- AUDIT PROCEDURES -

Transcription

1 - AUDIT PROCEDURES - During the performance of work associated with the various phases of an audit, the potential exists for the creation and retention of a significant amount of supporting documentation and associated materials. The Internal Audit Department for the City of Boise will create and retain documentation in electronic format to the greatest extent possible in order to facilitate creation, storage, and subsequent access to those documents. The processes and procedures that are described below are all subject to this protocol unless otherwise specifically noted. Preparation and Performance Planning and Budgeting Generally accepted auditing protocols provide for the development and recordation of a work plan for each engagement being contemplated. Proper planning of audits and reviews is essential to the effective conduct and completion of the work. The Internal Auditor that is tasked to complete any audit or review is primarily responsible for the development of a plan of audit for the engagement. The Auditor shall remain cognizant of human resource requirements, and the time allotted to complete the work. Significant variances, actual or anticipated, should be communicated to the Director of Internal Audit so that any corrective actions that may be available can be implemented in a timely manner. Pre-Audit Procedures It is the goal of the Internal Audit Department to develop and maintain a comprehensive program of audits throughout the organization that are risk-based as to both scope and frequency. The Department s audits will range from organizational sub-units to entire departments, and from isolated activities to functional activities that range across organizational lines. In performing the work, efficient and effective methodologies should be employed. The type of review, extent of testing, and documentation requirements should therefore be tailored to the complexity of the area under review; and with the needs and expectations of the audit client in mind. To this end, a pre-audit review by the Auditor is necessary. The Auditor should develop a familiarity with the organization and functions of the unit to be audited. The type and extent of work to be performed should be determined and documented during the pre-engagement planning stage. Sources of information that may be employed during this stage of the audit include, but are not limited to the following: Operational, compliance, fraud, and other risks that are faced by the auditee. Objectives of the activity and the means of accomplishing those objectives. Control activities that are currently employed. Previous audit files. Reference materials available via written medium or over the Internet. Visitations with unit / activity management. Monitoring reports or other activities that have been undertaken by Internal Audit. 6

2 As a result of the planning activities, a program of anticipated audit work will be developed. The program will be based upon an assessment of major risks inherent to the auditee s business environment. Planned work will address specific objectives that have been established during the planning phase. Work steps planned should be adequate to ensure that sufficient, competent, and relevant information is gathered from which audit conclusions may be drawn. Secondarily, work steps should be planned in such a way as to provide some degree of assurance that indicators of fraud, waste, or abuse will be detected. All program(s) developed will be retained and utilized as reference materials in the future. The programs of audit that are created will be referred to as Standard Audit Work Programs. The Internal Auditor will communicate information relative to the planning, conduct, and reporting of the audit to management of the audited entity. Standard Audit Work Programs Each formal audit activity that is planned will be supported by a written audit program that is based upon the activity under review. Standard Audit Work Programs are descriptions of audit objectives, and of the work steps to be performed in order to address those objectives. Standard Audit Work Programs provide a number of advantages, including: A work product that is well planned and executed. Convenient method of furnishing and reinforcing instruction to subordinates. Enhanced level of consistency in the procedures performed. Maintenance of control over work in progress. Logical record of work performed. Minimization of the preparation of unnecessary work papers and potential duplications of effort. Work Programs should be considered as a guiding document only. Variances from established work steps are allowable, and should be actively pursued where the situation warrants, such as: Where changed circumstances within an audit client are encountered. Where insufficient or uncertain evidentiary materials are encountered. Where indications of fraud, waste, or abuse are encountered. Where there may be potential or actual legal proceedings involved. The nature of changed circumstances that are encountered will dictate the type and extent of variance, and the nature of the additional work that should be performed. Changes can be added to the program through the change process (as described in a following section) as necessary. As each step in a Work Program is completed, the work performed, the conclusions reached should be documented in the Work Program. Supporting work papers should be cross-referenced within the documentation, and indexed and numbered accordingly so they are associated to individual work steps in the Work Program. Refer to the section on Standard Format immediately below for additional guidance on work paper preparation. Completion of Work Papers The principal objective of work paper preparation is the documentation of the audit procedures performed. From those procedures flow the information and conclusions that will be contained in the audit report. Thorough, credible, and accurate work papers are foundational to the audit process and to fulfilling subsequent reporting responsibilities. 7

