WICOMICO COUNTY INTERNAL AUDIT MANUAL OFFICE OF THE INTERNAL AUDITOR

Transcription

1 WICOMICO COUNTY INTERNAL AUDIT MANUAL 4 OFFICE OF THE INTERNAL AUDITOR 1

2 Table of Contents AUDIT MANUAL WICOMICO COUNTY Internal Auditor SECTION 100 ORGANIZATION AND RESPONSIBILITIES A. Objective and Scope of Internal Auditing B. Statement of Authority and Responsibility C. County Internal Auditor Meetings D. Reserved for Future Use E. Jurisdictional Responsibility F. Position Descriptions 200 RELATIONSHIP WITH AUDITEES A. General Philosophy B. Etiquette C. Auditee Assistance 300 GENERAL PROFESSIONAL STANDARDS A. Professional Judgment & Competence B. Code of Ethics C. Independence Obj ectivit I). Quality Control and Assurance 400 PERFORMING STANDARDS OF THE AUDIT A. Managing the Internal Audit Activity B. Nature of Work C. Engagement Planning D. Performing the Engagement E. Communicating Results F. Monitoring Progress G. Resolution to Senior Managements Acceptance of Risk 2

3 Table of Contents SECTION AUDIT MANUAL WICOMICO COUNTY Internal Auditor 500 OFFICE ADMINISTRATIVE POLICIES A, Responsibility B. Files and Materials C. Distribution of Audit Reports D. Record Retention E. Internal Auditor Expense 600 AUDIT ADMINISTRATION PROCEDURES A. Annual Audit Plan B. Special Requests for Audit Services C. Report Review Procedures D. Report Processing Procedures E. Auditee Response to Audit Reports F. Time Budget and Administration 700 PERSONNEL A. County Personnel Policies B. Professional Certifications C. Continuing Education 3

4 SECTION: ORGANIZATION AND MANUAL RESPONSIBILITIES DATE: 4/09 Section 100A OBJECTIVE AND SCOPE OF INDEX 1 OF 2 INTERNAL AUDITING ORGANIZATION AND RESPONSIBILITY The Internal Auditor performs an independent appraisal function established by the County Charter within Wicomico County Government to examine and evaluate its activities as a service to the County Government. The objective of the Internal Auditor is to assist the County Council, the County Executive and the County staff of the Wicomico County in the effective discharge of their responsibilities. To this end, internal auditing furnishes analysis, appraisals, recommendations, counsel, and information concerning the activities reviewed. The audit objective includes promoting effective control at a reasonable cost. The scope of internal auditing should encompass the examination and evaluation of the adequacy and effectiveness of Wicomico County s system of internal control and the quality of performance in carrying out assigned responsibilities. The defined purpose of the Internal Auditor The Internal Auditor s primary mission is to conduct audits and/or special studies to benefit the citizens of Wicomico County and the management of Wicomico County Government. The goal of the audit process is to promote effective and efficient program and financial management, and to ensure integrity in governance. The primary purpose of an audit is to evaluate operations with a view towards opportunities for improvement. The audit report, which is a combined effort of both the auditor and the administration, is the end result of the audit process. Recommendations from the report can be used as a basis for adjusting procedures, policies, or priorities in order to make operations as economical, effective and efficient as possible. All audits are conducted in accordance with government auditing standards and International Standards for the Professional Practice of Internal Auditing; as applicable, in compliance with Federal, State and local laws and regulations. (The Institute of Internal Auditor s Attribute Standard) Review the organization s activities to determine whether it is efficiently and effectively carrying out its function in accordance with management s instructions, policies, and procedures. 4

5 SECTION: ORGANIZATION AND MANUAL RESPONSIBILITIES DATE: 4/09 Section 100A OBJECTIVE AND SCOPE OF INDEX 2 OF 2 INTERNAL AUDITING ORGANIZATION AND RESPONSIBILITY Determine the adequacy and effectiveness of the system of internal controls in all areas of activity. Review the reliability and integrity of financial information and the means used to identify measure, classify, and report such information. Appraise the economy and efficiency, with which resources are employed, identify opportunities to improve operating performance, and recommend solutions to problems where appropriate. Review operations and plans to ascertain whether results are consistent with established objectives and goals, and whether the operations and plans are being carried out as intended. Coordinate audit efforts, where appropriate, with those of the external auditors. Review the planning, design, development, implementation, and operation of relevant computerbased systems to determine whether (a) adequate controls are incorporated in the systems; (b) thorough system testing is performed at appropriate stages; (c) system documentation is complete and accurate; and (d) needs of the users are met. Conduct periodic audits of computer systems software and make post-installation evaluations of relevant data processing systems to determine whether those systems meet their intended purposes and objectives. Report to those members of management who should be informed, or who should take corrective action, the results of audit examinations, the audit opinions formed, and the recommendations made, Evaluate the plans or actions taken to correct reported conditions for satisfactory disposition of audit findings. If corrective action is considered unsatisfactory, hold further discussions to achieve acceptable disposition. Provide adequate follow-up to ensure that proper corrective action is taken and that it is effective, 5

6 SECTION: ORGANIZATION AND MANUAL RESPONSIBILITIES DATE: 4/09 Section 100B STATEMENT OF AUTHORITY INDEX 1 OF 1 AND_RESPONSIBILITY AUTHORITY AND RESPONSIBILITY (The Institute of Internal Auditor s Attribute Standards) Authority The Internal Auditor will have full, free, and unrestricted access to records, personnel, and physical properties relevant to the performance of an audit. The Internal Auditor has neither authority over nor responsibility for the activities they audit. The Internal Auditor should have direct access to the audit committee since it tends to enhance the Internal Auditor s independence and objectivity. Responsibility The Internal Auditor accomplishes his/her purpose of assisting the council management by reviewing, examining, and evaluating activities, furnishing analyses and appraisals. and reporting findings and recommendations. This audit responsibility cannot relieve any operating manager of the requirement for ensuring proper control with his or her area of concern. 6

7 Section 100C MEETINGS SECTION: ORGANIZATION AND RESPONSIBILITIES COUNTY INTERNAL AUDITOR MEETINGS MANUAL DATE: 4/09 INDEX 1 OF 1 The Internal Auditor will meet at least quarterly with the Audit Committee. The meetings of the Audit Committee are subject to the Maryland Open Meetings Act and the Public Information Act. The Internal Auditor will attend all meetings. If the Internal Auditor is unable to attend a meeting, the committee will be notified that the meeting will be rescheduled. The Internal Auditor will submit a report of the Audit Committee meetings and attendance to the County Council by December 31St of each year. The quorum will be three committee members, with two being certified public accountants. 7

8 SECTION: ORGANIZATION AND MANUAL RESPONSIBILITIES DATE: 4/09 Section 100E JURISDICTIONAL INDEX 1 OF 1 RESPONSIBILITY JURISDICTIONAL RESPONSIBILITY All records and files pertaining to the receipt and expenditure of county funds by all officers, agents, and employees of the county, and all records and files pertaining to management and performance of the functions and activities of any office, department, or agency funded in whole or in part by county funds, and all offices, departments, institutions, boards, commissions, and other agencies thereof shall at all times be open to the inspection of the County Internal Auditor. If any agencies funded in whole or in part by county funds refuses an audit, the determination will be made to litigate or not. 8

9 POSITION DESCRIPTION County Internal Auditor, Wicomico County, Maryland Pursuant to Section 305 of the Wicomico County Charter the County Council shall appoint a County Internal Auditor who shall serve at the pleasure of the Council and shall receive such compensation as the Council may determine. The County Internal Auditor shall be a certified public accountant licensed under the laws of the State of Maryland. The role of the County Internal Auditor is to assist the County Council and the County Executive in providing assurance that the county s services are being provided efficiently, effectively, economically and in compliance with laws, regulations, policies and procedures. Independence and objectivity are essential to the effectiveness of the functions performed by the County Internal Auditor. In order to meet the standards of the profession, the County Internal Auditor must maintain an impartial and unbiased judgment when performing audits. To maintain independence, the County Internal Auditor does not set operating or financial policies related to the overall county. Independence is further ensured by the County Internal Auditor reporting directly to the County Council. The County Internal Auditor is responsible for assessing various functions and control systems in Wicomico County and for advising The County Council and the County Executive concerning their condition. The fulfillment of this accountability includes but is not limited to the following: Appraising the effectiveness and application of administrative and financial controls and reliability of data developed within the county. Evaluating sufficiency of and adherence to county plans, policies and procedures and compliance with governmental laws and regulations. Ascertaining the adequacy of controls for safeguarding county assets and, when appropriate, verifying the existence of assets. Performing special reviews requested by the County Council or the County Executive. Conducting appraisals of the effectiveness and efficiency in the use of county resources and making appropriate recommendations to the County Council and the County Executive. Coordinating audit planning and scheduling activities with the independent external auditors. Developing an annual audit plan for audit coverage that fulfills the responsibility of the County Internal Auditor. Providing written reports of audit findings and recommendations to the County Council and the County Executive for appropriate action. Evaluating plans or actions taken and corrected conditions reported for satisfactory disposition of audit findings. 9

10 AUDIT MANUAL Section 100F N SEC11ON: ORGANIZATION AND MANUAL RESPONSIBILITIES DATE: 4/09 POSITION DESCRIPTION INDEX 2 OF 2 POSITION DESCRIPTION Conducting operational and performance audits of any office, department or agency funded in whole or in part by county funds, as assigned and directed by the County Council, or the County Executive. Examining or auditing the accounts of any agency or organization that receives or disburses county funds by order to the County Executive or the County Council. Reporting the results of the County Internal Auditor s audits to the County Executive and the County Council. In performing his/her function, the Internal Auditor has no direct responsibility for or authority over, any of the activities reviewed. The internal audit review and appraisal process does not, therefore, relieve any other persons of the responsibilities assigned to them. In the performance of audits, with stringent accountabilities of safekeeping and confidentiality, the Office of the Internal Auditor shall have complete and timely access to all organizational activities, records, property, and personnel. 10

11 GENERAL PHILOSOPHY The main purpose of the relationship with the various County departments, programs, or activities being audited is to aid auditees by making useful recommendations for improvements in such areas as organizational and operational structure, internal controls, reporting tools, etc. In performing this work, the Internal Auditor usually must rely heavily on the auditee s assistance in gathering the necessary information, This should be kept in mind on all audits. Auditees should be treated in a professional manner, even if the treatment is not reciprocated. If an auditor feels that an auditee is being unduly abusive or uncooperative, the matter should be brought to the attention of the County Council and the County Executive for resolution. 11

