WORKPAPER DOCUMENTATION

DEFINING THE NECESSARY AND NATURE OF AUDIT WORKPAPERS

Workpapers are the direct end product of the internal audit staffs work and effort. The workpapers demonstrate what was done what was found and what was confirmed. Elected officials, news media and the public in many instances only see, or rather ask to see the end product of the internal audit effort - the three or four paragraph report. The workpapers are usually ever examined, and the effort is usually never ever sees the light of day. That is until the documentation comes into question either by the commissioners court by the district attorney and/ or by a court of review or inquiry. Internal audit workpapers provide various levels of usefulness: A. During the audit adequately prepared workpapers provide 1. Guidance as to the objective of the examination 2. Guidance as to the sequence of steps and development of assurance 3. Documentation that the office being evaluated has conformed to statutory requirements 4. Documentation that accounting policies and procedures are being conform with, and 5. Documentation that the county auditors office has performed the duties of the office as required by existing state statutes. B. After the audit is completed the workpapers provide 1. Evidence that support the findings as reported 2. Evidence that the internal audit was performed following established and accepted methodology 3. Evidence concerning the need to conform to the state statutes 4. Evidence which can be relied on by the external auditors, and 5. In the event the auditee finds himself or herself in court trying to defend the findings, the workpapers provide an excellent defense and support for the reports findings. Professional internal auditing standards have over the years established some basic guidelines and requirements concerning the preparation and maintenance of adequate workpapers. There is currently no requirement in the state statues that indicates, You shall create and maintain workpapers to support audit findings. However, there are recognized professional standards that say that the quantity, form and content of workpapers may vary with the circumstances, but the workpapers should be sufficient to show that: 1. There was an objective to the internal review 2. That the review performed achieved the objective 3. That applicable standards of field work were observed 4. That records reviewed agreed with, or could be reconciled to financial information as reported 5. That planning and supervision appeared to be adequate 6. That there was sufficient understanding of the internal control structure, and
2

7. That the audit evidence obtained and the testing performed provided sufficient, competent and evidential matter to support the final report.

Each county auditors office is going to establish specific workpaper policies related to the type of engagement that is to undertaken. In many instances these policies are verbal and passed down from auditor to auditor. Thus, the process follows the old axiom of that is the way we have always done it. However, if an office is going to introduce some form of quality control in full filling its statutory responsibility, then the workpaper policy should be reduced to writing. A written policy sets the requirement for written internal review programs, which then allows the auditor to examine the nature, extent and timing of the work to be performed . In many instances having a checklist that the auditor can follow will provide some assurance that the process is followed consistently with each office. This presentation focuses on the internal auditor function in a county auditors office. All county auditor offices need to be cognizant of the fact that all federal grants require elaborate workpaper documentation. Accounting records are not sufficient in many instances. The nature of workpapers provide: 1. Documentation that departmental procedures were followed tests were performed information was obtained, and that a conclusion was developed 2. The foundation for the auditors opinion related to the review 3. Foundation for how much importance should be attributed to the evidence accumulated 4. Evidence as to how problems and errors noted were corrected and or resolved Workpapers and internal audit programs must be adaptable to the needs of the review being conducted. Not all offices function in the same manner. Not all offices are required to follow the same set of statutory standards. Not all grants require the same functionality to be present. As a result audit programs need to flexible. The workpapers as prepared should tell who ever is doing the reviewing and/or examination a story. They should communicate what was done and document what was found. A well prepared set of workpapers (i.e. complete and accurate) will be able to stand on its own that is to say they dont anyone to explain them to reviewer or to the jury. Workpapers are anything that the auditor conducting the review deems to be necessary to enable him/her to render a statement regarding the financial and/or operational objective that was being tested and reviewed. Workpapers might include, for example: A program of work An internal control evaluation A checklist of required steps An analytical review for some function Direct confirmations Copies of receipts Computer print outs

