4/25/19

1

AUDITING A-Z

Randall Rice CPA CISA CIO DABFA CBM CGMA CITPCounty Auditor, Galveston County

4/25/19

2

Auditing A-Z

uFailure in auditing is defined as spending too

much time looking at something no one cares

about.

uDo you spend your time doing meaningless things

by simply repeating the procedures of your

predecessors, who did what their predecessors

did, and so on?

u Is your report boring because you don’t have

anything relevant to say?

Definition of an Auditor

An independent professional who

concludes whether a subject matter

meets an agreed-upon criteria by

gathering evidence through

performing custom-designed audit

methodologies.

4/25/19

3

Basic Audit Functions u Identify the Audit Universe

uEstablish an Audit Plan

uPerform a Risk Assessment

uDetermine the Audit Calendar

uEstablish Audit Objectives and Scope

uCreate Tests to Gather Evidence

u Identify Failures to Comply with Controls

uReport Failures

Audit Universe

u Audit Universe must be defined before risk assessment can be done

u Largely determined by statutes; may be expanded

u Statutory minimum includes all county offices collecting money:

Accounts Payable Engineer Parking Facilities Social Services

Adult Probation Fire Marshall Parks and Recreation Sheriff-Bail Bond

Collection Improvement Grant Programs Personal Bond Office Sheriff-Commissary

Constables Health Department Pretrial Services Sheriff-Inmate Trust

County Attorney Housing Assistance Public Libraries Sheriff-Jail Operations

County Clerk Justice of the Peace Recycling Programs Tax Assessor/Collector

District Attorney Juvenile Probation Retiree Health Insurance

Toll Road Authority

District Clerk Law Library Right of Way Treasurer

Elections Medical Examiner Seized/Forfeited Assets

Vendor Documentation

4/25/19

4

Audit Universe

u Non-statutory audits include:

Administrative Services Fixed Assets Purchasing Contracts

Children’s Services Grant Subrecipient Monitoring Risk Management

Concessionaire Agreements Hospital District Scrap Auction and Sales

Construction Activity Insurance Sheriff’s Sales-Forfeited Assets

Economic Development Inventory Testing Assistance-External Auditors

Emergency Management Jury – Cash Payouts Health Benefit/Claims Paid

Emergency Medical Services Lease Agreements Vehicle Maintenance

FEMA Funding Port/Navigation District Volunteer Fire Department

Identify available resources

NAME TITLE AVAILABLETOTALHOURS

HOLIDAYHOURS

VACATIONHOURS

NON-AUDITHOURS

AVAILABLEAUDIT HOURS

Smith County Auditor 2,080 (80) (80) (1,200) 720

Jones Audit Manager 2,080 (80) (80) (320) 1,600

Thomas Auditor 2,080 (80) (120) (60) 1,820

Perkins Auditor 2,080 (80) (80) (60) 1,860

Wilson Auditor (PT) 1,040 (40) 0 (20) 980

TOTAL 9,360 (360) (360) (1,660) 6,980

4/25/19

5

Create the Audit Plan

u Identify the departments or processes to audit

uWhat are we concerned about? (The objectives)

uWhat will we audit? (The scope)

uWhat documents are needed? (The methodology, i.e., flowcharts, narratives, ICQ’s, etc.)

uWhat will we do? (The audit program)

uWhen do we start? (The audit calendar)

uHow long will it take? (The resources available)

Audit Flow - Follow the Arrows

4/25/19

6

Golden Rule of Risk Assessment

Auditor’s Prayer:

"Lord, if something is out there,

please let me find it.

And, if it is there and I don't find it,

don't let anyone else find it.“

Risk components

u Three types of risk

uControl

u Inherent

uDetection

uControl Risk - risk an error may occur in an account balance or class of transactions and that could be

material...[and] will not be prevented or detected

on a timely basis by the internal control structure.

This is a function of the effectiveness of internal

controls.

4/25/19

7

Risk components

u Inherent Risk - susceptibility of an account balance or

class of transactions to an error that could be

material

uDetection Risk - risk procedures will lead to a

conclusion that error in an account balance or class

of transactions could be material. This is a function

of the effectiveness of audit procedures.

Risk factors (See handouts 1-2 for sample evaluation of risks and problem areas for Justice of the Peace and numerical assignment of risks for several JP offices.)

u Frequency and quality of auditing:

uYou control the effect of this risk, based on how often and

how well the audit is performed.

u Size and complexity of auditee's operations:

uGenerally, the larger and more complex, the more risk errors

or fraud can be material, because there is more exposure.

u Managerial attitudes and morale in the auditee's office:

uManager does nothing or everything, ineffective

communication, lacks integrity, overly oppressive.