12 AUDIT MANUAL SECTION: RELATIONSHIP WITH MANUAL AUDITEES DATE: 4/09 Section 200B ETIQUETTE INDEX 1 OF 1 ETIQUETTE Etiquette is a code of behavior that defines the Internal Auditor s interaction with management auditees. Etiquette is simply a set of good standards that provides guidelines for courteous, considerate behavior. A. An audit memorandum must always be sent to the appropriate department head one week in advance of the audit date to allow for the adequate preparation of the audit. B. The entrance interview should be held with the management responsible for the area to be audited and also with the person requesting the audit. C. The Internal Auditor should notify those persons in charge of all areas to which there will be the need of access in conducting an audit as to why access to their area s are needed and what records will be needed. D. All correspondence on the audit should be sent to the manager of the area being audited. 12

13 SECTION: RELATIONSHIP WITH MANUAL AUDITEES DATE: 4/09 Section 200C AUDITEE ASSISTANCE INDEX 1 OF 1 AUDITEE ASSISTANCE The Auditee s primary duty is to fulfill his/her daily assignments. However, Assistance from auditee employees is often needed in the performance of the Internal Auditor s work. Patience is required in order for an employee to assist the Internal Auditor for a reasonable amount of time. If the employee will be needed for a significant amount of time, the Internal Auditor shall notify the departmental manager of the information and assignment needed to be done so that the auditee s work can be prioritized. 13

14 SECTION: GENERAL MANUAL PROFESSIONAL STANDARDS DATE: 4/09 Section 300A PROFESSIONAL JUDGEMENT & INDEX 1 OF 3 COMPETENCE PROFESSIONAL JUDGEMENT & COMPETENCE (The Institute of Internal Auditor s Attribute Standards) Proficiency and Due Professional Care Engagements must be performed with proficiency and due professional care. Proficiency Internal Auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities. Knowledge, skills, and other competencies is a collective term that refers to the professional proficiency required of Internal Auditors to effectively carry out their professional responsibilities. Internal Auditors are encouraged to demonstrate their proficiency by obtaining appropriate professional certifications and qualifications, such as the Certified Internal Auditor designation and other designations offered by The Institute of Internal Auditors and other appropriate professional organizations. Internal Auditors must obtain competent advice and assistance if the Internal Auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement. Internal Auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. Internal Auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all Internal Auditors are expected to have the expertise of an Internal Auditor whose primary responsibility is information technology auditing. 14

15 COMPETENCE SECTION: GENERAL MANUAL PROFESSIONAL STANDARDS DATE: 4/09 Section 300A PROFESSIONAL JUDGEMENT & INDEX 2 OF 3 PROFESSIONAL JUDGEMENT & COMPETENCE (The Institute of Internal Auditor s Attribute Standards) The Internal Auditor must decline the consulting engagement or obtain competent advice and assistance if the Internal Auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement Due Professional Care Internal Auditors must apply the care and skill expected of a reasonably prudent and competent Internal Auditor. Due professional care does not imply infallibility. Internal Auditors must exercise due professional care by considering the: Extent of work needed to achieve the engagements objectives; Relative complexity, materiality, or significance of matters to which assurance procedures are applied; Adequacy and effectiveness of governance, risk management, and control processes; Probability of significant errors, fraud, or noncompliance; and Cost of assurance in relation to potential benefits. In exercising due professional care Internal Auditors must consider the use of technology-based audit and other data analysis techniques. Internal Auditors must be alert to the significant risks that might affect objectives. operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified. Internal Auditors must exercise due professional care during a consulting engagement by considering the: Needs and expectations of clients. including the nature. timing. and communication of engagement results: is

16 SECTION: GENERAL PROFESSIONAL STANDARDS MANUAL DATE: 4/09 Section 300A PROFESSIONAL JUDGEMENT & INDEX 3 OF 3 COMPETENCE PROFESSIONAL JUDGEMENT & COMPETENCE (The Institute of Internal Auditor s Attribute Standards) relative complexity and extent of work needed to achieve the engagemencs objectives; and Cost of the consulting engagement in relation to potential benefits. Continuing Professional Development Internal Auditors must enhance their knowledge, skills, and other competencies through continuing professional development. 16

17 AUDIT MANUAL I SECTION: GENERAL MANUAL PROFESSIONAL STANDARDS DATE: 4/09 Section 3008 ETHICS INDEX 1 ofij CODE OF ETHICS fuhe Institute of Internal Auditor s Code of Ethics) Principles Internal Auditors are expected to apply and uphold the following principles: Integrity-The integrity of Internal Auditors establishes trust and thus provides the basis for reliance on their judgment. Objectivity-Internal Auditors exhibit the highest level of professional objectivity in gathering. evaluating, and communicating information about the activity or process being examined. Internal Auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments while maintaining professional skepticism when they evaluate all documentation, When the auditor adopts such an attitude, the auditor does not accept evidence gathered at its face value: rather, the auditor evaluates the evidence bearing in mind: the evidence may be misleading, the documentation may be incomplete, or the person providing the evidence may be either incompetent or motivated to provide evidence that is misleading or incomplete. the possibility of Fraud Confidentiality-Internal Auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so. Competency-Internal Auditors apply the knowledge, skills, and experience needed in the performance of internal audit services. 17

18 AUDIT MANUAL,_iNZ\ SECTION: GENERAL MANUAL PROFESSIONAL STANDARDS DATE: 4/09 Section 30DB ETHICS INDEX 2 OF 3 CODE OF ETHICS (The Institute of Internal Auditor s Code of Ethics) Rules of Conduct Integrity Internal Auditors: Shall perform their work with honesty. diligence, and responsibility. Shall observe the law and make disclosures expected by the law and the profession. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization. Shall respect and contribute to the legitimate and ethical objectives of the organization. Objectivity Internal Auditors: Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment, This participation includes those actiities or relationships that ma be in conflict with the interests of the organization. Shall not accept anything that may impair or be presumed to impair their professional judgment. Shall disclose all material facts known to them that. if not disclosed. may distort the reporting of acti ities under re iev. Confidentialit. Internal Auditors: 18

19 AUDIT MANUAL SECTION: GENERAL MANUAL i PROFESSIONAL STANDARDS DATE: 4/09 Section 3008 ETHICS INDEX 3 OF 3 CODE OF ETHICS 1The Institute of Internal Auditor s Code of Ethics) Shall be prudent in the use and protection of information acquired in the course of their duties. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization. Competency Internal Auditors: Shall engage only in those services for which they have the necessary knowledge, skills, and experience. Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing. Shall continually improve their proficiency and the effectiveness and quality of their services. 19

20 AUDIT MANUAL,/Ø!NZ\ SECTION: GENERAL MANUAL, PROFESSIONAL STANDARDS DATE: 4/09 Section 300C INDEPENDENCE/OBJECTIVITY INDEX 1 OF 3 4 INDEPENDENCE/OBJECTIVITY (The Institute of Internal Auditor s Attribute Standards) Independence and Objectivity The internal audit activity must be independent, and the Internal Auditor must be objective in performing his/her work. Interpretation: Independence is the freedom from conditions that threaten the ability of the internal audit activity or the Internal Auditor to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the Internal Auditor has direct and unrestricted access to all senior management. Threats to independence must be managed at the individual auditor. engagement. functional, and organizational levels. Objectivity is an unbiased mental attitude that allows Internal Auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that Internal Auditors do not subordinate their judgment on audit matters to others, Threats to objectivity must be managed at the individual auditor, engagement, functional. and organizational levels. The Internal Auditor must report to the County Council. The Internal Auditor must confirm to the audit committee, at least annually, the organizational independence of the internal audit activity. The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. 20

21 AUDIT MANUAL /Ø1NZ\ Section 300C / ftz SECTION: GENERAL MANUAL PROFESSIONAL STANDARDS DATE: 4/09 INDEPENDENCE/OBJECTIVITY INDEX 2 OF 3 INDEPENDENCE/OBJECTIVITY (The Institute of Internal Auditor s Attribute Standards) Direct Interaction with the County Council The Internal Auditor must communicate and interact directly with the County Council. Individual Objectivity The Internal Auditor must have an impartial, unbiased attitude and avoid any conflict of interest. In order to maintain objectivity & independence, the Internal Auditor s committee shall meet with the County Council as a body and shall take direction from the County Council as a body. Interpretation: Conflict of interest is a situation in which an Internal Auditor, who is in a position of trust, has a competing professional or personal interest. Such competing interests can make it difficult to fulfill his or her duties impartially. A conflict of interest exists even if no unethical or improper act results. A conflict of interest can create an appearance of impropriety that can undermine confidence in the Internal Auditor, the internal audit activity, and the profession. A conflict of interest could impair an individual s ability to perform his or her duties and responsibilities objectively. Impairment to Independence or Objectivity If independence or objectivity is impaired in fact or appearance. the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment. 21

22 AUDIT MANUAL Section 300C O1.31bI7. SECTION:GENERAL I MANUAL PROFESSIONAL STANDARDS DATE: 4/09 INDEPENDENCE/OBJECTIVITY INDEX 3 OF 3 INDEPENDENCE/OBJECTIVITY (The Institute of Internal Auditor s Attribute Standards) Interpretation: Impairment to organizational independence and individual objectivity may include, but is not limited to, personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations, such as funding. The determination of appropriate parties to which the details of an impairment to independence or objectivity must be disclosed is dependent upon the expectations of the internal audit activity s and the Internal Auditor s responsibilities as described in the Section 305 of the County Charter. Internal Auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an Internal Auditor provides assurance services for an activity for which the internal Auditor had responsibility within the previous year. Assurance engagements for functions over which Internal Auditors have responsibility must be overseen by a party outside the internal audit activity. Internal Auditors may provide consulting sen ices relating to operations for which they had previous responsibilities. if Internal Auditors have potential impairments to independence or objectivit relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement. 22

23 AUDIT MANUAL SECTION: GENERAL MANUAL PROFESSIONAL STANDARDS DATE: 4/09 Section 300D QUALITY CONTROL AND INDEX 1 OF 4. ASSURANCE QUALITY CONTROL AND ASSURANCE (The Institute of Internal Auditor s Attribute Standards) Quality Assurance and Improvement Program The Internal Auditor must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. Interpretation: A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether Internal Auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement. Requirements of the Quality Assurance and Improvement Program The quality assurance and improvement program must include both internal and external assessments. Internal Assessments Internal assessments must include: Ongoing monitoring of the performance of the internal audit activity and Periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices. 23

