INTERNAL

AUDIT
MANUAL

1|Page
Table of Contents

I. Foreword………………………………………………………………………………….Pg. 7

II. Definition of Internal Auditing………………………………………………………...Pg. 7

III. Benefits of an Internal Audit……………………………………………….................Pg. 7

Section A – Internal Audit Organization…………………………………………………Pg. 8

A1. Authority………………………………………………………….……………………..Pg. 8

A1.1 Mission Statement

A1.2 Executive Endorsement of Internal Audit Charter

A2. Department Standards………………………………………………….…………….Pg. 9

A2.1 Institute of Internal Auditors IPPF and Generally Accepted Government

Auditing Standards

A2.2 Ethics & Code of Conduct

A2.3 Rules of Conduct

A3. Department Structure………………………………………………………………..Pg. 11

A3.1 TONKS Organizational Chart

A3.2 Internal Audit Department Organization Chart

A4. Position Responsibilities………………………………………………………….…Pg. 12

A4.1 Director, Internal Audit

A4.2 Supervisor, Internal Audit

A4.3 Internal Auditor

A4.4 Investigative Auditor

2|Page
 A4.5 Information Systems Technology Auditor

A4.6 Business Analyst

A5. Internal Audit Office Policies and Procedures……………………….……………Pg. 15

A5.1 Internal Audit Contact Information

A5.2 Recruitment and Selection of Staff

A5.3 Probation

A5.4 Termination of Employment

A5.5 Employee Evaluations

A5.6 Training and Continuing Director

A5.7 Compensation

A5.8 Attendance

A5.9 Leave and Absence Policy

A5.10 Disciplinary Action

A5.11 Grievances

A5.12 Safety

A5.13 Employee Organizations

Section B – Audit Procedures and Techniques for Student Activity Fund and

Operational Audits……………………………………………………………..........Pg. 19

B1. Introduction…………………………………………………………………..Pg. 19

3|Page
B2. Auditing Procedures………………………………………………………………...Pg. 20

B2.1 Auditor Assignment

B2.2 Statement of Independence

B2.3 Planning Budget

B2.4 Engagement Letter

B2.5 In-Office Review

B2.6 Entrance Conference

B2.7 Risk Assessment

B2.8 Audit Program

B2.9 Audit Fieldwork and Tests

B2.10 Working Papers – Purpose, Organization and Format

B2.11 Audit Findings

B2.12 Exit Conference

B2.13 Supervisory Review

B2.14 Quality Control / Monitoring

B2.15 Threats

B3. Audit Report…………………………….…………………………………………….Pg. 27

B3.1 Audit Report Organization

B3.2 Audit Report Review

B3.3 Audit Report Filing

B3.4 Audit Report Numbering

4|Page
 B3.5 Audit Report Referencing

B3.6 Management Response

B3.7 Internal Audit Report Tracking

Section C – Audit Procedures and Techniques for Special Investigation

Audits …………………………………………….………………………………...….Pg. 30

C1. Introduction

C2. Application of Investigation Standards

C3. Identification of Circumstances Requiring Special Investigations

C4. Audit Techniques for Special Investigative Audits

C5. TONKS Compliance Hotline

C6. Evidence Gathering

C7. Investigation Audit Reporting

Section D – Audit Procedures and Techniques for Information Systems Technology

Audits………………………………………………………………………………………Pg. 38

D1. Introduction

D2. Identification of Audit Areas

D3. Auditing Procedures

D4. Audit Reports

5|Page
 Attachment Index

Attachment 1 Board Policy 8373, Internal Board Operations

Attachment 2 TONKS Organizational Chart

Attachment 3 Internal Audit Department Organizational Chart

Attachment 4 Statement of Independence

6|Page
I. Preface

Internal Audit responsibilities will be accomplished constant with the Generally Accepted
Government Auditing Standards and International Professional Practice Framework.
Auditors are required to study to the value standards (attributes of company and
personalities performing interior audit services), presentation standards (the landscape
of internal audit services and be in charge for valued criteria against which the
performance of these services can be measured) and implementation standards
(develops upon performance and attribute standards) as well as the strongly
recommended guidance.

II. Definition of Internal Auditing

The Institute of Internal Auditors Brings the following definition of Internal Auditing:

“Internal Auditing is an independent, objective assurance and consulting activity

designed to add value and improve an organization’s operations. It helps an
organization accomplish its objectives by bringing a systemic, disciplined approach to
evaluate and improve the effectiveness of risk management, controls and governance
processes.”

III. Benefits of an Internal Audit

The function of Internal Audit is to bring value to an organization. Some of the utmost
important benefits comprise but are not limited to the following:

 Identification of deviations from management's policies and procedures and

expectations
 Evaluation of internal controls to help ensure management’s assets are protected
from loss, misuse, and abuse
 Objective assessment of areas of interest to management
 Confirmation that controls and procedures are adequate
 Recognized improvements to accounting controls to prevent and detect fraud,
waste and abuse
 Identification of productivity enhancements

7|Page
  Recoveries of unbilled or under-billed revenues and duplicate payments
 Recoveries of vendor overcharges
 Recognized opportunities to automate procedures
 Assurance of automated computer controls
 Audits all oraginzation, offices, departments, programs, grants and special
requests
 Identification of efficiencies including best practices, cost savings and cost
avoidances

SECTION I - INTERNAL AUDIT ORGANIZATION

A.1 Authority

A1.1 Mission Statement and Internal Audit Charter Internal Audit’s mission is to
upkeep the organization system’s Board of Directors and management in the
operative discharge of their responsibilities. Moreover, Internal Audit will furnish
them with findings, analysis, recommendations, advisory services and
information concerning the relevant activities with the objective of adding value
and improving the organization system’s operations. Internal Audit shall evaluate
the organization system's controls to determine whether they are designed to
guard its assets and to facilitate the preparation of reasonable and consistent
reports to management. In due course, Internal Audit will assist the organization
system with achieving its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management,
controls and governance processes.

A1.2 Executive Endorsement of Internal Audit Charter Internal Audit’s authority

and responsibilities have been endorsed by the Board of Director through Board
Policy 7241, Internal Board Operations, Office of Internal Audit. (Attachment 1)

8|Page
A2. Department Standards

A2.1 Institute of Internal Auditor’s (IIA) Generally Accepted Auditing

Standards and International Professional Practices Framework

The department’s audits are completed based on specific auditing standards.

The term “audit standards” means the rules or principles established for defining
the level of quality for audit work completed. Audit standards are intended to
define the basis for reliable, unfailing, high quality, proficient audit results.
Internal Audit responsibilities are consistent with the Institute of Internal Auditor’s
International Professional Practices Framework (IPPF) and Generally Accepted
Auditing Standards (GAAS) which offer a structure for completing high quality
consulting and assurance engagements with integrity, competency,
independence and objectivity.