WORKPAPER CONTENT
No two auditors will prepare workpapers using the same structure; however there are some general rules that governmental internal auditors can agree on. Workpapers consist of anything that the auditor retains and or creates to document that the review conducted met certain established requirements and developed support for the fact that federal guidelines, state statutes, budgetary constraints, financial accountability, and/or county policy was being complied with. Properly designed workpapers can help to identify adequately performing control structure as well as inadequately performing controls. Properly designed workpapers can assist in evaluating the apparent risks that exist. Properly designed workpapers can provide the support for the suggestions to improve the offices internal control. Workpapers should: 1. Provide corroboration of the amounts appearing in financial reports and statements 2. Record the review conducted, the tests performed that are required for the particular engagement 3. Provide information that would allow the reviewer to evaluate the job performances of the personnel performing the review, and 4. Provide a starting point for the subsequent reviews to be performed. There are usually two types of workpaper files permanent and current. Permanent files are files that contain information and matters that are important to each years audit. Information that isnt expected to change materially from year to year. Examples would be location of the office, office policies, contractual agreements for service, required reports to be filed, statutory compliance check lists, copies of prior years reports, fixed asset responsibility, etc. Current files would constitute the workpapers the auditor prepares to support the conclusions for the report written. Current files include the audit program, the internal control evaluation, tests performed, analytical schedules developed, bank and account reconciliations, copies of support documents, computer print outs, memorandums as to discussions held, confirmations, review of budgetary compliance, etc. Every workpaper should contain as a minimum: 1. A heading that clearly designates the name of the office, the county, a description of the contents of the workpaper and the date(s) of the period being reviewed 2. An indication as to who prepared the workpaper and the date of preparation 3. If the schedule was prepared by the office, the indication using PBC indicates that the workpaper was prepared by client 4. The source where the information contained in the workpaper came from cash receipts ledger, court docket, disbursements journal, payroll ledger, etc., and 5. The nature and extent of the work performed should be indicated through narrative description, symbols, tick marks or combination there of. 6. Conclusions reached should be clearly stated and supported 7. That all doubts and or problems were resolved 8. Indexing and cross referencing
5

If tick marks are used, they can save the auditor time and space and standard tick marks should be adopted, and a legend of those tick marks should be available for the reviewer. Each tick mark should be clearly explained. Tick marks should be simple, distinctive and clear so that they can quickly written by the preparer and easily discerned by the reviewer. Some tick marks commonly used are: Footed Cross footed Calculation checked Agreed to ____________ Traced to financial report Traced to ____________ Examined supporting documents Examined cancelled check See footnote # ________

As a last issue, all workpapers should be indexed and cross-referenced where necessary. Indexing of work papers are going to vary from office to office. Many prefer an Alpha sequence, while others prefer a numerical. However, it is common to find both an alpha and numerical sequence of indexing being used. The following is an example of indexing: Section A B C D E F I L R X Z Section Area Reports Administration Communication Audit Program Planning Assets Internal Control Search for Unrecorded Liabilities Revenue Analysis Expenditure Analysis Other/Miscellaneous

Section Area General Reports 12 13 14 18 Administration 26 28 Communication 32 34 Audit Program 44 Planning Assets 62 Internal Control 72 73 74 75 78 Search For Liabilities 82 84 86 88 Revenue Analysis 142 144 148 Expenditure Analysis 172 176 Other/Miscellaneous issued.

Subject 10 Financial Reports Expenditure Report Original Budget Budget Adjustments Elements of Disclosure 20 Engagement Control Checklists Memos re: Matters of Concern Comm. Court Minutes 30 Confirmations Certifications 40 Time Sheets 50 60 Fixed Assets 70 Revenue Cycle Expenditure Cycle Purchasing Cycle Payroll Cycle Risk Analysis Communications With Depart.

Control Document Planning Memos Cash Control Environment

80 Expenditures Lease Analysis Prepaids Trust Accounts Search For Unrecorded Lib. 140 Substantive Test of Receipts Substantive Test of Docket Substantive Test of Revenue Review of Receivables 170 Expenditure Support Payroll Analysis 190 Budgetary Analysis

Other

As a general rule workpapers are not subject to open records purview until the report is As a general rule workpapers should be retained for a minimum of 7 years, and probably as long as 10 years.
7

DOCUMENTATION OF PLANNING AND SUPERVISION

The internal audit workpapers should demonstrate that the three generally accepted standards of fieldwork have been met planning and supervision, internal control evaluation, and evidential matter. The first standard only suggests that there needs to be documentation that the work of the review was adequately planned and that supervision had been provided. To meet the criteria of being able to demonstrate adequate planning and supervision does not require many specific workpaper requirements. Some of the more common and generally suggested are: 1. Audit Programs An audit program is essentially a list of procedures to be followed and is usually in writing. They are generally divided into logical segments as to the area of the reviews focus. The program allows the reviewer to be able to compare the level of work required to the level of work done. Some programs are highly detailed, while some are very general in nature and allow the auditor the ability to insert some flexibility. The program will usually require the staff person performing the function to sign off on those requirements completed, and cross reference the program to the workpaper supporting the function. 2. Preliminary Analytical Procedures It should always be a requirement that the auditor be required to apply analytical procedures in planning the audit. A basic premise in the application of analytical procedures is that plausible relationships among data may reasonably be expected to continue in the absence of known conditions to the contrary. Preliminary analytical procedures are intended to enhance the auditors understanding of the office being reviewed the offices transactions and events that have occurred since the last review. The analytical procedure process may alert the auditor to areas of risk that had not been present at the time of the last review. Analytical procedures will look for unusual transactions and events examined ratios and trends in a narrative or in the form of a worksheet. 3. Risk and Materiality Audit risk needs to be evaluated at the department level at the county level and at the auditors level. Risk is the concept that the auditor, the department, the county will unknowingly fail to catch an error, a mistake, an irregularity that is material to financial reports or the management of the department. Workpapers will often include documentation that the auditor considered the influence of audit risk in the application of procedures. The auditor will generally plan the greater portion of labor hours to be concentrated on those departments that present the greatest risk, and in those departments the areas that present the highest potential risk. Those areas of highest risk should always be documented and the auditors response to them. The audit strategy to address the risk should be clearly stated.

