WORKPAPER DOCUMENTATION

DEFINING THE NECESSARY AND NATURE OF AUDIT WORKPAPERS

Workpapers are the direct end product of the internal audit staffs work and effort. The workpapers demonstrate what was done what was found and what was confirmed. Elected officials, news media and the public in many instances only see, or rather ask to see the end product of the internal audit effort - the three or four paragraph report. The workpapers are usually e er e!amined, and the effort is usually ne er e er sees the light of day. That is until the documentation comes into "uestion either by the commissioners court by the district attorney and# or by a court of re iew or in"uiry. Internal audit wor !a!er" !ro#ide #ariou" le#el" o$ u"e$ulne""% $. %uring the audit ade"uately prepared workpapers pro ide 1. &uidance as to the ob'ecti e of the e!amination (. &uidance as to the se"uence of steps and de elopment of assurance ). %ocumentation that the office being e aluated has conformed to statutory re"uirements *. %ocumentation that accounting policies and procedures are being conform with, and +. %ocumentation that the county auditors office has performed the duties of the office as re"uired by e!isting state statutes. ,. $fter the audit is completed the workpapers pro ide 1. E idence that support the findings as reported (. E idence that the internal audit was performed following established and accepted methodology ). E idence concerning the need to conform to the state statutes *. E idence which can be relied on by the e!ternal auditors, and +. -n the e ent the auditee finds himself or herself in court trying to defend the findings, the workpapers pro ide an e!cellent defense and support for the reports findings. .rofessional internal auditing standards ha e o er the years established some basic guidelines and re"uirements concerning the preparation and maintenance of ade"uate workpapers. There is currently no re"uirement in the state statues that indicates, /0ou shall create and maintain workpapers to support audit findings.1 2owe er, there are recogni3ed professional standards that say that the "uantity, form and content of workpapers may ary with the circumstances, but the workpapers should be sufficient to show that4 1. There was an ob'ecti e to the internal re iew (. That the re iew performed achie ed the ob'ecti e ). That applicable standards of field work were obser ed *. That records re iewed agreed with, or could be reconciled to financial information as reported +. That planning and super ision appeared to be ade"uate 5. That there was sufficient understanding of the internal control structure, and
(

6. That the audit e idence obtained and the testing performed pro ided sufficient, competent and e idential matter to support the final report.

Each county auditors office is going to establish specific workpaper policies related to the type of engagement that is to undertaken. -n many instances these policies are erbal and passed down from auditor to auditor. Thus, the process follows the old a!iom of /that is the way we ha e always done it.1 2owe er, if an office is going to introduce some form of "uality control in full filling its statutory responsibility, then the workpaper policy should be reduced to writing. $ written policy sets the re"uirement for written internal re iew programs, which then allow" t&e auditor to e'a(ine t&e nature) e'tent and ti(in* o$ t&e wor to +e !er$or(ed . -n many instances ha ing a checklist that the auditor can follow will pro ide some assurance that the process is followed consistently with each office. T&i" !re"entation $o,u"e" on t&e internal auditor $un,tion in a ,ount- auditor." o$$i,e/ $ll county auditor offices need to be cogni3ant of the fact that all federal grants re"uire elaborate workpaper documentation. $ccounting records are not sufficient in many instances. T&e nature o$ wor !a!er" !ro#ide% 1. %ocumentation that departmental procedures were followed tests were performed information was obtained, and that a conclusion was de eloped (. The foundation for the auditors opinion related to the re iew ). 7oundation for how much importance should be attributed to the e idence accumulated *. E idence as to how problems and errors noted were corrected and or resol ed Workpapers and internal audit programs must be adaptable to the needs of the re iew being conducted. 8ot all offices function in the same manner. 8ot all offices are re"uired to follow the same set of statutory standards. 8ot all grants re"uire the same functionality to be present. $s a result audit programs need to fle!ible. The workpapers as prepared should tell who e er is doing the re iewing and#or e!amination a story. They should communicate what was done and document what was found. $ well prepared set of workpapers 9i.e. complete and accurate: will be able to stand on its own that is to say they dont anyone to e!plain them to re iewer or to the 'ury. Workpapers are anything that the auditor conducting the re iew deems to be necessary to enable him#her to render a statement regarding the financial and#or operational ob'ecti e that was being tested and re iewed. Workpapers might include, for e!ample4 $ program of work $n internal control e aluation $ checklist of re"uired steps $n analytical re iew for some function %irect confirmations ;opies of receipts ;omputer print outs

