Rice AUDITING A-Z. A-Z..pdf4/25/19 1 AUDITING A-Z Randall Rice CPA CISA CIO DABFA CBM CGMA CITP...
Transcript of Rice AUDITING A-Z. A-Z..pdf4/25/19 1 AUDITING A-Z Randall Rice CPA CISA CIO DABFA CBM CGMA CITP...
-
4/25/19
1
AUDITING A-Z
Randall Rice CPA CISA CIO DABFA CBM CGMA CITPCounty Auditor, Galveston County
-
4/25/19
2
Auditing A-Z
uFailure in auditing is defined as spending too
much time looking at something no one cares
about.
uDo you spend your time doing meaningless things
by simply repeating the procedures of your
predecessors, who did what their predecessors
did, and so on?
u Is your report boring because you don’t have
anything relevant to say?
Definition of an Auditor
An independent professional who
concludes whether a subject matter
meets an agreed-upon criteria by
gathering evidence through
performing custom-designed audit
methodologies.
-
4/25/19
3
Basic Audit Functions u Identify the Audit Universe
uEstablish an Audit Plan
uPerform a Risk Assessment
uDetermine the Audit Calendar
uEstablish Audit Objectives and Scope
uCreate Tests to Gather Evidence
u Identify Failures to Comply with Controls
uReport Failures
Audit Universe
u Audit Universe must be defined before risk assessment can be done
u Largely determined by statutes; may be expanded
u Statutory minimum includes all county offices collecting money:
Accounts Payable Engineer Parking Facilities Social Services
Adult Probation Fire Marshall Parks and Recreation Sheriff-Bail Bond
Collection Improvement Grant Programs Personal Bond Office Sheriff-Commissary
Constables Health Department Pretrial Services Sheriff-Inmate Trust
County Attorney Housing Assistance Public Libraries Sheriff-Jail Operations
County Clerk Justice of the Peace Recycling Programs Tax Assessor/Collector
District Attorney Juvenile Probation Retiree Health Insurance
Toll Road Authority
District Clerk Law Library Right of Way Treasurer
Elections Medical Examiner Seized/Forfeited Assets
Vendor Documentation
-
4/25/19
4
Audit Universe
u Non-statutory audits include:
Administrative Services Fixed Assets Purchasing Contracts
Children’s Services Grant Subrecipient Monitoring Risk Management
Concessionaire Agreements Hospital District Scrap Auction and Sales
Construction Activity Insurance Sheriff’s Sales-Forfeited Assets
Economic Development Inventory Testing Assistance-External Auditors
Emergency Management Jury – Cash Payouts Health Benefit/Claims Paid
Emergency Medical Services Lease Agreements Vehicle Maintenance
FEMA Funding Port/Navigation District Volunteer Fire Department
Identify available resources
NAME TITLE AVAILABLETOTALHOURS
HOLIDAYHOURS
VACATIONHOURS
NON-AUDITHOURS
AVAILABLEAUDIT HOURS
Smith County Auditor 2,080 (80) (80) (1,200) 720
Jones Audit Manager 2,080 (80) (80) (320) 1,600
Thomas Auditor 2,080 (80) (120) (60) 1,820
Perkins Auditor 2,080 (80) (80) (60) 1,860
Wilson Auditor (PT) 1,040 (40) 0 (20) 980
TOTAL 9,360 (360) (360) (1,660) 6,980
-
4/25/19
5
Create the Audit Plan
u Identify the departments or processes to audit
uWhat are we concerned about? (The objectives)
uWhat will we audit? (The scope)
uWhat documents are needed? (The methodology, i.e., flowcharts, narratives, ICQ’s, etc.)
uWhat will we do? (The audit program)
uWhen do we start? (The audit calendar)
uHow long will it take? (The resources available)
Audit Flow - Follow the Arrows
-
4/25/19
6
Golden Rule of Risk Assessment
Auditor’s Prayer:
"Lord, if something is out there,
please let me find it.
