Management Action Plan, it will be included after each recommendation or attached to the report.
3. Draft Reports to the Audit Committee - Management’s Response should be incorporated into the draft report, the Management Action Plan attached, and the draft should be presented to the Audit Committee for their review. The draft should be dated as of the date it will be presented to the Audit Committee, or the date of completion of any subsequent work directed by the Audit Committee. As previously stated, the draft should generally be transmitted to the responsible managers with a copy to the appropriate Chief Officers, Associate Superintendents, and the Superintendent.
4. Reports to the Board - When the Audit Committee has reviewed and approved the report the word “draft” should be removed from the report with a signature page. Although it is technically still a “draft report” until the Board accepts it, removing the word draft from it demonstrates that it is complete when it is presented to the Board members. The resolution establishing the Board’s Office of Internal Auditor specifies that draft reports will be issued to the Board at the next Board meeting after approval by the Audit Committee. The Board may request a presentation of the report at an informal meeting prior to formal Board meeting where the report is presented.
5. Other Report Circumstances- (GAS 9.64-9.66) - If the report refers to the omitted
information, the reference may be general and not specific. If the omitted information is not necessary to meet the audit objectives, the report need not refer to its omission.
Certain information may be classified or may otherwise be prohibited from general disclosure by federal, state, or local laws or regulations. In such circumstances, auditors may issue a separate, classified, or limited use report containing such information and distribute the report only to persons authorized by law or regulation to receive it.
Additional circumstances associated with public safety, privacy, or security concerns could justify the exclusion of certain information from a publicly available or widely distributed report. For example, detailed information related to computer security for a particular program may be excluded from publicly available reports because of the potential damage that misuse of this information could cause. In such circumstances, auditors may issue a limited use report containing such information and distribute the report only to those parties responsible for acting on the auditors’ recommendations. In some instances, it may be appropriate to issue both a publicly available report with the sensitive information excluded and a limited use report. The auditors may consult with legal counsel regarding any requirements or other circumstances that may necessitate omitting certain information. Considering the broad public interest in the program or activity under audit assists auditors when deciding whether to exclude certain information from publicly available reports.
A copy of a referenced draft report should be included in the supporting work papers.
F. Final Reports
G. Management Response
Functional management should be provided ample opportunity to provide a response, but generally no more than 30 days. Senior management may provide additional direction on response time. The response should indicate the action being taken on all reportable conditions and scheduled dates for when the corrective actions will be completed. The response is in the form of a Management Action Plan. Upon receipt of the response, Internal Audit staff will determine whether individual corrective actions agreed to by functional management appear to be an effective response to the supporting recommendation. If responses are not acceptable, the auditor should engage in additional discussions with functional management to resolve any differences.
H. Audit Report File
I. Assignment Closeout Checklist
An Assignment Closeout Checklist has been developed to help ensure that each audit assignment complies with all applicable Government Auditing Standards.
The checklist should be completed by the Senior Director of Internal Audit prior to the time that an audit report is presented to the Audit Committee
J. Subsequent Events
If the auditors discover, after the report is issued, that the evidence used to support findings or conclusions is not sufficient and/or appropriate as described earlier, the Senior Director of Internal Audit must communicate that to the appropriate District officials, Audit Committee, Board of Education, and/or other known users of the original report. The report must be removed from the public website and replaced with a notification that the report is no longer reliable. The Senior Director must then determine if additional fieldwork may be completed to obtain sufficient, appropriate evidence including any revised findings or conclusions; or to re-post the original report if the additional audit work does not result in a change in findings or conclusions.
After the Board of Education approval, send a Customer Satisfaction Survey to the reporting parties for feedback.
L. Follow-Up
A Summary of Audits Report has been developed to serve as the follow-up report for both internal and external audits. The report reflects the auditors’ recommendations along with management’s action plan and date of completion. The auditors conduct interviews with management to determine the completion of management actions, requesting proof when applicable. The Summary of Audits Report is reported to the Board of Education yearly and maintained on the District public website continuously.
XI. FRAUD AND MISAPPROPRIATION
The prevention of fraudulent acts depends primarily upon operating management by its establishment of effective controls. Internal Audit assists management in the deterrence of fraudulent acts by reviewing management controls and reporting on their adequacy with recommendations for improvements.