Before addressing risk assessment the internal auditor should indicate how materiality is going to be addressed. Materiality should be considered and addressed during the planning of the review to determine the nature, timing and extent of tests to be performed. In addressing the scope of the review the level of events should be reduced to a level which would provide the reviewer with a low risk of over looking an element or a happen stance that would dramatically effect the financial or management review that is being conducted. Setting a level of materiality insures that the auditor will do enough work to find misstatements. There is no authoritative rule of thumb or measure of materiality materiality is strictly based on professional judgment. Risk assessment should be performed on each office individually and attributes should be classified as either inherent risks or control risks. Steps to be taken could be broken down as follows: GENERAL RISK ASSESSMENT STEPS DEFINE THE AUDIT UNIVERSE CHOOSE HOW TO DEFINE RISK CHOOSE A CONTROL OR RISK MODEL ASSESS INHERENT AND CONTROL RISK TO DETERMINE VULNERABILITY ASSESS THE AUDITABILITY OF HIGH VULNERABILITY AREAS

DEFINE THE AUDIT UNIVERSE DEFINE THE MANNER IN WHICH THE UNIVERSE IS TO BE DEFINED THE MORE COMMON METHODS USED BY INTERNAL AUDITORS FOR DEFINING THE UNIVERSE ARE: 1. PROGRAMS 2. STRATEGIES 3. CONTROL SYSTEMS GENERAL TYPES OF INTERNAL AUDITS TO BE CONDUCTED 1. 2. 3. 4. 5. FULL PROGRAM AUDITS CONTROL SYSTEM AUDITS INVESTIGATIVE AUDITS PERFORMANCE EVALUATIONS QUICK RESPONSE AUDITS

PRIMARY AUDIT FOCUS 1. 2. 3. COMPLIANCE ASPECTS RELIABILITY OF DATA SAFE GUARDING OF ASSETS

SELECTION OF AN AUDIT OBJECTIVE (RANK, RISK & AUDITABILITY) 1. VULNERABILITY (The Mission May Not Be Accomplished) 2. INHERENT RISK (The Nature and/or The Culture Of The Audit Objective Has Risks Without Controls) 3. CONTROL RISKS (Probability That The Inherent Risks Will Become A Reality: Probability That Controls Are Put In Place And Will Not Accomplish The Mission) 4. AUDITABILITY (Skills, Time, and Evidence) INTERNAL AUDITING - BASIC RISK FACTORS 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. ETHICAL CLIMATE PRESSURE ON MANAGEMENT PERSONNEL INTEGRITY, COMPETENCE NUMBER OF PERSONNEL NUMBER OF TRANSACTIONS SIZE OF THE ASSETS COMPLEXITY/VOLATILITY OF ACTIVITIES STATUTORY REGULATIONS LEVEL OF COMPUTERIZATION GEOGRAPICAL LOCATION ADEQUACY OF INTERNAL CONTROLS MANAGEMENT CULTURE ACCEPTANCE OF AUDIT FINDINGS & CORRECTIVE ACTION TAKEN TIME LAPSE SINCE LAST AUDIT

KEY ACCOUNTABILITY CONTROL SYSTEMS Departmental and Assessment Management Policy Management Performance Management Information Management Resource Management
10