3 When a program is complete, the individual responsible for completing that program will sign off on the work. This provides not only a permanent record of the work performed, the procedures followed, and conclusions reached; but also establishes an appropriate level of accountability as to the author of the conclusions drawn from the work. The documentation is then reviewed by the Director of Internal Audit. Any weaknesses or deficiencies identified during the Director s review will be addressed and rectified prior to final approval by the Director. Standard Format Work papers will, to the extent practical, be created and retained in electronic format for ease of both storage and accessibility. The requirements appearing below anticipate this final document retention methodology. As work steps within Work Programs are completed, the results are documented or written up. Audit Work Program templates have been created in Word / Table format. Write-ups are positioned immediately below each defined work step, and are contained within the same cell in the Table. Write-ups should contain: Work performed / Results A narrative of what the auditor did, observed, or learned through inquiry. Also, if specific staff members were consulted or interviewed, those individuals should be documented in this section. This is the body of the work. Specific, detailed narratives in support of each of the work steps contained within the Audit Work Program are documented here. Conclusion Conclusions, with respect to each audit step, should be documented within the textual write-up. Any conclusion so stated should relate directly to the objective(s) of the Work Program and the corresponding work step. Findings In the event that criticism will be assessed in connection with an audit step, the finding and any associated recommendations should be documented at each step as well. In order to make these comments more readily locatable, appropriate emphasis should be added (such as bolding, underlining, indenting, italicizing, etc ) Write-ups should be clearly and concisely presented. A third party, someone who was not present at the audit and may not be completely familiar with the area being audited, should be able to understand the work performed, and the resulting findings. Each step contained in an Audit Work Program should be fully addressed. Also, auditors should not limit themselves to a narrow focus. If the Auditor identifies an area that requires further investigation, then any additional work deemed necessary should be planned and completed. However, care should be taken to ensure that only relevant and/or material areas are subject to additional testing. An appropriate assessment of risks will help ensure that insignificant areas are avoided, and audit resources are properly utilized. Changes in scope must be approved by the Director of Internal Audit prior to the completion of work resulting from the change. Documentation - page numbering, tick-marks, etc.: Audit work papers and supporting documentation will exist in a combination of electronic and hardcopy formats. In order to ease the administrative burdens associated with hardcopy format, work papers will be created and retained in electronic format to the greatest extent possible. Numbering, cross-referencing, and indexing standards will apply equally to work papers in either format. For purposes of identification and access, electronic work papers will be referred to as EC, while hardcopy work papers will be referred to as HC. 8

