Internal Audit Guide


Date: 02.02.2017

9.3—ATTESTATION PROGRAM PURPOSE AND SCOPE
The purpose of the following attestation program is to provide a general program for conducting attestation engagements. It covers steps applicable to all three types of attestations: examinations, reviews, and agreed-upon procedures. These engagements are narrower in scope than full audits.
This program has the following major objectives:


  • Determine the appropriate type of attestation and scope

  • Understand the program or subject area under engagement

  • Identify risk elements

  • Identify significant compliance requirements

  • Identify significant reporting requirements

Program steps are based on the AICPA Statements on Standards for Attestation Engagements (SSAE) and Generally Accepted Government Auditing Standards (GAGAS) promulgated by the Government Accountability Office (GAO). This program may be used for examination, review or agreed-upon procedure attestation engagements, as stated above.




A. Preplan the Attest Engagement

1. Determine whether attest engagement will be an examination, review or agreed-upon procedure. (Refer to comparison chart of examination, review and agreed-upon procedure attestation engagements at the end of this program.)

2. In determining the assignment, consider the following:

  • Does auditor have sufficient technical training & proficiency to perform engagement?

  • Does auditor have adequate knowledge of subject matter?

  • Are there criteria suitable & available to evaluate the subject matter?

  • Is auditor independent in both mind and appearance?

  • Is auditor able to exercise due professional care in planning & performing engagement and the preparation of report?

B. Plan the Attest Engagement

1. Maintain timesheet of hours spent on engagement

2. Adequately plan the attest engagement by considering the following:

  • Plan procedures to address the objectives of the attest engagement

  • Determine criteria which will be the basis of the engagement

  • Make initial judgments regarding risk and materiality of engagement (may be appropriate to use lower materiality levels because of public accountability of government agencies)

  • Consider likelihood of revising or adjusting the subject matter

  • Consider whether attest procedures should be modified or extended

  • Verify or adjust the nature of the attest engagement: examination, review or agreed-upon procedure

3. Notify appropriate management, in writing, of the intent and date to conduct an attest engagement of a program or activity (engagement letter/email). Letter should include:

  • Objective of the engagement

  • Management’s responsibility

  • Auditor’s responsibility

  • Limitations of the engagement (e.g. specific scope and expected deliverables)

4. Additional guidance for agreed-upon procedures (AUP)

  • Terms of the AUP should be understood by the auditor and ideally expressed in an engagement letter

  • Specific procedures on the subject matter must be agreed to by the auditor and the specified party making the request

  • The specified party is responsible for determining the sufficiency of the procedures

  • The criteria to be used for determining a conclusion must be agreed to by the auditor and specified party

  • There is agreement between auditor and specified party regarding materiality, if applicable

  • If the work of a specialist is used, the auditor and specified party should explicitly agree to that use

5. Plan for supervision of team members, if assigned

6. Review background information, such as applicable laws, policies and regulations, to become familiar with activities of the division or section. Consider the following:

  • Federal regulations

  • State laws, policies, procedures and rules

  • Administrative code

  • ITD department policies and rules

  • ITD manuals affecting subject area

  • Internal or external peer review reports

  • Industry standards & best practices

  • Mission, vision and goals

7. Obtain the organizational chart for the office, define positions and functions, and identify vacancies

8. Determine if current desk manuals are available

9. Review prior internal audit report, program and work papers, if applicable, and note areas of audit interest

  • Document findings for appropriate follow up

  • Identify any reported weaknesses that haven’t been corrected

10. Search for review/audit reports from external groups

11. If applicable, obtain printouts of the total revenue and expenditure transactions for the latest completed fiscal year

12. Conduct an interview with the division administrator, section manager or specified party for input on perceived risks to their program or activity. Discuss:

  • Programs and activities

  • Any changes in policies, procedures and organization

  • Employee turnover rate

  • General internal control environment

  • Performance goals, measures or tracking

  • Ask management if they are aware of any fraud, waste or abuse

  • Obtain policies and procedures related to program or activity under engagement

  • Consider whether an evaluation is indicated for any of the above items

13. Conduct an entrance conference with the Division Administrator, section manager or specified party. Discuss:

  • Objective(s) of engagement

  • Estimated length of engagement

  • Responsibilities of Management regarding the engagement

  • Responsibilities of the auditor regarding the engagement

14. Interview executive management and other stakeholders to determine areas of interest or concern

15. Identify programs and activities, flowchart processes, and evaluate for risk

  • Evaluate for adequate internal controls

  • Note any gaps or weaknesses in controls

  • Identify risks to the program or activities

  • Verify risks with employees responsible and with management or resolve if additional mitigating information is provided