A2.2 Ethics and Code of Conduct

Consequently, internal auditors are anticipated to perform their work in

compliance with the obligatory standards and to maintain and apply the following
ethical principles:

 Integrity – Internal auditors are anticipated to evade any conciliation of

professional value for personal interest. The integrity of internal auditors
creates trust and thus brings the basis for reliance on their judgment.
 Objectivity - Internal auditors are anticipated to show the highest level of
professional objectivity in evaluating, gathering and communicating
information about the process or activity being inspected. Internal auditors
make a well-adjusted assessment of all the pertinent situations and are
not unduly prejudiced by others or by their own interests in making
judgments.
 Confidentiality - Internal auditors respect the ownership and importance
of information they acquire and do not release information without proper
authority except there is a professional or legal obligation to do so.

9|Page
  Professional Behavior – High expectations for the auditing profession
include obedience with all important legal, regulatory and professional
obligations and circumvention of any conduct that might dishonor the
auditor’s work.
 Competency - Internal auditors apply the skills, knowledge and
experience needed in the enactment of internal audit services.
 Public Interest – Public interest is denoted as the collective well-being of
the of entities work for by auditors and community people. By observing to
the above-mentioned code of ethics in carrying out their responsibilities,
auditors are honoring the public trust.

A2.3 Rules of Conduct for Internal Auditors Internal Audit shows compliance with
ethical principles and a code of conduct by adhering to the following rules:

1. Integrity - Internal auditors:

1.1. Shall abide the law and make admissions expected by the law and the
profession.

1.2. Shall carry-out their work with diligence, honesty and responsibility.

1.3. Shall respect and contribute to the legitimate and ethical objectives of the
organization

1.4. Shall not eloquently be a party to any illegal doings, or engage in acts that
are dishonorable to the organization or to the profession of internal auditing.

2. Objectivity - Internal auditors:

2.1. Shall not receive anything that be presumed to impair or may impair their
professional judgment.

2.2. Shall not partake in relationship or any activity that be presumed to impair or
may impair their fair assessment. This involvement includes those activities or
relationships that may be in conflict with the interests of the organization.

10 | P a g e
 2.3. Shall communicate all quantifiable facts known to them that, if not
communicated, may misrepresent the reporting of activities under examination.

3. Confidentiality - Internal auditors:

3.1. Shall not utilize information for personal interest or in any manner that would
be contrary to the law or unfavorable to the ethical and legitimate objectives of
the organization.

3.2. Shall be vigilant in the safety and use of information obtained in the course
of their duties.

4. Competency - Internal auditors:

4.1. Shall constantly improve their effectiveness and proficiency and excellence
of their services.

4.2. Shall perform internal audit services in accordance with the IPPF

4.3. Shall participate only in those services for which they have the essential
skills, experience, and knowledge.

A3. Department Structure

The Internal Audit Department reports functionally to the members of the Board of
Director and administratively to the Chief Executive Officer. The Internal Audit staff has
no direct authority or responsibility for any of the activities reviewed or audited.

Presently the Internal Audit Department is staffed with the Director of Internal Audit,
Supervisor of Internal Audit, 7 Staff Internal Auditors, 1 Investigative Auditor, 2 Property
Audit Technicians, 1 Lead Property Auditor, 1 Business Analyst, and 1 Information
Technology Auditor.

A3.1 Organizational Chart (Attachment 2)

A3.2 Internal Audit Department Organization Chart (Attachment 3)

11 | P a g e
A4. Position Responsibilities

A4.1 Chief Audit Executive (CAE) – Responsibilities/Duties the Director coordinates,

plans, and directs the daily events of the department by carrying-out the following:

 Manages and leads Internal Auditors in whole company and audit specific risk
assessments designed to deliver value to organization.
 Brings leadership direction to operations and development of Internal Audit
groundwork, projects and resources.
 Administers fraud and other examinations directed by the other Internal Auditors
and Investigative Auditor as assigned.
 Supervises the maintenance and progress of a cohesive entity-wide internal audit
risk assessment database and approach.
 Reports Internal Audit accomplishments and conclusions to the members of the
Board of Directors.
 Cooperates frequently with executive staff to guarantee important business risks
are addressed and identified.

A4.2 Supervisor, Internal Audit – Responsibilities/Duties the Supervisor give

directions staff performance and operational audits of wavering scope and complexity.
Additional duties include the following:

 Proactively lead the efforts in audit planning.

 Express audit position to the Internal Audit Director.
 Supports with defining internal audit consent timeframe and project scope.
 Formulate audit procedures to ensure proper fieldwork completed as per audit
plan.
 Perform specific audits for individual accounts.
 Oversee staff and review their performance.
 Teach auditors and assist to resolve problems with organization or operating
field.
 Review audit work papers to ensure clearness and well-ordered documentation.

12 | P a g e
  Frame appropriate decisions relative to procedures and acceptable internal
controls on the basis of audit work performance and information of operations.
 Assure key controls are verified and every imperative risk are addressed to
conclude that financial transactions observe the existing contracts, laws, policies
of the Board and standard accounting principles.
 Designate staff auditors to perform professional training programs for company
staff as required.
 Executes back-up sense of duty in the nonattendance of the Internal Audit
Director.

A4.3 Internal Auditor –Responsibilities/Duties Internal Auditors strategize and execute

designated analyses and audits of operations and investigations. Additional
responsibilities include the following:

 Evaluation and Inspection of the financial procedures and/or proceedings of

organization to assure that they are being operated economically and efficiently
and in observance with BOD guidelines.
 Establishment of training, advisory services and assistance to organization staff,
etc.
 Preparation of recommendations and audit findings for corrective action;

A4.4 Investigative Auditor –Responsibilities/Duties the Investigative Auditor performs

monitors the hotline of whistleblower and investigations. Additional responsibilities
include the following:

 Assesses a variation of confidential matters including

 conducting investigations of fraud,
 waste,
 abuse,
 mismanagement,
 misappropriations,
 irregularities,
 Allegations, etc.

13 | P a g e
  Executes internal compliance audits, organization operational or financial audits
and assists on special projects as mandated by the Internal Audit Director
 Reevaluates and reviews and bring up-to-date the Entity-wide Risk Assessment

A4.5 Information Systems Technology (IST) Auditor –Responsibilities/Duties the

Information Systems Technology Auditor strategies and performs designated
Information Technology (IT) audits. Additional responsibilities include the following:

 Holds a variety of confidential substances including:

 Conducting audits of departments to determine the competence of IT
related internal controls in reacting to risks of the system’s technology
network. The IT Auditor reviews IT systems controls guidelines and
measures in performing the responsibilities;
 Evaluating the degree of success of IT and financial objectives and
acceptable auditing and accounting principles.
 Helps and provisions Interior, Investigative and Auditors of Property with audit
assignments that contain an IT element.
 Coaches, Monitors and delivers analysis and information to management on
technology concerns; reviews IT procedures, policies and systems connecting to
information technology and commends developments for improved quality and
cost efficiency.

A4.6 Business Analyst – Responsibilities/Duties the Business Analyst supports

associates of the Board of Director by looking over and examining use of allocated
resources. Additional responsibilities include the following:

 Partakes with Internal Audit for the Board in collecting data, scrutinizing
information and Brings related services heading toward the evaluation and
compilation of financial evidence for Board Members;
 Contributes individually in multifaceted analyses or projects and/or as a team
member in extra compound procedural and financial analysis projects. This
includes:

14 | P a g e
  program budgeting system development
 payroll and
 Accounting.
 Delivers support to staff auditors by assisting and Brings analytical support with
organization audits as needed.
 Brings general support to the Staff and Internal Audit Director.

