Loading...
HomeMy WebLinkAboutCOM 0601.001 2012-2014 J Yoshimoto Lane Shibata Of . of N��'' Acting Legislative Auditor Chair&Presiding Officer `o.�:%"•• ', S S� Council District 2 +:�� ?�; `�/, :+I% Business Address 1266 Kamehameha Avenue �oq.4 SuiteA-8 •-14... j„:441%- Hilo,Hawaii 96720 County of Raiintiq OFFICE OF THE LEGISLATIVE AUDITOR 25 Aupuni Street * Hilo,Hawai`i 96720 * (808)961-8386 * Fax(808)961-8905 website:http:-ihawaiicountv.gov e-mail:publiclao(a�co.hawaii.hi.us iv January 2, 2014 - Chairman J Yoshimoto Hawai`i County Council -. 25 Aupuni Street Hilo, Hawai`i 96720 Dear Chairman Yoshimoto: This letter transmits our revised Audit Manual (Updated with the Government Auditing Standards 2011 Revision). The purpose of this audit manual is to provide a description of the duties and responsibilities of the Office of the Legislative Auditor and to establish written policies and procedures for the office. This audit manual is a reference and guide for audit staff in order to ensure that our audit work is conducted in accordance with government auditing standards (GAS). Sincerely, LANE H. SHIBATA Acting Legislative Auditor Enclosures LS: map Comm. No. (001 Ref.To: FL Ref. Dote JAN Q 2 014 Hawaii County is an Equal Opportunity Provider and Employer County of Hawai' i Office oft he Legislative Auditor N,-Y OF f►.Q ,••• •••4 „. .......•'.- • - - ,,......„7„ 3 :. : 4, 4w ... f s Audit Manual (Updated with the Government Auditing Standards 2011 Revision) FOREWORD We wish to express our appreciation for the assistance and guidance extended by the City Auditor and the staff of the Office of the City Auditor, City and County of during preparation of this audit manual. Table of Contents (Yellow Book 2011 Revision) Section IIntroduction and Overview Introduction...............................................................I-1 Mission......................................................................I-1 Authority and Independence.....................................I-2 Annual Audit Plan.....................................................I-3 County-wide Risk Assessment Model......................I-4 Relationship between GAGAS and Other Professional Standards..................................I-5 What is an Audit?......................................................I-5 Financial Audits........................................................I-6 Attestation Engagements..........................................I-7 Performance Audits..................................................I-9 Nonaudit Services...................................................I-10 Follow-up Audits and Monitoring of Audit Recommendations.......................................I-10 Section IIEthical Principles and General Standards Introduction..............................................................II-1 Ethical Principles.....................................................II-1 The Public Interest.......................................II-2 Integrity........................................................II-2 Objectivity....................................................II-3 Proper Use of Government Information, Resources,andPosition...................II-3 *Professional Behavior..................................II-4 General Standards....................................................II-4 Independence...............................................II-4 Professional Judgment...............................II-12 Competence................................................II-14 Quality Control Assurance.........................II-17 Charter Protections.................................................II-21 OLA Independence Policies and Procedures.........II-22 Staff Independence and assignment...........II-22 Contract auditors and specialists................II-23 *Provision of nonaudit services..................II-23 Impairment after report issuance...............II-23 OLA CPE Policies and Procedures........................II-24 OLA Professional Judgment Policies And Procedures..............................II-26 i Supplement 1 (12-2013) OLA Quality Control Assurance (QCA) Policies and Procedures.............................II-27 *Assessment of QCA monitoring system...II-29 Compliancewith External Peer Review....II-29 Section IIIPlanningthe Audit Introduction.............................................................III-1 Reasonable assurance..................................III-1 Significance.................................................III-2 Audit risk....................................................III-2 Planningfor Performance Audits............................III-3 Nature and profile of the program and userneeds........................................III-4 Internal control............................................III-7 Information systems controls......................III-9 Provisions of laws, regulations, contracts, and grant agreements....................III-11 Fraud.........................................................III-11 Abuse........................................................III-12 Ongoing investigations or legal proceedings...................................III-13 Follow-up on previous audits....................III-13 Identifying audit criteria...........................III-13 Identifying sources of evidence................III-13 Using the work of others...........................III-14 Assigning staff and other resources..........III-15 Communicating with management, those charged with governance, and others......................................III-16 Preparing awritten audit plan...................III-17 Supervision...............................................III-17 OLA Planning Process..........................................III-18 Four steps of planning...............................III-19 Step One: Project initiation and expectations...................................III-19 Step Two: Preliminary survey..................III-20 Step Three: Risk assessment.....................III-21 Step Four: Work Program.........................III-25 Types of Audit Files..................................III-30 Confidential Working Papers....................III-31 Reconsideration and Termination of an Audit....................................III-31 Section IVFieldwork and Testing ii Supplement 1 (12-2013) Introduction............................................................IV-1 Review Internal (Management Controls)...............IV-2 Assessing risk.............................................IV-2 Reviewing and testing controls..................IV-3 Determining known effectiveness..............IV-3 Reviewing design controls.........................IV-3 Reviewing implementation of controls......IV-4 Reviewing documentation of transactions................................IV-4 Access to confidential or sensitiveinformation......................IV-4 Testing for Compliance..........................................IV-4 Illegal acts and other noncompliance.........IV-5 Testing procedures.....................................IV-5 Risk of fraud..............................................IV-6 Risk of abuse..............................................IV-6 Reporting of noncompliance......................IV-6 Handling issues of law and coordination of legal services........IV-7 Evidence Standards for Performance Audits.........IV-7 Appropriateness.........................................IV-8 Sufficiency...............................................IV-10 Overall assessment of evidence...............IV-10 Audit Findings.....................................................IV-12 Elements of a finding...............................IV-12 Audit Recommendations......................................IV-14 Audit Documentation...........................................IV-14 OLA Working Paper Standards...........................IV-16 OLA Working Paper Policies and Procedures.....IV-19 Types of working papers..........................IV-19 Interviews.................................................IV-21 Sampling..................................................IV-23 Preparation of Working Papers................IV-26 Tying Working Papers to Workplan........IV-28 Security of Working Papers.....................IV-29 Disclosure of Working Papers.................IV-29 Preliminary Audit Findings and Recommendations........................IV-30 Report Outline..........................................IV-30 Section VReport Preparation and Distribution Introduction..............................................................V-1 Report Quality Elements..........................................V-1 Accurate.......................................................V-1 Objective......................................................V-1 iii Complete......................................................V-2 Convincing...................................................V-2 Clear.............................................................V-2 Concise.........................................................V-3 Timely..........................................................V-3 Reporting Standards.................................................V-3 Report Contents.......................................................V-4 Objectives, Scope and Methodology...........V-5 Findings........................................................V-6 Reporting Internal Control Deficiencies..................V-7 Reporting Fraud; Noncompliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements; and Abuse.....................V-7 Reporting Findings Directly to Parties Outside the Audited Entity...........................V-8 Conclusions..............................................................V-9 Recommendations....................................................V-9 GAGAS Compliance Statement..............................V-9 Reporting Views of Responsible Officials............V-10 Reporting Confidential and Sensitive Information.................................V-12 Distributing Reports...............................................V-12 OLA Reporting Policies and Procedures...............V-13 Report Format............................................V-13 Developing Draft Reports..........................V-19 Indexing Draft Reports to Working Papers..............................V-19 Independent Report Review (IRR)............V-20 Supervisory Review of Draft Report.........V-21 Agency Comment to Preliminary Draft Report...................................V-21 Agency Response to Final Draft Report/ Auditor Comment or Rebuttal.......V-22 Production and Distribution of Final Audit Report.........................V-22 Presentation of Audit Report.....................V-24 Public Availability of Audit Reports.........V-25 Disclosure of Confidential or Sensitive Information.....................V-25 Insufficient and Inappropriate Evidence After Report Issuance.....V-25 Section VIProject Closure End ofAudit...........................................................VI-1 Document Retention..............................................VI-1 Project Evaluation..................................................VI-1 iv Staff Evaluation.....................................................VI-1 Section VIIUse of Consultant Services Introduction...........................................................VII-1 Appropriate Uses..................................................VII-1 Procurement Procedure.........................................VII-1 Applicable Standards............................................VII-1 General Procurement Process...............................VII-2 Hawai’i Compliance Express (HCE)....................VII-3 Contract specifications..............................VII-4 General terms of contracts........................VII-4 Instructions for prospective consultants....VII-5 Solicitation of interested consultants........VII-6 Evaluation of statement of qualifications andproposals................................VII-7 Contract execution....................................VII-8 Contract administration.............................VII-8 Contract termination...............................VII-10 Evaluation of contractor..........................VII-11 List of Exhibits Section I:Policies and Procedures No Exhibits Section II:Ethical Principles and General Standards *Exhibit II–A:Project Statement of Independenceand Assignment Exhibit II–B:CPE Training Summary Exhibit II–C:Report of Completed CPE Training *Exhibit II –D:QCS Assurance Review Section III:Planning the Audit Exhibit III–A:Sample Scope Statement Exhibit III–B:Sample Risk Assessment AuditProgram Exhibit III–C:Sample Audit Plan Exhibit III–D:Sample Workplan Exhibit III–E:Sample Engagement Letter v Supplement 1 (12-2013) Section IV:Fieldwork and Testing Exhibit IV-A:Finding Development Worksheet Section V:Report Preparation and Distribution Exhibit V–A:Policy and Procedures for Conducting the Independent Report Review Exhibit V–B:Independent Report Review Worksheet Exhibit V–C:Audit Report Distribution Checklist Section VI:Project Closure Exhibit VI–A:Employee Performance Evaluation Section VII:Use of Consultant Services No Exhibits vi Section I Policies and Procedures The purpose of this audit manual is to provide a description of the duties Introduction and responsibilities of the Office of the Legislative Auditor(office) and to establish internal policies and procedures for the office. This audit manual is a reference and guide for audit staff, in order to ensure that our audit work is conducted in accordance with government auditing standards (GAS). Thisaudit manual describes the audit function of the office, its authority to conducts audits, and the general way in which audits are planned, organized, carried out, and reported by the office.In addition, this audit manual serves to guide employees of the officein the conduct of their work and to ensure that the office meets generally accepted government auditing standards (GAGAS) as set forth in the Government Auditing Standards, commonly referred to as the Yellow Book2011 Revision,issued by the U.S. Government Accountability Office (GAO). Periodically, the policies and procedures of this audit manual will be reviewed by the legislative auditor and the audit staff to ensure that this audit manual is appropriate and complete. An electronic version of this audit manual and accompanying formis stored on the office shared drive titled Audit Manual. This audit manual is not a contract of employment between the officeand its employees. The officemaintains an administrative manual for itsat will, exempt appointedemployees. Mission The Office of the LegislativeAuditor (office)independently serves the council and citizens of the Hawai‘iCountyby promoting accountability, fiscal integrity,and openness in local government. We serve as a catalyst for improving countygovernment. Through postaudits of countyagencies, programs and departments, the office will examine the use of public funds, evaluate programs and activities, and provide analyses, options, and recommendations to decision makers in a timely, accurate, and objective manner. Furthermore, the council and the public need objective and timely information about what departments and programs are doing and how they could perform them more effectively, efficiently, and economically.Our work helps to hold countygovernment accountable for its stewardship of the public trust, management of programs and resources, and expenditure of public funds. I-1 Section I: Policies and Procedures (Yellow Book 2011Revision) The Office of the Legislative Auditor was established in 2008 by a charter Authorityand amendment approved by a majority vote of the Hawai‘iCounty citizens. Independence The Hawai‘iCounty Charter(2012Edition)§3-18provides: (a)There is establishedwithin the legislative branch an independent office of the legislative auditor to be headed by a legislative auditor who shall be appointedby the county council and shall serve for a period of six years, and thereafter, until a successor is appointed. The council, by a two-thirds vote of its membership, may remove the legislative auditor from office at any time for cause. (b)The legislative auditor shall possess adequate professional proficiency for the office demonstrated by relevant certification, such as certification as a certified internal auditor or certified public accountant or an advanced degree in a relevant field, and at least three years of general auditing experience which shall include a minimum of one year’s experience in the field of government auditing. A certified internal auditor or certified public accountant shall be preferred. All financial audits shall be conducted by a certified public accountant. (c)The legislative auditor shall submit an annual budget to the county council. The legislative auditor on behalf of the county council shall hire the necessary staff for which appropriations have been made by the county council. (d)The legislative auditor shall conduct or cause to be conducted: (1)The annual financial audit of the county, as required in Article X, Financial Procedures, Section 10-13, Post-audit. (2)Performance and/or financial audits of the funds, programs, services, and operations of any county agency, executive agency, or program, as set forth by the legislative auditor in an annual audit plan that shall be transmitted to the county council and the mayor and filed with the county clerk as a public record. (3)Follow-up audits and monitoring of responses to audit recommendationsby audited entities. (e)For the purposes of this section, “county agency” or “executive agency” includes any office, department, board, commission, agency, semi-autonomous agency, or other governmental unit of the county in the executive or legislative branch that is supported, in whole or in part, by county funds. I-2 Section I: Policies and Procedures (Yellow Book 2011Revision) (f)For purposes of carrying out any audit, the legislative auditor shall have: (1)Full, free, and unrestricted access to any county officer or employee. (2)Full, free, and unrestricted access to and authority to examine and inspect any record of any county agency, executive agency, or program except for any record protected from disclosure by law, rule or privilege. (3)Full, free, and unrestricted access to and authority to examine and inspect any property, facility, or equipment of any county agency, executive agency, or program pertinent to the audit or to a contract. (4)Full, free, and unrestricted access to and authority to administer oaths and subpoena witnesses and compel the production of records pertinent thereto. If any person subpoenaed as a witness or compelled to produce records shall fail or refuse to respond thereto, the proper court, upon request of the auditor, shall have the power to compel obedience to any process of the auditor and to punish, as contempt of court, any refusal to comply therewith without good cause. The auditor may retain special counsel, in the manner authorized by the council, to represent the auditor in implementing these powers. (g)The legislative auditor shall conduct or cause to be conducted all audits in accordance with government auditing standards, and shall set forth final audit findings and recommendations in written reports, copies of which shall be transmitted to the county council and the mayor and filed with the county clerk as public records. Pursuant to section 3-18(d)(2) of the Hawai‘iCounty Charter, as amended, AnnualAudit Plan the legislative auditor shall conduct or cause to be conducted performance and/or financial audits of the funds, programs, services, and operations of anycounty agency, executive agency, or program as set forth by the legislative auditor in an annual audit plan that shall be transmitted to the county council and the mayor and filed with the county clerk as a public record. In developing the audit plan, the legislative auditor identifies and prioritizes potential audit areas, by utilizing a county-wide risk assessment model, and, together with the audit staff, considers what realistically can be accomplished during the fiscal yearutilizing available funds and resources. I-3 Section I: Policies and Procedures (Yellow Book 2011Revision) The annual audit plan istransmitted to the council for consideration and comment, but not for approval. The office uses a risk assessment model as a tool in preparing our annual County-wide Risk audit plans.A county-wide risk assessment is conducted approximately Assessment Model every three years in order to develop our annual audit plans.The risk assessment process evaluates the major county funds, programs and activities, and services and operations of all county agencies and departments. A listof the risk criteria is developed and linkedto each individual survey question. Risk assessment surveys categorized into four types are completed by managerial personnel at different administrative levels: Cross-DepartmentalSurvey (mayor, managing/deputy managing directors, finance/deputy finance directors, corporation counsel/assistant corporation counsel, and councilmembers). DepartmentalSurvey (directors and deputy directors). DivisionSurvey (heads and supervisors). Program/ActivitySurvey (personnel directly responsible for each program/activity). Each survey contains the following risk criteria: Change Risk Ethics Financial Risk Health andSafety Legal andCompliance Planning andPerformance Public Perception Public Purpose Size andComplexity Technology The above-listedcriteria arerankedinto high, medium, or low levels of risk, usingthe average scores from the cross-departmental survey responses for each criteria. I-4 Section I: Policies and Procedures (Yellow Book 2011Revision) The Risk Assessment Process The first stage in the risk assessment process entailsdesign of the survey instrument.This includesdrafting of the four surveys mentioned above, determining the assigned values for each survey response, obtaining proper legislative and administration approvals, and determining to whom the surveys will be sent. The foursurveys contain questionsassigned to eachof the tenrisk criteria,and responses will fall into the three ranked levels of risk (high, medium, and low). The second stage in the risk assessment process entails distribution of the surveys,answering questions on information that may be unclearin the surveys, and following up on the timely completion and return of the surveys. The third stage in the risk assessment process entailstabulation of the surveys. Utilizingthe values foreach survey response assigned in the preparation stage(including values assigned to each critical question that maynot receive a response), all surveyresponses are tabulated usingthe values of 1 to 5,with1beingthe lowest value and 5 beingthe highest value.Depending on how surveyquestions are worded, the values for certain responses maybe reversed, with1beingthe highest value and 5 being the lowest value.As statedabove,the ten criteria are ranked into high, medium, or low levels of risk,usingthe average scores from the cross-departmental survey responses for each criteria.Theprogram/activity survey tabulation is then incorporated into the division survey tabulation, which isthen incorporated into the department survey tabulation. The last stage in the risk assessment process entails ranking of all departments fromhigh risk to low risk. This risk assessment rankingof departments is then used to determine the office’s focus in planning specific annualaudits for upcomingfiscal years. Auditors may use GAGAS in conjunction with professional standards Relationship issued by other authoritative bodies. [GAS 2.19] between GAGAS and Other Professional Auditors may also cite the use of other standards in their audit reports, as Standards appropriate. If the auditor is citing compliance with GAGAS and inconsistencies exist between GAGAS and other standards cited, the auditor should use GAGAS as the prevailing standard for conducting the audit and reporting the results. Whatis an Audit? It has been suggested that audits are one technique or approach that is part of the larger field of policy analysis. In general, the purpose of public policy analysis is to apply rational decision making procedures to public issues. I-5 Section I: Policies and Procedures (Yellow Book 2011Revision) How this is accomplished has given rise to a number of widely used but vaguely defined terms: policy analysis, program evaluation, strategic planning, program analysis, as well as performance auditing. It appears that there is no widely accepted set of definitions of these terms, particularly for the purposes of distinguishing and choosing one approach over another to address aparticular problem. In lieu of any existing shared understandings, used as an example forthis audit manual, the following are offered as useful guidelines: The term policy analysis isused to describe the universe of analytical approaches and activities applied to public policy problems. Policy analysis approaches and activities are categorized into one of two general but not necessarily mutually exclusive sets:those approaches and activities that relate to planning, and those that relate to evaluation. The definition ofplanning 1.is set forth as the act of proposing a method for achieving an end.Planning defines the current condition and the end to be achieved, suggests alternative methods to achieve the end, evaluates the methods against certain standards or criteria, and thenidentifies the best method or combination of methods as the recommended plan of action. The definition forevaluation 2.isthe act of examining and judging the worth, quality, significance, amount, degree, or condition of something. An evaluation describes what exists and compares that against a standard or criteria with which judgment is made, and then states the result of such comparison. This definitional scheme suggests that the primary difference between these two policy analysis categories is whether the primary direction of the report is forward or backward in time. Those forms of policy analysis relating to planning are prospective in viewpoint, intending to guide future actions, while those relating toevaluation are retrospective in nature, intending to review past conditions or actions. Performance auditing includes aspects of both forms:evaluation to the extent that the audit is to judge the past performance of an agency or program, and planning to the extent that the audit develops recommendations that address the causes of known problems. The Yellow Book 2011 Revision, definesfinancial audits asfollows: Financial Audits Financial audits provide an independent assessment of whether an entity’s reported financial information (e.g., financial condition, results, and use of I-6 Section I: Policies and Procedures (Yellow Book 2011Revision) resources) are presented fairly in accordance with recognized criteria. Financial audits performed in accordance with GAGAS include financial statement audits and other related financial audits: a.Financial statement audits: The primary purpose of a financial statement audit is to provide an opinion about whether an entity’s financial statements are presented fairly in all material respects in conformity with an applicable financial reporting framework. Reporting on financial statement audits performed in accordance with GAGAS also includes reports on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements that have a material effect on the financial statements. b.Other types of financial audits: Other types of financial audits conducted in accordance with GAGAS entail various scopes of work, including: (1) obtaining sufficient, appropriate evidence to form an opinion on single financial statements, specified elements, accounts, or items of a financial statement; (2) issuing letters for underwriters and certain other requesting parties; and (3) auditing compliance with applicable compliance requirements relating to one or more government programs.[GAS 2.07] GAGAS incorporates by reference the American Institute of Certified Public Accountants (AICPA) Statements on Auditing Standards (SAS). Additional requirements for performing financial audits in accordancewith GAGAS are contained in (GAS) chapter 4. For financial audits performed in accordance with GAGAS, auditors should also comply with (GAS) chapters 1 through 3.[GAS 2.08] As a general rule, the office will hire consultants to perform its financial audits,and ensurescompliance with the foregoing standards through the procurement and contracting process whichis more fully discussed in Section VII –Use of Consultant Services –of this audit manual. Additionally, prior to using the work of a contract auditor or specialist, individuals or firms will be required to submit representations to the office regarding their independence from the audit entity. If an individual or firm has an impairment to independence, the office will not enter into a contract for its services. Prior to using the work of a contract auditor or specialist, individuals or firms will also be required to provide their most recent external peer review report and any letter of comment to the office. TheYellow Book2011 Revision, defines an attestation engagement as Attestation follows: Engagements I-7 Section I: Policies and Procedures (Yellow Book 2011Revision) Attestation engagements can cover a broad range of financial or nonfinancial objectives about the subject matter or assertion depending on the users’ needs.GAGAS incorporates by reference the AICPA’s Statements on Standards for Attestation Engagements (SSAE).Additional requirements for performing attestation engagements in accordance with GAGAS are contained in (GAS) chapter 5.The AICPA’s standards recognize attestation engagements that result in an examination, a review, or an agreed-upon procedures report on a subject matter or on an assertion about a subject matter that is the responsibility of another party. The three types of attestation engagements are: Examination a.:Consists of obtaining sufficient, appropriate evidence to express an opinion on whether the subject matter is based on (or in conformity with) the criteria in all material respects or the assertion is presented (or fairly stated), in all material respects, based on the criteria. Review b.:Consists of sufficient testing to express a conclusion about whether any information came to the auditors’ attention on the basis of the work performed that indicates the subject matter is not based on (or not in conformity with) the criteria or the assertion is not presented (or not fairly stated) in all material respects based on the criteria. Auditors should not perform review-level work for reporting on internal control or compliance with provisions of laws and regulations. Agreed-Upon Procedures c.:Consists of auditors performing specific procedures on the subject matter and issuing a report of findings based on the agreed-upon procedures. In an agreed-upon procedures engagement, the auditor does not express an opinion or conclusion, but only reports on agreed-upon procedures in the form of procedures and findings related to the specific procedures applied.[GAS 2.09] As a general rule, the office will hire consultants to perform its attestation engagements,and ensurescompliance with the foregoing standards through theprocurement and contracting process whichis more fully discussed in Section VII –Use of Consultant Services –of this audit manual. Additionally, prior to using the work of a contract auditor or specialist, individuals or firms will be required to submit representations to the office regarding their independence from the audit entity. If an individual or firm has an impairment to independence, the office will not enter into a contract for its services. Prior to using the work of a contract auditor or specialist, individuals or firms will also be required to provide their most recent external peer review report and any letter of comment to the office. I-8 Section I: Policies and Procedures (Yellow Book 2011Revision) Performance Audits The Yellow Book 2011Revision,definesaperformance audit asfollows: Performance audits are defined as audits that provide findings or conclusions based on an evaluation of sufficient, appropriate evidence against criteria.Performance audits provide objective analysis to assist management and those charged with governance and oversight in using the information to improve program performance and operations, reduce costs, facilitate decision making by parties with responsibility to oversee or initiate corrective action, and contribute to public accountability. The term “program” is used in GAGAS to include government entities, organizations, programs, activities, and functions. [GAS2.10] Performance audit objectives vary widely and include assessments of programeffectiveness, economy, and efficiency; internal control; compliance; and prospective analyses. These overall objectives are not mutually exclusive. Thus, a performance audit may have more than one overall objective. For example, a performance audit with an objective of determining or evaluating program effectiveness may also involve an additional objective of evaluating internal controls to determine the reasons for a program’s lack of effectiveness or how effectiveness can be improved… a.Program effectiveness and results audit objectives are frequently interrelated with economy and efficiency objectives. Audit objectives that focus on program effectiveness and results typically measure the extent to which a program is achieving its goals and objectives.Audit objectives that focus on economy and efficiency address the costs and resources used to achieve program results. b.Internal control audit objectives relate to an assessment of one or more components of an organization’s system of internal control that is designed to provide reasonable assurance of achieving effective and efficient operations, reliable financial and performance reporting, or compliance with applicable laws and regulations. Internal control objectives also may be relevant when determining the cause of unsatisfactory program performance. Internal control comprises the plans, policies, methods, and procedures used to meet the organization’s mission, goals, and objectives. Internal control includes the processes and procedures for planning, organizing, directing, and controlling program operations, and management’s system for measuring, reporting, and monitoring program performance. c.Compliance audit objectives relate to an assessment of compliance with criteria established by provisions of laws, regulations, contracts, or grant agreements, or other requirements that could affect the acquisition, protection, use, and disposition of the entity’s resources and the quantity, I-9 Section I: Policies and Procedures (Yellow Book 2011Revision) quality, timeliness, and cost of services the entity produces and delivers. Compliance requirementscan be either financial or nonfinancial. d.Prospective analysis audit objectives provide analysis or conclusions about information that is based on assumptions about events that may occur in the future, along with possible actions that the entity may take in response to the future events.[GAS 2.11] GAGAS does not cover nonaudit services, which are defined as NonauditServices professional services other than audits or attestation engagements. Therefore, auditors do not report that the nonaudit services were conducted in accordance with GAGAS. When performing nonaudit services for an entity for which the audit organization performs a GAGAS audit, audit organizations should communicate with requestors and those charged with governance to clarify that the work performed does not constitute an audit conducted in accordance with GAGAS. [GAS 2.12] When audit organizations provide nonaudit services to entities for which they also provide GAGAS audits, they should assess the impact that providing those nonaudit services may have on auditor and audit organization independence and respond to any identified threats to independence in accordance with the GAGAS independence standard. [GAS 2.13] Pursuant to section 3-18(d)(3) of the Hawai‘iCounty Charter, as amended, Follow-up Auditsand the legislative auditor shall conduct or cause to be conducted follow-up Monitoring of Audit audits and monitoring of responses to audit recommendations by audited Recommendations entities.The auditortransmits requests for statusreportson the implementationof audit recommendations tothe audited entities,and also requests that the audited entitiesprovideevidence of their implementation of audit recommendations.The auditorreviewsthe status reports and documentation submitted by the audited entities and determines whether to conduct fieldwork and/or testing to verify the actions reported.The auditor then issuesfollow-up audit reports in accordance with GAGAS standards and office policies and procedures as outlined inSection V –Report Preparation and Distribution –of this audit manual. I-10 Section II Fuijdbm!Qsjodjqmft!boe!Hfofsbm!Tuboebset The concept of accountability for public resources is the key in our nation’s Introduction governing process and acritical element for a healthy democracy. Government auditing is a key element in fulfilling thegovernment’s duty to be accountable to the people. Auditing allows stakeholders to have confidence in the reported information about the results of programs and operationsand in therelated systems of internal control. Government Auditing Standards as codified in the YellowBook, commonly referred to as generally accepted government auditing standards (GAGAS),provides a framework to auditors so that audit work can lead to improved government management, decision making, oversight, and accountability. The Yellow Book2011Revision,provides an overall framework for ensuring that auditors have the competence, integrity,objectivity, and independencein planning, conducting, and reporting on their work. This section also establishes the general standards and provides guidance for performing financial audits, attestation engagements,and performance audits under GAGAS. The general standards emphasize theindependence of the audit organization and its individual auditors; theexercise of professional judgment in the performance of work and thepreparation of related reports; the competence of audit staff; audit qualitycontrol and assurance; and external peer review. The general standardstogether with the ethical principles establish a foundation for credibility ofauditors’ work. The ethical principles presented in this section provide the foundation, Ethical Principles discipline, and structure, as well as the climate that influence the application of GAGAS. This section sets forth fundamental principles rather than establishing specific standards or requirements. [GAS 1.10] Because auditing is essential to government accountability to the public, the public expects audit organizations and auditors who conduct their work in accordance with GAGAS to follow ethical principles. Management ofthe audit organization sets the tone for ethical behavior throughout the organization by maintaining an ethical culture, clearly communicating acceptable behavior and expectations to each employee, and creating an environment that reinforces and encourages ethical behavior throughout all levels of the organization. The ethical tone maintained and demonstrated by management and staff is an essential element of a positive ethical environment for the audit organization. [GAS 1.11] Conducting audit work in accordance with ethical principles is a matter of personal and organizational responsibility. Ethical principles apply in II-1 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) preserving auditor independence, taking on only work that the audit organization is competent to perform, performing high-quality work,and following the applicable standards cited in the auditors’ report. Integrity and objectivity are maintained when auditors perform their work and make decisions that are consistent with the broader interest of those relying on the auditors’ report, including the public. [GAS 1.12] Other ethical requirements or codes of professional conduct may also be applicable to auditors who conduct audits in accordance with GAGAS. For example, individual auditors who are members of professional organizations or arelicensed or certified professionals may also be subject to ethical requirements of those professional organizations or licensing bodies. Auditors employed by government entities may also be subject to government ethics laws and regulations. [GAS 1.13] The ethical principles that guide the work of auditors who conduct audits in accordance with GAGAS are: a.the public interest; b.integrity; c.objectivity; d.proper use of government information, resources, and position; and e.professional behavior. [GAS 1.14] The Public Interest The public interest is defined as the collective well-being of the community of people and entities the auditors serve. Observing integrity, objectivity, and independence in discharging their professional responsibilities assists auditors in meeting the principle of serving the public interest and honoring the public trust. The principle of the public interest is fundamental to the responsibilities of auditors and critical in the government environment. [GAS 1.15] A distinguishing mark of an auditor is acceptance of responsibility to serve the public interest. This responsibility is critical when auditing in the government environment. GAGAS embodies the concept of accountability for public resources, which is fundamentalto serving the public interest. [GAS 1.16] Integrity Public confidence in government is maintained and strengthened by auditors performing their professional responsibilities with integrity. Integrity includes auditors conducting their work with an attitude that is objective, fact-based, nonpartisan, and nonideological with regardto audited entities and users of the auditors’ reports. Within the constraints of applicable confidentiality laws, rules, or policies, communications with the II-2 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) audited entity, those charged with governance, and the individuals contracting for or requesting the audit are expected to be honest, candid, and constructive.