The type and extent of preventive measures against fraud should be determined by the nature of the operation and by an evaluation of the cost of a particular control in relation to the protection it affords. However, Internal Audit must always be aware that fraud may exist and be alert for those situations that (due to inadequacy of the control{s}) might permit unauthorized diversion of assets. Audit staff should continually be sensitive to any indications of fraud and pursue the underlying causes of disorganized and unintelligible records, erasures, alterations, unusual transactions, and the like.
- A. Board Policy
- B. Internal Audit Operating Procedures for Identifying, Reporting, and Investigating Irregularities
- C. Investigative Standards
- D. Ethics Hotline Program
- E. Handling and Responding to Ethics Hotline Reports
A. Board Policy
B. Internal Audit Operating Procedures for Identifying, Reporting, and Investigating Irregularities
The Internal Audit Department adopted the following procedures for handling suspected irregularities or misappropriation of Board funds. These Internal Audit Operating Procedures are intended to provide more detailed guidance for carrying out investigations under Board Policy DJ.
The Internal Audit Department is responsible for conducting all investigations arising from notification, either by an employee or by the Superintendent, of a suspected irregularity or misappropriation.
When notified, the Internal Audit Department will conduct a preliminary inquiry into the irregularity or misappropriation, involving Campus Police and the Board Attorney as needed to determine whether a full investigation is warranted. The Senior Director, Internal Audit will notify the Board President, Superintendent of Schools, and Chairperson of the Audit Committee that a potential irregularity/misappropriation exists and will inform them that a preliminary investigation is underway.
In any instance where the preliminary investigation shows there is apparent fraud or misappropriation, the Senior Director, Internal Audit will consult with the Board Attorney and Campus Police regarding the next steps to be taken. The Senior Director will inform the Board President, Superintendent, and Audit Committee Chairperson as to whether or not further investigation will be required. If further investigation is not appropriate, the Internal Audit Department will fully brief the parties, as well as area management, on the findings of the preliminary review and recommendations for any necessary administrative actions.
If a full investigation is warranted, Internal Audit will consult with the Board Attorney and Campus Police to determine the nature of the investigation and to determine what other resources may be necessary to complete the investigation. This includes determining whether and when a referral should be made to other law enforcement authorities and at what point any associated internal audit work should be terminated. The results of the investigation will be communicated to area management along with recommendations for appropriate action to be taken.
The Senior Director, Internal Audit will report the results of the investigation and any recommended actions to the Board President, the Superintendent of Schools, and the Chairperson of the Audit Committee. If the investigation reveals that there is or was an
irregularity or misappropriation of Board assets, the Senior Director, Internal Audit will also report the results of the investigation to the Chief Financial Officer to alert him/her to a possible break-down in internal controls. Corrective actions for such breakdowns will be determined by the Chief Financial Officer.
C. Investigative Standards
D. Ethics Hotline Program
The Board has implemented an Ethics Hotline program that provides a toll-free phone number to a third- party contractor that can be used for anonymous reports from employees or others when they believe that a fraud or misappropriation or similar workplace incident has occurred. Reports may also be made through a secure website.
Handout materials have been prepared and are available from the Internal Audit Department.
E. Handling and Responding to Ethics Hotline Reports
Reports to the Ethics Hotline are received by a third-party vendor selected through the RFP process. They are written up in the form of a call report. The vendor notifies the Senior Director, Internal Audit and/or a designated staff member in the Internal Audit Department of the report. Reports can be accessed via a secure website with a username and password supplied by the vendor.
The reports may be anonymous and may be made to a toll-free number 24 hours a day and 7 days a week. Reports may also be made by accessing a secure website. Reporters answer a series of questions (who, what, when, where, why, how) to determine the substance of the report. Both the toll-free phone number and the website address are available on the public website and the District’s intranet.
Call reports are assigned an identifying number by the vendor. Anonymous reporters may select a Personal Identification Number (PIN) for identity verification when calling back or logging on to the website for a response. The Senior Director, Internal Audit, Senior Internal Auditor or Academic Auditor reviews the report as soon as possible after it is received. Every effort is made to provide a reply to the reporter on the disposition of the report as soon as possible. If the matter in the report cannot be resolved quickly, an interim reply is provided stating that the matter is under review.
If contact information is provided, Internal Audit will directly contact the reporter. Internal Audit’s action to the call report is based on the following guidelines:
· If the matter relates to the safety of students or staff, the matter is immediately brought to the attention of District level administrators, and/or Campus Police.