WORKPAPER CONTENT
8o two auditors will prepare workpapers using the same structure< howe er there are some general rules that go ernmental internal auditors can agree on. Workpapers consist of anything that the auditor retains and or creates to document that the re iew conducted met certain established re"uirements and de eloped support for the fact that federal guidelines, state statutes, budgetary constraints, financial accountability, and#or county policy was being complied with. .roperly designed workpapers can help to identify ade"uately performing control structure as well as inade"uately performing controls. .roperly designed workpapers can assist in e aluating the apparent risks that e!ist. .roperly designed workpapers can pro ide the support for the suggestions to impro e the offices internal control. Workpapers should4 1. .ro ide corroboration of the amounts appearing in financial reports and statements (. =ecord the re iew conducted, the tests performed that are re"uired for the particular engagement ). .ro ide information that would allow the re iewer to e aluate the 'ob performances of the personnel performing the re iew, and *. .ro ide a starting point for the subse"uent re iews to be performed. There are usually two types of workpaper files permanent and current. Per(anent files are files that contain information and matters that are important to each years audit. -nformation that isnt e!pected to change materially from year to year. E!amples would be location of the office, office policies, contractual agreements for ser ice, re"uired reports to be filed, statutory compliance check lists, copies of prior years reports, fi!ed asset responsibility, etc. Current files would constitute the workpapers the auditor prepares to support the conclusions for the report written. ;urrent files include the audit program, the internal control e aluation, tests performed, analytical schedules de eloped, bank and account reconciliations, copies of support documents, computer print outs, memorandums as to discussions held, confirmations, re iew of budgetary compliance, etc. E ery workpaper should contain as a minimum4 1. $ heading that clearly designates the name of the office, the county, a description of the contents of the workpaper and the date9s: of the period being re iewed (. $n indication as to who prepared the workpaper and the date of preparation ). -f the schedule was prepared by the office, the indication using /.,;1 indicates that the workpaper was /prepared by client1 *. The source where the information contained in the workpaper came from cash receipts ledger, court docket, disbursements 'ournal, payroll ledger, etc., and +. The nature and e!tent of the work performed should be indicated through narrati e description, symbols, tick marks or combination there of. 5. ;onclusions reached should be clearly stated and supported 6. That all doubts and or problems were resol ed >. -nde!ing and cross referencing
+

-f tick marks are used, they can sa e the auditor time and space and standard tick marks should be adopted, and a legend of those tick marks should be a ailable for the re iewer. Each tick mark should be clearly e!plained. Tick marks should be simple, distincti e and clear so that they can "uickly written by the preparer and easily discerned by the re iewer. ?ome tick marks commonly used are4 7ooted ;ross footed ;alculation checked $greed to @@@@@@@@@@@@ Traced to financial report Traced to @@@@@@@@@@@@ E!amined supporting documents E!amined cancelled check ?ee footnote A @@@@@@@@

$s a last issue, all workpapers should be inde!ed and cross-referenced where necessary. -nde!ing of work papers are going to ary from office to office. Bany prefer an $lpha se"uence, while others prefer a numerical. 2owe er, it is common to find both an alpha and numerical se"uence of inde!ing being used. The following is an e!ample of inde!ing4 Se,tion $ , ; % E 7 C = E F Se,tion Area =eports $dministration ;ommunication $udit .rogram .lanning $ssets -nternal ;ontrol ?earch for Dnrecorded Ciabilities =e enue $nalysis E!penditure $nalysis Gther#Biscellaneous

Se,tion Area General =eports 1( 1) 1* 1> $dministration (5 (> ;ommunication )( )* $udit .rogram ** .lanning $ssets 5( -nternal ;ontrol 6( 6) 6* 6+ 6> ?earch 7or Ciabilities >( >* >5 >> =e enue $nalysis 1*( 1** 1*> E!penditure $nalysis 16( 165 Gther#Biscellaneous issued.

Su+0e,t 1H 7inancial =eports E!penditure =eport Griginal ,udget ,udget $d'ustments Elements of %isclosure (H Engagement ;ontrol ;hecklists Bemos re4 Batters of ;oncern ;omm. ;ourt Binutes )H ;onfirmations ;ertifications *H Time ?heets +H 5H 7i!ed $ssets 6H =e enue ;ycle E!penditure ;ycle .urchasing ;ycle .ayroll ;ycle =isk $nalysis ;ommunications With %epart.

;ontrol %ocument .lanning Bemos ;ash ;ontrol En ironment

>H E!penditures Cease $nalysis .repaids Trust $ccounts ?earch 7or Dnrecorded Cib. 1*H ?ubstanti e Test of =eceipts ?ubstanti e Test of %ocket ?ubstanti e Test of =e enue =e iew of =ecei ables 16H E!penditure ?upport .ayroll $nalysis 1IH ,udgetary $nalysis

Gther

$s a general rule workpapers are not sub'ect to open records pur iew until the report is $s a general rule workpapers should be retained for a minimum of 6 years, and probably as long as 1H years.
6

DOCUMENTATION OF P1ANNING AND SUPER2ISION

The internal audit workpapers should demonstrate that the three generally accepted standards of fieldwork ha e been met !lannin* and "u!er#i"ion, internal ,ontrol e#aluation, and e#idential (atter. The first standard only suggests that there needs to be documentation that the work of the re iew was ade"uately planned and that super ision had been pro ided. To meet the criteria of being able to demonstrate ade"uate planning and super ision does not re"uire many specific workpaper re"uirements. ?ome of the more common and generally suggested are4 3/ Audit Pro*ra(" $n audit program is essentially a list of procedures to be followed and is usually in writing. They are generally di ided into logical segments as to the area of the re iews focus. The program allows the re iewer to be able to compare the le el of work re"uired to the le el of work done. ?ome programs are highly detailed, while some are ery general in nature and allow the auditor the ability to insert some fle!ibility. The program will usually re"uire the staff person performing the function to sign off on those re"uirements completed, and cross reference the program to the workpaper supporting the function. 4/ Preli(inar- Anal-ti,al Pro,edure" -t should always be a re"uirement that the auditor be re"uired to apply analytical procedures in planning the audit. $ basic premise in the application of analytical procedures is that plausible relationships among data may reasonably be e!pected to continue in the absence of known conditions to the contrary. .reliminary analytical procedures are intended to enhance the auditors understanding of the office being re iewed the offices transactions and e ents that ha e occurred since the last re iew. The analytical procedure process may alert the auditor to areas of risk that had not been present at the time of the last re iew. $nalytical procedures will look for unusual transactions and e ents e!amined ratios and trends in a narrati e or in the form of a worksheet. 5/ Ri" and Materialit$udit risk needs to be e aluated at the department le el at the county le el and at the auditors le el. =isk is the concept that the auditor, the department, the county will unknowingly fail to catch an error, a mistake, an irregularity that is material to financial reports or the management of the department. Workpapers will often include documentation that the auditor considered the influence of audit risk in the application of procedures. The auditor will generally plan the greater portion of labor hours to be concentrated on those departments that present the greatest risk, and in those departments the areas that present the highest potential risk. Those areas of highest risk should always be documented and the auditors response to them. The audit strategy to address the risk should be clearly stated.