And, if it is there and I don't find it,
don't let anyone else find it.“
Risk components
u Three types of risk
uControl
u Inherent
uDetection
uControl Risk - risk an error may occur in an account balance or class of transactions and that could be
material...[and] will not be prevented or detected
on a timely basis by the internal control structure.
This is a function of the effectiveness of internal
controls.
-
4/25/19
7
Risk components
u Inherent Risk - susceptibility of an account balance or
class of transactions to an error that could be
material
uDetection Risk - risk procedures will lead to a
conclusion that error in an account balance or class
of transactions could be material. This is a function
of the effectiveness of audit procedures.
Risk factors (See handouts 1-2 for sample evaluation of risks and problem areas for Justice of the Peace and numerical assignment of risks for several JP offices.)
u Frequency and quality of auditing:
uYou control the effect of this risk, based on how often and
how well the audit is performed.
u Size and complexity of auditee's operations:
uGenerally, the larger and more complex, the more risk errors
or fraud can be material, because there is more exposure.
u Managerial attitudes and morale in the auditee's office:
uManager does nothing or everything, ineffective
communication, lacks integrity, overly oppressive.
-
4/25/19
8
Risk factors
u Employee attitudes and morale in the auditee's office.
u In an office where the employees are truly overworked, or
just think they are overworked, or even if they are
unhappy for other reasons, it is easy to rationalize setting
aside some of the cash receipts for themselves.
u External factors such as the press, controversy, politics,
etc.
uThis can produce high visibility risk. If the press is pursuing
a problem in an official's office - the county auditor better
find it before they do!
Allocation of audit resources
u After determining available man-hours and assessing
the risk, prepare a table using the audit plan with
the audit risk and total audit hours to be used for
each auditee.
uNote
uJust because audit risk on a particular auditee is
high, a large amount of time should not be
arbitrarily assigned to its audit.
-
4/25/19
9
Allocation of audit resources
uRemember:
uTime assigned based on time required to complete the
steps in an audit program.
uThe following matrix is an example and in no way
indicates the hours allocated are reasonable for any
given auditee.
uAlso, audit risk is shown as high, moderate or low. You
could decided to rank using 1 to 10. Any approach is
acceptable as results are justifiable.
AUDITEE AUDITRISKTOTAL HOURS SMITH JONES THOMAS PERKINS WILSON
Tax Assessor High 1,420
County Clerk Moderate 1,080
District Clerk Low 700
Justice of the Peace, Pct. 1 High 960
Justice of the Peace, Pct. 2 Low 720
Sheriff -Commissary High 680
Sheriff - Bail Bonds Low 620
Juvenile Probation Moderate 400
CUSHION FOR REQUESTED OR FRAUD AUDITS
N/A 400
TOTALS 6,980 0 0 0 0 0
-
4/25/19
10
AUDITEE AUDITRISKTOTAL HOURS SMITH JONES THOMAS PERKINS WILSON
Tax Assessor High 1,420 185 500 580 155County Clerk Moderate 1,080 75 200 580 225
District Clerk Low 700 30 100 570
Justice of Peace Pct. 1 High 960 80 200 670 10
Justice of Peace Pct. 2 Low 720 10 100 430 180
Sheriff - Commissary High 680 50 180 300 150Sheriff - Bail Bonds Low 620 10 120 400 90Juvenile Probation Moderate 400 40 40 150 170
Cushion For Requested Or Fraud Audits N/A 400 240 160
TOTAL 6,980 720 1,600 1,820 1,860 980
Audit Protocol – what to do in what order
Planning Phase
1. Planning Memo/Narrative
2. Assign Staff
3. Initial Client Contact
4. Complete Analytical Review
5. Pre-fieldwork Meeting
6. Entrance Conference
7. Engagement Letter
8. Prepare/Update Audit Program
Fieldwork Phase
9. Start Fieldwork
10. Conduct Internal Control Review
11. Conduct Interviews
12. Document Interviews
13. Evaluate Controls
14. Tollgate Meeting
15. Test Work
16. Complete Workpapers
17. Work Paper Review/Clearance
18. Findings and Recommendations
-
4/25/19
11
Audit Protocol – what to do in what order
Report Phase
19. Draft Audit Report
20. Review Draft Report – Audit
Manager
21. Review Draft Report – County
Auditor
22. Exit Conference
23. Client’s Responses
Publication Phase
25.Printing
26.Distribution
27.Final Audit Report
28.Physical Files
29.Electronic Files
Post Audit Phase
30.Post Audit Evaluation
31.Update Risk Assessment
Tools and techniques
uPreliminary Survey – accumulate information about office or function audited. Clarify expected outcomes, including:uPurpose of that specific audituEngagement objectives, scope and timinguProcesses to be auditeduArea objectives, related risks and controlsuInternal audit resources to be useduRelevant standards and statutes
-
4/25/19
12
Analytical Reviewu Examination of operations of auditee to find significant
or unusual relationships or changes.
