Workpaper Documentation


8/8/2019 Workpaper Documentation

http://slidepdf.com/reader/full/workpaper-documentation 1/26

WORKPAPER DOCUMENTATION


DEFINING THE NECESSITY AND NATURE OF AUDIT WORKPAPERS

Workpapers are the direct end product of the internal audit staff’s work and effort. The workpapers demonstrate what was done – what was found – and what was confirmed. Elected officials, news media and the public in many instances only see, or rather ask to see, the end product of the internal audit effort – the three or four paragraph report. The workpapers are usually never examined, and the effort usually never sees the light of day. That is, until the documentation comes into question – either by the commissioners’ court – by the district attorney – and/or by a court of review or inquiry.

Internal audit workpapers provide various levels of usefulness:

A. During the audit, adequately prepared workpapers provide:
1. Guidance as to the objective of the examination
2. Guidance as to the sequence of steps and development of assurance
3. Documentation that the office being evaluated has conformed to statutory requirements
4. Documentation that accounting policies and procedures are being conformed with, and
5. Documentation that the county auditor’s office has performed the duties of the office as required by existing state statutes.

B. After the audit is completed, the workpapers provide:
1. Evidence that supports the findings as reported
2. Evidence that the internal audit was performed following established and accepted methodology
3. Evidence concerning the need to conform to the state statutes
4. Evidence which can be relied on by the external auditors, and
5. In the event the auditee finds himself or herself in court trying to defend the findings, the workpapers provide an excellent defense and support for the report’s findings.

Professional internal auditing standards have over the years established some basic guidelines and requirements concerning the preparation and maintenance of adequate workpapers. There is currently no requirement in the state statutes that indicates, “You shall create and maintain workpapers to support audit findings.” However, there are recognized professional standards that say that the quantity, form and content of workpapers may vary with the circumstances, but the workpapers should be sufficient to show that:

1. There was an objective to the internal review
2. That the review performed achieved the objective
3. That applicable standards of field work were observed
4. That records reviewed agreed with, or could be reconciled to financial information as reported
5. That planning and supervision appeared to be adequate
6. That there was sufficient understanding of the internal control structure, and
7. That the audit evidence obtained and the testing performed provided sufficient, competent and evidential matter to support the final report.


Each county auditor’s office is going to establish specific workpaper policies related to the type of engagement that is to be undertaken. In many instances these policies are verbal and passed down from auditor to auditor. Thus, the process follows the old axiom of “that is the way we have always done it.” However, if an office is going to introduce some form of quality control in fulfilling its statutory responsibility, then the workpaper policy should be reduced to writing. A written policy sets the requirement for written internal review programs, which then allows the auditor to examine the nature, extent and timing of the work to be performed.

In many instances having a checklist that the auditor can follow will provide some assurance that the process is followed consistently with each office.

This presentation focuses on the internal auditor function in a county auditor’s office.

All county auditor offices need to be cognizant of the fact that all federal grants require elaborate workpaper documentation. Accounting records are not sufficient in many instances.

The nature of workpapers provides:
1. Documentation that departmental procedures were followed – tests were performed – information was obtained, and that a conclusion was developed
2. The foundation for the auditor’s opinion related to the review
3. Foundation for how much importance should be attributed to the evidence accumulated
4. Evidence as to how problems and errors noted were corrected and/or resolved

Workpapers and internal audit programs must be adaptable to the needs of the review being conducted. Not all offices function in the same manner. Not all offices are required to follow the same set of statutory standards. Not all grants require the same functionality to be present. As a result, audit programs need to be flexible.

The workpapers as prepared should tell whoever is doing the reviewing and/or examination a story. They should communicate what was done and document what was found. A well prepared set of workpapers (i.e. complete and accurate) will be able to stand on its own – that is to say, they don’t need anyone to explain them to the reviewer or to the jury.

Workpapers are anything that the auditor conducting the review deems to be necessary to enable him/her to render a statement regarding the financial and/or operational objective that was being tested and reviewed. Workpapers might include, for example:
A program of work
An internal control evaluation
A checklist of required steps
An analytical review for some function
Direct confirmations
Copies of receipts
Computer print outs


WORKPAPER CONTENT

No two auditors will prepare workpapers using the same structure; however, there are some general rules that governmental internal auditors can agree on.

Workpapers consist of anything that the auditor retains and/or creates to document that the review conducted met certain established requirements and developed support for the fact that federal guidelines, state statutes, budgetary constraints, financial accountability, and/or county policy was being complied with. Properly designed workpapers can help to identify adequately performing control structure as well as inadequately performing controls. Properly designed workpapers can assist in evaluating the apparent risks that exist. Properly designed workpapers can provide the support for the suggestions to improve the office’s internal control.