4/25/19

8

Risk factors

u Employee attitudes and morale in the auditee's office.

u In an office where the employees are truly overworked, or

just think they are overworked, or even if they are

unhappy for other reasons, it is easy to rationalize setting

aside some of the cash receipts for themselves.

u External factors such as the press, controversy, politics,

etc.

uThis can produce high visibility risk. If the press is pursuing

a problem in an official's office - the county auditor better

find it before they do!

Allocation of audit resources

u After determining available man-hours and assessing

the risk, prepare a table using the audit plan with

the audit risk and total audit hours to be used for

each auditee.

uNote

uJust because audit risk on a particular auditee is

high, a large amount of time should not be

arbitrarily assigned to its audit.

4/25/19

9

Allocation of audit resources

uRemember:

uTime assigned based on time required to complete the

steps in an audit program.

uThe following matrix is an example and in no way

indicates the hours allocated are reasonable for any

given auditee.

uAlso, audit risk is shown as high, moderate or low. You

could decided to rank using 1 to 10. Any approach is

acceptable as results are justifiable.

AUDITEE AUDITRISKTOTAL HOURS SMITH JONES THOMAS PERKINS WILSON

Tax Assessor High 1,420

County Clerk Moderate 1,080

District Clerk Low 700

Justice of the Peace, Pct. 1 High 960

Justice of the Peace, Pct. 2 Low 720

Sheriff -Commissary High 680

Sheriff - Bail Bonds Low 620

Juvenile Probation Moderate 400

CUSHION FOR REQUESTED OR FRAUD AUDITS

N/A 400

TOTALS 6,980 0 0 0 0 0

4/25/19

10

AUDITEE AUDITRISKTOTAL HOURS SMITH JONES THOMAS PERKINS WILSON

Tax Assessor High 1,420 185 500 580 155County Clerk Moderate 1,080 75 200 580 225

District Clerk Low 700 30 100 570

Justice of Peace Pct. 1 High 960 80 200 670 10

Justice of Peace Pct. 2 Low 720 10 100 430 180

Sheriff - Commissary High 680 50 180 300 150Sheriff - Bail Bonds Low 620 10 120 400 90Juvenile Probation Moderate 400 40 40 150 170

Cushion For Requested Or Fraud Audits N/A 400 240 160

TOTAL 6,980 720 1,600 1,820 1,860 980

Audit Protocol – what to do in what order

Planning Phase

1. Planning Memo/Narrative

2. Assign Staff

3. Initial Client Contact

4. Complete Analytical Review

5. Pre-fieldwork Meeting

6. Entrance Conference

7. Engagement Letter

8. Prepare/Update Audit Program

Fieldwork Phase

9. Start Fieldwork

10. Conduct Internal Control Review

11. Conduct Interviews

12. Document Interviews

13. Evaluate Controls

14. Tollgate Meeting

15. Test Work

16. Complete Workpapers

17. Work Paper Review/Clearance

18. Findings and Recommendations

4/25/19

11

Audit Protocol – what to do in what order

Report Phase

19. Draft Audit Report

20. Review Draft Report – Audit

Manager

21. Review Draft Report – County

Auditor

22. Exit Conference

23. Client’s Responses

Publication Phase

25.Printing

26.Distribution

27.Final Audit Report

28.Physical Files

29.Electronic Files

Post Audit Phase

30.Post Audit Evaluation

31.Update Risk Assessment

Tools and techniques

uPreliminary Survey – accumulate information about office or function audited. Clarify expected outcomes, including:uPurpose of that specific audituEngagement objectives, scope and timinguProcesses to be auditeduArea objectives, related risks and controlsuInternal audit resources to be useduRelevant standards and statutes

4/25/19

12

Analytical Reviewu Examination of operations of auditee to find significant

or unusual relationships or changes.

u Allows auditor to step back and look at the forest, not just the trees and leaves:

uDoes the forest look like a forest should look?

uAre there “holes” in the forest where they should not be, or are there trees where “holes” should be?

uHas the forest grown since last viewing?

uHas the mix of trees changed, indicating a new direction?

