AUDIT MANUAL - BoardDocs

OFFICE OF INTERNAL AUDIT

AUDIT MANUAL

Dallas ISD Office of Internal Audit Audit Manual

1 Revised May 7, 2020

CONTENTS Chapter 1 ................................................................................................................................................ 3

General Information ................................................................................................................................ 3

Vision, Mission, Values, and Strategies .................................................................................................... 3

Vision ...................................................................................................................................................... 3

Mission.................................................................................................................................................... 3

Core Values: ............................................................................................................................................ 3

Chapter 2 ................................................................................................................................................ 6

Governance ............................................................................................................................................. 6

Internal Audit Charter.............................................................................................................................. 6

Audit Committee Charter ........................................................................................................................ 6

Professional Standards, Laws, and Policies............................................................................................... 6

Chapter 3 ................................................................................................................................................ 8

Annual Risk Assessment and Audit Plan ................................................................................................... 8

Risk Assessment ...................................................................................................................................... 8

Annual Internal Audit Plan ....................................................................................................................... 9

Chapter 4 .............................................................................................................................................. 10

Internal Audit Engagements .................................................................................................................. 10

Assignments .......................................................................................................................................... 10

TeamMate ............................................................................................................................................. 11

Data Analytics ....................................................................................................................................... 11

The Audit Process .................................................................................................................................. 11

Planning ................................................................................................................................................ 12

Entrance Conference ............................................................................................................................. 13

Fieldwork .............................................................................................................................................. 14

Audit Evidence ...................................................................................................................................... 16

Audit Working Papers ............................................................................................................................ 16

Audit Tests and Sampling....................................................................................................................... 19

Sampling ............................................................................................................................................... 19

Example Attribute Test – Expenditures .................................................................................................. 19

Review Process and Coaching Notes ...................................................................................................... 20

Reporting .............................................................................................................................................. 21

Issues & Audit Recommendations.......................................................................................................... 21



Audit Report Follow-up ......................................................................................................................... 25

Security and Control of Workpapers ...................................................................................................... 26

Quality Assurance and Improvement ..................................................................................................... 27

Quality Assurance Steps for Projects...................................................................................................... 29

Chapter 5 .............................................................................................................................................. 31

Administrative Procedures .................................................................................................................... 31

Professional Certification, Organizations, and Meetings ........................................................................ 31

New Employee Orientation ................................................................................................................... 31

Preparing Individual Development/Training Plans ................................................................................. 32

Employee Performance Planning and Appraisal Process ........................................................................ 33

Personal Conduct and Independence..................................................................................................... 34

Timekeeping System.............................................................................................................................. 35

District Record Retention Policy ............................................................................................................ 36

General Housekeeping Policies .............................................................................................................. 38

Audit Manual Revisions ......................................................................................................................... 38

Chapter 6 .............................................................................................................................................. 39

Investigations and Fraud Indicators ....................................................................................................... 39

Fraud ..................................................................................................................................................... 39

Investigations ........................................................................................................................................ 39



CHAPTER 1

GENERAL INFORMATION VISION, MISSION, VALUES, AND STRATEGIES

VISION - To help Dallas ISD become a premier urban school district by partnering in risk management.

MISSION - To build strong internal controls throughout the District by providing risk-based and objective assurance, consulting and investigative services designed to add value and improve operations of the District.

CORE VALUES:

Integrity: We exhibit trust, fairness, honestly, respect, and ethical behavior in our service to the District.

Objectivity: We perform our duties in an independent and unbiased manner based on facts obtained from informed analyses of the issues and a clear understanding of the operations.

Quality: We provide excellent services to the District’s management, staff, and students to improve operations in a value–added manner.

Innovation: We develop creative and innovative approaches to key issues facing the District.

Confidentiality: We take confidentiality seriously and do not disclose information gathered during the audit to anyone outside audit without the appropriate authority.

Collaboration: We work alongside District employees to provide services that are effective and efficient.



The Institute of Internal Auditors has created a value proposition based on the three core elements of value delivered by internal auditing to the organization:

Assurance: Internal auditing provides assurance on the District’s governance, risk management, and control processes to help the District achieve its strategic, operational, financial, and compliance objectives.

Insight: Internal auditing is a catalyst for improving the District’s effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes.

Objectivity: With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice.

Strategic Planning and Assessment

The Office of Internal Audit will align its mission with the overall mission of Dallas ISD.

Each year a Strategic Plan will be reviewed and updated as part of the annual audit planning process. The current plan will be maintained on the shared drive under Administration/Strategic Plan.

In addition, an annual assessment will be prepared and reported to the Audit Committee.

Website

Information regarding the office can be found at the following website, which should be updated periodically: https://www.dallasisd.org/Domain/112 . The executive assistant and staff are responsible for ensuring the website is up-to-date, and any significant changes should be approved by the CAE.

https://www.dallasisd.org/Domain/112



Organization Chart

The organization chart is maintained in Oracle.

Performance Measures

Performance metrics are tracked according to departmental directives by the CAE and reported to the Audit Committee. Metrics are maintained on the Internal Audit shared drive under Performance Metrics. Customer Surveys

As part of the performance metrics, customer surveys are sent out after each audit by the lead auditor. The results are compiled at the end of the year and reported to the Audit Committee. Appropriate action is taken as needed based on customer responses.

External Audits

In accordance with Internal Auditing Standard 2050 - Coordination and Reliance, Internal Audit is responsible for sharing information, coordinating activities, and working with other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts. As part of the coordination effort, the CAE reports external audit activity to the Audit Committee. External auditors include:

• Texas Education Agency - Internal Audit coordinates as necessary with the TEA on audits and projects.

• External Financial Auditor – Internal Audit will assist the external financial auditors when possible. All work done for external auditors will be approved by the CAE.

• Other external contracted auditors – Internal Audit will assist other external auditors if possible. The annual E-Rate audit is one example of this support.



CHAPTER 2

GOVERNANCE

INTERNAL AUDIT CHARTER The purpose, authority, and responsibility of the internal audit activity are formally defined in a charter, consistent with the IIA International Standards for the Professional Practice of Internal Auditing. The Internal Audit Charter can be found in Board Policy CFC (Exhibit). Staff should review the Charter keep the latest version accessible.

AUDIT COMMITTEE CHARTER The purpose of the Audit Committee is to provide structured, systematic oversight of the organization’s risk management and internal control practices. The committee assists the Board of Trustees by providing advice and guidance on the adequacy of the District’s initiatives for:

• Risk management • Internal control framework • Oversight of internal and external audits • Financial statements and public accountability reporting

The Audit Committee charter can be found in Board Policy BDB (Exhibit).

Staff should review the Charter and keep the latest version accessible.

Committee Members

Membership in the Audit Committee is made up of three members of the Board of Trustees who are appointed by the Board President and two external advisory members. Meetings

Meetings are held four times a year, or as needed. The CAE along with the audit committee chair will set the agenda. Meeting materials should be distributed to the committee members at least one week prior to the meeting.