24 AUDIT MANUAL SECTION: GENERAL MANUAL L3ujt PROFESSIONAL STANDARDS DATE: 4/09 Section 300D _/j:z, QUALITY CONTROL AND INDEX 2 OF 4 ASSURANCE QUALITY CONTROL AND ASSURANCE LFhe Institute of Internal Auditor s Attribute Standards) Interpretation: Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity and uses processes. tools. and information considered necessary to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards. Periodic reviews are assessments conducted to e aluate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards. Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the International Professional Practices Framework. External Assessments External assessments must be conducted at least once every fi e years by a qualified, independent reviewer or review team from outside the organization. The Internal Auditor must discuss with the audit committee: The need for more frequent external assessments and the qualifications and independence of the external reviewer or review team, including an potential conflict of interest. Interpretation: A qualified reviewer or reiew team consists of individuals ho are competent in the professional practice of internal auditing and the external assessment process. 1 he evaluation of the competency of the rev iewer and re jew team is a judgment that considers the professional 24

25 AUDIT MANUAL,,d!NZ3\ SECTION: GENERAL MANUAL Section 300D (cj PROFESSIONAL STANDARDS DATE: 4/09 QUALITY CONTROL AND INDEX 3 OF 4 ASSU RANCE QUALITY CONTROL AND ASSURANCE (The Institute of Internal Auditor s Attribute Standards) internal audit experience and professional credentials of the individuals selected to perform the review. The evaluation of qualifications also considers the size and complexity of the organizations that the reviewers have been associated with in relation to the organization for which the internal audit activity is being assessed, as well as the need for particular sector. industry, or technical knowledge. An independent reviewer or review team means not having either a real or an apparent conflict of interest and not being a part of, or under the control of, the organization to which the internal audit activity belongs. Reporting on the Quality Assurance and Improvement Program The Internal Auditor must communicate the results of the quality assurance and improvement to the executive and the County Council. Interpretation: The form, content, and frequency of communicating the results of the quality assurance and improvement program is established through discussions with senior management, the executive, and the County Council and considers the responsibilities of the internal audit activity and Internal Auditor as contained in the County Charter. To demonstrate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the reviewe?s or review teams assessment with respect to the degree of conformance. Use of Conforms with the International Standards for the Professional Practice of Internal Auditing 25

26 AUDIT MANUAL SECTION: GENERAL MANUAL 91) PROFESSIONAL STANDARDS DATE: 4/09 QUALITY CONTROL AND INDEX 4 OF 4 Section 300D - ASSURANCE QUALITY CONTROL AND ASSURANCE (The Institute of Internal Auditor s Attribute Standards) The Internal Auditor may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement. Disclosure of Nonconformance When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the Internal Auditor must disclose the nonconformance and the impact to the executive and the County Council. 26

27 AUDIT MANUAL SECTION: PERFORMING MANUAL STANDARDS OFTHE AUDIT DATE: 4/09 Section 400A MANAGING THE INTERNAL INDEX 1 OF 3 AUDIT ACTIVITY MANAGING THE INTERNAL AUDIT ACTIVITY ihe Institute of Internal Auditor s Performance Standa) Managing the Internal Audit Activity The Internal Auditor must effectively manage the internal audit activity to ensure it adds value to the organization. The internal audit activity is effectively managed when: The results of the internal audit activity s work achieve the purpose and responsibility included in the internal audit charter; The internal audit activity conforms with the Definition of Internal Auditing and the Standards; and The individuals who are part of the internal audit activity demonstrate conformance with the Code of Ethics and the Standards. Planning The Internal Auditor must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization s goals. Interpretation: The Internal Auditor is responsible for developing a risk-based plan. The Internal Auditor takes into account the organization s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the Internal Auditor uses his/her own judgment of risks after consultation with senior management and the County Council. The internal audit activity s plan of engagements must be based on a documented risk assessment. undertaken at least annually. The input of senior management must be considered in this process. 27

28 AUDIT MANUAL c SECTION: PERFORMING MANUAL STANDARDS OF THE AUDIT DATE: 4/09 Section 400A MANAGING THE INTERNAL INDEX 2 OF 3 AUDIT ACTIVITY MANAGING THE INTERNAL AUDIT ACTIVITY (The Institute of Internal Auditor s Performance Standards) The Internal Auditor should consider accepting proposed consulting engagements based on the engagement s potential to improve management of risks, add value, and improve the organization s operations. Accepted engagements must be included in the plan. Communication and Approval The Internal Auditor must communicate the internal audit activity s plans and resource requirements. including significant interim changes. to the County Council for review and approval. The Internal Auditor must also communicate the impact of resource limitations. Resource Managemc The Internal Auditor must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. Interpretation: Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the plan. Sufficient refers to the quantity of resources needed to accomplish the plan. Resources are effectively deployed when they are used in a way that optimizes the achievement of the approved plan. Policies and Procedures The Internal Auditor must establish policies and procedures to guide the internal audit activity. 28

29 SECTION: PERFORMING STANDARDS OF THE AUDIT MANAGING THE INTERNAL AUDIT ACTIVITY MANAGING THE INTERNAL AUDIT ACTIVITY (The Institute of Internal Auditor s Performance Standards) Interpretation: The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work. Co-ordination The Internal Auditor should share information and coordinate activities with external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts. Reporting to County Council The Internal Auditor must report periodically to County Council on the internal audit activitvs purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues. including fraud risks, governance issues, and other matters needed or requested by the County Council. Interpretation: The frequency and content of reporting are determined in discussion with the County Council and depend on the importance of the information to he communicated and the urgency of the related actions to be taken by senior management. 29

30 I AUDIT MANUAL SECTION: PERFORMING MANUAL STANDARDS OFTHE AUDIT DATE: 4/09 Section 400B NATURE OF WORK INDEX 1 OF 4 NATURE OF WORK (The Institute of Internal Auditor s Performance Standards) Nature of Work The Internal Auditor must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach. Governance The Internal Auditor must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives: Promoting appropriate ethics and values within the County Government: Ensuring effective organizational performance management and accountability: Communicating risk and control information to appropriate areas of the County Government; Coordinating the activities of and communicating information among the County Council, Internal Auditors. and management. The Internal Auditor must evaluate the design. implementation. and effectiveness of County s ethics-related objectives, programs. and activities. Fhe Internal Auditor must assess whether the information technology governance of Wicomico County sustains and supports the Coimtys strategies and objectives. Consulting engagement objectives must be consistent ith the oerall values and goals of the County. Risk Management The Internal Auditor nmst evaluate the effectiveness and contribute to the improvement of risk management processes. 30

31 AUDIT MANUAL ço 3. SECTION: PERFORMING MANUAL STANDARDS OF THE AUDIT DATE: 4/09 Section 400B NATURE OF WORK INDEX2OF4 NATURE OF WORK (The Institute of Internal Auditor s Performance Standards) Interpretation: Determining whether risk management processes are effective is a judgment resulting from the Internal Auditor s assessment that: Organizational objectives support and align with the organization s mission significant risks are identified and assessed; Appropriate risk responses are selected that align risks with the organization s risk appetite and Relevant risk information is captured and communicated in a timely manner across the organization. enabling staff, management. and the board to carry out their responsibilities. Risk management processes are monitored through ongoing management activities. separate evaluations, or both. The Internal Auditor must evaluate risk exposures relating to the organization s governance. operations. and information systems regarding the: Reliability and integrity of financial and operational information. Effectiveness and efficiency of operations. Safeguarding of assets: and Compliance with laws. regulations, and contracts. fhe Internal Auditor must evaluate the potential for the occurrence of fraud and ho the Entit manages fraud risk. During consulting engagements. Internal Auditors must address risk consistent with the engagement s objectives and he alert to the existence of other signiticant risks. 31

32 AUDIT MANUAL,4RZ\ SECTION: PERFORMING MANUAL 5 STANDARDS OF THE AUDIT DATE: 4/09 Section 400B NATURE OF WORK INDEX 3 OF 4 NATURE OF WORK (The Institute of Internal Auditor s Performance Standards) Internal Auditors must incorporate knowledge their evaluation of the County s risk management processes. of risks gained from consulting engagements into When assisting management in establishing or improving risk management processes, Internal Auditors must refrain from assuming any management responsibility by actually managing risks. Control The Internal Auditor must assist the County in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. The Internal Auditor must evaluate the adequacy and effectiveness of controls in responding to risks within the organization s governance. operations. and information systems regarding the: Reliability and integrity of financial and operational information: Effectiveness and efficiency of operations: Safeguarding of assets: and Compliance with laws, regulations, and contracts. Internal Auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization. Internal Auditors should review operations and programs to ascertain the extent to which results are consistent ith established goals and objectives to determine hether operations and programs are being implemented or performed as intended. 32

33 NATURE OF WORK (The Institute of Internal Auditof s Performance Standards) During consulting engagements, Internal Auditors must address controls consistent with the engagement s objectives and be alert to significant control issues. Internal Auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the Countys control processes. 33

34 34 engagements. this understanding must be documented. objecti es, scope. respective responsibilities, and other client expectations. For significant Internal Auditors must establish an understanding with consulting engagement clients about establish a written understanding with them about objectives. scope. respective responsibilities, and other expectations. including restrictions on distribution of the results of the engagement and access to engagement records. When planning an engagement for parties outside the organization. Internal Auditors must The adequacy and effectiveness of the activity s risk management and control processes and control processes. compared to a relevant control framework or model: and by which the potential impact of risk is kept to an acceptable level: its performance; The objectives of the activity being reviewed and the means by which the activity controls The significant risks to the activity, its objectives, resources, and operations and the means The opportunities for making significant improvements to the activity s risk management In planning the engagement, Internal Auditors must consider: Planning Considerations engagement s objectives, scope, timing, and resource allocations. Internal Auditors must develop and document a plan for each engagement, including the Engagement Planning (The Institute of Internal Auditor s Performance Standards) ENGAGEMENT PLANMNG

35 ENGAGEMENT PLANNING (The Institute of Internal Auditor s Performance Standards) Engagement Objectives Objectives must be established for each engagement. Internal Auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment. Internal Auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives. Adequate criteria are needed to evaluate controls. Internal Auditors must ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate. Internal Auditors must use such criteria in their evaluation. If inadequate, Internal Auditors must work with management to develop appropriate evaluation criteria. Consulting engagement objectives must address governance, risk management, and control processes to the extent agreed upon with the client. Engagement Scope The established scope must be sufficient to satisfy the objectives of the engagement. fhe scope of the engagement must include consideration of relevant systems, records. personnel, and physical properties. including those under the control of third parties. If significant consulting opportunities arise during an assurance engagement. a specific written understanding as to the objectives, scope. respecti e responsibilities, and other expectations should he reached and the results of the consulting engagement communicated in accordance with consulting standards. 35