Workpapers should:

1. Provide corroboration of the amounts appearing in financial reports and statements
2. Record the review conducted, the tests performed that are required for the particular engagement
3. Provide information that would allow the reviewer to evaluate the job performances of the personnel performing the review, and
4. Provide a starting point for the subsequent reviews to be performed.

There are usually two types of workpaper files – permanent and current. Permanent files are files that contain information and matters that are important to each year’s audit: information that isn’t expected to change materially from year to year. Examples would be location of the office, office policies, contractual agreements for service, required reports to be filed, statutory compliance check lists, copies of prior years’ reports, fixed asset responsibility, etc.

Current files would constitute the workpapers the auditor prepares to support the conclusions for the report written. Current files include the audit program, the internal control evaluation, tests performed, analytical schedules developed, bank and account reconciliations, copies of support documents, computer print outs, memorandums as to discussions held, confirmations, review of budgetary compliance, etc.

Every workpaper should contain as a minimum:

1. A heading that clearly designates the name of the office, the county, a description of the contents of the workpaper and the date(s) of the period being reviewed
2. An indication as to who prepared the workpaper and the date of preparation
3. If the schedule was prepared by the office, the notation “PBC” indicates that the workpaper was “prepared by client”
4. The source where the information contained in the workpaper came from – cash receipts ledger, court docket, disbursements journal, payroll ledger, etc., and
5. The nature and extent of the work performed should be indicated through narrative description, symbols, tick marks or combination thereof.
6. Conclusions reached should be clearly stated and supported
7. That all doubts and/or problems were resolved
8. Indexing and cross referencing


If tick marks are used, they can save the auditor time and space – and standard tick marks should be adopted, and a legend of those tick marks should be available for the reviewer. Each tick mark should be clearly explained. Tick marks should be simple, distinctive and clear so that they can be quickly written by the preparer and easily discerned by the reviewer. Some tick marks commonly used are:

Footed

Cross footed

Calculation checked

Agreed to ____________

Traced to financial report

Traced to ____________

Examined supporting documents

Examined cancelled check

See footnote # ________

As a last issue, all workpapers should be indexed and cross-referenced where necessary. Indexing of workpapers is going to vary from office to office. Many prefer an alpha sequence, while others prefer a numerical. However, it is common to find both an alpha and numerical sequence of indexing being used. The following is an example of indexing:

Section   Section Area
A         Reports
B         Administration
C         Communication
D         Audit Program
E         Planning
F         Assets
I         Internal Control
L         Search for Unrecorded Liabilities
R         Revenue Analysis
X         Expenditure Analysis
Z         Other/Miscellaneous


Section Area                 General Subject
Reports                 10   Financial Reports
                        12   Expenditure Report
                        13   Original Budget
                        14   Budget Adjustments
                        18   Elements of Disclosure
Administration          20   Engagement Control Checklists
                        26   Memos re: Matters of Concern
                        28   Comm. Court Minutes
Communication           30   Communications With Depart.
                        32   Confirmations
                        34   Certifications
Audit Program           40   Control Document
                        44   Time Sheets
Planning                50   Planning Memos
Assets                  60   Cash
                        62   Fixed Assets
Internal Control        70   Control Environment
                        72   Revenue Cycle
                        73   Expenditure Cycle
                        74   Purchasing Cycle
                        75   Payroll Cycle
                        78   Risk Analysis
Search For Liabilities  80   Expenditures
                        82   Lease Analysis
                        84   Prepaids
                        86   Trust Accounts
                        88   Search For Unrecorded Lib.
Revenue Analysis        140  Substantive Test of Receipts
                        142  Substantive Test of Docket
                        144  Substantive Test of Revenue
                        148  Review of Receivables
Expenditure Analysis    170  Budgetary Analysis
                        172  Expenditure Support
                        176  Payroll Analysis
Other/Miscellaneous     190  Other

As a general rule workpapers are not subject to open records purview until the report is issued.

As a general rule workpapers should be retained for a minimum of 7 years, and probably as long as 10 years.


DOCUMENTATION OF PLANNING AND SUPERVISION

The internal audit workpapers should demonstrate that the three generally accepted standards of fieldwork have been met – planning and supervision, internal control evaluation, and evidential matter. The first standard only suggests that there needs to be documentation that the work of the review was adequately planned and that supervision had been provided.

To meet the criteria of being able to demonstrate adequate planning and supervision does not require many specific workpaper requirements. Some of the more common and generally suggested are:

1. Audit Programs
An audit program is essentially a list of procedures to be followed and is usually in writing. They are generally divided into logical segments as to the area of the review’s focus. The program allows the reviewer to be able to compare the level of work required to the level of work done. Some programs are highly detailed, while some are very general in nature and allow the auditor the ability to insert some flexibility. The program will usually require the staff person performing the function to sign off on those requirements completed, and cross reference the program to the workpaper supporting the function.

