CHAPTER 4 — AUDIT RISK ASSESSMENT AND AUDIT PLAN
4.1 Overview 12
4.2 Identify Audit Universe or Auditable Units 12
4.3 Benefits of Auditable Units 12
4.4 Develop Permanent Files 13
4.5 Risk Assessment 14
4.6 Risk Assessment Criteria 15
4.7 Consideration of Internal Controls 16
4.8 Internal Control Weaknesses 17
4.9 Analysis of Internal Audit Resources 18
4.10 Developing the Audit Work Plan 18
CHAPTER 5 — INTERNAL CONTROL
5.1 Overview 20
5.2 COSO Categories 20
5.3 Five Components of COSO 21
5.4 COBIT 23
5.5 Understanding an Auditee’s Internal Controls 26
5.6 Documenting Internal Controls 27
5.7 Internal Control over Financial Reporting 28
5.8 Evaluation of Internal Controls 28
5.9 Classifying Internal Control Weaknesses for Reporting 29
CHAPTER 6 — USDOT AGENCIES AND DESCRIPTIONS
6.1 USDOT Agencies and Descriptions 30
6.2 Office of the Secretary 31
6.3 Federal Aviation Administration 32
6.4 Federal Highway Administration 33
6.5 Federal Motor Carrier Safety Administration 36
6.6 Federal Railroad Administration 36
6.7 Federal Transit Administration 37
6.8 Maritime Administration 39
6.9 National Highway Traffic Safety Administration 39
6.10 Office of Inspector General 41
6.11 Pipeline and Hazardous Materials Safety Administration 41
6.12 Research and Innovative Technology Administration 42
6.13 Saint Lawrence Seaway Development Corporation 43
6.14 Surface Transportation Board 43
CHAPTER 7 – STEWARDSHIP, OVERSIGHT, LAWS, AND REGULATIONS
7.1 Stewardship and Oversight Agreement between the FHWA and State Transportation Agencies 45
7.2 Hierarchy 46
7.3 Federal Requirements (2 CFR 200) 47
7.4 Audit Requirements 47
7.5 Catalog of Federal Domestic Assistance 48
7.6 State Law 48
CHAPTER 8 — INNOVATIVE FINANCING AND CONSTRUCTION DELIVERY METHODS
8.1 Grant Anticipation Revenue Vehicle (GARVEE) 49
8.2 Transportation Infrastructure Finance and Innovation Act (TIFIA) 49
8.3 Section 129 Loans (23 U.S.C. 129 (A)(7)) 49
8.4 Tax Increment Financing (TIF) 49
8.5 Private Activity Bonds (PABs) 49
8.6 Public-Private Partnerships (P3s) 50
8.7 Design-Build (DB) 50
8.8 Construction Manager/General Contractor (CMGC) 50
CHAPTER 9 – GENERAL AUDIT AND ATTESTATION PROGRAMS
9.1 Audit Program Purpose and Scope 51
9.2 Phases 51
9.3 Attestation Program Purpose and Scope 53
GLOSSARY 58
Chapter 1 – Introduction
1.1—OVERVIEW
This guide was developed by a task force of the American Association of State Highway and Transportation Officials (AASHTO) Audit Subcommittee with input from various federal partners. State Transportation Agencies (STAs) share the same overall mission but are structured differently across the United States. Most STAs have internal auditors, external auditors, and inspectors general. Some audit groups are organized as standalone units, while others are part of larger organizational components of the STA. This guide focuses on the goals, functions, and services of internal audit groups within STAs. In addition, detailed practice aids are provided as a supplement to the guide.
The Institute of Internal Auditors (IIA) defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
1.2—WHY A GUIDE?
This guide is designed to strengthen the stewardship and oversight functions performed by STA internal audit groups. An essential role of government is the stewardship and oversight of public expenditures. As government transportation expenditures grow while budgets and staffing shrink, the stewardship and oversight process for transportation programs must be enhanced. The purpose of this internal audit guide is to provide a tool that STA internal auditors can use to perform audits of transportation processes and programs.
This guide is intended to help auditors understand processes, terminology, policies, audit techniques, and sources for laws and regulations. The guide’s objective is to identify the audit universe in a general sense and provide a reference guide for the following items:
Internal Controls
Risk Assessment
Compliance with applicable laws and regulations
Federal programs
Innovative financing
Effective use of resources
1.3—AUDITING STANDARDS
STA internal audit groups generally follow two sets of auditing standards – Generally Accepted Government Auditing Standards (GAGAS), issued by the Comptroller General of the United States, and the IIA standards for internal audit. The different auditing standards are discussed in the next chapter.