A.5 Internal Audit Office Policies and Procedures Important policies and
procedures that are pertinent within the Internal Audit Office are as follows:

A5.1 Contact Information - The Internal Audit Office can be communicated as

follows: Internal Audit Department TONKS Administration Building 0824
Organization Lane Upper Winston, MD 20772 (301) 2480-7887 The office hours
are 8:30 am through 6:30 pm Monday - Saturday

A5.2 Probation – Recently hired staff will be subject to a provisional period that
is resolute by Human Resources at hire. Usually this period is 5 months. Staff will
be considered regular employees at the end of this period unless otherwise
informed.

A5.3 Recruitment and Selection of Staff - Internal Audit staff are designated
based upon Board of Director policies that necessitate that application be
submitted in answer to advertised beginnings. The screening process may
include interviews and written tests as soon as deemed necessary. Promotions
are made in the similar method.

A5.4 Termination of Employment - Staff are capable to submit resignation

within HR module. Nevertheless, as a professional consideration, it is requested
that the Director of Internal Audit is informed personally at least 20 calendar days
earlier to resignation. Involuntary terminations are directed at the direction of
(HR) Human Resources. Employees dwindling to report to work for 4 consecutive
work days short of authorized leave are subject to termination. The employee
may be returned only in the occurrence that it is strong-minded that mitigating
situations prevented contact with Director of Internal Audit.

15 | P a g e
 A5.5 Employee Evaluations – Human Resources (HR) necessitates that
employees are assessed yearly. Staff assessments are completed by the Internal
Audit Supervisor for staff auditors. The Director of Internal Audit Director will
evaluate the other staff members.

A5.6 Training and Continuing Director - GAGAS require that staff directing
and handling audits earn 80 hours continuing Director semiannually, in which 24
of it must be straight related to government auditing. IPPF Attribute Standard
1230 also necessitates internal auditors to improve their knowledge, skills and
other competencies through (CPD) continuing professional development by
completing a minimum of 40 CPEs once a year. Staffs are obligatory to
individually make arrangements to assure that this requirement is achieved.
Training openings comprising conferences, training manuals, online courses,
webinars, and internal training occasions may be accessible to assist in this
effort.

A5.7 Compensation - Staff compensation is resolute by Human Resources

upon hiring. Granting pay increases may be recommended during the staff
assessment procedure, the Director of Internal Audit does not have power to
administer compensation.

A5.8 Attendance – Staff are anticipated to be accessible during business hours

performing Internal Audit assignments unless on accredited leave. Staff must
work a least of 8 hours day-to-day. However, consigned responsibilities may
encompass beyond the ordinary work day and work week. Each staff is allowed
to a 16 duty-free lunch period of at least 35 minutes. The lunch time may be
corresponding and determined by the Director of Internal Audit. Internal Audit
does not established a telecommuting procedure as it has not been recognized
by the Board of Directors..

A5.9 Leave and Absence Policy - Internal Audit staff receive yearly and sick
leave days that may be permitted for use at the discretion of the Internal Audit
Director. Staff must be aware of assignments and responsibilities when

16 | P a g e
 demanding leave. The Director of Internal Audit will accept time off while taking
into account these factors. Consent of leave time does associate to an extension
of time for accomplishment of responsibilities. Staff will be likely to reach
prearranged cutoff date unless the Director has approved to an extension. Staff
should not contemplate submission of a leave request as a spontaneous
privilege to yield time off even though they have existing leave balance.
Managerial consent is an important component of the leave management
procedure.

 Yearly Leave: Internal Auditors are obligatory to submit requests for

yearly leave using Attendance and Oracle Time. These requests are
prerequisite to be submitted at minimum 3 work days before the date of
the requested leave. Annual leave requests submitted less than 2 work
days is subject to renunciation and should be circumvented. This is
particularly the case with similar day leave requests. Staff should properly
plan for nonattendances. Inadvertent yearly leave should be demanded on
a limited consent and basis will be well thought-out by the Director reliant
on situations. Internal Audit staff is obligatory to communicate verbally to
the Director of Internal Audit their reason to request yearly leave earlier to
submission in Oracle. Internal Audit staff should guarantee that leave
requested has been accepted before it is taken. Leave taken that has not
been approved will be considered. Yearly leave will not be approved that
exceeds the quantity of the employee’s received leave.
 Sick Leave: Internal Auditors may demand sick leave to be used in
advance or as unplanned leave. Unplanned sick leave must be called in
proceeding to the scheduled arrival time of the employee. The call must
be placed to the Director of Internal Audit, Business Analyst or Supervisor.
A voicemail should be left for the Director if none of them is available.
Each time the employee has awareness that the Director is on leave, an
email should also be sent to the employee’s supervisor. It requires a
signed physician’s certificate if sick leave extending past 3 days. The said
document must be offered on the date the employee returns to work. It will

17 | P a g e
 result in the extended leave being considered LWOP if failure to present
this document. Sick leave beyond 10 days must be demanded over and
done with Absence Management.
 Internal Audit Calendar: Every permitted leave need to be passing in on
the shared Internal Audit calendar. The Director or Business Analyst will
enter called-in leave on the calendar.

A5.10 Disciplinary Action: Internal Audit staffs are obligated to follow

department standards including code of conduct and professional ethics as
described in Section A2. Staff members are also subject to the professional
requirements set forth by Organization for all employees. Ins and outs for
disciplinary action that could possibly result in termination contain but are not
limited to the following:

 Incompetence or other unsatisfactory performance

 Unapproved absence
 Insubordination
 Violation of administrative regulation and department rules
 Acceptance of gratuities
 Any conduct that reflects unfavorably on Organization and the Internal
Audit Department
 Excessive lateness
 Theft or Abuse of Organization property

A5.11 Grievances: Staff with grievances or complaints should first consider

resolving the issue with their immediate supervisor. If at that level the problem
cannot be settled, it should be escalated to the Director of Internal Audit and
finally to the appropriate official of Human Resources if the matter remains
troubled. The Internal Audit staff is not denoted by collective negotiating units.

A5.12 Safety: Staff is accountable for maintaining and observing safety

measures in the assignment of their area. It should be reported to supervisory
staff at once if unsafe conditions exist to make sure the condition is fixed. Internal

18 | P a g e
 Audit staffs are given a secure right of entry to the Internal Audit office facility. It
is each employee’s accountability to maintain access keys, combinations, and
codes provided. Personnel are also accountable for safeguarding access to
equipment such as laptops that have been supplied for performing tasks on
audit.

A5.13 Employee Organizations: Employee is encouraged to join professional

organizations that improve job skills and knowledge. Especially Internal Audit
staff is encouraged to line with the (IIA) Institute of Internal Auditors, Association
of Certified Fraud Examiners and the Association of Local Government Auditors.
The cost of memberships will fund by the Internal Audit Office at the discretion of
the Director of Internal Audit.