· If the report describes a matter that deals with a violation of policy or law or the misuse of District resources, and the matter can be substantiated to some extent by Internal Audit through interviews or reviews of records, the actions described in Board Policy DJ will be followed.
· If the report cannot be substantiated:
Ø The general nature of the matter reported may be discussed with the responsible administrator or the next highest level.
Ø In some cases, the matter may be taken directly to a individual named in a call report to help determine if the matter is in fact a violation of policy or law or misuse of resources. However, the named individual’s supervisor will not be informed unless the matter can be substantiated.
Ø If there are multiple reports about the same or related matters naming the same individuals, and they appear to be from different reporters, the matter will generally be taken to the responsible administrator, or the administrator at the next highest level.
Ø If the matter report in a call report does seem to relate to violations of law or policy or misuse of resources that cannot be substantiated with the information provided but could possibly be substantiated if more information was provided, a response will be provided requesting that any additional information available on the matter be provided by the reporter.
Ø If our investigation shows that there is no substantiation to the allegation, no further action will be taken, and the report will be closed.
· If the report is of Human Resources nature, Internal Audit will attempt to substantiate the information provided by the reporter and share the report with the Human Resources Department.
Ø If contact information is provided, Internal Audit will directly contact the reporter.
Ø At any time of the reporting process the reporter has retained a lawyer, no further investigation will be conducted and the report will be closed.
· At any time of the reporting process the reporter has retained a lawyer or counsel, no further review will be conducted and the report will be closed.
XII. NON-AUDIT SERVICES
From time to time, Internal Audit will be called on to perform reviews that are not audits as defined by the Yellow Book, the Government Auditing Standards.
Non-Audit Services that involve less than two days of Internal Audit staff effort should be recorded under the “Consulting and Advising” category for time tracking purposes and reported in the Audit Plan Status Report under that category. If the Non-Audit Service involves more than two days of Internal Audit staff time, a separate category should be set up for it in the time tracking system and it should be under the Non-Audit Service category in the Audit Plan Status Report. If the Non-Audit Service will take more than 15 days, the review then becomes an audit and must follow auditing standards. The Board President and/or the Chair of the Audit Committee will be advised as soon as possible and the audit will be discussed with the Audit Committee at the next meeting to obtain a ratification.
There is a separate timekeeping category for Non-Audit Services- Investigations and those matters are handled per the Investigations Section of the Audit Manual.
Before undertaking any Non-Audit Service, regardless of the number of days it will take, audit staff should first consider whether the service would be one that would impair independence as described in GAS 3.64.
Before audit staff agrees to provide non-audit services they should determine that the audited entity has designated an individual who possesses suitable skill, knowledge, or experience and that the individual understands the services to be provided sufficiently to oversee them. (GAS 3.73).
Audit staff should document consideration of management’s ability to effectively oversee non-audit services to be provided. (GAS 3.74).
In cases where management is unable or unwilling to assume these responsibilities (for example, the audited entity does not have an individual with suitable skill, knowledge, or experience to oversee the non-audit services provided, or is unwilling to perform such functions because of lack of time or desire), audit staff should conclude that the provision of these services is an impairment to independence. (GAS 3.75).
Audit staff providing non-audit services to management should obtain an agreement from such management that will perform the following functions in connection with the non-
audit service:
· Assumes all management responsibilities;
· Oversees the service, by designating an individual, preferably within senior management, who possesses suitable skill, knowledge, or experience;
· Evaluates the adequacy and results of the services provided; and
· Accepts responsibility for the results of the services. (GAS 3.76)
In connection with non-audit services, audit staff should establish and document their understanding with the audited entity’s management or those charged with governance, as appropriate, regarding the following:
· Objectives of the non-audit services ;
· Services to be provided ;
· Audited entity’s acceptance of its responsibilities as discussed above;
· The auditors’ responsibilities, and;
· Any limitations on the provision of non-audit services.