>

,efore addressing risk assessment the internal auditor should indicate how (aterialit- is going to be addressed. Bateriality should be considered and addressed during the planning of the re iew to determine the nature, timing and e!tent of tests to be performed. -n addressing the scope of the re iew the le el of e ents should be reduced to a le el which would pro ide the re iewer with a low risk of o er looking an element or a happen stance that would dramatically effect the financial or management re iew that is being conducted. ?etting a le el of materiality insures that the auditor will do enough work to find misstatements. T&ere i" no aut&oritati#e rule o$ t&u(+ or (ea"ure o$ (aterialit- 6 (aterialit- i" "tri,tl- +a"ed on !ro$e""ional 0ud*(ent. =isk assessment should be performed on each office indi idually and attributes should be classified as either inherent risks or control risks. ?teps to be taken could be broken down as follows4 GENERA1 RISK ASSESSMENT STEPS %E7-8E T2E $D%-T D8-JE=?E ;2GG?E 2GW TG %E7-8E =-?K ;2GG?E $ ;G8T=GC G= =-?K BG%EC $??E?? -82E=E8T $8% ;G8T=GC =-?K TG %ETE=B-8E JDC8E=$,-C-T0 $??E?? T2E $D%-T$,-C-T0 G7 2-&2 JDC8E=$,-C-T0 $=E$?

DEFINE THE AUDIT UNI2ERSE %E7-8E T2E B$88E= -8 W2-;2 T2E D8-JE=?E -? TG ,E %E7-8E% T2E BG=E ;GBBG8 BET2G%? D?E% ,0 -8TE=8$C $D%-TG=? 7G= %E7-8-8& T2E D8-JE=?E $=E4 1. .=G&=$B? (. ?T=$TE&-E? ). ;G8T=GC ?0?TEB? GENERA1 TYPES OF INTERNA1 AUDITS TO 7E CONDUCTED 1. (. ). *. +. 7DCC .=G&=$B $D%-T? ;G8T=GC ?0?TEB $D%-T? -8JE?T-&$T-JE $D%-T? .E=7G=B$8;E EJ$CD$T-G8? LD-;K =E?.G8?E $D%-T?

PRIMARY AUDIT FOCUS 1. (. ). ;GB.C-$8;E $?.E;T? =EC-$,-C-T0 G7 %$T$ ?$7E &D$=%-8& G7 $??ET?

SE1ECTION OF AN AUDIT O78ECTI2E 9RANK) RISK : AUDITA7I1ITY; 1. JDC8E=$,-C-T0 9The Bission Bay 8ot ,e $ccomplished: (. -82E=E8T =-?K 9The 8ature and#or The ;ulture Gf The $udit Gb'ecti e 2as =isks Without ;ontrols: ). ;G8T=GC =-?K? 9.robability That The -nherent =isks Will ,ecome $ =eality4 .robability That ;ontrols $re .ut -n .lace $nd Will 8ot $ccomplish The Bission: *. $D%-T$,-C-T0 9?kills, Time, and E idence: INTERNA1 AUDITING < 7ASIC RISK FACTORS 1. (. ). *. +. 5. 6. >. I. 1H. 11. 1(. 1). 1*. ET2-;$C ;C-B$TE .=E??D=E G8 B$8$&EBE8T .E=?G88EC -8TE&=-T0, ;GB.ETE8;E 8DB,E= G7 .E=?G88EC 8DB,E= G7 T=$8?$;T-G8? ?-FE G7 T2E $??ET? ;GB.CEE-T0#JGC$T-C-T0 G7 $;T-J-T-E? ?T$TDTG=0 =E&DC$T-G8? CEJEC G7 ;GB.DTE=-F$T-G8 &EG&=$.-;$C CG;$T-G8 $%ELD$;0 G7 -8TE=8$C ;G8T=GC? B$8$&EBE8T ;DCTD=E $;;E.T$8;E G7 $D%-T 7-8%-8&? M ;G==E;T-JE $;T-G8 T$KE8 T-BE C$.?E ?-8;E C$?T $D%-T

KEY ACCOUNTA7I1ITY CONTRO1 SYSTEMS De!art(ental and A""e""(ent Mana*e(ent Poli,- Mana*e(ent Per$or(an,e Mana*e(ent In$or(ation Mana*e(ent Re"our,e Mana*e(ent
1H