SECTION B - AUDIT PROCEDURES AND TECHNIQUES FOR ORGANIZATION

ACTIVITY FUND AND OPERATIONAL AUDITS

B1 Introduction

This portion of the manual proposes procedures and policies to be used in the
enactment of an internal audit from the point it is assigned up to the issuance of the
audit report. The Director of Audit is principally responsible for every phase described
here, including examination of staff auditor fieldwork. Staff auditors work in the direction
of the Director of Audit, who commends every audit program, work files and work files.
The Director of Audit is accountable for error of work done by the whole Internal Audit
staff. The Internal Audit Director formulates an annual audit plan that shows all activities
to be audited and the projected time for completion. Risk analysis model is used in
establishing audit priorities. The model uses numerous measures to assess functions
inside the organization system that stance the greatest risk to the Board of Director.
Requests from the CEO as well as the Board of Director are also considered in
formulation of the audit plan.

19 | P a g e
B2. Auditing Procedures The following are fundamental steps for carrying out an
internal audit:

B2.1 Auditor Assignment – Staff auditors are obligated to provide quarterly

plans of organizations to be audited together with their quarterly reports. Plans
are performed by auditors based semi-yearly risk assessments.

B2.2 Statement of Independence – Every member of the staff audit is required

to sign and complete a Statement of Independence (see attachment 4) to
document that she or he is free from any external and personal impairment to
independence for each audit. Staff Audit is required to report impairments to
independence to the Director of Audit, either implied or actual, before the start of
assigned audit. Another auditor is designated to the engagement if impairment is
identified.

B2.3 Planning Budget – Afore any work is performed on an assigned audit, a

initial time allocation should be attained from the Director of Audit for special
request and operational assignment engagement. Hours budgeted for
engagements that are part of the audit plan are prearranged, though hours could
be altered at the discretion of the Director of Audit if believed necessary. Though
the budget planning should be developed with a momentous amount of hours
allotted to fieldwork, it should be appropriate to the audit engagement as a whole.
For means of controlling the time allotted adequately, the budget should be
departmentalizing into the following categories:

 Planning,
 Fieldwork,
 Report Writing and Editing,
 Supervisory Review,
 Exit Conference and
 Auditee’s Action Plan.

20 | P a g e
 B2.4 Engagement Letter –An engagement letter should be handed to the top
management accountable for administration of the particular process area,
before beginning the audit when carrying out an operational audit to provide
courtesy and advance notice to the client organization. The letter should pinpoint
the:

 Precise area to be audited,

 names of audit staff assigned,
 notification of the entrance meeting, and
 Any other pertinent information.

Engagement letters are merely sent for IT audits and operational. Organization
audits are routine and numerous. Typically an engagement letter is not sent
whenever special investigation and entity activity fund audits are performed.

B2.5 In-Office Review – An in-office review is essential for the in charge auditor
to gain understanding about the focus area to be audited before the entrance
conference. At this period, the in-charge auditor should start examining
background information regarding the internal control environment and auditee’s
process requirements. Past year workpapers and audit reports may be
reevaluated and should also be held a planning meeting with the audit team to
talk over the assignment of audit. The outcomes of this course should allow audit
staff to determine the audit scope and objectives and make relevant inquiries
throughout the entrance conference.

B2.6 Entrance Conference – The entrance conference with the client should
establish the cooperative manner of the audit. Auditors should be candid and
open about the audit scope and objectives. The assigned Internal Audit staff
should be making known to the client and the auditor should request:

 work space,
 access to needed files, and
 Any other necessary needs at that period.

21 | P a g e
 The process of audit should be clarified as well as the issuance of the audit
report and process for discussion of findings.

B2.7 Risk Assessment – Auditing standards necessitate that auditors should

attain an adequate understanding of the entity and its internal control, including
its nature of operation, to evaluate the material misstatement risk of the financial
statements either due to fraud or error, and to design the timing, nature and
extent of additional procedures of audit. The objectives of fraud risk surveys and
internal control are to collect sufficient data for the auditor to be able to
understand the flow of financial and other information, be familiar to the function,
identify the risks and design of controls inside the organization, and develop a
suitable audit program to consider audit risks. The opening survey should result
in documentation in the form of:

 Narratives,
 flowcharts,
 internal control evaluations, and
 Other key items.

For operational audits the In-Charge auditor should identify the following:

 Recognized goals and whether they are operative in achieving the

objectives
 Expectations of the process or activity,
 The objectives that have been established,
 Important policies, procedures, laws and regulations affecting the auditee,
 Processes or activities developed to ensure objectives are accomplished
effectively and economically,
 Inefficiencies or uneconomical practices,
 How resources are protected,
 How the process or activity is performed, monitored and measured
 Method for reporting results of the process or activity and

22 | P a g e
  Financial profile of the activity to include how much is spent to achieve
goals

The audit program should include steps to identify and assess fraud risks. The
auditor should also consider the risks for fraud (individuals’ incentives or
pressures, opportunity for fraud to occur). An organizational chart as well as
statements of responsibilities of the auditee should be obtained. As the
preliminary survey is conducted, the auditor may identify areas that should be
pursued or tested.

B2.8 Audit Program – An audit program is a comprehensive plan for

implementing an audit. It aids as a guide of planned procedures for the auditor to
keep an eye on. Its purpose is to control and organize work steps designed to be
receptive to the audit risks and or objectives in compliance with set auditing
standards. Following an appropriate, complete audit program helps keep the
auditors on track and precludes them from tracking immaterial items. The audit
program should be ready after the initial risk assessment and prior to any test
work. Any changes to the audit program must also be ratified in writing by the
Supervisor of Audit. Every audit process should aid in answering the audit
objectives and each objective should be addressed in the steps or process. Audit
program procedures should be in adequate fact to let an experienced auditor to
perform testwork with standard administration.

B2.9 iAudit iFieldwork iand iTests i

a.) iobtaining isufficient, iappropriate ievidence i– iGovernment iAuditing

i Standards irequire iauditors ito iobtain isufficient, iappropriate ievidence ito iprovide
i a ireasonable ibasis ifor itheir ifindings iand iconclusions. iIn iassessing isufficiency
i of ievidence, iauditors ishould idetermine iwhether ienough ievidence ihas ibeen
i obtained ito ipersuade ia iknowledgeable iperson ithat ithe ifindings iare ireasonable.
i Appropriateness iis ithe imeasure iof iquality iof ithe ievidence ifor iproviding isupport
for ifindings iand iconclusions irelative ito ithe iaudit iobjectives. iAuditors ishould iuse
i

i professional ijudgment ito idetermine ithe isufficiency iand iappropriateness iof

23 | P a g e
 i audit ievidence itaken ias ia iwhole. iWhen iauditors iidentify ilimitations ior
i uncertainties iin ievidence ithat iis isignificant ito iaudit ifindings iand iconclusions,
i they ishould iapply iadditional iprocedures isuch ias iseeking iindependent,
i corroborating ievidence ifrom iother isources. iThe inature iand itypes iof ievidence
i to isupport iauditors’ ifindings iand iconclusions iare ialso imatters iof ithe iauditors’
i professional ijudgment ibased ion iaudit iobjectives iand iaudit irisk. iTestimonial
i evidence imay isometimes ibe iuseful iin iinterpreting ior icorroborating
i documentary ior iphysical iinformation. iDocumentary ievidence imay ibe iused ito
i help iverify, isupport, ior ichallenge itestimonial ievidence. iInternal iAuditors ishould
i attempt ito iobtain idocumentary ievidence iwhenever ifeasible ito isupport iaudit
i conclusions. iSome iconsiderations ifor iauditors iwhen iobtaining isufficient,
i appropriate ievidence iare ithe ifollowing: i