[GAS 1.17] Making decisions consistent with the public interest of the program or activity under audit is an important part of the principle of integrity. In discharging their professional responsibilities, auditors may encounter conflicting pressures from management of the audited entity, various levels of government, and other likely users. Auditors may also encounter pressures to inappropriately achieve personal or organizational gain. In resolving those conflicts and pressures, acting with integrity means that auditors place priority on their responsibilities to the public interest.[GAS 1.18] Objectivity The credibility of auditing in the government sector is based on auditors’ objectivity in discharging their professional responsibilities. Objectivity includes independence of mind and appearance when providing audits, maintaining an attitude of impartiality, having intellectual honesty, and being free of conflicts of interest. Maintaining objectivity includes a continuing assessment of relationships with audited entities and other stakeholders in the context of the auditors’ responsibility to the public. The concepts of objectivity and independence are closely related. Independence impairments impact objectivity.[GAS 1.19] Proper Use of Government information, resources, and positions are to be used for official Government purposes and not inappropriately for the auditor’s personal gain or in a Information, Resources, manner contrary to law or detrimental to the legitimate interests of the and Positions audited entity or the audit organization. This concept includes the proper handling of sensitive or classified information or resources.[GAS 1.20] In the government environment, the public’s right to the transparency of government information has to be balanced with the proper use of that information. In addition, many government programs are subject to laws and regulations dealing withthe disclosure of information. To accomplish this balance, exercising discretion in the use of information acquired in the course of auditors’ duties is an important part in achieving this goal. Improperly disclosing any such information to third parties is not an acceptable practice.[GAS 1.21] Accountability to the public for the proper use and prudent management of government resources is an essential part of auditors’ responsibilities. Protecting and conserving government resources and using them appropriately for authorized activities is an important element in the public’s expectations for auditors.[GAS 1.22] II-3 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) Misusing the position of an auditor for financial gain or other benefits violates an auditor’s fundamental responsibilities. An auditor’s credibility can be damaged by actions that could be perceived by an objective third party with knowledge of the relevant information as improperly benefiting an auditor’s personal financial interests or those of an immediate or close family member; a general partner; an organization for which the auditor serves as an officer, director, trustee, or employee; or an organization with which the auditor is negotiating concerning future employment.[GAS 1.23] Professional Behavior High expectations for the auditing profession include compliance with all relevant legal, regulatory, and professional obligations and avoidance of any conduct that might bring discredit to auditors’ work, including actions that would cause an objective third party with knowledge of the relevant information to conclude that the auditors’ work was professionally deficient. Professional behavior includes auditors putting forth an honest effort in performance of their duties and professional servicesin accordance with the relevant technical and professional standards.[GAS 1.24] A general standard, along with the overarching ethical principles noted General Standards previously, establishesa foundation for credibility of auditors’ work. Credibility is essential to all audit organizations performing work that government leaders and other users rely on for making decisions, and is what the public expects of information provided by auditors.These general standards emphasize the independence of the audit organization and its individual auditors; the exercise of professional judgment in the performance of work and the preparation of related reports; the competence of audit staff, including the need for their continuing professional education; and the existenceof quality control systems, assurance, and external peer reviews. Independence The general standard related to independenceprovides that: In all matters relating to the audit work, the audit organization and the individual auditor, whether government or public, must be independent. [GAS 3.02] Independence comprises: a.Independence of Mind The state of mind that permits the performance of an audit without being affected by influences that compromise professional judgment, thereby allowing an individual to act with integrity and exercise II-4 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) objectivity and professional skepticism. b.Independence in Appearance The absence of circumstances that would cause a reasonable and informed third party, having knowledge of the relevant information, to reasonably conclude that the integrity, objectivity, or professional skepticism of an audit organization or member of the audit team had been compromised.[GAS 3.03] Auditors and audit organizations maintain independence so that their opinions, findings,conclusions, judgments, and recommendations will be impartial and viewed as impartial by reasonable and informed third parties. Auditors should avoid situations that could lead reasonable and informed third parties to conclude that the auditors are not independent and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the audit and reporting on the work.[GAS 3.04] Except under the limited circumstances discussed in (GAS) paragraphs 3.47 and 3.48, auditors should be independent from an audited entity during: a.any period of time that falls within the period covered by the financial statements or subject matter of the audit, and b.the period of the professional engagement, which begins when the auditors either sign an initial engagement letter or other agreement to perform an audit or begin to perform an audit, whichever is earlier. The period lasts for the entire duration of the professional relationship (which, for recurring audits, could cover many periods) and ends with the formal or informal notification, either by the auditors or the audited entity, of the termination of the professional relationship or by the issuance of a report, whichever is later. Accordingly, the period of professional engagement does not necessarily end with the issuance of a report and recommence with the beginning of the following year’s audit or a subsequent audit with a similar objective.[GAS 3.05] GAGAS’s practical consideration of independence consists of four interrelated sections, providing: a.conceptual framework for making independence determinations based on facts and circumstances that are often unique to specific environments; b.requirements for and guidance on independence for audit organizations that are structurally located within the entities they audit; II-5 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) c.requirements for and guidance on independence for auditors performing nonaudit services, including indication of specific nonaudit services that always impair independence and others that would not normally impair independence; and d.requirements for and guidance on documentation necessary to support adequate consideration of auditor independence.[GAS 3.06] GAGAS Conceptual Framework Approach to Independence Many different circumstances, or combinations of circumstances, are relevant in evaluating threats to independence. Therefore, GAGAS establishes a conceptual framework that auditors use to identify, evaluate, and apply safeguards to address threats to independence.The conceptual framework assists auditors in maintaining both independence of mind and independence in appearance. It can be applied to many variations in circumstances that create threats to independence and allows auditors to address threats to independence that result from activities that are not specifically prohibited by GAGAS. [GAS 3.07] Auditors should apply the conceptual framework at the audit organization, audit, and individual auditor levels to: a.identify threats to independence; b.evaluate the significance of thethreats identified, both individually and in the aggregate; and c.apply safeguards as necessary to eliminate the threats or reduce them to an acceptable level.[GAS 3.08] Threats to Independence Threats to independence are circumstances that could impair independence. Whether independence is impaired depends on the nature of the threat, whether the threat is of such significance that it would compromise an auditor’s professional judgment or create the appearance that the auditor’s professional judgment may be compromised, and on the specific safeguards applied to eliminate the threat or reduce it to an acceptable level. Threats are conditions to be evaluated using the conceptual framework. Threats do not necessarily impair independence. [GAS 3.13] Threats to independence may be created by a wide range of relationships and circumstances. Auditors should evaluate the following broad categories of threats to independence when threats are being identified and evaluated: Self-interest threat a.-the threat that a financial or other interest will inappropriately influence an auditor’s judgment or behavior(see II-6 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) examples at GAS A3.03); Self-review threat b.-the threat that an auditor or audit organization that has provided nonaudit services will not appropriately evaluate the results of previous judgments made or services performed as part of the nonaudit services when forming a judgment significant to an audit(see examples at GAS A3.04); Bias threat c.-the threat that an auditor will, as a result of political, ideological, social, or other convictions, take a position that is not objective(see examples at GAS A3.05); Familiarity threat d.-the threat that aspects of a relationship with management or personnel of an audited entity, such as a close or long relationship, or that of an immediate or close family member, will lead an auditor to take a position that is not objective(see examples at GAS A3.06); Undue influence threat e.-the threat that external influences or pressures will impact an auditor’s ability to make independent and objective judgments(see examples at GAS A3.07); Management participation threat f.-the threat that results from an auditor’s taking on the role of management or otherwise performing management functions on behalf of the entity undergoing an audit (see examples at GAS A3.08); and Structural threat g.-the threat that an audit organization’s placement within a government entity, in combination with the structure of the government entity being audited, will impact the audit organization’s ability to perform work and report results objectively (see examples at GAS A3.09).[GAS 3.14] Circumstances that result in a threat to independence in one of the above categories may result in other threats as well. For example, a circumstance resulting in a structural threat to independence may also expose auditors to undue influence and management participation threats.[GAS 3.15] Application of GAGAS Conceptual Framework to Independence Auditors should evaluate threats to independence using the conceptual framework when the facts and circumstances under which the auditors perform their work may create or augment threats to independence. Auditors should evaluate threats both individually and in the aggregate because threats can have a cumulative effect on an auditor’s independence. [GAS 3.20] II-7 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) Facts and circumstances that create threats to independence can result from events such as the start of a new audit; assignment of new staff to an ongoing audit; and acceptance of a nonaudit service at an audited entity. Many other events can result in threats to independence. Auditors use professional judgment to determine whether the facts and circumstances created by an event warrant use of the conceptual framework. Whenever relevant new information about a threat to independence comes to the attention of the auditor during the audit, the auditor should evaluate the significance of the threat in accordance with the conceptual framework. GAS 3.21] Auditors should determine whether identified threats to independence are at an acceptable level or have been eliminated or reduced to an acceptable level. A threat to independence is not acceptable if it either (a) could impact the auditor’s ability to perform an auditwithout being affected by influences that compromise professional judgment or (b) could expose the auditor or audit organization to circumstances that would cause a reasonable and informed third party to conclude that the integrity, objectivity, or professional skepticism of the audit organization, or a member of the audit team, had been compromised.[GAS 3.22] When an auditor identifies threats to independence and, based on an evaluation of those threats, determines that they are not at an acceptable level, the auditor should determine whether appropriatesafeguards are available and can be applied to eliminate the threats or reduce them to an acceptable level. The auditor should exercise professional judgment in making that determination, and should takeinto account whether both independence of mind and independence in appearance are maintained. The auditor should evaluate both qualitative and quantitative factors when determining the significance of a threat.[GAS 3.23] In cases where threats to independence are not at an acceptable level, thereby requiring the application of safeguards, the auditors should document the threats identified and the safeguards applied to eliminate the threats or reduce them to an acceptable level.[GAS 3.24] Certain conditions may lead to threats that are so significant that they cannot be eliminated or reduced to an acceptable level through the application of safeguards, resulting in impaired independence. Under such conditions, auditors should decline to perform a prospective audit or terminate an audit in progress.[GAS 3.25] If a threat to independence is initially identified after the auditors’ report is issued, the auditor should evaluate the threat’s impact on the audit and on GAGAS compliance. If the auditors determine that the newly identified threat had an impact on the audit that would have resulted in the auditors’ report being different from the report issued had the auditors been aware of II-8 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) it, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of theorganizations requiring or arranging for the audits, and other known users, so that they do not continue to rely on findings or conclusions that were impacted by the threat to independence. If the report was previously posted to the auditors’ publicly accessible website, the auditors should remove the report and post a public notification that the report was removed.The auditors should then determine whether to conduct additional audit work necessary to reissue the report, including any revised findings or conclusions or repost the original report if the additional audit work does not result in a change in findings or conclusions.[GAS 3.26] Government Auditors and Audit Organization Structure The ability of audit organizations in government entities to perform work and report the results objectively can be affected by placement within government and the structure of the government entity being audited. The independence standard applies to auditors in government entities whether they report to third parties externally (external auditors), to senior management within the audited entity (internal auditors), or to both.[GAS 3.27] Audit organizations that are structurally located within government entities are often subject to constitutional or statutory safeguards that mitigate the effects of structural threats to independence. For external audit organizations, such safeguards may include governmental structures under which a government audit organization is: a.at a level of government other than the one of which the audited entity is part (federal, state, or local); for example, federal auditors auditing a state government program; or b.placed within a different branch of government from that of the audited entity; for example, legislative auditors auditing an executive branch program. [GAS 3.28] Safeguards other than those described above may mitigate threats resulting from governmental structures. For external auditors or auditors who report both externally and internally, structural threats may be mitigated if the head of an audit organization meets any of the following criteria in accordance with constitutional orstatutory requirements: a.directly elected by voters of the jurisdiction being audited; b.elected or appointed by a legislative body, subject to removal by a legislative body, and reports the results of audits to and is II-9 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) accountable to a legislative body; c.appointed by someone other than a legislative body, so long as the appointment is confirmed by a legislative body and removal from the position is subject to oversight or approval by a legislative body, and reports the results of audits to and is accountable to a legislative body; or d.appointed by, accountable to, reports to, and can only be removed by a statutorily created governing body, the majority of whose members are independently elected or appointed and are outside the organization being audited.[GAS 3.29] Consideration of Specific Nonaudit Services Before an auditor agrees to provide a nonaudit service to an audited entity, the auditor should determine whether providing such a service would create a threat to independence, either by itself or in aggregate with other nonaudit services provided, with respect to any GAGAS audit it performs. A critical component of this determination is consideration of management’s ability to effectively oversee the nonaudit service to be performed. The auditor should determine that the audited entity has designated an individual who possesses suitable skill, knowledge, or experience, and that the individual understands the services to be performed sufficiently to oversee them. The individual is not required to possess the expertise to perform or reperform the services. The auditor should document consideration of management’s ability to effectively oversee nonaudit services to be performed.[GAS 3.34] Auditors performing nonaudit services for entities for which they perform audits should obtain assurance that audited entity management performs the following functions in connection with the nonaudit services: a.assumes all management responsibilities; b.oversees the services, by designating an individual, preferably within senior management, who possess suitable skill, knowledge, or experience; c.evaluates the adequacy and results of the services performed; and d.accepts responsibility for the results of the services.[3.37] In connection with nonaudit services, auditors should establish and document their understanding with the audited entity’s management or those charged with governance, as appropriate, regarding the following: II-10 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) a.objectives of the nonaudit service; b.services to be performed; c.audited entity’s acceptance of its responsibilities; d.the auditor’s responsibilities; and e.any limitations of the nonaudit service.[GAS 3.39] An auditor who previously performed nonaudit services for an entity that is a prospective subject of an audit should evaluate the impact of those nonaudit services on independence before accepting an audit. If the nonaudit services were performed in the period to be covered by the audit, the auditor should (1) determine if the nonaudit service is expressly prohibited by GAGAS and, if not, (2) determine whether a threat to independence exists and address any threats noted in accordance with the conceptual framework.[GAS 3.42] An auditor in a government entity may be required to perform a nonaudit service that could impair the auditor’s independence with respect to a required audit. If the auditor cannot, as a consequence of constitutional or statutory requirements over which the auditor has no control, implement safeguards to reduce the resultingthreat to an acceptable level, or decline to perform or terminate a nonaudit service that is incompatible with audit responsibilities, the auditor should disclose the nature of the threat that could not be eliminated or reduced to an acceptable level and modify the GAGAS compliance statement accordingly.[GAS 3.44] For performance audits and agreed-upon procedures engagements, nonaudit services that are otherwise prohibited by GAGAS may be provided when such services do not relate to the specific subject matter of the engagement. [GAS 3.47] For financial statement audits and examination or review engagements, a nonaudit service performed during the period covered by the financial statements may not impair an auditor’s independence with respect to those financial statements provided that the following conditions exist: a.the nonaudit service was provided prior to the period of professional engagement; b.the nonaudit service related only to periods prior to the period covered by the financial statements; and c.the financial statements for the period to which the nonaudit service did relate were audited by another auditor (or in the case of an examination or review engagement, examined, reviewed, or audited by another auditor as appropriate).[GAS 3.48] II-11 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) Documentation of Independence Documentation of independence considerations provides evidence of the auditor’s judgments in forming conclusions regarding compliance with independence requirements. GAGAS contains specific requirements for documentation related to independence which may be in addition to the documentation that auditors have previously maintained. While insufficient documentation of an auditor’s compliance with the independence standard does not impair independence, appropriate documentation is required under the GAGAS quality control and assurance requirements.The independence standard includes the following documentation requirements: a.document threats to independence that require the application of safeguards, along with safeguards applied, in accordance with the conceptual framework for independence as required by paragraph 3.24; b.document the safeguards required by paragraph 3.30 if an audit organization is structurally located within a government entity and is considered independent based on those safeguards; c.document consideration of audited entity management’s ability to effectively oversee a nonaudit service to be provided by the auditor as indicated in paragraph 3.34; and d.document the auditor’s understanding with an audited entity for which the auditor will perform a nonaudit service as indicated in [GAS] paragraph 3.39.[GAS 3.59] Professional Judgment The general standard related to professional judgmentprovides that: Auditors must use professional judgment in planning and performing audits and in reporting the results.[GAS 3.60] Professional judgment includes exercising reasonable care and professional skepticism. Reasonable care includes acting diligently in accordance with applicable professional standards and ethical principles. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of evidence. Professional skepticism includes a mindset in which auditors assume neither that management is dishonest nor of unquestioned honesty. [GAS 3.61] Using the auditors’ professional knowledge, skills, and experience to diligently perform, in good faith and with integrity, the gathering of information and the objective evaluation of the sufficiency and appropriateness of evidence is a critical component of audits. Professional judgment and competence are interrelated because judgments made are II-12 Supplement 1 (12-2013) Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) dependent upon the auditors’ competence.[GAS 3.62] Professional judgment represents the application of the collective knowledge, skills, and experiences of all the personnel involved with an audit, as well as the professional judgment of individual auditors. In addition to personnel directly involved in the audit, professional judgment may involve collaboration with other stakeholders, external specialists, and management in the audit organization.[GAS 3.63] Using professional judgment is important to auditors in carrying out all aspects of their professional responsibilities, including following the independence standards and related conceptual framework; maintaining objectivity and credibility; assigning competent staff to the audit; defining the scope of work; evaluating, documenting, and reporting the results of the work; and maintaining appropriate quality control over the audit process. [GAS 3.64] Using professional judgment is important to auditors in applying the conceptual framework to determine independence in a given situation. This includes the consideration of any threats to the auditor’s independence and related safeguards which may mitigate the identified threats. Auditors use professional judgment in identifying and evaluating any threats to independence, including threats to the appearance of independence.[GAS 3.65] Using professional judgment is important to auditors in determining the required level of understanding of the audit subject matter and related circumstances. This includes consideration about whether the audit team’s collective experience, training, knowledge, skills, abilities, and overall understanding are sufficient to assess therisks that the subject matter of the audit may contain a significant inaccuracy or could be misinterpreted. [GAS 3.66] An auditor’s consideration of the risk level of each audit, including the risk of arriving at improper conclusions, is also important.Within the context of audit risk, exercising professional judgment in determining the sufficiency and appropriateness of evidence to be used to support the findings and conclusions based on the audit objectives and any recommendations reported is an integral part of the audit process.[GAS 3.67] While this standard places responsibility on each auditor and audit organization to exercise professional judgment in planning and performing an audit, it does not imply unlimited responsibility, nor does it imply infallibility on the part of either the individual auditor or the audit organization. Absolute assurance is not attainable due to factors such as the nature of evidence and characteristics of fraud. Professional judgment does not mean eliminating all possible limitations or weaknesses associated with II-13 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) a specific audit, but rather identifying, assessing, mitigating, and explaining them.[GAS 3.68] Competence The general standard related to competence provides that: The staff assigned to perform the audit must collectively possess adequate professional competence needed to address the audit objectives and perform the work in accordance with GAGAS.[GAS 3.69] The audit organization’s management should assess skill needs to consider whether its workforcehas the essential skills that match those necessary to perform the particular audit. Accordingly, audit organizations should have a process for recruitment, hiring, continuous development, assignment, and evaluation of staff to maintain a competent workforce. The nature, extent, and formality of the process will depend on various factors such as the size of the audit organization, its structure, and its work.[GAS 3.70] Competence is derived from a blending of education and experience. Competencies are not necessarily measured by years of auditing experience because such a quantitative measurement may not accurately reflect the kinds of experiences gained by an auditor in any given time period. Maintaining competence through a commitment to learning and development throughout an auditor’s professional life is an important element for auditors. Competence enables an auditor to make sound professional judgments.[GAS 3.71] Technical Knowledge The staff assigned to conduct an audit in accordance with GAGAS should collectively possess the technical knowledge, skills, and experience necessary to be competent for the type of work being performed before beginning work on that audit. The staff assigned to a GAGAS audit should collectively possess: a.knowledge ofGAGAS applicable to the type of work they are assigned and the education, skills, andexperience to apply this knowledge to the work being performed; b.general knowledge of the environment in which the audited entity operates and the subject matter; c.skills to communicate clearly and effectively, both orally and in writing; and d.skills appropriate for the work being performed; for example, skills in: II-14 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) (1)statistical or nonstatistical sampling if the work involves use of sampling; (2)information technology if the work involves review of information systems; (3)engineering if the work involves review of complex engineering data; (4)specialized audit methodologies or analytical techniques, such as the use of complex survey instruments, actuarial-based estimates, or statistical analysis tests, as applicable; or (5)specialized knowledge in subject matters, such as scientific, medical, environmental, educational, or any other specialized subject matter, if the work calls for such expertise.[GAS 3.72] Auditors performing financial audits should be knowledgeable in U.S. generally accepted accounting principles (GAAP), or with the applicable financial reporting framework being used, and the American Institute of Certified Public Accountants’ (AICPA)Statements on Auditing Standards (SAS)and they should be competent in applying these SASs to the audit work.[GAS 3.73] Similarly, auditors performing attestation engagements should be knowledgeable in the AICPA general attestation standard related to criteria, the AICPA attestation standards for field work and reporting, and the related Statements on Standards for Attestation Engagements (SSAE), and they should be competent in applying these standards and SSAE to the attestation work.[GAS 3.74] Auditors engaged to perform financial audits or attestation engagements should be licensed certified public accountants, persons working for a licensed certified public accounting firm or for a government auditing organization, or licensed accountants in states that have multi-class licensing systems that recognize licensed accountants other than certified public accountants.[GAS 3.75] Continuing Professional Education (CPE) Auditors performing work in accordance with GAGAS, including planning, directing, performing audit procedures, orreporting on an audit conducted in accordance with GAGAS, should maintain their professional competence through continuing professional education (CPE). Therefore, each auditor performing work in accordance with GAGAS should complete, every 2 years, at least 24 hours of CPE that directly relates to government auditing, the government environment, or the specific or unique environment in which the audited entity operates. Auditors who are involved in any amount II-15 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) of planning, directing, or reporting on GAGAS audits and auditors who are not involved in those activities but charge 20 percent or more of their time annually to GAGAS audits should also obtain at least an additional 56 hours of CPE (for a total of 80 hours of CPE in every 2-year period) that enhances the auditor’s professional proficiency to perform audits. Auditors required to take the total 80 hours of CPE should complete at least 20 hours of CPE in each year of the 2-year periods. Auditors hired or initially assigned to GAGAS audits after the beginning of an audit organization’s 2-year CPE period should complete a prorated number of CPE hours.[GAS 3.76] CPE programs are structured educational activities with learning objectives designed to maintain or enhance participants’ knowledge, skills, and abilities in areas applicable to performing audits. Determining what subjects are appropriate for individual auditors to satisfy both the 80-hour and the 24-hour requirements is a matter of professional judgment to be exercised by auditors in consultationwith appropriate officials in their audit organizations. Among the considerations in exercising that judgment are the auditors’ experience, the responsibilities they assume in performing GAGAS audits, and the operating environment of the audited entity.[GAS 3.77] Meeting CPE requirements is primarily the responsibility of individual auditors. The audit organization should have quality control procedures to help ensure that auditors meet the continuing education requirements, including documentation of the CPE completed. The Government Accountability Office (GAO) has developed guidance pertaining to CPE requirements to assist auditors and audit organizationsin exercising professional judgment in complying with the CPE requirements.[GAS 3.78] CPE Requirements for Specialists The audit team should determine that external specialists assisting in performing a GAGAS audit are qualified and competent in their areas of specialization; however, external specialists are not required to meet the GAGAS CPE requirements. [GAS 3.79] The audit team should determine that internal specialists consulting on a GAGAS audit who are not involved in directing, performing audit procedures, or reporting on a GAGAS audit, are qualified and competent in their areas of specialization; however, these internal specialists are not required to meet the GAGAS CPE requirements.[GAS 3.80] The audit team should determine that internal specialists, who are performing work in accordance with GAGAS as part of the audit team, includingdirecting, performing audit procedures, or reporting on a GAGAS audit, comply with GAGAS, including the CPE requirements.The GAGAS CPE requirements become effective for internal specialists when an audit II-16 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) organization first assigns an internal specialistto an audit. Because internal specialists apply specialized knowledge in government audits, training in their areas of specialization qualify under the requirement for 24 hours of CPE that directly relates to government auditing, the government environment, or the specific or unique environment in which the audited entity operates.[GAS 3.81] Quality Control The general standard related to quality control and assurance provides that: Assurance Each audit organization performing audits in accordance with GAGAS must: a.establish and maintain a system of quality control that is designed to provide the audit organization with reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatoryrequirements;and b.have an external peer review performed by reviewers independent of the audit organization being reviewed at least once every 3 years. [GAS 3.82] System of Quality Control An audit organization’s system of quality control encompasses the audit organization’s leadership, emphasis on performing high quality work, and the organization’s policies and procedures designed to provide reasonable assurance of complying with professional standards and applicable legal and regulatory requirements.The nature, extent, and formality of an audit organization’s quality control system will vary based on the audit organization’s circumstances, such as the audit organization’s size, number of offices and geographic dispersion, knowledge and experience of its personnel, nature and complexity of its audit work, and cost-benefit considerations.[GAS 3.83] Each audit organization should document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent of the audit organization’s compliance with its quality control policies and procedures. The form and content of such documentation are a matter of professional judgment and will vary based on the audit organization’s circumstances.[GAS 3.84] II-17 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) An audit organization should establish policies and procedures in its system of quality control that collectively address: a.leadership responsibilities for quality within the audit organization; b.independence, legal, and ethical requirements; c.initiation, acceptance, and continuance of audits; d.human resources; e.audit performance, documentation, and reporting; and f.monitoring of quality. [GAS 3.85] Leadership Responsibilities Audit organizations should establish policies and procedures on leadership responsibilities for quality within the audit organization that include the designation of responsibility for quality of audits performed in accordance with GAGAS and communication of policies and procedures relating to quality. Appropriate policies and communications encourage aculture that recognizes that quality is essential in performing GAGAS audits and that leadership of the audit organization is ultimately responsible for the system of quality control.