2. Preliminary Analytical Procedures
It should always be a requirement that the auditor apply analytical procedures in planning the audit. A basic premise in the application of analytical procedures is that plausible relationships among data may reasonably be expected to continue in the absence of known conditions to the contrary. Preliminary analytical procedures are intended to enhance the auditor’s understanding of the office being reviewed – the office’s transactions and events that have occurred since the last review. The analytical procedure process may alert the auditor to areas of risk that had not been present at the time of the last review. Analytical procedures will look for unusual transactions and events – examining ratios and trends in a narrative or in the form of a worksheet.

3. Risk and Materiality
Audit risk needs to be evaluated at the department level – at the county level – and at the auditor’s level. Risk is the concept that the auditor, the department, the county will unknowingly fail to catch an error, a mistake, an irregularity that is material to financial reports or the management of the department. Workpapers will often include documentation that the auditor considered the influence of audit risk in the application of procedures. The auditor will generally plan the greater portion of labor hours to be concentrated on those departments that present the greatest risk, and in those departments the areas that present the highest potential risk. Those areas of highest risk, and the auditor’s response to them, should always be documented. The audit strategy to address the risk should be clearly stated.


Before addressing risk assessment the internal auditor should indicate how materiality is going to be addressed. Materiality should be considered and addressed during the planning of the review to determine the nature, timing and extent of tests to be performed. In addressing the scope of the review the level of events should be reduced to a level which would provide the reviewer with a low risk of overlooking an element or a happenstance that would dramatically affect the financial or management review that is being conducted. Setting a level of materiality ensures that the auditor will do enough work to find misstatements. There is no authoritative rule of thumb or measure of materiality – materiality is strictly based on professional judgment.

Risk assessment should be performed on each office individually and attributes should be classified as either inherent risks or control risks. Steps to be taken could be broken down as follows:

GENERAL RISK ASSESSMENT STEPS

DEFINE THE AUDIT UNIVERSE
CHOOSE HOW TO DEFINE RISK
CHOOSE A CONTROL OR RISK MODEL
ASSESS INHERENT AND CONTROL RISK TO DETERMINE VULNERABILITY
ASSESS THE AUDITABILITY OF HIGH VULNERABILITY AREAS

DEFINE THE AUDIT UNIVERSE

DEFINE THE MANNER IN WHICH THE UNIVERSE IS TO BE DEFINED

THE MORE COMMON METHODS USED BY INTERNAL AUDITORS FOR DEFINING THE UNIVERSE ARE:

1. PROGRAMS
2. STRATEGIES
3. CONTROL SYSTEMS

GENERAL TYPES OF INTERNAL AUDITS TO BE CONDUCTED

1. FULL PROGRAM AUDITS
2. CONTROL SYSTEM AUDITS
3. INVESTIGATIVE AUDITS
4. PERFORMANCE EVALUATIONS
5. QUICK RESPONSE AUDITS


PRIMARY AUDIT FOCUS

1. COMPLIANCE ASPECTS
2. RELIABILITY OF DATA
3. SAFE GUARDING OF ASSETS

SELECTION OF AN AUDIT OBJECTIVE (RANK, RISK & AUDITABILITY)

1. VULNERABILITY (The Mission May Not Be Accomplished)
2. INHERENT RISK (The Nature and/or The Culture Of The Audit Objective Has Risks Without Controls)
3. CONTROL RISKS (Probability That The Inherent Risks Will Become A Reality: Probability That Controls Are Put In Place And Will Not Accomplish The Mission)
4. AUDITABILITY (Skills, Time, and Evidence)

INTERNAL AUDITING - BASIC RISK FACTORS

1. ETHICAL CLIMATE
2. PRESSURE ON MANAGEMENT
3. PERSONNEL INTEGRITY, COMPETENCE
4. NUMBER OF PERSONNEL
5. NUMBER OF TRANSACTIONS
6. SIZE OF THE ASSETS
7. COMPLEXITY/VOLATILITY OF ACTIVITIES
8. STATUTORY REGULATIONS
9. LEVEL OF COMPUTERIZATION
10. GEOGRAPHICAL LOCATION
11. ADEQUACY OF INTERNAL CONTROLS
12. MANAGEMENT CULTURE
13. ACCEPTANCE OF AUDIT FINDINGS & CORRECTIVE ACTION TAKEN
14. TIME LAPSE SINCE LAST AUDIT

KEY ACCOUNTABILITY CONTROL SYSTEMS

Departmental and Assessment Management

Policy Management

Performance Management

Information Management

Resource Management


ACCOUNTABILITY RISK FACTORS

POLICY RISK - THE RISK THAT AN ACTIVITY WILL FAIL TO DELIVER EXPECTED RESULTS BECAUSE OF UNSTABLE OPERATIONS DUE TO CHANGES IN MANAGEMENT, PERSONNEL AND/OR THE ENVIRONMENT, OR RESOURCES ARE NOT EFFICIENTLY USED OR EFFECTIVELY CONTROLLED.