Auditors should conclude that management responsibilities that the audit staff performs for management are impairments to independence. If the audit staff were to assume management responsibilities, the management participation threats created would be so significant that no safeguards could reduce them to an acceptable level. (GAS 3.78
XIII. QUALITY CONTROL & PEER REVIEW OF DEPARTMENT FUNCTION
The Internal Audit Department will comply with the following requirements:
- A. Requirement: Quality Control and Assurance
- B. Requirement: System of Quality Control
- C. Requirement: Leadership Responsibilities for Quality within the Audit Organization
- D. Requirements: Initiation, Acceptance, and Continuance of Engagements
- E. Requirements: Human Resources
- F. Requirements: Monitoring of Quality
- G. Peer Review Requirements
A. Requirement: Quality Control and Assurance
GAS (5.03)
An audit organization’s system of quality control encompasses the organization’s leadership, emphasis on performing high-quality work, and policies and procedures designed to provide reasonable assurance of complying with professional standards and applicable legal and regulatory requirements. The nature, extent, and formality of an audit organization’s quality control system will vary based on the audit organization’s circumstances, such as size, number of offices and geographic dispersion, knowledge and experience of its personnel, nature and complexity of its engagement work, and cost-benefit considerations.
B. Requirement: System of Quality Control
GAS (5.04) An audit organization should document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent to which the audit organization complies with its quality control policies and procedures.
C. Requirement: Leadership Responsibilities for Quality within the Audit Organization
GAS (5.05) The audit organization should establish policies and procedures on leadership responsibilities for quality within the audit organization that include designating responsibility for quality of engagements conducted in accordance with GAGAS and communicating policies and procedures relating to quality.
GAS (5.06) The audit organization should establish policies and procedures designed to provide reasonable assurance that those assigned operational responsibility for the audit organization’s system of quality control have sufficient and appropriate experience and ability, and the necessary authority, to assume that responsibility.
GAS (5.08) The audit organization should establish policies and procedures on independence and legal and ethical requirements that are designed to provide reasonable assurance that the organization and its personnel maintain independence and comply with applicable legal and ethical requirements.
GAS (5.09) At least annually, the audit organization should obtain written affirmation of compliance with its policies and procedures on independence from all of its personnel required to be independent.
D. Requirements: Initiation, Acceptance, and Continuance of Engagements
GAS (5.12 The audit organization should establish policies and procedures for the initiation, acceptance, and continuance of engagements that are designed to provide reasonable assurance that the organization will undertake engagements only if it:
1. complies with professional standards, applicable legal and regulatory requirements, and ethical principles;
2. acts within its legal mandate or authority; and
3. has the capabilities, including time and resources, to do so.
E. Requirements: Human Resources
GAS (5.15) The audit organization should establish policies and procedures for human resources that are designed to provide the organization with reasonable assurance that it has personnel with the competence to conduct GAGAS engagements in accordance with professional standards and applicable legal and regulatory requirements.
GAS (5.16) The audit organization should establish policies and
procedures to provide reasonable assurance that auditors who are performing work in accordance with GAGAS meet the continuing professional education (CPE) requirements, including maintaining documentation of the CPE completed and any exemptions granted.
F. Requirements: Monitoring of Quality
GAS (5.42) The audit organization should establish policies and procedures for monitoring its system of quality control.
GAS (5.43) The audit organization should perform monitoring procedures that enable it to assess compliance with professional standards and quality control policies and procedures for GAGAS engagements. Individuals performing monitoring should have sufficient expertise and authority within the audit organization.
GAS (5.44) The audit organization should analyze and summarize the results
of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following:
1. a description of the monitoring procedures performed;
2. The conclusions reached from the monitoring procedures; and
3. when relevant, a description of systemic, repetitive, or other deficiencies and of the actions taken to resolve those
deficiencies.
GAS (5.45) The audit organization should evaluate the effects of deficiencies noted during monitoring of the audit organization’s system of quality control to determine and implement appropriate actions to address the deficiencies.
This evaluation should include assessments to determine if the deficiencies noted indicate that the audit organization’s system of quality control is insufficient to provide it with reasonable assurance that it complies with professional standards and applicable legal and regulatory requirements, and that accordingly the reports that the audit organization issues are not appropriate in the circumstances.
GAS (5.46) The audit organization should establish policies and procedures that require retention of engagement documentation for a period of time sufficient to permit those performing monitoring procedures and peer review of the organization to evaluate its compliance with its system of quality control or for a longer period if required by law or regulation.
G. Peer Review Requirements
(GAS 5.60-5.61 & 5.84) A periodic external component that should include a self-assessment using review tools such as those provided by the Institute of Internal Auditors or the Association of Local Government Auditors and must include a peer review by an external organization. Based on the resolution establishing the Office of Internal Auditor, the external review should take place every three years.