ACCOUNTA7I1ITY RISK FACTORS PO1ICY RISK < T2E =-?K T2$T $8 $;T-J-T0 W-CC 7$-C TG %EC-JE= EE.E;TE% =E?DCT? ,E;$D?E G7 D8?T$,CE G.E=$T-G8? %DE TG ;2$8&E? -8 B$8$&EBE8T, .E=?G88EC $8%#G= T2E E8J-=G8BE8T, G= =E?GD=;E? $=E 8GT E77-;-E8TC0 D?E% G= E77E;T-JEC0 ;G8T=GCCE%/ PERFORMANCE RISK < T2E =-?K T2$T $8 $;T-J-T0 W-CC 7$-C TG %EC-JE= EE.E;TE% =E?DCT? ,E;$D?E -T %GE? 8GT D?E .E=7=GB$8;E -87G=B$T-G8 E77E;T-JEC0 TG B$8$&E -T? G.E=$T-G8?/ INFROMATION RISK < T2E =-?K T2$T $8 $;T-J-T0 W-CC 7$-C TG BEET EE.E;TE% =E?DCT? ,E;$D?E B$8$&EBE8T -87G=B$T-G8 -? 8GT ;GBBD8-;$TE% G= D?E% E77E;T-JC0 ,0 %E;-?-G8 B$KE=? / RESOURCE MANAGEMENT RISK < T2E =-?K T2$T $8 $;T-J-T0 W-CC 7$-C TG $;2-EJE EE.E;TE% =E?DCT? G= W-CC 8GT E?T$,C-?2 $8 E8J-=G8BE8T T2$T .=GTE;T? $&$-8?T 7=$D% $8% 7-8$8;-$C %-?$?TE= ,E;$D?E =E?GD=;E? $=E 8GT B$8$&E% E77-;-E8TC0 $8% E77E;T-JEC0 W-T2-8 -T? G.E=$T-G8? G= W-T2-8 -T? ND=-?%-;T-G8/ CONTRO1 EN2IRONMENT RISK < T2E =-?K T2$T T2E -8TE&=-T0, ET2-;$C J$CDE?, $8% ;GB.ETE8;E G7 T2E .EG.CE %G 8GT C$0 $ ?GC-% 7GD8%$T-G8 TG $L;2-EJE EE.E;TE% =E?DCT? AUDITA7I1ITY IS DETERMINED 7Y% 1. (. ). *. +. 5. 6. T-BE 7=$BE -87G=B$T-G8 $J$-C$,-C-T0 G7 %G;DBE8T$T-G8 $D%-T ?K-CC? $D%-T E%D;$T-G8 $D%-T 2GD=? $D%-T BG=$CE

IN ORDER FOR THE RISK ASSESSMENT PROCESS TO 7E SUCCESSFU1) IT MUST% 1. -8JGCJE T2E %E.$=TBE8T ,E-8& $D%-TE% (. .=G%D;E ;=E%-,CE =E?DCT? T2$T $=E $;;E.TE% ,0 ,GT2 T2E $D%-TG=? $8% B$8$&EBE8T. ). ,E T-BEC0 ?G T2$T T2E $D%-T .=G;E?? -? 8GT 2EC% ,$;K W$-T-8& 7G= =E?DCT?. *. ,E ;G?T E77E;T-JE -8 T2$T T2E =E?DCT-8& -87G=B$T-G8 -? $T CE$?T $? J$CD$,CE $? T2E ;G?T TG G,T$-8 -T.

11

FI2E 7ASIC PHASES OF < P1ANNING AN AUDIT 1. (. ). *. &ather information ;onduct preliminary assessment %efine and refine the audit ob'ecti es %e elop the4 $udit scope $udit methodologies $udit fieldwork programs +. Estimate the audit budget and resources STEPS TO 7E TAKEN IN THE PRE1IMINARY ASSESSMENT 1. ?elect which of the accountability control systems and subsystems are rele ant to the audit 9within the initial audit scope:. (. $ssess which of the inherent risks and which of the control risks e!ist 9be sure to document risk assessment:. ). ?elect the accountability control subsystem for which audit ob'ecti es will be de eloped 9be sure and identify the rele ant performance aspects to be re iewed:. *. =eassess audit ability +. Dpdate risk and internal controls information 9update permanent files, prepare preliminary assessment document, and document audit ability:. DEFINE=REFINE < AUDIT O78ECTI2E -n speaking to the ob'ecti e for an internal audit, the /Yellow 7oo 1 9accounting and audit guidelines for federal grants: indicates that there needs to be a clear indication as to what the report related to the audit is to accomplish. 7urther, it is noted that the sub'ect of the audit needs to be clearly identified as well as the aspects of performance that are to be e!amined. Therefore4 THE AUDIT O78ECTI2E < ESTA71ISHES 7OUNDRIES FOR THE AUDIT 7Y C1EAR1Y STATING WHAT THE AUDIT IS TO ACCOMP1ISH/ IT IDENTIFIES THE SU78ECT OF THE AUDIT AND THE PERFORMANCE GOA1/ OPEN<ENDED O78ECTI2ES SHOU1D 7E RESTATED AS C1OSED<ENDED O78ECTI2ES/

1(

OPEN<ENDED O78ECTI2ES% -dentify the sub'ect< what is the audit to e!amine $re ague in defining what the audit is to accomplish C1OSED<ENDED O78ECTI2ES% $re answerable -dentify what the audit is to e!amine ;larify what the audit is to accomplish 3/ IDENTIFY THE PRIMARY REPORT USER9S;% What do they want to knowO When they recei e the information what are they going to doO 4/ UNDERSTAND THE SU78ECT) PRO71EM AND=OR CONCERN> The audit sub'ect is usually an organi3ation, a department, a program, a ser ice, an acti ity and#or a function, a management policy, and a performance issue/