ACCOUNTABILITY RISK FACTORS POLICY RISK - THE RISK THAT AN ACTIVITY WILL FAIL TO DELIVER EXPECTED RESULTS BECAUSE OF UNSTABLE OPERATIONS DUE TO CHANGES IN MANAGEMENT, PERSONNEL AND/OR THE ENVIRONMENT, OR RESOURCES ARE NOT EFFICIENTLY USED OR EFFECTIVELY CONTROLLED . PERFORMANCE RISK - THE RISK THAT AN ACTIVITY WILL FAIL TO DELIVER EXPECTED RESULTS BECAUSE IT DOES NOT USE PERFROMANCE INFORMATION EFFECTIVELY TO MANAGE ITS OPERATIONS. INFROMATION RISK - THE RISK THAT AN ACTIVITY WILL FAIL TO MEET EXPECTED RESULTS BECAUSE MANAGEMENT INFORMATION IS NOT COMMUNICATED OR USED EFFECTIVLY BY DECISION MAKERS . RESOURCE MANAGEMENT RISK - THE RISK THAT AN ACTIVITY WILL FAIL TO ACHIEVE EXPECTED RESULTS OR WILL NOT ESTABLISH AN ENVIRONMENT THAT PROTECTS AGAINST FRAUD AND FINANCIAL DISASTER BECAUSE RESOURCES ARE NOT MANAGED EFFICIENTLY AND EFFECTIVELY WITHIN ITS OPERATIONS OR WITHIN ITS JURISDICTION. CONTROL ENVIRONMENT RISK - THE RISK THAT THE INTEGRITY, ETHICAL VALUES, AND COMPETENCE OF THE PEOPLE DO NOT LAY A SOLID FOUNDATION TO AQCHIEVE EXPECTED RESULTS AUDITABILITY IS DETERMINED BY: 1. 2. 3. 4. 5. 6. 7. TIME FRAME INFORMATION AVAILABILITY OF DOCUMENTATION AUDIT SKILLS AUDIT EDUCATION AUDIT HOURS AUDIT MORALE

IN ORDER FOR THE RISK ASSESSMENT PROCESS TO BE SUCCESSFUL, IT MUST: 1. INVOLVE THE DEPARTMENT BEING AUDITED 2. PRODUCE CREDIBLE RESULTS THAT ARE ACCEPTED BY BOTH THE AUDITORS AND MANAGEMENT. 3. BE TIMELY SO THAT THE AUDIT PROCESS IS NOT HELD BACK WAITING FOR RESULTS. 4. BE COST EFFECTIVE IN THAT THE RESULTING INFORMATION IS AT LEAST AS VALUABLE AS THE COST TO OBTAIN IT.

11

FIVE BASIC PHASES OF - PLANNING AN AUDIT 1. 2. 3. 4. Gather information Conduct preliminary assessment Define and refine the audit objectives Develop the: Audit scope Audit methodologies Audit fieldwork programs 5. Estimate the audit budget and resources STEPS TO BE TAKEN IN THE PRELIMINARY ASSESSMENT 1. Select which of the accountability control systems and subsystems are relevant to the audit (within the initial audit scope). 2. Assess which of the inherent risks and which of the control risks exist (be sure to document risk assessment). 3. Select the accountability control subsystem for which audit objectives will be developed (be sure and identify the relevant performance aspects to be reviewed). 4. Reassess audit ability 5. Update risk and internal controls information (update permanent files, prepare preliminary assessment document, and document audit ability). DEFINE/REFINE - AUDIT OBJECTIVE In speaking to the objective for an internal audit, the Yellow Book (accounting and audit guidelines for federal grants) indicates that there needs to be a clear indication as to what the report related to the audit is to accomplish. Further, it is noted that the subject of the audit needs to be clearly identified as well as the aspects of performance that are to be examined. Therefore: THE AUDIT OBJECTIVE - ESTABLISHES BOUNDRIES FOR THE AUDIT BY CLEARLY STATING WHAT THE AUDIT IS TO ACCOMPLISH. IT IDENTIFIES THE SUBJECT OF THE AUDIT AND THE PERFORMANCE GOAL. OPEN-ENDED OBJECTIVES SHOULD BE RESTATED AS CLOSED-ENDED OBJECTIVES.

12

OPEN-ENDED OBJECTIVES: Identify the subject; what is the audit to examine Are vague in defining what the audit is to accomplish CLOSED-ENDED OBJECTIVES: Are answerable Identify what the audit is to examine Clarify what the audit is to accomplish 1. IDENTIFY THE PRIMARY REPORT USER(S): What do they want to know? When they receive the information what are they going to do? 2. UNDERSTAND THE SUBJECT, PROBLEM AND/OR CONCERN? The audit subject is usually an organization, a department, a program, a service, an activity and/or a function, a management policy, and a performance issue.

3. DECIDE WHAT PERFORMANCE ASPECTS ARE TO BE INCLUDED IN THE AUDIT. Is there management oversight? Is there a desire for customer satisfaction? Is the payroll process efficient? Are goals being established? Is the legislative intent being followed? Can the accuracy of the activity be evaluated? 4. WHEN ISSUES ARE ESTABLISHED, DETERMINE IF THE REASON FOR THE ISSUE IS DUE TO PROCESSING OF TRANSACTIONS OR THE ACCOMPLISHMENT OF A GOAL. (Control risks should be clearly linked to the risks that exist to the county.) 5. DECIDE WHAT ELEMENTS OF THE FINDINGS ARE TO BE DEVELOPED WHICH ARE LINKED TO SUB-OBJECTIVES.