[GAS 3.86] The audit organization should establish policies and procedures designed to provide it with reasonable assurance that those assigned operational responsibility for the audit organization’s system of quality control have sufficient and appropriate experience and ability, and the necessary authority, to assume thatresponsibility.[GAS 3.87] Independence, Legal, and Ethical Requirements Audit organizations should establish policies and procedures on independence, legal, and ethical requirements that are designed to provide reasonable assurance that the audit organization and its personnel maintain independence and comply with applicable legal and ethical requirements. Such policies and procedures assist the audit organization to: a.communicate its independence requirements to its staff, and b.identify and evaluate circumstances and relationships that create threats to independence, and take appropriate action to eliminate those threats or reduce them to an acceptable level by applying safeguards, or, if considered appropriate, withdraw from the audit where withdrawal is not prohibited by law or regulation.[GAS 3.88] Initiation, Acceptance, and Continuance of Audits Audit organizations should establish policies and procedures for the initiation, acceptance, and continuance of audits that are designed to provide reasonable assurance that the audit organization will undertake audits only II-18 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) if it can comply with professional standards, legal requirements, and ethical principlesand is acting within the legal mandate or authority of the audit organization.[GAS 3.89] Human Resources Audit organizations should establish policies and procedures for human resources that are designed to provide the audit organization with reasonable assurance that it has personnel with the capabilities and competence to perform its audits inaccordance with professional standards and legal and regulatory requirements.[GAS 3.90] Audit Performance, Documentation, and Reporting Audit organizations should establish policies and procedures for audit performance, documentation, and reporting that are designed to provide the audit organization with reasonable assurance that audits are performed and reports are issued in accordance with professional standards and legal and regulatory requirements.[GAS 3.91] When performing GAGAS audits, audit organizations should have policies and procedures for the safe custody and retention of audit documentation for a time sufficient to satisfy legal, regulatory, and administrative requirements for records retention. Whether audit documentation is in paper, electronic, or other media, the integrity, accessibility, and retrievability of the underlying information could be compromised if the documentation is altered, added to, or deleted without the auditors’ knowledge, or if the documentation is lost or damaged.For audit documentation that is retained electronically, the audit organization should establish effective information systems controls concerning accessing and updating the audit documentation.[GAS 3.92] Monitoring of Quality Audit organizations should establish policies and procedures for monitoring of quality in the audit organization.Monitoring of quality is an ongoing, periodic assessment of work completed on audits designed to provide management of the audit organization with reasonable assurance that the policies and procedures related to the system of quality control are suitably designed and operating effectively in practice. The purpose of monitoring compliance with quality control policies and procedures is to provide an evaluation ofwhether the: a.professional standards and legal and regulatory requirements have been followed, b.quality control system has been appropriately designed, and c.quality control policies and procedures are operating effectively and complied with in practice. [GAS 3.93] II-19 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) Monitoring procedures will vary based on the audit organization’s facts and circumstances. The audit organization should perform monitoring procedures that enable it to assess compliance with applicable professional standards and quality control policies and procedures for GAGAS audits. Individuals performing monitoring should collectively have sufficient expertise and authority for this role.[GAS 3.94] The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to appropriate personnel any deficiencies noted during the monitoring process and make recommendations for appropriate remedial action.[GAS 3.95] External Peer Review The audit organization should obtain an external peer review at least once every 3 years that is sufficient in scope to provide a reasonable basis for determining whether, for the period under review, the reviewed audit organization’s system of quality control was suitably designed and whether the audit organization is complying with its quality control system in order to provide the audit organization with reasonable assurance of conforming with applicable professional standards. [GAS 3.96] The first peer review for an audit organization not already subject to a peer review requirement covers a review period ending no later than 3 years from the date an audit organization begins its first audit in accordance with GAGAS. The period under review generally covers 1 year, although peer review programs may choose a longer review period. Generally, the deadlines for peer review reports are established by the entity that administers the peer review program. Extensions of the deadlines for submitting the peer review report exceeding 3 months beyond the due date are granted by the entity that administers the peer review program and GAO.[GAS 3.97] An external audit organizationshould make its most recent peer review report publicly available.For example, an audit organization may satisfy this requirement by posting the peer review report on a publicly available web site or to a publicly available file designed for public transparency of peer review results. Alternatively, if neither of these options is available to the audit organization, then it should use the same transparency mechanism it uses to make other information public. The audit organization should provide the peer review report to others upon request. If a separate communication detailing findings, conclusions, and recommendations is issued, public availability of that communication is not required. Internal audit organizations that report internally tomanagement and those charged with governance should provide a copy of the peer review report to those II-20 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) charged with governance.[GAS 3.105] Section 3-18 (a) of the Hawai‘i County Charter, as amended, establishes Charter Protections within the legislative branch an independent office of the legislative auditor to be headed by a legislative auditor who shall be appointed by the county council and shall serve for a period of six years, and thereafter, until a successor is appointed. The council, by a two-thirds vote of its membership, may remove the legislative auditor from office at any time for cause. Section 3-18 (c) of the Hawai‘i County Charter, as amended, affords further safeguards by allowing the legislative auditor on behalf of the county council to hire the necessary staff for which appropriations have been made by the county council. In addition, Section 3-18 (f) of the Hawai‘i County Charter, as amended, provides that for purposes of carrying out any audit, the legislative auditor shall have: (1)Full, free, and unrestricted access to any county officer or employee. (2)Full, free, and unrestricted access to and authority to examine and inspect any record of any county agency, executive agency, or program except for any record protectedfrom disclosure by law, rule or privilege. (3)Full, free, and unrestricted access to and authority to examine and inspect any property, facility, or equipment of any county agency, executive agency, or program pertinent to the audit or to a contract. (4)Full,free, and unrestricted access to and authority to administer oaths and subpoena witnesses and compel the production of records pertinent thereto. If any person subpoenaed as a witness or compelled to produce records shall fail or refuse to respond thereto, the proper court, upon request of the auditor, shall have the power to compel obedience to any process of the auditor and to punish, as contempt of court, any refusal to comply therewith without good cause. The auditor may retain special counsel, in the manner authorized by the council, to represent the auditor in implementing these powers. II-21 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) Office administrative and audit policies and procedures protect the OLAIndependence independence of the office and its staff. These policies and procedures Policies and require staff to adhere to the County of Hawai‘i Code of Ethics, the office Procedures administrative manual, the office audit manual, and GAGAS requirements. Any staff member who fails to comply with these office policiesand procedures related to independence can be subject to office disciplinary measures as appropriate. Staff independenceand Before project assignments are made, all staff members are given the assignment opportunity to identify potential impairments to independence that may preclude work on specific projects. In addition, the auditor assesses whether prior non-audit services performed or procured by the office would impact the office’s ability in the current audit engagement to appropriately evaluate the results of previous judgments made or services performed. Any potential impairment must be resolved in a timely manner by either removing the staff member(s) from the project or withdrawing the office from the audit. The auditor evaluates the significance of identified impairments, both individually and in the aggregate, and applies safeguards as necessary to eliminate the threats to independence or reduce them to an acceptable level. The auditor also documents in the project working papers any threats to independence that require the application of safeguards as well as the safeguards applied. Any identified impairment must be disclosed in the audit scope section of the audit report and the GAGAS compliance statement modified accordingly. All staff members, including the auditor and independent report reviewer, Project Statement of Independence and Assignment are required to file a form(see Exhibit II-A) for the respective project declaring any potential impairments. Upon notification of such potential impairments, the auditor will determine whether staff members lack independence to work on the project. Staff members are not formally assigned to a project until approved by the auditor on the Project Statement of Independence and Assignment form. The auditor assigns to projects those staff members who together possess the skills to do the work. Considerations in making assignments include: 1.The qualifications and special expertise of staff; 2.The magnitude and complexity of projects; and 3.Any impairment, such as a conflict of interest. II-22 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) Another consideration is giving staff the opportunity to gain work experience and subject area expertise, supervise and manage the work of others, and foster professional development of staff. Contract auditors and Prior tousing the work of a contract auditor or specialist, individuals or specialists firms will be requiredto submit representations to the officeregarding their independence from the audited entity.If afirm or individual has an impairmentto independence, the officewill not enter into a contract for its services. Since the office will normallyhire consultants to perform its financial audits and attestation engagements, the office will ensure compliance with these additional qualifications through the procurement and contracting process of securing a consultant. See Section VII –Use of Consultant Services –of this audit manual for further guidance. Provision of nonaudit Hawai‘i County Chartersection 3-18(g)requires that the auditor conduct all services audits in accordance with government auditing standards. Since government auditing standards do not cover professional services other than audits and attestation engagements, as a general rule, the officewill not engage in or perform nonaudit services for the council and administration. However, the office may occasionally be requested to perform or procure independent data collection, analysis, reconciliation, and reporting; review procedures and internal controls; and/orconduct special studies that are intended to provide timely and objective information to the council, administration, and public. If so, the office will evaluate whether performing or procuringsuch nonaudit services creates an impairment to independence,either in fact or appearance,with respect to the entities the officeaudits.If based onthe facts and circumstances the officedetermines that provision of such services creates an independenceimpairment,the officewill refuse the assignment.If based on the facts and circumstances the office determines that provision of such services does not create an independenceimpairment, the office will applythe GAGAS independence standard related to nonaudit services. When providing nonaudit services, the office will obtain assurance that management assumes all management responsibilities, will oversee the services, will evaluate the adequacy and results of the servicesbeing performed , and will accept responsibility for the results. The office will also document its understanding with management or the body charged with governance regarding the objectives, services, acceptance of its responsibilities, and limitations of the nonaudit servicesbeing provided. Impairment after report If an impairmentto independence is identified after the audit report is issuance issued, the officewill assess itsimpact on the audit.If the officeconcludes II-23 Supplement 1 (12-2013) Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) that the audit did not comply with GAGAS, it will notify in writing the audited entity, mayor, appropriate board or commission, council,and persons known to be using the report about the independence impairment and itsimpact on the audit. If the report was posted on the office website, the office will remove it and post a public notificationof its removal. The auditor will then determine whether to conduct additional fieldwork necessary to reissue the report, including any revised findings or conclusions, or repost the original report if additional fieldwork does not result in a change in findings or conclusions. All audit staff of the officemust satisfy the GAGAS requirement of a OLACPE minimum of 80 credit hours of CPE overa two-year period while Policies and maintaining their customary workload. Audit staffwhodonot fulfill this Procedures requirement will be considered not qualified to conduct audits and attestation engagements. CPE credits are computed on a calendaryearbasis: • At least 24 of the total 80 hours shall be in subjects directlyrelated to the government environment and governmentauditing. Government-related hours are those relating togovernment procedures, regulatory requirements, or currentoperations. This may include subjects related to specific orunique environments in which audited entities operate. • first Auditstaff must complete at least 20 hours by December 31of the year second year ofthe biennium and 80 hours by December 31of the of thebiennium. Staff may not carry over CPE hours earned in excessof the 80 and 24-hour requirements from one two-year period tothe next. • Audit staffwho failto complete the required number of CPEhours for any two-year period will be given two monthsimmediately following the two- year period to make up thedeficiency. • New audit staff will be advised of their CPE requirements andtheir schedule for meeting these requirements. Staff auditorsemployed after the beginning of a two-year CPE period arerequired to complete a pro rata number of CPE hoursbased on the number of hoursworked in the remaining CPE period.In addition to CPE requirements, new audit supervisors, audit analysts,and staffreceive orientation on basic office policies, procedures, andoperations. • Audit staff on extended leave without pay or sick leave, and anyother extenuating circumstances during the two-year period willbe generally required to complete a pro rata number of CPEhours based on the number of hoursworked inthe two-year period. Such exceptions will be approved inwriting by the auditor. II-24 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) • The administrative assistant to the auditormaintains the files and documentation of approved staff training requestsand completed training CPE TrainingSummary(see Exhibit II-B) information and produces the for the auditor. Types of training • In-house training provided by the auditor’s staff or outside consultants. The office encourages staff members to develop and present training courses in consultation with the CPE coordinator and with the approval of the auditor. • External training provided by other government agencies, professional institutes and organizations, colleges, seminars, conferences, and other activities approved by the auditor. Staff members are encouraged to explore comparable programs offered by government agencies. • Self-study programs offered by other government agencies or professional organizations,such asACFE, AGA, AICPA, ALGA,andIIA. Criteria for CPE hours • Most in-house training sessions will qualify for CPE credit hoursas designated for each offered program. Most formalpresentations by audit staff on behalf of the office willqualify for credit. • External training courses and self-study programs mustcontribute to each auditor’sauditing proficiency and benefit thework of the office. Training may be on any aspect of auditing;government operations; subject areas related to theoffice’s work; or topics such as management, supervision, and writing. Eligible training includes,but is not limited to,meetings, conferences, and seminars by professionalorganizations; workshops offered by other government agencies;and accredited college level courses. Theauditor prior to the training date must approve all requests for CPE training. Approval will be based on the expected value to the individual and the office, workload constraints, and available funds. The auditor may grant verbal,email, or writtenapproval of a training request. Computation of CPE hours • Each 50-minute unit of training qualifies for 1 CPEcredit hour. • Each semester college credit qualifies for 15 CPE credit hours. • In-house trainers will earn one credit hour for each 50-minutetraining session they present. Trainers will earn two preparation credit hours for II-25 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) each 50 minutes of presentation time. Credits will not be given for either presentation or preparation for repeated courses within a two-year period. • The office will assign CPE credit hours for external training, such as conferences and seminars, based on the number of contact hours of qualified activities or the number of CPE credits designated by the external training organization. • The auditor will determine the appropriate CPE credits for self-study programs. Report of Upon completion of all CPE training, staff must submit the Completed Training(see Exhibit II-C) to the auditor for approval. The auditor will certify to the completion and award the appropriate CPE credit hours for the completed training. External specialists assisting in performing a GAGAS assignment shouldbe qualified and maintain professional competence in their areas of specialization,but are not required to meet the GAGAS CPErequirements described. However, auditors who use the work ofexternal specialists should assess theprofessional qualifications of suchspecialists and document their findings and conclusions. Internalspecialists who are a part of the audit organization and perform as amember of the audit team should comply with GAGAS, including CPE requirements. The Yellow Book(GAS 3.60) requires use of professional judgment in OLA Professional planning and performing audits and reporting the results. The office Judgment Policies provides a copy of the Yellow Bookto each auditor. Auditors are andProcedures responsible for understanding and exercising professional judgment as described in GAS 3.61 through GAS 3.68 of the Yellow Book, 2011 Revision. All members of the audit team are expected to apply ethical principles of integrity, objectivity, and professional behavior. To help ensure that sound professional judgment is exercised in planning and conducting an audit, the auditor assigns staff deemedcompetent to conduct the auditand provides ongoing supervision of assigned staff. For each audit conducted, the audit supervisor prepares anaudit program based on the standard audit programs the office has adopted for preliminary survey, risk assessment, field work, and report writing. Auditors are expected to assess risk,plan audits,and conduct examinations with an appropriate level of testing, considering the possibility of material irregularities or noncompliance. All members of the audit team are expected to render the care and skill expected of a prudent and competent auditor in the same or similar II-26 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) circumstances. In exercising due professional care, the audit staff should be alert as to the possibility of intentional wrongdoing, errors and omissions, inefficiency, waste, ineffectiveness, and conflicts of interest. Such conditions and activities should be discussed with the auditor. All auditor impairments and conflicts of interest must be reported and discussed with the auditor. Auditors are required to assess the materiality, impact, and effect in developing potential audit findings. Potential audit findings are discussed with the auditor throughout the audit process. Findings that are not material in nature may be communicated internally to managementthrough a separate management letter.All reports and management letters must be approved and signed by the auditor or auditor’s designated representative. Internal quality control is a continuous process that utilizes a series of OLA Quality Control quality control assurance reviews and relies on the efforts of the audit Assurance (QCA) organization’s trained and professional staff. Its goal is to keep the workon Policies and track, confirm that applicable standards have been met, and ensurethat Procedures working papers adequately support the results of work. Theconsideration of the risk level of each audit, including the risk of arriving at improper conclusions, is also important. Internalquality control establishes whether: • Project objectives, scope, and methodology are appropriatelydesigned and clearly explained; • Sufficient information is given to establish the context forunderstanding the findings, conclusions, and recommendations; • Findings, conclusions, and recommendations are consistent withthe project scope, objectives, and methodology; • Findings, conclusions, and recommendations are clearlyexplained, and supported by sufficient and appropriate evidence and analysis; and • Supervision is adequate and documented in the working papers. There are four types of internal quality assurance reviews: 1.Supervisory review; 2.Project status review; 3.Independentreport review;and 4.Auditor and editorial reviews. II-27 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) Supervisory review Auditsupervisorsof projects are responsible for the ongoingsupervision and review of work progress, working papers, and productsproduced by members of the audit team.Theyregularly review working papers to ensure adherence to the Audit Plan and Workplan, and document their review by initialing and dating the first page of each working paper reviewed.In addition, audit supervisorsare responsible for writing review notesforworking paperssubmitted by audit staff.Review notes can also take the form of memos, email responses,andnotations on draftdocuments utilizing Microsoft Word“Track Changes”or similar format.After theyare clearedby audit supervisors,review notesmust be filed amongthe working paper files.Audit supervisors also review the auditworkprogram, the findings andrecommendations, and the office draft of the reportto be sure audit objectiveshave been met and working papers support information presented. Project status review In addition, the auditor reviews the status of each project during staff meetings. The auditor provides suggestions, comments and direction based on the verbal project status reports made by the audit supervisor. Independent report review (IRR) The auditor assigns each indexed office draft of the report to a staff auditor or outside expert to verifythe information contained in the office draft.The reviewer is someone who has not conducted fieldwork in the project, and is expected to have a neutral perspective. While conducting the review, the reviewer works independently and free from influence of project staff. The reviewer works primarily with the auditor, and generally does not discuss the project with the audit supervisor or team members.The reviewer is responsible for writing review notes,such asinaccuracies in indexing, errors in the data, and failure ofevidence to support findings and (see Exhibit V-B: Independent Report recommendations in the office draft Review Worksheet) .The auditor discusses resolution of thereview notes with the audit supervisoror audit team, and approvescorrectionsto the office draftthat aredocumented in theworking papers. Auditor and editorial review The auditor reviews and approves the audit program, the preliminary findings and recommendations,the report outline, and theoffice draft of the report.In addition, the auditor selects staff membersor outside experts to assist in editorial review of the officedraft.Theworking papers are made available to the editors,as needed,to verify thecorrectness and reasonableness of the information presented. II-28 Section II:Ethical Principles and General Standards (Yellow Book 2011Revision) QCS Assessment of QCA At the conclusion of each audit engagement, the office will complete a Assurance Review (see Exhibit II-D) monitoring system, summarizeany systemic quality control issues identified and corrective actions recommended, and file the QCS Assurance Review form and summary in the QCS Summary Binder. The auditor will, at a minimum, annually review and assess the effectiveness of the office’soverallQCAmonitoring system,identify any systemic issuesneeding improvement,makerecommendations for corrective actions, and document the annual assessment in the QCS Summary Binder.The auditor may use an institutional assessment survey process or a staff meeting session to discuss weaknesses in the office's QCA monitoring system and seek recommendations for improvement.Any material changes to the office's QCA monitoring system will be made in the update to the office audit manual. Compliance with The YellowBook details the requirements of external peer review.The External PeerReview office will participate in an external peerreview program,such as the program conducted by the Association of Local GovernmentAuditors (ALGA).Upon completion of a peer review, the office will transmit a copy of its external peer review report and any letter of comment to the council, county clerk, and mayor.In addition, the peer review report and any letter of comment will be posted on the office’s website and a copy of the reports will be made available to the public upon request. When contracting a consultant to perform an audit or attestation engagement in accordance with GAGAS, the officewill ensure that the consultant provides itsmost recent external peer review report and any letter of comment to the office. Information in the external peer review report and letter of comment is often relevant to decisions on procuring audit or attestation engagement services. Auditors who are relying on another audit organization’s work should request a copy of the audit organization’s peer review report and any letter of comment, and the audit organization should provide the peer review report and letter of comment when requested.If an external peer review is not required of a consultant, the officewill require a statement from the organization describing the applicable professional standards of quality assurance used or followed by the organization. II-29 Supplement 1 (12-2013) This page intentionally left blank. Section III Planningthe Audit The policies and procedures in thissectionhave been prepared to guide the Introduction auditors in managing and conducting their audit work in accordance with generally accepted government auditing standards (GAGAS). The office followsthe Yellow Book 2011 Revisionstandards and guidelines in order to ensure that our audit work is consistentandprofessional. The legislative auditor (auditor) initiates projects based on a County-wide risk assessment and annual audit plan after consideration ofprior audits, suggestions from the public,and requests from the councilthrough resolutions, ordinances, or other directives. The fieldworkstandards for performance audits relate to planning the audit; supervisingstaff; obtaining sufficient, appropriate evidence; and preparing auditdocumentation. The concepts of reasonable assurance, significance, andaudit risk form a framework for applying these standards throughout the conductof performance audits. Reasonable assurance is provided by a rigorous planning process and through implementation of a quality controlassurancereview system. Auditors must obtain sufficient, appropriate evidence to provide a reasonable basis for their findings and conclusionsin relation to the audit objectives.For example, when usingcomputer-processed information, auditors should assess the sufficiency and appropriateness of the information whether provided to or independently extracted by the auditors. Significance can be a guide to deciding the type and extent of audit work to be performed, evaluating the results of audit work, and developing the report and related findings and conclusions. Significance is defined as the relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors. Audit risk is the possibility that the auditors’ findings, conclusions, recommendations, or assurance may be improper or incomplete. This could be due to insufficient evidence, inadequate audit process, intentional omissions, or misleading information due to misrepresentation or fraud. Auditors should be aware of audit risk in the planning of audits, and should take steps to reduce audit risk to an appropriate level to provide reasonable assurance that their evidence is sufficient and appropriate. Reasonable assurance In performance audits that comply with GAGAS, auditors obtain reasonable assurance that evidence is sufficient and appropriate to support the auditors’ findings and conclusions in relation to the audit objectives. Thus, the III-1 Section III:Planningthe Audit (Yellow Book 2011Revision) sufficiency and appropriateness of evidence needed and tests of evidence will vary based on the audit objectives, findings, and conclusions. Objectives for performance audits range from narrow to broad and involve varying types and quality of evidence. In some engagements, sufficient, appropriate evidence is available, but in others, information may have limitations. Professional judgmentassists auditors in determining the audit scope and methodology needed to address the audit objectives, and in evaluating whether sufficient, appropriate evidence has been obtained to address the audit objectives. [GAS 6.03] Significance The concept of significance assists auditors throughout a performance audit, including when deciding the type and extent of audit work to perform, when evaluating results of audit work, and when developing the report and related findings and conclusions. Significance is defined as the relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors. Such factors include the magnitude of the matter in relation to the subject matter of the audit, the natureand effect of the matter, the relevance of the matter, the needs and interests of an objective third party with knowledge of the relevant information, and the impact of the matter to the audited program or activity. Professional judgment assists auditorswhen evaluating the significance of matters within the context of the audit objectives. In the performance audit requirements, the term “significant” is comparable to the term “material” as used in the context of financial statement engagements. [GAS 6.04] Audit risk Audit risk is the possibility that the auditors’ findings, conclusions, recommendations, or assurance may be improper or incomplete, as a result of factors such as evidence that is not sufficient and/or appropriate, an inadequate audit process, or intentional omissions or misleading information due to misrepresentation or fraud. The assessment of audit risk involves both qualitative and quantitative considerations. Factors impacting audit risk include the time frames, complexity, or sensitivity of the work; size of the program in terms of dollar amounts and number of citizens served; adequacy of the audited entity’s systems and processes to detect inconsistencies, significant errors, or fraud; and auditors’ access to records. Audit risk includes the risk that auditors will not detect a mistake, inconsistency, significant error, or fraud in the evidence supporting the audit. Audit risk can be reduced by taking actions such as increasing the scope of work; adding specialists, additional reviewers, and other resources to perform the audit; changing the methodology to obtain additional evidence, higher quality evidence, or alternative forms of corroborating evidence; or aligning the findings and conclusions to reflect the evidence obtained. [GAS 6.05] III-2 Section III:Planningthe Audit (Yellow Book 2011Revision) The fieldwork standard related to planning for performance audits Planning for performed in accordance with GAGAS provides that: Performance Audits Auditors must adequately plan and document the planning of the work [ necessary to address the audit objectives.GAS 6.06] Auditors must plan the audit to reduce audit risk to an appropriate level for the auditors to obtain reasonable assurance that the evidence is sufficient and appropriate to support the auditors’ findings and conclusions. This determination is a matter of professional judgment. In planning the audit, auditors should assess significance and audit risk and apply these assessments in defining the audit objectives and the scope and methodology to address those objectives. Planning is a continuous process throughout the audit. Therefore, auditors may need to adjust the audit objectives, scope, and methodology as work is being completed. In situations where the audit objectives are established by statute or legislative oversight, auditors may not have latitude to define or adjust the audit objectives or scope. [GAS 6.07] The objectives are what the audit is intended to accomplish. They identify the audit subject matter and performance aspects to be included, and may also include the potential findings and reporting elements that the auditors expect to develop. Audit objectives can be thought of as questions about the program that the auditors seek to answer based on evidence obtained and assessed against criteria. The term “program” is used in GAGAS to include government entities, organizations, programs, activities, and functions. [GAS 6.08] Scope is the boundary of the audit and is directly tied to the audit objectives. The scope defines the subject matter that the auditors will assess and report on, such as a particular program or aspect of a program, the necessary documents or records, the period of time reviewed, and the locations that will be included.[GAS6.09] The methodology describes the nature and extent of audit procedures for gathering and analyzing evidence to address the audit objectives. Audit procedures are the specific steps and tests auditors perform to address the audit objectives. Auditors should design the methodology to obtain reasonable assurance that the evidence is sufficient and appropriate to support the auditors’ findings and conclusions in relation to the audit objectives and to reduce audit risk to anacceptable level.[GAS 6.10] Auditors should assess audit risk and significance within the context of the audit objectives by gaining an understanding of the following: III-3 Section III:Planningthe Audit (Yellow Book 2011Revision) a.the nature and profile of the programsand the needs of potential users of the audit report; b.internal control as it relates to the specific objectives and scope of the audit; c.information systems controls for purposes of assessing audit risk and planning the audit within the context of the audit objectives; d.provisions of laws, regulations, contracts, and grant agreements, and potential fraud, and abuse that are significant within the context of the audit objectives; e.ongoing investigations or legal proceedings within the context of the audit objectives; and f.the results of previous audits and attestation engagements that directly relate to the current audit objectives.[GAS 6.11] During planning, auditors also should: a.identify the potential criteria needed to evaluate matters subject to audit; b.identify sources of audit evidence and determine the amount and type of evidence needed given audit risk and significance; c.evaluate whether to use the work of other auditors and specialists to address some of the audit objectives; d.assign sufficient staff and specialists with adequate collective professional competence and identify other resources needed to perform the audit; e.communicate about planning and performance of the audit to management officials, those charged with governance, and others as applicable; and f.prepare a written audit plan.