Analytical Review

u At Galveston County, we flowchart each office and then use

that to look at the “forest.”

u In a JP office, we look and graph 5 years of data to see

what changes have occurred:

Citations filed in the court Number/Amount of refunds issued

Number/Amount of fines

collected

Number of employees

Fines dismissed Staff turnover

Number of receipts issued Cash collections compared to

check collections

4/25/19

13

Review of past audit documentsuProvides familiarity with area being auditeduOffers overview of what to expectuShows how others have approached the auditu Identifies problems found and reporteduReveals status of actions taken or not takenuReveals strengths previously identifiedu Identifies other activities for evaluation

Document and review current items Organizational information Project plans

Recent changes in the organization, including major system changes

Budget information, operating results, and financial data reviewed

Job descriptions Performance Reports

Authority and responsibility External audit results

Attorney General Opinions or Letter Responses

Commissioners Court agenda items affecting auditee

Objectives and goals for the organization overall

Risk management evaluations

Procedural manuals, instructions and directives, especially for state associations

Public documents relating to the area under audit

4/25/19

14

Preliminary surveyPrepare a one- or two-page report summarizing the operation reviewed, the work performed, an initial opinion about the risks and controls, and recommendations for staffing the engagement. The summary includes:

uSignificant engagement issues and reasons for in-depth reviewuEngagement objectives and proceduresuMethodologies to be used, such as CAAT (computer aided audit

tools) and sampling techniquesuPotential critical control points and/or control deficienciesuWhen applicable, reasons for not continuing the engagement or

for significantly modifying engagement objectives

Audit Objectives and Scopeu Audit Objectives

uWhat the audit is intended to accomplish

u Identifies the audit subject matter and performance aspects

uThink of objectives as questions about the program that you will answer based on the evidence obtained and assessed against criteria

u Audit Scope

uBoundary of the audit

uDefines subject matter to be assessed and reported on

u Objective and scope defines what the audit is and is not

4/25/19

15

Audit Methodology

uDescribes nature and extent of audit procedures

for gathering and analyzing evidence

uAudit procedures are the specific steps and tests

performed to address the audit objectives

uDesign methodology to obtain reasonable assurance

the evidence collected is sufficient and appropriate

to support your findings and conclusions and to

reduce risk to an acceptable level

u See handouts 3-7 for Audit Programs, interview questions, and ways to gather audit

evidence

Internal Control Evaluation

uAdequate internal control evaluation is the

backbone of audit planning.

u It is the primary basis for assessing the various risks

related to each auditee.

u Internal controls are not a guarantee, because a

system of internal controls should be cost

effective.

uThe cost should not outweigh the benefits.

4/25/19

16

Internal Control Evaluation

Evaluation is to give assurance that controls:

u are established by management

u consist of documented policies and procedures

u actually function as designed and can accurately:

uProvide reliable information

uSafeguard assets and records

uEncourage adherence to prescribed policies,

procedures, laws and regulations

uPromote operational efficiency

uAccomplish established objectives and goals

Control Activities

uCompliance is not optional

uControl breakdowns still occur because of

uError

uBad judgment

uCollusion

uManagement override

4/25/19

17

Types of Controls

uPersonneluTraining

uPerformance Indicators

uOrganization controls: uSegregation of Duties

uWell-Designed Policies & Procedures

uTrained Backups

uPhysical Access

uData Processing:u Input / Output

uControl Totals

uAccess

uMonitoring: uOn-going

uActive Reviews

Conduct sampling

u If available, use CAAT’s for 100% transaction tests.

u If not, use samples to select a subset that provides a

reasonably accurate reflection of whole population.

uSampling is 1) Statistical or 2) Judgmental (non-

statistical)

uSampling selection is influenced by audit objective,

type of data, nature of the population, and practical

considerations such as cost and time.

uSpell out sampling technique in the scope statement.

4/25/19

18

Sampling

u Samples are selected according to the auditor’s informed

assessment of how many samples will be required to yield a

reasonably reliable result given the type of population and

audit objective.

u Sampling may be carried out:

uSystematically (e.g., every nth item, beginning with

number x)

uUnsystematically (e.g., pulling files from a file cabinet with

no selection criteria)

uAccording to the auditor’s judgment (e.g., picking large or

unusual items from a computer report)

Judgmental Sampling

uAdvantages/disadvantages of non-statistical sampling:

uGives the auditor the flexibility to use professional judgment to select the items that most need

testing

uCan be designed to achieve cost-effective, reasonably reliable results

uMay lead to auditing too many, or too few, items

uDepends on experience and insight of auditor for its effectiveness

4/25/19

19

Narratives

u Should address, but not be limited to, the following

subjects:

uWho or what initiates a transaction.

uDivision of tasks into logical, understandable parts.

uSegregation of incompatible duties between

personnel.

uFlow of documents from their creation to disposition.

The disposition of all copies of a multi-copy document

should be addressed.

uWho records transactions.

FlowchartinguA flowchart is a symbolic representation for a

system or a series of sequential processes.