u Allows auditor to step back and look at the forest, not just the trees and leaves:
uDoes the forest look like a forest should look?
uAre there “holes” in the forest where they should not be, or are there trees where “holes” should be?
uHas the forest grown since last viewing?
uHas the mix of trees changed, indicating a new direction?
Analytical Review
u At Galveston County, we flowchart each office and then use
that to look at the “forest.”
u In a JP office, we look and graph 5 years of data to see
what changes have occurred:
Citations filed in the court Number/Amount of refunds issued
Number/Amount of fines
collected
Number of employees
Fines dismissed Staff turnover
Number of receipts issued Cash collections compared to
check collections
-
4/25/19
13
Review of past audit documentsuProvides familiarity with area being auditeduOffers overview of what to expectuShows how others have approached the auditu Identifies problems found and reporteduReveals status of actions taken or not takenuReveals strengths previously identifiedu Identifies other activities for evaluation
Document and review current items Organizational information Project plans
Recent changes in the organization, including major system changes
Budget information, operating results, and financial data reviewed
Job descriptions Performance Reports
Authority and responsibility External audit results
Attorney General Opinions or Letter Responses
Commissioners Court agenda items affecting auditee
Objectives and goals for the organization overall
Risk management evaluations
Procedural manuals, instructions and directives, especially for state associations
Public documents relating to the area under audit
-
4/25/19
14
Preliminary surveyPrepare a one- or two-page report summarizing the operation reviewed, the work performed, an initial opinion about the risks and controls, and recommendations for staffing the engagement. The summary includes:
uSignificant engagement issues and reasons for in-depth reviewuEngagement objectives and proceduresuMethodologies to be used, such as CAAT (computer aided audit
tools) and sampling techniquesuPotential critical control points and/or control deficienciesuWhen applicable, reasons for not continuing the engagement or
for significantly modifying engagement objectives
Audit Objectives and Scopeu Audit Objectives
uWhat the audit is intended to accomplish
u Identifies the audit subject matter and performance aspects
uThink of objectives as questions about the program that you will answer based on the evidence obtained and assessed against criteria
u Audit Scope
uBoundary of the audit
uDefines subject matter to be assessed and reported on
u Objective and scope defines what the audit is and is not
-
4/25/19
15
Audit Methodology
uDescribes nature and extent of audit procedures
for gathering and analyzing evidence
uAudit procedures are the specific steps and tests
performed to address the audit objectives
uDesign methodology to obtain reasonable assurance
the evidence collected is sufficient and appropriate
to support your findings and conclusions and to
reduce risk to an acceptable level
u See handouts 3-7 for Audit Programs, interview questions, and ways to gather audit
evidence
Internal Control Evaluation
uAdequate internal control evaluation is the
backbone of audit planning.
u It is the primary basis for assessing the various risks
related to each auditee.
u Internal controls are not a guarantee, because a
system of internal controls should be cost
effective.
uThe cost should not outweigh the benefits.