PROFESSIONAL STANDARDS, LAWS, AND POLICIES



The Office of Internal Audit adheres to the following professional standards, laws, and policies. All staff members are expected to review the following standards, laws, and policies and adhere to them in the performance of their audit work. International Professional Practices Framework

The Office of Internal Audit adheres to The International Professional Practices Framework (IPPF). The IPPF is the conceptual framework that organizes authoritative guidance promulgated by The Institute of Internal Auditors. IPPF guidance includes: Mandatory Guidance:

• Core Principles for the Professional Practice of Internal Auditing – articulate internal audit effectiveness

• Definition of Internal Auditing – states the fundamental purpose, nature, and scope of internal auditing

• Code of Ethics • Standards – principle focused and provide a framework for performing and

promoting internal auditing. They are mandatory requirements that all auditors are expected to adhere to.

Recommended Guidance:

• Implementation Guidance – to assist internal auditors in applying the Standards • Supplemental Guidance (Practice Guides) – provides detailed processes and

procedures Code of Ethics

Audit is committed to maintaining the highest ethical standards in fulfilling its responsibilities. Audit team members are expected to uphold the highest ethical standards. As outlined on the IIA’s website1, Internal Audit staff must follow the IIA’s Code of Ethics in performing their job responsibilities.

1 https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx

https://na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx

https://na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx

https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Mandatory-Guidance.aspx

https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Strongly-Recommended-Guidance.aspx

https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx



CHAPTER 3

ANNUAL RISK ASSESSMENT AND AUDIT PLAN The Office of Internal Audit prepares an annual risk assessment and audit plan each year during the third quarter. The overall objective is to prepare a plan using a risk-based approach to ensure that areas and activities specific to Dallas ISD with the greatest risk are identified for consideration to be audited, consistent with the Internal Audit Charter and the Strategic Plan.

RISK ASSESSMENT Based on Performance Standard 2120 – Risk Management

The objective of the risk assessment is to optimize the assignment of audit resources through a comprehensive understanding of the District and the risks associated within each business activity.

The Office of Internal Audit risk assessment rates activities on the following:

Impact of risk- The impact of a risk is the effect a single occurrence of the risk will have upon the achievement of the District’s goals and objectives. It is an estimate of the severity of adverse effects, the magnitude of a loss, or the potential opportunity cost should a risk be realized. Impact considers what the effects would be to the District if the risk is to occur.

High impact (3) - If the risk happens, we will probably not achieve our objective or to do so will require major damage control (showstopper)

Medium impact (2) - If the risk happens, we will have to do extra work or we will be inefficient, but we can still achieve our goal or objective

Low impact (1) - If the risk happens, we will be aware of it, but it will have little or no effect upon operations or the achievement of the objective

Probability of risk- The probability of a risk is the likelihood that the risk will become a reality. It is the extent to which an area may be exposed or unprotected in relation to various risk factors after consideration of existing controls. Probability considers how likely a risk is to occur under your current established controls

High probability (3) - It will happen often Medium probability (2) - It is likely to happen but not often Low probability (1) - It is unlikely to happen at all

http://www.utdallas.edu/strategicplan/

http://www.utdallas.edu/strategicplan/



ANNUAL INTERNAL AUDIT PLAN Based on Standard 2010 – Planning

The efforts of the audit staff will be assigned based on that annual internal audit plan. The plan is created by the CAE prior to the beginning of each fiscal year. Using this plan as a guide, the complete audit effort is monitored through the year for effectiveness towards meeting the plan’s goals.

The plan is created using the annual risk assessment. Combining these elements, the CAE creates a comprehensive plan to allocate hours to cover those risks identified in red on the risk assessment as well as those yellows and greens deemed necessary.

The annual internal audit plan is approved by the District’s audit committee.



CHAPTER 4

INTERNAL AUDIT ENGAGEMENTS

Once the annual audit plan is approved, the Internal audit put the plan into TeamMate. Projects are categorized as follows:

• Assurance Engagements • Consulting Engagements • Required Engagements • Investigations • Reserves for Unanticipated Projects • Follow-up

ASSIGNMENTS The CAE is responsible for assigning staff to the various engagements, typically on a quarterly basis. Assignments vary based on staff availability, client availability, and externally imposed due dates for certain required engagements. Staff size will vary based on the engagement.

Working Papers and Audit Programs

Working papers are generally maintained in TeamMate. Standard audit programs for planning, project leader review, CAE review, and reporting procedures are maintained and periodically updated in TeamStores and are loaded upon assignment of the engagement.

Assurance Engagements

Fieldwork audit programs are based on a risk assessment which is conducted during planning. The risk assessment document will be in the TeamMate template.

Consulting Engagements

Audit plans and programs are based on a consulting agreement which is in the TeamMate template.

Investigations

Investigation strategies are discussed in the Audit Manual and are in the TeamMate template.

Follow-up

Follow-up procedures are conducted on a quarterly basis depending on the estimated implementation dates given by management. Follow-ups are conducted typically by the



project leader or audit staff assigned to the audit and are done prior to each Audit Committee meeting. Follow-up documentation is maintained in TeamCentral.

TEAMMATE TeamMate allows auditors to adequately organize working papers, audit findings, and audit processes and procedures. It increases the efficiency of documented fieldwork and allows auditors to effectively document working papers in a manner that can be easily interpreted by outside readers. Through TeamMate, the status of the audit can be tracked, and the security and confidentiality of working papers can be maintained more effectively than hardcopy working papers. TeamMate procedures are set by the CAE. TeamMate Manuals and Job Aids are maintained on the shared drive. Audit staff are expected to review these materials upon hire and when questions arise regarding TeamMate procedures. For assistance with any problems with TeamMate, contact a TeamMate Champion Key things to remember in TeamMate:

Don’t sign off on a working paper unless you’ve completed it. Ensure all information is filled in (purpose, procedures, etc.). Perform spell check. Hyperlink to appropriate working papers and issues. Emails should be saved as a text or pdf file. Don’t include unnecessary files. Keep all work in TeamMate – NOT on your personal computers – as you go.

Even if unfinished. The project leader auditor understands that any work designated with a yellow triangle means that the work is unfinished.

Submit timesheets in TEC no later than Mondays at 5:00 p.m. Address coaching notes in a timely manner.

DATA ANALYTICS The Office of Internal Audit uses IDEA for data analytics. Due to the evolving nature of analytics, these procedures are outlined in the IDEA folder on the shared drive.

THE AUDIT PROCESS The following pages outline our basic procedures for performing audits. Additional processes may be needed to ensure sufficient audit coverage.



*Helpful Hints:

• For best results, work with the client (auditee). Remember they are the experts in the area you are auditing, not you. Rely on their expertise to help drive the audit process.

• Keep your client informed of your progress and communicate potential issues as they arise. Nobody likes surprises, and your potential issue may not be an issue at all. Stick to the audit program to help avoid scope creep. Any deviations need prior approval from your supervisor.