XIV. BUSINESS PROCESS REVIEWS
A. Purpose
Business Process Reviews are a combination of a survey-based self-assessment by the principal and a limited test of transactions by Internal Audit, culminating in a report to the principal that conveys the results of the review and provides space for the principal’s response. Although they are narrowly focused with a significant training component, they are a compliance audit under Government Auditing Standards.
Background information for these reviews and general instructions are included in the School Sites Internal Control Questionnaire. Standard forms are used for each Business Process Review. While the questions and forms may be revised periodically to reflect current conditions and processes, the background and rationale for the survey and tests remain constant.
Business Process Reviews are conducted when a change in a principal of a school occurs, every 4 years after the first review or at the request of the principal.
The term “review” is used because, although these are compliance audits under Government Auditing Standards, that term better conveys to the users that these are much smaller in scope than the audits they are familiar with and are intended to convey issues that are of less individual significance than those in most internal audit reports.
The results of the reviews for each year are summarized collectively in a report to District management. They are to aid in identifying areas where additional training is needed for principals. School staff may be needed to identify strengths and weaknesses in the District’s internal control structure for the area reviewed.
B. Sequence of Review Steps
Following are the steps to be followed for Business Process Reviews:
1. The Internal Control Questionnaire (ICQ) will be sent to the principal for him/her to review and complete prior to our site visit.
2. The site visit will be scheduled by the Auditor in Charge.
3. The site visit will be conducted and should include:
a. A preliminary discussion (entrance conference) with the principal to complete and discuss the ICQ. The overall plan for the review is communicated. The entire ICQ should be discussed in general, but with specific reference to any “no” answers or notations made by the principal. Also, once the plan is communicated to the principal, we should ask whether there are areas where the principal has a specific concern, including any areas that may not be listed in the ICQ. Any concerns that emerge from this discussion should be factored into the audit program for the school.
b. The tests of transactions in accordance with the audit program and worksheets.
c. An exit briefing at the completion of the review, where the principal is informed of any issues identified and the recommendations we anticipate making. This briefing should also include a discussion of any areas where we note inconsistencies between what is noted in the ICQ and what we found during our transaction testing. Since our tests are generally of transactions from the prior year and the ICQ should reflect controls during the current year, there are likely to be differences. The discussion should help to ensure that steps to correct any of the deficiencies we found have actually been taken.
4. The development of the draft report, which is reviewed by the Senior Director, Internal Audit and sent to the principal for response.
5. A close-out briefing to review and discuss the response provided by the principal may be beneficial but is not required if the response satisfactorily addresses the control issues.
These steps may be modified as appropriate if specific circumstances warrant.
C. Follow-Up
A follow-up review, if needed, will be scheduled within one year after the initial review. This allows time for the principal to implement the recommendations made during the initial review.
At the Audit Committee’s request, additional follow-up visits may be completed until satisfactory progress is achieved.
Internal Audit Department By-Laws
A RESOLUTION establishing the Office of Internal Auditor for the Savannah-Chatham County Public School System (SCCPSS) and setting forth the conditions and specifics under which said office shall function
WHEREAS management and employees in the public sector are responsible for taxpayer remitted resources and should be held accountable for their use, and
WHEREAS no overall indicator of performance measurement such as profit in the private sector exists in the Savannah-Chatham County Public School System (SCCPSS), and
WHEREAS expanded scope auditing independently reviews, evaluates and reports on the financial condition, the accuracy of financial record-keeping, compliance with acceptable laws, policies, guidelines and procedures, and efficiency and effectiveness of operations, and
WHEREAS it is vital that government exercise its power and perform its duties in compliance with law, policy, and established procedures and apply good judgment and sound management practices, and
WHEREAS the independent and public accountability of the auditor can be assured by provision of an independent, legislatively appointed or ratified auditor,
NOW THEREFORE BE IT RESOLVED THAT:
1. The Office of the Internal Auditor for the Savannah-Chatham County Public School System (SCCPSS) is hereby established.
BE IT FURTHER RESOLVED THAT:
2. The auditor shall be employed upon the recommendation of the Superintendent and approval by the Board of Public Education. The Audit Committee Chair or his/her designee and the Board of Public Education President shall serve as part of the hiring panel for this position.
3. The auditor shall be a person able to manage a professional audit staff, analyze financial records, and evaluate operations for economy, efficiency, and program results.
4. The auditor shall not be actively involved in partisan political activities or the political affairs of SCCPSS.
5. The auditor must maintain a professional license or certification in finance or auditing and meet all qualifications defined within the District's job description.