4 Work papers support the information that has been documented in the corresponding write-ups contained within the Standard Audit Work Programs. Work paper documents are not necessarily meant to stand alone, i.e. to be documented with all associated details. The details should be fully documented within the write-ups. Supporting work papers serve as the primary evidentiary support for the write-ups. The most common exception to this is the documentation on pro-formas, or spreadsheets. These work papers may be, and frequently are documented in such a way as to stand alone in certain circumstances. Work paper pages should be numbered in a logical fashion, and should display an acceptable degree of parallelism throughout an audit file regardless of format. Work paper pages are typically numbered on the bottom margin in a fashion that is identifiable with the associated audit program. For example, page 3 of WORK PROGRAM1.4 could be numbered as 1.4/3, or 1.4_3/8 where page 3 of a total of 8 is referred to. Supporting work paper pages should be referred to as HC or EC as appropriate in order to identify the document format, to assist in cross-indexing documentation, to facilitate locating supporting documentation, and to lend value and support to the write-up. Legends should be created whenever tick-marks are used throughout a series of work papers. Both tick-marks and legends should be kept as simple as possible in order not to obscure the value of the work or the findings being documented. For ease of identification, Exception items (audit findings) should be uniquely identified. Exception items in work-papers (i.e. spreadsheets / pro-formas) are most easily identified when numbered with multiple characters, such as X-1, X-2, etc, to identify different types of errors. The Auditor should ensure that all work papers are thoroughly and accurately completed prior to the culmination of audit field work. Standard Audit Work Programs should be properly documented in order to evidence the fact that final review and approval by the Director of Internal Audit has occurred. Communicating Results Internal Audit activities are undertaken as a service to management, to the City Council, and therefore to the citizens of the City of Boise. In order to provide an appropriate level of service to these parties, timely and effective communication of results must be maintained. The three types of communication protocols utilized are: (1)The interim Audit Finding / Worksheet; (2)The Exit Review; and, (3)The formal Audit Report. Audit Findings / Worksheets During the course of an audit or review, management should be kept apprised of any weaknesses, deficiencies, or other causes for concern as they are identified. Findings / Worksheets are the vehicle used to facilitate this communication. Worksheets are typically a short (one-page) document that presents the information to be communicated in a succinct fashion. They are typically directed to the manager directly responsible for the area of concern, and to the one-over manager. Worksheets should be issued as soon after discovery and validation of the issue as is possible. There should never be surprises at the end of an audit or review timely issuance of Worksheets will ensure there aren t, and will also help promote positive and productive relationships with management. The worksheet should document the varying levels of perceived severity: 9

5 Practice Criticize - This worksheet type is rarely utilized - only when the finding is exceptionally bad and is a result of management s complete or willful disregard for policies, regulations, safety, etc Based on the severity of the situation, immediate contact with executive management and / or the City Council may be warranted. In either event, separate, prominent mention in the formal Audit Report is mandatory. Repeat Finding This worksheet type is used when the same finding was assessed at the prior audit and management has failed to take effective remedial action. Repeat Findings warrant prominent mention in the formal Audit Report in a manner that is consistent with the gravity of the condition being criticized. Moderate Risk or High Risk Findings Moderate or High Risk Findings are issued when the finding has, will, or could place the organization, or its employees at significant or material levels of risk. Senior management needs to be made aware of these issues so that appropriate corrective action can be pursued. These findings typically reach a level of severity that mandates their inclusion, in detail, in the formal Audit Report. Low Risk Finding This worksheet is used when an audit finding is discovered that should be discussed with management, but is clearly immaterial or inconsequential from both a qualitative and quantitative standpoint. Low Risk findings may or may not be included in the formal Audit Report, depending on the perceived importance of communicating the information to report recipients. Other Area of Concern Other Area findings are utilized in situations where the department being audited is not being criticized. However, a condition has been discovered that senior or executive management should be made aware of. It may be a gap in responsibilities, an area that requires research by the City Attorney, a recommendation for a systemic policy change, a weakness in another department that has affected the auditee, etc These findings are typically communicated to the appropriate level of management; either via an interim finding, or as a separate section in the formal Audit Report. Worksheets will be issued in a standard format, and should contain specific informational elements. Heading Audit-specific information should be contained within this section (i.e. Client / Audit Information, Area of Concern, Level of Risk Assessed, Auditor, etc...). Body The body of the Worksheet should contain the following information. Criteria A brief description of what should be, given policies, procedures, etc Condition A description of what was discovered during audit testing or review. Cause A statement detailing the cause for the deficient condition. Effect What could occur as a result of the weakness that was identified. Recommendation What type of corrective action should be taken. Mitigation Any corrective action taken to date. 10