• Document, document, document. You MUST be able to support your results and conclusions with documented audit evidence.

• Audit reports, just like the audit process, are based on facts and not opinions.

PLANNING The purpose of planning is to develop and document a plan for the engagement, including the objectives, scope, timing and resource allocation. Refer to Standard 2200, Engagement Planning. These steps are outlined in the TeamMate planning procedures, with specific instructions which are standard for each audit performed. One of the problems in performing effective planning is the failure to complete all phases of the planning prior to preparing the formal audit program and beginning the fieldwork. Planning must be approved by the project leader and Chief Audit Executive (CAE) prior to beginning fieldwork. Planning is broken down into four separate phases:

• Planning the Audit • Gaining an Understanding of the Audit Area • Risk Assessment • Development and Approval of the Audit Program

While the steps are standardized, the results should be unique to the audit area. (1) Planning the Audit includes the following:

• Administrative Procedures • Assignment • Project Plan (follow procedures for milestones listed in this audit step) • Audit Notification • Entrance Conference

(2) Gaining an Understanding of the Audit Area includes the following:

• Review of prior audits • Asking other auditors



• Preliminary research • Brainstorming • Financial, Operating, and IT Information • Walk-throughs, tours, interviews • If a departmental audit, this will also include data analytics, departmental operating

information, strategic and operating objectives, and surveys.

(3) Risk Assessment includes the following: • Preparation of a risk assessment document (maintained in TeamStores) that

serves as a basis for development of the audit plan. Standard audit programs for fieldwork should never be used for risk-based audits, unless otherwise approved by the CAE.

(4) Development and Approval of the Audit Program includes the following: • Presenting a plan that includes the results of the risk assessment and proposed

audit procedures to the CAE for approval.

ENTRANCE CONFERENCE The Chief Audit Executive, project leader, and audit staff should meet with the client during the planning phase to discuss the audit process. The client should include management and key supervisory personnel as determined by management. The entrance conference provides the opportunity to begin building good relationships. Points that should be discussed during the opening conference include:

• Discussion of Internal audit (mission, reporting, charter, etc.) • Tour of operations • Contact personnel • Scope and objectives • Auditors assigned • Estimated completion date • Process of communication - discuss how clients will be apprised of audit status

and/or changes in estimated completion dates • Current business operations/conditions of the activity being reviewed, including

recent changes in management, major systems, etc. • Distribution of audit report and results • Concerns • Audit report process • Follow-up process

The entrance conference should be documented in the working papers, including those attending, dates, issues discussed, client concerns, etc.



FIELDWORK Audit Programs

The audit program is a detailed plan for the work to be performed during the audit and is typically based on the “Gaining and Understanding and Risk Assessment” planning procedures. The audit program should be prepared in a Word document format after performing the planning steps and maintained in TeamMate under the Development of the Audit Program section. A well-constructed program is essential to completing the audit project in an efficient manner to ensure that the audit objectives are achieved. A well-constructed program provides:

• Procedures for identifying, analyzing, evaluating, and documenting information during the engagement.

• A systematic plan for each phase of the work that can be communicated to all staff on the audit.

• A means by which the audit supervisor/manager can review and compare performance with approved plans.

• Assistance in training inexperienced staff members and acquainting them with the scope, objectives, and work steps of an audit.

• The basis for a summary record of work performed. • Assistance in familiarizing successive audit staff with the nature of work previously

carried out. The program consists of specific directions for carrying out the assignment. It should contain a statement of the objectives of the operation being reviewed.

Evaluating Internal Controls

Internal controls are evaluated in accordance with the COSO framework. Under the COSO Internal Control-Integrated Framework, internal control is broadly defined as “a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) Effectiveness and efficiency of operations; b) Reliability of financial reporting; and c) Compliance with laws and regulations.” COSO defines internal control as having five components:

Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is a foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of employees, management's philosophy and operating style.

Risk Awareness: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the

http://www.coso.org/default.htm



identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Information, Communication, and Reporting: Pertinent information must be identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to allow informed business decision-making and external reporting. Effective communication must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.

Monitoring: Internal control systems need to be monitored - a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

The evaluation of the system of internal controls should provide reasonable, but not absolute, assurance that the fundamental elements of the system are sufficient to accomplish their intended purpose. The study and evaluation should be adequately documented and properly supported by results of tests, observations, and inquiries. Ideally, all internal control strengths identified as key controls should be evaluated and tested. Internal control weaknesses need not be tested and should instead be brought to management’s attention after verification of the weakness. The project leader will help the team guide this process.



AUDIT EVIDENCE Audit evidence may be physical, documentary, testimonial, or analytical. It should be included in the working papers only to the extent necessary to support the audit objectives, results, and conclusions. Physical evidence – is obtained through direct inspection or observation of people, property, or events. It can be documented by photographs, charts, maps, physical samples, memoranda summarizing the matters inspected or observed, and other sources. The value of physical evidence is often limited by the number of observations made, the biases of the observer, and the impact of the observation.

Documentary evidence – consists of “created information” such as emails, letters, contracts, accounting records, invoices, correspondence, memoranda, and management information on performance. It is usually more reliable, more objective, easier to assemble, and easier to document than other kinds of evidence.

Analytical evidence – compiled by staff and includes computations, comparisons, rational arguments, interpretations, testing, and separation of information into components. The quality of analytical evidence depends on the accuracy and reliability of the data used, the level of detail, and the logic applied in the analysis.

Testimonial evidence – obtained through responses to inquiries, surveys, or interviews. Testimonial evidence is usually the weakest form of evidence and generally not used to support key audit findings. Testimonial representations may be included in report but must be attributed. Whenever possible, important information from interviews is corroborated with additional evidence.

AUDIT WORKING PAPERS Working papers serve both as tools to aid the auditor in performing his work, and as written evidence of the work done to support the auditor's results and conclusions. Section 2300 of the IIA’s Standards indicates that information included in working papers should be sufficient, competent, relevant, and useful to achieve the engagement’s objectives and provide a sound basis for audit findings and recommendations. Working papers can be in many forms, including write-ups of interviews, email correspondence, testing spreadsheets, copies of pertinent policies or forms,



documentation of sample selection procedures using IDEA/ACL/Query, audit programs, reports, links to websites, etc.

• Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor.

• Competent information is reliable and the best attainable through the use of appropriate audit techniques.

• Relevant information supports audit findings and recommendations and is consistent with the objectives for the audit.

• Useful information helps the organization meet its goals. Our department uses TeamMate electronic working papers. Regardless of the methodology used for documenting audit results, the quality, techniques and types of working papers employed should adhere to the professional standards noted above. Working Paper Efficiencies and Characteristics of Quality

• Auditors should note that a separate working paper is not always necessary in TeamMate. For example, an audit procedure that can easily be documented in the TeamMate procedures is more efficient than preparing a separate working paper and hyperlinking it to the TeamMate procedure.