[GAS 6.12] Nature and profile of the Auditors should obtain an understanding of the nature of the program or program and user needs program component under audit and the potential use that will be made of the audit results or report as they plan a performance audit. The nature and profile of a program include: III-4 Section III:Planningthe Audit (Yellow Book 2011Revision) a.visibility, sensitivity, and relevant risks associated with the program under audit; b.age of the program or changes in its conditions; c.the size of the program in terms of total dollars,number of citizens affected, or other measures; d.level and extent of review or other forms of independent oversight; e.program’s strategic plan and objectives; and f.external factors or conditions that could directly affect the program. [GAS 6.13] One group of users of the auditors’ report is government officials who may have authorized or requested the audit. Other important users of the auditors’ report are the audited entity, those responsible for acting on the auditors’ recommendations, oversight organizations, and legislative bodies. Other potential users of the auditors’ report include government legislators or officials (other than those who may have authorized or requested the audit), the media, interest groups, and individual citizens. In addition to an interest in the program, potential users may have an ability to influence the conduct of the program. An awareness of these potential users’ interests and influence can help auditors judge whether possible findings could be significant to relevant users. [GAS 6.14] Obtaining an understanding of the program under audit helps auditors to assess the relevant risks associated with the program and the impact of the risks on the audit objectives, scope, and methodology. The auditors’ understanding may come from knowledge they already have about the program or knowledge they gain from inquiries, observations, and reviewing documents while planning the audit. The extent and breadth of those inquiries and observations will vary among audits based on the audit objectives, as will the need to understand individual aspects of the program, such as the following: Provisions of laws, regulations, contracts and grant agreements a.: Government programs are usually created by law and are subject to specific laws and regulations.Laws and regulations usually set forth what is to be done, who is to do it, the purpose to be achieved, the population to be served, and related funding guidelines or restrictions. Government programs may also be subject to contracts or grant agreements. Thus, understanding the laws and legislative history establishing a program and the provisions of any contracts or grant agreements is essential to understanding the program itself. Obtaining III-5 Section III:Planningthe Audit (Yellow Book 2011Revision) that understanding is also a necessary step in identifying the provisions of laws, regulations, contracts, or grant agreements that are significant within the context of the audit objectives. Purpose and goals b.: Purpose is the result or effect that is intended or desired from a program’s operation. Legislatures usually establish the program’s purpose when they provide authority for the program. Entity officials may provide more detailed information on the program’s purpose to supplement the authorizing legislation. Entity officials are sometimes asked to set goals for program performance and operations, including both output and outcome goals. Auditors may use the stated program purpose and goals as criteria for assessing program performance or may develop additional criteria to use when assessing performance. Internal control c.: Internal control, sometimes referred to as management control, in the broadest sense includes the plan, policies, methods, and procedures adopted by management to meet its missions, goals, and objectives. Internal control includes the processes for planning, organizing, directing, and controlling program operations. It includes the systems for measuring, reporting, and monitoring program performance. Internal control serves as a defense in safeguarding assets and in preventing and detecting errors; fraud; noncompliance with provisions of laws, regulations, contracts or grant agreements; or abuse. Inputs d.: Inputs are the amount of resources (in terms of money, material, personnel, etc.) that are put into a program. These resources may comefrom within or outside the entity operating the program. Measures of inputs can have a number of dimensions, such as cost, timing, and quality. Examples of measures of inputs are dollars spent, employee-hours expended, and square feet of building space. Program operations e.: Program operations are the strategies, processes, and activities management usesto convert inputs into outputs. Program operations may be subject to internal control. Outputs f.: Outputs represent the quantity of goods or services produced by a program. For example, an output measure for a job training program could be the number of persons completing training, and an output measure for an aviation safety inspection program could be the number of safety inspections completed. Outcomes g.: Outcomes are accomplishments or results of a program. For example, an outcome measure for a job training program could be the percentage of trained persons obtaining a job and still in the work III-6 Section III:Planningthe Audit (Yellow Book 2011Revision) place after a specified period of time. An example of an outcome measure for an aviation safety inspection program could be the percentage reduction in safety problems found in subsequent inspections or the percentage of problems deemed corrected in follow- up inspections. Such outcome measures show the progress made in achieving the stated program purpose of helping unemployable citizens obtain and retain jobs, and improving the safety of aviation operations. Outcomes may be influenced by cultural, economic, physical, or technological factors outside the program. Auditors may use approaches drawn from other disciplines, such as program evaluation, to isolate the effects of the program from these other influences. Outcomes also include unexpected and/or unintentional effects of a program, both positive and negative. [GAS 6.15] Internal control Auditors should obtain an understanding of internal control that is significant within the context of the audit objectives. For internal control that is significant within the context of the audit objectives, auditorsshould assess whether internal control has been properly designed and implemented and should perform procedures designed to obtain sufficient, appropriate evidence to support their assessment about the effectiveness of those controls. Information systems controls are often an integral part of an entity’s internal control. The effectiveness of significant internal controls is frequently dependent on the effectiveness of information systems controls. Thus, when obtaining an understanding of internal control significant to the audit objectives, auditors should also determine whether it is necessary to evaluate information systems controls. [GAS 6.16] The effectiveness of internal control that is significant within the context of the audit objectives can affect audit risk. Consequently, auditors may determine that it is necessary to modify the nature, timing, or extent of the audit procedures based on the auditors’ assessment of internal control and the results of internal control testing. For example, poorly controlled aspects of a program have a higher risk of failure, so auditors may choose to focus more efforts in these areas. Conversely, effective controls at the audited entity may enable the auditors to limit the extent and type of audit testing needed. [GAS 6.17] Auditors may obtain an understanding of internal control through inquiries, observations, inspection of documents and records, review of other auditors’ reports, or direct tests. The nature and extent of procedures auditors perform to obtain an understanding of internal control may vary among audits based on audit objectives, audit risk, known or potential internal control deficiencies, and the auditors’ knowledge about internal control gained in prior audits. [GAS 6.18] III-7 Section III:Planningthe Audit (Yellow Book 2011Revision) The following discussion of the principal types of internal control objectives is intended to help auditors better understand internal controls and determine whether or to what extent they are significant to the audit objectives. Effectiveness and efficiency ofprogram operations a.: Controls over program operations include policies and procedures that the audited entity has implemented to provide reasonable assurance that a program meets its objectives, while considering cost-effectiveness and efficiency. Understanding these controls can help auditors understand the program operations that convert inputs to outputs and outcomes. Relevance and reliability of information b.: Controls over the relevance and reliability of information include policies and procedures that officials of the audited entity have implemented to provide themselves reasonable assurance that operational and financial information they use for decision making and reporting externally is relevant and reliable and fairly disclosed in reports. Understanding these controls can help auditors (1) assess the risk that the information gathered by the entity may not be relevant or reliable and (2) design appropriate tests of the information considering the audit objectives. Compliance with applicable laws, regulations, contracts, and c. grant agreements : Controls over compliance include policies and procedures that the audited entity has implemented to provide reasonable assurance that program implementation is in accordance with provisions of laws, regulations, contracts, and grant agreements. Understanding the relevant controls concerning compliance with those laws, regulations, contracts or grant agreements that the auditors have determined are significant within the context of the audit objectives can help them assess the risk of noncompliance with provisions of laws, regulations, contracts, or grant agreements, or abuse. [GAS 6.19] A subset of these categories of internal control objectives is the safeguarding of assets and resources. Controls over thesafeguarding of assets and resources include policies and procedures that the audited entity has implemented to reasonably prevent or promptly detect unauthorized acquisition, use, or disposition of assets and resources. [GAS 6.20] In performance audits, a deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct (1) impairments of effectiveness or efficiency of III-8 Section III:Planningthe Audit (Yellow Book 2011Revision) operations, (2) misstatements in financial or performance information, or (3) noncompliance with provisions of laws, regulations, contracts, or grant agreements on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively. [GAS 6.21] Information systems Understanding information systems controls is important when information controls systems are used extensively throughout the program under audit and the fundamental business processes related to the audit objectives rely on information systems. Information systems controls consist of those internal controls that are dependent on information systems processing and include general controls, application controls, and user controls. Information systems general controls a.(entitywide, system, and application levels) are the policies and procedures that apply to all or a large segment of an entity’s information systems. General controls help ensure the proper operation of information systems by creating the environment for proper operation of application controls. General controls include security management, logical and physical access, configuration management, segregation of duties, and contingency planning. Information systems application controls b., sometimes referred to as business process controls, are those controls that are incorporated directly into computer applications to help ensure the validity, completeness, accuracy, and confidentiality of transactions and data during application processing. Application controls include controls over input, processing, output, master file, interface, and data management system controls. Information systems user controls c.are portions of controls that are performed by people interacting with information system controls. A user control is an information system control if its effectiveness depends on information systems processing or the reliability (accuracy, completeness, and validity) of information processed by information systems. [GAS 6.23] An organization’s use of information systems controls may be extensive; however, auditors are primarily interested in those information systems controls that are significant to the audit objectives. Information systems controls are significant to the audit objectives if auditors determine that it is III-9 Section III:Planningthe Audit (Yellow Book 2011Revision) necessary to evaluate the effectiveness of information systems controls in order to obtain sufficient, appropriate evidence. When information systems controls are determined to be significant to the audit objectives or when the effectiveness of significant controls is dependent on the effectiveness of information systems controls, auditors should then evaluate the design and operating effectiveness of such controls. This evaluation would include other information systems controls that impact the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives. [GAS 6.24] Audit procedures to evaluate the effectiveness of significant information systems controls include: (1) gaining an understanding of the system as it relates to the information and (2) identifying and evaluating the general, application, and user controls that are critical to providing assurance over the reliability of the information required for the audit. [GAS 6.25] The evaluation of information systems controls may be done in conjunction with the auditors’ consideration of internal control within the context of the audit objectives or as a separate audit objective or audit procedure, depending on the objectives of the audit. Depending on the significance of information systems controls to the audit objectives, the extent of audit procedures to obtain such an understanding may be limited or extensive.In addition, the nature and extent of audit risk related to information systems controls are affected by the nature of the hardware and software used, the configuration of the entity’s systems and networks, and the entity’s information systems strategy. [GAS 6.26] Auditors should determine which audit procedures related to information systems controls are needed to obtain sufficient, appropriate evidence to support the audit findings and conclusions. The following factors may assist auditors in making this determination: a.The extent to which internal controls that are significant to the audit depend on the reliability of information processed or generated by information systems. b.The availability of evidence outside the information system to support the findings and conclusions: It may not be possible for auditors to obtain sufficient, appropriate evidence without evaluating the effectiveness of relevant information systems controls. For example, if information supporting the findings and conclusions is generated by information systems or its reliability is dependent on information systems controls, there may not be sufficient supporting or corroborating information or documentary evidence that is available III-10 Section III:Planningthe Audit (Yellow Book 2011Revision) other than that produced by the information systems. c.The relationship of information systems controls to data reliability: To obtain evidence about the reliability of computer-generated information, auditors may decide to evaluate the effectiveness of information systems controls as part of obtaining evidence about the reliability of the data. If the auditor concludes that information systems controls are effective, the auditor may reduce the extent of direct testing of data. d.Evaluating the effectiveness of information systems controls as an auditobjective: When evaluating the effectiveness of information systems controls is directly a part of an audit objective, auditors should test information systems controls necessary to address the audit objectives. For example, the audit may involve the effectiveness of information systems controls related to certain systems, facilities, or organizations. [GAS 6.27] Provisions of laws, Auditors should identify any provisions of laws, regulations, contracts, or regulations, contracts, grant agreements that are significant within the context of the audit and grant agreements objectives and assess the risk that noncompliance with provisions of laws, regulations, contracts, or grant agreements could occur. Based on that risk assessment, the auditors should design and perform procedures to obtain reasonable assurance of detecting instances of noncompliance with provisions of laws, regulations, contracts, or grant agreements that are significant within the context of the audit objectives. [GAS 6.28] The auditors’ assessment of audit risk may be affected by such factors as the complexity or newness of the laws, regulations, contracts, or grant agreements. The auditors’ assessment of audit risk also may be affected by whether the entity has controls that are effective in preventing or detecting noncompliance with provisions of laws, regulations, contracts, or grant agreements. If auditors obtain sufficient, appropriate evidence of the effectiveness of these controls, they can reduce the extent of their tests of compliance. [GAS 6.29] Fraud In planning the audit, auditors should assess risks of fraud occurring that is significant within the context of the audit objectives. Fraud involves obtaining something of value through willful misrepresentation. Whether an act is, in fact, fraud is a determination to be made through the judicial or other adjudicative system and is beyond auditors’ professional responsibility. Audit team members should discuss among the team fraud risks, including factors such as individuals’ incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or III-11 Section III:Planningthe Audit (Yellow Book 2011Revision) attitudes that could allow individuals to commit fraud. Auditors should gather and assess information to identify risks of fraud that are significant within the scope of the audit objectives or that could affect the findings and conclusions. For example, auditors may obtain information through discussion with officials of the audited entity or through other means to determine the susceptibility ofthe program to fraud, the status of internal controls the audited entity has established to prevent and detect fraud, or the risk that officials of the audited entity could override internal control. An attitude of professional skepticism in assessing these risks assists auditors in assessing which factors or risks could significantly affect the audit objectives. [GAS 6.30] When auditors identify factors or risks related to fraud that has occurred or is likely to have occurred that they believe are significant within the context of the audit objectives, they should design procedures to obtain reasonable assurance of detecting any such fraud. Assessing the risk of fraud is an ongoing process throughout the audit and relates not only to planning the auditbut also to evaluating evidence obtained during the audit. [GAS 6.31] When information comes to the auditors’ attention indicating that fraud, significant within the context of the audit objectives, may have occurred, auditors should extend the audit steps and procedures, as necessary, to: (1) determine whether fraud has likely occurred and (2) if so, determine its effect on the audit findings. If the fraud that may have occurred is not significant within the context of the audit objectives, the auditors may conduct additional audit work as a separate engagement, or refer the matter to other parties with oversight responsibility or jurisdiction. [GAS 6.32] Abuse Abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances. Abuse also includes misuse of authority or position for personal financial interests or those of an immediate or close family member or business associate. Abuse does not necessarily involve fraud, noncompliance with provisions of laws, regulations, contracts, or grant agreements. [GAS 6.33] Because the determination of abuse is subjective, auditors are not required to detect abuse in performance audits. However, as part of a GAGAS audit, if auditors become aware of abuse that could be quantitatively or qualitatively significant to the program under audit, auditors should apply audit procedures specifically directed to ascertain the potential effect on the program under audit within the context of the audit objectives. After performing additional work, auditors may discover that the abuse represents potential fraud or noncompliance with provisions of laws, regulations, contracts, or grant agreements. [GAS 6.34] III-12 Section III:Planningthe Audit (Yellow Book 2011Revision) Ongoing investigations Avoiding interference with investigations or legal proceedings is important or legal proceedings in pursuing indications of fraud, noncompliance with provisions of laws, regulations, contracts or grant agreements, or abuse. Laws, regulations, and policies may require auditors to report indications of certain types of fraud, noncompliance with provisions of laws, regulations, contracts, or grant agreements, or abuse to law enforcement or investigatory authorities before performing additional audit procedures. When investigations or legal proceedings are initiated or in process, auditors should evaluate the impact on the current audit. In some cases, it may be appropriate for the auditors to work with investigators or legal authorities, or withdraw from or defer further work on the audit or a portion of the audit to avoid interfering with an ongoing investigation or legal proceeding.[GAS 6.35] Follow-up on previous Auditors should evaluate whether the audited entity has taken appropriate audits corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, performance audits, or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. [GAS 6.36] Identifying audit criteria Auditors should identify criteria. Criteria represent the laws, regulations, contracts, grant agreements, standards, specific requirements, measures, expected performance, defined business practices, and benchmarks against which performance is compared orevaluated. Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings, conclusions, and recommendations included in the report. Auditors should use criteria that are relevant to the auditobjectives and permit consistent assessment of the subject matter. [GAS 6.37] Identifying sources of Auditors should identify potential sources of information that could be used evidence as evidence. Auditors should determine the amount and type of evidence needed to obtain sufficient, appropriate evidence to address the audit objectives and adequately plan audit work. [GAS 6.38] If auditors believe that it is likely that sufficient appropriate evidence will not be available, they may revise the audit objectives or modify the scope and methodology and determine alternative procedures to obtain additional III-13 Section III:Planningthe Audit (Yellow Book 2011Revision) evidence or other forms of evidence to address the current objectives. Auditors should also evaluate whether the lack of sufficient, appropriate evidence is due to internal control deficiencies or other program weaknesses, and whether the lack of sufficient, appropriate evidence could be the basis for audit findings. [GAS 6.39] Auditors must obtain sufficient, appropriate evidence to provide a reasonable basis for their findings and conclusions. The concept of sufficient appropriate evidence is integral to an audit. In assessing evidence, auditors should evaluate whether the evidence taken as a whole is sufficient and appropriate for addressing audit objectives and supporting findings and conclusions. Professional judgment assists auditors in determining the sufficiency and appropriateness of evidence taken as a whole. (See GAS 6.56 through 6.59) Using the work of others Auditors should determine whether other auditors have conducted, or are conducting, audits of the program that could be relevant to the current audit objectives. The results of other auditors’ work may beuseful sources of information for planning and performing the audit. If other auditors have identified areas that warrant further audit work or follow-up, their work may influence the auditors’ selection of objectives, scope, and methodology.[GAS 6.40] If other auditors have completed audit work related to the objectives of the current audit, the current auditors may be able to use the work of the other auditors to support findings or conclusions for the current audit and, thereby, avoid duplication of efforts. If auditors use the work of other auditors, they should perform procedures that provide a sufficient basis for using that work. Auditors should obtain evidence concerning the other auditors’ qualifications and independence and should determine whether the scope, quality, and timing of the audit work performed by the other auditors is adequate for reliance in the context of the current audit objectives. Procedures that auditors may perform in making this determination include reviewing the other auditors’ report, audit plan, or audit documentation, and/or performing tests of the other auditors’ work. The nature and extent of evidence needed will depend on the significance of the other auditors’ work to the current audit objectives and the extent towhich the auditors will use that work.[GAS 6.41] Some audits may necessitate the use of specialized techniques or methods that require the skills of a specialist. Specialists to whom this section applies include, but are not limited to, actuaries, appraisers, attorneys, engineers, environmental consultants, medical professionals, statisticians, geologists, and information technology experts. If auditors intend to use the work of specialists, they should assess the professional qualifications and independence of the specialists.[GAS 6.42] III-14 Section III:Planningthe Audit (Yellow Book 2011Revision) Auditors’ assessment of professional qualifications of the specialist involves the following: a.the professional certification, license, or other recognition of the competence of the specialist in his or her field, as appropriate; b.the reputation and standing of the specialist in the views of peers and others familiar with the specialist’s capability or performance; c.the specialist’s experience and previous work in the subject matter; and d.the auditors’ prior experience in using the specialist’s work.[GAS 6.43] Auditors’ assessment of the independence of specialists who perform audit work includes identifying threats and applying any necessary safeguards in the same manner as they would for auditors performing work on those audits.[GAS 6.44] Assigning staff and Audit management should assign sufficient staff and specialists with other resources adequate collective professional competence to perform the audit.Staffing an audit includes, among other things: a.assigning staff and specialists with the collective knowledge, skills, and experience appropriate for the job, b.assigning a sufficient number of staff and supervisors to the audit, c.providing for on-the-job training of staff, and d.engaging specialists when necessary.[GAS 6.45] If planning to use the work of a specialist, auditors should document the nature and scope of the work to be performed by the specialist, including: a.the objectives and scope of the specialist’s work, b.the intended use of the specialist’s work to support the audit objectives, c.the specialist’s procedures and findings so they can be evaluated and related to other planned audit procedures, and d.the assumptions and methods used by the specialist. [GAS 6.46] III-15 Section III:Planningthe Audit (Yellow Book 2011Revision) Communicating with Auditors should communicate an overview of the objectives, scope, and management, those methodology and the timing of the performance audit and planned reporting charged with (including any potential restrictions on the report), unless doing so could governance, and others significantly impair the auditors’ ability to obtain sufficient, appropriate evidence to address the audit objectives, such as when the auditors plan to conduct unannounced cash counts or perform procedures related to indications of fraud. Auditors should communicate with the following parties, as applicable: a.management of the audited entity, including those with sufficient authority and responsibility to implement corrective action in the program or activity being audited; b.those charged with governance; c.the individuals contracting for or requesting audit services, such as contracting officials or grantees; and d.the cognizant legislative committee, when auditors perform the audit pursuant to a law or regulation or they conduct the work for the legislative committee that has oversight of the audited entity.[GAS 6.47] In those situations where there is not a single individual or group that both oversees the strategic direction of the audited entity and the fulfillment of its accountability obligations or in other situations where the identity of those charged with governance is not clearly evident, auditors should document the process followed and conclusions reached for identifying the appropriate individuals to receive the required auditor communications. [GAS 6.48] Determining the form, content, and frequency of the communication is a matter of professional judgment, although written communication is preferred. Auditors may use an engagement letter to communicate the information. Auditors should document this communication.[GAS 6.49] If an audit is terminated before it is completed and an audit report is not issued, auditors should document the results of the work to the date of termination and why the audit was terminated. Determining whether and how to communicate the reason for terminating the audit to those charged with governance, appropriate officials of the audited entity, the entity contracting for or requesting the audit, and other appropriate officials will depend on the facts andcircumstances and, therefore, is a matter of professional judgment.[6.50] III-16 Section III:Planningthe Audit (Yellow Book 2011Revision) Preparing a written audit Auditors must prepare a written audit plan for each audit. The form and plan content of the written audit plan may vary among audits and may include an audit strategy, audit program, project plan, audit planning paper, or other appropriate documentation of key decisions about the audit objectives, scope, and methodology and the auditors’ basis for those decisions. Auditors should update the plan, as necessary, to reflect any significant changes to the plan made during the audit.[GAS 6.51] A written audit plan provides an opportunity for audit organization management to supervise audit planning and to determine whether: a.the proposed audit objectives are likely to result in a useful report; b.the audit plan adequately addresses relevant risks; c.the proposed audit scope and methodology are adequate to address the audit objectives; d.available evidence is likely to be sufficient and appropriate for purposes of the audit; and e.sufficient staff, supervisors, and specialists with adequate collective professional competence and other resources are available to perform the audit and to meet expected time frames for completing the work.[GAS 6.52] Supervision Audit supervisors or those designated to supervise auditors must properly supervise audit staff. [GAS 6.53] Audit supervision involves providing sufficient guidance and direction to staff assigned to the audit to address the audit objectives and follow applicable requirements, while staying informed about significant problems encountered, reviewing the work performed, and providing effective on-the- job training.[GAS 6.54] The nature and extent of the supervision of staff and the review of audit work may vary depending on a number of factors, such as the size of the audit organization, the significance of the work, and the experience of the staff.[GAS 6.55] III-17 Section III:Planningthe Audit (Yellow Book 2011Revision) The audit organization assures that reasonable assurance, significance, and OLAPlanning risk are appropriately addressed by ensuring that auditors properly plan Process their audit work. The purpose of “planning”, as the term is used here, is to: Generate information and ideas to better understand the audit subject; Determine the auditobjective; Assess the audit risk and significance within the context of the audit objective; and Develop the audit approach and fieldwork tasks. Planning also develops information necessary to estimate the time and resources necessary to accomplish an audit, and reveals whether a proposed objective can be accomplished in the available time or with the available resources. The evidence gathered in background research and later fieldwork is documented in the working papers. Also, if consultants are to be engaged, those steps are performed in this stage, as described in Section VII –Use of Consultant Services –of this audit manual. The work of researching a selected or potential audit subject and planning how the audit would take place may occur either before or after selection of the subject of an audit project. For audit projects initiated by the office, researching potential audit subjects prior to selection enables that decision to be based on available factual information. For audit projects requested by the council through a resolution, audit planning would normally begin after the request has been selected by the legislative auditor for audit. The steps and procedures of a project are many and complex. Usually, about one-third of the time on a project is spent on planning, one-third on fieldwork, and the remaining third on report development. The planning stage is sufficiently flexible to encourage creativity in shaping the project, but has enough structure to produce a logical and defensible work program. Planning ensures that appropriate steps are laid out and that results will satisfy audit objectives in a timely manner. The audit supervisor plans the work of the project and keeps the auditor informed of progress. The purpose of the planning stageis to clearly identify audit objectives, scope, and methodology while keeping in mind timeframes and staff resources. The end product of planning –the Work Program –will guide the work of the project during fieldwork and ensure that project results willsatisfy the audit objectives. III-18 Section III:Planningthe Audit (Yellow Book 2011Revision) Four Steps of Planning The planning process can be divided into the following four major steps: 1)Project initiation and expectations. 2)Preliminary survey. 3)Risk assessment. 4)Workprogram. Step One:The scope and extent of planning will depend on such factors as prior audits Project initiation and on the subjector audit entity;the experience and knowledge of the staff expectations assignedto the project;the type of report to be developed; and/or the specificity of a council resolution. Project assignment: Soon after the auditor assigns staff toa project, the audit supervisorand any team membersmeet with the auditor to share information, discuss strategy (such as which officials to contact), andlearn of the auditor’s expectations. The meeting helps to identify projectissues, their significance to potential users of the audit report, thecontribution the office can make, the availability of data andresources, and whether a consultant is required for the project. The auditsupervisor summarizes the meeting in a memorandum, obtains approval from theauditor, and forwards copies to all team members. Background research: When an audit is undertaken by the office based on the office’s Annual Audit Plan, the audit supervisor examines areas of risk identified in the county-wide risk assessment that evaluated major county funds, programs and activities, services and operations and ranked the particular department for audit review.Prior to the entrance conference with the administrator and key staff of the department, the audit supervisor identifies issues and areas requiring clarification and discusses these with the auditor.When an audit is undertaken by the officeat the request of the council, the audit supervisor examines any resolution, committee reports, testimony, and otherpertinent documents.Toidentify the concerns behind the audit request, the auditsupervisormay find it usefulto contact the council memberresponsible for the request.Prior to meeting with the council member, the auditsupervisoridentifies issues and areas requiring clarification and discusses these withthe auditor. Scoping statement: Upon completion of some preliminary background Scoping research on theaudit entity, the auditsupervisorwill develop a Statement(seesample at Exhibit III-A) .The purpose of the Scoping Statement is to avoiddiscovery auditing (defining theaudit scope during fieldwork) as muchas possible—keeping a focus on the audit’s real questions and concerns,and to assess what has to be done to answer those questions andconcerns.This conceptualization process is intended to keep III-19 Section III:Planningthe Audit (Yellow Book 2011Revision) theplanning process to a minimum by focusing on what we are going to do, why we are going to do it, and how we are going to do it. Thescoping process is intended to save the amount of time it will take to perform and complete the preliminary survey and risk assessment work. If done properly, the scoping work will help the audit team focus its preliminary surveyand risk assessment work around the tentative scope, methodology, andobjectives of the audit. The audit supervisor submitsthe Scoping Statement to the auditor for approval. StepTwo:The preliminary survey phase includesformally notifying the audit entity, Preliminary survey conducting an entrance meeting with the audit entity, andperforming the preliminary survey/document search and review. Audit notification letter: Upon approval of the Scoping Statement by the auditor, the auditsupervisorwill draft the audit notification letter for the auditor’s signature to informthe audit entity,mayor, appropriate board or commission, and council of the start ofthe audit. The notification would include a brief description of the impetusfor the audit and a request for a meeting with the administratorof the audit entity. Entrance conference: At the entrance conference, the auditor, audit supervisor, and teammembers meet with the administrator of the audit entityand key staff to: 1.Introduce themembers of the audit team, 2.Explain the general process and timetablefor the audit work, including the audit entity’s deadlines to respond topreliminary findings and the preliminary draftreport; 3.Gain understanding ofthe audit entity’s protocol to be followed in contacting staff and requesting information; 4.Request work space and network connectivity for the audit team during the conduct of the fieldwork;and 5.Solicit the views andconcerns of the administrator and key staff of the audit entity on the project. 