36 Section400C.. ENGAGEMENTPLANNING INDEX3OF3 36 Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement. its implementation. and any adjustments approved promptly. documenting information during the engagement. The work program must be approved prior to Work programs must include the procedures for identifying, analyzing. e aluating, and Internal Auditors must develop and document work programs that achieve the engagement objectives. Engagement Work Program objectives based on an evaluation of the nature and complexity of each engagement. time constraints, and available resources. Internal Auditors must determine appropriate and sufficient resources to achieve engagement Engagement Resource Allocation the client to determine whether to continue with the engagement. engagement is sufficient to address the agreed-upon objectives. If Internal Auditors develop reservations about the scope during the engagement, these reservations must be discussed with In performing consulting engagements. Internal Auditors must ensure that the scope of the fthe Institute of Internal Auditof s Performance Standards) ENGAGEMENT PLANNING crrrqc;_t STANDARDS OF THE AUDIT DATE: 4/09 AUDIT MANUAL SECTION: PERFORMING MANUAL

37 AUDIT MANUAL,ØUFç SECTION: PERFORMING MANUAL STANDARDS OFTHE AUDIT DATE: 4/09 Section 400D PERFORMING THE INDEX 10F2 PERFORMING THE ENGAGEMENT (The Institute of Internal Auditor s Performance Standards) Performing the Engagement Internal Auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagemenf s objectives. Identifying Information Internal Auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagemenfs objectives. Interpretation: Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Reliable information is the best attainable information through the use of appropriate engagement techniques. Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. Useful information helps the organization meet its goals. Anaisis and Evaluation Internal Auditors must base conclusions and engagement results on appropriate analyses and evaluations. Documenting Information Internal Auditors must document relevant information to support the conclusions and engagement results. The Internal Auditor must control access to engagement records. The Internal Auditor must obtain the appro al of senior management and or legal counsel prior to releasing such records to external parties. as appropriate. 37

38 PERFORMING THE ENGAGEMENT (The Institute of Internal Auditor s Performance Standards) The Internal Auditor must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements must be consistent with the organization s guidelines and any pertinent regulatory or other requirements. The Internal Auditor must develop policies governing the custody and retention of consulting engagement records. as well as their release to internal and external parties. These policies must be consistent with the organization s guidelines and any pertinent regulatory or other requirements. 38

39 COMMUNICATING RESULTS SECTION: PERFORMING STANDARDS OF THE AUDIT 39 Accurate communications are free from errors and distortions and are faithful to the underlying facts. Objective communications are fair. impartial. and unbiased and are the result of a fairminded and balanced assessment of all relevant facts and circumstances. Clear communications significant and rele ant information, Concise communications are to the point and avoid are easily understood and logical, avoiding unnecessary technical language and providing all Interpretation: Communications must be accurate, objective, clear, concise. constructive, complete, and timely. Quality of Communications content depending upon the nature of the engagement Communication of the progress and results of consulting engagements will xary in form and When releasing engagement results to parties outside the organization, the communication must include limitations on distribution and use of the results. Internal Auditors are encouraged to acknowledge satisfactory performance in engagement communications. overall opinion and/or conclusions. Final communication of engagement results must. where appropriate, contain Internal Auditors Criteria for Communicating Communications must include the engagement s objectives and scope as well as applicable conclusions, recommendations, and action plans. Internal Auditors must communicate the engagement results. Communicating Results (The Institute of Internal Auditor s Performance Standards) COMMUNICATING RESULTS

40 COMMUNICATING RESULTS (The Institute of Internal Auditor s Performance Standards) unnecessary elaboration, superfluous detail, redundancy, and wordiness. Constructive communications are helpful to the engagement client and the organization and lead to improvements where needed. Complete communications lack nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions. Timely communications are opportune and expedient, depending on the significance of the issue, allowing management to take appropriate corrective action to meet the needs of the Internal Auditor. Errors and Omissions If a final communication contains a significant error or omission. the Internal Auditor must communicate corrected information to all parties who received the original communication. Use of Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing Internal Auditors may report that their engagements are conducted in conformance with the International Standards for the Professional Practice of Internal Auditing. only if the results of the quality assurance and improvement program support the statement. Engagement Disclosure of Nonconformance When nonconformance with the Definition of Internal Auditing. the Code of Ethics or the Standards impacts a specific engagement. communication of the results must disclose the: Principle or rule of conduct of the Code of Ethics or Standard(s) with which full conformance was not achieved: Reason(s) for nonconformance: and Impact of nonconformance on the engagement and the communicated engagement results. 40

41 AUDIT MANUAL SECTION: PERFORMING MANUAL STANDARDSOFTHEAUDIT DATE:4/09 Section 400E COMMUNICATING RESULTS INDEX 3 OF 3 COMMUNICATING RESULTS (The Institute of Internal Auditor s Performance Standards) Disseminating Results The Internal Auditor must communicate results to the appropriate parties. Interpretation: The Internal Auditor or designee reviews and approves the final engagement communication before issuance and decides to whom and how it will be disseminated. The Internal Auditor is responsible for communicating the final results to parties who can ensure that the results are given due consideration. If not otherwise mandated by legal, statutory, or regulatory requirements, prior to releasing results to parties outside the organization the Internal Auditor must: Assess the potential risk to the County; Consult with the County Council and or legal counsel as appropriate; and Control dissemination by restricting the use of the results. The Internal Auditor is responsible for communicating the final results of consulting engagements to clients. During consulting engagements. governance, risk management, and control issues may be identified. Whene er these issues are significant to the County, the) must be communicated to the County Council. 41

42 AUDIT MANUAL Section 400F j SECTION: PERFORMING MANUAL STANDARDSOFTHEAUDIT DATE:4/09 MONITORING PROGRESS INDEX 1. OF 1 MONITORTNG PROGRESS (The Institute of Internal Auditor s Performance Standards) Monitoring Progress The Internal Auditor must establish and maintain a system to monitor the disposition of results communicated to management. The Internal Auditor must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action. The internal audit activity must monitor the disposition of results of consulting engagements to the extent agreed upon with the client. 42

43 AUDIT MANUAL,/Ø1RZ\ SECTION: PERFORMING MANUAL STANDARDS OFTHE AUDIT DATE: 4/09 Section 400F - RESOLUTION TO SENIOR INDEX 1 OF 1 MANAGEMENTS ACCEPTANCE OF RISK RESOLUTION TO SENIOR MANAGEMENTS ACCEPTANCE OF RISK (The Institute of Internal Auditor s Performance Standards) Resolution of Senior Management s Acceptance of Risks When the Internal Auditor believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the Internal Auditor must discuss the matter with and receive a response from senior management. If the decision regarding residual risk is not resolved, the Internal Auditor must report the matter to the County Council. 43

44 AUDIT MANUAL SECTION: OFFICE MANUAL ADMINISTRATIVE POLICIES DATE: 4/09 Section 500A RESPONSIBILITY INDEX 1 OF 1 RESPONSIBILITY The Internal Auditing policies will be within the framework of the County administrative guideline and requirements but The County Council is ultimately responsible for all office administration policies within the Internal Auditing function. 44

45 AUDIT MANUAL Section 5008 c,o 13 ).- SECTION: OFFICE MANUAL ADMINISTRATIVE POLICIES DATE: 4/09 FILES AND MATERIALS INDEX 1 OF 1 FILES AND MATERIALS For the Internal Auditor, the definition of files and materials is inclusive of any documentation or spreadsheets that include correspondence, books. CDs, microfilm, audit reports, work-papers, forms, discs, photographs. film, sound recordings, maps, drawings or other written or electronic documents, regardless of characteristics. SECURITY MEASURES OF FILES AND MATERIALS Any of the Files and Materials pertaining to the above will be stored in a locked environment and security measures will be taken with laptop computers that include signing off of the computer if the Internal Auditor is away from the computer for an extended period of time. FINAL AUDIT REPORTS A copy of all of the audit reports will be placed out on the Wicornico County Website within three months of audit completion. unless law prohibits their disclosure. 45

46 Section 500C DISTRIBUTION OF AUDIT INDEX 1 OF 1 46 be tracked. form labeled Report Distribution Checklist which will be filed in the work-paper file. When the external auditor reviews the file prior to completion, remove the checklist so that the report can Report Distribution Checklist: The distribution of all copies of reports should be listed on a submitted to the County Council for approval. Management is invited to the meeting when the proposed report is discussed. The report becomes final after the County Council approves it. Unless restricted by law, once approved, the report becomes public information and will be placed on our website within three months of completion. Final Report: The proposed final report. including managements response to the draft report. is findings and recommendations. Draft Report: This report is issued to the auditee requesting a written response to any audit an opportunity for management to correct any errors prior to issuance of the draft report. conference. It is designed to assure that facts and findings have been clearly stated, and provides Discussion Draft: This report is submitted to the department management prior to the exit DISTIBUTION OF AUDIT REPORTS ADMINISTRATIVE POLICIES DATE: 4/09 T AUDIT MANUAL /ØNZ\ SECTION: OFFICE MANUAL

47 FILE TYPE DESCRIPTION RETENTION 5 years after 47 Assistant Staff Auditor. set forth below to ensure files are maintained for a reasonable period. the auditor in charge of the project. Any file should be retained for as long as it is of continuing usefulness. A retention schedule is Annual report and audit Sets forth accomplishments for the fiscal year and the 7 years Program annual plan for the subsequent fiscal year. One copy is retained in central files. Publications Professional periodicals. One copy is retained in the library. 2 years Master copy of audit Master copy of each audit report produced by Internal Indefinite* reports Auditing. One copy is retained in central files. In-process project files In-process project files are stored in electronic format in a As long as project. Paper files for in-process projects are maintained by process directory that can be accessed by auditors assigned to the project is in Completed project files Electronic project files are to be printed out and filed in a 7 years binder, along with all paper files collected during the project. Electronic files are also to be archived in the electronic directory designated for that purpose. audit interest. lndefinite* Permanent files Documents, schedules or analyses that are of continuing Continuing education Official documentation for all staff members continuing 5 years correspondence received or sent by Internal Auditing. Auditing employee during their emploment. employed & one else is allowed in this file. unless approved by the education. Documentation is to be maintained by the Confidential files 1 This file is maintained for Internal Auditing use only. No Indefinite* County Internal Auditor. Future audit notes Information pertinent to pending or potential future audits. Indefinite* files. Folders are classified by audit area and retained in central Other records and All other miscellaneous files, such as travel expense 3 years correspondence reports, payment records, time reports, and official termination Personnel files Relevant information about each individual Internal While FILES AND MATERIALS RECORD RETENTION