Qualities of Good Working Papers

Concise Accurate Well-organized Understandable Not too verbose; just the facts Objectives of working paper tie to conclusion Conclusion supported by results Prepare documentation as you go – do not wait more than a couple of days to

prepare *Remember – working papers can be subpoenaed – don’t put anything in there that you could not support in a court room. Working Paper Techniques

Tickmarks - The auditor makes frequent use of a variety of symbols to indicate work that has been done. These symbols are commonly referred to as tickmarks. As these tickmarks have no special or uniform meaning in themselves, an explanation of each tickmark should be made on the schedule on which it appears. Examples of commonly used tickmarks are: (no exception noted for attribute tested); X (exception noted for attribute tested); N/A (not applicable to attribute tested).



Hyperlinking - Hyperlinking within working papers should be complete and accurate. Working papers should be hyperlinked to the exceptions/issues (ISS in TeamMate). The exceptions should be hyperlinked to the report. Any procedures/results should be hyperlinked to the work performed. Elements of Working Papers

All working papers should have the following elements: Source:

Where did the information come from? An example would be: The source of our information was found at www.Dallasisd.org\xxxxx. Purpose:

The objective of each working paper. Why the working paper was created? An example of a good purpose would be: “To determine if controls exist over purchasing cards to ensure compliance with District policies and procedures regarding proper authorization over purchasing cards.” Procedure:

A description of what the audit did to satisfy the audit objective. Procedures would include:

• If a test, the methodology used to select the sample, make the calculation, etc. Note that if you are sampling you should follow the AICPA sampling procedures.

• If a test, what areas you will test. • If an interview, who attended, when, where, what questions were asked, etc.

An example would be: “We tested purchasing card expenses to determine if the expenses were authorized per District procedures. To select our sample, we selected every 10th purchasing card transaction for the month of February for Department X as listed on their cardholder activity report. We compared the authorized signature to the authorized approval list.”

Results:

What were the results of your procedures? An example of a good results statement would be: “In performing the procedures, we noted that 10 of the 20 purchasing card expenses tested did not have the appropriate authorization.” Results should be succinct and not state what you did – only what your exceptions were. If your testing indicated no issues noted, then simply state that.

http://www.dallasisd.org/



Conclusion:

The conclusion is tied to the purpose and should form an opinion as to the purpose. An example would be: “Based on the results of the audit procedures performed, we conclude that controls do not exist over purchasing cards to ensure compliance with District policies and procedures over authorization.”

AUDIT TESTS AND SAMPLING There are numerous types of testing used during an audit. The types of tests used or developed is dependent on the audit, its risks, and how the auditors choose to test the controls surrounding the risks. The type of testing frequently used at Dallas ISD for certain compliance audits is attribute testing, but other methods can be used. The project leader is repsonsible for determining the type of sampling used after consulting with the supervisor/CAE.

SAMPLING Though there are many forms and methods of sampling. Typically, judgmental and random sampling are used after the population is determined using either queries, Idea, or Excel. The number of items pulled in a sample is dependent on the overall size of the data and the amount of time it may take to test the particular data. Consult your supervisor to determine the sample size. In addition you can refer to the AICPA’s Audit Sampling guide in sampling and testing. A copy of the guide is located in the office, with a summary located at the “Auditor Resources Folder” on the Shared Drive. Remember to document the following:

• Description of the control being tested • Objectives • Population • Sampling unit • How completeness of the population was considered • Definition of a deviation • Acceptable level of risk • Method of sample size determination • Method of sample selection • Description on how sampling procedure was performed • Overall evaluation and conclusion

EXAMPLE ATTRIBUTE TEST – EXPENDITURES In many audits, auditors conduct “expenditure testing” where a sample of a department or area’s expenditures (transactions) are selected and tested according to attributes.

Attributes generally tested during expenditure testing are as follows:



a. The expense is properly authorized b. The expense is accurate and contains adequate supporting

documentation c. The expense is reasonable to the mission of Dallas ISD d. The expense is properly coded (account and cost center) e. Expense complies with applicable laws, rules, policies, etc. If the expense

is a contract/grant charge, then it complies with the contract/grant Auditors will review each transaction in the sample pulled for the above listed attributes and note whether or not the transaction meets the above attributes. Testing spreadsheets are created per the auditor’s preference. The goal is to make the testing spreadsheet complete and easy to follow so that a future auditor could perform the same testing. It is better to be more detailed as you are the auditor with full understanding of what you are testing. Adequately reflect your understanding in writing in the testing spreadsheet.

Review Process and Coaching Notes The project leader is responsible for reviewing the work performed by the interns and staff. Coaching notes may be prepared based on the review for the purpose of providing feedback and suggestions to the staff. Coaching notes can also be prepared by the staff to ask questions of the supervisors. The following include some of the purposes of coaching notes:

• to alert and remind the staff to things that still need to be done • to ask questions and/or to request additional clarification • to provide feedback for future audits • to praise work

Workpaper Review

Effective processes include the review of all workpapers by the Team Lead and Audit Management. Using TeamMate the following review processes are conducted:

• Time budget conducted and reviewed • Planning Memo sent and followed • Audit Program created and approved • Audit Program steps are completed and signed off • Workpaper headings are complete and accurate (Sources identified, and

Nature/Purpose indicated) • Tick marks are defined and cross referenced • Neat and legible workpapers are utilized • Workpapers are necessary • Sampling plans documented



• Tests documented are complete and have a reasonable result • Numerical schedules are footed • Cross-referencing is adequate to draw stated conclusions and results • Audit evidence is sufficient to substantiate report • Objectives stated in planning are accomplished • ‘Notes to Future Auditors’ are documented • Draft report reviewed for substance, grammar and punctuation • Reviewer comments and coaching notes have all been addressed and cleared • Weaknesses communicated to the auditee • Exit conference conducted and documented • Auditee responses included in the draft report. • Audit Recommendation Database has been updated

Coaching notes are always intended to be a means of constructive feedback and should not be regarded as criticism.

REPORTING Audit report procedures are outlined in the standard audit procedures under Reporting. These procedures outline how to document and prepare the following:

• Documentation of Issues • Exit Conferences • Communications with Management • Audit Reporting

ISSUES & AUDIT RECOMMENDATIONS All audit recommendations should have five elements, and TeamMate is designed to ensure that these elements are captured within the Audit Summary - Issues section of the working papers. Note that within TeamMate, the Finding Summary tab should be a brief summary of the finding without the detail that is contained in the Condition tab. 1. Condition (Finding) 2. Criteria 3. Cause 4. Effect 5. Recommendation 1. Condition (Finding -what is wrong?)

A situation that exists. If the finding is properly identified, the client will have no reasonable basis to disagree with the facts that the auditor has gathered. The information regarding the finding should be sufficient, competent, and relevant, and withstand challenge. It must represent the total population or system under review.



Example: The department, with expenses totaling over $7 million, has not reconciled its accounts in over six months.

2. Criteria (What standard is used?)

The standards used to determine if expectations are met. In a few cases, there might not be criteria. In those cases the project leader should be consulted to determine sufficient criteria for the recommendation, such as “best practices.”