6. Removal of the Auditor will follow established District procedures with input from the Board of Education President per the line of authority as established in Board Policy CD. A subsequent majority vote of the Board will be required.
7. An audit committee is hereby established to consult with the auditor regarding technical issues and to work to assure maximum coordination between the work of the auditor and the needs of the Board and the Superintendent. Representatives from non-governmental industries will serve on the audit committee. Two (2) members of the Board, appointed by the Board, shall also serve on the audit committee.
8. The auditor and the auditor’s office will adhere to the Government Auditing Standards, or to other Professional Audit Standards as approved by the Audit Committee, in conducting its work, and will be considered independent as defined by those standards.
The auditor and the auditor’s office are charged with the following responsibilities:
- Section One - Reporting Relationships
- Section Two - Assistants and Employees
- Section Three - Scope of Audits
- Section Four - Annual Audit Plan
- Section Five - Funding
- Section Six - Records
- Section Seven - Access to Records and Property
- Section Eight - Agency Response
- Section Nine: Agency Reports to the Board
- Section Ten - Report of Irregularities
- Section Eleven - Quality Assurance Review
Section One - Reporting Relationships
Section Two - Assistants and Employees
The auditor shall have such assistants and employees as are necessary to perform duties required by the Board. The assistants and employees will be interviewed by the auditor and approved by the Board on the recommendation of the Superintendent. The auditor will follow the normal SCCPSS hiring procedures.
Section Three - Scope of Audits
a. The auditor shall have responsibility to conduct audits of all District departments, schools, office of the boards, committees, activities and/or agencies of the Board to independently determine whether:
- activities and programs being implemented have been authorized by the Board, state law or applicable federal law or regulations;
- activities and programs are being conducted in a manner contemplated to accomplish the objectives intended by the Board, state law or applicable federal law or regulations;
- activities or programs efficiently and effectively serve the purpose intended by the Board, state law or applicable federal law or regulations;
- activities and programs are being conducted and funds expended in compliance with applicable laws;
- revenues are being properly collected, deposited and accounted for;
- resources, including funds, property and personnel, are adequately safeguarded, controlled and used in an effective and efficient manner in compliance with applicable law;
- financial and other reports are being provided that disclose fairly and fully all information that is required by law, that is necessary to ascertain the nature and scope of programs and activities and that is necessary to establish a proper basis for evaluating the programs and activities;
- during the course of audit work, there are indications of fraud, abuse or illegal acts; and
- there are adequate operating and administrative procedures and practices, systems or accounting internal control systems and internal management controls which have been established by management.
b. Audits shall be conducted in accordance with the Government Auditing Standards of the U.S. Government Accountability Office as applicable to financial, operational, compliance and performance audits.
c. The auditor shall not conduct nor supervise an audit of an activity for which he/she was responsible or within he/she was employed during the preceding two years.
Section Four - Annual Audit Plan
At the beginning of each fiscal year, the auditor shall submit an annual audit plan to the Audit Committee for review. In the selection of audit areas, the determination of audit scope, and the timing of audit work, the auditor should consult with federal and state auditors and independent auditors so that the desirable audit coverage is provided, and the audit effort may be properly coordinated. After the Committee reviews and approves the plan, it shall be prepared for recommendation to the Board., The recommendation will be scheduled during a subsequent regular meeting and the plan shall become effective upon the Board’s action. This plan may be amended during the year via approval by the Audit Committee.
The Board President or the Superintendent of Schools may request the Internal Audit to perform audits that are not included in the annual audit plan. After consultation with and approval by the Audit Committee and the Board, an audit requested by the Superintendent or Board President may be amended for inclusion in the annual audit plan.
Additionally, the auditor may initiate and conduct any other audit deemed necessary to undertake. The auditor shall notify the Board President, Superintendent, and Audit Committee Chairperson of any such amendments
Section Five - Funding
Section Six - Records
The auditor shall retain a complete file of each audit report and each report of other examinations, investigations, surveys and reviews conducted by the Department. The files should include audit workpapers and other supportive material directly pertaining to the audit report or activity. Files will be maintained on-site for at least three (3) years and maintained off-site a minimum of four (4) additional years (seven years in total).
Section Seven - Access to Records and Property
All officers and employees of the Board of Public Education shall furnish the auditor with requested information and records within their custody regarding powers, duties, activities, organization, property, financial transactions and methods of business required to conduct an audit or otherwise perform audit duties. In addition, they shall provide access for the auditor to inspect all property, equipment and facilities within their custody.