13

SUB-OBJECTIVES Will address elements of the primary findings - will usually help to identify the nature of the data required will tend to lead to major audit steps. SUB-OBJECTIVES Are developed as a series of questions addressing each finding element you decide to develop. A separate question should be written for each finding element. EXAMPLES OF SUB-OBJECTIVES: 1. CONDITIONED BASED OBJECTIVE: What is the average response time for a 911 call out? 2. CRITERIA BASED OBJECTIVE: What was the unit cost to process a payroll check in FY 03? 3. EFFECT BASED OBJECTIVE: What is the difference between the legislative intent and the departments goals? 4. CAUSE BASED OBJECTIVES: What are the underlying factors that influence customer satisfaction with the ability of the department to deliver service?

14

DOCUMENTATION REGARDING INTERNAL CONTROL

The second standard of fieldwork that needs to be considered is that of internal control. The workpapers should have adequate documentation that the auditor had obtained a sufficient understanding of the existing internal control structure for the department being reviewed. The extent to which internal control is established in the department will impact the nature, timing and extent of the tests that will need to be performed. The workpapers should document: 1. The understanding of the offices internal control structure, and 2. The auditors assessment of its effectiveness in detecting and/or preventing material misstatements. Basically the departments internal control system consists of the policies and procedures that have been established to provide reasonable assurance that those specific objectives will be achieved. Policies and procedures may be established through statutes, may be established by the commissioners court, may be established by the county auditor, and they may be created by the elected official and/or department head. Normally with a financial review the auditor will be concerned with those policies and procedures that are primarily concerned with the recording, processing, summarizing, and reporting of financial, and the affect an error will have. The departments internal control consists of three elements: 1. The control environment 2. The accounting system, and 3. The control procedures Each of these components needs to be understood in order to plan the review that is to take place. The Control Environment essentially reflects managements attitude, awareness and actions concerning the importance of control. The factors that the auditor will need to consider are: 1. 2. 3. 4. 5. Managements philosophy (the operating style used) The departments organizational structure The method of assigning authority and responsibility Personnel policies and practices Managements control methods used for monitoring performance to include internal auditing 6. External influences that may impact the office, and 7. Interaction with other offices in the county These factors serve to make other control policies and procedures more effective. When management is found to have a positive attitude towards controls and does not try to mitigate the effectiveness of policies and procedures or to override the controls, the reviewer finds that the nature, timing and extent of the review can be reduced.
15

The Accounting System consists of the methods and records which are used to identify, analyze, classify, record and report the departments transactions and to maintain accountability for related assets and liabilities. The auditor needs to understand the accounting system in sufficient detail in order to understand: 1. The types of transactions that can occur within the department 2. How those transactions are initiated 3. The accounting records, support documents, machine readable information, and specific accounts in the financial system involved in the processing and reporting of the transaction 4. The accounting process from the initiation of the transaction to the inclusion in the financial data 5. How the computer is used to process the data at each level, and 6. The financial reporting process. The Control Procedures consist of those policies and procedures, in addition to the control environment and the accounting system that management has established to provide reasonable assurance that its objectives will be achieved. Examples of control procedures are: 1. Segregation of duties 2. Proper authorization, and 3. Independent checks and balances. The audit strategy is based on the reviewers understanding of the control procedures. If control procedures are weak, then it doesnt make a lot of sense to waste time to test controls. However, if the auditor is able to test the control procedures and finds that they are strong and effective, then he/she may decide that the substantive tests can be reduced. The understanding to be obtained is developed through inquires of the department, review of the departments manuals and documents, and observation of the departments routines. The reviewer must ascertain reliable information that confirms that the policies and procedures, the control procedures are not just in writing they are being practiced. This confirmation comes from: 1. Inquires 2. Observations, and 3. Hands on monitoring of transactions. The understanding that the auditor comes to needs to be documented. The size and the complexity of the entity, as well as the nature of the departments internal control structure influence the form and the extent of this documentation. A large department may have its own documentation of the internal control procedures that the auditor can copy and put in the workpapers. For smaller departments the auditor may develop their understanding through the use of flow charts and/or questionnaires. For really small departments the auditor may just use a memorandum for small offices with one or two employees it is real difficult to put into place effective internal controls. Generally the more complex the department, the more extensive the internal control, and the more extensive the auditors documentation.
16