6 Basis - The Basis area of the worksheet should identify the support for the findings. This may be whom the auditor talked to, dates of observations, or may refer to copies of documentation that illustrates the issue(s). In the event that conditions are discovered that raise significant legal or regulatory questions, standard communication and reporting protocols may be deferred or foregone. Issues of this nature will be escalated to the Director of Internal Audit, and subsequently to the appropriate legal authorities. The intent of this escalation is to preserve the integrity of any documentation, evidence, or case that may be commenced as a result of the finding. Exit Review At the culmination of fieldwork, an Exit Review should be scheduled with department, and one-over management. The Exit Review provides all interested parties with an opportunity to review, in summary form, the results of the audit. It is an excellent vehicle for ensuring that there are no misunderstandings with respect to any findings developed during the course of fieldwork. The Exit Review should be documented as to participants, findings reviewed, and the results of any actions management may have undertaken to correct deficiencies during the course of the fieldwork. Information relative to the Exit Review will be incorporated into the body of the formal Audit Report. Formal Audit Reports Written Audit Reports are issued as soon after completion of audit fieldwork as is practical. These documents serve to formally communicate the results of the audit or review undertaken, and are directed immediately to department management and senior management, and to the City Council both as soon as they are released, and via regularly scheduled quarterly meetings. The reports will also be made available to the general public on the City s web site. Therefore, the content of the reports must be carefully considered, and must be presented in an accurate and professional manner clear, concise, and timely. The established reporting schedule may not be adhered to when issues of sufficient gravity are discovered, and are deserving of immediate communication to those in governance positions. The Auditor is responsible for drafting the report and managing the report-creation process through to final approval and release. The Draft is reviewed with the Director of Internal Audit. It is also reviewed with responsible management, and final language agreed upon prior to issuance. Management s input is sought in order to foster an atmosphere of collaboration however, report content must be carefully guarded in order to ensure that issues are not de-emphasized, obscured, or excluded. Once final language is agreed upon, the report is approved for issuance by the Director of Internal Audit. The standard format used for Audit Reports is described below. Report Heading The first page of the Audit Report contains a heading section that serves to identify the audit, important dates associated with the audit, and the Internal Auditor responsible for the task. Specific information that appears in this section of the report includes: The specific area or function that was the subject of the audit. The Division or Department charged with responsibility for the area or function that was subject to the audit. The Audit Date - typically the date on which formal audit work commenced. The date the Audit Report was issued. The Internal Auditor responsible for both the audit, and the Report. 11

7 The Director of Internal Audit responsible for review and approval of the Report. Introduction The Introduction section of the report typically contains information pertinent to the audited area or function. This may include a general description of the function, its major deliverables, or any other information that serves to enlighten report readers as to the significance of the area or its impact to the organization. The Introduction section, or alternatively the Scope and Methodologies section (below), will include information relative to the purpose or objectives of the audit, and any associated limitations. The Introduction section should also disclose any significant facts or issues, such as limitations relative to findings or audit evidence, that had a significant impact on the report or its contents. Finally, if the audit was conducted in compliance with specific standards (such as Government Auditing Standards ), declaration of that fact should be included within the appropriate section as well. Scope and Methodologies The Scope section of the Audit Report should include specific information relative to the objective(s) of the audit, the methodologies that were employed to achieve those objectives, and a statement of the scope of the work. Objectives should be clearly communicated in order to ensure that no room exists for misinterpretation. Methodologies used to achieve the objectives should also be clearly stated. Information relative to the scope should be adequate to ensure that the depth, and the coverage of the work performed are clearly delineated. Evaluation and Comments Each audit will be evaluated or graded, and will receive one of five ratings. The Evaluation and Comments section of the report will clearly communicate the rating received utilizing one of the following: High Satisfactory No significant weaknesses or deficiencies were noted during the audit. If any issues were noted, they were clearly insignificant or inconsequential. The audited area displays a high degree of control and management oversight is effective. Satisfactory Reportable issues may exist within the audited area, but they are not deemed to be representative of pattern or practice within the area. Issues are typically of an isolated nature. Overall, systems of internal control are effective, and management oversight is adequate and supportive of the accomplishment of goals and objectives. Low Satisfactory Reportable issues exist within the audited area, and are encountered frequently enough to lose the appearance of isolated. Systems of internal control appear to be marginally adequate at best. Management oversight is not always effective to ensure the quality of operations. Needs Improvement Weaknesses or deficiencies are encountered on a relatively frequent basis within the audited entity or function. Issues noted, and their frequency, are suggestive of a pattern or practice of inadequate oversight. Internal control mechanisms may not be universally in place, implemented, or actively observed. Management oversight is weak, or is not always effective. Unsatisfactory Material or significant deficiencies are noted within the operations under review. Issues may pose risks that are either mission-critical or mission-fatal. Management has failed to implement appropriate internal controls. Management oversight is ineffective, absent, or willfully avoided. 12