Example: Dallas ISD policy (cite policy) requires accounts to be reconciled within 30 days after month end.

3. Cause (Why did it happen?)

Cause explains why something happened. At times, a cause may not be easily identifiable. In those cases, management can be asked.

Example: The department has experienced a 76% turnover in administrative staff in the previous two years causing a delay in the account reconciliation process.

4. Effect (What happened or could happen because the condition differed from the criteria?)

This element helps convince clients and management that the undesirable condition, if permitted to continue, would cause harm in some manner. If dollar values are available, they should always be included.

Example: With over 7 million dollars in transactions not being reconciled, the probability of error or fraud is increased.

5. Recommendations (What should be done?)

This final attribute identifies suggested remedial action and answers the question: "What should be done?" The relationship between the audit recommendation and the underlying cause of the condition should be clear and logical. If a relationship exists, the recommended action will most likely be feasible and appropriately directed. Recommendations in the audit report should state precisely what needs to be changed or fixed. How the change will be made is the client's responsibility. Recommendations should be directed to the individual responsible for taking corrective action.

Example: The department should train the new administrator and allocate time over the next two months to complete reconciliations on all accounts for the



previous two years. This action will ensure appropriateness in charges and strengthen the internal control environment for the department.

In TeamMate, each finding contains a hyperlink in the “Refs” tab and not within the body of the other tabs. In addition: Impact

Issue Disposition: Should be rated as Reportable or Discussion Item/Verbal.

Level of Reportable Finding: This should be N/A for verbal findings, and Priority, High, Medium, or Low as outlined in the most current report template definitions.

Properties

Key Words should be selected from the drop-down menu. You must have at least one, but in some instances may have three.

Title

The title of an issue should be stated in the form of a recommendation and match the final audit report.

Type

The type should match the type stated in the project profile and audit plan.

Level

For a description of risk factors, refer to the guidance at

The project leader should ensure that the wording matches the final report. Recommendations

• The recommendation should match the final audit report. • Management’s responses should be input by the project leader upon receipt. • The estimated date of implementation should be included on the implementation

tab. • Do not change the “State” unless the audit recommendation was implemented

during the course of the audit. • Under Implementation, check the “Track in TeamCentral” ONLY on reportable,

final recommendations that will later be tracked. • Contacts should be added using the “Get” function. If a responsible party is not in

the database, contact the department’s TeamMate Champion. Milestones



Upon completion of the report, the Project Leader should ensure that the milestones are completed as well as the Custom tab.

Confidential Reports

Most audit reports are considered public documents after they have been approved by the Audit Committee.

However, some audit reports are considered confidential and will not be reported online. There are reasons why a report would be exempt from public disclosure:

1. It is Attorney Client Privileged and was conducted at the direction of an attorney, per Federal Rules of Evidence, Rule 501 and Texas Rules of Evidence

2. It discloses information related to security or infrastructure for computers, per Govt. Code Sec. 552.139

3. It is a protected Environmental, Health and Safety audit, per Texas Environmental, Health and Safety Privilege Act, Govt. Code, Sec. 552.125

There are other subject areas that could cause the report to be confidential:

• Homeland Security Act provisions • Safety and Security audit of institution facilities (for example, DKR stadium) • Medicaid fraud • W-2 tax information

The CAE is responsible for submitting the Audit Committee unless the audit report meets the requirements for confidentiality.

Exit Conference The purpose of the exit conference is to inform management of the organization audited about the audit results and the report process, reach agreement on recommendations, and learn of corrective action measures planned or taken to correct any deficiencies disclosed by the audit. If the audit resulted in no recommendations, an exit conference may be waived if the client agrees. The project leader should discuss all audit issues with the CAE before the exit conference is held. The client should expect no surprises during the meeting, as any issues should have already been discussed. Prior to the exit conference, a presentation strategy should be developed. Related issues may be combined, and a presentation sequence should be developed. Both reportable issues as well as verbal comments should be discussed at the exit conference. The project leader is responsible for scheduling the exit conference. The goal is to have supervisory and management personnel at the meeting. The project leader will determine who may be needed at the exit conference in addition to the CAE and Deputy CAE. The project leader should review the audit objectives, scope, and reporting



process before discussing the audit recommendations. Where practical, audit recommendations should then be discussed by the individual who developed the audit recommendations or audited that area. Consideration should also be given to noting any commendable practices or procedures observed. The exit conference discussion should be documented in the review section of TeamMate. Reporting Resources

• Dallas ISD Office of Internal Audit Writing Style Guide: (To be completed)

AUDIT REPORT FOLLOW-UP

As required by the IIA's Standards for the Professional Practice of Internal Auditing, internal auditors “should establish a follow-up process to ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.” One of our primary responsibilities as professional auditors is determining that the auditee takes corrective action on recommendations. This applies in all cases except where "senior management has accepted the risk of not taking action."

Being an integral part of the internal audit process, follow-up should be scheduled along with the other steps necessary to perform the audit. However, specific follow-up activity depends on the results of the audit and can be carried out at the time the report draft is reviewed with concerned management personnel or after the issuance of the report.

To facilitate the follow-up process, Internal Audit maintains within Team Central the outstanding audit comments. This database tracks identifying information about each Internal Audit report or close-out letter along with a summary of each finding in the report or letter, the position responsible for taking corrective action, and the estimated completion date for corrective action. Audit comments issued by external audit groups should be loaded into the database when they are received. The database will also track whether a finding has been corrected, what was done to correct the issue, whether corrective actions should be tested, and the date corrective action was complete.

Once an audit is complete and recommendations have been agreed upon, follow-up is performed based on the estimated due dates set by the client and agreed upon by audit.

For follow-up dates, Team Central tracking will be used.

Procedures

1. The CAE will monitor the due dates of the recommendations in relation to the Audit Committee meetings. The quarterly follow-up will begin about six weeks before each Audit Committee meeting for outstanding recommendations, with a due date of up to four weeks before the meeting. For example, if the Audit



Committee is meeting October 1st, then auditors will follow-up on recommendations due up to August 31.

2. The CAE will assign the project leader of the audit with the task of following up on the audit recommendations, copying the CAE. If the project leader is not available, then an auditor who is familiar with the audit should conduct the follow-up. All communication and documentation related to implementing the recommendations will be put in Team Central.

3. All high-risk recommendations require a higher level of follow-up work, such as retesting, meeting with responsible parties to observe processes, or other verification deemed appropriate. For medium and low risk recommendations, an email from the responsible party will suffice asserting that the recommendation has been completed. Auditors are encouraged to obtain documentation for medium and low risk recommendations when feasible.

4. Once the follow-up audit work is completed, the auditors performing the work

should notify the CAE of the status.