48 j AUDIT MANUAL Section 500E 7 3 SECTION: AUDIT MANUAL ADMINISTRATION DATE: 4/09 PROCEDURES EXPENSE APPROVAL INDEX 1 OF 1 EXPENSE APPROVAL All Internal Auditor Vouchers and Timesheets will be approved by the County Council President. 48

49 ANNUAL AUDIT PLAN The Internal Auditor requires the following: The normal process the department head filling out the following: of calculating the risk assessments for all of the different areas will include Audit Questionnaire-This is inclusive of Organizational structure, departmental goals, policies and procedures, and a brief overview of the major operations within the structure. The questionnaire also requires a list of potential risks that the departmental manager may see in his area. any controls that may be in place to control these risks and any laws and regulations with which your department must comply with. Risk Assessment Survey- Probability-The odds that something could go wrong Exposure-The cost of something that goes wrong With the following possibilities: Financial Loss Legal and regulatory violations Negative Customer Impact Loss of Business Opportunities Public Embarrassment Inefficiencies in the business process Employee Re ie Process A Suggested Area for Audit form for the coming year. 49

50 considering internal controls due to error: inherent risk does not include an assessment of the risk *I1herent risk is the risk that the account or section being audited is materially misstated without whether the information would warrant an audit. The Audit Committee will establish risk*. he she is to call an audit committee meeting to review the information to determine Council will then initiate the voting process. The Audit Committee s report will he written with a recommendation and will be forwarded to the council as a whole. If the County Council or the Executive presents an opportunity for an audit. the determination will be made in the same process as folloed above. The County documentation to concur or non-concur and majority vote will determine the recommendation, If the Internal auditor is requested to perform or requests to perform an audit based on inherent Audit Request more than 40 hours to the County Council. require less than 40 hours, may be considered under assistance to others category and is not handled through a formal chain of command. The provision of such assistance to others shall communicated via a monthly report the first Wednesday of the month to the audit committee and Auditor mailbox. A summar listing of such requests shall also be documented and Any request for assistance initiated by an employee of the executive branch, that is anticipated to be communicated to the County Council members and the Audit Committee via the lnternai Assistance to others less than 40 hours through on at least a weekly basis the current requests inclusive of all status of current work. The through a password with the capability to access at any time. The Internal Auditor will have a special mailbox in which he/she will record/communicate County Council members as a whole and the audit committee will have access to the mailbox comply with the Charter provisions requiring the County Council to act as a body, it is deemed necessary and appropriate to establish the following protocol for effective lines of communication between the Internal Auditor and the County Council. In order to maintain the integrity and independence of the Office of the Internal Auditor and to SPECIAL REQUESTS FOR AUDITS Section 6008 SECTION: AUDIT MANUAL ADMINISTRATION DATE: 4/09 PROCEDURES SPECIAL REQUESTS FOR AUDITS INDEX 1 OF 3 50

51 of material misstatement due to fraud. The assessment of inherent risk depends on the professional judgment of the auditor. and it is done after assessing the business environment of the entity being audited. Inherent risk is typically assessed using a scale, with assessments being low, medium, or high or a numerical scale. Assessments of medium or high will require additional audit work performed to conclude that management s assertions are appropriate. Considerations which an auditor may include in assessing inherent risk include: A closed session may be required for specific audit requests: Closing a meeting is inclusive of: (Office of Attorney General of the open meetings compliance Board) Specific personnel matters i.e. Identifiable individuals, not categories of employees Legal Advice involving active interchange, not passi e presence Litigation If the Special Audit request or if the existing audit invohes a complaint or any potential information in which there is opportunity that a perpetrated fraud has occurred that pinpoints a specific employee or collusion or conspiracy among a group of employees. the Internal Auditor will request a closed x ork session immediately. *Inherent risk is the risk that the account or section being audited is materially misstated without considering internal controls due to error: inherent risk does not include an assessment of the risk of material misstatement due to fraud. The assessment of inherent risk depends on the professional judgment of the auditor, and it is done after assessing the business environment of the entity being audited. Inherent risk is typically assessed using a scale. with assessments being low. medium. or high or a numerical scale. Assessments of medium or high will require additional audit ork performed to conclude that managcmenfs assertions are appropriate. Considerations which an auditor may include in assessing inherent risk include: complexitx of determining the account amount (if it is an estimate or a financial statement disclosure) 51

52 52 Either the County Council or the County Executive may at any time order the examination or audit of the accounts of any agency or organization that receives or disburses county funds. The County Internal copies shall be made available to the public no later than three months after the completion of the audit. Auditor shall report the results of his/her audit to the County Executive and the County Council, and Executive shall proceed forthwith to collect the indebtedness. All actions of the County Council pursuant to this section shall be exempt from the executive veto. If, as a result of any such audit, an officer shall be found to be indebted to the county, the County managements overall risk awareness(reality of risk assessment response-no returned risk statement or balance sheet numbers) transactions, variable of transactions, value of assets) assessment triggers an audit) past history (including any major variances of increases or decreases in identified Income the circumstances of the entity s business environment (employee turnover, volume of

53 REPORT REVIEW PROCEDURES With the Internal Auditor only having one position. the review of the Quality Control System checklist (Example 10 of audit documentation) will be used to ensure adherence to the standards of Government Auditing Standards and The institute of Internal Auditors. The Audit committee will serve as a key control to governance for the Internal Auditor. They help the Internal Auditor validate that the Executive and Senior Management are fulfilling their financial and fiduciary responsibilities to the public. Such an organizational structure and reporting responsibility encourages an environment of free and unrestricted access enables the County Council and the public to gain assurance about the quality of financial reporting and audit processes. A Strong and effective audit committee through their planning, review. and monitoring activities, can recognize problem areas and take corrective action before such problems impact the County s financial statements. 53

54 AUDIT MANUAL Section 600D % cjth17 SECTION: AUDIT MANUAL ADMINISTRATION DATE: 4/09 PROCEDURES REPORT PROCESSING INDEX 1 OF 1 PROCEDURES REPORT PROCESSING PROCEDURES After review procedures have been accomplished, the report processing procedures will include the issuance of a draft report stamped Draft for Discussion and confidential and submitted to the County Council for review and along to the Auditee. The Auditee will be asked for a response to the findings. Once written responses are received, they will be given to the County Council along with any Auditor comments. The Final audit report will then be distributed. 54

55 AUDITEE RESPONSE TO AUDIT REPORT ts The auditee views about audit conclusions or recommendations will be included in the audit report. As part of the Internal Auditor s discussions with the auditee, the Internal Auditor should try to obtain agreement on the results of the audit and on a plan of action to improve operations. as needed. If the Internal Auditor and auditee disagree about the audit results, the audit report will state both positions and the reasons for the disagreement. The auditee s written response will be incorporated into the audit report. The auditee s response must specify a time frame for implementing the audit recommendations. 55

56 AUDIT MANUAL Section 600F SECTION: AUDIT MANUAL ADMINISTRATION DATE: 4/09 PROCEDURES BUDGET TIME AND INDEX 1 OF 2 ADMINISTRATION BUDGET TIME AND ADMINISTRATION To provide a basis for budgeting in the future, the time calculation for the annual audit plan will take into consideration: PROJECT VARIOUSTYPEOFTIME **AUDIT DIRECT AUDIT TIME Holiday Holiday Personal Leave Vacation Sick Training (outside CPE) Budget Preparation & Monitoring Performance Planning & Review Attend Meetings Status Reports / Time Sheets Professional Organizations Professional Reading Jury Duty Office Administration Office Management Administration Other Miscellaneous TOTALCHARGEABLE HOURS SUBTOTALNON-CHARGE O

57 ADMINISTRATION Section 600F will complete a report stating that there was insufficient information to complete the audit. If the Internal Auditor fails to get the results needed to complete the audit. the Internal Auditor If the Internal Auditor does not get the information needed to perform the intended duties. a meeting with the County Executive will be prompted. The Internal Auditor will notify the Council President if no response has been received. A response is expected within three business days from the request. information that will be needed. A written request for the documentation will be sent to the department director listing the During the work of an audit the auditor will be relying on the auditee to provide certain documentation. backup information, system information, or any other information needed to perform the proper tests of transactions and analysis to complete the audit. If sufficient information is not received, the following steps will be initiated: AUDITEE COMMUNICATION County Internal Auditor shall immediately notify the County Council at its next legislative If the requested information is not received within the reasonable time frame listed above, The session-day and shall immediately notify the County Executive of any irregular or improper procedure which she/he may discover. operating cycle not to exceed two weeks. A reasonable time frame will be allowed for response based on the current governmental through and intercompany mail. The Internal Auditor will send a request to the department manager of the area audited MANAGEMENT ADMINISTRATIVE COMMUNICATION The following guidelines of communication will be taken in order to plan an efficient budget and make the internal auditing department s time as effective as possible. BUDGET TIME AND ADMIN1STRATION AUDIT MANUAL SECTION: AUDIT MANUAL ADMINISTRATION DATE: 4/09 PROCEDURES BUDGET TIME AND INDEX 2 OF 2 S7

58 COUNTY PERSONNEL POLICIES Any specific questions relating to the County personnel policies and procedures should be researched in the Personnel Manual Revised and adopted October

59 PROFESSIONAL CERTIFICATION As per the County Charter, the County Internal Auditor shall be a certified public accountant licensed for the practice of his or her profession under the laws of this state. 59

60 AUDIT MANUAL SECTION: PERSONNEL MANUAL DATE:4/09 Section 700C CONTINUING EDUCATION INDEX 1 OF 1 CONTINUING EDUCATION Continuing Education requirements include 80 hours every two years FOR A licensed Certified Public Accountant. The Subject matter that qualifies as CPE ensures reasonable knowledge about the current practice of accountancy by certified public accountants to ensure a high standard of practice in the profession. Qualified subject matter can be presented through programs discussing the various specialized areas of the CPA profession. CPE can be earned through the following: Professional development programs Technical sessions of professional societies or chapters College courses Formal, organized, in-firm educational programs of certified public accountancy firms Governmental seminars Seminars or symposiums related to the practice of accountancy 60

61 Wicomico County Internal Audit Department 21 Suggested Area for Audit ii 15 Audit Memorandum 1 Audit Questionnaire 2 Notes to Audit Risk Assessment 4 Entrance Interview Documentation 3 Audit Risk Assessment 5 Planning Results 6 (Sample) Testing Audit Program 8 Draft Audit Condition Draft Audit Report (Pre-IIAA Approval) Transmittal Memorandum Auditors Comments Format Draft Follow-Up Report Format Report Quality Control Checklist Audit Planning Control Checklist Review of Audit Engagement (N.A.LGA.) Checklist for Distribution of Audit Report Notification of Follow-Up Memorandum (6-Month) Draft Audit Report Auditors Comments Transmittal Memorandum Opinion Letter (Sample)- Financial Statement Audit Response Schedule Audit Documentation Examples OUWZ ).