PERFORMANCE RISK - THE RISK THAT AN ACTIVITY WILL FAIL TO DELIVER EXPECTED RESULTS BECAUSE IT DOES NOT USE PERFORMANCE INFORMATION EFFECTIVELY TO MANAGE ITS OPERATIONS.

INFORMATION RISK - THE RISK THAT AN ACTIVITY WILL FAIL TO MEET EXPECTED RESULTS BECAUSE MANAGEMENT INFORMATION IS NOT COMMUNICATED OR USED EFFECTIVELY BY DECISION MAKERS.

RESOURCE MANAGEMENT RISK - THE RISK THAT AN ACTIVITY WILL FAIL TO ACHIEVE EXPECTED RESULTS OR WILL NOT ESTABLISH AN ENVIRONMENT THAT PROTECTS AGAINST FRAUD AND FINANCIAL DISASTER BECAUSE RESOURCES ARE NOT MANAGED EFFICIENTLY AND EFFECTIVELY WITHIN ITS OPERATIONS OR WITHIN ITS JURISDICTION.

CONTROL ENVIRONMENT RISK - THE RISK THAT THE INTEGRITY, ETHICAL VALUES, AND COMPETENCE OF THE PEOPLE DO NOT LAY A SOLID FOUNDATION TO ACHIEVE EXPECTED RESULTS.

AUDITABILITY IS DETERMINED BY:

1. TIME FRAME
2. INFORMATION
3. AVAILABILITY OF DOCUMENTATION
4. AUDIT SKILLS
5. AUDIT EDUCATION
6. AUDIT HOURS
7. AUDIT MORALE

IN ORDER FOR THE RISK ASSESSMENT PROCESS TO BE SUCCESSFUL, IT MUST:

1. INVOLVE THE DEPARTMENT BEING AUDITED
2. PRODUCE CREDIBLE RESULTS THAT ARE ACCEPTED BY BOTH THE AUDITORS AND MANAGEMENT.
3. BE TIMELY SO THAT THE AUDIT PROCESS IS NOT HELD BACK WAITING FOR RESULTS.
4. BE COST EFFECTIVE IN THAT THE RESULTING INFORMATION IS AT LEAST AS VALUABLE AS THE COST TO OBTAIN IT.


FIVE BASIC PHASES OF - PLANNING AN AUDIT

1. Gather information
2. Conduct preliminary assessment
3. Define and refine the audit objectives
4. Develop the:
   Audit scope
   Audit methodologies
   Audit fieldwork programs
5. Estimate the audit budget and resources

STEPS TO BE TAKEN IN THE PRELIMINARY ASSESSMENT

1. Select which of the accountability control systems and subsystems are relevant to the audit (within the initial audit scope).
2. Assess which of the inherent risks and which of the control risks exist (be sure to document risk assessment).
3. Select the accountability control subsystem for which audit objectives will be developed (be sure to identify the relevant performance aspects to be reviewed).
4. Reassess auditability
5. Update risk and internal controls information (update permanent files, prepare preliminary assessment document, and document auditability).

DEFINE/REFINE - AUDIT OBJECTIVE

In speaking to the objective for an internal audit, the “Yellow Book” (accounting and audit guidelines for federal grants) indicates that there needs to be a clear indication as to what the report related to the audit is to accomplish. Further, it is noted that the subject of the audit needs to be clearly identified as well as the aspects of performance that are to be examined. Therefore:

THE AUDIT OBJECTIVE - ESTABLISHES BOUNDARIES FOR THE AUDIT BY CLEARLY STATING WHAT THE AUDIT IS TO ACCOMPLISH. IT IDENTIFIES THE SUBJECT OF THE AUDIT AND THE PERFORMANCE GOAL.

OPEN-ENDED OBJECTIVES SHOULD BE RESTATED AS CLOSED-ENDED OBJECTIVES.


OPEN-ENDED OBJECTIVES:

♦ Identify the subject; what is the audit to examine
♦ Are vague in defining what the audit is to accomplish

CLOSED-ENDED OBJECTIVES:

♦ Are answerable
♦ Identify what the audit is to examine
♦ Clarify what the audit is to accomplish

1. IDENTIFY THE PRIMARY REPORT USER(S):

What do they want to know?

When they receive the information what are they going to do?

2. UNDERSTAND THE SUBJECT, PROBLEM AND/OR CONCERN?

The audit subject is usually an organization, a department, a program, a service, an activity and/or a function, a management policy, and a performance issue.

3. DECIDE WHAT PERFORMANCE ASPECTS ARE TO BE INCLUDED IN THE AUDIT.

Is there management oversight?

Is there a desire for customer satisfaction?

Is the payroll process efficient?

Are goals being established?

Is the legislative intent being followed?

Can the accuracy of the activity be evaluated?