Section Eight - Agency Response
A preliminary draft of the audit report will be forwarded to the audited department/program/area and the Superintendent for review and comment regarding factual content before it is released. The auditee must respond in writing specifying agreement with audit findings and recommendations or reasons for disagreement with findings and/or recommendations, plans for implementing solutions to identified problems and a timetable to complete such activities. The response must be forwarded to the auditor within thirty days after receipt of the draft report. The auditor will include the full text of the auditee’s response in the report.
Section Nine: Agency Reports to the Board
a. The auditor shall submit each audit report with the supporting management action plan in draft form to the Audit Committee for review of factual content and proper audit coverage and procedures. The Audit Committee will approve each audit report for release to the Board.
b. Once reviewed and approved for release by the Audit Committee, the final draft of the report will be issued to the Board within one week. The Board President will attempt to ensure each report is reviewed and approved by the Board at the next regularly scheduled public meeting of the Board.
Section Ten - Report of Irregularities
If the auditor detects or is informed of apparent violations of law, apparent instances of misfeasance, malfeasance or nonfeasance by an employee, the auditor shall initiate an investigation of these activities. If an employee or management detects or is informed of apparent violations of law, apparent instances of misfeasance, malfeasance or nonfeasance by an employee, the appropriate area management and the Superintendent should immediately inform the Senior Director of Internal Audit. The Senior Director shall inform the Board President, Superintendent and the Audit Committee Chairperson that a potential irregularity or misuse of funds has been identified and that a preliminary investigation has been initiated.
The auditor shall perform the preliminary investigation, obtaining assistance from other departments or other agencies as deemed necessary to determine whether a full investigation is warranted. If a full investigation is warranted, the auditor shall inform the Board President, Superintendent and Audit Committee Chairperson. If a full investigation is not deemed necessary, the auditor shall inform the appropriate management of the preliminary findings of the investigation and provide any recommended corrective actions as applicable.
If a full investigation is warranted, it will be conducted by Internal Audit with assistance from other departments or other agencies as deemed necessary to determine whether actual malfeasance, misfeasance or nonfeasance has occurred. The investigation shall be conducted without interference by other employees. The results of the investigation will be communicated to the Board President, Superintendent, and appropriate management along with recommendations for further action.
Section Eleven - Quality Assurance Review
The Internal Audit activities of the Auditor’s office shall be subject to a Quality Assurance Review at least once every three years by a professional, non-partisan objective group utilizing guidelines endorsed by the Institute of Internal Auditors. A copy of the written report of this independent review shall be furnished to each member of the Audit Committee and the Board President.
The Quality Assurance Review will be used to evaluate the quality of audit effort and reporting. Specific review areas shall include staff qualifications, adequacy of planning and supervision, sufficiency of workpaper preparation and evidence, and the adequacy of systems for reviewing internal controls, fraud and abuse, program compliance and automated systems. The Quality Assurance Review should also assess the form, distribution, timeliness, content and presentation of internal audit reports.
Approved by the Audit Committee of the Board of Education on January 29, 1997. Approved by the Board of Education on March 5, 1997.
Subsequent changes have occurred throughout the years. Most recent change occurred in December 2023.
Audit Committee Charter
This Charter identifies the purpose, authority and responsibilities of the SCCPSS’s Audit Committee (the “Committee”).
PURPOSE
The purpose of the Committee is to provide on behalf of the Board of Education (the “Board”), oversight of the District’s financial reporting and accounting practices, review of the adequacy of internal accounting and control systems, and review of the systems and processes for meeting the Board’s goals as they relate to delivering educational services through regular communication with the independent auditors, internal audit management, the Academic Auditor, financial management, and other appropriate District personnel.
AUTHORITY AND MEMBERSHIP
The Committee is composed of six representatives from the community and two members of the Board. In addition, the Board President serves as a voting ex-officio member of the Committee. If the Board President cannot be present for a meeting, one of the remaining Board Officers can serve as a voting ex-officio member of the Committee. The Committee reports to the Board.
The members from the community are recommended to the Board by the President and approved by the Board. Members from the community serve a three-year term and may be recommended for one successive term of three years after their initial appointment. These two terms are in addition to any unexpired term a member is appointed to complete. The Chairperson shall be a member from the community, appointed annually by the Board President and serving a calendar year term.