 Evidence iobtained iwhen iinternal icontrol iis ieffective iis igenerally imore
i reliable ithan iwhen iinternal icontrols iare iweak.
 The igreater ithe iaudit irisk, ithe igreater ithe iquantity iand iquality iof ievidence
i required. i
 Stronger ievidence imay iallow iless ievidence ito ibe iused. i
 Having ia ilarge ivolume iof iaudit ievidence idoes inot icompensate ifor ia ilack iof
i relevance, ivalidity, ior ireliability. i
 Evidence iobtained ithrough ithe iauditors’ idirect iphysical iexamination,
i observation, icomputation iand iinspection iis igenerally imore ireliable ithan
i evidence iobtained iindirectly. i
 Examination iof ioriginal idocuments iis igenerally imore ireliable ithan
i examination iof icopies. i
 Testimonial ievidence iobtained iunder iconditions iin iwhich ipersons imay
i speak ifreely iis igenerally imore ireliable ithan ievidence iobtained iunder
i circumstances iwhere ipersons imay ifeel iintimidated. i
 Testimonial ievidence iobtained ifrom ian iindividual iwho iis inot ibiased iand ihas
i direct iknowledge iabout ian iarea iis igenerally imore ireliable ithan ifrom
i someone iwho iis ibiased ior ihas iindirect ior ipartial iknowledge iof ian iarea.

24 | P a g e
  i Evidence iobtained ifrom ia iknowledgeable, icredible iand iunbiased ithird iparty
i is igenerally imore ireliable ithan ievidence ifrom isomeone iwho ihas ia idirect
i interest iin ithe iaudited ientity. i
 Evidence iis inot iconsidered isufficient iand iappropriate iwhen iusing ithe
i evidence icarries ian iunacceptably ihigh irisk ithat icould ilead ito ian iincorrect ior
i improper iconclusion. i

b.) iAudit iSampling i– iFrequently ia isampling iof iitems; ii.e. itransactions ior ifiles imust
i be iselected ifor itesting. iWhen isampling iis iused, ithe imethod iof iselection ithat iis
i appropriate iwill idepend ion iaudit iobjectives. iGenerally, ithe iselection ishould ibe
i designed ito ibe irepresentative iand irandom i(each iitem iin ithe ipopulation ihas ian
i equal ichance iof ibeing iselected.) iStratification i(selection iof iitems icontaining
i various icharacteristics) ishould ialso ibe iused iin ithe iselection. iThe isize iof ithe
i sample iselected ishould ibe idesigned ito iprovide iappropriate ireliability iof ithe
i condition iof ithe ipopulation, iusing ia igiven ilevel iof iconfidence. iThe isampling
i technique iused ias iwell ias ithe inature iof isamples ithat iare iused ito igather iaudit
i evidence ishould ibe iclearly idescribed iin ithe iscope. iSampling itechniques iavailable
i to ithe iauditor iare ithe ifollowing: i

 Statistical iSampling i– irequires iall isampling iunits iin ithe ipopulation ito ihave
i an iequal ichance iof ibeing iselected. iThe isample isize iis imathematically
i calculated ibased ion ia idesired iconfidence ilevel, idesired iprecision iand
i expected ierror irate. iThe isample iselection iis icomputed iusing ieither
i computer iprograms ior irandom inumber itables. i
 Judgmental iSampling i– iselection iis ibased ion iauditors’ isound iand iseasoned
i judgment. iSelections iare ibased ion ithe ivalue iof iitems, irelative irisk iand
i representativeness. i
 Random iSampling i(haphazard) i– iitems iare iselected iwithout iintentional ibias
i to iinclude ior iexclude icertain iitems iin ithe ipopulation. iWhile isample isizes iare
i predetermined, ithe iselection iof isampling iunits iis iselected iusing icomputer
i programs ior irandom inumber itables. i

25 | P a g e
 c.) iData iReliability i– iAudit istandards irequire idetermination ithat icomputer-
processed idata iis ireliable ienough ito ibe iused. iWhen ithe idata iis iintended ito ibe iused
i to isupport iengagement ifindings, iconclusions iand irecommendations, ireliability
i must ibe iassessed. iThis iwork iis irequired iwhether ithe idata iis iprovided ito ithe iauditor
i or ithe iauditor iextracts ithe idata. iInformation ican ibe iassessed iin ithe iform iof ireports
i or iinterviews iwith iindividuals iwho iare iknowledgeable iabout ithe idata iand ithe
i system. iThe iInformation iTechnology iAuditor imay ialso iassist iwith ithis iprocess. i

B2.10 iWorking iPapers i– iOrganization, iPurpose iand iFormat iAudit iStandards

i require ithat iInternal iAuditors imust idocument ipertinent iinformation ito isupport ithe
i audit iengagement iresults iand iconclusions. iThe iworkpaper ifile iis iprimarily ia irecord
i of ithe ievidential imaterial iprepared iand icollected iby ithe iauditor iin icarrying iout ithe
i plan ispecific ito ithe iaudit iundertaken. iIt iis ithe ibasis iupon iwhich ifindings irelevant ito
i the iaudit iare isupported. iEffective iOctober i1, i2020, iInternal iAudit itransitioned ifrom
i manual iworkpaper idocumentation ito ia isemi-electronic iform iof iworkpaper
i documentation. iWorkpapers iare idocumented iusing iAdobe iPro iand iare iihoused ion
i the idepartment’s isecured iG-drive.

Audit Report

The main objective of the audit report is to present the only acceptable means
of communicating the auditor’s entire task to management and key personnel
within the BOE. Nothing else produced by the auditor is probably seen by anyone
outside the Internal Audit Department and therefore, the audit report must
concisely report the total significance of the audit effort. A well-managed audit
report is important to maintain a reputation for reliability and to provide a high
level of confidence by management in the findings.

The report must be appropriate, clear and concise. Although there are subjects
that may require detailed explanations, every effort must be made to organize the
facts and provide meaningful conclusions in the fewest possible words without
diluting the significance of the report. The report must be clear enough so that
the independent of the audit can understand it. The audit report must also be

26 | P a g e
 accurate. Every statement, figure, or reference must be based on evidence
documented in the work papers. Moreover, auditors must use acceptable
grammar, sentence structure and context. The audit report must also be written
and presented in a neutral tone. The wording selection must be calm, objective,
thoughtful and dispassionate. Wording with negative connotations must be
avoided.

The use of individuals’ names, and other specific identifying information must be
avoided within the context of the report. However, this information may be
presented in the addendum.

Audit reports must also be prepared soon after the exit conference has
been conducted. The result of the report will be weakened if it is not
received promptly. Promptness must not conflict with adequate preparation, they
are both important. Properly written audit findings facilitate extraction of
information most probably for the audit report.