When necessary, internal auditors obtain additional guidance from standards issued by the American Institute of Certified Public Accountants (AICPA) and guidance from the IIA.
1.4—ENGAGEMENTS
Internal auditors perform a variety of engagements, ranging from attestation engagements consisting of reviews, examinations, and agreed-upon procedures, to performance audits.
STA internal auditors may be responsible for:
Reviewing STA internal controls to ensure they are adequately designed and are functioning properly
Reviewing STA programs and processes to ensure they comply with applicable federal and state laws and regulations as well as STA policies and procedures
Reviewing STA processes to ensure they operate effectively and efficiently
Reviewing programs to ensure that management has adequately safeguarded STA assets and used taxpayer resources properly
Chapter 2 – Auditing Standards
2.1—GAGAS
Generally Accepted Government Auditing Standards (GAGAS), produced by the Government Accountability Office (GAO), contains requirements and guidance for entities conducting government audits within the United States. Professional auditors must follow these standards when conducting financial audits of government and non-profit organizations receiving federal funds subject to the audit requirements in Subpart F of 2 CFR 200 — Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards. In the United States, use of GAGAS is also mandatory for federal inspectors general, many state and local government auditors and some internal auditors, as well as CPA firms when conducting single audits and other government audits. In addition, many auditors and audit organizations choose to voluntarily perform their work in accordance with GAGAS. GAGAS contains requirements for financial audits, attestation engagements and performance audits. Many international government audit organizations use GAGAS as guidance when conducting financial and performance audits, even when there is no specific legal requirement to do so.
2.2—INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING
For internal auditors, there is another set of standards, the International Standards for the Professional Practice of Internal Auditing, produced by the IIA. Internal auditors throughout the world use these standards. Certified Internal Auditors are required to follow the IIA Standards, and anyone who wishes to state that their audits are conducted in accordance with the IIA Standards must follow them.
The IIA Standards are divided between Attribute and Performance Standards. Attribute Standards address the attributes of organizations and individuals who perform internal auditing. The Performance Standards describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured.
Some government organizations conduct their engagements in accordance with both the IIA Standards and GAGAS. The IIA Standards are often implemented along with the performance audit requirements of GAGAS (chapters 1-3, 6 and 7). While GAGAS is used for conducting government audits by both external and internal audit organizations, it contains some specific requirements and guidance related to internal auditors and internal audit organizations.
Each STA should determine which standards they follow and document that as part of their policies and procedures. Some STAs have laws that require they follow one of the two standards and some states require their agencies to follow both.
2.3—COMPARISON OF IIA AND GAGAS STANDARDS
GAGAS is commonly referred to as the “Yellow Book” and the IIA Standards are commonly referred to as the “Red Book.” The Institute of Internal Auditors (IIA) provides a comparison of the IIA and GAGAS Standards on the IIA’s website.
The following is a list of some of the most notable differences between the standards:
Each starts from a different definition of auditing and auditors.
GAGAS emphasizes accountability; IIA emphasizes governance, risk and controls to add value.
IIA requires an internal audit charter; GAGAS does not.
GAGAS discourages non-audit consulting services, noting that they could compromise objectivity and independence; the IIA recognizes consulting as a service that internal auditors provide to their organizations and has established ‘consulting standards’. The IIA defines consulting services to include counsel, advice, facilitation and training, but states that these services must be provided without assuming any management responsibility for them.
Under GAGAS, auditors must document their consideration of independence; the IIA has no formal requirement to document independence. However, the IIA Standards require internal auditors to have independence and state that an auditor “must have an impartial, unbiased attitude and avoid any conflict of interest.” The Standards also require “organizational independence” and provide definitions of “independence” and “objectivity.”
GAGAS requires external peer reviews every three years; IIA requires external peer reviews every five years.
GAGAS defines three types of assurance engagements: financial, attestation, and performance; IIA discusses assurance services but focuses on the auditor’s work and governance, risk assessment and controls.
IIA requires the development of an audit universe and annual work plan; GAGAS has no such requirement.
Under GAGAS, auditors write ‘findings’ when fraud, abuse, internal control weaknesses and noncompliance are found; the IIA requires auditors to “communicate engagement results and where appropriate, the communication must contain the internal auditor’s opinion and/or conclusions.” These results must include issues of fraud, abuse, internal control weaknesses, and noncompliance. Each issue noted must include the condition, criteria, cause and effect.
GAGAS requires 80 hours of CPE every two years; IIA Standards state, “Internal Auditors must enhance their knowledge, skills, and other competencies through continuing professional development”, but it does not specify a required number of hours for non-certified members. However, Certified Internal Auditors are required to have a minimum of 40 hours of continuing education every year. Certified Government Auditing Professionals are required to have 25% of their hours in government related training.