SECURITY AND CONTROL OF WORKPAPERS Based on Performance Standard 2330 – Documenting Information

Physical Control

Workpapers are the auditors' property and should be kept under their control. The auditors should know exactly where manual workpapers and supporting documents are during the conduct of the audit. When not in use, they should be kept in a locked file or otherwise secured so they are not readily available to persons unauthorized to use them. Access to electronic workpapers in TeamMate is controlled by passwords.

Storage

The official database for all files is the TeamMate electronic workpaper system. The department’s paper copies retained by the auditor are strictly for use during the project or audit. After completion of the audit, the TeamMate project will be finalized. At that point no further information can be added to the project. The lead auditor and audit management are responsible to ensure that all appropriate workpaper are referenced and stored within TeamMate prior to finalization. The audit library system of project files is for only those projects or audits that the Chief Audit Executive authorizes.



Retention

Workpapers should be retained in accordance with the District’s record retention policy found at CPC (Legal) and CPC (Local) http://pol.tasb.org/Policy/Code/361?filter=CPC .

Security

Workpapers are confidential and are always to be kept secure. Workpapers are not to be distributed outside of Internal Audit without the written permission of the Chief Audit Executive. Workpapers are exempted from the “Open Records Act.” If distribution is approved, each workpaper should be noted with “CONFIDENTIAL: Audit workpapers. NOT FOR PUBLIC RELEASE.” Texas Government Code Title 5. Open Government Chapter 552 Subchapter A Section 552.116 Exemption: Audit Working Papers

QUALITY ASSURANCE AND IMPROVEMENT Based on Attribute Standard 1300 – Quality Assurance and Improvement Program, Yellow Book Section 3.82

The Chief Audit Executive is responsible for maintaining a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. The program is designed to help Internal Audit add value and improve the organization’s operations.

Internal Audit activity has adopted a process to monitor and assess the overall effectiveness of the quality program. The process includes both internal and external assessments. Internal assessments include ongoing reviews of the performance of the internal audit activity and periodic reviews performed through self-assessment and by others in the organization with knowledge of internal auditing practices. External assessments are conducted in accordance with the IIA Standards.

To meet this goal there are three things to do. First, we must determine what our audit clients want and need. Second, we must meet those needs on time. Finally, and perhaps most important, we must continuously refine the process (our audit practices) of conducting our audit examination.

To continue to improve our audit performance and our contribution to the overall company performance, we have adopted the practice of:

1. Evaluating the technical aspects of each audit project. Specific criteria have been established for grading audit performance. These cover workpaper preparation, soundness of recommendations, and the communication of audit results.

2. Requiring supervisors and managers to evaluate and grade workpapers in several areas including: how well audit scopes and programs address risk areas and risk mitigation activities, how well auditors expand their scope in response to problems noted, clarity of the documentation of audit results, and

http://pol.tasb.org/Policy/Code/361?filter=CPC



how well the recommendation(s) address the cause of the deficiency being reported.

3. Requesting that auditees respond to a questionnaire about the audit process. Questions cover such topics as how well we communicated audit objectives before the audit, how well auditors solicited and responded to the audit client's ideas, and the breadth of the updates during the audit. And the last question asks for three specific changes that we could make to improve the overall audit process.

External assessments, such as quality assurance reviews, are conducted at least once every 5 years by a qualified, independent reviewer (team) from outside the organization.



QUALITY ASSURANCE STEPS FOR PROJECTS Based on Attribute Standard 1300 – Quality Assurance and Improvement Program, Yellow Book Section 3.82

Using TeamMate each project will be assessed for quality. The following parameters will be used for audit quality assurance.

Project Completion and Supervision

1 Have all audit program steps have been completed and signed off by both preparer and reviewer?

2 Have all Coaching notes been adequately addressed or cleared?

3 Have the audit’s objectives been accomplished?

Audit Report and Issues

4 Are the issues documented in the TeamMate workpapers synchronized with the final report as to finding, recommendation, implementation date, tracking in TeamCentral where applicable?

5 Are the issues supported by sufficient, factual, adequate and convincing information so that a prudent, informed person would reach the same conclusions as the auditor?

6 Are reportable issues cross-referenced to the Annotated Final Report (Word) version in the TeamMate “B” section of the workpapers?

Organization and Content

7 Are the workpapers organized so that an experienced auditor with no prior connection to the audit to follow the flow of the audit?

8 Are workpapers able to “stand alone”? (This means that an individual independent of the preparer should be able to determine, for each workpaper, the purpose and conclusion of the document, and how that individual work paper relates to the rest of the workpapers.)

9 Are workpapers concise and serve a useful purpose (i.e. Are program step summary conclusions supported by a single workpaper)?

10 Has irrelevant audit material has been removed from the file?

11 Is cross-referencing across and within workpapers complete and accurate? (e.g., No orphan workpapers)

Individual Workpaper Standards

12 Do workpapers contain a lead sheet or other area documenting the following:



a. Headings - Appropriate headings so they are readily identifiable? (i.e., number and name of audit, audit procedure step, etc.)

b. Source – person, system, location of population and/or other related data related to the testing procedures, date provided by client?

c. Purpose - nature/purpose of audit work performed clearly indicated?

d. Scope – Boundaries of the testing parameters (i.e. population of data, time period, specific accounts, departments, functions)?

e. Sampling Methodology – 100% or technique used to select the data tested from a population?

f. Procedure – description of specific procedures performed?

g. Results – summary explanation or quantification of the results of specific procedures performed?

h. Conclusion – application of the auditor’s judgment, competency, analysis and evaluation of the information gathered during the testing procedure?

13 Are numerical schedules/calculations footed, cross-footed and verified?

14 Are tick marks on workpapers clearly defined and used appropriately and consistently throughout the workpaper?

On a periodic basis (e.g. quarterly, or more frequently as needed) a project will be selected for an in-depth quality review.



CHAPTER 5

ADMINISTRATIVE PROCEDURES

PROFESSIONAL CERTIFICATION, ORGANIZATIONS, AND MEETINGS Based on Attribute Standard 1230 – Continuing Professional Development

To increase the professionalism and credibility of the audit staff, the Internal Audit Department promotes and encourages auditor participation in the following professional certifications:

• CIA – Certified Internal Auditor

• CPA – Certified Public Accountant

• CISA – Certified Information System Auditor

• CTSBS – Certified Texas School Board Business Specialist

• CTSO – Certified Texas School Business Official

• RTSBA – Registered Texas School Business Administrator

Additionally the department encourages staff to consider the following secondary certifications:

• CCSA – Certification in Control Self-Assessment

• CGAP – Certified Government Accounting Professional

• CRMA- Certification in Risk Management Assurance

• CFE – Certified Fraud Examiner

The department allows staff members time to sit for any of the certification examinations.

Professional development through certification, membership, and participation in professional organizations is encouraged. Internal Audit Department funds are available and budgeted to support this activity. Staff members are encouraged to actively attend the Dallas IIA or ISACA Chapter meetings.

NEW EMPLOYEE ORIENTATION Based on Attribute Standard 1200 – Proficiency and Due Professional Care

All new staff members will be afforded the opportunity to become familiar with the district, the Office of Internal Audit, general responsibilities, and the contacts needed to function efficiently.