4. WHEN ISSUES ARE ESTABLISHED, DETERMINE IF THE REASON FOR THE ISSUE IS DUE TO PROCESSING OF TRANSACTIONS OR THE ACCOMPLISHMENT OF A GOAL.

(Control risks should be clearly linked to the risks that exist to the county.)

5. DECIDE WHAT ELEMENTS OF THE FINDINGS ARE TO BE DEVELOPED WHICH ARE LINKED TO SUB-OBJECTIVES.


SUB-OBJECTIVES will address elements of the primary findings – will usually help to identify the nature of the data required – will tend to lead to major audit steps.

SUB-OBJECTIVES are developed as a series of questions addressing each finding element you decide to develop. A separate question should be written for each finding element.

EXAMPLES OF SUB-OBJECTIVES:

1. CONDITIONED BASED OBJECTIVE:
What is the average response time for a 911 call out?

2. CRITERIA BASED OBJECTIVE:
What was the unit cost to process a payroll check in FY 03?

3. EFFECT BASED OBJECTIVE:
What is the difference between the legislative intent and the department’s goals?

4. CAUSE BASED OBJECTIVES:
What are the underlying factors that influence customer satisfaction with the ability of the department to deliver service?


DOCUMENTATION REGARDING INTERNAL CONTROL

The second standard of fieldwork that needs to be considered is that of internal control. The workpapers should have adequate documentation that the auditor had obtained a sufficient understanding of the existing internal control structure for the department being reviewed. The extent to which internal control is established in the department will impact the nature, timing and extent of the tests that will need to be performed.

The workpapers should document:
1. The understanding of the office’s internal control structure, and
2. The auditor’s assessment of its effectiveness in detecting and/or preventing material misstatements.

Basically the department’s internal control system consists of the policies and procedures that have been established to provide reasonable assurance that those specific objectives will be achieved. Policies and procedures may be established through statutes, may be established by the commissioners’ court, may be established by the county auditor, and they may be created by the elected official and/or department head.

Normally with a financial review the auditor will be concerned with those policies and procedures that are primarily concerned with the recording, processing, summarizing, and reporting of financial information, and the effect an error will have.

The department’s internal control consists of three elements:
1. The control environment
2. The accounting system, and
3. The control procedures

Each of these components needs to be understood in order to plan the review that is to take place.

The Control Environment – essentially reflects management’s attitude, awareness and actions concerning the importance of control. The factors that the auditor will need to consider are:

1. Management’s philosophy (the operating style used)
2. The department’s organizational structure
3. The method of assigning authority and responsibility
4. Personnel policies and practices
5. Management’s control methods used for monitoring performance to include internal auditing
6. External influences that may impact the office, and
7. Interaction with other offices in the county

These factors serve to make other control policies and procedures more effective. When management is found to have a positive attitude towards controls and does not try to mitigate the effectiveness of policies and procedures or to override the controls, the reviewer finds that the nature, timing and extent of the review can be reduced.


The Accounting System – consists of the methods and records which are used to identify, analyze, classify, record and report the department’s transactions and to maintain accountability for related assets and liabilities. The auditor needs to understand the accounting system in sufficient detail in order to understand:

1. The types of transactions that can occur within the department
2. How those transactions are initiated
3. The accounting records, support documents, machine readable information, and specific accounts in the financial system involved in the processing and reporting of the transaction
4. The accounting process from the initiation of the transaction to the inclusion in the financial data
5. How the computer is used to process the data at each level, and
6. The financial reporting process.

The Control Procedures – consist of those policies and procedures, in addition to the control environment and the accounting system, that management has established to provide reasonable assurance that its objectives will be achieved.

Examples of control procedures are:
1. Segregation of duties
2. Proper authorization, and
3. Independent checks and balances.

The audit strategy is based on the reviewer’s understanding of the control procedures. If control procedures are weak, then it doesn’t make a lot of sense to waste time to test controls. However, if the auditor is able to test the control procedures and finds that they are strong and effective, then he/she may decide that the substantive tests can be reduced. The understanding to be obtained is developed through inquiries of the department, review of the department’s manuals and documents, and observation of the department’s routines.

The reviewer must ascertain reliable information that confirms that the policies and procedures, the control procedures, are not just in writing – they are being practiced. This confirmation comes from:

1. Inquiries
2. Observations, and
3. Hands on monitoring of transactions.

The understanding that the auditor comes to needs to be documented. The size and the complexity of the entity, as well as the nature of the department’s internal control structure, influence the form and the extent of this documentation. A large department may have its own documentation of the internal control procedures that the auditor can copy and put in the workpapers. For smaller departments the auditor may develop their understanding through the use of flow charts and/or questionnaires. For really small departments the auditor may just use a memorandum – for small offices with one or two employees it is really difficult to put into place effective internal controls. Generally the more complex the department, the more extensive the internal control, and the more extensive the auditor’s documentation.