  • Prioritize risks as high, medium or low based on probability and impact

  • Consider the probability of each risk occurring

  • Consider the impact to the program or activity if it occurred

  • Identify the priority level for each risk (high, medium or low)

16. Meet with Audit Manager to verify or refine original objective(s) to focus efforts

  • Determine scope, and resource and time budget for assignment

  • Consider Government Accountability Office (GAO) Audit Standards

  • Consider AICPA Statements on Standards for Attestation Engagements (SSAE)

C. Fieldwork Phase

1. Obtain sufficient evidence (based on nature of attest engagement) to provide a reasonable basis for a conclusion

  • Evaluate inherent risk (inherent risk in the type of process or treatment of transactions)

  • Evaluate control risk (risk that internal controls are not present and/or not operating adequately)

  • Evaluate detection risk (risk that a material weakness or fraud, waste or abuse won’t be detected)

  • Strive to achieve a low level of audit risk for examination engagements

  • Strive to achieve a moderate level of audit risk for review engagements

  • Add newly identified risks to list of risks already identified and prioritize as in step B.15

2. Design examination engagement to detect instances of fraud and noncompliance with laws, regulations, contracts and grant agreements that may have a material effect on the subject matter

  • Assess risk and possible effects of fraud and noncompliance with laws, etc.

  • Document risk factors and auditor’s conclusion regarding those risks

  • If auditor becomes aware of abuse that could be material to subject matter, design procedures to assess the potential effect

  • Instances of fraud; noncompliance with laws, regulations, contracts or grant agreements; or abuse should be communicated to those charged with governance

3. If, while conducting procedures of a review or agreed-upon procedure engagement, instances of fraud; noncompliance with laws, regulations, contracts or grant agreements; or abuse come to the auditor’s attention, those charged with governance should be informed

4. Obtain evidential matter for agreed-upon procedure to provide a reasonable basis for conclusions. Appropriate procedures may include:

  • Conduct specific procedures as established by specified user

  • Need not perform additional procedures outside the scope of engagement

  • Conduct sampling according to agreed-upon parameters

  • Inspect specified documents for evidence of certain transactions or detailed attributes

  • Confirm specific information with third parties

  • Compare documents, schedules or analyses with specified attributes

  • Perform specific procedures on work performed by others

  • Perform mathematical computations

5. Determine scope of testing for examinations & reviews; consider quality and quantity of evidential matter

  • Consider previous audit findings and recommendations in assessing risk and determining scope of testing

  • Conduct interviews and observations

  • Conduct site visits if appropriate

  • Obtain financial reports for inspection or testing

  • Document findings and observations

  • Document management comments

  • Determine whether internal controls are adequate; consider expanding testing if not

  • Include purpose, source, scope and conclusion in work papers

6. Document meetings to update Audit Manager on progress and status of attestation assignment

7. Provide periodic communication with administrator, section manager or specified party requesting attestation engagement and with management under audit, if different

  • Document periodic communication

  • Update administrator or manager on progress, any identified problems or suggested best practices

8. Review or Agreed-Upon Procedures: Prepare draft report identifying results, conclusions and recommendations

9. Examinations: Prepare draft report identifying findings and recommendations. Must develop elements of findings (criteria, condition, cause and effect)

D. Reporting Phase

1. Compliance with reporting standards

  • Identify subject matter and character of engagement

  • Conclusion relates to criteria used to evaluate subject matter

  • Document the nature, timing, extent and results of the attest procedures and information obtained; quantify results if possible (experienced auditor test)

  • In following GAGAS standards, include a statement that the attestation engagement was conducted in accordance with GAGAS

  • If a review, GAGAS statement should include statement that a review engagement is substantially less in scope than an examination, the objective of which is to express an opinion on the subject matter, and accordingly, review reports express no such opinion

  • If an agreed-upon procedure, GAGAS statement should include a statement that “auditors were not engaged to and did not conduct an examination or a review of the subject matter, the objective of which would be the expression of an opinion or limited assurance and that if the auditors had performed additional procedures, other matters might have come to their attention that would have been reported.”