-
4/25/19
16
Internal Control Evaluation
Evaluation is to give assurance that controls:
u are established by management
u consist of documented policies and procedures
u actually function as designed and can accurately:
uProvide reliable information
uSafeguard assets and records
uEncourage adherence to prescribed policies,
procedures, laws and regulations
uPromote operational efficiency
uAccomplish established objectives and goals
Control Activities
uCompliance is not optional
uControl breakdowns still occur because of
uError
uBad judgment
uCollusion
uManagement override
-
4/25/19
17
Types of Controls
uPersonneluTraining
uPerformance Indicators
uOrganization controls: uSegregation of Duties
uWell-Designed Policies & Procedures
uTrained Backups
uPhysical Access
uData Processing:u Input / Output
uControl Totals
uAccess
uMonitoring: uOn-going
uActive Reviews
Conduct sampling
u If available, use CAAT’s for 100% transaction tests.
u If not, use samples to select a subset that provides a
reasonably accurate reflection of whole population.
uSampling is 1) Statistical or 2) Judgmental (non-
statistical)
uSampling selection is influenced by audit objective,
type of data, nature of the population, and practical
considerations such as cost and time.
uSpell out sampling technique in the scope statement.
-
4/25/19
18
Sampling
u Samples are selected according to the auditor’s informed
assessment of how many samples will be required to yield a
reasonably reliable result given the type of population and
audit objective.
u Sampling may be carried out:
uSystematically (e.g., every nth item, beginning with
number x)
uUnsystematically (e.g., pulling files from a file cabinet with
no selection criteria)
uAccording to the auditor’s judgment (e.g., picking large or
unusual items from a computer report)
Judgmental Sampling
uAdvantages/disadvantages of non-statistical sampling:
uGives the auditor the flexibility to use professional judgment to select the items that most need
testing
uCan be designed to achieve cost-effective, reasonably reliable results
uMay lead to auditing too many, or too few, items
uDepends on experience and insight of auditor for its effectiveness
-
4/25/19
19
Narratives
u Should address, but not be limited to, the following
subjects:
uWho or what initiates a transaction.
uDivision of tasks into logical, understandable parts.
uSegregation of incompatible duties between
personnel.
uFlow of documents from their creation to disposition.
The disposition of all copies of a multi-copy document
should be addressed.
uWho records transactions.
FlowchartinguA flowchart is a symbolic representation for a
system or a series of sequential processes.
Preparation of flowchart enables an auditor to
quickly appraise the effectiveness of internal
controls and complements the detailed written
narratives of procedures or questionnaires.
uThere is a handout (#8) of most common
flowchart symbols used.
-
4/25/19
20
Flowcharting
u Basic concepts of systems flowcharting:
uBasic flowcharting symbols are adequate, with
interjection of limited custom symbols, to prepare a
complete and effective systems flowchart.
uEvery flowchart must begin with terminal symbols
indicating where the process begins and where it ends.
uThe annotation symbol is used when a further
explanation is made for a process, document, file, etc.
uWhenever document is created or comes into a
flowchart it must be followed through to disposition. It
must either be filed, delivered, mailed or destroyed.
Gather audit evidenceu Inquiry
uObservation
u Inspection
uVouching
uTracing
uRe-perform
uAnalytical procedures
uConfirmation
NOTE: see handout for a description and examples of gathering audit evidence.
We will not look at using the computer to gather evidence. That is another class. See the SmartSheet for assistance on this aspect of auditing.
-
4/25/19
21
Evidence sources
uAudit evidence. Facts used to support audit opinions, conclusions, and recommendations – can be physical,
documentary, representational, or analytical.
uPhysical evidence. This is generally considered more reliable than the testimony of a person. It includes
statements of observers, photographs, charts, maps,
graphs, or other pictures.