The most commonly used methods of documentation are:

1. Memorandums – narrative descriptions of the relevant control structure, policies and procedures. They are most useful when the matter being described is relatively simple. They are less useful when the system becomes very complex.

2. Flowcharts – are useful when there is a system of internal control or operational system that is very complex. A flowchart is a graphic depiction of operations and decisions applied in the department’s structure. Flowcharts need not be elaborate – their advantage is that complex matters can often be made easier to understand in a graphic presentation.

3. Questionnaires – sometimes referred to as checklists, are programs that allow the auditor the ability to ask questions as to functionality and receive responses from individuals. They are especially relevant when the auditor wants to make sure that specific items or procedures have been focused on and all relevant matters have been considered. This form of documentation lends itself to be summarized more easily than memorandums and flowcharts. There are two general types of questionnaires:

A. Open-Ended Questionnaires – ask general questions and let the auditor answer with whatever information is relevant in the circumstances.

B. Closed-Ended Questionnaires – ask questions that must be answered yes or no.

Closed-ended questionnaires are less flexible than open-ended questionnaires, but they are more comprehensive. Closed-ended questionnaires are usually more useful with larger, more complex offices, while open-ended questionnaires are better applied to the smaller office.

The auditor’s understanding of the control structure is required to be documented, but the procedures to be used to obtain this understanding are not. Thus, the procedures the auditor performs to understand the design of the department’s control structure, and to see that the department’s policies and procedures have been placed in operation, need not be specifically described.

Even so, even if the procedures to obtain the knowledge of the internal control are not required to be documented, the auditor should document the procedures applied and the reasoning for the judgment process that was applied. Any file memos as to the procedures followed or the documents examined should be dated and at least initialed by the individual making the statement. A signed off audit program is a commonly used document which has a step by step program for the auditors to use and the cycle that is to be followed.

Assessing Control Risk

After the auditor has obtained his understanding of the internal control structure, or while he obtains it, it is not uncommon for the auditor to consider whether there are policies and procedures in place that would reduce the risk of material misstatement, and if there are, whether it would be efficient to test them in order to reduce the scope of substantive tests.


If the auditor decides that he/she wants to take advantage of the existing internal control structure, i.e. existing policies and procedures, in an effort to reduce the amount of time required to do substantive testing, then he/she must apply tests of the controls to see if the policies or procedures (that are to be relied on) are designed and operating effectively. The tests must be directed at determining whether the policy or procedure is suitably designed to prevent or detect material misstatements and how effectively it is operating.

Tests of controls are concerned with how a control structure policy or procedure was applied – the consistency with which it was applied during the period under examination and by whom the control was applied. These tests include inquiries of appropriate personnel, inspection of documents, examination of reports, observation of applications, and performance evaluations. It should be remembered that tests of controls are undertaken only when the auditor believes that performing such tests can reduce the need for substantive testing of the detailed documentation. Tests of controls are used in the hopes of being able to increase efficiency. Tests of controls are required if there is going to be reliance placed on the underlying controls and procedures. The more that the auditor is able to depend on the department’s internal control structure to prevent or detect material misstatement, the less substantive work that will be required to be performed.

Documenting The Control Risk Assessment

When the auditor is able to conclude that he/she is able to reduce substantive testing based on the effectiveness of the control structure, there needs to be documentation of the basis for this decision in the workpapers. That is, in addition to the understanding of the control structure that is already documented, there needs to be documentation of the tests of the controls that were performed and their results.

The form and the content of this documentation are going to vary from office to office and from department to department. But, in some form, the documentation should include:

1. A written description of the tests performed
2. The identity of the person performing the tests should be clear
3. An indication of when the tests were performed and when they were completed
4. A description of the evidence that was examined (a copy in the file for an example would be useful to the reader)
5. An indication of the number of items that were tested
6. The source of the items selected and how these items were determined for selection, and
7. A description of the exceptions noted and an explanation as to their disposition.

It is always good to document the type of misstatement that the control policy or procedure can be depended on to prevent and/or detect. It is not uncommon for the auditor to make a statement in the workpapers whether the controls tested worked as expected and can be depended on. The more reliance the auditor can place on the control structure (i.e. there is a low assessment of risk), the more evidence that should be documented to support the reliance.


When the internal auditor is dealing with an office that only has two people in the office, then it is unlikely that the office will be able to effect adequate control measures that can be relied on. If the auditor is not going to place reliance on the internal control measures, then there is no reason to test them. Thus, there is no dependence on the controls and/or procedures to prevent and detect material misstatements.

Weaknesses In Internal Control

Any weaknesses noted in the internal control structure should be clearly noted in the workpapers as reportable conditions and should be communicated to the department head and/or elected official, and should be reported in the letter of findings to the official. Reportable conditions are significant deficiencies in the design or operation of the internal control structure that could adversely affect the department’s ability to record, process, summarize, or report financial data consistent with accounting and financial procedures required by state statutes and/or county policy. The deficiencies might involve any of the three components of the control structure – the control environment, accounting system, or the control procedures.