5/ DECIDE WHAT PERFORMANCE ASPECTS ARE TO 7E INC1UDED IN THE AUDIT/ -s there management o ersightO -s there a desire for customer satisfactionO -s the payroll process efficientO $re goals being establishedO -s the legislati e intent being followedO ;an the accuracy of the acti ity be e aluatedO ?/ WHEN ISSUES ARE ESTA71ISHED) DETERMINE IF THE REASON FOR THE ISSUE IS DUE TO PROCESSING OF TRANSACTIONS OR THE ACCOMP1ISHMENT OF A GOA1/ 9Control ri" " "&ould +e ,learl- lin ed to t&e ri" " t&at e'i"t to t&e ,ount-/; @/ DECIDE WHAT E1EMENTS OF THE FINDINGS ARE TO 7E DE2E1OPED WHICH ARE 1INKED TO SU7<O78ECTI2ES/

1)

SU7<O78ECTI2ES Will address elements of the primary findings - will usually help to identify the nature of the data re"uired will tend to lead to ma'or audit steps. SU7<O78ECTI2ES Are de eloped as a series of "uestions addressing each finding element you decide to de elop. $ separate "uestion should be written for each finding element. EAAMP1ES OF SU7<O78ECTI2ES% 3/ CONDITIONED 7ASED O78ECTI2E% What is the a erage response time for a I11 call outO 4/ CRITERIA 7ASED O78ECTI2E% What was the unit cost to process a payroll check in 70 H)O 5/ EFFECT 7ASED O78ECTI2E% What is the difference between the legislati e intent and the departments goalsO ?/ CAUSE 7ASED O78ECTI2ES% What are the underlying factors that influence customer satisfaction with the ability of the department to deli er ser iceO

1*

DOCUMENTATION REGARDING INTERNA1 CONTRO1

The second standard of fieldwork that needs to be considered is that of internal control. The workpapers should ha e ade"uate documentation that the auditor had obtained a sufficient understanding of the e!isting internal control structure for the department being re iewed. The e!tent to which internal control is established in the department will impact the nature, timing and e!tent of the tests that will need to be performed. The workpapers should document4 1. The understanding of the offices internal control structure, and (. The auditors assessment of its effecti eness in detecting and#or pre enting material misstatements. ,asically the departments internal control system consists of the policies and procedures that ha e been established to pro ide reasonable assurance that those specific ob'ecti es will be achie ed. .olicies and procedures may be established through statutes, may be established by the commissioners court, may be established by the county auditor, and they may be created by the elected official and#or department head. 8ormally with a financial re iew the auditor will be concerned with those policies and procedures that are primarily concerned with the recording, processing, summari3ing, and reporting of financial, and the affect an error will ha e. The departments internal control consists of three elements4 1. The control en ironment (. The accounting system, and ). The control procedures Each of these components needs to be understood in order to plan the re iew that is to take place. T&e Control En#iron(ent 6 essentially reflects managements attitude, awareness and actions concerning the importance of control. The factors that the auditor will need to consider are4 1. (. ). *. +. Banagements philosophy 9the operating style used: The departments organi3ational structure The method of assigning authority and responsibility .ersonnel policies and practices Banagements control methods used for monitoring performance to include internal auditing 5. E!ternal influences that may impact the office, and 6. -nteraction with other offices in the county These factors ser e to make other control policies and procedures more effecti e. When management is found to ha e a positi e attitude towards controls and does not try to mitigate the effecti eness of policies and procedures or to o erride the controls, the re iewer finds that the nature, timing and e!tent of the re iew can be reduced.
1+

T&e A,,ountin* S-"te( consists of the methods and records which are used to identify, analy3e, classify, record and report the departments transactions and to maintain accountability for related assets and liabilities. The auditor needs to understand the accounting system in sufficient detail in order to understand4 1. The types of transactions that can occur within the department (. 2ow those transactions are initiated ). The accounting records, support documents, machine readable information, and specific accounts in the financial system in ol ed in the processing and reporting of the transaction *. The accounting process from the initiation of the transaction to the inclusion in the financial data +. 2ow the computer is used to process the data at each le el, and 5. The financial reporting process. T&e Control Pro,edure" consist of those policies and procedures, in addition to the control en ironment and the accounting system that management has established to pro ide reasonable assurance that its ob'ecti es will be achie ed. E!amples of control procedures are4 1. ?egregation of duties (. .roper authori3ation, and ). -ndependent checks and balances. The audit strategy is based on the re iewers understanding of the control procedures. -f control procedures are weak, then it doesnt make a lot of sense to waste time to test controls. 2owe er, if the auditor is able to test the control procedures and finds that they are strong and effecti e, then he#she may decide that the substanti e tests can be reduced. The understanding to be obtained is de eloped through in"uires of the department, re iew of the departments manuals and documents, and obser ation of the departments routines. The re iewer must ascertain reliable information that confirms that the policies and procedures, the control procedures are not 'ust in writing they are being practiced. This confirmation comes from4 1. -n"uires (. Gbser ations, and ). 2ands on monitoring of transactions. The understanding that the auditor comes to needs to be documented. The si3e and the comple!ity of the entity, as well as the nature of the departments internal control structure influence the form and the e!tent of this documentation. $ large department may ha e its own documentation of the internal control procedures that the auditor can copy and put in the workpapers. 7or smaller departments the auditor may de elop their understanding through the use of flow charts and#or "uestionnaires. 7or really small departments the auditor may 'ust use a memorandum for small offices with one or two employees it is real difficult to put into place effecti e internal controls. &enerally the more comple! the department, the more e!tensi e the internal control, and the more e!tensi e the auditors documentation.
15