Evidence sources
uDocumentary evidence. This is the most common type of audit evidence. It can be recorded in other media than
paper and includes, among other examples:
Letters Process flows, including flowcharts
Memos Program listings
E-mails Activity and control logs
Invoices (external) and accounting
records
Systems development
documentation
-
4/25/19
22
Evaluate evidence – ask four questions:
u Is it sufficient? Sufficient information is factual, adequate,
and convincing so that a prudent, informed person would reach
the same conclusion as the auditor.
u Is it reliable? Reliable information is the best attainable
information through the use of appropriate engagement
techniques.
u Is it relevant? Relevant information supports engagement
observations and recommendations and is consistent with the
objectives for the engagement.
u Is it useful? Useful information helps the organization meet its
goals.
Documentation / work papers
u Work papers, by definition, should contain the work done
during the engagement. That includes virtually everything
committed to paper or entered into a computer, from initial
plans through the final report – graphics and photos included –
and other physical or electronic documents.
u What is the best test of your work papers? They should
document the audit’s objectives and methods so thoroughly
that a new auditor added to the project at any point could fully
comprehend the engagement from the work papers and bring
the audit to a successful conclusion.
-
4/25/19
23
Sample file index
1 Audit work order Shows auditee, audit date, type, auditor, comments, time budget
2 Audit program Uses audit programs in permanent files for planning and tracking
3 Reportable conditions Point sheet with weaknesses, discrepancies, violations, etc.
5 Audit report Signed audit report and reply from auditee; no drafts here10 Notes for subsequent
auditsComments, pending legislation, extra attention needed
2x Copies of reportsgenerated by auditee
Reports from auditee to auditor’s office and reports issued to state or other agencies; cross reference to supporting work papers
3x General ledger analysis Trial balance and balance sheet analysis pages
Sample file index
4x Bank activity Bank recons and/or proofs of cash; misc. bank reports included
5x Cash counts Count forms with date, on hand, required cash balance, signed
60 Receipts tests Receipt work paper; if samples used, full documentation required
70 Disbursements tests Disbursement work paper; if samples used, documentation required
80 Confirmations Sample procedures, confirmations, responses, discrepancies
100 Fixed assets Fixed asset listing; notes on observations at auditee office
110 Payroll handout
-
4/25/19
24
Other filesuAdministrative Files. Administrative files contain
past and current audit calendars and a master file of blank audit forms. Current audit calendars show assigned audit dates. Historical calendars show audit schedules.
Other filesuPermanent Files. Permanent files accumulate data that
remains unchanged between audit periods and relates to
a particular auditee. Each auditee has a permanent
file. The permanent file serves four primary purposes:
u To refresh auditor's memory concerning auditee history.
u To serve as an audit summary for successor auditors when rotation occurs.
u To preserve work papers on items showing few or no changes over time.
u To serve as evidence of auditor's knowledge of the auditee. Knowledge allows the auditor to do an audit that meets auditing standards.
-
4/25/19
25
Permanent filesuOffice Overview. Describes statutory and non-statutory
office functions; receipt and disbursement descriptions trace funds from receipt to disbursement. Overview documentation shows amounts collected and disbursed to other fee officers, County, State or other entities. Flowcharts are here.
uPersonnel and Office Organization. Includes organization chart w/position titles, hierarchy of responsibility, accountability and authority and employee names to identify employees' position within the organizational structure.
Permanent files
u Contracts. Includes photocopies of all auditee office
contracts.
u Statutes. Includes copies of the code and association
documents for the auditee.
u Audit Programs. Master copy of full and limited scope audit
programs used.
u Systems Documentation. Includes sample forms and
documentation of systems.
u Audit Log. Summary of audits previously done on the auditee.
u Audit Reports. Copies of issued audit reports and responses.