The Committee has the discretion to recommend audits as it may deem appropriate and to employ, with the approval of the Superintendent and within the Audit Department’s budget, whatever additional advisors and consultants it deems necessary for the fulfillment of its duties.
Although Audit Committee members voluntarily contribute their time and expertise, regular attendance at Committee meetings is necessary for the Committee to be effective in meeting its oversight responsibility. If a member is going to miss more than 50% of the meetings in a year, the member should consider whether his or her other commitments will allow them to effectively serve on the Board’s Audit Committee. If the circumstances are due to health reasons or out of jurisdiction engagements, the call-in option will be available as along as a quorum is present in person as defined in Ga. Code § 50-14-1(g).(3). If unusual or emergency circumstances require a member to frequently miss the meetings, the member should discuss the circumstances with the Board President. Members may be asked to withdraw from the Committee if they are frequently unable to attend the meetings.
MEETINGS
The Audit Committee will meet based on a schedule established at the beginning of each year and adopted by the Committee. All meetings are subject to the Open Meetings Act, O.C.G.A. Section 50-14-1 et seq.
Scheduled meetings may be cancelled, with the approval of the Chair and the concurrence of the Board President, if there is not enough on the agenda to warrant a meeting. Additional meetings may be called if there are matters that must be covered prior to the next scheduled meeting.
Five Committee members shall constitute a quorum for the purposes of taking action and voting on Committee decisions. The Board President may be counted when determining whether a quorum is present
RESPONSIBILITIES
1. Financial Reporting and Accounting Practices
The responsibility of the Committee in the area of financial reporting and accounting practices is to provide reasonable assurance that financial disclosures made by management accurately portray the District’s financial condition, results of operations and plans and long-term commitments. To accomplish this, the Committee at its discretion will:
* Provide oversight of the external audit coverage, including:
à Periodic nomination of independent public accountants in consultation with the Superintendent for Board Consideration, based on a review of responses to an RFP developed for that purpose, and as followed by the District’s Purchasing processes, and which includes provisions for contract renewal.
à Review with the independent public accountants the work plan and results of the audit engagement, and any non-audit services to be provided by the accountant.
à Assessment of the auditor’s independence.
* Review Board accounting policies and policy decisions.
* Assess the impact of significant regulatory changes and accounting and reporting developments.
* Review with management and the independent public accountants any significant reporting or operational issues that were discussed during the reporting period and determine how they were resolved.
* Review with management the issues and responses whenever a second opinion regarding a material issue is sought from an independent public accountant.
* Review the letter of management representations given to the independent public accountants.
* Review the audit reports and management letter issued by the independent public accountants.
2. Internal Accounting and Control Systems, and Systems and Processes for Meeting Board’s Goals
The responsibility of the Committee in the area of internal control is to provide reasonable assurance that the District is maintaining an effective system of internal control, including IT security and control is in compliance with pertinent laws and regulations, and is conducting its affairs ethically. To accomplish this, the Committee at its discretion will:
* Provide oversight of the Internal Audit function by:
à Reviewing, approving, and monitoring audit plans, budgets and staffing levels for recommendation and approval by the Board of Education.
à Reviewing audit results and approving internal audit reports for recommendation and approval by presentation to the Board of Education.
à Participating in the Board’s appointment, appraisal of, and termination of the Senior Director of Internal Audit (Auditor) as stipulated by the Bylaws of the Audit Department.
* Assess the extent to which the planned audit scope of Internal Audit and the independent public accountant can be relied on to detect fraud or weaknesses in internal controls and assess management’s response to reported weaknesses or compliance deficiencies.
* Use information from the external auditors, the internal auditors, and District management to assess the extent to which the District’s internal control structure is adequate to prevent or timely detect unacceptable levels of risk in District operations.
* Review Board policies relating to compliance with laws and regulations, ethics, conflict of interest, and the investigation of misconduct or fraud.
* Consider the results of reviews by outside organizations, and the implications for the District’s systems of control.
* Make recommendations to the Board regarding academic, financial and operational risks.
* Review the quality assurance practices (including the recommendations of the Quality Assurance Review)of the Internal Audit department and the independ
* Gain an understanding of the different aspects of the District’s business and academic programs to ensure a general understanding of operations and functional areas as well as the business and performance risks.
* Report Committee activities to the Board on a regular basis.
* Review this charter annually and propose to the Board any recommended changes.