If the condition is reported orally to the department head and/or elected official, then the initial conversation should be well documented. The communication should always be followed up in writing. Conditions that have been reported in prior years, and which have not been corrected, should be reiterated until the department head and/or elected official has clearly acknowledged the risk and has stated reasons for not correcting. Management’s acknowledgment is always critical. Thus, it is not an uncommon practice to allow the department head and/or elected official the opportunity to respond to the finding in the report.


DOCUMENTING SUBSTANTIVE TESTS

The internal auditor detects material misstatements in financial statements by applying substantive tests. The tests are designed based on the auditor’s assessment of risk that material misstatements will occur and that the department will not catch the error. This is commonly referred to as inherent and control risks. The higher the risk of misstatement occurring undetected by the client, the more evidence the auditor will need to accumulate.

The accumulation of evidence supporting the amounts in the financial statements is by far the most time-consuming part of the audit, and documentation of substantive tests generally accounts for the bulk of the workpapers that are prepared. Thus, the third standard of fieldwork states:

Sufficient competent evidential matter is to be obtained through inspection, observation, inquiries, and confirmation to afford a reasonable basis for an opinion regarding the financial information under examination.

Evidential matter is obtained through two general classes of auditing procedures that comprise substantive tests:

1. Tests of detailed transactions, and
2. Analytical procedures

Books of original entry and other records maintained by the department, such as ledgers, journals, cost allocations, and reconciliations, may in part support the monthly and/or quarterly reports, but those records do not constitute what is considered evidential matter. Documentation must be collected that will corroborate the information shown in the above-mentioned documents. Corroborating evidential matter includes:

1. Cancelled checks
2. Receipts
3. Invoices
4. Contracts
5. Independent confirmations
6. Information independently obtained or developed through inquiry, observation, or inspection.

Auditors choose from a wide range of methods and techniques to test the validity of accounting information and reports. Some of the more commonly used techniques are:

1. Documenting the process used to develop the financial information, then testing the information entered into the process

2. Comparing the accounting data and information to data that is collected outside of the department, and

3. Comparing the accounting information to the auditor’s expectations, which have been derived through logical analysis.


Competence Of Evidential Matter

To be competent, evidential matter must be both reliable and relevant. Reliability of evidential matter will always depend on the circumstances under which it is obtained. However, there are some generalizations that are commonly held to be true (but one must understand that there are exceptions to every rule):

1. Greater assurance as to the accuracy of information can be assigned to evidence that is obtained independently and outside of the department that is being examined.
2. Financial information that is created within a department that has strong internal controls (or in some cases just satisfactory internal controls) provides more assurance as to accuracy than that produced in an environment with less than satisfactory conditions.
3. Direct personal knowledge obtained by the auditor through physical examination, computation and inspection is more reliable than data obtained indirectly.

The relevance of evidential matter has to do with whether the information bears on the accounting or reporting data in question. While the relevance of evidential matter to a specific circumstance is generally clear, in some cases, particularly those involving the estimated outcomes of future events, the auditor needs to be particularly careful in considering whether the correct factors are considered in arriving at the conclusion.

Sufficiency of Evidential Matter

Once the internal auditor has considered the evidential matter and has found it to be relevant and reliable, he/she must then determine whether or not the data collected is sufficient – that is, whether there is enough data to allow a basis to be developed related to the finding and whether the data will support the finding. As a rule of thumb, the evidential matter must be sufficient to reduce to an acceptably low level the risk that the internal auditor will fail to detect a material misstatement in the financial data and related reports. Evidential matter may be developed through the use of substantive testing. The sufficiency of evidential matter will depend on:

1. The nature of the elements under examination
2. The relative size of the population and the auditor’s judgment as to materiality
3. The auditor’s assessment as to the inherent and control risks within the department – i.e. risk of material misstatement, and
4. The nature of the evidential matter obtained – persuasiveness of the evidence collected and the risk that it may be interpreted incorrectly.

The internal auditor has to always be cognizant of the economics and the timeliness of an internal audit. For a finding and a solution to be economically useful, it must be developed and rendered in a reasonable length of time. There is a rational relationship between the cost of obtaining evidence and its usefulness. Evidential matter that is to be collected has a cost to the taxpayers. That is not to say that the matter of difficulty and expense involved in testing a particular attribute is not in and of itself a valid basis for omitting an otherwise necessary step in the internal audit function.


Types of Substantive Tests

There are two types of substantive tests – tests of details and analytical procedures.