The most commonly used methods of documentation are: 1. Memorandums narrative descriptions of the relevant control structure. Polices and procedures. They are most useful when the matter being described is relatively simple. They are less useful when the system becomes very complex. 2. Flowcharts are useful when there is a system of internal control or operational system that is very complex. A flowchart is a graphic depiction of operations and decisions applied in the departments structure. Flowcharts need not be elaborate their advantage is that complex matters can often be made easier to understand in a graphic presentation. 3. Questionnaires or sometimes referred to, as checklists are programs that allow the auditor the ability to ask questions as to functionality and receive responses from individuals. They are especially relevant when the auditor wants to make sure that specific items or procedures have been focused on and all relevant matters have been considered. This form of documentation lends itself to be summarized more easily than memorandums and flowcharts. There are two general types of questionnaires: A. Opened-Ended Questionnaires ask general questions and let the auditor answer with whatever information is relevant in the circumstances. B. Closed-End Questionnaires ask questions that must be answered yes or no. C. Closed ended questionnaires are less flexible than open-ended questionnaires, but they are more comprehensive. Closed ended questionnaires are usually more useful with larger more complex offices, while open-ended questionnaires are better applied to the smaller office. The auditors understanding of the control structure is required to be documented, but the procedures to be used to obtain this understanding are not. Thus, the auditors procedures done to understand the design of the procedures done to see if the departments control structure and to see that the departments policies and procedures have been placed in operation need not be specifically described. Even so even if the procedures to obtain the knowledge of the internal control are required to documented, the auditor should document the procedures applied and the reasoning for the judgment process that was applied. Any file memos as to the procedures followed or the documents examined should be dated and at least initialed by the individual making the statement. A signed off audit program is a commonly used document which has a step by step program for the auditors to use and the cycle that is to be followed. Assessing Control Risk After the auditor has obtained his understanding of the internal control structure, while he obtains it, it is not uncommon for the auditor to consider whether there are policies and procedures in place that would reduce the risk of material misstatement, and if there are, whether it would be efficient to test them I order to reduce the scope of substantive tests.
17

If the auditor decides that he/she wants to take advantage of the existing internal control structure, i.e. existing policies and procedures, in an effort to reduce the amount of time required to do substantive testing then there must be apply tests of the controls to see if the policies or procedures (that are to be relied on) are designed and operating effectively. The tests must be directed at determining whether the policy or procedure is suitably designed to prevent or detect material misstatements and how effectively it is operating. Tests of controls are concerned with how a control structure policy or procedure was applied the consistency with which it was applied during the period under examination and by whom the control was applied. These tests include inquires of appropriate personnel inspection of documents examination of reports observation of applications and, performance evaluations. It should be remembered that tests of controls are undertaken only when the auditor believes that by performing such tests that the substantive testing can reduce the need for substantive testing of the detailed documentation. Tests of controls are used in the hopes of being able to increase efficiency. Tests of controls are required if there is going to be reliance placed on the underlying controls and procedures. The more that the auditor is able to depend on the departments internal control structure to prevent or detect material misstatement, the less substantive work that will be required to be performed. Documenting The Control Risk Assessment When the auditor is able to conclude that he/she is able to reduce substantive testing on the effectiveness of the control structure, there needs to be documentation of the basis for this decision in the workpapers. That is, in addition to the understanding of the control structure that is already documented, there needs to be documentation of the tests of the controls and their result that were performed. The form and the content of this documentation are going to vary from office to office and from department to department. But, is some form the documentation should include: 1. A written description of the tests performed 2. The identity of the person performing the tests should be clear 3. An indication of the when the tests were performed and when they were completed 4. A description of the evidence that was examined (a copy in the file for an example would be useful to the reader) 5. An indication of the number of items that were tested 6. The source of the items selected and how these items were determined for selection, and 7. A description of the exceptions noted and an explanation as to their disposition. It is always good to document the type of misstatement that the control policy or procedure can be depended on to prevent and/or detect. It is not uncommon for the auditor to make a statement in the workpapers whether the controls tested worked as expected and can be depended on. The more reliance the auditor can place on the control structure (i.e. there is a low assessment of risk) the more evidence that should be documented to support the reliance.
18

When the internal auditor is dealing with an office that only has two people in the office, then it is unlikely that the office will be able to effect adequate control measures that can be relied on. If the auditor is not going to place reliance on the internal control measures, then there is not reason to test them. Thus, there is no dependence on the controls and/or procedures to prevent and detect material misstatements. Weaknesses In Internal Control Any weaknesses noted in the internal control structure should be clearly noted in the workpapers as reportable conditions and should be communicated to the department head and/or elected official, and should be reported in the letter of findings to the official. Reportable conditions are significant deficiencies in the design or operation of the internal control structure that could adversely affect the departments ability to record, process, summarize, or report financial data consistent with accounting and financial procedures required by state statutes and or county policy. The deficiencies might involve any of the three components of the control structure the control environment, accounting system, or the control procedures. If the condition is reported orally to the department head and/or elected official then the initial conversation should be well documented. The communication should always be followed up in writing. Conditions that have been reported in prior years, and which have not been corrected, should be re-iterated until the department head and/or elected official has clearly acknowledged the risk and has stated reasons for not correcting. Managements acknowledge is always critical. Thus, it is not an uncommon practice to allow the department head and/or elected official the opportunity to respond to the finding in the report.