8 The report author may also include other relevant comments within this section of the Audit Report. Issues that may be worthy of comment include, but are not limited to, trends, patterns, practices, improvements in the area or function, quality of management or staff, etc Positive comments are encouraged where justified. These types of observations serve to enhance the relationship between Internal Audit and the audited entity. Findings and Recommendations - This section of the Audit Report presents details of the audit findings. The Findings should provide the reader(s) with credible evidence that relates directly to the objectives of the audit. To the extent possible, Findings will be developed utilizing the elements of Criteria, Condition, Cause, and Effect. Findings are meant to communicate the results of all audit work that was performed, including issues related to internal control, fraud, illegal acts, abuse, etc, In instances where reporting findings would jeopardize the conduct of on-going investigative efforts by law enforcement, reporting may be deferred or altered as necessary in order to ensure those efforts are not impeded. In the event that audit findings deal with privileged or confidential information, that information may be rightfully excluded from the detail of the report made available to the general public. However, the nature and basis for the omission should be disclosed. Limited-use versions of the report that include the omitted detail may be distributed to those individuals authorized access to the sensitive information. Where it is feasible to do so, the Internal Auditor may make recommendations for corrective action. The recommendations may be either specific or general as appropriate to the particular issue. Recommendations should flow logically from the findings, and should be on-point with respect to their cost, benefit, and relevance to the finding(s). Each Finding should also include a Management Response if a formal response has been received as of the date of the report. Management of the audited entity should be encouraged to provide their views relative to the audit findings, conclusions, recommendations, as well as planned corrective actions. Appropriate to the situation, the responses may be included verbatim, or may be summarized. If summarized, management should be provided with an opportunity to review the summarization in order to ensure it fairly characterizes their views. If management elects not to respond to Findings contained within the report, that fact should also be disclosed. The Internal Auditor may also include additional comments in rebuttal to management responses if findings or recommendations are questioned. Concluding Remarks The report may also include a section where the report s author can include closing, or concluding remarks. This section of a report is entirely optional, but can be used to summarize and communicate overall views, to reinforce the need for corrective action, to express appreciation to the auditee for assistance provided, to recognize interim progress, etc Management Participants This section of the report should document members of the management team that have been included in the audit process, and in the subsequent Exit Review and report-creation processes. The Internal Auditor is responsible for ensuring that qualitative aspects of the reporting process are followed. Reports should be timely, complete, accurate, objective, convincing, clear, and concise. In the event a report is discovered to contain erroneous or incomplete information after it has been issued, it may be withdrawn and re-issued as appropriate to the circumstances. 13

9 As noted in the section immediately preceding, responses to audit issues will be incorporated into the body of the audit report. In addition, status reports that detail progress made on corrective actions that are in-process will be provided to the Audit Committee and / or the City Council at regularly scheduled intervals. Refer to the following section titled Follow-up Activities. Storage and Retrieval of Work Product At the culmination of each engagement all work papers, worksheets, and reports should be finalized and placed in a condition that is conducive to retention in the desired format. Proper retention of these documents is vital since they represent the formal record of work accomplished during an audit. It is also vital that these documents be easily accessible in subsequent time periods in order to fulfill various information requests that may arise. In order to provide for uniformity, the following guide should be used when stacking and finalizing the work papers. Naming Conventions: In order to facilitate the storage and retrieval of work product, a systematic naming convention will be utilized. Audits that are included in the annual plan will be uniquely tasknumbered so as to reflect the fiscal year and the task number assigned. Audit Reports, Findings, Work Programs, and associated documentation will be retained in electronic and/or hardcopy files that are named similarly. Thus, all documentation associated with the first audit scheduled for fiscal year 2009 would be retained in files named as where 09 reflects the fiscal year, and 01 corresponds to the first scheduled audit planned for that fiscal year. Refer to the section immediately below for an illustrative example. Electronic Work Papers: To the extent practical, work product will be created and retained in electronic format. This will include work papers, pro-formas, Standard Audit Work Programs, Worksheets, and formal Audit Reports. These documents will be retained secure against alteration, and will be saved on the City s intranet in directories that are reserved specifically for Internal Audit. Documents will be stacked in hierarchal fashion via the use of directories, and successive levels of sub-directories in a logical fashion that corresponds to the format of the individual work papers being retained. In order to facilitate retrieval of electronic documents, standard naming conventions will be employed as noted immediately above. The following example is illustrative of the method to be employed for presumed task #09-01: Audit Report (The Audit Report, and any associated documentation relative to follow-up activities will be retained in the main directory created for the audit. Alternatively, these may be included in the Administrative folder see below.) Administrative (Pre-planning documentation, and documents of general interest will be retained in a single sub-directory.) Findings (All Worksheets associated with the audit will be retained in a single subdirectory.) WP (Standard Audit Work Program and all numbered supporting papers.) 14