The most commonly used methods of documentation are4 1. Me(orandu(" narrati e descriptions of the rele ant control structure. .olices and procedures. They are most useful when the matter being described is relati ely simple. They are less useful when the system becomes ery comple!. (. Flow,&art" are useful when there is a system of internal control or operational system that is ery comple!. $ flowchart is a graphic depiction of operations and decisions applied in the departments structure. 7lowcharts need not be elaborate their ad antage is that comple! matters can often be made easier to understand in a graphic presentation. ). Bue"tionnaire" or sometimes referred to, as checklists are programs that allow the auditor the ability to ask "uestions as to functionality and recei e responses from indi iduals. They are especially rele ant when the auditor wants to make sure that specific items or procedures ha e been focused on and all rele ant matters ha e been considered. This form of documentation lends itself to be summari3ed more easily than memorandums and flowcharts. There are two general types of "uestionnaires4 $. Gpened-Ended Luestionnaires ask general "uestions and let the auditor answer with whate er information is rele ant in the circumstances. ,. ;losed-End Luestionnaires ask "uestions that must be answered yes or no. ;. ;losed ended "uestionnaires are less fle!ible than open-ended "uestionnaires, but they are more comprehensi e. ;losed ended "uestionnaires are usually more useful with larger more comple! offices, while open-ended "uestionnaires are better applied to the smaller office. The auditors understanding of the control structure is re"uired to be documented, but the procedures to be used to obtain this understanding are not. Thus, the auditors procedures done to understand the design of the procedures done to see if the departments control structure and to see that the departments policies and procedures ha e been placed in operation need not be specifically described. E en so e en if the procedures to obtain the knowledge of the internal control are re"uired to documented, the auditor should document the procedures applied and the reasoning for the 'udgment process that was applied. $ny file memos as to the procedures followed or the documents e!amined should be dated and at least initialed by the indi idual making the statement. $ signed off audit program is a commonly used document which has a step by step program for the auditors to use and the cycle that is to be followed. A""e""in* Control Ri" $fter the auditor has obtained his understanding of the internal control structure, while he obtains it, it is not uncommon for the auditor to consider whether there are policies and procedures in place that would reduce the risk of material misstatement, and if there are, whether it would be efficient to test them - order to reduce the scope of substanti e tests.
16

-f the auditor decides that he#she wants to take ad antage of the e!isting internal control structure, i.e. e!isting policies and procedures, in an effort to reduce the amount of time re"uired to do substanti e testing then there must be apply tests of the controls to see if the policies or procedures 9that are to be relied on: are designed and operating effecti ely. The tests must be directed at determining whether the policy or procedure is suitably designed to pre ent or detect material misstatements and how effecti ely it is operating. Tests of controls are concerned with how a control structure policy or procedure was applied the consistency with which it was applied during the period under e!amination and by whom the control was applied. These tests include in"uires of appropriate personnel inspection of documents e!amination of reports obser ation of applications and, performance e aluations. -t should be remembered that tests of controls are undertaken only when the auditor belie es that by performing such tests that the substanti e testing can reduce the need for substanti e testing of the detailed documentation. Tests of controls are used in the hopes of being able to increase efficiency. Tests of controls are re"uired if there is going to be reliance placed on the underlying controls and procedures. The more that the auditor is able to depend on the departments internal control structure to pre ent or detect material misstatement, the less substanti e work that will be re"uired to be performed. Do,u(entin* T&e Control Ri" A""e""(ent When the auditor is able to conclude that he#she is able to reduce substanti e testing on the effecti eness of the control structure, there needs to be documentation of the basis for this decision in the workpapers. That is, in addition to the understanding of the control structure that is already documented, there needs to be documentation of the tests of the controls and their result that were performed. The form and the content of this documentation are going to ary from office to office and from department to department. ,ut, is some form the documentation should include4 1. $ written description of the tests performed (. The identity of the person performing the tests should be clear ). $n indication of the when the tests were performed and when they were completed *. $ description of the e idence that was e!amined 9a copy in the file for an e!ample would be useful to the reader: +. $n indication of the number of items that were tested 5. The source of the items selected and how these items were determined for selection, and 6. $ description of the e!ceptions noted and an e!planation as to their disposition. -t is always good to document the type of misstatement that the control policy or procedure can be depended on to pre ent and#or detect. -t is not uncommon for the auditor to make a statement in the workpapers whether the controls tested worked as e!pected and can be depended on. The more reliance the auditor can place on the control structure 9i.e. there is a low assessment of risk: the more e idence that should be documented to support the reliance.
1>

When the internal auditor is dealing with an office that only has two people in the office, then it is unlikely that the office will be able to effect ade"uate control measures that can be relied on. -f the auditor is not going to place reliance on the internal control measures, then there is not reason to test them. Thus, there is no dependence on the controls and#or procedures to pre ent and detect material misstatements. Wea ne""e" In Internal Control $ny weaknesses noted in the internal control structure should be clearly noted in the workpapers as re!orta+le ,ondition" and should be communicated to the department head and#or elected official, and should be reported in the letter of findings to the official. =eportable conditions are significant deficiencies in the design or operation of the internal control structure that could ad ersely affect the departments ability to record, process, summari3e, or report financial data consistent with accounting and financial procedures re"uired by state statutes and or county policy. The deficiencies might in ol e any of the three components of the control structure the control en ironment, accounting system, or the control procedures. -f the condition is reported orally to the department head and#or elected official then the initial con ersation should be well documented. The communication should always be followed up in writing. ;onditions that ha e been reported in prior years, and which ha e not been corrected, should be re-iterated until the department head and#or elected official has clearly acknowledged the risk and has stated reasons for not correcting. Banagements acknowledge is always critical. Thus, it is not an uncommon practice to allow the department head and#or elected official the opportunity to respond to the finding in the report.

