Chapter 4 – Audit Risk Assessment and Audit Plan

Using the identified audit universe, prepare a matrix of engagements performed for each auditable unit. It is helpful to maintain at least three to five years of data to facilitate scheduling future engagements.

• 
  Provides the framework for monitoring the internal control structure of the STA by operational area and provides the foundation for the risk assessment process
  

• 
  Allows Internal Audit to communicate with each division or office of the STA in a standardized manner to monitor the STA’s internal controls
  

• 
  Provides a mechanism for confirming whether all processes have been captured
  

• 
  Provides a means for monitoring historic audit coverage for all functions and activities of the STA
  

• 
  Demonstrates compliance with the standards and laws that may govern the internal audit function
  

• 
  Considered an Internal Audit best practice
  

• 
  Applicable statutes, rules, and regulations
  

• 
  Policies and procedures, manuals, guidelines
  

• 
  Prior Audits--external, internal, federal--that relate to the area
  

• 
  Internal control certifications
  

• 
  List of information technology systems used
  

• 
  Interview notes
  

• 
  System narratives
  

• 
  Any changes to the auditable units
  

• 
  New programs or initiatives
  

• 
  Rapid growth or significant increases in funding or expenditures
  

• 
  Turnover of key management or key personnel
  

• 
  Reviews or audits by a federal agency; e.g., FHWA, FTA, FRA, FAA, NHTSA, FMCSA, GAO
  

• 
  Media exposure
  

• 
  Law changes
  

• 
  Administrative rule changes
  

• 
  Information technology that was developed or had major modifications in the last year or any that are currently in process or planned
  

• 
  Any fraudulent activity, improper conduct, blatant disregard for procedures, suspected or improper use of assets or state resources
  

• 
  Any processes or programs they would like Internal Audit to review
  

• 
  Rank what they consider to be the five most significant areas or processes for which they are responsible
  

Meetings should be scheduled with Executive Management and the Audit Committee, if applicable, to obtain their audit requests and areas of concern they would like considered. Consider informal sources of audit requests, such as, concerns noted in conversations and emails from STA staff members, anonymous tips, and auditor observations and concerns noted in other audits. Perform risk assessments on all the auditable units to determine priorities taking into consideration any audit requests that are received. Each year, new audit requests may be added and a risk assessment conducted to prioritize and insert new requests into the ongoing list.

• 
  Revenues/expenditures
  

• 
  Federal responsibilities/requirements
  

• 
  Legal responsibilities/requirements
  

• 
  Public impact or exposure
  

• 
  Impact to the STA
  

• 
  Management needs
  

• 
  Date of last audit
  

• 
  Prior experience with auditee
  

• 
  Inherent risk factors (high activity, high volume, complexity of operations, dollar value of assets, etc.)
  

• 
  Potential for fraud (improper conduct, suspected misuse, improper use of assets, blatant disregard for procedures)
  

• 
  Strength of internal controls
  

• 
  Reported problems on last audit, external audit, or U.S. Department of Transportation (USDOT) reviews
  

• 
  Potential efficiency improvements
  

• 
  New programs, initiatives or activities
  

• 
  Change in key personnel
  

• 
  New IT systems or major changes to IT systems key to department
  

• 
  Estimated audit time
  

• 
  Management override - Controls are readily set aside at the option of management or personnel.
  

• 
  Optional or incomplete controls - Controls that say “may” or those that give options without guidance for making decisions on how to proceed are not effective. Clear direction regarding the choice should be made.
  

• 
  Form over substance - Controls appear to be well designed but are ineffective or miss their intended mark.
  

• 
  Conflicts of interest - Causes personnel to place their interest above that of the organization.
  

• 
  Access to assets - Having improper or unauthorized access to assets can result in theft, misuse or abuse.
  

• 
  Inadequately trained or informed personnel - Personnel who don’t understand the reason or necessity for a particular control or the desired result may not properly execute the necessary steps.
  

• 
  Inadequate separation of duties – Multiple control points are the responsibility of one person.
  

Chapter 5 discusses internal control in more detail.