Internal Audit has developed an Orientation Plan and Checklist to provide new staff transition directives and overview within the Internal Audit department. Topics addressed in the Orientation Plan:

• IIA Standards

• GAO Auditing Standards

• Internal Audit Charter

• Internal Audit Committee Charter

• Internal Audit Manual

• Auditor’s Independence Statement

• General Administrative Policies

• Departmental Contacts

• Audit Procedures

• DISD Employee Handbook

• Current DISD Employee Calendar

Complete knowledge and mastery of the orientation topics are not expected of new staff members at the completion of orientation. However, in the post-orientation period, new employees should understand the basic work rules of the Office. New employees should also grasp Internal Auditing's role and responsibilities, the sources of information and reference materials within the Institution, who can provide the information they seek, and how to become an informed participant. New staff members should be encouraged to make notes and ask questions throughout the orientation process.

Business Cards

Business cards may be ordered by the administrative assistant. The CAE should approve and proof the business card prior to final submission for printing.

PREPARING INDIVIDUAL DEVELOPMENT/TRAINING PLANS

The objective of individual development/training plans is maintenance and improvement of the skills, knowledge, techniques and personal characteristics necessary for state-of-the-art internal auditing and as emphasized by Standard 1210 Proficiency which states that “internal auditors must possess the knowledge, skills, and other competencies



needed to perform their individual responsibilities.” A related objective is personal growth of the individual within the District.

As part of the Annual Performance Appraisal Process, an individual development/training plan will be developed or updated for the upcoming fiscal year for each Department staff member. Training plans should contain at least 40 hours of training for the year.

The individual development/training plans will focus on four related objectives. These objectives are:

• quality audit performance;

• demonstrable skills, knowledge, techniques and personal characteristics useful to the Institution and the auditing function;

• Meeting annual development/training goals; and

• Continuous growth of the individual within the organization. Everyone’s development/training plan will be reassessed and updated annually. This annual update will essentially repeat the process used to prepare the existing development/training plan. The existing development/training plan will serve as a foundation for the current plan. Due to budget restrictions it is possible that not all training will be in the best interest of the Office of Internal Audit. The Chief Audit Executive has final authority to approve or deny requested training. Each auditor will maintain a copy of all training certificates received and will provide the Office with a copy of the certificate as well. The Office will maintain a file on all employee training. Employees are responsible for self-reporting their training hours to their respective associations and State Boards each year and maintaining good standing for their license and certifications . The Chief Audit Executive should be made aware of significant deviations or training milestones not met, and the reasons for under-achievement.

EMPLOYEE PERFORMANCE PLANNING AND APPRAISAL PROCESS

The District values excellence in education and the support services that make it possible. We believe that an ongoing performance management process supports these values by providing a method for employees to understand what is expected, know how they are doing, and see how to sustain excellence.



Overview of the Appraisal Process

Planning Performance: All employees should be clearly informed of the responsibilities and standards upon which their job performance will be evaluated. At or near the start of each appraisal period, the supervisor and employee should meet to discuss the employee’s essential tasks and responsibilities, establish appropriate performance expectations, and clarify how the employee’s performance will be monitored.

Monitoring Performance: Throughout the appraisal period, the supervisor should observe, document, and communicate regularly with the employee about current performance and progress toward achieving or maintaining identified performance expectations.

Reviewing and Discussing Performance: Near the end of the appraisal period, the supervisor should review the employee’s work during the time under consideration; evaluate performance results with the expectations identified in the performance plan; complete the performance appraisal record; and discuss the outcomes with the employee in a private meeting.

PERSONAL CONDUCT AND INDEPENDENCE

The following guidelines are established regarding personal conduct and the confidentiality of audit or business information acquired through audit assignments.

As a member of the Internal Audit Staff, you are representing the highest level of management. Conduct yourself in a manner that reflects favorably upon you and those you represent. You are expected to exercise professional skill, integrity, maturity of behavior, and tact in your relations with others.

In general, you are encouraged to be friendly with all District employees without affecting your objectivity. You should guard against any conduct or mannerisms that present an impression that you consider yourself a "home office expert" sent to check on employees in the field. As far as possible, take the position of an independent/objective analyst and advisor. Avoid the image of policing.

In the course of your assignments, you will be in contact with personnel at all levels of authority and position. At all times independence in mental attitude is to be maintained. Reports resulting from your efforts should always contain full and unbiased disclosure of all but minor audit findings. Although you report to the Internal Audit Activity, you have responsibilities to both management and the personnel being audited.

Much of your work is confidential; therefore, be discreet on and off the job in discussing current or past audits or your personal assessments of audit customers. Judgment should



be exercised in the security of audit work papers, programs, company records, and information always.

Avoid extremes of dress or personal grooming. The following attire is considered inappropriate for the work environment: torn or tattered clothing, shorts, T-shirts, tank tops, halter tops or other revealing clothing; leggings, jumpsuits, sweatshirts, sweatpants, jeans (jeans maybe allotted on special occasion as approved by the CAE), spandex, leggings and athletic garments are not to be worn to the office during work hours.

Professional footwear should always be worn. Slippers, flip-flops, house shoes and or other similar footwear are not considered professional attire. For further guidance see the Districts Employee Standards of Conduct DH (Regulation).

TIMEKEEPING SYSTEM

The District requires all employees to clock in through the biometric time keeping system daily. This system will be utilized for District timekeeping purposes and will be used as the method of record. Below are explanations of different types of time entries:

Auditors are also responsible for recording their time charged to projects and other activities on a weekly basis in the TeamMate timekeeping system. This is used for Office of Internal Audit efficiency monitoring purposes only and is not the official method of timekeeping for record). Audit Time Audit time is hours used in performing audits or projects. Most of the time will be in this category. Audit/project time is tracked by an assigned number. Administrative Time Administrative time is charged for time working on an activity that is not a part of an existing audit engagement. This time is to cover the weekly staff meeting, completing time entry, and professional reading. Other administrative time should be authorized by audit management. Training Training time is used for any training that staff attends that directly relates to the auditing profession or the institution. Hours logged in the system should match the hours on the certificate. Upon entry, a copy of the certificate should be given to the administrative assistant. Leave Leave time is defined in the District’s DEC policies, specifically DEC (Regulation). The regulation is located online at: http://pol.tasb.org/Policy/Code/361?filter=DEC

http://pol.tasb.org/Policy/Code/361?filter=DEC



DISTRICT RECORD RETENTION POLICY The Office of Internal Audit will follow the record retention schedules dictated in CPC (Local) & CPC (Legal) http://pol.tasb.org/Policy/Code/361?filter=CPC CPC (Legal)

RETENTION SCHEDULES

In developing the District’s records retention schedule, the records management officer shall ensure it is consistent with the applicable minimum retention schedules adopted by TSLAC, i.e., Local Schedule GR—Records Common to All Governments, Local Schedule EL—Records of Elections and Voter Registration, Local Schedule TX—Records of Property Taxation, and Local Schedule SD—Records for Public School Districts. 13 TAC 7.125

Note: The TSLAC records retention schedules are available at www.tsl.state.tx.us/slrm/recordspubs/localretention.html.