1I

DOCUMENTING SU7STANTI2E TESTS

The internal auditor detects material misstatements in financial statements by applying substanti e tests. The tests are designed based on the auditors assessment of risk that material misstatements will occur and that the department will not catch the error. This is commonly referred to as inherent and control risks. The higher the risk of misstatement occurring undetected by the client, the more e idence the auditor will need to accumulate. The accumulation of e idence supporting the amounts in the financial statements is by far the most time consuming part of the audit and documentation of substanti e tests generally accounts for the bulk of the workpapers that are prepared. Thus, the third standard of fieldwork states4 Su$$i,ient ,o(!etent e#idential (atter i" to +e o+tained t&rou*& in"!e,tion) o+"er#ation) inCuire") and ,on$ir(ation to a$$ord a rea"ona+le +a"i" $or an o!inion re*ardin* t&e $inan,ial in$or(ation under e'a(ination. E idential matter is obtained through two general classes of auditing procedures that comprise substanti e tests4 1. Tests of detailed transactions, and (. $nalytical procedures ,ooks of original entry and other records maintained by the department such as ledgers, 'ournals, cost allocations, and reconciliations may in part support the monthly and#or "uarterly reports those records do not constitute what is considered e idential matter. %ocumentation must be collected that will corroborate the information shown in the abo e-mentioned documents. ;orroborating e idential mater includes4 1. (. ). *. +. 5. ;ancelled checks =eceipts -n oices ;ontracts -ndependent confirmations -nformation independently obtained or de eloped through in"uiry, obser ation, or inspection.

$uditors choose from a wide range of methods and techni"ues to test the alidity of accounting information and reports. ?ome of the more commonly used techni"ues are4 1. %ocumenting the process used to de elop the financial information, then testing the information entered into the process (. ;omparing the accounting data and information to data that is collected outside of the department, and ). ;omparing the accounting information to the auditors e!pectations, which ha e been deri ed through logical analysis.

(H

Co(!eten,e O$ E#idential Matter To be competent, e idential matter must be both relia+le and rele#ant. =eliability of e idential matter will always depend on the circumstances under which it is obtained. 2owe er, there are some generali3ations that are commonly held to be true 9but one must understand that there are e!ceptions to e ery rule:4 1. &reater assurance to the accuracy of information can be assigned to e idence that is obtained independently and outside of the department that is being e!amined. (. 7inancial information that is created within a department that has strong internal controls 9or in some cases 'ust satisfactory internal controls: pro ide more assurance as to accuracy than those produced in an en ironment with less than satisfactory conditions. ). %irect personal knowledge obtained by the auditor through physical e!amination, computation and inspection is more reliable than data obtained indirectly. The rele ance of e idential matter has to do with whether the information bears on the accounting or reporting data in "uestion. While the rele ance of e idential matter to a specific circumstance is generally clear, in some cases, particularly those in ol ing the estimated outcomes of future e ents, the auditor needs to particularly careful in considering whether the correct factors are considered in arri ing at the conclusion. Su$$i,ien,- o$ E#idential Matter Gnce the internal auditor has considered the e idential matter and has found it to be rele ant and reliable, he#she must then determine whether or not the data collected is sufficient that is there is enough data that will allow for a basis to be de eloped related to the finding and that the data will support the finding. $s a rule of thumb, the e idential matter must be sufficient to reduce to an acceptable low le el the risk that the internal auditor will fail to detect a material misstatement in the financial data and related reports. E idential matter may be de eloped through the use of substanti e testing. The sufficiency of e idential matter will depend on4 1. The nature of the elements under e!amination (. The relati e si3e of the population and the auditors 'udgment as to materiality ). The auditors assessment as to the inherent and control risks within the department i.e. risk of material misstatement, and *. The nature of the e idential matter obtained persuasi eness of the e idence collected and the risk that it may be interrupted incorrectly. The internal auditor has to always be cogni3ant of the economics and the timeliness of an internal audit. For a $indin* and a "olution to +e e,ono(i,all- u"e$ul) it (u"t +e de#elo!ed and rendered in a rea"ona+le len*t& o$ ti(e. There is a rational relationship between the cost of obtaining e idence and its usefulness. E idential matter that is to be collected has a cost to the ta!payers. That is not to say that the matter of difficulty and e!pense in ol ed in testing a particular attribute is not in and of itself a alid basis for omitting an otherwise necessary step in the internal audit function.