2.4—REFERENCES
https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx
http://gao.gov/yellowbook/overview
The Institute of Internal Auditors, Supplemental Guidance: IIA International Standard for the Professional Practice of Internal Auditing/ Government Accountability Office Government Audit Standards (GAGAS)/ A Comparison, 2nd Edition Leita Hart-Fanta, CPA, CGFM, CGAP, For the Orange, April 9, 2013
Chapter 3 – Types of Engagements
3.1—OVERVIEW
This chapter describes the different types of government audits, attestation engagements, and other non-audit services provided by internal audit organizations. This description is not intended to limit or require the types of services that may be conducted. In conducting the services described in this chapter, auditors should follow the applicable standards adopted by their STA.
3.2—TYPES OF AUDITS
Financial audits provide an independent assessment of whether an entity’s reported financial statements are presented fairly in all material respects in conformity with an acceptable financial framework. Other objectives of financial audits, which provide for different levels of assurance and entail various scopes of work, may include:
Providing an opinion for specified elements, accounts, or items of a financial statement
Reviewing interim financial information
Issuing letters for underwriters and certain other requesting parties
Reporting on the processing of transactions by service organizations
Auditing compliance with applicable requirements relating to governmental financial assistance
Financial audits for states, local governments, and non-profit organizations are generally performed through the Single Audit process by outside entities. In addition, many STAs have “external audit” groups that conduct financial-related audits of architectural and engineering firms to provide assurance that their indirect cost rates are developed in compliance with federal requirements.
Performance audits are objective and systematic examinations of evidence against specific criteria in order to provide an independent assessment of the control design and operating effectiveness of a program or processes implemented to meet agency objectives. Performance audits provide an objective analysis to assist management and those charged with governance and oversight in using the information to improve program performance and operations, reduce costs, facilitate decision making by parties with responsibility to oversee or initiate corrective action, and contribute to transparency and public accountability.
Performance audit objectives vary widely and include assessments of program effectiveness, economy, and efficiency; internal control; compliance; and prospective analyses (defined later). These overall objectives are not mutually exclusive. Consequently, a performance audit may have more than one objective.
Program effectiveness and results audits are frequently interrelated with economy and efficiency audits. Audit objectives that focus on program effectiveness and results typically measure the extent to which a program is achieving its goals and objectives. Audit objectives that focus on economy and efficiency address the costs and resources used to achieve program results.
Examples of program effectiveness and results audits include assessing:
The extent to which legislative, regulatory, or organizational goals and objectives are being achieved, with outcomes that support the objectives of the program
The relative ability of alternative approaches to yield better program performance or eliminate factors that inhibit program effectiveness
The relative cost and benefits or cost effectiveness of program performance
Whether a program produces results or effects not intended by the objectives
The extent to which programs duplicate, overlap, or conflict with other programs
Whether the audited entity is following sound procurement practices
The validity and reliability of performance measures concerning the program’s effectiveness and efficiency
The reliability, validity, or relevance of financial information related to the performance of a program
Whether the outcomes achieved the objectives of the program
Internal control audits are an assessment of one or more components of an organization’s system of internal control. They are designed to provide reasonable assurance of achieving effective and efficient operations, reliable financial and performance reporting, or compliance with applicable laws and regulations. Internal control objectives also may be relevant when determining the cause of unsatisfactory program performance. Internal controls include the plans, policies, methods, and procedures used to meet the organization’s mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations, and management’s system for measuring, reporting, and monitoring program performance. Examples of audit objectives related to internal control include the extent to which a program provides reasonable assurance that:
Organizational missions, goals, and objectives are achieved effectively and efficiently.
Resources are used in compliance with laws, regulations, or other requirements.
Resources are safeguarded against unauthorized acquisition, use, or disposition.
Management information and public reports that are produced, such as performance measures, are complete, accurate, and consistent to support performance and decision-making.
Security over computerized information systems will prevent or detect unauthorized access.
Contingency planning for information systems provides essential back-up to prevent unwarranted disruption of activities and functions the systems support.
Compliance audits are assessments of compliance with criteria established by provisions of laws, regulations, contracts, grant agreements, internal policies, or other requirements that could affect the acquisition, protection, use, and disposition of the entity’s resources and the quantity, quality, timeliness, and cost of services the entity produces and delivers. Compliance requirements can be either financial or nonfinancial.
Information technology audits include the evaluation of internal controls related to the development, operation, maintenance, and management of the information technology environment, infrastructure, and data. Some of the areas addressed include:
Governance of policy and process documentation.