B3.1 Audit Report Organization – the audit report package has two
main elements, namely; transmittal memorandum and the auditor’s report
described below. An addendum must also be attached naming
individuals referenced in the audit report.

a.) The Transmittal Memorandum is a cover letter addressed to accountable

management personnel informing them that the audit was done and completed.
The memo must be addressed to the Director of the area audited and the
Executive level staff person, as well as that staff person’s Director. Organization
audits are typically addressed to the respective Instructional Director, it is
addressed from the Director of Internal Audit. The body of the memo must
contain the name of the audited entity as well as the scope of activities audited.
Moreover, it must indicate as to whether deficiencies were noted and request
a response to the audit in the form of a Management Action Plan. Mostly,
organizations audits require a response/action plan be submitted within 30 days
of the date of the memorandum. Also, other audits may require a 15 day

27 | P a g e
 response most especially when missing funds are identified. The memo must
include the date that it was prepared. CEO must be copied on the memo and
other staff may also be copied but depending on the nature of the audit.

b.) The Audit Report – must provide a thorough explanation of the

work completed, each report must contain a summary/background, objective,
scope, findings and recommendations, and opinion.

• Summary/Background – must contain accurate information to provide the

reader with an adequate understanding of the audited activity and objective of
the audit. There must be relevant explanatory information about the activities
reviewed. This section must be kept brief, clear and complete.

• Audit Objective – it mainly states what the report is to accomplish. It often

involves determining the audit subject and the aspect of performance involved.
All audit objectives documented in the audit plan must be specifically stated
here.

• Audit Scope – this section must contain a description of the auditor’s

examination and the time period covered by the audit. It must include calendar
dates of the period audited, descriptions of samples and methods used for audit
testing and other specific information that is appropriate. A brief description of
any exclusion must also be included to prevent any misunderstanding on the
reader’s part.

• Findings and Recommendations – this section present the details of findings

included on the audit finding sheets. Well-developed findings must have the
condition, criteria, cause, effect and recommendation. Another section
addressing the status of deficiencies noted in prior audits must also be included
as audit follow-up.

• Opinion – provides a statement of conclusion particularly on the subject matter

audited. It usually contain some statement as to whether internal controls require
strengthening based on audit results.

28 | P a g e
 B3.2 Audit Report Review – Following the initial supervisory review of the audit
presentation and work papers, a second independent review must probably be
done prior to distribution. At a minimum this review must consist of determining
as to whether the reviewer can gain an understanding of the audit results. Also,
the reviewer must determine that the memorandum is properly addressed, the
report is grammatically correct, meets standards and the report is mathematically
correct. This review is normally done by the Internal Audit Director prior to issuing
the report.

B3.3 Audit Report Filing – A “file copy” of the report must be organized
and filed with the associated work papers within the “Audit Work papers”
folder on the G-share. A second “Chron copy” (hard copy) must be
filed chronologically in a separate folder.

B3.4 Audit Report Numbering –Reports for audits that are not organizations
activity funds are assigned numbers by the Audit Director. Report numbers
are assigned by year, type and number: For example, R16-001 or S16-001.
The R identifies an audit engagement included on our audit plan or “regular” and
the “S” indicates “special” audits which are probably not a part of our
regularly scheduled audits as indicated on the plan, but requested due
to fraudulent activity, a specific concern. The number “001” indicates that the first
audit for the year and subsequent audits will be numbered consecutively.

B3.5 Audit Report Referencing – Audit findings and recommendations

which probably the core of the audit report are adequately supported, referenced
and signed by the auditor. These findings are presented in a separate section of
the audit work papers.

B3.6 Management Response – Written responses to audit reports normally due

within 15 – 30 days depending on the type of audit. The audit response in the
form of an action plan is due within 30 days of the date on the audit report
memorandum for organization activity fund audits. An acceptable response must

29 | P a g e
 provide a specific corrective action that will be taken to address each audit
finding and recommendation in the report.

The response must also clearly state agreement or disagreement with the
finding being addressed. The response must be prepared most probably by the
person to whom the audit report memorandum was addressed and must also
contain their original signature. The response is required to be recorded on the
audit response template and provided to the Business Analyst in Microsoft Word
within the prescribed timeframe. Also, the signed action plan may be submitted
electronically in a pdf format.

But if the response provided by management is not adequate, Internal

Audit will provide an audit clarification. At this point, no additional response
is required from management.

B3.7 Internal Audit Report Tracking - Audit reports that are issued are
recorded on an Internal Audit tracking document. The objective of this system is
to monitor management responses and determine whether they have been
returned timely and that each finding was properly addressed. Executive level
staff must be notified when audit responses are not received.

SECTION C - AUDIT PROCEDURES AND OTHER TECHNIQUES FOR

SPECIAL INVESTIGATION AUDITS

C1. Introduction

The Internal Audit Department is responsible specifically in conducting all

investigations arising from notification, either by an employee, CEO or
other interested individuals of a suspected irregularity or misappropriation.
An investigation is not so typical purpose type of audit. Special Investigation
audits include TONKS Hotline Investigations. Audit procedures must be
conducted with applicable standards set forth by professional associations
representing internal auditors such as the Institute of Internal Auditors (IIA) and

30 | P a g e
 Association for Certified Fraud Examiners. Auditors must also be mindful of
Generally Accepted Government Auditing Standards.

C2. Application of Investigation Standards

Investigation standards shall apply with the following circumstances:

• The main purpose is to gather, develop, examine and/or evaluate evidence to

determine if there has been an improper act committed, and

• Allegations of an improper act which carry with them the probability of

legal action, as to whether in the form of hearings, litigation or criminal
proceedings. Any illegal costs may basically be referred to the Maryland States
Attorney’s Office for further review or prosecution.

C3. Identification of Circumstances Requiring Special Investigations

Matters related to fraud that are governed by applicable audit standards; IIA or
GAGAS, include the following:

• An examination for the purpose of improvement of controls within an allegation

of an improper act,

• Auditing for fraud in the absence of an allegation, or reasonable suspicion,

and (Student Activity Fund and Operational audits must include steps to help
assess and identify fraud)

• Enhancing fraud prevention or detection programs. While the specific reason

for initiating an investigation will vary, there must be an adequate evidence for
suspecting a possible improper act. Matters referred to Internal Audit for
investigations that do not have an adequate evidence for suspecting a possible
improper act may be appropriately reviewed as an advisory service to
management. When these matters result from the exercise of management

31 | P a g e
 judgment, they are rarely susceptible to investigation and most probably not
appropriate for review as a Special Investigation audit. There are some example
of these matters may be “fairness” of compensation, adequacy of supervision,
co-worker relationships, etc. Activities that will typically be classified as Special
Investigations include but are not limited to the following:

• Frauds/Embezzlement – mainly involves missing or stolen cash receipts,

cash larceny, cash swapping, kickbacks, bribery, etc.

• Improper Use of TONKS Resources – unauthorized and/or

inappropriate purchases using TONKS resources, falsely claiming entitlement to
an undue benefit, unauthorized and/or inappropriate use of TONKS name, logo,
tax identification or exempt status and/or inappropriate use of TONKS specifically
owned vehicles, computers, or other assets

• Payroll Time/Charge Abuse – involves receipt of pay for time not worked,
employee receipt of payroll fringe benefits for themselves or someone falsely
reported as a relative, non-recording of vacation and sick-time used;
ghost employees, etc.