19

DOCUMENTING SUBSTANTIVE TESTS

The internal auditor detects material misstatements in financial statements by applying substantive tests. The tests are designed based on the auditors assessment of risk that material misstatements will occur and that the department will not catch the error. This is commonly referred to as inherent and control risks. The higher the risk of misstatement occurring undetected by the client, the more evidence the auditor will need to accumulate. The accumulation of evidence supporting the amounts in the financial statements is by far the most time consuming part of the audit and documentation of substantive tests generally accounts for the bulk of the workpapers that are prepared. Thus, the third standard of fieldwork states: Sufficient competent evidential matter is to be obtained through inspection, observation, inquires, and confirmation to afford a reasonable basis for an opinion regarding the financial information under examination. Evidential matter is obtained through two general classes of auditing procedures that comprise substantive tests: 1. Tests of detailed transactions, and 2. Analytical procedures Books of original entry and other records maintained by the department such as ledgers, journals, cost allocations, and reconciliations may in part support the monthly and/or quarterly reports those records do not constitute what is considered evidential matter. Documentation must be collected that will corroborate the information shown in the above-mentioned documents. Corroborating evidential mater includes: 1. 2. 3. 4. 5. 6. Cancelled checks Receipts Invoices Contracts Independent confirmations Information independently obtained or developed through inquiry, observation, or inspection.

Auditors choose from a wide range of methods and techniques to test the validity of accounting information and reports. Some of the more commonly used techniques are: 1. Documenting the process used to develop the financial information, then testing the information entered into the process 2. Comparing the accounting data and information to data that is collected outside of the department, and 3. Comparing the accounting information to the auditors expectations, which have been derived through logical analysis.

20

Competence Of Evidential Matter To be competent, evidential matter must be both reliable and relevant. Reliability of evidential matter will always depend on the circumstances under which it is obtained. However, there are some generalizations that are commonly held to be true (but one must understand that there are exceptions to every rule): 1. Greater assurance to the accuracy of information can be assigned to evidence that is obtained independently and outside of the department that is being examined. 2. Financial information that is created within a department that has strong internal controls (or in some cases just satisfactory internal controls) provide more assurance as to accuracy than those produced in an environment with less than satisfactory conditions. 3. Direct personal knowledge obtained by the auditor through physical examination, computation and inspection is more reliable than data obtained indirectly. The relevance of evidential matter has to do with whether the information bears on the accounting or reporting data in question. While the relevance of evidential matter to a specific circumstance is generally clear, in some cases, particularly those involving the estimated outcomes of future events, the auditor needs to particularly careful in considering whether the correct factors are considered in arriving at the conclusion. Sufficiency of Evidential Matter Once the internal auditor has considered the evidential matter and has found it to be relevant and reliable, he/she must then determine whether or not the data collected is sufficient that is there is enough data that will allow for a basis to be developed related to the finding and that the data will support the finding. As a rule of thumb, the evidential matter must be sufficient to reduce to an acceptable low level the risk that the internal auditor will fail to detect a material misstatement in the financial data and related reports. Evidential matter may be developed through the use of substantive testing. The sufficiency of evidential matter will depend on: 1. The nature of the elements under examination 2. The relative size of the population and the auditors judgment as to materiality 3. The auditors assessment as to the inherent and control risks within the department i.e. risk of material misstatement, and 4. The nature of the evidential matter obtained persuasiveness of the evidence collected and the risk that it may be interrupted incorrectly. The internal auditor has to always be cognizant of the economics and the timeliness of an internal audit. For a finding and a solution to be economically useful, it must be developed and rendered in a reasonable length of time. There is a rational relationship between the cost of obtaining evidence and its usefulness. Evidential matter that is to be collected has a cost to the taxpayers. That is not to say that the matter of difficulty and expense involved in testing a particular attribute is not in and of itself a valid basis for omitting an otherwise necessary step in the internal audit function.