Physical and logical security.
Application and infrastructure assets.
Monitoring.
Business continuity/disaster recovery.
System development review.
IT audits are becoming increasingly important as record keeping and transmission of non-public personal information rely on automation.
When an information system is significant to the audit objective, the audit should include an evaluation of the information technology controls to provide reasonable assurance that the information being processed and produced by the system is valid and reliable.
Follow-up audits are designed to test the status and evaluate the effectiveness of corrective actions taken on audit issues reported in prior released reports.
3.3—ATTESTATION ENGAGEMENTS
The subject matter for attestation engagements may take many forms, including historical or prospective performance or condition, physical characteristics, analyses, system processes and behavior. Attestation engagements may cover a broad range of financial or non-financial subjects and can be part of a performance review. Possible subjects of attestation engagements can include reporting on:
An entity’s internal control over financial reporting
An entity’s compliance with requirements of specified laws, regulations, rules, contracts or grants
The effectiveness of an entity’s internal control over compliance with specified requirements, such as those governing the bidding for, accounting for, and reporting on grants and contracts
Management’s discussion and analysis presentation
Prospective financial statements or pro-forma financial information
Allowability and reasonableness of proposed contract amounts and specific procedures performed on a subject matter (agreed-upon procedures)
There are three types of attestation engagements:
Examination
Examinations consist of obtaining sufficient evidence to express an opinion on whether the subject matter is based upon or in conformity with the criteria in all material respects or the assertion is presented or fairly stated, in all material respects, based upon the criteria. Examinations provide the highest level of assurance outside of an audit. Since assurance is provided in an examination, the risk of undetected material misstatement must be reduced to a tolerable amount.
Review
Reviews consist of performing sufficient testing to express a conclusion about whether any information came to the auditors’ attention that indicates the subject matter is not based upon or in conformity with the criteria in all material respects. The auditor may conclude that the assertion is not presented, in all material respects, based upon the criteria. Reviews provide negative assurance. Negative assurance means that nothing came to the auditors’ attention that would lead them to believe the subject matter did not conform to the criteria.
Agreed-upon procedures
Agreed-upon procedures consist of performing specific procedures on a subject matter and issuing a report of findings based upon the agreed-upon procedures. The auditors do not express an opinion about the subject matter but issue a report of findings based upon specific procedures performed on the subject matter.
3.4—NON-AUDIT SERVICES OR CONSULTING SERVICES
Internal audit organizations may provide non-audit services or consulting services. These types of services are generally performed at the discretion of the head of the audit organization, at the request of management of a bureau/division within the STA, or for an oversight body or independent external organization. Designed and executed appropriately, these services generally do not impair the auditors’ independence.
These services may be considered advisory services provided by an Internal Audit group to the STA. They are services, other than specific audit work, that are provided and are intended to add value and improve the organization’s governance, risk management, and control processes. Consulting services include counsel, advice, facilitation, or training regarding issues such as internal control structure, compliance, governance and risk management. Consulting may come in the form of informal or formal consulting services.
Informal consulting services generally consist of meeting with STA management and staff to discuss issues and requirements and provide advice. Generally no formal documentation of these services is required. They might consist of discussing with management or staff where they can find information regarding certain requirements or explaining how the requirements are generally viewed by an auditor. They may include an explanation or training on the types of internal controls or their use.
Formal consulting comes in the form of a special project and requires documentation to support the services. The extent of the documentation required to support the services will depend upon the scope of the project and the work performed. However, sufficient evidence must be obtained to support any conclusions that are made.
Other examples of non-audit/consulting services include the following:
Gathering and providing information to a requesting party without providing an evaluation or verification of the information
Providing advice on potential improvements of standards, methodologies, policies, procedures, and internal control
Providing assistance and technical expertise to legislative bodies or developing questions for use at legislative hearings
Advising an entity regarding its performance of internal control assessments
Providing advice to management officials to help them identify good business practices
Conducting OMB A-133 Desk Reviews
Audit organizations may also be asked to perform prospective analysis engagements. These engagements provide analysis or conclusions about information that is based upon assumptions about events that may occur in the future, along with possible actions that the entity may take in response to future events. Examples of prospective analysis engagements may include:
Performing risk assessments to determine program or policy alternatives, including forecasting program outcomes under various assumptions
Assessing the advantages and disadvantages of legislative proposals
Analyzing views of stakeholders on policy proposals for decision-makers
Identifying best practices for use in evaluating program or management system approaches, including financial and information management systems
Producing a high-level summary that affects multiple programs or entities on issues studied or under study