10 (Each Standard Audit Work Program and its associated documentation should be contained in a separate sub-directory if the volume of documentation warrants doing so.) Hardcopy Documents: Where it is necessary to do so, work papers that exist in hardcopy format only will be retained in that format in a standard file folder that is appropriately labeled to identify with the task number assigned. Documents so retained will be properly organized and numbered so as to correspond with the logical organization of the Standard Audit Work Program(s) being supported. Tabbing or other demarcations will be utilized within the hardcopy pages to an appropriate extent in order to facilitate location / retrieval of the documents. Retention Periods: Retention periods are specified below under the heading Record Retention and Security. Auditor Responsibilities Internal Audit and audit-related activities should be carried out in a professional manner, and according to accepted standards of practice within the internal audit industry. In order to ensure this level of performance, all personnel assigned to the function must share responsibility for the success of the function, and for the completion of all assigned tasks in a professional manner. Internal Auditor: The Internal Auditor is generally responsible for the following: Disclosing or declaring any impairments to independence or objectivity that may exist. Performing assigned tasks in an independent and self-directed fashion. Completing assigned tasks in a timely, thorough, accurate and well-documented manner. Submitting all completed work papers to the Director of Internal Audit for final review and approval. Completing other tasks as may be assigned. Conducting activities in a professional manner at all times; avoiding those situations that would submit the function or the Auditors to criticism by the auditee or the public. Assuming a friendly and cooperative demeanor with the auditee s staff. Disagreements should be reported to the Director of Internal Audit. Conducting work so as to minimize disruption of the auditee s workflow or ability to service their customers. Becoming acquainted with the premises, the responsible employees, and the location of records early in the audit. Asking the auditee for any files that may be needed. Auditees should be made aware that the auditor has those files. Safeguarding all files / records that have been entrusted to the auditor s possession. Returning all files / records to the person they were obtained from. Maintaining all records in the same or better condition in which they are found. Retaining all records on premises - never removing vital documents from the premises. Returning all documents taken to the auditor s work area to the auditee custodian by the end of the day if such return is requested. 15