• Misappropriation of Assets – mainly deals with misappropriation of equipment

inventory, supply inventory, computers, or laptops

• Fraudulent Disbursement of Cash – involves fraudulent disbursement of

expense and travel reimbursements, fictitious refunds, billing schemes,
or establishment of outside fictitious vendors or companies.

C4. Audit Techniques for Special Investigative Audits

Policies and procedures that are applicable to the performance of audit

techniques used to conduct Special Investigative (SI) Audits is different from
Organization Activity Fund (OAF) and Operational Audits. There are some of the
techniques performed routinely for SAF and operational audits, but excluded for
SI audits include but are not limited to the following:

32 | P a g e
 • 4.1 Planning Budget - A planning budget as described in B2.3 is not typically
done for special investigation audits. There is normally minimal
advance notification of the need to perform SI audits. Moreover, there is a
requirement for reporting of audit results as promptly as possible. This makes it
not prudent to provide a planning budget as required of more routine audits
that are included on the audit planning schedule.

• 4.2 Entrance Letter – Special Investigation audits are not preceded by issuance
of an Entrance Letter as presented in B.24. Due to the necessity for maintaining
confidentiality and audit timing, this process must not be conducted.

• 4.3 Entrance Conference – An Entrance Conference as described in B2.6

is typically not conducted for SI audits for purposes mainly on
maintaining confidentiality. Depending on the nature of the situation
investigated, staff with a “need to know” may be alerted most especially in cases
involving safety and security.

• 4.4 Audit Program – An Audit Program will surely not be developed

containing the audit steps to be conducted during the investigation as described
in B2.8. Most SI audits are not routine engagements. Audit timing and necessity
to maintain confidentiality over audit processes performed to finish the
investigation make it not prudent to perform this procedure for SI audits.

• 4.5 Exit Conference – An Exit Conference as presented in B2.12 may not be

conducted for SI audits. Due to the nature of the results of the investigation, only
those determined to have a “need to know” may be informed once the
investigation report is totally completed. Usually communication of results will
only be in the form of the investigation presentation.

• 4.6 Audit Report – An audit report as explained in B3 is not always done for
every special investigation conducted. The format for communication of results
mostly varies on the circumstances. A SI report addressed only to those

33 | P a g e
 appointed by the Audit Director to have a “need to know” is done for hotline
allegations that are deemed to be credible.

C5. TONKS Compliance Hotline

TONKS has implemented a Compliance Hotline program that has a toll-free

phone number to a third party contractor that can be utilized for anonymous calls
from employees or others when they probably believe that a
fraud, misappropriation or similar workplace incident has occurred. TONKS is
currently using Global Compliance as the contractor for the hotline services. The
phone number to call in a report is 1-866-646-2512. Confidential reports may
also be made online through a web link on the TONKS website.

https://TONKS.alertline.com/gcs/welcome. Employees and others who call

the hotline may select to remain anonymous. If anonymity is requested, no
attempt will be made to recognize the caller. Information given must be treated
as confidential and privileged to the extent permitted by applicable law.

Hotline Investigations must be considered in a confidential manner. Reports

and correspondence will only be distributed to the Investigator, CEO or BOE
when authorization of the Director of Internal Audit. The Director of Internal Audit
and Investigative Auditor are accountable for ensuring confidentiality over
hotline documents to maintain the integrity of the hotline program.

The hotline vendor interviewer has the following responsibilities when answering
a call:

• Information that are provided is confidential.

• TONKS has a bylaw that will protect employees from retaliation for disclosing
what the employee believes evidences certain unlawful, wasteful, or hazardous
practices.

34 | P a g e
 • Caller may leave name and number just in case there are additional information
is needed. If caller wants to remain anonymous, an identification number will
automatically be provided at the end of the interview.

• Ask caller to give as much detail as possible to explain the activity that
is taking place including department/subject involved; description of activity;
dates, times and places; identification of corroborating evidence and names of
possible credible witnesses.

• Assign a number (sequentially) to each caller and provide that specific

number to them. Ask caller to call back within 10 business days just in case the
Internal Audit needs additional information after the preliminary investigation. Ask
caller if they would like a report on the results of the investigation.

The hotline investigator has the listed responsibilities once they are notified of the
hotline call:

● Record immediately the call on the hotline database

● Discuss the hotline information received with the Director of Internal Audit

● Perform proper investigation, if warranted

● Provide specifically periodic reports to the BOE

● Issue letter or report once investigation is completed

● Follow-up on completion of any needed remedial actions

● File investigation documentation accordingly, in a locked file drawer in the

Investigative Auditor’s office.

C6. Evidence Gathering

The following guidelines must be followed for conducting investigations:

a.) Working Papers – Special investigation work papers must follow

the standards that require documentation of relevant information to support

35 | P a g e
 the conclusions and audit engagement results. Care must be taken to
gather evidence so as not to compromise its admissibility as evidence and
with consideration for the potential of its use in a legal action, whether in the
form of hearings, litigation or criminal proceedings. Often in the case of
a deposition or trial, the auditor that gathered the evidence is
personally accountable for giving testimony as to the means and authority for
gathering the evidence. There are specific documentation commonly found in
work paper files will not be present for special investigation audits.

b.) Interviews – Interviews are conducted for the purpose of getting

information pertinent to the investigation. Two Internal Audit staff members must
be present in all interviews of material witnesses and there must be
a documented record of the interview. Interview documentation must include the
substance of the interview, names of the interviewer and interviewee, the time
and date of the interview.

c.) Witness Statements – Statements prepared by witnesses must be signed

in such a way to acknowledge authorship. Written statements must be
prepared in ink or typewritten. All statements must be maintained on file as
prepared and must not be altered in any possible way.

d.) Investigation Audit Work paper Reviews – Investigation Audit work papers
will be checked in the same manner as noted in Section B2.13. All work
papers will be reviewed by the Audit Director or Supervisory staff to make sure
that there is sufficient evidence to support conclusions and to justify the
objectives of the Investigation.

Involvement of Outside Agencies – If it appears that a crime may have been

committed, Security Services, the Office of General Counsel and law
enforcement officials may be consulted to identify appropriate action regarding
the investigation and legal proceedings. Investigative Auditors may lend
assistance to the extent their expertise is needed specifically in the analysis of
accounting records. Matters regarding suspected of abuse are reported to

36 | P a g e
 Security Services, Office of General Counsel and Child Protective Services for
investigation and follow-up.

C7. Investigation Audit Reporting

A Special Investigation Audit Report is prepared whenever it is identified that

a loss has been sustained or a important weakness in internal control is
identified. A report will only be done for TONKS Hotline calls when the
allegations are deemed as potentially reliable by the Director of Internal Audit.
The Audit Report will address the allegations, findings and recommendations for
further corrective action. Special Investigation audits must include elements
such as the following:

• Background – a statement as to how allegations were reported to IA

• Objectives – a statement as to what the investigation intended to accomplish.