• 
  Poorly designed or implemented internal control processes--the process becomes routine due to familiarity and steps in the process are overlooked
  

• 
  Information concerning a law, rule or procedure was not adequately communicated
  

• 
  Employees not properly trained or instructed
  

• 
  Personnel not knowledgeable of the importance of a step or process and its impact on another area
  

• 
  Confusion over who is responsible (each area incorrectly thinks the other is handling the process)
  

• 
  Time constraints
  

• 
  Inadequate resources devoted to the process
  

• 
  Employees unknowingly overlooked something
  

• 
  Personnel are comfortable with the current process and resistant to change
  

To determine the number of internal engagements to be scheduled, an analysis of available staff hours should be conducted. The internal audit manager should consider the following in determining hours available:

• 
  Total annual hours
  

• 
  Holidays
  

• 
  Annual leave
  

• 
  Sick leave
  

• 
  Training
  

• 
  Miscellaneous administrative
  

• 
  Additional annual leave for long-term employees
  

• 
  Retirements/resignations
  

• 
  Time required to replace employees who retire or resign
  

• 
  Furlough days
  

• 
  Extended use of leave (family & medical leave, military leave, disability, and sick leave)
  

• 
  Other types of reviews, consulting, and non-audit services
  

Based on the risk assessment and analysis of staff availability, an audit work plan should be developed. Remember to include any needs for audit follow-ups (e.g. 90 – 120 days). It may be helpful to develop two types of audit work plans. One type would give a narrative describing the engagement. The second type would be a scheduling tool to assign auditors to each selected engagement with time estimates across the twelve months. Another consideration for scheduling engagements is the auditee’s schedule, which may include deadlines or busy seasons. These factors as well as others specific to your STA should be taken into account when scheduling.

It may also be helpful to prepare a two-year audit plan in order to assist with prioritizing engagements and resources. However, the second year of the internal audit plan is always given reconsideration at the time of the development of the next year’s two year plan. This is due to changes in circumstances and risks that may occur over the one-year period since the plan was last developed.

Final meetings with the STA’s chief executive officer and the audit committee, if applicable, should be scheduled to obtain concurrence and approval of the proposed audit work plan. Any scheduling concerns should be communicated at this time.

1. 
   Reporting - related to the internal and external financial and nonfinancial reporting to stakeholders, encompassing reliability, timeliness, transparency, or other elements as established by regulators, standard setters, or the entity’s policies
   

2. 
   Compliance - adhering to those laws and regulations to which the entity is subject, where non-compliance could result in penalties, fines or negative impacts to reputation
   

3. 
   Operations - addresses an entity’s basic business objectives, including performance and goals and safeguarding of resources.
   

In assessing the design and operating effectiveness of internal controls under the COSO framework, management also considers the five components of internal control as depicted in the COSO “Cube”. If designed and operating effectively, controls within these five components in totality provide a framework for internal control. The 2013 framework incorporates 17 principles that support these five components. For effective internal controls, the 2013 framework requires that each of the five components and 17 relevant principles be present and functioning, and that the five components must operate together in an integrated manner.

1. 
   Control Environment
   

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the set of standards, processes, and structures that provides the basis for carrying out internal control across the organization. It is the foundation for all other components of internal control, providing discipline and structure.

1. 
   The organization demonstrates a commitment to integrity and ethical values.
   
2. 
   The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
   
3. 
   Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
   
4. 
   The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
   
5. 
   The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
   

2. 
   Risk Assessment
   

Every entity faces a variety of risks from external and internal sources that must be assessed. Risk assessment is the identification and analysis of relevant risks that could affect the achievement of the entity’s objectives, forming a basis for determining how the risks should be managed.

1. 
   The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
   
2. 
   The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
   
3. 
   The organization considers the potential for fraud in assessing risks to the achievement of objectives.
   
4. 
   The organization identifies and assesses changes that could significantly affect the system of internal control.
   

3. 
   Control Activities
   

Control activities are the policies and procedures that help determine if management directives are carried out. They help facilitate the necessary actions required to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

1. 
   The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
   
2. 
   The organization selects and develops general control activities over technology to support the achievement of objectives.
   
3. 
   The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action.
   

4. 
   Information and Communication
   

Pertinent information must be identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities. Information systems produce reports, containing operational, financial, and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but with information about external reporting as well. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and stakeholders.

1. 
   The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
   
2. 
   The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
   
3. 
   The organization communicates with external parties about matters affecting the functioning of internal control.
   

5. 
   Monitoring Activities
   

Internal control systems need to be monitored (a process that assesses the quality of the system’s performance over time). This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The 2013 Framework distinguishes between a management review control as a control activity and a monitoring activity. A management review control that is a control activity responds to a specified risk and is designed to detect and correct errors. However, a management review control that is a monitoring activity would ask why the errors exist, and then assign the responsibility of fixing the process to the appropriate personnel.

1. 
   The organization selects, develops, and performs ongoing or separate evaluation to ascertain whether the components of internal control are present and functioning.
   
2. 
   The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
   

The COSO 2013 Framework became effective December 15, 2014.