62 , Enclosures Please return these forms to me by Suggested Area for Audit form for FY 2010 Types of Audits and Reviews Risk Assessment Survey Audit Questionnaire that you suggest for audit. audit work plan. I also plan to meet with selected managers. Please let me know if there are any areas concerns/potential risks which your office may face. your assistance in updating our list of major programs, activities, and functions and identifying specific As required by the Office of the Internal Auditor, I am developing our Annual Audit Plan and request Subject: Risk Assessment for Annual Audit Plan From: To: Date: Wicomico County Internal Auditor I would greatly appreciate your assistance in this effort and will use the results to develop our FY 10 I have enclosed the following documents: If you have any questions, please call me at X1773,

63 Wicomico County Intema Auditor -Provide specific goals that have been established and describe any performance measures used to assess progress toward meeting the goals. 1. Please identify and briefly describe the major programs, activities, or functions in your 2. For each program. activity or function listed above: area. List them in order of significance. PART 1 QUESTIONS RISK ASSESSMENT SURVEY Exam 1e2

64 Exam 1e2 RISK ASSESSMENT SURVEY CONT. Wicomico County Internal Auditor -What programs, activities, or functions concern you the most and why? -Identify any actions that are being taken to address these concerns.

65 Wicomico County Internal Auditor plan to implement in the near future in any of the areas in which you are responsible. 4. Please describe any information systems that hae been recently implemented or that you planned. 3. Describe any significant changes to your organization that recently occurred or are -Have any of these programs, activities, or functions been audited by external auditors in the last 5 years? Please provide details of the organization who performed the audit and when. RISK ASSESSMENT SURVEY CONT.

66 and EXAMPLE 3 Wicomico County Internal Auditor DOCUMENTATION FOR ENTRANCE INTERVIEW Date: Individuals present: Tentative objectives and scope: Criteria to be used by auditor in measuring performance: Significant compliance requirements: Potential users of audit report and associated needs: The aboe ert discussed iith agleed upon Other items discussed:

67 EXAMPLE 4 8G1 Wicomico County Internal Auditor Risk Assessment Work-papers Note Identified Attribute Risk Factors Susceptibility-The auditor must consider the opportunity and any warning signs, as well as the competency and quality of personnel when assigning the susceptibility factor. Significance-The auditor must consider the service, activity and size of the program in relation to other programs and the materiality of the dollar value and the number of transactions of the identified opportunity or risk. Sensitivity- The auditor must consider the potential of public or politically charged issues and opportunity for vulnerability to the media all inclusive of management s interest and goals. Internal Control-The auditor must determine on a scale of 1, 2, or 3 the control procedures that are in place, with a 1 being at the maximum procedures in place and a 3 being the minimum procedures are in place The perceived risk being the greatest at a 3 A total overall rating is determined based on the rating classification below Rating Risk Level 4-6 LowRisk 7-9 Moderate Risk 10 * 12 High Risk Audit tests are planned to ascertain whether controls in place are working as indicated in the risk assessment once the risk factor is assigned. The items with the highest risk are tested unless stated differently in the methodology section of the Planning results work paper on w/p_.

68 Wicomico County Internal Auditor RISK ASSESSMENT SURVEY RISK EVALUATIONS The Risk Assessment Survey is a tool used to identify, evaluate and prioritize a group of inherent risks which could significantly impact the County s exposure potential and can serve as a tool to strengthen internal controls. The risk assessment survey is used to identify the inherent risks of programs, functions, and activities within the Wicomico County government. Please fill out the following survey to determine which risks may pertain to your area of responsibility. The risks listed on the following survey can cause, but are not limited to, the following lists of exposure possibilities: Financial loss Legal and regulatory violations/censorship Negative customer impact Loss of business opportunities Public embarrassment Inefficiencies in the business process xrariances This risk evaluation will be the defining mechanism that will help to assess the probability of each factor occurring with its exposure potential within your area of responsibility and can serve as a mechanism to strengthen internal controls. The Internal Auditor s work plan for FY 10 will be created from the results of this survey. Please consider the two elements below when completing the evaluation: 1. What are the odds something can go wrong? - (Probability) 2. WFat is the cost if something does go wrong? (Exposure) (Risk is defined as the probability times the exposure>

69 Exam le 5 Wicomico County Internal Auditor RISK ASSESSMENT SURVEY ACCESS RISK Risk Score Probability Exposure Low Risk Moderate Risk High Risk N/A El El El El El El El El Access risk comprises a broad array of potentially damaging events that may be caused or made possible by inadequate governance of access to the County s information assets or other physical assets. Such events range from customer information, passwords, computer hardware and software, confidential financial information, legal information, cash, checks, and other physical assets. The stakes involved in access-related risk have risen dramatically in recent years as organizations have become thoroughly operationalized by technology. When evaluating access risk the nature and relative value of the Countys assets need to be considered. BUSINESS INTERRUPTION RISK Risk Score Probability Exposure Low Risk Moderate Risk High Risk N/A fl El El L El Business interruption risk considers loss of critical functions caused by fires and explosions, earthquakes, windstorms. bomb threats hazardous vaste spills vorkplace fatalities terrorism, and other serious risks can drive a considerable impact on County customers as well as other County operations.

70 Wicomico County Internal Auditor RISK ASSESSMENT SURVEY CREDIT RISK Risk Score Low Risk Moderate Risk High Risk N/A Probability E E Exposure fl Credit risk considers the potential that Debit card transactions, checks, credit cards. etc. received from citizens may not be good. There is an element of risk in each check received. When defining policies and procedures, the County must consider what level of risk is acceptable. CUSTOMER SATISFACTION RISK Risk Score Probability Exposure LowRisk Moderate Risk High Risk N/A EZ Customer satisfaction risk that the County s ices and/or actions do not consistently meet or exceed customer expectations because of lack of focus on customer needs. A customer can be an internal or external to the County. When the customer is internal, assessment should also consider ho problems with internal ices would impact the level of service offered to the outside customer. sen of customer service risk sen INFORMATION TECHNOLOGY PROCESSING sk Sco obablit Low Rsk Moderate Risk High Risk N/A Exposure [he risk that the Count does not have an technology infrastructure (e.g., hardware, net orks. software, people and processes) to effecti\ely support the current and future needs of the business in an efficient. and well-controlled fashion. [his is inclusive of data integrity risk which addresses the impact if inaccurate data is used to make inappropriate management decisions and cause embarrassment outside of the Count to customers. etc. reiiamrs. effecti e information cost-effectie

71 Exam le 5 sscore obabtexj FRAUD RISK 1Scor bityexpos FLOAT RISK FENANCIAL REPORT MISTATEMENT RISK ASSESSMENT SURVEY Wicomico County Internal Auditor Risk Score Probability Exposure Low Risk Moderate Risk High Risk N/A r L Low Risk Moderate Risk manipulate or destro compan\ records. Externally, customers High Risk - N/A. Internally, employees may misappropriate company assets. or communication lines, obtaining confidential company information, misdirectmg inventories or assets. etc. and... non-customers may perpetrate a fraud by tapping into tr_ r Both internal and external fraud risks need to be considered. are not met on a timely basis. Receivables, Payables and Float risk considers the opportunity cost (lost revenues) if funds are not processed or invested in a timely manner. This risk also addresses the cost (additional expenses) if obligations suspense accounts are subject to float risk. gement Letter. of negative comments on the Financial Statements or El El created from the General Ledger. This risk includes the impact systems and the various external financial reports that are Low Risk El El prospective investors and lenders include material Moderate Risk El El misstatements or omit material facts, making them misleading. High Risk El El N/A The risk that financial reports issued to existing and This risk focuses specifically on the County s financial

72 Exam le 5 Wicomico County nternal Auditor RISK ASSESSMENT SURVEY LEGAL AND REGULATORY RISK I Risk Score Probability ExDosure Low Risk Moderate Risk High Risk N/A El In evaluating legal and regulatory risk, consider whether the product. service, or function is subject to legal and regulatory requirements. regulatory requirements may be federal, state or local. The relative risk level of an objective may be high if the related law/regulation is currently on the most dangerous violation list. Legal risk also considers the likelihood of the company being sued under a civil action for breach of contract. negligence. misrepresentation. product liability, unsafe premises, etc. PHYSICAL HARM RISK Moderate Risk High Risk N/A ZbabilitEpdsu El Physical harm risk considers the risk of harm to both employees and customers while in the Company premises or while performing company business, This risk also applies to company assets such as computers or other equipment which may be damaged due to misuse or improper set-up and storage, or negotiable instruments and other documents which may be damaged or destroyed. MANAGEMENT EXPERIENCE RISK Risk Score Low Risk Moderate Risk High Risk N,A TThis risk considers the effect of inexperienced management. Please identify your experience and training in our current position and similar positions using the following criteria: HIGH=l-2 years exp.: Medium=3-5 ears exp.: Lo over 5 vrs exp.