• Investigative activities – it mainly provides the scope of investigation

• Key Determinations – a statement of facts which are gathered relative to

allegations made

• Conclusion – a statement as to whether allegations could be substantiated

based on key determinations

• Recommendations – a proposed action to be taken by management as a

result of the investigation

37 | P a g e
 SECTION D: AUDIT PROCEDURES AND TECHNIQUES FOR
INFORMATION TECHNOLOGY AUDITS

D1. Introduction

Information Technology (IT) audits are performed by the IT Auditor which is

under the direction of the Internal Audit Director. Most of these audits are those
that are included in the annual audit plan. IT audits address a variety of
confidential matters which includes the audits of organizations for the main
purpose of determining the adequacy of IT systems controls, assessing the
degree of accomplishment of financial and IT objectives, for the compliance with
accounting, auditing and TONKS established policies and procedures, etc. These
audits are mainly conducted in accordance with applicable standards set forth by
professional associations representing internal auditors such as the Institute of
Internal Auditors (IIA), and the Information Systems Audit and Control
Association (ISACA). The auditor must also be mindful of Generally Accepted
Government Auditing Standards.

D2. Identification of Audit Areas

Selection of planned specific IT Audit coverage will be evaluated and

determined based on the annual risk assessment process as presented in
section B1. This assessment encompasses that includes IT audits for areas
determined to be high risk based upon the same criteria and weighting used in
identifying operational audits to be audited. There are consideration which will be
given to TONKS financial and operational technology components related to
administration, inter/intranet, and regulatory risks. Audits of IT processes may
also be conducted as a portion of a special investigative or operational audit.

D3. Auditing Procedures

Generally, IT audits will be conducted using the same procedures described in

Section B2. In most instances supervisory review of these audits will be
conducted by the Internal Audit Director.

38 | P a g e
 D4. Audit Reports

Guidance for preparing IT audit reports may be located in Section B3. Reporting
on IT operations may also be encompassed within an audit presentation instead
of separated when the IT auditor has only reviewed a related component for an
operational or investigative audit.

39 | P a g e
 ATTACHMENT 1

TONKS PUBLIC ORGANIZATIONS

Board of Director

Upper Marlboro, Maryland

BOARD OF DIRECTOR POLICY

INTERNAL BOARD OPERATIONS
Office of Internal Audit
Policy No. 8373

Purpose

The Board of Director of TONKS has established the Office of Internal Audit as
an independent office that reports directly to the Board. The primary objective of
the Office of Internal Audit is to assist the Board of Director in effectively
discharging its duties and responsibilities for oversight of the management of the
(TONKS). To accomplish this objective, the Office of Internal Audit shall complete
audits of TONKS and furnish the Board of Director with analyses,
recommendations, counsel, and information concerning the activities audited or
reviewed. The Office of Internal Audit shall also facilitate and support any audit
processes and assist external auditors to the extent required by the Board of
Director and/or federal, state or local authorities. In addition, the Office of Internal
Audit may conduct special audits requested by the Board of Director and/or the
Chief Executive Officer, as authorized by the Board of Director.

Organization

A. The authority and responsibilities of the Office of Internal Audit shall be

established by the Board of Director. The Director of Internal Audit reports
directly to the Board of Director and has access to the Board Chair, Board Vice-
Chair and the Chief Executive Officer. To ensure independence and objectivity,

40 | P a g e
 Board approval is required for the hiring, removal or replacement of the Director
of Internal Audit. The Board of Director shall be responsible for annually
evaluating the Director of Internal Audit. All employees in the Office of Internal
Audit are responsible for assisting and acting in a confidential capacity to the
Board of Director and the Chief Executive Officer.

B. The Office of Internal Audit shall have the following authority:

1. Complete access to all TONKS Organizations, records, including personnel

records, documents and files in any form;

2. Authority to request assistance and receive full cooperation from appropriate

TONKS personnel in obtaining the information listed in Item 1 above;

3. Authority to interview TONKS staff and employees to obtain information

pursuant to audit investigations; and

4. Access and inspection rights to all TONKS assets, property and facilities
owned, leased or borrowed by TONKS and the authority to request assistance
from appropriate TONKS personnel in locating assets, property and facilities.

C. The Office of Internal Audit shall maintain its independence and objectivity at
all times and avoid conflicts of interest. In performance of duties, no staff member
of the Office of Internal Audit shall have any direct responsibility or authority over
any of the activities audited. The Office of Internal Audit shall not draft or
implement procedures, prepare records, or engage in any other activity that it
would normally review and evaluate, which could be construed as compromising
its independence and objectivity. However, such objectivity shall not be
considered as compromised when the Office of Internal Audit recommends
standards for internal controls, recommendations to modify or change existing
policies, administrative procedures, labor agreement provisions, and/or practices
and procedures.

Scope of Work

41 | P a g e
 A. The Office of Internal Audit shall evaluate the reliability and integrity of
financial and operational information and the means used to identify, measure,
classify, and report such information.

B. The Office of Internal Audit shall determine proper compliance by TONKS staff
with Board Policies, Administrative Procedures, applicable laws and regulations,
and grant(s) requirements, where failure to comply would have significant impact
on TONKS.

C. The Office of Internal Audit may evaluate the security and accountability over
TONKS assets and resources, and as appropriate, verify the existence of such
assets and resources.

D. The Office of Internal Audit shall recommend improvements to TONKS

operations, programs, activities, and information systems to improve
management, economy and efficiency in operations.

E. The Office of Internal Audit shall conduct special reviews and investigations as
directed by the Board of Director and may seek assistance from legal counsel as
designated by the Board.

F. The Office of Internal Audit shall conduct investigations of reported fraud,

waste and abuse in response to complaints received via the hotline and other
methods of communication.

G. The Office of Internal Audit shall provide support to the Board of Director. This
support includes analysis of Board Office appropriations, assistance with review
during the annual budget development process, and other pertinent requests
from the Board Chair.

Reporting

A. The Office of Internal Audit shall prepare draft audit reports and provide to
appropriate TONKS management following the conclusion of each
operational audit. Management shall be required to respond to the findings

42 | P a g e
 and recommendations included in the draft audit report within 15 to 30
business days as determined by the Director of Internal Audit. The response
should include actions management intends to implement to properly address
each audit finding and recommendation, along with a time table to complete
such actions. A final audit report shall be prepared and issued by the Director
of Internal Audit that will address management’s responses. Internal Audit will
inform Executive staff and the Chief Executive Officer when management
does not provide a response.

Copies of the final audit report shall be provided to the Board of Director, Chief
Executive Officer, and Executive and management staff as appropriate. Student
activity fund reports issued with management responses attached are considered
final reports.

The Office of Internal Audit shall conduct follow-up audits to ensure that
management implements corrective actions.

B. The Office of Internal Audit shall provide an annual summary report of

significant audit findings and recommendations for each Organization year on or
by September 30. The report shall also include the audit plan for the subsequent
Organization year. The Office of Internal Audit also provides quarterly reports of
its activities to the Board of Director.

C. Beginning Organization Year 2020/2021, Internal Audit shall be audited by an

independent external audit and thereafter shall be audited every three (3) years.

Policy Adopted

9/18/20

43 | P a g e
 ATTACHMENT 2

44 | P a g e
 ATTACHMENT 3

45 | P a g e
 ATTACHMENT 4

46 | P a g e