6.Request copies of the audit entity’s organizational chart, including identification of position titles, vacant positions, and length of position vacancies; written policies and procedures and workflow diagrams; written performance standards and measuresand reports on performance measures; and other organizational documents. III-20 Section III:Planningthe Audit (Yellow Book 2011Revision) Preliminary survey: As related to the areas identified in the Scoping Statement, informationabout the audit entity’s mission, goals and objectives, structure, policies,procedures, processes, resources, outputs, and outcomes is obtainedthrough a preliminary survey. The purpose is to understand the department, agency, program, activity, or fundto be audited and develop thefinal audit objectives.An auditentitymayinclude programs, activities, and/or fundsthat cross departments oragencies.The preliminarysurvey may include: 1.Reviewing the charter and ordinances relating tothe audit entity,its program and financial plans, program memoranda, annualreports, recent budget requests, testimony, internal reports, policy and procedure manuals, organizational charts, and functional statements; 2.Researching the literature, including identifying criteria and related auditsconducted by other county and stateauditors; 3.Interviewing staff; 4.Reviewing files; 5.Observing and documenting activities;and 6.Identifying and assessing potential sources of data for the audit. Preliminary information about operations is gathered quickly, without detailed verification, and should be relevantto the focusestablished in the scoping statement process. StepThree:This phase requires that we assess the risk of the audit entitybased on Risk assessment documents received from the audit entityor obtained from external sources during theproject initiation and preliminary survey process. The purpose of this review is to identify the threats facing the audit entity, identify the controls or procedures in place to prevent orminimize such threats, and help sharpen the preliminary scope, methodology, and objectives of the Scoping Statement. The risk assessment work should be documented in theworking papers Risk Assessment Audit Program following the program established in the (seesample at Exhibit III-B) . This assessment should serve as the foundation for the development of the detailed audit tests in the Work Program. The assessment of theaudit risk should be documented and relevant to theaudit objectives. Review of internal (management) controls: Auditors should achieve an understanding of management controls that is significant within the context III-21 Section III:Planningthe Audit (Yellow Book 2011Revision) of the audit objectives. Auditors should assess whether management controls have been properly designed and implemented, and should perform procedures designed to obtain sufficient, appropriate evidence to support their assessment about the effectiveness of those controls. Information system controls should also be understood when relevant to the audit subject at hand. In order to determine if the audit objectives require such review, the following approach may be considered: • Reduce audit objectives to questions about specific aspects of the audited program (e.g., purpose and goals, efforts, program operations, outputs, outcomes). • Identify management controls that directly address the program aspects implicated in the questions. • Determine if weaknesses in those controls would significantly affect the auditor’s answers to the audit questions. If so, the review should be performed. The Comptroller General of the United States has prescribed several general standards for management controls in the federal government. These standards are equally applicable to the county: • Reasonable assurance. Managementcontrol systems should provide reasonable assurance that the objectives will be attained. • Supportive attitude. Managers and employees should maintain and demonstrate a positive and supportive attitude toward management controls at all times. • Competent personnel. Managers and employees should have personal and professional integrity and maintain sufficient competence to allow them to carry out their assigned duties as well as to understand the importance of good management controls. • Control objectives. Management control objectives should be developed for each agency activity and are to be logical, applicable, and reasonably complete. • Control techniques. Management control techniques should be effective and efficient in accomplishing management control objectives. • Documentation. Management control systems and all transactions III-22 Section III:Planningthe Audit (Yellow Book 2011Revision) and other significant events should be clearly documented, and the documentation should be readily available for examination. • Recording of transactions and events. Transactions and other significant events should be promptly recorded and properly classified. • Execution of transactions and events. Transactions and other significant events should be authorized and executed only by persons acting within the scope of their authority. • Separation of duties. Key duties and responsibilities in authorizing, processing, recording, and reviewing transactions should be divided among individuals. • Supervision. Qualified and continuous supervision should be provided to ensure that management control objectives are achieved. • Access to and accountability for resources. Access to resources and records should be limited to authorized individuals, and accountability for the custody and use of resources should be assigned and maintained. Periodic comparison should be made of the resources with the recorded accountability to determine whether the two agree. The frequency of the comparison should be determined by the vulnerability of the resource. If undertaken, the extent of reviewing management controls should be based on an assessment of the risk that controls could fail. The risk assessment is based on such factors as whether the controlshave been recently reviewed, whether previous audits have shown weaknesses, whether the controls are well documented, and whether there are incentives for noncompliance. The review is based on the auditor’s determination of the most probable risks of failure in the audit entityto: 1.Meet goals and objectives; 2.Comply with laws and regulations; 3.Prevent waste, loss, and misuse of resources; and 4.Maintain reliable data on its activities. The auditor then considers whether the controls to prevent those failures are: 1.Logical; 2.Reasonably complete; and 3.Likely to deter or detect those failures. III-23 Section III:Planningthe Audit (Yellow Book 2011Revision) Management control weaknesses include: 1.The absence of controls; 2.The insufficiency of controls; and 3.The failure to carry out the controls. The auditor should consider the reasonableness of the controls in relationto the benefits to be gained. The following are examples of how the understanding of management controls can influence the Audit Plan(see Step Four:Work Program): Objectives. Poorly controlled aspects of a program have higher risk of failure, so they may be more significant than others in terms of where to focus auditefforts. Scope. Poor controls in a certain location may lead auditors to target efforts there. Methodology. Effective controls over collecting, summarizing, and reporting data may reduce the extent of direct testing of data validity and reliability. Poor controls may require auditorsto perform more direct testing of the data, look for data from outside the entity, or develop their own data. Test for compliance with laws, regulations, contracts, grant agreements Testing to provide reasonable assurance that the audit entitycomplied with applicable laws,regulations, contracts, and grant agreementsshould be done when required by the audit objectives. If undertaken, the extent of testing performed should be based on an assessment of risk that illegal acts could occur. The risk assessment is based on such factors as whether previous audits have shown noncompliance, whether the laws,regulations, contracts, and/or grant agreementsare difficult to understand, whether there are incentives for noncompliance, and the extent of management controls to ensure compliance. In all performance audits, staff auditors shouldbe alert to situations or transactions that could be indicative of illegal acts, fraud, or abuse. If any evidence of illegal acts, fraud, or abuse is found, the audit supervisor should immediately notify the auditor, who will then notify and refer the matter to the appropriate authority. No actions should be taken that would interfere with legal proceedings or investigations. III-24 Section III:Planningthe Audit (Yellow Book 2011Revision) The Work Program consists of a written Audit Plan and Workplan Step Four:: Work Program The Audit Plan includes objectives, scope, methodology, and related concerns. The Workplan includes detailed steps and procedures for accomplishing the audit objectives. Based primarily on the Scoping Statement, preliminary survey, and assessment of risk, the audit supervisor drafts the Work Program for review and approval by the auditor: Work programs should be designed to obtain evidence that meets the basictests of sufficiency and appropriateness. Working papers should reflect the details of the evidence and disclose how it was obtained. The Audit Plan section of the Work Program normally covers the following subjects(see sample audit plan attached as Exhibit III-C) : • Introduction and background. The legal authority for the project, statutory background on the audit entity, its history, organization, objectives, and any other information needed for an understanding of the project are cited. A description of the resources put into the audit entity’s program (moneys, materials, personnel) should be included. Trends over several years may be useful. For studies, a brief discussion of the subject area and policy issues is appropriate. • Definition of terms. Unique terms are defined or explained. • Objectives. The objectives clearly identify what is to be accomplished and the audit subjects and the performance aspects to be examined. They identify the potential finding and reporting elements to be developed. • Scope. Scope sets the boundaries of the work. It addresses such things as the time period and number of locations to be covered. It balances the information needed to achieve the audit objectives with the availability of data, appropriateness of analytic techniques, amount of time, resources of staff, and so forth. Criteria. Criteria are the standards against which the object of study is judged. They are used to determine whether an audit entity meets or exceeds expectations. Good criteria are reasonable, attainable, III-25 Section III:Planningthe Audit (Yellow Book 2011Revision) and relevant to the matters being audited. The Audit Plan should, where possible, state the criteria to be used. • Methodology. Methodology shows how data will be gathered, analyzed, and used. The methodology should be designed to provide appropriate and sufficient evidence to achieve the audit objectives. In planning methodology and designing audit tests, audit supervisors consider the materiality and significance of the issues and the resources needed to accomplish the work. Sampling plans and other research approaches such as surveys and interviews may be outlined. Any planned follow-up on the status of previous findings and recommendations should be identified. • Legal compliance. When applicable, the plan should include to the extent possible the nature of legal compliance to be assessed. Additional preliminary work may be necessary to plan these activities. • Coordination efforts. Other audits being conducted on the subject are identified to coordinate work with other governmentor external auditors. When several agencies are conducting audits of the same entity, the Audit Plan may explain how the work of others can be used to satisfy audit objectives.Evidence in the working papers should documentthe qualifications and independence of the other auditorsas well as a determination that the scope, quality, and timing of their audit work is adequate for reliance in the context of the office’s audit objectives.Similar documentation should be included inthe working papers when using the work of specialists. • Resources and special instructions. Any audit staff assigned to the project are listed. Resources required beyond those already allocated to the project (such as consultants or extensive travel) are identified. • Deadlines. Deadlines are set for various phases and products. In developing the schedule, adequate time is allowed for review and report production. The audit supervisor works backwards from a deadline set by the auditor, factoring in time for vacation leave, sick leave, and training. The Workplan section of the Work Program details specific tasks for meeting audit objectives (see sample workplan attached as Exhibit III-D). The detailing of tasks helps the audit supervisor determine what theaudit teammust do to complete the Work Program. The Workplan also estimates III-26 Section III:Planningthe Audit (Yellow Book 2011Revision) the number of work days to complete the tasks and a general indexing plan for organizing the working papers. Types of audit procedures: The four types of audit procedures used to test systems, transactions, or processes include: Verification. 1.The purpose of verification is to establish the accuracy, reliability, or validity of something. Verification techniques include: •Counting. •Comparing. •Examining. •Inspecting. •Footing. •Re-computing. •Reconciling. •Confirming. •Vouching. •Tracing. Observation. 2.Auditors observe conditions, make mental notes, consider deviations from the norm, and use judgment to assess dangerous conditions, backlogs, or idle personnel, equipment, or facilities. Interviews. 3.Auditors perform interviews with the audit entity and related parties throughout the audit. Good oral communication skills on the part of the auditor assist in getting accurate and meaningful information from the interviewee. Auditors should use open-ended questions when possible. Interviews should be documented and, depending on the type of information received in an interview, may need to be confirmed in writing. Analysis. 4.Analysis includes compilation and review of data, making detailed calculations and computations, documentation of ratios and trends, andmaking comparisons. Types of evidence: The four types and sources of evidence used depending on the audit objectives include: Physical evidence. 1.Physical evidence is obtained by an auditor’s direct inspection or observation of: III-27 Section III:Planningthe Audit (Yellow Book 2011Revision) Activities of people. Property. Events. Such evidence may be documented in the form of: Memorandasummarizing the matters inspected or observed. Photographs and/or videos. Drawings. Charts. Maps. Actual samples. The value of physical evidence is often limited by the number of observations made, the biases of the observer, and the impact of observation of the subjects. Documentary evidence. 2.Documentary evidence consists of created information, including hard copy or electronically stored information. The documents, forms, journals, or reports may originate within the audit entity or may come from an external source. Some examples are: Letters and e-mails. Contracts. Laws. Regulations. Procedures. Budget information. Accounting records, invoices, and spreadsheets. Database extracts. Management information on performance. Documentary evidence is usually more reliable, more objective, easier to assemble, and easier to document than other kinds of evidence. Testimonial evidence. 3.Testimonial evidence is obtained from others through statements received in response to inquiries, questionnaires, interviews, focus groups, and public forums. Statements important to the audit should be corroborated when possible with additional evidence. Testimonial evidence is to be III-28 Section III:Planningthe Audit (Yellow Book 2011Revision) evaluated in order to determine whether the individual may be biased or only have partial knowledge about the area. Analytical evidence. 4.Analytical evidence is the result of analysis and verification. Some of the techniques or processes used to analyze evidence gathered to determine whether it is appropriate and sufficient include: Computations. Comparisons. Reasoning or rational arguments. Separation of information into components. The quality of analytical evidence depends on the accuracy and reliability of the data used, the level of detail, and the logic applied in analysis. Variations of work programs: In some circumstances, the auditor may authorize variations of Work Programs to facilitate project efficiency and effectiveness. For example, some projects involving a consultant may only need a “project approach memorandum” in the development of an RFP to secure a consultant through the public procurement process. The project approach memorandum would normally contain only some of the elements found in a Work Program. Some of the elements could include the background information, project objectives, scope of work, an estimated timetable, and an explanation of the type or types of consultant resources needed. Using a project approach memorandum may be particularly appropriate in projects requiring rapid development of an RFP and in projects where the consultant will do most of the work (as opposed to projects in which the work will be split more evenly between the consultant and the office staff). In another example, some projects may need only an “expanded workplan” but no Audit Plan. The Workplan would contain the usual detailed description of audit tasks, but would be prefaced with a short introductory section containing key elements of an Audit Plan in abbreviated form. This approach might be useful in a highly structured project that differs so little from previous similar projects that a full Audit Plan would be superfluous. In using variations of Work Programs, care must be taken to document the reasons for the different approach, the necessary approvals, and to ensure that the approach meets GAGAS requirements. Changes to approved work program: The auditor will approve any significant departures from the Work Program, with an explanation for the III-29 Section III:Planningthe Audit (Yellow Book 2011Revision) change documented in a memorandumprepared by the audit supervisor. Minor changes,such as extensions of internal deadlines,do not require formal approval by the auditor. Engagement letter to audit entity(see sample engagement letter attached as Exhibit III-E): Once the Work Program is approved, an engagement letter is sent to the audit entity, mayor, appropriate board or commission, and council regarding the auditscopeand objectives. To the extent possible, the methodology and timing of the audit will be communicated in the communication. Types of Audit Files When an audit project is initiated, the audit supervisor develops two types of audit files: 1.Project files. 2.Working papers. Project files are maintained by the administrative assistant to the auditor and contain administrative materials external to the working papers, such as the documents which initiated the audit(e.g., council resolution), copies of contracts to engage any consultants engaged for the audit and all related procurement documents, all project correspondence on office letterhead, a numbered copy of the report draft, and a copy of the final report. Working papers are generally files generated and obtained during fieldwork in support of the findings and conclusions. Working papers are more fully discussed in Section IV –Fieldwork and Testing–of this audit manual. Briefly, working papers help the audit supervisor organize materials and prepare report outlines and reports. Working papers can also help the audit supervisor monitor work progress and ensure that it is accurate and timely; document progress toward achieving audit objectives by showing the work done, data collected, and methodology used; and assist in planning for and carrying out subsequent audit assignments. Finally, working papers provide evidence of audit quality: that the conclusions and judgments in an audit are based on fact and are reasonably supported by the evidence. Upon completion, the working papers supporting the final audit report and project files are appropriately labeled by the audit supervisor and submitted to the auditor for general review before forwarding to the administrative assistant to the auditor for filing in the office central files (see Section VI—Project Closure–of this audit manual). Neither type of files includes peripheral, duplicative, or extraneous materials, or materials of questionable value. The audit supervisor is responsible for ensuring that the project files and working papers are appropriately organized and complete. III-30 Section III:Planningthe Audit (Yellow Book 2011Revision) Confidential Working According to the Uniform Information Practices Act, working papers are Papers available for public inspection upon written request to the auditor. However, confidential documents may be exempted from public disclosure if disclosurewould invade an individual’s right to privacy or frustrate a legitimate government function. Documents that are provided in confidence or documents that are protected by federal and state laws can also be withheld from disclosure. They should be marked “CONFIDENTIAL”,and the auditor should be notified to ensure the documents are handled appropriately. Protected documents are best left with the agency being audited. In those cases where these documents are confidential and are needed as evidence, the auditsupervisor should consider including only a summary of the documents in the working papers. Reconsiderationand On rare occasion, based on the information gathered in the course of Termination ofan Audit researching or conducting the audit, the auditor may decide that toproceed with an audit as initially directed may be inadvisable. Forexample, the audit may appear premature, the value to be gained mayappear to be outweighed by the cost, or events subsequent to the auditauthorization may have rendered an audit moot. If it is determined that an audit should be terminated before it iscompleted and no audit report issued, the audit entitywill be notified inwriting with a copy to the mayor, appropriate board or commission,and council.In addition, the auditsupervisorwill summarize in writing the results of the workto date and the reason why the audit was terminated, and file this summary in the audit working papers. III-31 This page intentionally left blank. Section IV Fieldwork and Testing The WorkProgram guides fieldwork. In fieldwork, the auditsupervisoris Introduction responsible for ensuring that tasks identified in the Workplan portion ofthe WorkProgram arecarried out. These might include interviewingofficials, reviewing documents (e.g.,internal memoranda,correspondence, reports, minutes, contracts), and gathering statisticaldata through database searches, analysis of secondary data sources, andsurveys. The purpose of the fieldwork and testing stage is for auditors to: Perform detailed data collection and analysis; Address audit objectives; and Complete fieldwork audit steps included in the Work Program. Staff auditors should maintain constant and close communication with the auditsupervisorand auditorduring the fieldwork process to discuss audit results and potential revisionsand/or additions to the Work Program. Staff auditors may encounter difficulties in completing certain tasks or in meeting the rules of evidence, or they may encounter new, unanticipated issues and findings. Staff auditors are encouraged to revise their Work Programs as needed, with the approval of the audit supervisor and auditor. During fieldwork, auditors should gather appropriate and sufficient evidence to address the audit objectives and provide support for the audit findings and conclusions during the fieldwork process. If, after assessment of the evidence, there is concern about the appropriatenessandsufficiency of the evidence, additional procedures may need to take place, that include, but are not be limited to: Gathering of additional evidence, as appropriate. Redefining the audit scope, as appropriate. Redefining the audit objectives, as appropriate. Modifying the findings, as appropriate. Modifying the conclusions, as appropriate. As fieldwork proceeds, adetailed report outline is developed concurrently by the audit supervisor. This gives direction to fieldwork, and forces the auditsupervisor to think about how the information being gathered relates to the audit objectives and the audit report. Developing the report outline also reveals what information is missing so far and must be gathered to support emerging findings. The report outline leads to production of the preliminary and final reports. Written reports are a public record of the IV-1 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) audit project. They serve to clarify the audit results toavoid misunderstanding, and they simplify the process of following up on corrective action when so requested. As discussed in Section III –Planning,management controls are defined as Reviewing Internal the techniques, procedures, and plans adopted by management to ensure (Management) that the audited entity:1)meets goals and objectives;2)complies with Controls laws, regulations, and policies;3) prevents waste, loss, and misuse of its resources; and4) maintains reliable information on its activities.They include the audited entity’s entire process for planning, organizing, directing, and controlling program operations. Because of the lack of administrative continuity in government units, effective management controls are essential. Reviewing the effectiveness of that system may be part of an audit engagement. Management controls are part of management’s regulating and operating functions, and are not separate, specialized systems. Ideally, management controls help to ensure that government conducts itsbusiness properly and is fully accountable for the resources it uses. In addition, they include the systems for measuring, reporting, and monitoring program performance. Management controls over program operations include policies and procedures that management has implemented to provide reasonable assurance that a program meets its goals and objectives, while considering cost effectiveness and efficiency. Understanding these controls will help the auditsupervisor understand the program operations that convert inputs and efforts to outputs and outcomes. Assessing risk A review of management controls significant to the audit objectives is an ongoing process. The following are examples of circumstances where management controls can be significant toaudit objectives and thus, testing would be required: • Todeterminethe cause of unsatisfactory performance if that unsatisfactory performance could result from weaknesses in specific management controls; and • To assess the relevance and reliability of performance measures developed by the audited entity. Effective management controls over collecting, summarizing, and reporting data will help ensure valid and reliable performance measures. IV-2 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) Reviewing and testing The key steps in reviewingand testingcontrols are to: controls 1.Identify and understand relevant controls; 2.Determinewhat is already known about control effectiveness; 3.Review adequacy of control design; 4.Determine if controls are properly implemented; and 5.Determine if transactions are properly documented. Management controls consist of management’s objectives, procedures, and accounting and monitoring systems. The deficiencies in these elements eventually become part of a finding. Control objectives are the results management is trying to attain or the adverse conditions that management is trying to avoid. In developing a finding, these are often the criteria. Control procedures are the specific steps, techniques, or procedures established by management to provide reasonable assurance that control objectives are achieved. Weaknesses here are often the cause element of a finding. Accounting systems include the methods and records used to identify, assemble, analyze, classify, record, and report transactions and maintain accountability for assets, liabilities, revenues, and expenses. Monitoring systems includes management’s methods for following up and checking on performance to ensure that control and accounting procedures are complied with, including internal auditing. Determining known The auditsupervisor considers what, if anything is already known about the effectiveness effectiveness of the controls. If these controls have been reviewed by other agencies, the auditsupervisor considers using that work, guided by the standards for using the work of others. If prior control reviews are sufficiently recent and thorough, the auditsupervisor does not need to further review management control design and implementation. Reviewing design The auditsupervisor considers what is most likely to go wrong in the controls agency’s operations, such as misuse of resources or failure to attain objectives. Then the auditsupervisor examines whether the controls for preventing those situations are logical, reasonably complete, and likely to deter ordetect possible misuse, failure, or errors. Weaknesses include the absence of controls, the insufficiency of controls, or the failure to carry out controls. Controls should provide reasonable, but not absolute, assurance of deterring or detecting problems. The auditsupervisor considers the reasonableness of the controls in relation to the benefits to be gained. IV-3 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) Reviewing A system of management controls may be appropriately designed but still implementation of ineffective if it is used incorrectly and/or inconsistently. The audit controls supervisorconducts enough testing to provide a reasonable basis for concluding whether the controls are being applied correctly and consistently. Reviewing The audited entityshould have clearly documented its transactions and documentation of should make these documents readily available to the auditsupervisor. The transactions auditsupervisor asks to see such key documents as policies and procedures manuals, personnel manuals, organization charts, and budget justification data. If any of the documents involve computer-processed data, the audit supervisor is guided by the standards relating to such data discussed earlier in this audit manual. Access to confidential or Audited entity officials may be reluctant to share confidential information, sensitive information such as personnel records, with the auditor’s office. The audit supervisor should request access to only those records needed to plan the project and conduct fieldwork. At the same time, the auditsupervisor and team members should not be inhibited unnecessarily by confidentiality concerns, since the charter authorizes our access to the necessary information. If the audited entity raises questions, the audit supervisor may be able to informally obtain access by orally citing: 1.Sections of the charter provision that give access to needed information; and 2.Sections of the Uniform Information Practices Act that both authorize agencies to release information to our office and require our office to observe the same restrictions on disclosure of the records that apply to the originating agency. If necessary, the auditor will write to the audited entity, acknowledging the auditedentity’s concerns and citing the appropriate charter provisions that justifyaccess. Some projects may require that we test whether audited entitiesand their Testing for programs comply with the charter, ordinances, regulations, or other Compliance requirements. Failure to comply can affect an audited entity’s performance. This section describes the office’s approach to meeting auditing standards for testing for compliance in performance audits. IV-4 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) Illegal acts and other The audit should be designed to provide reasonable assurance about noncompliance compliance with laws and regulations that are significant to the audit objectives. This requires determining if laws and regulations are significant to the audit objectives and, if they are, assessing the risk that significant illegal acts could occur. Based on the risk assessment performed in the planning phase, we design and perform procedures to provide reasonable assurance of detecting instances of violations of legal and regulatory requirements or violations of provisions of contracts or grant agreements that are significant within the context of the audit objectives. The auditsupervisor is careful to distinguish between legal language that requires an audited entityto do something (“shall” or “must”) and language that gives the audited entitydiscretion to do something (“may”). For example, an ordinance says a department shall carry out educational programs and may authorize researchers in substance abuse to withhold the identity of research subjects. Under these provisions, failure to carry out educational programs would be noncompliance, but failure to authorize researchers to withhold subjects’ identities would not be. Discretionary provisions may be important for several reasons. They often contain requirements to be followed if the audited entitychooses to exercise the authority. Failure to follow these contingent requirements would then be noncompliance. Furthermore, the mandatory and discretionary provisions together circumscribe the audited entity’s authority. Acting outside this authority would be noncompliance. Testing procedures Once it is determined that the project requires testing for legal compliance, the auditsupervisor should consider the extent of testing to be done. In planning tests of compliance with significant rules and regulations, we assess the risk that illegal acts could occur. That risk may be affected by such factors as the complexity of the laws and regulations or their newness. When assessing risk, we consider whether the entity has controls that are effective in preventing or detecting illegal acts.Our review of the sufficiency of evidence of the effectiveness of these controls will determine the extent of our tests for compliance.The audit supervisor should be alert to situations or transactions that could be indicative of illegal acts. When information comes to attention (through audit procedures, tips, or other means) indicating that illegal acts may have occurred, the auditor supervisor should consider whether the possible illegal acts could significantly affect the audit results. The term noncompliance has a broader meaning than illegal acts. Noncompliance includes not only illegal acts, but also violations of provisions of contracts or grant agreements. Like illegal acts, these other types of noncompliance can be significant to the audit objectives.In IV-5 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) planning tests fornoncompliance, the auditsupervisor considerssuch factors as whether previous audits have shown noncompliance, whether the statutes and rules are difficult to understand, whether there are disincentives for compliance, and whether there are temptations such as large amounts of cash.As part of risk assessment, auditorsexamine whether the audited entityhas adequate control procedures for the activity being studied. This would include assessing management’s monitoring of the activity and other factors. The rationale for the assessment is that even if a statute or rule is highly susceptible to noncompliance, strong controls decrease the likelihood that this will happen. In these cases, only limited testing will be needed and the evaluation can be done quickly. Risk of fraud The auditsupervisor is responsible for assessing risks of fraud occurring that is significant within the context of the audit objectives. The audit supervisorand audit team should be aware of fraud risks, including factors such as individuals’ incentives or pressure to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could allow individuals to commit fraud. Auditors should gather and assess information to identify risks of fraud that are significant within the scope of the audit objectives or that could affect the findings and conclusions. Conditions such as the following might indicate a heightened risk of fraud: • Auditees offer unreasonable explanations to our inquiries. • Auditees are annoyed at our reasonable questions. • Auditees refuse to provide us with records. • Auditees refuse to take vacations or accept promotions. (See GAS 6.30-6.32, and Section III –Planning–of this audit manual) Risk of abuse Abuse is distinct from illegal acts and other noncompliance. Abuse does not necessarily involve fraudornoncompliance with provisions of laws, regulations, contracts, or grant agreements. Because the determination of abuse is subjective, auditors are not required to detect abuse in performance audits. However, as part of a GAGAS audit, if auditors become aware of abuse that could be quantitatively or qualitatively significant to the program under audit, auditors should apply audit procedures specifically directed to ascertain the potential effect on the program under audit within the context of the audit objectives. (See GAS 6.33-6.34, and Section III –Planning –of this audit manual) Reporting of Auditors should report deficiencies in internal control, fraud, noncompliance noncompliance with provisions of laws, regulations, contracts, or grant IV-6 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) agreements, or abuse. For some matters, early communication to those charged with governance or management may be important because of their relative significance and the urgency for corrective follow-up action. Further, when a control deficiency results in noncompliance with provisions of laws, regulations, contracts, or grant agreements, or abuse, early communication is important to allowmanagement to take prompt corrective action to prevent further noncompliance… [GAS 6.78] Should audit supervisors discover possible abuse, fraud or illegal acts, they should notify the auditor immediately. This is particularly important for acts that could result in criminal prosecution. Informing the auditor is the first step in determining whether cases will be referred to law enforcement authorities and whether the project or any part of it should be suspended so as not to disrupt or jeopardize ongoing or potential investigations and legal proceedings. Under some circumstances, laws, regulations, or policies require the auditor to report indications of certain types of illegal acts to law enforcement or investigatory authorities before extending audit steps and procedures. The auditor may withdraw from or defer further work on an audit or a portion of an audit in order not to interfere with an investigation. Even where noncompliance does not incur civil or criminal penalties, the auditor can be helpful in advising the auditsupervisoron how to document noncompliance and on additional testing that may be needed. The audit supervisor is responsible for bringing to the auditor’s attention any matters that may require communicating with the auditedentityor consulting with law enforcement authorities. Handling issues of law Audit supervisors are expected to develop skills in basic legal research. and coordination of legal However, this does not mean that they must be skilled as an attorney. They services must be able to use the charter and ordinances to trace the history of a law and identify potential violations. In reviewing laws, regulations, contracts, and grant agreements as a part of assessing compliance, questions or concerns may arise that need to be resolved by an attorney. When more specialized legal assistance is needed, consultation with the Corporation Counsel should be coordinated through the auditor. Auditors must obtain sufficient, appropriate evidence to provide a Evidence Standards [ reasonable basis for their findings and conclusions.GAS 6.56] for Performance Audits The concept of sufficient, appropriate evidence is integral to an audit. Appropriateness is the measure of the quality of evidence that encompasses its relevance, validity, and reliability in providing support for findings and conclusions related to the audit objectives. In assessing the overall appropriateness of evidence, auditors should assess whether the evidence is IV-7 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) relevant, valid, and reliable. Sufficiency is a measure of the quantity of evidence used to support the findings and conclusions related to the audit objectives. In assessing the sufficiency of evidence, auditors should determine whether enough evidence has been obtained to persuade a knowledgeable person that the findings are reasonable. [GAS 6.57] In assessing evidence, auditors should evaluate whether the evidence taken as