73 Exam le 5 Wicomico County Internal Auditor RISK ASSESSMENT SURVEY STAFF TURNOVER RISK Risk Score Probability Exoosure Low Risk Moderate Risk High Risk N/A A measure of risk due to the turnover rate related to the number of employees with significant responsibilities (i.e., financial responsibilities, key management positions, security related positions, computer software/hardware control related positions, etc.). Has employee turnover been excessive during the past 5 years in your area? N/A None. If other than N/A (i.e. low. med. or high), please identify your turnover rate and the position(s) affected. EMPLOYEE UTILIZATION RISK Risk Score Probability Exposure L OW R k Moderate Risk High Risk N/A The risk that the County does not have an effective way to measure maximized employee output and work flow to reduce opportunity for idle capacity in a efficient and cost effective manner. This is inclusive of performance reviews which can be used for providing a legal basis for documentation of negative performance. OTHER CONSIDERATIONS Risk Score Probability Exposure LowRisk Please list any other risks not already identified. Moderate Risk High Risk N/A

74 Exam le 5 Wicomico County Internal Auditor RISK ASSESSMENT SURVEY OVERALL RATING Risk Score Probability Exposure Overall Risk Based on the evaluation of: What can go wrong? Low Risk El El El (Probability); and what is the cost if what can go Moderate Risk El El El wrong, does go wrong? (The exposure); evaluate the High Risk El El El N!A overall magnitude of the risk in the area/function. Evaluate the Probability and Exposure, and then El El El combine the two for an estimate of Overall Risk of business mission failure. ADDITIONAL COMMENTS

75 Exam le 5 Wicomico County Internal Auditor RISK ASSESSMENT SURVEY SIGNATURE SURVEY SURVEY COMPLETED BY: SIGNATURE NAME AND TITLE DIVISION/DEPARTMENT/OFFICE COMPLETION DATE

76 .-_ EXAMPLE 6 Wicomico County Internal Auditor AUDIT RISK ASSESSMENT Specific Control Technique or Control Absence WP Assessment Risk Overall Final Risk Internal Audit Control Factor Objectives of Control Reference Susceptibility Significance Sensitivity Control Rating Testing Rating H_... H I

77 EXAMPLE 7 Wicomico County Internal Auditor Audit: Time Frame: AUDIT PROCEDURES W/P Done Reviewed Reference by A. Planning 1. Mail notification of audit letter. Attach audit questionnaire for completion by department head requesting background information and inquiring about risks. controls. requirements, etc. 2. If our office has previously audited this area. review most recent audit report and work papers. Determine whether other auditors have performed reviews of the area planned for audit and obtain copies of audit reports and work papers as applicable. If it is the intent to place reliance on the work of other auditors. perform appropriate tests to provide a sufficient basis for that reliance. 3. Afier reviewing background information and responses to questionnaire, prepare agenda for and schedule entrance intervie with department head for the purpose of clarifying this information as necessary and discussing and obtaining agreement on pertinent aspects of the audit. Document results on Entrance Inter ie Worksheet. 4. Interview other key staff to gain a further understanding of relevant management controls. Perform walk-through as appropriate. 5. if recurring audit. determine status of prior tear report recommendations and managements reason for any recommendations not implemented. Test implemented controls as considered necessary. Document in work paper Section D. 6. Document control system using flowcharts and/or narraties. (If recurring audit. update permanent file.) Confirm understanding of operations and controls v ith appropriate staff and revise documentation as necessary

78 the significance of the risk factors to the audit objectives. Include in work paper file in order of importance. When possibility of non-compliance with laws and regulations, potential users of the audit report and the adequacy of work paper through Overall Rating column, feasible. state financial effect. 9. Submit work papers generated by steps 1 thru 8 above to 11. Finalize audit objectives and scope. Review with 12. Prepare detailed audit program reflecting each testing 2. Prepare drafi audit findings using standard forms. 1. Complete Final Control Rating column of Audit Risk I/A Director for approval. C. Audit Completion B. Testing (see separate audit program) objecti es, include tests to assess its reliability. Submit to to be used. Document on Planning Results work paper. 10. Discuss risk assessment with I/A Director and management controls. Prepare Audit Risk Assessment Audit Committee for review. determine which controls will be subject to testing. Complete Audit Testing column of Audit Risk Assessment work paper for those controls to be tested. Department head. Prepare summary of audit methodology objective and associated audit procedures. If computer processed data is considered significant to audit Assessment work paper for controls tested. 7. Perfonri analytical reviews, as appropriate. 8. Identify major risk factors, taking into consideration the AUDIT PROCEDURES Audit: Time Frame: Wicomico County Internal Auditor V4/P Done Reviewed Reference by by

79 EXAMPLE 7 Wicomico County internal Auditor Audit: Time Frame: AUDIT PROCEDURES WIP Done Reviewed Reference by by 3. Identify and document any issues requiring further study. 4. Prepare overall conclusion stating results of audit relative to each audit objective. 5. Prepare audit report in standard format. (See IIAA Procedures for Distribution 6. of Information notebook.) If any information deemed significant is prohibited from inclusion in the report due to federal. state or local laws or regulations. include a statement in report describing the nature of the omitted information and the applicable requirement. 7. Submit work papers and report to I/A Director for review. 8. Prepare report cover memo and send with report marked to appropriate auditee management and staff 9. Conduct exit interview to discuss draft report. Document date, individuals present and items discussed. 00. Follow-up - Non-recurring approximately 1 year after initial recommendations. or draff Audits (To be completed more timely for recommendations considered critical.) 1. Determine status of prior year report recommendations and rnanagemenfs reasons for any recommendations not implemented. Test implemented controls as considered necessary.

80 Wicomico County Internal Auditor c) Summary reports issued by the County d.) Progress meeting minutes b.) Certificates of Substantial Completion a.) Signed contracts assure that major Capital Projects will be completed within the number of days allotted by the contract. which had construction work during the past three years. existence of: FY 05 through FY 08 by looking at the date. for each fiscal year. construction phases beginning and ending between approved budgets and the Capital projects fund, listing all Projects Manager. c.) Daily Logs (Field Inspection Reports) a.) Project Schedules b.) Schedules of Value (i.e. budget vs. actual to year) Verify inclusion of all projects with the Appropriate date and the actual completion date by reviewing the following documents: construction projects, their budgets and expenditures to 3. Determine all of the major construction projects with e.) Construction photographs 2. For the sample of projects selected, verify the 4. For each project, determine the planned completion 1. Select a sample of projects from the budget listing, Testing Objective 1: To determine if procedures AUDIT PROCEDURES Done Reviewed Reference by by Audit: Time Frame: Financial-Related/Performance Audits SAMPLE TESTING AUDIT PROGRAM EXAMPLE 8

81 EXAMPLE 8 Audit: Wicomico County Internal Auditor SAMPLE TESTING AUDIT PROGRAM Financial-Related/Performance Audits Time Frame: Testing Objective 2: 1. Testing Objective 3: Testing Objective 4: Testing Objective 5: 1

82 EXAMPLE 9 Wicomico County nternal Auditor Audit Name: FY Draft Audit Condition Condition: Criteria: Effect: Cause: Recommendation: W P Reference: Is This Issue Classified As A: Report Condition Report Comment Verbal Comment Condition Comment (give a brief explanation as to why a verbal comment only)

83 EXAMPLE 10 Wicomico County Internal Auditor REVIEW OF AUDIT ORGANIZATION S QUALITY CONTROL SYSTEM N.A.L.G.A. Peer Review Guide (5/04) The peer review team, typically the review team leader, uses this form in evaluating whether the audit organization s system of internal quality control is suitably designed to reasonably assure compliance with applicable standards contained in Government Auditing Standards, 2007 Revision, (GAS). The items in this form are abbreviated from the full text included in the Description of Quality Control System form. In completing this form, the review team should consider the full text included in the Description of Quality Control System form and relevant GAS, which is referenced in each item. The review team should review the audit organization s completed Description of Quality Control System form, interview audit organization management and staff, and review reports, work papers. records, files, etc., as deemed appropriate to assess whether adequate internal controls were in place during the review period to reasonably assure compliance with relevant GAS. For each item. the review team should indicate on the form whether yes adequate controls were in place or no adequate controls were not in place during the period under review. There may be some items in this form that are not applicable to the audit organization. In such cases, the review team should indicate that the item is N A. The column on the far right of the form should be used by the review team to provide explanatory information or comments such as references to policies and procedures or other goerning documents. descriptions of test worl the reason why a particular item does not apply to the audit organization. existing compensating controls. etc. Those items marked no on this form should be recorded on the Summary of Exception form relating to the standard under review Guidance has been added to certain financial/attestation standards so that exceptions in these areas will be grouped with similar performance audit standards on the Summar of Exception forms. (See footnotes to items #1 1 through #14 on this form.) F or each exception on the Summary of Exception forms, the review team should indicate the degree of likelihood that audit quality may ha e been impacted. The team will then review the exceptions to identify potential weaknesses in the organization s internal quality control system and to assess the organization s overall level of compliance with GAS. The audit organization is asked to provide a completed Description of Quality Control System form to each member of the review team at least one month prior to his or her scheduled arrival. This allows the review team to preliminarily assess the audit organization s system of internal qualitx control and begin completing this form. Audit Organization Under Review: Date Form Completed: Name ofreviewer(s) Completing Form:

84 Internal Auditor Wicomico County EXAMPLE 10 (ha 1220) (GAS ) justif an departures. in applying GAS and 4. l Tse professional judgment PROFESSIONAL JUDGMEN I 3.Be free from organizational (GAS 3.21)(TIA 1110): (GAS ) or through (GAS ) (GAS 3.27) and documenting (GAS ) to 3rd parties, through to management, by meeting all statutory safeguards B. When reporting interna1l A. When reporting externally Impairments. appropriate reporting or other statutory safeguards organizational structure Conditions allowing Organizational independence (GAS ) impairments. 2. Be free from external (ha 1100) (GAS , ) monitor compliance. personal impairments and I.Identify and resolve INDEPENDENCE GENERAL STANDARDS:

85 Internal Auditor Wcomico County EXAMPLE 10 (ha 1312) three ears. (Five sears ha) (GAS ) 10. Have external peer re v iew every (HA 1311) (GAS ) QUALITY CONTROL control system, 9. Have appropriate internal qua1it (ha 1230) (GAS 3.45, 3.46) auditors maintain 80 hours CPE every two years. 8. Audit organizations ensure that (ha 1220) (GAS 3,43) audits or attestation engagements have knowledge of relevant standards. 7. Auditors performing financial (ha 1210) (GAS 3.42) skills, and experience. adequate knowledge, 6. Staff and consultants have (ha 1210) and evaluating staff. in applying GAS and (GAS 3.40) 5. Have a process for COMPETENCE recruiting. hiring. continuously developing,

86 EXAMPLE 10 and violations that are (GAS ) material fraud, illegal acts significant to audit objectives. 14. Design work to detect ETC. FRAUD. ILLEGAL ACTS, from prior audits/engagements. (GAS ,10-6,12) 13. Follo up on findings FOLLOW UP ) (GAS testing and reporting. 12. Communicate planned AUDITOR COMMUNICATION (ha 2010) and similar GAS. (GAS ) 11. Follow AICPA standards AICPA STANDARDS STANDARDS: FINANCIAL AND ATTESTATION Wicomico County Internal Auditor