Preparation of flowchart enables an auditor to

quickly appraise the effectiveness of internal

controls and complements the detailed written

narratives of procedures or questionnaires.

uThere is a handout (#8) of most common

flowchart symbols used.

4/25/19

20

Flowcharting

u Basic concepts of systems flowcharting:

uBasic flowcharting symbols are adequate, with

interjection of limited custom symbols, to prepare a

complete and effective systems flowchart.

uEvery flowchart must begin with terminal symbols

indicating where the process begins and where it ends.

uThe annotation symbol is used when a further

explanation is made for a process, document, file, etc.

uWhenever document is created or comes into a

flowchart it must be followed through to disposition. It

must either be filed, delivered, mailed or destroyed.

Gather audit evidenceu Inquiry

uObservation

u Inspection

uVouching

uTracing

uRe-perform

uAnalytical procedures

uConfirmation

NOTE: see handout for a description and examples of gathering audit evidence.

We will not look at using the computer to gather evidence. That is another class. See the SmartSheet for assistance on this aspect of auditing.

4/25/19

21

Evidence sources

uAudit evidence. Facts used to support audit opinions, conclusions, and recommendations – can be physical,

documentary, representational, or analytical.

uPhysical evidence. This is generally considered more reliable than the testimony of a person. It includes

statements of observers, photographs, charts, maps,

graphs, or other pictures.

Evidence sources

uDocumentary evidence. This is the most common type of audit evidence. It can be recorded in other media than

paper and includes, among other examples:

Letters Process flows, including flowcharts

Memos Program listings

E-mails Activity and control logs

Invoices (external) and accounting

records

Systems development

documentation

4/25/19

22

Evaluate evidence – ask four questions:

u Is it sufficient? Sufficient information is factual, adequate,

and convincing so that a prudent, informed person would reach

the same conclusion as the auditor.

u Is it reliable? Reliable information is the best attainable

information through the use of appropriate engagement

techniques.

u Is it relevant? Relevant information supports engagement

observations and recommendations and is consistent with the

objectives for the engagement.

u Is it useful? Useful information helps the organization meet its

goals.

Documentation / work papers

u Work papers, by definition, should contain the work done

during the engagement. That includes virtually everything

committed to paper or entered into a computer, from initial

plans through the final report – graphics and photos included –

and other physical or electronic documents.

u What is the best test of your work papers? They should

document the audit’s objectives and methods so thoroughly

that a new auditor added to the project at any point could fully

comprehend the engagement from the work papers and bring

the audit to a successful conclusion.

4/25/19

23

Sample file index

1 Audit work order Shows auditee, audit date, type, auditor, comments, time budget

2 Audit program Uses audit programs in permanent files for planning and tracking

3 Reportable conditions Point sheet with weaknesses, discrepancies, violations, etc.

5 Audit report Signed audit report and reply from auditee; no drafts here10 Notes for subsequent

auditsComments, pending legislation, extra attention needed

2x Copies of reportsgenerated by auditee

Reports from auditee to auditor’s office and reports issued to state or other agencies; cross reference to supporting work papers

3x General ledger analysis Trial balance and balance sheet analysis pages

Sample file index

4x Bank activity Bank recons and/or proofs of cash; misc. bank reports included

5x Cash counts Count forms with date, on hand, required cash balance, signed

60 Receipts tests Receipt work paper; if samples used, full documentation required

70 Disbursements tests Disbursement work paper; if samples used, documentation required

80 Confirmations Sample procedures, confirmations, responses, discrepancies

100 Fixed assets Fixed asset listing; notes on observations at auditee office

110 Payroll handout

4/25/19

24

Other filesuAdministrative Files. Administrative files contain

past and current audit calendars and a master file of blank audit forms. Current audit calendars show assigned audit dates. Historical calendars show audit schedules.

Other filesuPermanent Files. Permanent files accumulate data that

remains unchanged between audit periods and relates to

a particular auditee. Each auditee has a permanent

file. The permanent file serves four primary purposes:

u To refresh auditor's memory concerning auditee history.

u To serve as an audit summary for successor auditors when rotation occurs.

u To preserve work papers on items showing few or no changes over time.

u To serve as evidence of auditor's knowledge of the auditee. Knowledge allows the auditor to do an audit that meets auditing standards.

4/25/19

25

Permanent filesuOffice Overview. Describes statutory and non-statutory

office functions; receipt and disbursement descriptions trace funds from receipt to disbursement. Overview documentation shows amounts collected and disbursed to other fee officers, County, State or other entities. Flowcharts are here.

uPersonnel and Office Organization. Includes organization chart w/position titles, hierarchy of responsibility, accountability and authority and employee names to identify employees' position within the organizational structure.