a whole is sufficient and appropriate for addressing the audit objectives and supporting findings and conclusions. Audit objectives may vary widely, as may the level of work necessary to assess the sufficiency and appropriateness of evidence to address the objectives. For example, in establishing the appropriateness of evidence, auditors may test its reliability by obtaining supporting evidence, using statistical testing, or obtaining corroborating evidence. The concepts of audit risk and significance assist auditors with evaluating the audit evidence. [GAS 6.58] Professional judgment assists auditors in determining the sufficiency and appropriateness of evidence taken as a whole.Interpreting, summarizing, or analyzing evidence is typically used in the process of determining the sufficiency and appropriateness of evidence and in reporting the results of the audit work. When appropriate, auditors may use statistical methods to analyze and interpret evidence to assess its sufficiency. [GAS6.59] Appropriateness Appropriateness is the measure of the quality of evidence that encompasses the relevance, validity, and reliability of evidence used for addressing the audit objectives and supporting findings and conclusions. Relevance a.refers tothe extent to which evidence has a logical relationship with, and importance to, the issue being addressed. Validity b.refers to the extent to which evidence is a meaningful or reasonable basis for measuring what is being evaluated.In other words, validity refers to the extent to which evidence represents what it is purported to represent. Reliability c.refers to the consistency of results when information is measured or tested and includes the concepts of being verifiable or supported. [GAS 6.60] There are different types and sources of evidence that auditors may use, depending on the audit objectives. Evidence may be obtained by observation, inquiry, or inspection. Each type of evidence has its own strengths and weaknesses. The following contrasts are useful in judging the appropriateness of evidence. However, these contrasts are not adequate in themselves to determine appropriateness. The nature and types of evidence IV-8 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) to support auditors’ findings and conclusions are matters of the auditors’ professional judgment based on the audit objectives and audit risk. a.Evidence obtained when internal control is effective is generally more reliable than evidence obtained when internal control is weak or nonexistent. b.Evidence obtained through the auditors’ direct physical examination, observation, computation, and inspection is generally more reliable than evidence obtained indirectly. c.Examination of original documents is generally more reliable than examination of copies. d.Testimonial evidence obtained under conditions in which persons may speak freely is generally more reliable than evidence obtained under circumstances in which the persons may be intimidated. e.Testimonial evidence obtained from an individual who is not biased and has direct knowledge about the area is generally more reliable than testimonial evidence obtained from an individual who is biased or has indirect or partial knowledge about the area. f.Evidence obtained from a knowledgeable, credible, and unbiased third party is generally more reliable than evidence obtained from management of the audited entity or others who have a direct interest in the audited entity. [GAS 6.61] Testimonial evidence may be useful in interpreting or corroborating documentary or physical information. Auditors should evaluate the objectivity, credibility, and reliability of the testimonial evidence. Documentary evidence may be used to help verify, support, or challenge testimonial evidence. [GAS 6.62] Surveys generally provide self-reported information about existing conditions or programs. Evaluation of the survey design and administration assists auditors in evaluating the objectivity, credibility, and reliability of the self-reported information. [GAS 6.63] When sampling is used, the method of selection that is appropriate will depend on the audit objectives. When a representative sample is needed, the use of statistical sampling approaches generally results in stronger evidence than that obtained from nonstatistical techniques. When a representative sample is not needed, a targeted selection may be effective if the auditors have isolated risk factors or other criteria to target the selection. [GAS 6.64] IV-9 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) When auditors use information provided by officials of the audited entity as part of their evidence, they should determine what the officials of the audited entity or other auditors did to obtain assurance over the reliability of the information. The auditor may find it necessary to perform testing of management’s procedures to obtain assurance or perform direct testing of the information. The nature and extent of the auditors’ procedures will depend on the significance of the information to the audit objectives and the nature of the information being used. [GAS 6.65] Auditors should assess the sufficiency and appropriateness of computer- processed information regardless of whether this information is provided to auditors or auditors independently extract it. The nature, timing, and extent of audit procedures to assess sufficiency and appropriateness is affected by the effectiveness of the audited entity’s internal controls over the information, including information systems controls, and the significance of the information and the level of detail presented in the auditors’ findings and conclusions in light of the audit objectives. The assessment of the sufficiency and appropriateness of computer-processed information includes considerations regarding the completeness and accuracy of the data for the intended purposes. [GAS 6.66] Sufficiency Sufficiency is a measure of the quantity of evidence used for addressing the audit objectives and supporting findings and conclusions. Sufficiency also depends on the appropriateness of the evidence. In determining the sufficiency of evidence, auditors should determine whether enough appropriate evidence exists to address the audit objectives and support the findings and conclusions. [GAS 6.67] The following presumptions are useful in judging the sufficiency of evidence. The sufficiency of evidence required to support the auditors’ findings and conclusions is a matter of the auditors’ professional judgment. a.The greater the audit risk, the greater the quantity and quality of evidence required. b.Stronger evidence may allow less evidence to be used. c.Having a large volume of audit evidence does not compensate for a lack of relevance, validity, or reliability [GAS 6.68] Overall assessment of Auditors should determine the overall sufficiency and appropriateness of evidence evidence to provide a reasonable basis for the findings and conclusions, within the context of the audit objectives. Professional judgments about the sufficiency and appropriateness of evidence are closely interrelated, as IV-10 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) auditors interpret the results of audit testing and evaluate whether the nature and extent of the evidence obtained is sufficient and appropriate. Auditors should perform and document an overall assessment of the collective evidence used to support findings and conclusions, including the results of any specific assessments conducted to conclude on the validity and reliability of specific evidence. [GAS 6.69] Sufficiency and appropriateness of evidence are relative concepts, which may be thought of in terms of a continuum rather than as absolutes. Sufficiency and appropriateness are evaluated in the context of the related findings and conclusions. For example, even though the auditors may have some limitations or uncertainties about the sufficiency or appropriateness of some of the evidence, they may nonetheless determine that intotal there is sufficient, appropriate evidence to support the findings and conclusions. [GAS 6.70] When assessing the sufficiency and appropriateness of evidence, auditors should evaluate the expected significance of evidence to the audit objectives, findings, and conclusions, available corroborating evidence, and the level of audit risk. The steps to assess evidence may depend on the nature of the evidence, how the evidence is used in the audit or report, and the audit objectives. a.Evidence is sufficient and appropriate when it provides a reasonable basis for supporting the findings or conclusions within the context of the audit objectives. b.Evidence is not sufficient or not appropriate when (1) using the evidence carries an unacceptably high risk thatit could lead the auditor to reach an incorrect or improper conclusion, (2) the evidence has significant limitations, given the audit objectives and intended use of the evidence, or (3) the evidence does not provide an adequate basis for addressing the audit objectives or supporting the findings and conclusions. Auditors should not use such evidence as support for findings and conclusions. [GAS 6.71] Evidence has limitations or uncertainties when the validity or reliability of the evidence has not been assessed or cannot be assessed, given the audit objectives and the intended use of the evidence. Limitations also include errors identified by the auditors in their testing. When the auditors identify limitations or uncertainties in evidence that is significant to the audit findings and conclusions, they should apply additional procedures, as appropriate. Such procedures include: IV-11 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) a.seeking independent, corroborating evidence from other sources; b.redefining the audit objectives or limiting the audit scopeto eliminate the need to use the evidence; c.presenting the findings and conclusions so that the supporting evidence is sufficient and appropriate and describing in the report the limitations or uncertainties with the validity or reliability of the evidence, if such disclosure is necessary to avoid misleading the report users about the findings or conclusions; and d.determining whether to report the limitations or uncertainties as a finding, including any related, significant internal control deficiencies. [GAS 6.72] Audit findings normally contain the elements of criteria, condition, and Audit Findings effect, plus cause when problems are found. However, the elements needed for a finding depend entirely on the objectives of the audit. A finding or set offindings is complete to the extent that the audit objectives are satisfied and the report clearly relates those objectives to the finding’s elements. Auditors should plan and perform procedures to develop the elements of a finding necessary to address the audit objectives. In addition, if auditors are able to sufficiently develop the elements of a finding, they should develop recommendationsfor corrective action if they are significant within the context of the audit objectives. The elements needed for a finding are related to the objectives of the audit. Thus, a finding or set of findings is complete to the extent that the audit objectives are addressed and the report clearly relates those objectives to the elements of a finding. For example, an auditobjective may be to determine the current status or condition of program operations or progress in implementing legislative requirements, and not the related cause or effect. In this situation, developing the condition would address the audit objective and development of the other elements of a finding would not be necessary. [GAS 6.73] Auditors should document their audit findings in the working papers by Finding Development Worksheet (see Exhibit IV-A) completing the . Elements of a finding The fourelements of a finding include: Criteria. What should be?What should have happened? Criteria are the laws, regulations, contract requirements, standards, measures, and expectations of what should exist. IV-12 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) Auditors should identify criteria. Criteria represent the laws, regulations, contracts, grant agreements, standards, specific requirements, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated. Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings, conclusions, and recommendations included in the report. Auditors should use criteria that are relevant to the audit objectives and permit consistent assessment of the subject matter. [GAS 6.37] Condition. What is?What’s the problem? Condition is a situation that exists. The condition is determined and documented during the audit. [GAS 6.75] Cause. Why did it happen?What broke down? Cause is the explanation for the deviation between what is (condition) and what should be (criteria). Often the “cause” is a breakdown in internal controls. The cause identifies the reason or explanation for the condition or the factor or factors responsible for the difference between the situation that exists (condition) and the required or desiredstate (criteria), which may also serve as a basis for recommendations for corrective actions. Common factors includepoorly designed policies, procedures, or criteria; inconsistent, incomplete, or incorrect implementation; or factors beyond the control of program management. Auditors may assess whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor or factors contributing to the difference between the condition and the criteria. [GAS 6.76] Effect. What’s the impact?Why should we care? Effect represents the impact of the discrepancy between what is (condition) and what should be (criteria). In analyzing the findings, it is important for auditors to consider materiality and significance which are normally judged by the extent of the adverse effect (e.g., dollars lost, increased risk to the public, etc.) The effect is a clear, logical link to establish the impact or potential impact of the difference between the situation that exists (condition) and the required or desired state (criteria). The effect or potential effect identifies the outcomes or consequences of the condition. When the audit objectives include identifying the actual or potential consequences of a condition that varies (either positively or negatively) from the criteria identified in the audit, “effect” is a measure of those consequences. Effector potential effect may be used to demonstrate the IV-13 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) need for corrective action in response to identified problems or relevant risks. [GAS 6.77] Audit Recommendation. What should be done about it? Auditors make recommendations to correct the deficiency, generally the Recommendations cause. Recommendations can be general or very specific depending on the audit objectives and management’s need for guidance and direction. The auditor is responsible for making effectiverecommendations. Recommendations are effective when they are specific, practical, cost effective, measurable, and addressed to parties whohave theauthority to take corrective action. Management (not the auditor) is responsible for implementing the recommendations. (See Section V: Report Preparation and Distribution –Recommendations) The fieldwork standards related to audit documentation for performance Audit Documentation audits performed in accordance with GAGAS include: Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed, the audit evidence obtained and its source and the conclusions reached, including evidence that supports the auditors’ significant judgments and conclusions. An experienced auditor means an individual (whether internal or external to the audit organization) who possesses the competencies and skills that would have enabled him or her to conduct the performance audit. These competencies and skills include an understanding of (1) the performance audit processes,(2) GAGAS and applicable legal and regulatory requirements, (3) the subject matter associated with achieving the audit [ objectives, and (4) issues related to the audited entity’s environment. GAS 6.79] Auditors should prepare audit documentation that contains evidence that supports the findings, conclusions, and recommendations before they issue their report. [GAS 6.80] Auditors should design the form and content of audit documentation to meet the circumstances of the particular audit. The audit documentation constitutes the principal record of the work that the auditors have performed in accordance with standards and the conclusions that the auditors have reached. The quantity, type, and content of audit documentation are a matter of the auditors’ professional judgment. [GAS 6.81] IV-14 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) Audit documentation is an essential element of audit quality. The process of preparing and reviewing audit documentation contributes to the quality of an audit. Audit documentation serves to (1) provide the principal support for the auditors’ report, (2) aid auditors in conducting and supervising the audit, and (3) allow for the review of audit quality. [GAS 6.82] Auditors should document the following: a.the objectives, scope, and methodology of the audit; b.the work performed and evidence obtained to support significant judgments and conclusions, including descriptions of transactions and records examined (for example, by listing file numbers, case numbers, or other means of identifying specific documents examined, butcopies of documents examined or detailed listings of information from those documents are not required); and c.supervisory review, before the audit report is issued, of the evidence that supports the findings, conclusions, and recommendations contained in the audit report. [GAS 6.83] When auditors do not comply with applicable GAGAS requirements due to law, regulation, scope limitations, restrictions on access to records, or other issues impacting the audit, the auditors should document the departure from the GAGAS requirements and the impact on the audit and on the auditors’ conclusions. This applies to departures from unconditional requirements and from presumptively mandatory requirements when alternative procedures performed in the circumstances were not sufficient to achieve the objectives of the standard. [GAS 6.84] Underlying GAGAS audits is the premise that audit organizations in federal, state, and local governments and public accounting firms engaged to perform audits in accordance with GAGAS cooperate in auditing programs of common interest so that auditors may use others’ work and avoid duplication of efforts. Subject to applicable laws and regulations, auditors should make appropriate individuals, as well as audit documentation, available upon request and in a timely manner to other auditors or reviewers to satisfy these objectives. The use of auditors’ work by other auditors may be facilitated by contractual arrangements for GAGAS audits that provide for full and timely access to appropriate individuals, as well as audit documentation. [GAS 6.85] IV-15 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) Working papers are a record of work we do on a project. They includethe OLAWorking Paper administrative materials maintained by the auditsupervisorand the Standards evidencecollected and developed by audit staff during the project. They maytake the form of documents, interview notes, analyses, tapes, films, computerjump drives, and other materials. working papers The office uses the term as: Each document or piece of evidence; The summaries and analyses of these documents; and The body of compiled evidence. Audit standards stipulate that working papers should contain: The audit’s objectives, scope, and methodology, including sampling criteria used; Documentation of the work performed to support significant findings and conclusions; and Evidence of supervisory review of the work performed. Working papers should be supported, cross-indexed, and tied to underlying documents and source data that allow independent readers to replicate the audit methodology and verify the accuracy and reliability of the evidence used to support audit findings and conclusions. Office Working Paper Standard:Evidence Our office working paper standards require thatarecord of the auditors’ work be retained in the form of working papers. Working papers should contain sufficient information to enable an experienced auditor having no previous connection with the audit to ascertain from them the evidence that supports the auditors’ significant findings and conclusions. Office Working Paper Standard:Appropriateness of Evidence Our office working paper standards require working papers to be clear and understandable without supplementary oral explanations. Adequate working paper support for a finding demandsthat all required development steps be performed. For example, when determining the effects of a deficiency, auditors must sufficiently demonstrate support for conclusions through computations, comparisons, testimony, agency documentation, internal review reports, or other appropriate sources. Auditors should Finding Development document their audit findings by completing the Worksheet (see Exhibit IV-A) . IV-16 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) Auditors should ensure that working papers and related information accumulated while developing a specific finding have direct bearing on the finding and related recommendations. This requirement does not exclude making appropriate observations for consideration in other areas or noting potential problem areas. However, staff should avoid indiscriminately accumulating papers and documents which may be related to the subject but have no potential bearing on the finding. Office Working Paper Standard:Sufficiency of Evidence Our office working paper standards require auditors to ensure that underlying audited entity data and all corroborating information are available to our audit team. Auditors must make effective use of corroborating data such as contracts and minutes of meetings; confirmations and other written representations by knowledgeable people; information obtained from inquiry, observations, inspections, and physical examination; and any other information which enables the team member to reach conclusions. Auditors may find it useful to obtain from officials of the audited entity written representations concerning the competence of the evidence they obtain. Written representations ordinarily confirm oral representations given to auditors, indicate and document the continuing appropriateness of such representations, and reduce the possibility of misunderstanding concerning the matters that are the subject of the representations. While GAGAS suggests some discretion as to when representation letters should be obtained, office policy is to require them only when conflicting oral testimony cannot be confirmed or documented through other physical or documentary evidence and such testimony is essential to support the audit findings. Office Working Paper Standard: Evidence from Computer-Based Systems. There may be a need to test evidence from computer-based systemsfor validity and reliability. The nature and extent of such tests depend on how auditorsintend to use the data—for background information, as a tool for audit planning, or as support for findings.If auditorsuse the data for background or informationalpurposes and thedata are not significant to the audit findings, then citing the source of the data and stating that thedatawere not verified will satisfy the reporting standards for accuracy and completeness. If auditorsuse the data for planning purposes only (and not in the report), then verification is not needed. The GAO guide, Assessing the Reliability of Computer-Processed Data, July 2009, provides guidance on the following key steps:1) determining how computer-based data will be used and how they will affect the audit objectives;2) finding out what is known about the data and the system that IV-17 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) produced them;3) obtaining an understanding of relevant system controls, which can reduce risk to an acceptable level;4) testing the data for reliability; and5) disclosing the data source and how data reliability was established or qualifying the report if data reliability could not be established. We follow the GAGAS guideline that auditors should obtain sufficient and appropriate evidence that computer-processed data are valid and reliable when those data are significant to the auditors’ findings. When the reliability of a computer-based system is the primary objective of the audit, the auditors should conduct a review of the system’s general and application controls. This work is necessary regardless of whether the data are provided to auditors or the auditors independently extract them. Auditors should determine if other auditors have worked to establish the validity and reliability of the data or the effectiveness of the controls over the system that produced the data. If they have, auditors may be able to use that work. If not, auditors may determine the validity and reliability of computer- processed data by direct tests of the data. Auditors canreduce the direct tests of the data if they test the effectiveness of general and application controls over computer-processed data, and these tests support the conclusion that the controls are effective.Audit staff may need to call on outside expertisein assessing the reliability of computer-based data. The audit supervisor should notify the auditor if outside expertise is required to assess the reliability of computer-based data. Office Working Paper Standard: Overall Assessment of Evidence If, afteran assessment of evidence, there is concern about the overall sufficiency and appropriateness of evidence to provide a reasonable basis for significant audit findings and conclusions within the context of the audit objectives, auditors mayapply alternativeprocedures to obtain additional evidence, redefine the audit objectives, or revise the findings and conclusions, if necessary.Any application of alternativeprocedures, redefinition of the audit objectives, or revision of the findings and conclusionsshould be documented in the working papers. Office Working Paper Standard:Audit Documentation Our office working paper standards require that fieldwork tasks be documented in the working papersas they relate to the audit objectives, scope, and methodology. The audit supervisor must evaluate the materials gathered, identify substantive issues, assess the validity and significance of the information, and as appropriate, summarize the work donein order to ensure support for significant findings,conclusions, and recommendations. The audit supervisor reviews all working papers generated by team members, and initials and dates the first page of each working paper as evidence of supervisory review. The audit supervisor also datesand indexesthe working papers to the Workplan as tasks are completed. IV-18 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) The three main purposes ofworking papers are: OLA Working Paper Policies and 1.To support theinformation presented in the written report, Procedures especially the findings andrecommendations(see Exhibit IV-A: Finding Development Worksheet); 2.To help the auditsupervisorand auditormanage thework of a project;and 3.To allow others to review the audit’s quality. Used to manage and supervisea project, working papers: • Document progress towards achieving project objectives and showing the work done, data collected, and methods used; • Assist auditsupervisors in monitoring the work and ensuring that it isaccurateand timely; • Assistin planning for and carrying out subsequent assignments; • Help the auditsupervisororganize materials; and • Facilitate report preparation. As supporting evidence and to allow for the review of audit quality, working papers: • Demonstrate that the project was performed in accordance with GAGAS,or document departures from GAGAS requirements and their impact on the audit and auditors’ conclusions; • Demonstrate that the findings and recommendations in a reportare based on facts and are reasonably concluded from theevidence(see Exhibit IV-A: Finding Development Worksheet); • Defend the project against criticism and litigation; and • Enhance the credibility of the office. Types of working papers There are two main types of working papers that are produced and maintained during the course of an audit: IV-19 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) Interviews: Interviews are an important source of data collection for audits. As used in this audit manual, interviews include face-to-face meetings, email responses, and telephone conversations where information is obtained for the audit. Audit team membersprepare typed recordsof face-to-face and telephone interviews as soon after the interviewsas possible and include themin the working papers. Printed copies of email responses can serve as a record of an email interview. Documents: The major portion of working papers consists of documents. Primary source documents (e.g., copiesof the audited entity’s actual ledgers, rules, datafiles, transcripts of meetings) and secondary source documents (e.g., summaries of data files, newspaper clippings, annual reports, lengthy source documents). How evidence is documented in the working papers varies by the type of work performed. The main point is to describe the records examined so that an experienced auditor would be able to examine the same records, noting, for example, file or case numbers. Copies of the documents themselves need not always be included. Working papers may include originals or copies of requests for proposals, contracts, subcontracts, amendments, change orders, drawings, blueprints, schematics, books and records, meeting minutes, reports, correspondence, memoranda, spreadsheets, payrolls, time records, time cards, checks, orders, invoices, vouchers, bills, receipts, papers, accounting records, and other materials and information, whether stored on paper or electronically, pertaining to a county program or project. If computer processed data is relied upon, its reliability must be assessed. Textbooks and other lengthy material used for general background (and not specifically quoted or referenced in the report) need not bepart of the final working papers. Instead, a bibliographic citation or a copy of excerpted material may be used. Care should be taken to balance the need to document the facts and project parameters required by the audit standards versus the need to expedite such documentation efforts and deliver the audit in a timely fashion. The production of working papers begins with the background research conducted for the risk assessment and the planning stage, continues through fieldwork, and is organized during the report preparation and project closure phases. The organization of working papers ties together all the work done for a project. Anyone reviewing the working papers should be able to grasp what was done, why it was done, and how the findings and recommendations in the audit report are justified. When consultants are engaged, working papers are also required to be prepared and organized, and access to the working papers must be provided to ensure that the consultants have gathered evidence that is appropriate and sufficient to support the findings and recommendations made. IV-20 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) Interviews Much of the information regarding the operation of county programs is not available in written form.It is also the case that written information is often more expeditiously understood by obtaining explanation by those directly familiar with it. In order to gathersuch information, interviews must be performed. Interviews may be in person, conducted over the telephone, or through email, and may be with county officials or with members of the community.In order to be useful, the interview must take place in as confidential and neutral a setting as possible, and interview statements must be recorded accurately.The success of an interview greatly depends on how well preparations were made. The purpose of an interview should be to clarify, expand, interpret, explain, and obtain information not otherwise available.It should notbe used to gain initial familiarity with the subject. That is a waste of time for both the auditorsand the interviewee.Reference sources regarding the topic should be reviewed to become as knowledgeable as possible before the interview. That way, inconsistencies between the reference information and the interviewee’s statements can be identified and resolved. Although some interview statements may be used verbatim and quoted in the auditreport, in most cases, the statements must be corroborated by other means. Corroboration may be through observation, researching documents, or by follow up interviews with other persons who are authoritative sources. Preparing for the Interview Beforeconducting an interview, the auditteampreparesinterview questions and reviews them with the auditor to ensure that the audit objectives are addressed. The following guidelines apply to the development of interview questions: • Keep questions short, address only one topic at a time, be precise, and use language that is easily understood. • Frame questions in non-judgmental terms.Similarly, avoid leading questions. • Avoid asking questions for which the answer is obvious or can readily be found in available reference sources. • Frame questions to require a narrative response rather than a “yes” or “no” answer. • Be mindful of the length of the questionnaire. • Organize the questions in a logical sequence. IV-21 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) • Save controversial questions for the end. An appointment should be made to conduct the interview.By calling for an appointment, the auditsupervisor can introduce him or herself, clarify who will be participating in the interview, explain why the interview is requested, and state what will be covered. Ifpossible, the interview should be held in the interviewee’s officeormeeting room, or in a neutral site. It is also helpful to provide the interviewee with a copy of the questions to assist in gathering materials necessary for the response. However, requestsby the audited entityfor copies of interview notes will not be granted, since interview questions with responses noted are confidential working papers during the conduct of the audit. The protocol for arranging interviews should be decided in the entrance conference or shortly thereafter. Conducting the Interview Sensitive interviews or interviews on detailed and complex subjects are best conducted in pairsor teams.The auditsupervisor is primarily responsible for developing and asking the questions and writing up the interview notes afterward. The role of auditteam membersis to listen carefully, help to record the responses, and follow up on inconsistencies, ambiguities, and promising new avenues of exploration as they arise.The interjections of other team membersprovide welcome relief to the interview leader, who can use the break to refocus on the progress of the interview and upcoming question. The auditteam should arrive for the interview on time.The interviewee should be thanked for taking time for the appointment. The audit supervisor begins by introducing auditteammembers, explaining the objectives of the audit, explaining the purpose of the audit interview, and assuring the interviewee that the results of the interview will be kept confidential. The elements of the findings planned for the audit may also be explained.If the interviewee asks that particular remarks be kept off the record, the audit supervisorand teammembers should stop taking notes; however, keep in mind that the information then cannot be used as evidence. When asking the prepared questions, demonstrate your interest in the interviewee’s statements by listening actively.It is helpful to occasionally restate or summarize your understanding of the interviewee’s remarks to confirm your understanding.The auditteamshould ensure that the questions are fully answered. This may require several restatements of the question or of the given response.Finally, while having questions prepared in advance is essential, keep in mind that flexibility during the interview is also important to identify and respond to new issues raised in the interviewee’s statements.Thus, the audit supervisorshould listen carefully to the interviewee’s responses, determining whether questions are answered completely while avoiding asking a question already answered by a IV-22 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) previous response. This is difficult for an interviewerto do alone, which is why interviewing in pairs or teams is recommended for sensitive or complex topics.At the close of the interview, be sure to thank the interviewee and ask if follow up questions can be made by telephone. Returning back to the office, it is useful for the audit supervisorand team members to evaluate how well the interview went, whether all of the questions were asked and adequately responded to, and whether any new leads or issues were raised. The audit supervisorshould ensure that new leads or issues are documented in the interview notes.Interview notes should be drafted as soon as possible after the meeting while everyone’s memory is still fresh. The draft interview notes shouldbe reviewed for accuracy and completeness by audit teammembers.Since statements in an interview usually require corroboration, the audit supervisorshould also conduct appropriate research to obtain such information as soon as possible. Documenting the Interview Auditors prepare a record of interviews (including telephone) as soon after the interviews as possible. Handwritten interview notes may be attached to the record if the audit supervisor requests and become part of the permanent working papers.Each interview record contains the following information: • Date and place of interview. • Time interview began and ended. • Name, position, organization, and telephone number of interviewee, and others present at the interview. • Name(s) of interviewer(s). • Purpose of interview. • Audit supervisor’s and team members’ judgments, comments, and working paper cross-references, where appropriate. Sampling This section discusses the use of sampling tools in performance audits.It also identifies the differences between “probability” and “nonprobability” sampling, and describes how samples can be used. Definitions In general, there are two types of samples: probability samples and nonprobability samples. IV-23 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) probability sample(random sample) Ais selected in such a way that each item or person in the population has a known chance of being included in the sample.Thus, every item or person has a chance of being selected. There are various types of probability samples. Each involves some method of selecting an item or person on a random basis.These methods are sometimes collectively referred to as random samples.For ease of reference and consistency, the remaining section of this audit manual will use the term “random sample” for any type of probability sample. nonprobability sample(judgment sample) In a not all items or persons have an equal chance of being selected. The person or item in the sample is selected based on the judgment or convenience of the person conducting the audit. Thus, these types of samples are referred to as judgment samples or convenience samples. The results of these types of samples may be biased, meaning results may not be representative of the population. All types