11 Additional Responsibilities: The Internal Auditor also bears the following, higher-level responsibilities: Developing a familiarity with the organization and functions of the unit to be audited. Preplanning the audit in accordance with the scope and complexity of the function or the activity to be audited. Ensuring that an assessment of risks is incorporated into, or forms the basis of all audit work planned and performed. Accepting responsibility and accountability for the audit work performed on assigned projects. Managing the audit in relation to time and resource budgets. Ensuring that audit findings and recommendations made during the course of the audit are reported timely to management. Ensuring that all Worksheets issued are properly constructed, supported, and communicated. As work papers are completed, ensuring that all objectives have been accomplished and all conclusions are properly supported. Ensuring that the audit or review is conducted with the least amount of disruption to the auditee as is possible. Conducting an Exit Review or briefing at the culmination of field work. Drafting and seeking approval of a formal Audit Report. Finalizing the audit file(s), and ensuring that all supporting documentation is properly retained. Performing follow-up work as necessary subsequent to the audit. Follow-up Activities Standards and practice common to the industry require that follow-up activities occur after the completion of each audit or review. The purpose of the follow-up is to ascertain whether management is actively pursuing any corrective actions deemed to be necessary. If so, the determination is made as to whether satisfactory progress is being made toward rectifying identified weaknesses or deficiencies. Follow-up activities, similar to other audit-related activities, must be properly managed in order to provide the highest level of value possible to the organization. Open Items: At the culmination of each audit or review, any moderate, high-level, repeat, or practice criticize findings are identified and documented as open items. All Findings are considered to be open until such time as successful resolution by the auditee has occurred. Resolution is verified through the conduct of various follow-up activities as appropriate to the severity or gravity of the issue involved. Follow-up Activities: Follow-up activities can take any of several forms. The type of finding, nature of the risk, and measurability of corrective actions may all play a part in the type of follow-up activity that is pursued. Inquiry can be used to gain assurances from management that progress is being realized, or that a specific issue has been rectified. Inquiry may be sufficient assurance that corrective action is complete where the risk or exposure levels are such that more exhaustive steps are not deemed to be necessary. Observation or visual review may be used where the issue is such that this method of follow-up will yield a reasonable level of assurance that progress is being made, or correction is complete. 16

12 Limited testing should be pursued where the gravity of the situation is such that a higher level of assurance is deemed to be necessary. Limited testing of specific attributes will provide Internal Audit with an objective basis for concluding that corrective action has been effective. Audits or reviews involve a more substantial commitment of resources to the follow-up process, and thus are most appropriate where material, or critical issues are involved. This process is also appropriate and/or encouraged where an auditable activity is deemed to be unsatisfactory due to widespread patterns or practices of control weakness or deficiency. Status Reporting: The status of all unresolved items is reported to the City Council or the Audit Committee at regularly scheduled intervals. Changes to Work programs The Auditor should consider if there are any improvements that can be made to any Standard Audit Work Program currently being utilized. In the event that an area being tested has experienced recent change, then established audit steps may require modification. The Auditor is responsible for ensuring that any needed changes are identified, and the Standard Audit Work Program is altered as necessary. Once drafted, changes to the Work Programs should be reviewed with the Director of Internal Audit prior to finalization and implementation. Once finalized, new generation Work Programs should replace the current generation document. All versions of the document should be updated to reflect the change. If changes are deemed to be minor or inconsequential in nature, further documentation is not required. If work programs are substantially altered, then the changes and the reasoning behind those changes should be documented via a memo to file. The memo should be placed in the current year s audit file for easy access and reference for Audit management. Consulting Activities Internal auditing has undergone a significant paradigm shift in recent years. The value of the expertise that is typically resident in assurance-related departments is more widely recognized, and is more highly valued in today s business climate. Accordingly, Internal Auditors may be called on from time to time to provide consulting type services, or to become involved in other value-added type activities. Standards of conduct common to the industry provide for this eventuality, and specify the type and depth of activities that may be engaged in without crossing the line into areas more properly left to line management of the organization. Given the broad range of activities that may be involved in consulting engagements, a set of specific procedural guides will not apply. Rather, the nature and extent of work, and the types of documentation that may be retained are variable. However, consulting activities should be conducted in a fashion that is consistent with the following broad guidelines. Services may be provided in areas where the Internal Auditor had previous responsibilities. However, potential impairments to either independence or objectivity should be disclosed to the client. Careful consideration should be given to the fact that the Internal Auditor may be precluded from performing subsequent audits in areas where consulting services have been provided. Services 17