87 Internal Auditor Wicomico County o JJ EXAMPLE 10 (GAS ) Law compliance, regulations. agreements. and provisions of contracts or grant 20. Report on internal control (GAS ) disclose when not followed. 19. Cite GAS in report. (GAS 6.27) standards for attestation engagements. 1 8B. Follow AICPA audits. (GAS 5.03) standards for financial 1 8A. Follow AICPA REPORTING GAS ) issuance. work prior to report 17. Adequately document DOCUMENTATION (GAS , ) investigations or legal proceedings. 16. Do not interfere with (GAS 4.17, 4.19, 6.15, 6.19) material abuse, 15. Be alert for indications of

88 EXAMPLE 10 (GAS ) make available to public. appropriate officials and 24. Submit reports to (GAS , ) information. requirement for omitted 23. Report the nature of and (GAS , ) responsible officials. 22. Report views and plans of (GAS , ) violations and abuse. control, fraud, illegal acts, deficiencies in internal 21. Report significant Internal Auditor Wicomico County

89 Wicomico County Internal Auditor EXAMPLE 10 abuse: dont interfere illegal acts. x iolations or (GAS 7.26) in estigations. \ith legal proceedings or pursuing possible fraud. 29. Fxercise due care in (ha 2120.A2) abuse. (GAS 7.25k transactions indicative of 28. Be alert to situations or (ha 2120) are significant to audit (GAS objecti es. significant illegal acts. violations and fraud that 27. Design work to detect (ha 2100) audit objectives: test if relying upon them: consider test results in designing audit procedures. internal controls significant to the (GAS ) 26. Obtain understanding of (ha 2010) (GAS 7.07) 25. Plan work adequately. PLANNING STANDARDS: PERFORMANCE

90 Internal Auditor Wicomico County ff1un EXAMPLE 10 (ha 2310) (GAS ) competent, and rele ant evidence for findings and conclusions. 34. Obtain sufficient. EVIDENCE (ha 2200) (GAS ) written audit plan. 33. Prepare and update a (GAS 7.39, ,06) Follow appropriate requirements if audit testing and reporting. terminated before completed. 32. Communicate planned work and assess its reliability before using. (GAS ) 3 1. Identify previous audit (GAS ) to audit objectives. findings from previous audits that directly relate 30. Follow up on significant

91 EXAMPLE 10 (G\S acts. violations. abuse. 40. Report likely fraud. illegal (GAS ) significant deficiencies tbund. internal controls and any 39. Report scope of work on (ILk C2) including findings. conclusions, and recommendations ,29) (GAS Report audit results. (ha 2420) and methodology (GAS ) 37. Report objectives, scope. (ha 2410) (GAS ) report. 36. Prepare written audit REPORTING (ha C1) to planning, conducting, and reporting on the audit. (GAS ) audit documentation related 35. Prepare and maintain DOCUMENTATION

92 Internal Auditor Wicomico County o Jn7,,. EXAMPLE 10 (ha 2410.A3) (GAS 8,54-8,57) public. appropriate officials and make available to the 47. Submit report to (GAS ) clear and concise. complete. accurate. objective, convincing, 46. udit report should be (GAS ) reporting. timely; consider interim 45. Audit report should be (GAS ) infonnation. requirement for omitted 44. Report the nature of and (HA 2600) (GAS ) responsible officials. 43. Report views and plans of (GAS 8,07, 8.30) disclose when not followed. 42. Cite GAS in report, (GAS 8.17, 8.21) communication regarding deficiencies found. Document all Communication letter in audit report. 41. Refer to management

93 Internal Auditor Wicomico County X1773. If you have any questions concerning the above process. please contact me at other than direct staff with the findings. reconimendations that I have listed in the report. Please take the opportunity to review the report prior to the meeting. It is important that you do not share the content of the report with anyone to schedule the exit interview which will be the opportune time to discuss in detail the audit. I have attached the draft of the audit report and I will be contacting you I want to take the time to thank you for the cooperation and assistance during the Subject: Date: From: To: DRAFTA UDIT REPORT TRANSMITTAL MEMORANDUM MEMORANDUM

94 Internal Auditor Wicomico County Date: Sent to: POST AUDIT SURVEY Date: Sent to: FINAL UNBOUND (File copy in work papers) Distribute w/cover memo. Date: Sent to: FINAL BOUND (Save Original as Office copy) Distribute w!cover memo. Date: AUIMTOWS COMMENT (IF ANY) Distribute w/memo to auditee before meeting, at meeting or after meeting Sent to: Date: Sent to: report. APPROVED FOR RESPONSE Director signs transmittal letter. include copy of letter as part of final bound Date: needed, type cover memo and file copy in work papers. Sent to: DRAFT 2 Stamp each page Draft for Discussion, and CONFIDENTIAL and add draft #. If further explanation Date: Sent to: work papers. DRAFT I Stamp each page Draft for Discussion and CONFIDENTIAL. Type cover memo and file copy in (START DATE, ISSUE DATE, NUMBER OF HOURS, TYPE OF AUDIT. O,FS, C, IS, ICR) (NAME OF REPORT) REVIEW OF EXAMPLE 12

95 Internal Auditor State results ol audit including iihether or no! each audit ob/ective was met. Conclusion - example 1. (i.e. disbursements, payroll checks) and Example offirst sentence - Audit procedures performed included selecting samples of Methodology Scope of Audit Include time period covered and what portions of ñtnction were audited Example of/irst sentence The objectives of our audit were to determine that. Objectives understand the conditions recommendations. include brie/description ol function and an injrniation necessary to enable the reader to Background internal controls.) included for allfinancial-related and performance audits. Background, Objectives, Scope and Methodology to be includedfor any financial statement audits that also include a review of (Background, Objectives, Scope, Methodology, Conclusion and Summary (i/applicable) to be lower right.) ofstandardalcpa opinion is attached as Exhibit 2.2. Date of last day offield work Independent Auditor s Report (centered as first line; use onlyforfinancial statements audits should appear at lower left under opinion letter; Interagency InternalAudit Authority at First Page typed on black and white letterhead w/county seal and address only. Number report pages consecutively including exhibits but excluding the title page Title Page EXAMPLE 13

96 Wicomico County lnterna Auditor $41 1, Description: 2 Etc. a. b atlt of (OflditIOfl ii. Etc. Recommendation: xxxxxxxxxxxxxxxx Commendation: xxxxxxxxxxxxxxxx Condition: xxxxxxxxxxxxxxxx I. Title of Condition (Finding) Conditions and Recommendations tif an ) Status: Status of Advisory Comments from Report Dated... (ifanvi Status: Description: Title of Finding report I possible Status of Recommendations from Report Dated... ( ifany) (number to correspond with prior onl one condition/advisory coinment Summarize each recommendation Summary (allfinancial-related and performance reports unless there are ito conditions or EXAMPLE 13

97 Wicomico County Internal Auditor WJCOMJCO couvry JVTER4L A (DIT DEJ4RTfENT DRAFT FOR DISCUSSION ONLY CONFIDENTIAL II. Title of condition all others it is the day the director signs workpapers) (Date of reportforfinancial statement audits is the datefield work is completed. For Date 1. Advisory Comments (ifany) EXAMPLE 13

98 Internal Auditor Wicomico County (Refer to alpha number in report) comments are offered to clarify recommendations stated in the audit report. In view of the responses received from the staff, the following auditor s (REPORT TITLE) AUDITOR S COMMENT FORMAT WICOMICO COUNTY AUDITOR COMMENTS EXAMPLE 14

99 Internal Auditor Wicomico County If you hae any questions. please call me at Xl 773. Attached is a copy of the Auditors Comments pertaining to the above report. This document is supplied so that final comments are documented. This documentation is sent to you for informational purposes only. in recognition of the verbal responses supplied by the auditee after their written response was Subject: Auditors Comments Date: From: To: EXAMPLE 15

100 Internal Auditor Wicomico County If you have any questions, please call the me at X1773. practice to follow-up on recommendations from prior audits. We will be contacting you in Subsequent to receiving your response, we may schedule a visit to review further documentation for recommendations that have been implemented. several months requesting the status of each recommendation from the above report, including any supporting documentation. In accordance with generally accepted auditing standards (GAGAS), Section 1.28, it is our Subject: Follow-up: Date: From: To: MEMORANDUM SAMPLE MEMO -6- MONTH FOLLOW-UP AUDIT EXAMPLE 16

101 Internal Auditor Wicomico County AUDIT AND DATE REPORT ON RESULTS OF FOLLOW-UP INTERNAL AUDITOR Auditor s Comments: Status: Recommendation lib: appropriate.) Auditor s Comments: (Example: We continue to recommend,..or other as followed by description) Status:(State Partially Implemented, Not Implemented, or No Longer Applicable Recommendation ha: (Use wording from original report) Condition II: (Title from original report) recommendations that remain outstanding are described below. The recommendations that were fully implemented involved (briefly describe). The status of Our original audit report included recommendations for (example:) Follow-up work conducted during (month. year) indicated that of these recommendations have been fully implemented, have been partially implemented, and were not implemented. AUDIT AND DATE FORMAT FOR DRAFT FOLLOW- UP REPORTS DRAFT FOR DISCUSSION ONLY CONFIDENTIAL EXAMPLE 17

102 iunature Date Article.Sections through of the Annotated Code of Maryland. 30, in conformity with generally accepted accounting principles and consistent with Department revenues and expenditures of Wicomico County. Maryland, for the year ended June In my opinion, the statement referenced above presents fairly, in all material respects, Health standards require that I plan and perform the audit to obtain reasonable assurance about Government Auditing Standards, issued by the Comptroller General of the United States. Those whether the financial statements are free of material misstatement.an audit includes examining. assessing the accounting principles used and significant estimates made by management as well expenditures for compliance with Article #_ of the Annotated Code of Maryland. obtained an understanding of internal controls and assessed control risk. I believe that This audit provides a reasonable basis for our opinion. as evaluating the overall financial statement presentation. As part of the audit, I also tested on a test basis. evidence supporting the amounts and disclosures in the financial statements, I have conducted this audit in accordance with generally accepted auditing standards and We have audited the accompanying Statement of Health Care Revenues and Expenditures of the statement based on my audit. INDEPENDENT AUDITOR S REPORT Wicomico County, Maryland for the year ended June 30, The financial information contained in this statement as well as compliance with applicable laws and regulations is the responsibility of Wicomico County management. My responsibility is to express an opinion on 123 Needle Avenue Suite 17 Department of Health Service Baltimore MD State of Maryland Mr. Robert Hope SAMPLE OPINION LETTER - FINANCIAL STA TEMENTA UDIT Internal Auditor Wicomico County

103 i. Recommendation Implementation Number Yes No Person Responsible Dates Agree? Recommendation RESPONSE SCHEDULE Wicomico County Internal Auditor EXAMPLE 19