  • The agreed-upon procedure report is also required to state that the sufficiency of the procedures is solely the responsibility of the specified parties and must include a disclaimer of responsibility for the sufficiency of the procedures

  • Agreed-upon procedure reports must be restricted to the specified party or parties

  • Document any departures from GAGAS requirements and the impact on the engagement and conclusions

  • Document any significant reservations, such as scope deficiencies and engagement reservations, and determine if a qualified conclusion or disclaimer should be reported

  • Document instances of fraud and noncompliance with laws, regulations, contracts and agreements that have a material effect on the subject matter

  • Document instances of abuse that have a material effect on the subject matter

  • Document if separate reports are being issued for fraud, noncompliance or abuse

  • Document significant deficiencies or material weaknesses in internal controls

  • Document if confidential and sensitive information was omitted and reason for omission

  • Determine whether to communicate internal control deficiencies not considered significant or material to those charged with governance

2. Document meetings with team and Audit Manager to review and approve findings and/or conclusions, and recommendations

3. Conduct preliminary close out meeting with managers and supervisors to listen to and discuss the section’s input and concerns regarding findings and/or conclusions, and recommendations

4. Hold close out meeting with division administrator, section manager, or specified party; chief officer; controller and any other executive/management stakeholders

5. Request and review management’s responses and action plans; note whether a target date and responsible position are identified; or note audited entity did not provide comments

6. Present final attestation report to Director/Secretary, obtain concurrence and signature, and distribute (electronically and/or hardcopy)

  • Distribute report to those charged with governance, the audited section’s management and other stakeholders as appropriate

  • If subject matter involves material that is classified for security reasons or contains confidential or sensitive information, auditor should limit distribution

  • Include statement if restricted distribution, “This report is intended solely for the information and use of __________________.” (e.g. agreed-upon procedures)

  • Consider need to report findings or conclusions to outside agencies

7. Finalize work paper documentation and obtain internal quality control assessment of attest work papers

8. Retain documents according to department policy

9. Administrative procedures are in place to maintain the confidentiality of attest documentation

E. References

1. AICPA AT Section 50 establishes the SSAE Hierarchy

2. AICPA AT Section 101 provides guidance and practice aids for examinations and reviews

  • Checklists for an examination and review report

  • Sample examination and review reports

3. AICPA AT Section 201 provides guidance and practice aids for agreed-upon procedures

  • Checklist for an agreed-upon procedure report

  • Sample agreed-upon procedure report

4. GAGAS incorporates AICPA standards by reference

Glossary
Actual Costs — Amounts determined based on costs incurred and supported by source documentation, such as invoices, receipts, and cancelled checks. Actual costs are generally not determined based on forecasts or historical averages.
Administrative Expenses — Costs that are not directly identified with any one item of work, but when taken as a whole, support or contribute to all activities of a firm.
Agreement — An obligation between two parties that is less formal than a contract, which identifies the deliverable goods or services to be provided, under what conditions, and the method of reimbursement for such goods and services. An agreement may include both federal and state requirements that must be met by the STA and entity. Agreements usually indicate start and finish dates, record retention requirements, and other pertinent information relative to the work to be performed. In the context of this guide, generally refers to intergovernmental obligations, such as grant agreements.
Allocable — A cost is allocable to a government contract if the cost is incurred specifically for the contract; benefits both the contract and other work, and can be distributed to them in reasonable proportion to the benefits received; or is necessary to the overall operation of the business, although a direct relationship to any particular cost objective cannot be shown.
Allowable — A cost is an allowable charge to a government contract only if the cost is reasonable, allocable, compliant with GAAP, compliant with terms of the contract, and not prohibited by federal cost principles.
Analytical Procedure — An audit procedure whereby an auditor assesses information by comparing it to certain parameters or expectations selected by the auditor. It involves the auditor reasonably expecting a certain relationship among certain information and expecting those relationships to continue unless there are known conditions that should cause the relationship to not exist. The expected conditions should be developed by the auditor through the use of reliable sources to ensure an unbiased comparison. Some common analytical procedures include ratio analysis, trend analysis, comparison between periods, comparison to budgets and forecasts, external benchmarking, and internal benchmarking.
AASHTO — American Association of State Highway and Transportation Officials
AICPA — American Institute of Certified Public Accountants, the national professional organization of Certified Public Accountants
Audit Confirmation — An audit procedure whereby an auditor obtains direct written verification of the accuracy of information from a third party. Positive confirmation is obtained by asking the third party to respond by stating whether or not they believe the information is correct. Negative confirmation asks the third party to respond only if there is an issue. Positive confirmation is more reliable because, with negative confirmation, a lack of response gives no certainty that there is no issue.