DESTRUCTION OF RECORDS

A District record may be intentionally destroyed under any of the following conditions:

1. The record is listed on a records control schedule filed with TSLAC and either its retention period has expired, or it has been microfilmed or electronically stored in accordance with legal standards.

2. The record appears on a list of obsolete records approved by TSLAC.

3. A destruction request is filed with and approved by TSLAC for a record not listed on an approved control schedule.

4. The district court issues an expunction order for the destruction or obliteration of the records, pursuant to state law.

5. The records are defined as exempt from scheduling or filing requirements or listed as exempt in a records retention schedule issued by TSLAC.

Local Gov’t Code 202.001

EXCEPTIONS

A District record the subject matter of which is known by the custodian to be the subject of litigation shall not be destroyed until the litigation is settled. A District record that is subject to a request under Chapter 552, Government Code, shall not be destroyed until the request is resolved. Local Gov’t Code 202.002

PRESERVATION OF RECORDS

http://pol.tasb.org/Policy/Code/361?filter=CPC

http://www.tsl.state.tx.us/slrm/recordspubs/localretention.html



The Board shall determine a time for which information that is not currently in use will be preserved, subject to any applicable rule or law governing the destruction and other disposition of local government records or public information. Gov’t Code 552.004

The Board shall preserve the certified agenda or recording of a closed meeting for at least two years after the date of the meeting. If an action involving the meeting is brought within that period, the certified agenda or recording shall be preserved while the action is pending. Gov’t Code 551.104(a)

MICROFILMING

District records may be maintained on microfilm in addition to or instead of paper or other media, subject to the requirements of Chapter 204 of the Local Government Code and rules adopted by TSLAC. Local Gov’t Code 204.002

ELECTRONIC STORAGE

District records may be stored electronically in addition to or instead of source documents in paper or other media, subject to the requirements of Chapter 205 of the Local Government Code and rules adopted by TSLAC. Local Gov’t Code 205.002

FEDERAL INVESTIGATIONS AND BANKRUPTCY

Anyone who knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any bankruptcy case, or in relation to or contemplation of any such matter or case, shall be fined, imprisoned not more than 20 years, or both. 18 U.S.C. 1519

CPC (Local)

The Superintendent of Schools shall oversee the performance of records management functions prescribed by state and federal law:

• Records Management Officer, as prescribed by Local Government Code 203.023 • Records Administrator, as prescribed by Local Government Code 176.001 and

176.007 [See BBFA and CHE] • Officer for Public Information, as prescribed by Government Code 552.201–.204

[See GBAA] • Public Information Coordinator, as prescribed by Government Code 552.012

[See BBD]



GENERAL HOUSEKEEPING POLICIES

Good workplace organization bears a direct relationship to orderly and efficient work habits.

Desks and tables should be kept aligned and desktops and drawers should be kept clean and orderly. When out of the office, material in work areas should be straightened.

Care is to be exercised to avoid exposure of confidential or potentially sensitive documents and data files. Personal computers and network files should also be secured.

Use cabinets, racks, and bookcases only as intended. Cabinets and files can be kept up to standard by removing and replacing material carefully and by not leaving material on top.

Framed or mounted paintings, diplomas, citations, etc., may be hung on walls in enclosed areas.

A No Smoking policy has been adopted in order to create an environment conducive to good working conditions and good health.

Eating areas should be maintained in a clean and orderly condition.

AUDIT MANUAL REVISIONS The Internal Audit Manual should be periodically reviewed and updated at least annually.



CHAPTER 6

INVESTIGATIONS AND FRAUD INDICATORS

FRAUD When fraud is suspected during an audit or any other activity, the CAE should be immediately notified.

INVESTIGATIONS Investigations are an objective review of evidence related to a complaint or allegation. Internal Audit is typically responsible for investigations of “significant suspected fraudulent activity” CFC (Local).

Summaries of hotline calls and investigations will be reported to the Audit Committee. The log includes:

• Outside Hotline (Navex Global) reports, their status and final disposition sufficient to ensure audit committee reporting.

• Requests for investigation, calls, or emails made directly to the Office of Audit and Consulting Services.

• Potential fraud noted in conducting audits or other audit activities.

Investigation Assignment

The CAE is responsible for assigning staff to significant suspected fraudulent activity and is considered the project manager for these investigations. Investigation Strategy

Every fraud investigation will vary greatly in the objectives, scope, and details. However, the following are general procedures that should be reviewed prior to the beginning of each investigation and followed to the extent possible when conducting the investigation.

1. Upon assignment of an investigation, a strategy should be developed in consultation with the CAE. An investigation template from TeamMate TeamStore will be for investigations.

2. Investigations will be documented in TeamMate. a. Planning – this section includes the allegation and planned investigation

procedures. b. Fieldwork – this section includes the details of the procedures performed.

Investigation Guidelines

The following guidelines should always be adhered to:



General 1. All investigative work must be conducted with the utmost professionalism and

discretion. 2. All information obtained during the investigation is to be considered confidential

to the extent allowed by law. The information should be shared with others only when it is necessary to further the investigation.

3. To the extent possible, written correspondence should include a notation informing the reader of its confidentiality.

Interviews

It is best to conduct interviews with another individual if possible. In the event of a criminal investigation, District Police should be consulted. Depending on the investigation, a member of the Human Resources team may also be involved. Evidence

In most circumstances, copies of documentation can be used as evidence; however, for criminal violations, original documents should be obtained and secured by Internal Audit. A chain of custody form should be completed when custody is taken and should be continuously updated. A sample form is located under Auditor Resources, and this should be included as part of the working papers in its final format. Texas Public Information Act

All state agencies are required to follow Texas Government Code, Chapter 552, Public Information. Audit working papers may be excepted from the provisions of the Act. Texas Education Code, Section 51.971, Compliance Program, states that certain information can be excepted from public disclosure. Resources

• The Association of Certified Fraud Examiners: https://www.acfe.com/fraud-resources.aspx

• The IIA Fraud Resources: https://na.theiia.org/standards-guidance/topics/pages/fraud.aspx

Investigations Results

Results of investigations will vary depending on the investigation. Consult with the CAE before determining the distribution. In some cases, especially involving criminal activity, the results may be reported directly to the Police.

Summaries of investigation results will be shared at a high level on a case by case basis to the Audit Committee.

https://www.acfe.com/fraud-resources.aspx

https://www.acfe.com/fraud-resources.aspx

https://na.theiia.org/standards-guidance/topics/pages/fraud.aspx

https://na.theiia.org/standards-guidance/topics/pages/fraud.aspx

AUDIT MANUAL - BoardDocs

Documents

Transcript of AUDIT MANUAL - BoardDocs