• 
  PO1—Define a strategic IT plan
  

• 
  PO2—Define the information architecture
  

• 
  PO3—Determine technological direction
  

• 
  PO4—Define the IT processes, organizations, and relationships
  

• 
  PO5—Manage the IT investment
  

• 
  PO6—Communicate management aims and direction
  

• 
  PO7—Manage IT human resources
  

• 
  PO—Manage quality
  

• 
  PO9—Assess and manage IT risks
  

• 
  PO10—Manage projects
  

2. ACQUIRE AND IMPLEMENT (AI)

• 
  AI1—Identify automated solutions
  

• 
  AI2—Acquire and maintain application software
  

• 
  AI3—Acquire and maintain technology infrastructure
  

• 
  AI4—Enable operation and use
  

• 
  AI5—Procure IT resources
  

• 
  AI—Manage changes
  

• 
  AI7—Install and accredit solutions and changes
  

3. DELIVER AND SUPPORT

• 
  DS1—Define and manage service levels
  

• 
  DS2—Manage third-party services
  

• 
  DS3—Manage performance and capacity
  

• 
  DS4—Ensure continuous service
  

• 
  DS5—Ensure systems security
  

• 
  DS6—Identify and allocate costs
  

• 
  DS7—Educate and train users
  

• 
  DS8—Manage service desk and incidents
  

• 
  DS9—Manage the configuration
  

• 
  DS10—Manage problems
  

• 
  DS11—Manage data
  

• 
  DS12—Manage the physical environment
  

• 
  DS13—Manage operations
  

• 
  ME—Monitor and evaluate IT performance
  

• 
  ME—Monitor and evaluate internal control
  

• 
  ME3—Ensure compliance with external requirements
  

• 
  ME4—Provide IT governance
  

• 
  Prior experience with the entity
  

This can be a major source of audit efficiency in recurring audits. Because systems and controls usually don’t change frequently or significantly from year to year, information obtained by the auditor in previous audits of the entity can be updated and carried forward to the current year’s audit.

• 
  Inquiries of management, supervisory, and staff personnel within the entity
  

The auditor may inquire about the types of accounting documents used to process transactions and about control activities that have been placed in operation for authorizing, for example, a credit.

• 
  Observation of client activities and procedures
  

The auditor can observe client personnel in the process of preparing accounting records and documents and carrying out their assigned accounting and control functions.

• 
  Inspection of accounting documents and records
  

By inspecting actual, completed documents and records, the auditor can better understand their application to the entity’s internal control. The auditor may wish to obtain copies of sample documents used by the entity for inclusion in the permanent file.

• 
  Entity’s policy and system manuals
  

This includes both (1) policy manuals and documents, and (2) system manuals and documents, such as an accounting manual and an organization chart.

• 
  Provide evidence of the understanding of the design of significant processes
  

• 
  Identify key risks within the process.
  

• 
  Identify controls that would prevent or detect errors from occurring within the process.
  

• 
  Identify control gaps and process improvement opportunities.
  

This documentation may take several forms such as:

• 
  Flowchart – A diagram that shows step-by-step progression through a procedure or system especially using connecting lines and a set of conventional symbols. The purpose of flowcharting is to:
  
  • 
    Be a tool for analyzing processes.
    
  • 
    Break down processes into individual events and activities, usually by process or event owner.
    
  • 
    Identify interdependencies across the business.
    
  • 
    Link system and manual activities.
    
  • 
    Identify control gaps, segregation of duties, problems and inefficiencies.
    

• 
  Narrative – A document that describes a process or transaction flow using words rather than a pictorial representation. The purpose of a narrative is to:
  
  • 
    Provide evidence of understanding of a process.
    
  • 
    Identify and document key risks, controls and control gaps.
    
  • 
    Confirm understanding with the process owner.
    
  • 
    Provide knowledge that can be used in future years by other employees.
    

• 
  Walkthrough – A document that traces one representative transaction through a process from beginning to end. The purpose of a walkthrough is to:
  
  • 
    Confirm understanding of the significant flow of transactions.
    
  • 
    Confirm understanding of the relevant controls.
    
  • 
    Confirm that relevant controls have been placed in operation.
    
  • 
    Confirm process documentation.
    

• 
  Internal Control Questionnaire – Designed to identify basic control issues and used as a guide for improving or implementing good business practices and complying with policies and procedures.
  

• 
  Testing by statistical sampling – focuses on sampling techniques that provide assurance based on sampling risk that the auditor and stakeholders deem acceptable
  

• 
  Testing by direct sampling – focuses more closely on specific transactions or certain types of transactions and can be used when the population under review is not homogeneous
  

• 
  Reviews/interviews – used when the performance of a process does not lend itself to normal testing procedures
  

• 
  Observation – looks at actual practices to see if appropriate controls are actually in place and working
  

• 
  Analytical procedure – takes information as a whole and applies some set standard, analysis or comparison