(1

T-!e" o$ Su+"tanti#e Te"t" There are two types of substanti e tests te"t" o$ detail" and anal-ti,al !ro,edure". %uring most internal audit procedures both types of testing are generally used. The internal auditor will choose the procedure based on4 1. (. ). *. Bateriality =isk of misstatement .roduction of persuasi e e idence ;omparati e efficiency

Te"t" o$ detail are audit procedures in which amounts that make up an account balance or class of transactions are compared to corroborating information. These tests are usually directed at balance sheet accounts and used to test the e!istence, ownership, and aluation of assets and the amount and responsibility for liabilities. Tests of details can be directed at both re enue and e!penditure accounts in an effort to document the classification accuracy of each. $ test of details will usually include one or more of the following4 1. (. ). *. +. 5. Jouching 9in oices, receipts, budgetary authori3ation, etc.: $ccount analysis =econciliations ;onfirmations Gbser ation, and =ecalculation

Anal-ti,al !ro,edure" are commonly referred to as substanti e tests of financial information consisting of obser ation and comparisons of relationships among data, such as fluctuations or trends noted in arious ratios, percentages, "uantities and dollars. ?ome commonly used analytical procedures include comparisons of financial information between4 1. (. ). *. +. 5. ;urrent period and prior period ;urrent period this year to same period in prior year9s: ;urrent period year to date and prior year to date ,udget and actual ?imilar departments =e enue and e!pense to produce the re enue

Anal-ti,al !ro,edure" lend themsel es to pro ide easy analysis of income and e!pense and de eloping techni"ues for insuring that e erything that should ha e been recorded was recorded. When applying analytical procedures the internal auditor should4 1. ;onsider the relationship between the data that is collected and the e!pected result (. ;ompare what is e!pected to that recorded and reported by the department ). Gbtain sufficient understanding of e ents that will help to e!plain any differences, and *. Gbtain supporting e idence to corroborate the e!planation.

((

-t is not uncommon for an internal auditor in a county to perform substanti e testing at periodic times during the year on any and all departments. The auditor needs to always consider the acti ity as pre iously tested in relationship to the acti ity currently being tested. -n addition the auditor should include in their normal set of procedures the following4 1. (. ). *. ;omparati e re iew of data from test period to test period -nsuring that the general ledger and the subsidiary ledger agree $lways tracing entries to their source, and $scertaining that all recommended ad'ustments ha e been made.

?ome elements to remember about substanti e testing4 1. ?ubstanti e testing can be reduced and may be eliminated. (. ?ubstanti e testing and the test of controls may be combined into one function. ). ?ubstanti e testing is not 'ust number crunching they include4 ;onfirming accounts recei able =e iewing commissioners courts minutes -n estigating fluctuations in account balances Testing support for uncollected accounts Gbser ing physical in entory ;omputing debt re"uirements from original documents *. Jouching should include the re iew of cancelled checks, contracts, purchase orders +. $ccount analysis is the systematic detailing of the components as recorded in the general ledger and#or subsidiary ledger 5. =econciliations in ol e the erification of an account balance

()

TYPES OF WORKPAPERS
Workpapers can be simply defined as anything the internal auditor uses to document the results of the e!amination and the scope of the procedures performed. They will also confirm and#or deny the fact that the financial reports and underlying data for the financial reports of the department agree and#or reconcile. Working papers generally include4 1. (. ). *. +. 5. &eneral ledger acti ity reports ;opies of departmental reports $n audit program %ocumentation as to the understanding of the internal control structure %esignated tests to be performed to confirm the understanding 8otes, memorandums, copies of documents, minutes, contracts, in oices, purchase orders, etc. 6. ?chedules 9either prepared by the auditor or prepared by the department that support the distributions to the general ledger and subse"uent reports. Workpapers generally present a logical flow to the information and data. Workpapers should be able to tell the reader and#or re iewer a story without the need for additional oral communication and e!planation. The workpapers should be compiled in the form of a pyramid the findings to the front and the detail to the back. $ contents page should be used to gi e the reader the ability to find transaction work "uickly. -f /tick marks1 are used, it is customary to ha e a legend at the front of commonly used /tick marks.1 The contents page would be followed then by the report of findings< followed by any other communication 9written and oral: that occurred during the e!amination< followed by any internal memos and general obser ations< followed by a worksheet delineating any ad'ustments and#or reclassifications that are proposed 9each ad'ustment should be referenced to the support documents in the workpapers:< followed by the e aluation of internal control< followed by a risk assessment< followed by the audit program< followed by detailed tests< followed by analytical re iew< and followed by any substanti e testing, reconciliations, and#or recalculations. %epending on the county auditors instructions and or the culture of the county, when the internal auditor is performing an analysis of e!penditure accounts, a detailed analysis should always be performed on4 1. (. ). *. +. 5. ?ingle e!penditures in e!cess of P+,HHH Bultiple e!penditures with the same endor that e!ceed P(+,HHH Cegal e!penses .rofessional fees Baintenance and repair in e!cess of P @@@@@@@@@@ =ents

(*

$ll workpapers should ha e a clear indication as to4 1. (. ). *. +. 5. The department being e!amined The title of the workpaper $ brief description of the workpapers contents $ statement as to the source of the data obtained The period being co ered by the e!amination Who prepared the workpaper, when it was prepared and who re iewed the document 6. $ny documents which are prepared by the department should be clearly labeled as to who prepared the document and when >. $ny ad'ustments that are being proposed and documentation for such, and I. $ny reference to other documents Alwa-" re(e(+er4 -f you dont write it down it was ne er said it was ne er doneQ -nternal audit work papers should always tell a story. ;onsider the thought that if a bus hit you today would someone else be able to follow behind you.

(+