21

Types of Substantive Tests There are two types of substantive tests tests of details and analytical procedures. During most internal audit procedures both types of testing are generally used. The internal auditor will choose the procedure based on: 1. 2. 3. 4. Materiality Risk of misstatement Production of persuasive evidence Comparative efficiency

Tests of detail are audit procedures in which amounts that make up an account balance or class of transactions are compared to corroborating information. These tests are usually directed at balance sheet accounts and used to test the existence, ownership, and valuation of assets and the amount and responsibility for liabilities. Tests of details can be directed at both revenue and expenditure accounts in an effort to document the classification accuracy of each. A test of details will usually include one or more of the following: 1. 2. 3. 4. 5. 6. Vouching (invoices, receipts, budgetary authorization, etc.) Account analysis Reconciliations Confirmations Observation, and Recalculation

Analytical procedures are commonly referred to as substantive tests of financial information consisting of observation and comparisons of relationships among data, such as fluctuations or trends noted in various ratios, percentages, quantities and dollars. Some commonly used analytical procedures include comparisons of financial information between: 1. 2. 3. 4. 5. 6. Current period and prior period Current period this year to same period in prior year(s) Current period year to date and prior year to date Budget and actual Similar departments Revenue and expense to produce the revenue

Analytical procedures lend themselves to provide easy analysis of income and expense and developing techniques for insuring that everything that should have been recorded was recorded. When applying analytical procedures the internal auditor should: 1. Consider the relationship between the data that is collected and the expected result 2. Compare what is expected to that recorded and reported by the department 3. Obtain sufficient understanding of events that will help to explain any differences, and 4. Obtain supporting evidence to corroborate the explanation.

22

It is not uncommon for an internal auditor in a county to perform substantive testing at periodic times during the year on any and all departments. The auditor needs to always consider the activity as previously tested in relationship to the activity currently being tested. In addition the auditor should include in their normal set of procedures the following: 1. 2. 3. 4. Comparative review of data from test period to test period Insuring that the general ledger and the subsidiary ledger agree Always tracing entries to their source, and Ascertaining that all recommended adjustments have been made.

Some elements to remember about substantive testing: 1. Substantive testing can be reduced and may be eliminated. 2. Substantive testing and the test of controls may be combined into one function. 3. Substantive testing is not just number crunching they include: Confirming accounts receivable Reviewing commissioners courts minutes Investigating fluctuations in account balances Testing support for uncollected accounts Observing physical inventory Computing debt requirements from original documents 4. Vouching should include the review of cancelled checks, contracts, purchase orders 5. Account analysis is the systematic detailing of the components as recorded in the general ledger and/or subsidiary ledger 6. Reconciliations involve the verification of an account balance

23

TYPES OF WORKPAPERS
Workpapers can be simply defined as anything the internal auditor uses to document the results of the examination and the scope of the procedures performed. They will also confirm and/or deny the fact that the financial reports and underlying data for the financial reports of the department agree and/or reconcile. Working papers generally include: 1. 2. 3. 4. 5. 6. General ledger activity reports Copies of departmental reports An audit program Documentation as to the understanding of the internal control structure Designated tests to be performed to confirm the understanding Notes, memorandums, copies of documents, minutes, contracts, invoices, purchase orders, etc. 7. Schedules (either prepared by the auditor or prepared by the department that support the distributions to the general ledger and subsequent reports. Workpapers generally present a logical flow to the information and data. Workpapers should be able to tell the reader and/or reviewer a story without the need for additional oral communication and explanation. The workpapers should be compiled in the form of a pyramid the findings to the front and the detail to the back. A contents page should be used to give the reader the ability to find transaction work quickly. If tick marks are used, it is customary to have a legend at the front of commonly used tick marks. The contents page would be followed then by the report of findings; followed by any other communication (written and oral) that occurred during the examination; followed by any internal memos and general observations; followed by a worksheet delineating any adjustments and/or reclassifications that are proposed (each adjustment should be referenced to the support documents in the workpapers); followed by the evaluation of internal control; followed by a risk assessment; followed by the audit program; followed by detailed tests; followed by analytical review; and followed by any substantive testing, reconciliations, and/or recalculations. Depending on the county auditors instructions and or the culture of the county, when the internal auditor is performing an analysis of expenditure accounts, a detailed analysis should always be performed on: 1. 2. 3. 4. 5. 6. Single expenditures in excess of $5,000 Multiple expenditures with the same vendor that exceed $25,000 Legal expenses Professional fees Maintenance and repair in excess of $ __________ Rents

24

All workpapers should have a clear indication as to: 1. 2. 3. 4. 5. 6. The department being examined The title of the workpaper A brief description of the workpapers contents A statement as to the source of the data obtained The period being covered by the examination Who prepared the workpaper, when it was prepared and who reviewed the document 7. Any documents which are prepared by the department should be clearly labeled as to who prepared the document and when 8. Any adjustments that are being proposed and documentation for such, and 9. Any reference to other documents Always remember: If you dont write it down it was never said it was never done! Internal audit work papers should always tell a story. Consider the thought that if a bus hit you today would someone else be able to follow behind you.

25