During most internal audit procedures both types of testing are generally used. The internal auditor will choose the procedure based on:

1. Materiality
2. Risk of misstatement
3. Production of persuasive evidence
4. Comparative efficiency

Tests of detail are audit procedures in which amounts that make up an account balance or class of transactions are compared to corroborating information. These tests are usually directed at balance sheet accounts and used to test the existence, ownership, and valuation of assets and the amount and responsibility for liabilities. Tests of details can be directed at both revenue and expenditure accounts in an effort to document the classification accuracy of each. A test of details will usually include one or more of the following:

1. Vouching (invoices, receipts, budgetary authorization, etc.)
2. Account analysis
3. Reconciliations
4. Confirmations
5. Observation, and
6. Recalculation

Analytical procedures are commonly referred to as substantive tests of financial information consisting of observation and comparisons of relationships among data, such as fluctuations or trends noted in various ratios, percentages, quantities and dollars. Some commonly used analytical procedures include comparisons of financial information between:

1. Current period and prior period
2. Current period this year to same period in prior year(s)
3. Current period year to date and prior year to date
4. Budget and actual
5. Similar departments
6. Revenue and expense to produce the revenue

Analytical procedures lend themselves to easy analysis of income and expense and to developing techniques for ensuring that everything that should have been recorded was recorded. When applying analytical procedures the internal auditor should:

1. Consider the relationship between the data that is collected and the expected result
2. Compare what is expected to that recorded and reported by the department
3. Obtain sufficient understanding of events that will help to explain any differences, and
4. Obtain supporting evidence to corroborate the explanation.


It is not uncommon for an internal auditor in a county to perform substantive testing at periodic times during the year on any and all departments. The auditor needs to always consider the activity as previously tested in relationship to the activity currently being tested. In addition, the auditor should include in their normal set of procedures the following:

1. Comparative review of data from test period to test period
2. Ensuring that the general ledger and the subsidiary ledger agree
3. Always tracing entries to their source, and
4. Ascertaining that all recommended adjustments have been made.

Some elements to remember about substantive testing:

1. Substantive testing can be reduced and may be eliminated.
2. Substantive testing and the test of controls may be combined into one function.
3. Substantive testing is not just number crunching – it includes:
   Confirming accounts receivable
   Reviewing commissioners’ courts’ minutes
   Investigating fluctuations in account balances
   Testing support for uncollected accounts
   Observing physical inventory
   Computing debt requirements from original documents
4. Vouching should include the review of cancelled checks, contracts, purchase orders
5. Account analysis is the systematic detailing of the components as recorded in the general ledger and/or subsidiary ledger

6. Reconciliations involve the verification of an account balance


TYPES OF WORKPAPERS

Workpapers can be simply defined as anything the internal auditor uses to document the results of the examination and the scope of the procedures performed. They will also confirm and/or deny the fact that the financial reports and underlying data for the financial reports of the department agree and/or reconcile. Working papers generally include:

1. General ledger activity reports
2. Copies of departmental reports
3. An audit program
4. Documentation as to the understanding of the internal control structure
5. Designated tests to be performed to confirm the understanding
6. Notes, memorandums, copies of documents, minutes, contracts, invoices, purchase orders, etc.
7. Schedules (either prepared by the auditor or prepared by the department) that support the distributions to the general ledger and subsequent reports.

Workpapers generally present a logical flow to the information and data. Workpapers should be able to tell the reader and/or reviewer a story without the need for additional oral communication and explanation. The workpapers should be compiled in the form of a pyramid – the findings to the front and the detail to the back. A contents page should be used to give the reader the ability to find transaction work quickly. If “tick marks” are used, it is customary to have a legend at the front of commonly used “tick marks.”

The contents page would be followed then by the report of findings; followed by any other communication (written and oral) that occurred during the examination; followed by any internal memos and general observations; followed by a worksheet delineating any adjustments and/or reclassifications that are proposed (each adjustment should be referenced to the support documents in the workpapers); followed by the evaluation of internal control; followed by a risk assessment; followed by the audit program; followed by detailed tests; followed by analytical review; and followed by any substantive testing, reconciliations, and/or recalculations.

Depending on the county auditor’s instructions and/or the culture of the county, when the internal auditor is performing an analysis of expenditure accounts, a detailed analysis should always be performed on:

1. Single expenditures in excess of $5,000
2. Multiple expenditures with the same vendor that exceed $25,000
3. Legal expenses
4. Professional fees
5. Maintenance and repair in excess of $ __________
6. Rents


All workpapers should have a clear indication as to:

1. The department being examined
2. The title of the workpaper
3. A brief description of the workpapers’ contents
4. A statement as to the source of the data obtained
5. The period being covered by the examination
6. Who prepared the workpaper, when it was prepared and who reviewed the document
7. Any documents which are prepared by the department should be clearly labeled as to who prepared the document and when
8. Any adjustments that are being proposed and documentation for such, and
9. Any reference to other documents

Always remember:

If you don’t write it down – it was never said – it was never done!

Internal audit work papers should always tell a story.

Consider the thought – that if a bus hit you today – would someone else be able to follow behind you?