13 should not be performed if doing so would impact the scope or depth of future audits planned or reasonably contemplated. Services may not be provided if doing so would impair the Auditor s independence or objectivity with respect to future engagements. The same level of due professional care required in audit engagements also applies to consulting activities. All standards of practice that pertain to audit activity similarly pertain to Consulting activities. The nature, extent, and timing of both work performed, and reporting should be considered, agreed upon, and communicated to management of the entity. Consulting activities and the objectives to be attained should be consistent with the overall goals and values of the organization. Objectives for consulting engagements should be agreed upon with the client. The work performed should be sufficient to achieve the agreed-upon objectives. Work programs should be created and documented that reflect the nature and extent of activities to be performed. The level and type of communication required by the client will vary; standardized reporting protocols typically will not be in evidence in these engagements. Interim and final communications should be reviewed by the Director of Internal Audit, and approved prior to release. Issues identified during consulting engagements should be treated in a manner similar to issues identified during regular audits or reviews. Record Retention and Security Reports and work papers that are produced in conjunction with audit related activities are valuable organization properties; they should be accorded an adequate level of protection, security, confidentiality, and retention. In-Process Work Papers: During the course of audits and reviews, auditors come into possession of a considerable amount of information that is either confidential, or could be highly sensitive. Accordingly, all work papers that are accumulated or created during the course of an audit, and all client documents should be properly secured when not under the direct control of the Auditor. During non-business hours, these types of records should be stored out of sight at a minimum. If possible, highly sensitive information should be stored in a locking desk drawer or file cabinet. The Internal Auditor should also consider returning client records to the client s possession during non-business hours if the client has superior storage capabilities. Maintaining security and confidentiality are the primary considerations in every instance. Completed Audit Files: Once audits have been completed and all required reviews have been accomplished, electronic files will be protected and retained on the Internal Audit Department s common drives on the intranet. Hardcopy audit files will be maintained in locking facilities during nonbusiness hours. Internal Audit staff will have access to the files at their discretion, but must ensure that the files are properly secured while in their possession. Internal Audit staff also must ensure that audit files are returned to their permanent domicile once they are no longer needed. Files should be removed from their domicile only when a defined need exists to do so. 18

14 Two generations of audit files will be maintained on site at any one time. Within accessible storage only the current year s, and the immediately preceding year s files will be maintained and will be readily accessible. All earlier generations will be stored, or otherwise archived until such time as their retention period has expired. Retention: In order to satisfy evidentiary, legal, and regulatory requirements, the retention of all audit work papers and documentation is years. Audit Report retention is years. Information Release: Due to the need to control these documents on an on-going basis, authority to release anything other than the formal Audit Report is reserved to the Director of Internal Audit or his/her designate. Audit Reports will be released to the City s web site upon their presentation to the City Council. All supporting and associated documentation will be released only upon receipt of a bona fide information request, and only on the Director s approval. Quality Assurance Consistent with both industry- and government-established auditing standards, the Internal Audit Department will implement policies and procedures sufficient to ensure that all audit-related activities receive an appropriate level of supervisory oversight. Processes that are incorporated into the department s activities will provide a reasonable degree of assurance that governing standards are adhered to. Work Processes: Procedures will be established to ensure that, as work is accomplished during each phase of an audit, that work is accomplished at a level that is consistent with standard. These procedures will include, but will not be limited to guidance and control documents, such as checklists and other established protocols; and monitoring activities carried on by the Director of Internal Audit. The desired outcome will be to ensure that all applicable qualitative and quantitative standards are being met as work progresses. Work Product Review: As alluded to in earlier sections of this document, procedures have been established that provide for the review and approval of all work product at various stages of completion. Additionally, final review and approval of audit documentation, and the resulting Audit Report will be accomplished by the Director of Internal Audit under these procedures. The formal Audit Report will also be subjected to review and approval by the Audit Committee and/or the City Council prior to the public release of that document. Staff Supervision: The Director of Internal Audit will be responsible for supervising the Internal Auditor(s) during the completion of all audit-related activities, and also during the performance and completion of non-audit related activities (more commonly referred to as consulting services). This will be accomplished through a combination of on-the-job training, individual oversight, and monitoring protocols that will be sufficient to ensure that established standards and expectations are being achieved or exceeded. 19

15 Peer Reviews: The Director of Internal Audit may arrange for the performance of Peer Reviews by disinterested third parties on a periodic basis. When requested, the Reviews will be conducted in order to satisfy industry-related audit standards that have been established by industry groups such as the Institute of Internal Auditors. 20