-
4/25/19
26
So – Let’s Review the
A-Z of Auditing
Before any audit program is started:
uYour role is to:
u be independent
u gather knowledge and information
u report the results of findings, analyses and recommendations
uUnderstand the audit universe:
u statutory and mandatory audits
u non-statutory audits
uEstablish the audit plan for the year:
u determine available resources and assignments
u update the risk assessment
u prepare analytical review of each auditee
-
4/25/19
27
Now – Do the Auditu Determine Audit Objectivesu Prepare Preliminary Review
uUnderstand officeuReview prior auditsu Interview office holder
u Perform the Field WorkuReview internal controlsuDevelop audit programuPerform audit program stepsu Identify and evaluate findingsuPerform additional audit procedures
Complete the Audit
uPerform Substantive Tests:
uAccount balances are valid and proper
uTransactions are valid and proper
uReceipts and disbursements in accounts are valid
and properly classified
uReach Conclusions:
uKeep conclusions simple and to the point
uLogically organize the evidence
uPresent the basis for the conclusion
-
4/25/19
28
Elements of a finding
u Auditor’s focus – risks, negative events and issues to be fixed
u For each finding, ask these questions:
uWhat is the current state of affairs? (the “condition”
uWhat should be the current state of affairs? (the “criteria”)
uWhat has caused the current state of affairs? (the “cause”)
uWhy is the current state of affairs undesirable? (the “effect”)
uWhat should be done to correct the current state of affairs?
(the “recommendation”)
Prepare the Audit ReportuReview reportable conditions point sheets
uWrite preliminary audit report
uHold an exit conference and present preliminary audit report
uRequest acknowledgement letter from auditee
u Issue audit report signed by county auditor
-
4/25/19
29
Wrap up the audit
uClosure
uRequest audit effectiveness questionnaire from
auditee to rate audit staff (see handout)
uFile cleanup
uFinal review
uFiling work papers
Audit AuthoritiesGAO –Yellow Book (GAS & GAGAS)
® Primarily for External Auditors of Federal money
® Good guidance for County Auditors where Applicable
GASB – GAAP State & Local Government
u Mainly for preparation of CAFR
AICPA – (SAS) for CPAs Auditing
u Mainly for CPA firms writing Audit Opinions
® Good guidance for County Auditors where Applicable
Institute of Internal Auditors (IIA) – Red Book
u For all internal auditors (corporate & non-profit)
u Good guidance for County Auditors where Applicable
-
4/25/19
30
Auditing A-Z
u TACA Handbook for the County Auditor in Texas
u Available on SmartSheet for all County Auditor offices
u Chapter 8 – Auditing
u Audit Statutes and Responsibilities
u Audit Authority
u Audit and Approval of Claims
u Chapter 9 – Sample Audit Programs
u Over 200 audit programs for different offices
u Most are in Word
u Easily adaptable to your county
CH. 8 Auditing
u 8-1 Introduction to Auditing
u 8-2 County Auditor’s Audit Function
u 8-3 Audit Standards
u 8-4 Internal Control Environment
u 8-5 Tools and Techniques for Internal Audit Engagements
u 8-6 Documentation Work Papers
u 8-7 The Audit Engagement
u 8-7.1 Sample Audit Work Plan Checklist
u 8-7.2 Sample Audit Effectiveness Questionnaire
-
4/25/19
31
Ch. 9 Sample Audit Programsu Accounts Payableu Child Protective Services
u Collection Improvement
u Community Supervision
u Constable Offices
u Continuous Auditing
u Control Self Assessmentu County Attorney
u County Clerk
u District Attorneyu District Clerk
u Engineering
u Fixed Assets
u Fleet
u Fraud Risk
u GASB Audit u Grants
u Human Resources
Ch. 9 Sample Audit Programsu Indigent Defense
u Information Technology
u Internal Audit Programs
u Internal Controls
u Justice of the Peace
u Juvenile Probation
u Parks and Recreation
u Payroll
u Purchasing
u Risk Assessment
u Road and Bridge
u Security
u Sheriffs Office
u Social Services
u Tax Assessor-Collector
u Treasurer
u Unclaimed Property