Permanent files

u Contracts. Includes photocopies of all auditee office

contracts.

u Statutes. Includes copies of the code and association

documents for the auditee.

u Audit Programs. Master copy of full and limited scope audit

programs used.

u Systems Documentation. Includes sample forms and

documentation of systems.

u Audit Log. Summary of audits previously done on the auditee.

u Audit Reports. Copies of issued audit reports and responses.

4/25/19

26

So – Let’s Review the

A-Z of Auditing

Before any audit program is started:

uYour role is to:

u be independent

u gather knowledge and information

u report the results of findings, analyses and recommendations

uUnderstand the audit universe:

u statutory and mandatory audits

u non-statutory audits

uEstablish the audit plan for the year:

u determine available resources and assignments

u update the risk assessment

u prepare analytical review of each auditee

4/25/19

27

Now – Do the Auditu Determine Audit Objectivesu Prepare Preliminary Review

uUnderstand officeuReview prior auditsu Interview office holder

u Perform the Field WorkuReview internal controlsuDevelop audit programuPerform audit program stepsu Identify and evaluate findingsuPerform additional audit procedures

Complete the Audit

uPerform Substantive Tests:

uAccount balances are valid and proper

uTransactions are valid and proper

uReceipts and disbursements in accounts are valid

and properly classified

uReach Conclusions:

uKeep conclusions simple and to the point

uLogically organize the evidence

uPresent the basis for the conclusion

4/25/19

28

Elements of a finding

u Auditor’s focus – risks, negative events and issues to be fixed

u For each finding, ask these questions:

uWhat is the current state of affairs? (the “condition”

uWhat should be the current state of affairs? (the “criteria”)

uWhat has caused the current state of affairs? (the “cause”)

uWhy is the current state of affairs undesirable? (the “effect”)

uWhat should be done to correct the current state of affairs?

(the “recommendation”)

Prepare the Audit ReportuReview reportable conditions point sheets

uWrite preliminary audit report

uHold an exit conference and present preliminary audit report

uRequest acknowledgement letter from auditee

u Issue audit report signed by county auditor

4/25/19

29

Wrap up the audit

uClosure

uRequest audit effectiveness questionnaire from

auditee to rate audit staff (see handout)

uFile cleanup

uFinal review

uFiling work papers

Audit AuthoritiesGAO –Yellow Book (GAS & GAGAS)

® Primarily for External Auditors of Federal money

® Good guidance for County Auditors where Applicable

GASB – GAAP State & Local Government

u Mainly for preparation of CAFR

AICPA – (SAS) for CPAs Auditing

u Mainly for CPA firms writing Audit Opinions

® Good guidance for County Auditors where Applicable

Institute of Internal Auditors (IIA) – Red Book

u For all internal auditors (corporate & non-profit)

u Good guidance for County Auditors where Applicable

4/25/19

30

Auditing A-Z

u TACA Handbook for the County Auditor in Texas

u Available on SmartSheet for all County Auditor offices

u Chapter 8 – Auditing

u Audit Statutes and Responsibilities

u Audit Authority

u Audit and Approval of Claims

u Chapter 9 – Sample Audit Programs

u Over 200 audit programs for different offices

u Most are in Word

u Easily adaptable to your county

CH. 8 Auditing

u 8-1 Introduction to Auditing

u 8-2 County Auditor’s Audit Function

u 8-3 Audit Standards

u 8-4 Internal Control Environment

u 8-5 Tools and Techniques for Internal Audit Engagements

u 8-6 Documentation Work Papers

u 8-7 The Audit Engagement

u 8-7.1 Sample Audit Work Plan Checklist

u 8-7.2 Sample Audit Effectiveness Questionnaire

4/25/19

31

Ch. 9 Sample Audit Programsu Accounts Payableu Child Protective Services

u Collection Improvement

u Community Supervision

u Constable Offices

u Continuous Auditing

u Control Self Assessmentu County Attorney

u County Clerk

u District Attorneyu District Clerk

u Engineering

u Fixed Assets

u Fleet

u Fraud Risk

u GASB Audit u Grants

u Human Resources

Ch. 9 Sample Audit Programsu Indigent Defense

u Information Technology

u Internal Audit Programs

u Internal Controls

u Justice of the Peace

u Juvenile Probation

u Parks and Recreation

u Payroll

u Purchasing

u Risk Assessment

u Road and Bridge

u Security

u Sheriffs Office

u Social Services

u Tax Assessor-Collector

u Treasurer

u Unclaimed Property