of nonprobability samples will be called judgment samples in the remaining section of this audit manual. population Ais every object or person under consideration. sample Ais a part orsubset of the population. Reasons for Sampling Generally, samples are selected when it is not necessary or not possible to measure or test the entire population of interest.In some cases, it is impossible to check all items.In other cases, it is too costly or too time consuming to do so. Practically speaking, it is usually not possible to examine every transaction or record. In most cases, a study of the entire population is not necessary to meet the objectives of the audit. In order to determine whether to use a random sampleor a judgment sample, the auditsupervisor needs to know how information from the sample will be used. If the audit team member needs to make a statement about the entire population of interest, then a random sample is definitely needed. If no statementor description of the population is needed, then a random or a judgment sample can be used. The auditsupervisor should understand that the results of a judgment sample describe the sample only. Such results cannot be used to make a statement about the population. Auditing standards for performance audits also require adequate professional competency, statistical sampling skills as necessary, due professional care, and a clear explanation of the evidence gathering and analysis techniques used in the audit.Information on statistical sampling and analysis techniques should bedisclosed in the scope and methodology section of the audit report. IV-24 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) Approaches to Sampling Sampling serves several purposes in auditing: Attributes sampling: The most common purpose is to provide an estimate of the population. If the auditsupervisor wishes to count the frequency of an event or an item, the auditsupervisor is engaged in attributes sampling. Examples include counting errors versus non-errors in a transaction, improperly completed requisitions, and the number of clients who have received health care within the past month. With attributes sampling, the auditsupervisor answers questions about “how many.” Variables sampling: Sometimes the audit team member wishesto estimate the average and/or total value of items in the population.In these cases, the auditsupervisor may measure the dollar value of inventory, the average length of time to fill out a requisition, or the number of overtime hours in a given time period. When conducting such measurements the auditsupervisor is engaged in variables sampling. Random samples Properly constructed random samples enable the auditsupervisor to review considerably less than the entire population of interest while allowing for a projection of sample results with given degrees of confidence to the population. In addition: • Sample results are objective and defensible. • An estimate of the sampling error can be determined. • The results can be replicated by another auditor. • The reliability of the results can be computed and expressed in numerical terms. There are several types of random samples. Use of a particular type of random sample may depend on the audit purpose, cost considerations, access to data, population size and complexity, etc.The following are four types of random samples: Simple random sample: This is the most common type of random sample, but may be more costly or less efficient than other random sample methods. All items in the population have the same chance of being included in the sample. Systematic random sample: Items or individuals in the population are arranged in some way, such as alphabetically, by date, or by some other method. A random starting point is selected, and then every kth member of the population is selected for the sample.This method ensures that there is IV-25 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) an even spread of the sample across the entire population, if there is any pattern in the population. Stratified random sample: The population is divided into subgroups called strata,and a sample is selected from each subgroup. Either a proportional or a non-proportional sample can be selected. A proportional sample procedure requires that the number of items chosen from each stratum be in the same proportion as in the population. In a non- proportional stratified sample, the number of items chosen may be disproportionate to the population.Stratified random samples ensure that items from each subgroup are included in the sample. Cluster samples: This involves dividing the population into clusters or groups, selecting a sample of those groups, and then selecting a sample of items or persons from the selected sample groups. Judgment samples Judgment samples can be used when random samples are not necessary. For example, an auditsupervisor may not need to mathematically project results to the population, but may simply be interested in evaluating a process or determining if all phases of the process are operational. A few items selected on a judgmental basis may be sufficient to provide feedback on whether system activities are functioning.Judgment samples may also be used to provide an indication of the need to proceed with a random sample in fieldwork. Documenting sampling procedures Sampling procedures are part of the working papers.Regardless of the type of sample selected, the auditsupervisor should document in the working papers:procedures used to determine the sample size, type of sample method used, how the sample was chosen, sample results, and pertinent characteristics(such as the universe of items cannot be determined)and, if appropriate, how the results project to the population of interest. Preparation ofWorking Working papers should: Papers • Contain adequate indexing and cross-referencing, schedules, and summaries. • Be dated and initialed by the prepareron the upper right hand corner of the first page of each working paper. • Be reviewed and initialed by the auditsupervisorwiththe date of review noted,as well as indexed and dated by the audit supervisor to the Workplan as tasks are completed. IV-26 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) • Be complete and accurate to provide proper support forfindingsand recommendations to demonstrate thenature and scope of work conducted(see Exhibit IV-A: Finding Development Worksheet). • Where appropriate, auditors’ judgments, comments, and conclusions that may be helpful in developing findings and recommendations should be placed on the working paper in an appropriate location. • Be understandable without oral explanations, complete and yet concise. Users should be able to readily determine theirpurpose, data sources, the nature and scope of the workconducted, and the preparer’s conclusions. • Be as legible and neat as practicableto maintain their worth as evidence. • Be restricted to matters that are significant and relevant to the objectives of the assignment. Orientation of working papers Auditors should generally prepare working papers on standard sizepaper (8½” X 11”).Tofacilitate review of working papers, all non-standard size paper, such aslegal size spreadsheets or computer generated printouts, should be filed,as practical, in portrait presentation.If possible, all non- standard size paper shouldbe attached to a stiff folder type backing and folded to match theborders of a standard letter size paper.Lengthy documents (journal articles, book chapters, etc.) that bear theirown pagination need not be repaginated when indexing them. In thesecases, only the first page of the document needs to be initialed and dated, with the additionalnumber of pagesindicated.While filing working papers into project binders, prepare index tabs for only major sections or sub-sections. Spreadsheets Computerized or manual spreadsheets may be used to keep track ofvarious parts of a project, analyze or summarize information, or record operations or transactions. Generally, spreadsheets have alogical structureand are readable and complete. Auditors reference information to the source of the data,and whenever possible,attach theraw data to the spreadsheet and describe the methodology forsummarizing or analyzing the data. Summaries Summaries of work performed and conclusions reached are prepared as needed. Summaries serve three primary purposes: 1.To analyze the materials collected and summarize the work done. IV-27 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) 2.To synthesize the evidence used to support and build the audit findings andprovide an analysis of the materials reviewed. 3.To facilitate review of evidence supporting the draft report. Summaries are developed to fulfill the objectives of the audit and thesteps in the Workplan. They describe the work done, methodologyused, and the audit team’s conclusions.They tietogether related documents or tasks and explain the work that was done.Examples are summaries of legislative history, plans, programs, budgetsand expenditures;content analysis of a number of interviews;and resultsof surveys, or reviews of files.The types and numbers of summaries are determined by the nature of theproject and the judgment of theauditsupervisor.Summaries areprepared on an ongoing basis as work is completed, but are limited to matters that are significant and relevant to the audit. Ideally, summaries should have supporting working papersattached to them.Like other working papers, summaries should have the appropriate preparer’s initials and date of preparation. Notes or memos to the file are brief summaries that inform the reviewer quickly of work done or highlight information in a working paper or important issues or conclusions reached. They may be notes written on the working paper or on a separate sheet. Multi-use working papers A particular working paper may document work completed underseveral objectives,or be used as evidence for more than one statement inthe Audit Plan, findings and recommendations, or draftreport. Tying Working Papers to Working papers verify that all planned steps in the project have been Workplan carried out: The audit supervisor initials and datesthe first page of each working paperto verify that planned tasks have been completed. The audit supervisor also indexes and dates the working papers to the Workplan as tasks are completed. For any planned task that is not carried out, the audit supervisor can simply note or prepare a working paper to document and explain the reasons for not completing the task, and the auditor initials the working paper to document approval. Any changes that require significant changes to the Workplan must be approved by the auditor. Working papers also substantiate the adequacy of the methodology used in the project, such as documentation of sampling procedures discussed above. Working papers document physical IV-28 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) evidence such as photographs, and auditors utilize working papers to corroborate evidence and add information needed to create an audit trail. Security of Working The GAGAS evidence standard for performance audits requires establishing Papers policies and procedures for preparing working papers, supporting the findings and conclusions in the report through evidence contained in the working papers, and ensuring the safe custody and retention of working papers for a time sufficient to satisfy legal, regulatory, and administration requirements for records retention.During the course of a project, the audit supervisorand team members areresponsible for the safe custody of working papers. These materialsmust be protected from theft or destruction and be accessible only toauthorized persons.Asneeded, sensitive or confidential materials may be placed in lockedcabinets. In order to safeguard their data, auditors should back up theircomputer data files to an external hard drive and/orjump driveas necessary. Disclosure ofWorking GAGAS standards state that the audit organization should developpolicies Papers to dealwith requests by outside parties to obtain access to audit documentation, especially when an outside party attemptsto obtain information indirectly through the auditor rather than directly from the audited entity. In developing such policies, audit organizations should determine what laws and regulations apply, if any.The office’s policy is that requests from outside the office for access to working papers, both before and after publication of the project report, should be directed tothe auditor. The decision whether to provide access to working papers on request requires considerable judgment and involves weighing applicable lawsthat govern what materials may be shared and with whom, policy considerations, and the best interests of the office.Guidelines andopinions from the County Corporation Counsel and State Office of Information Practices (OIP) as to whatmay be released and appropriate procedures for releasing information(such ashow to segregate confidential material) may also be considered. In the course of a project, auditorsmay obtain information whoserelease would be improper and could have serious consequences bothlegal and personal.This could includepersonal healthinformation, certain personnel records, and other types of information inwhich an individual has a significant privacy interest. Highly sensitivedocuments such as health records are best left with the agency beingaudited. If this is not feasible, the auditsupervisorshould secure theinformation in ouroffice during the audit and discuss its disposition withtheauditorprior to project closure. IV-29 Section IV:Fieldwork and Testing (Yellow Book 2011Revision) Under certain circumstances during the course of a project, the audit supervisormay wish to share some evidence with officials of the audited entityorothers: for example, to confirm its reliability or to obtain their perspectives. In doing so, great care must be taken not to violate confidences or confidentiality. For example, notes of interviews with audited entitystaff are not to be shared with officials of the audited entity, and privatepersonnel-related information must be carefully protected.The auditsupervisorshould bring questions on such matters to the attention of theauditorto obtain guidance. PreliminaryAudit At the conclusion of fieldwork,the auditsupervisorprepares a summary of Findings and preliminary findings andrecommendations for review by the auditor. The Recommendations summary ofpreliminary findings and recommendations restates the project objectives; describes applicable findings and recommendations from previous reports; summarizes the present findings; provides details including the elements of each findingand the key supporting evidence;and summarizes each recommendation. The auditsupervisor and audit team then meet with the auditor to reach agreement on the mainissues tobe discussed, the findings to be formulated, the recommendations to bemade, and the adequacy of evidence to be presented in drafting thereport. As needed, the auditsupervisorrevises the summary of preliminaryfindings and recommendations based on the meeting and submits itto theauditor for approval. Report Outline During the development of the preliminary findings andrecommendations, and prior to the writing of the draft report, the auditsupervisoralso prepares a Report Outline for the auditorto review. The Report Outline shows the organization of the draft report by backgroundmaterial (including project objectives), findings, supporting evidence, andrecommendations. The Report Outline is generally organized andstructured by the respective report headings and guides the writing of theofficedraft. The summary of findings and the recommendations in theReport Outline should be written out in full text.The Report Outline is reviewed along withthe preliminary findings and recommendations and approved by the auditor as a combineddocument. IV-30 Section V Report Preparation and Distribution The office strives for audit reports of high quality in form, content, and Introduction presentation in order to satisfy the needs of our readers.Before being issued in the name of the auditor, all drafts of audit reports go through an extensive review,and the final product is the result of the combined efforts of many people, including staff auditors,audit supervisors,independent report reviewers or verifiers, the administrative assistant to the auditor,and the auditor.This section contains the policiesand instructions that apply in the development and distribution of our audit reports and incorporates the GAGAS reporting standards for performance audits. The reporting standard related to report quality for performance audits Report Quality performed in accordance with GAGAS provides that: Elements The auditor may use the report quality elements of timely, complete, accurate, objective, convincing, clear, and concise when developing and writing the audit report as the subject permits. [GAS A7.02] Accurate An accurate report is supported by sufficient, appropriate evidence with key facts, figures, and findings being traceable to the audit evidence. Reports that are fact-based, with a clear statement of sources, methods, and assumptions so that report users can judge how much weight to give the evidence reported, assist in achieving accuracy. Disclosing data limitations and other disclosures also contribute to producing more accurate audit reports. Reports also are more accurate when the findings are presented in the broader context of the issue. One way to help audit organizations prepare accurate audit reports is to use a quality control process such as referencing. Referencing is a process in which an experienced auditor who is independent of the audit checks that statements of facts, figures, and dates are correctly reported, that the findings are adequately supported by the evidence in the audit documentation, and that the conclusions and recommendations flow logically from the evidence. [GAS A7.02a] Objective Objective means that the presentation of the report is balanced in content and tone. A report’s credibility is significantly enhanced when it presents evidence in an unbiased manner and in the proper context. This means presenting the audit results impartially and fairly. The tone of reports may encourage decision makers to act on the auditors’ findings and recommendations. This balanced tone can be achieved when reports present sufficient, appropriate evidence to support conclusions while V-1 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) refraining from using adjectives or adverbs that characterize evidence in a way that implies criticism or unsupported conclusions. The objectivity of audit reports is enhanced when the report explicitly states the source of the evidence and the assumptions used in the analysis. The report may recognize the positive aspects of the program reviewed if applicable to the audit objectives. Inclusion of positive program aspects may lead to improved performance by other government organizations that read the report. Audit reportsare more objective when they demonstrate that the work has been performed by professional, unbiased, independent, and knowledgeable staff. [GAS A7.02b] Complete Being complete means that the report contains sufficient, appropriate evidence needed to satisfy the audit objectives and promote an understanding of the matters reported. It also means the report states evidence and findings without omission of significant relevant information related to the audit objectives. Providing report users with an understanding means providing perspective on the extent and significance of reported findings, such as the frequency of occurrence relative to the number of cases or transactions tested and the relationship of the findings to the entity’s operations. Beingcomplete also means clearly stating what was and was not done and explicitly describing data limitations, constraints imposed by restrictions on access to records, or other issues. [GAS A7.02c] Convincing Being convincing means that the audit results are responsive to the audit objectives, that the findings are presented persuasively, and that the conclusions and recommendations flow logically from the facts presented. The validity of the findings, the reasonableness of the conclusions, and the benefitof implementing the recommendations are more convincing when supported by sufficient, appropriate evidence.Reports designed in this way can help focus the attention of responsible officials on the matters that warrant attention and can provide an incentive for taking corrective action. [GAS A7.02d] Clear Clarity means the report is easy for the intended user to read and understand.Preparing the report in language as clear and simple as the subject permits assists auditors in achieving this goal. Use of straightforward, nontechnical language is helpful to simplify presentation. Defining technical terms, abbreviations, and acronyms that are used in the report is also helpful. Auditors may use a highlights page or summary within the report to capturethe report user’s attention and highlight the overall message. If a summary is used, it is helpful if it focuses on the specific answers to the questions in the audit objectives, summarizes the audit’s most significant findings and the report’s principalconclusions, and V-2 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) prepares users to anticipate the major recommendations. Logical organization of material, and accuracy and precision in stating facts and in drawing conclusions assist in the report’s clarity and understanding. Effective use of titles and captions and topic sentences makes the report easier to read and understand. Visual aids (such as pictures, charts, graphs, and maps) may clarify and summarize complex material. [GAS A.702e] Concise Being concise means that the report is not longer than necessary to convey and support the message. Extraneous detail detracts from a report, may even conceal the real message, and may confuse or distract the users. Although room exists for considerable judgment in determining the content of reports, those that are fact-based but concise are likely to achieve results. [GAS A7.02f] Timely To be of maximum use, providing relevant evidence in time to respond to officials of the audited entity, legislative officials, and other users’ legitimate needs is the auditors’ goal. Likewise, the evidence provided in the report is more helpful if it is current. Therefore, the timely issuance of the report is an important reporting goal for auditors. During the audit, the auditors may provide interim reports of significant matters to appropriate entity officials. Such communication alerts officials to matters needing immediate attention and allows them to take corrective action before the final report is completed. [GAS A7.02g] The policy of the office is to communicate the results of its work to the ReportingStandards council, countyofficials, and interested members of the public.The GAGAS reporting standards require that work be communicated in a report—written or in some other retrievable form: Auditors must issue audit reports communicating the results of each completed performance audit.[GAS7.03] Auditors should use aform of the audit report that isappropriate for its intended use and is in writing or in some other retrievable form. For example, auditors may present audit reports using electronic media that are retrievable by report users and the audit organization.The users’ needs will influence the form of the audit report. Different forms of audit reports include written reports, letters, briefing slides, or other presentation materials. [GAS 7.04] The purposesof audit reports are to(1) communicate the results of audits to those charged with governance, the appropriate officials of the audited entity, and the appropriate oversight officials;(2) make the results less V-3 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) susceptible to misunderstanding;(3) make the results available to the public, unless specifically limited; and(4)facilitate follow-up to determine whether appropriate corrective actions have been taken.[GAS7.05] If an audit is terminated before it is completed and an audit report is not issued, auditors should document the results of the work to the date of termination and why the audit was terminated. Determining whether and how to communicate the reason for terminating the audit to those charged with governance, appropriate officials of the audited entity, the entity contracting for or requesting the audit, and other appropriate officials will depend on the facts and circumstances and, therefore, is a matter of professional judgment.[See GAS 7.06 and 6.50] If, after the report is issued, the auditors discover that they did not have sufficient, appropriate evidence to support the reported findings or conclusions, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the organizations requiring or arranging for the audits, and other known users, so that they do not continue to rely on the findings or conclusions that were not supported. If the report was previously posted to the auditors’ publicly accessible website, the auditors should remove the report and post a public notification that the report was removed. The auditors should then determine whether to conduct additional audit work necessary to reissue the report, including any revised findings or conclusions or repost the original report if the additional audit work does not result in a change in findings or conclusions. [GAS 7.07] The reporting standard related to the contents of the report for performance Report Contents audits conducted in accordance with GAGASprovides that: Auditors should prepare audit reports that contain: (1)the objectives, scope, and methodology of the audit; (2)the audit results, including findings, conclusions, and recommendations, as appropriate; (3)astatement about the auditors’ compliance with GAGAS; (4)asummary of the views of responsible officials; and, (5)if applicable, the nature of any confidential or sensitive information omitted.[GAS7.08] V-4 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) Objectives, Scopeand Auditors should include in the report a description of the audit objectives Methodology and the scope and methodology used for addressing the audit objectives. Report users need this information to understand the purpose of the audit, the nature and extent of the audit work performed,the context and perspective regarding what is reported, and any significant limitations in audit objectives, scope, or methodology.[GAS7.09] Audit objectives for performance audits may vary widely.Auditors should communicate audit objectives in the audit report in a clear, specific, neutral, and unbiased manner that includes relevant assumptions.When audit objectives are limitedbutbroader objectives couldbe inferred by users, auditors should state in the audit report that certain issues were outside the scope of the audit in order toavoid potential misunderstanding.[GAS7.10] Auditors should describe the scope of the work performed and any limitations, including issues that would be relevant to likely users, so that they could reasonably interpret the findings, conclusions, and recommendations in the report without being misled. Auditors should also report significant constraints imposed on the audit approach by information limitations or scope impairments, including denials or excessive delays of access to certain records or individuals.[GAS7.11] In describing the work conducted to address the audit objectives and support the reported findings and conclusions, auditors should,as applicable, explain the relationship between the population and the items tested; identify organizations, geographic locations, and the period covered; report the kindsand sources of evidence; and explain any significant limitations or uncertainties based on the auditors’ overall assessment of the sufficiency and appropriateness of the evidence in the aggregate.[GAS 7.12] In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence gathering and analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditorsaddressed the audit objectives. Auditors may include a description of the proceduresperformed as part of their assessment of the sufficiencyand appropriateness of information used as audit evidence.Auditorsshould identify significant assumptions made in conducting the audit;describe comparative techniques applied; describe the criteria used;and, when sampling significantly supports auditors’ findings, conclusions,or recommendations, describe the sample design and state why thedesign was chosen, including whether the results can be projected to the intended population.[GAS7.13] V-5 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) Findings In the audit report, auditors should present sufficient, appropriate evidence to support the findings and conclusions in relation to the audit objectives. Clearly developed findingsassist management andoversight officials of the audited entity in understanding the need for taking corrective action.If auditors are able to sufficiently develop the elements of a finding, they should provide recommendations forcorrective action if they are significant within the context of the audit objectives. However, the extent to which the elements for a finding are developed depends on the audit objectives. Thus, a finding or set of findings is complete to the extent that the auditors address the audit objectives.[GAS7.14] Auditors should describe in their report limitations or uncertainties with the reliability or validity of evidence if (1) the evidence is significant to the findings and conclusions within the context of the audit objectives and (2) such disclosure is necessary to avoid misleading the report users about the findings and conclusions…[E]ven though the auditors may have some uncertainty about the sufficiency or appropriateness of some of the evidence, they may nonetheless determine that in total there is sufficient, appropriate evidence given the findings and conclusions. Auditorsshould describe the limitations or uncertainties regarding evidence inconjunction with the findings and conclusions, in addition to describingthose limitations or uncertainties as part of the objectives, scope, andmethodology. Additionally, this description provides report users with aclear understanding regarding how much responsibility the auditors aretaking for the information.[GAS7.15] Auditors should place their findings in perspective by describing thenature and extent of the issues being reported and the extent of the workperformed that resulted in the finding. To give the reader a basis forjudging the prevalence and consequences of these findings, auditorsshould, as appropriate, relate the instances identified to the population orthe number of cases examined and quantify the results in terms of dollarvalue, or other measures.If the results cannot beprojected, auditors should limit their conclusions appropriately.[GAS7.16] Auditors may provide selective background information to establish the context of the overall message and to help the reader understand the findings and significance of the issues discussed.Appropriate background information may include information on how programs and operations work; the significance of programs and operations (e.g., dollars, impact, purposes, and past audit work, if relevant);a description of the audited entity’s responsibilities; and explanation of terms, organizational structure; and the statutory basis for the program operations. When reporting on the results of their work, auditors should disclose significant facts relevant to the objectives of their work and known to them which, if not disclosed, could mislead knowledgeable users, misrepresent the results, or conceal V-6 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) significant improper or illegal practices.[GAS7.17] Auditors should also report deficiencies in internal control, instances of fraud, noncompliance with provisions of laws, regulations, contracts, or grant agreements, or abuse that have occurred or are likely to have occurred and are significant within the context of the audit objectives.[GAS7.18] Auditors should include in the audit report (1) the scope of their work on Reporting Internal internal control and (2) any deficiencies in internal control that are Control Deficiencies significant within the context of the audit objectives and based upon the audit work performed. When auditors detect deficiencies in internal control that are not significant to the objectives of the audit but warrant the attention of those charged with governance, they should include those deficiencies either in the report or communicate those deficiencies in writing to audited entity officials. Auditors should refer to that written communication in the audit report, if the written communication is separate from the audit report. When auditors detect deficiencies that do not warrant the attention of those charged with governance, the determination of whether and how to communicate such deficiencies to audited entity officials is a matter of professional judgment. [GAS 7.19] In a performance audit, auditors may conclude that identified deficiencies in internal control that are significant within the context of the audit objectives are the cause of deficient performance of the program or operations being audited. In reporting this type of finding, the internal control deficiency would be described as the cause. [GAS 7.20] When auditors conclude, based on sufficient, appropriate evidence that Reporting Fraud; fraud, noncompliance with provisions of laws, regulations, contracts or Noncompliance with grant agreements, or abuse either has occurred or is likely to have occurred Provisions of Laws, which is significant within the context of the audit objectives, they should Regulations, report the matter as a finding. Whether a particular act is, in fact, fraud or Contracts, and Grant noncompliance with provisions of laws, regulations, contracts or grant Agreements; and agreements, may have to wait final determination by a court of law or other adjudicative body. [GAS 7.21] Abuse When auditors detect instances of fraud, noncompliance with provisions of laws, regulations, contracts, or grant agreements, or abuse that are not significant within the context of the audit objectives but warrant the attention of those charged with governance, they should communicate those findings in writing to audited entity officials. When auditors detect instances of fraud, noncompliance with provisions of laws, regulations, contracts, or grant agreements, or abuse that do not warrant the attention of those charged with governance, the auditors’ determination of whether and V-7 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) how to communicate such instances to audited entity officials is a matter of the auditors’ professional judgment. [GAS 7.22] When fraud, noncompliance with provisions of laws, regulations, contracts, or grant agreements, or abuse either have occurred or are likely to have occurred, auditors may consult with authorities or legal counsel about whether publicly reporting such information would compromise investigative or legal proceedings. Auditors may limit their public reporting to matters that would not compromise those proceedings and, for example, report only on information that is already a part of the public record.[GAS 7.23] Auditors should report known or likely fraud, noncompliance with Reporting Findings provisions of laws, regulations, contracts, or grant agreements, or abuse Directly to Parties directly to parties outside the audited entity in the following two Outside the Audited circumstances: Entity a.When entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors’ communication with those charged with governance, then the auditors should report the information directly to the specified external parties. b.When entity management fails to take timely and appropriate steps to respond to known or likely fraud, noncompliance with provisions of laws, regulations, contracts, or grant agreements, or abuse that (1) is significant to the findings andconclusions and (2) involved funding received directly or indirectly from a government agency, auditors should first report management’s failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practical after the auditors’ communication with those charged with governance, then the auditors should report the entity’s failure to take timely and appropriate steps directly to the funding agency. [GAS 7.24] The reporting in (GAS) paragraph 7.24 is in addition to any legal requirements to report such information directly to parties outside the audited entity. Auditors should comply with these requirements even if they have resigned or been dismissed from the audit prior to its completion… [See GAS 7.25] V-8 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate assertions by management of the audited entity that it has reported such findings in accordance with laws, regulations, and funding agreements. When auditors are unable to do so, they should report such information directly in (GAS) paragraphs 7.24 and 7.25.[See GAS 7.26] Auditors should report conclusions based on the audit objectives and the Conclusions findings. Report conclusions are logical inferences about the program based on the auditors’ findings, not merely a summary of the findings.The strength of the auditors’ conclusions depends on the sufficiency and appropriateness of the evidence supporting the findings and the soundness of the logic used to formulate the conclusions. Conclusions are more compelling if they lead to the auditors’ recommendations and convince the knowledgeable user of the report that action is necessary. [GAS 7.27] Auditors should recommend actions to correct deficiencies and other Recommendations findings identified during the audit and to improve programs and operations when the potential for improvement in programs, operations, and performance is substantiated by the reported findings and conclusions. Auditors should make recommendations that logically flow from the findings and conclusions, are directed at resolving the cause of identified deficiencies and findings, and clearly state the actions recommended. [GAS 7.28] Effective recommendations encourage improvements in the conduct of government programs and operations. Recommendations are effective when they are addressed to parties that have the authority to act and when the recommended actions are specific, practical, cost effective, and measurable. [GAS 7.29] When auditors comply with all applicable GAGAS requirements, they GAGAS Compliance should use the following language, which represents an unmodified Statement GAGAS compliance statement,in the audit report to indicate that they performed the audit in accordance with GAGAS. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [GAS 7.30] V-9 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) When auditors do not comply with all applicable GAGAS requirements, they should include a modified GAGAS compliance statement in the audit report. For performance audits, auditors should use a statement that includes either (1) the language in 7.30, modified to indicate the requirements that were not followed or (2) language that the auditor did not follow GAGAS. [GAS 7.31] Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS audits, as appropriate. Unmodified GAGAS compliance statement a.: Stating that the auditor performed the audit in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the auditors’ report when they have (1) followed unconditional and applicable presumptively mandatory GAGAS requirements, or (2) have followed unconditional requirements, and documented justification for any departures from applicable presumptively mandatory requirements and have achieved the objectives of those requirements through other means. Modified GAGAS compliance statement b.: Stating either that (1) the auditor performed the audit in accordance with GAGAS, except for specific applicable requirements that were not followed, or (2) because of the significance of the departure(s) from the requirements, the auditor was unable to and did not perform the audit in accordance with GAGAS. Situations when auditors use modified compliance statements also include scope limitations, such as restrictions on access to records, government officials, or other individuals needed to conduct the audit. When auditors use a modified GAGAS statement, they should disclose in the report the applicable requirement(s) not followed, the reasons for not following the requirement(s), andhow not following the requirement(s) affected, or could have affected, the audit and the assurance provided. [GAS 2.24] When auditors do not comply with applicable requirement(s), they should (1) assess the significance of the noncompliance to the auditobjectives, (2) document the assessment, along with their reasons for not following the requirement(s), and (3) determine the type of GAGAS compliance statement. The auditors’ determination is a matter of professional judgment, which is affected by the significance of the requirement(s) not followed in relation to the audit objectives. [GAS 2.25] Auditors should obtain and report the views of responsible officials of the Reporting Views of audited entity concerning the findings, conclusions, and recommendations Responsible Officials included in the audit report, as well as any planned corrective actions. V-10 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) [GAS 7.32] Providing a draft report with findings for review and comment by responsible officials of the audited entity and others helps the auditors develop a report that is fair, complete, and objective. Including the views of responsible officials results in a report that presents not only the auditors’ findings, conclusions, and recommendations, but also the perspectives of the responsible officials of the audited entity and the corrective actions they plan to take. Obtaining the comments in writing is preferred, but oral comments are acceptable.[GAS 7.33] When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials’ written comments, or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments and provide a copy of the summary to the responsible officials to verify that the comments are accurately stated.[GAS 7.34] Auditors should also include in the report an evaluation of the comments, as appropriate. In cases in which the audited entity provides technical comments in addition to its written or oral comments on the report, auditors may disclose in the report that such comments were received.[GAS 7.35] Obtaining oral comments may be appropriate when, for example, there is a reporting date critical to meeting a user’sneeds; auditors have worked closely with the responsible officials throughout the work and the parties are familiar with the findings and issues addressed in the draft report; or the auditors do not expect major disagreements with the findings, conclusions, and recommendations in the draft, or major controversies with regard to the issues discussed in the draft report.[GAS 7.36] When the audited entity’s comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, or when planned corrective actions do not adequately address the auditors’ recommendations, the auditors should evaluate the validity of the audited entity’s comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported with sufficient, appropriate evidence.[GAS 7.37] If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors may issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments.[GAS 7.38] V-11 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) If certain pertinent information is prohibited from public disclosure or is Reporting excluded from a report due to the confidential or sensitive nature of the Confidentialand information, auditors should disclose in thereport that certain information Sensitive Information has been omitted and the reason or other circumstances that make the omission necessary.[GAS 7.39] Certain information may be classified or may be otherwise prohibited from general disclosure by federal, state, or local laws or regulations.In such circumstances, auditors may issue a separate, classified or limited use report containing such information and distribute the report only to persons authorized by law or regulation to receive it.[GAS 7.40] Additional circumstances associated with public safety, privacy, or security concerns could also justify the exclusion of certain information from a publicly available or widely distributed report.For example, detailed information related to computer security for a particular program may be excluded from publicly available reports because of the potential damage that could be caused by the misuse of this information. In such circumstances, auditors may issue a limited use report containing such information and distributethe report only to those parties responsible for acting on the auditors’ recommendations. In some instances, it may be appropriate to issue both a publicly available report with the sensitive information excluded and a limited use report. The auditors may consult with legal counsel regarding any requirements or other circumstances that may necessitate the omission of certain information.[GAS 7.41] Considering the broad public interest in the program or activity under audit assists auditors when deciding whether to exclude certain information from publicly available reports. When circumstances call for omission of certain information, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices.[GAS 7.42] When audit organizations are subject to public records laws, auditors should determine whether public records laws could impact the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate.For example, the auditors may communicate general information in a written report and communicate detailed information orally. The auditor may consult with legal counsel regarding applicable public records laws.[GAS 7.43] The reporting standard related to report issuance and distribution for Distributing Reports performance audits performed in accordance with GAGAS provides that: V-12 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) Distribution of reports completed in accordance with GAGAS depends on the relationship of the auditors to the audited organization and the nature of the information contained in the report. Auditors should documentany limitation on report distribution… Audit organizations in government entities should distribute audit reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or whomay be responsible for acting on audit findings and recommendations, and to others authorized to [ receive such reports. GAS 7.44a] The office’s reports present findings and conclusions in a logical manner so OLAReporting that readers see the rationale for the recommendations. The office also Policies and strives to satisfy the needs of readers. The readers of our audit reports Procedures include councilmembers who need the information, agency people who may be expected to implement the recommendations, and members of the public who may have an interest in the report. The primary audience, however, is the Council. Councilmembers want to be informed on the subject and issues of the audit, but are also hard pressed to read all of the material that inundates them. Councilmembers also come from varied backgrounds. The reports are thereforewritten concisely as possible and use language suitable for the general reader. Report Format When it appears that audit evidence, findings, and recommendations are sufficiently developed, a final draft report can be produced, following the basic structure set forth in the Report Outlineas discussed in Section IV – Fieldwork and Testing.Audit approaches and decisions are subject to reevaluation as the draft report is reviewed. A published report includes all matters that are material to the objectives of the audit. The typical organization of the audit report is shown below. The various chapters of the report are drafted as soon as the necessary information is obtained during the audit process. Title Page The title of the audit report is restated on the inner title page, along with the report date (month-year) and report number. Foreword With the exception of reports conducted by consultants, all reports contain the auditor’s foreword. The foreword provides the reader with some idea of the impetus and rationale for the report and acknowledges those outside of the office who assisted in the work. V-13 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) Executive Summary The executive summary covers the report’s purpose, provides some background information, and explains the findings and recommendations in a concise way. Table of Contents A table of contents helps to provide an overview of the organization of the report, particularly when a report is lengthy. List of Exhibits and/or Appendices Along with the table of contents, the report may include alist of exhibits and/or appendicesto provide quick reference. Chapter 1–Introduction and Background The first chapter usually explains the impetus for the audit report, lists the objectives of the assignment, describes the scope and how the work was done, and declares any significant limitations.As warranted, this section describes any review of management (internal) controls or compliance with laws and regulations. In the case where background information requires lengthy explanation, background may be presented in a separate chapter. Impetus for the report: A report identifies its impetus, such as a resolution, committee report, request from a councilmember, annual audit plan, or initiationby the auditor;gives the reasons for the work;anddescribes the concerns that led to it. Objectives: The objectives of the audit are stated in concise and neutral language.Audit objectives may vary widely and can include assessments of program effectiveness, economy, and efficiency; internal control;compliance; and prospectiveanalyses. These objectives are not mutually exclusive. Thus,a performance audit may have more than one overall objective. Scope: The scope sectiondescribes the depth and breadth of our work and explains what was done, or not done, in meeting the audit objectives. The scope section discloses constraints on the audit approach due to data limitations or scope impairments, andalso indicates the time period in which the audit was conducted. Audit standards also require that noncompliance with standards be disclosed in the scopesection. Methodology: The methodology section describes the data and sources used, the procedures followed, and the strengths and limitations of the data.Data mayinclude laws and regulations, reports, interviews, and questionnaire responses. Sources may include books, journal articles, agency files, department officials, V-14 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) and experts. Procedures maybe the method of sampling or the conduct of interviews. The data strengths and limitations may include problems in obtaining accurate information or constraints on time and resources. If agency data were used and not tested for reliability, this would be disclosed in the methodology section. Background: The background prepares the reader for the main body of the report and enables the reader to better understand the findings and recommendations. If necessary, certain background information may be provided in an appendix. Background on the audit itself, findings, conclusions, or recommendations are generally not discussed in the background section.The background section may include information on the followingelements: Authority and purpose of the program being examined: o County programs are created by some authority and for some purpose. It may beimportant to cite this authority in some reports. If necessary, the background briefly explains relevant aspects of the program or activity. Character and responsibilities of the administering o organization: When relevant, the background describes the agency responsible for administering the program or activity. This may include its organization, staffing, lines of management authority, or other details pertinent to the content of the report. Nature of the subject being studied: Some reports may need o to enlighten the reader on a complex or important subject. Key concepts and terms: If necessary, inform the reader of key o concepts, laws, and regulations,and define terms that will be used in the discussion to follow. Chronology: The report may set forth the sequence of events o leading to the current status of the audited program or entity. Prior audits and studies: The dates and key findings of prior o audits of the subject or agency should be summarized. GAGAS compliance statement: Auditors should include as o appropriate: an unmodified GAGAS compliance statement stating the audit was performed in accordance with GAGAS;or a modified GAGAS compliance statement and disclose the applicable requirement not followed, the reasons for the departure, and how the departure could have impacted the audit and the assurance provided(see pages V-9 to V-10). V-15 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) Chapter 2–Findings and Recommendations Audit reports issued by the office have findings called for by the audit objectives and supported by the evidence, andrecommendations which address the problems identified. The findings and recommendations are usually presented in the same chapter. In the case where recommendations do not flow from the findings or require lengthy explanation, they may be presented in aseparate chapter. Findings: To the extent possible, when presenting findings, auditors should develop the elements of criteria, condition, cause, and effect to assist management or oversight officials of the audited entity in understanding the need for taking corrective action. In addition, if auditors are able to sufficiently develop the findings, auditors should provide recommendations for corrective action. The following is guidance for reporting on elements of findings: Criteria. Criteria provideinformation so that the report user o will be able to determine what the required or desired state is or what is expected from the program or operation. The criteria are easier to understand when stated fairly, explicitly, and completely and when the source of the criteria is identified in the audit report. Condition. Condition provides evidence on what the auditors o found regarding the actual situation. Reporting the scope or extent of the condition allows the report user to gain an accurate perspective. Cause. Cause provides persuasive evidence on the factor or o factors responsible for the difference between condition and criteria. In reporting the cause, auditors may consider whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor or factors contributing to the difference as opposed to other possible causes, such as poorly designed criteria or factors uncontrollable by program management. The auditors also may consider whether the identified cause could serve as a basis for the recommendations. Effect. Effect provides a clear, logical link to establish the o impact of the difference between what the auditors found (condition) and what should be(criteria). Effect is easier to understand when it is stated clearly, concisely, and, if possible, in quantifiable terms. The significance of the reported effect can be demonstrated through credible evidence. V-16 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) Weaknesses in internal (management)controls: The office generally reports all significant weaknesses in internalcontrols within the context of the audit objectives that are foundduring fieldwork and testingas a finding.When auditors detect deficiencies in internal controls that are not significant to the audit objectives but warrant the attention of those charged with governance, the office may either include those deficiencies in the report,or communicate them in writing to the audited entity and refer to the written communication in the report. For those internal control deficienciesthat do not warrant the attention of those charged with governance, communication to the audited entity is a matter of professional judgment.(See also, Section IV –Fieldwork and Testing –Reviewing Internal (Management) Controls –pages IV-2 to IV-4of this audit manual). Illegal acts; fraud; noncompliance with provisions of laws, regulations, contracts, and grant agreements; or abuse: The office generally reports all significantinstances of illegal acts, fraud, noncompliance, or abuse within the context of the audit objectives that are found during fieldwork and testingas a finding.Certain circumstances, laws, regulations, or policies require the auditor to report indications of illegal acts to law enforcement or investigatory authorities, and care is exercised by the office so as not to disrupt or jeopardize ongoing or potential investigations and legal proceedings. When auditors detect instances of fraud, noncompliance, or abuse that are not significant to the audit objectives but warrant the attention of those charged with governance, the office will communicate them in writing to the audited entity.For those instances thatdo not warrant the attention of those charged with governance, communication to the audited entity is a matter of professional judgment. Auditors should report known or likely fraud, noncompliance, or abuse directly to parties outside the audited entity: 1) when entity management fails to satisfy legal or regulatory reporting requirements, auditors should first communicate to thosecharged with governance, and then to specified external parties if no reporting action is taken; and 2) when entity management fails to timely respond to known or likely fraud, noncompliance, or abusethat is significant to the audit findings and conclusions and involvesgovernment funding, auditors should first report to those charged with governance, then directly to the funding agencyif no corrective action is taken. Auditors should either corroborate assertions by entity management that it has reported fraud,noncompliance, or abusein accordance with applicable laws, regulations, or funding agreements, or report auditors’inability to obtain corroboration. (See also, Section IV –Fieldwork and Testing –Testing for Compliance –pages IV-4 to IV-7of this audit manual). V-17 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) Conclusions: Auditors should report conclusions based on the audit objectives and audit findings. Conclusions should be logical inferences about the audited program based on the audit findings, not merely a summary of the findings.The strength of conclusions depends on the appropriateness and sufficiency of the evidence supporting the findings.Conclusions are more compelling if they lead to the auditors’ recommendations. Noteworthy accomplishments: In order to be balanced and fair, the report should include any noteworthy management accomplishments that were identified during the project and fall within the scope of the audit. Describing accomplishments can strengthen the argument and make the agency more receptive to the auditors’ recommendations. Recommendations: A primary purpose of the written report is to help decision makers improve government programs and operations. The report should address recommendations to the manager or managing body who can best implement them–such as the agency or department head, applicable board or commission, mayor, or council. Auditors should recommend actions to correct problems identified during the audit,and improve programs and operations when potential for improvement is substantiated by the audit findings and conclusions. Auditors should make recommendations that flow logically from the audit findings and conclusions, are directed at resolving the cause of identified problems, and clearly state the corrective actions recommended.The most useful recommendations flow from a discussion of the cause or causes of a condition. In cases where findings are cumulative and lead to a broader solution, a single recommendation may be made. Response of Affected Agency To give the audited entity theopportunity to present itsviews, when feasible and appropriate, the office transmitspreliminary and final draftsof the report, invites commentsfrom the audited entity, and includes itswritten responseto the final draftin the published report.The copy of the agency response is preceded by an introductory page that summarizes which agencies responded, the major points of the response, and provides the auditor’s rebuttal where appropriate. Appendices A report’s appendices contain supportinginformation and other material that are necessary to the readers understanding of the findings and recommendations,but would interrupt the flow of the narrative. For example, the office places explanations of sampling techniques, detailed analyses, and lengthy tables in the appendices rather than in the body of the V-18 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) report. Audit Report Cover The last item prepared for all audit reports is the Audit Report Cover.The cover should conform to the format of other office audit reports and be printed on heavier cover stock paper. The administrative assistant to the auditor is responsible for the production of the audit cover. DevelopingDraft Planning for the final product,the published reportbegins as early as Reports possible. In developing an argument for the proposed findings, auditstaff considers the purpose of the report, potential readers, and content.All writing meant for the public should be plainly worded and non-technical. Theauditsupervisorand auditordiscuss the report and its issues at regular decisionpoints along the way. The officedraft moves smoothly through production when prepared in a consistent way, using standard word processing commands. For example, setting tabs and margins at the same numerical values, keeping new format lines to a minimum, and using the table function in our word processing program and the graph function the integrated spreadsheet program to in insert exhibits into the text section of the officedraft will cut down on the production time. The administrative assistant to the auditor formats the officedraft in a readable and attractive format. The audit supervisor is responsible to ensure that where appropriate, exhibits in the format of tables, charts, graphs, photos, or other visual aids are developed for inclusion in the report. The administrative assistant to the auditor may help create such exhibits and provide other technical assistance. The auditor reviews office drafts for conformity with standards of presentation forother office audit reports. Indexing Draft Report to Indexing of the office draft to the supporting working papers is an important Working Papers component of our quality control assurance program. It is an annotation of the office draft by the audit team. Indexing enables audit supervisors and independent reviewers to assess the appropriateness and sufficiency of evidence contained in the working papers to support the report. While most sentences need to be indexed, some sentences or ideas that do not directly reference a specific working paper should be explained. They may simply be introductory, conclusive, or standardized statements present in most, if not all, drafts. The following are examples of situations where indexing to specific working papers is not used, but standardized explanatory phrases can be noted on the office draft. V-19 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) The audit supervisor is responsible for reviewing the indexing of the office draftto ensure that evidence is appropriate and sufficient and that the findings, conclusions, and recommendations are fully supported. Independent Report Independent report review is anotherimportant component of our quality Review (IRR)control assurance program. It is a detailed word-by-word, line-by-line examination of an indexed office draft of the report to ensure that its contents are accurate and supported. The auditor assigns the indexed office draft to a staff auditor or outside expert who hasnot conducted fieldwork in the project to verify the accuracy of the information and whether the evidence supports the contents of the draft. Prior to commencing the IRR, Project the auditor is responsible for ensuring that the reviewer completes a Statement of Independenceand Assignmentform(see Exhibit II-A) .The Policy and Procedures for Conducting the reviewer follows the office’s Independent Report Review (IRR) (see Exhibit V-A) , and completes the Independent Report Review Worksheet(see Exhibit V-B) . The reviewer works primarily with the auditor, and generally does not discuss the project with the audit supervisor or team members. The reviewer completes the Independent Report Review Worksheet by writing review notes such as inaccuracies in indexing, errors in the data, or failure of the evidence to support findings and recommendations in the office draft. Upon conclusion ofthe IRR, thereviewer submits the Independent Report Review Worksheet to the auditor, who discussesresolution of the review noteswith the audit supervisor and team members. Required changes to the office draft are made by the audit supervisorand documented in the working papers. The auditor reviews any unresolved review notes and recommends resolution prior to authorizingfinalization ofthe office draft. V-20 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) Supervisory Review of In reviewing reportoutlines and draftsat numerous points during the report Draft Reports preparation process, the following elements are considered: • Overall quality of the draft and its consistency with reporting standards for content and presentation. • Responsiveness to the auditobjectives. • Soundness of the evidence supporting the findings and recommendations. • Logic, reasonableness, and soundness of the argumentsupporting the findings and recommendations. • Appropriateness, constructiveness, and specificity ofthe recommendations. • Professional quality of the writing and presentation. Multiple supervisory reviewsby the audit supervisor and auditor throughout the planning, fieldwork and testing, and report preparation phases of an auditareto ensure that all findings are included; the evidence is appropriate and sufficient; and the findings, conclusions, and recommendations are well-argued, logically linked, and supported.The auditor must approve all preliminary and final report drafts before they may be prepared for final printing and distribution. Agency Comment to In order to give the parties affected by the report the opportunity to present Preliminary Draft Report their views, the office sends them numbered preliminary drafts of the report marked CONFIDENTIAL and invites the audited entity to meet with the office to discuss questions and comments at a scheduled exit conference. Copies of the numbered confidential preliminary draft reports are hand- delivered to the audited entity, mayor, and/or appropriate boardor commission. Audited entitiesare asked todate-stampand returncopies of their transmittal letter to acknowledge receipt of the numbered confidential draft reports, and the date-stamped receipts are retainedin office project files. Exit Conference Soon after approval of the preliminary draft report, the auditsupervisor, with approval of the auditor, schedules an exit conference with the administrator of the audited entity.The auditor and auditsupervisor attend the exit conference, and audit team members may be asked to attend to provide additional details on the fieldwork performed.The administrator of V-21 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) the audited entitymay invite appropriate staff to attend the exit conference. At the exit conference, the administratoris informed of the office’s preliminary findingsand recommendations.The conference is an opportunity to catch errors and confirm the validity of findings, andaffords the office an opportunity to assess with the agency the usefulness of possible other recommendations by asking what if questions.Immediately after the exit conference, the auditsupervisor summarizes the conference in a memorandum,including any suggestions for further action or changes to thepreliminary draftreport, and forwards it to the auditor for approval. Agency Responseto When an audit report is in an approved final draft form, copies of the report Final Draft Report/are transmitted to the audited entity, mayor, and/or appropriate board or Auditor Commentor commission. In the transmittalletter, the audited entityis informed that it is Rebuttal being provided approximately 10 working days to prepare a written response to the final draft report. If the audited entity’s written response to the final draft report is received in the allotted time, it is generally appended to the final report, and modifications are made to the final reportif the audited entity’s response is supported by sufficient, appropriateevidence. The auditor’s comments or rebuttal to the audited entity’sresponse,chapter page,and executive summary are drafted, and the report is proofed for the last time. The distribution list for the published report must be prepared to determine the necessary number of copies to be printed and bound. Upon completion of these steps, the report production process can begin. Production and In order to produce a high-quality product, the audit supervisor should Distributionof Final allow sufficient time for all phases of production. The average report takes Audit Report 4 to 6 weeks to produce and distribute (including agency review and comment, printing, binding, and final distribution). Reports needing extensive rewriting may take longerto produce and distribute. Production and Distribution Steps Production begins when an office draft is submitted to the auditor,andends when the final report is issued to the audited entity, mayor, appropriate board or commission, and council.Themain steps in the production and distribution process include: Review: The auditor reviews the office draft, makes changesdirectly on the draft, and returns the draft to the audit supervisorfor revision. Accuracy check: The auditorarranges for the revised officedraft to be proofreadand checkedfor accuracyby audit team members. Entering of final changes: The auditor then reviewsand approves any additionalchanges to the revised office draftand transmits them to the V-22 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) administrative assistant to the auditor, who inputs the changes and completes a final office draft forreview by the audit supervisor and auditor. All changes should be madebefore the revised office draft is formatted. Formatting: The administrative assistant to the auditorformats thefinal office draft and prepares a table ofcontents for the report.The body of the audit report should be printed ondouble-sided pages when possible. There should be a degree of consistency in the appearance of office audit reports, whichsupports the development of a separate identity for the audit function. Final review: Once the auditor approves the formatted office draft, the administrative assistant to the auditor will make multiple copies to expedite review by the audit team members, audit supervisor, and auditor.Changes are authorized only by the auditor. Agency distribution and response: Once the auditor approves the formatted office draft, the administrative assistant to the auditor also prepares transmittal letters to appropriate recipients, including those charged with governance, appropriate audited entity officials and oversight bodies, and others authorized to receive such reports. Prior to preparation of transmittal letters, the audit supervisor should ensure that report recipients are identified and a decision made by the auditor as to who will receive reports. If a report recommendation is directed to the mayor or a particular board or commission, the standard transmittal letter may need modification to invite them to comment on the recommendation. Foreword, executive summary, auditor’s comment/rebuttal: After the audited entity’sresponse isreceived, theauditsupervisorprepares the foreword, executive summary, and auditor’s comment or rebuttal to the response,and forwards them to the auditor for approval.The auditor revises and submits themto the administrative assistant to the auditorforinclusion in the final report. Prepublication check: The administrative assistant to the auditorformats all prefaces and attachments to the body of the report, including the foreword, executive summary, table of contents,title page, exhibits, appendices, etc.The audit supervisor and auditor will review the master copy of the report to ensure that the report is in finished form, including insertionof the audited entity’s response and auditor’s comment/rebuttal. Printing and production of report: The administrative assistant to the auditoris responsible for reproducing and binding the final reportin the quantities specified on the distribution lists.Audit staff may assist as needed. V-23 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) Transmittal lettersor memoranda: The audit supervisor prepares transmittal letters of preliminary and final drafts to theaudited entity, mayor, and any applicable boardor commission chairfor the auditor’s approval. In addition, the audit supervisor preparestransmittal letters or memorandaof final reportsto councilmembers,including a brief discussion of the issues andrecommendations, for the auditor’s approval. Documentation of Final Report Distribution: Todocumentdistribution Audit of the final report,the administrative assistant to the auditor uses the Report Distribution Checklist(see Exhibit V-C) .The final reportisfirst releasedto the audited entity, mayor, applicable board or commission chair, and council.Distribution is based on the distribution listdiscussed above and/ora supplemental list as necessary.After the final audit report has been agendized for presentation by the office to the appropriate council committee,distribution of thefinal report is madeto the publicand the press, with acopyof the finalreportposted on the officewebsiteand extra copies made available to the publicupon request to the office.One copy of the report is also added to the office library catalog; and one copy is held in the project file for the audit (including the report in computer file format). Presentation of Audit The council may request a presentation of the final audit report, which is Report typically at a meeting of the pertinent committee of the council. Arrangements are typicallyinitiated by the committee chair or chair’s staff and the auditor. The presentation of the report is organized by the office, subject to the approval of the committee chair. If the audit wasconducted by a consultant, the logistics of having the consultant appearat the meeting must be handled bythe office.The meeting room, audio/visual equipment, and other materials that would assist in the presentation of the report should also be arranged by the office. The actual presentation of theaudit report is typically performed by the auditor, audit supervisor, and/or the consultant, if applicable. Auditteam members may attend thehearing to provide additional details on the fieldwork performed oranswer any questions of councilmembers. The presenter should beprepared to fully discuss the audit’s background, findings,recommendations, our comments regarding the audited entity’s response to thedraft report, and any other matters pertinent to the audit. The auditsupervisoris responsible for preparing testimony for approval by the auditor.If instructed by the auditor, the administrative assistant to the auditorensuresthat afinal copy of the testimony is submitted to the respective councilcommittee clerk (eitherbyemail or hard copy) at least one workingday prior to thecouncil committee meeting.The administrative assistant to the auditoralso provides copies of the testimony to audit team members prior to the hearing, and retainsa copyin theoffice project file. V-24 Section V:Report Preparation and Distribution (Yellow Book 2011Revision) Public Availability of In addition to viewing reports on the office website, members of the public Audit Reports may review published audit reports at our officeorthe Office of the County Clerk. Copies are also available to the public upon request to our office. Disclosure of In accordance with GAGAS requirements for reporting confidential and Confidential or Sensitive sensitive information, if certain information is prohibited from public Information disclosure or is excluded from a report due to its confidential or sensitive nature, auditors should disclose in the report its omission and the reason necessitated its omission. If certain information may be classified or otherwise prohibited from general disclosure by federal, state, or local laws or regulations, auditors may issue a separate classified or limited use report containing such information and distribute the report only to persons authorized by law or regulation to receive it. Auditors should evaluate whether excluding certain information is appropriate when considering the broad public interest in the program or activity under review. As discussed in Section III: Planning the Audit, the State Uniform Information Practices Act(UIPA) provides that confidential documents may be exempted from public disclosure if disclosurewould invade an individual’s right to privacy or frustrate a legitimate government function. Documents that are provided in confidence or documents that are protected by federal and state laws can also be withheld from disclosure. They should be marked “CONFIDENTIAL”andhandled appropriately. Protected documents are best left with the agency being audited. Inthose cases where confidential documents are needed as evidence, consideration should be given to including only a summary of the documents in the working papers.Additional guidelines and opinions from the County Corporation Counsel and State Office of Information Practices (OIP) as to what information may be disclosedand the appropriate procedures for disclosinginformation(such as how to segregate confidential material) may also be considered. Insufficient and If after the audit report is issued, the auditor discovers that the report did not Inappropriate Evidence contain sufficient, appropriate evidence to support the reported audit after Report Issuance findings or conclusions, the office willsonotify in writing the audited entity, mayor, appropriate board or commission, council, and other known report users, so that they do not continue to rely on the findings or conclusions that were not supported. If the report was posted on the office website, the office will remove it and post a public notification of its removal. The auditor will then determine whether to conduct additional fieldwork necessary to reissue the report, including any revised findings or conclusions, or repost the original report if additional fieldwork does not result in a change in findings or conclusions. V-25 This page intentionally left blank. Section VI Qspkfdu!Dmptvsf End of Audit At the end of anaudit project, appropriate stepsaretaken to bring the project to an orderly close and ensure thatoriginal project files andworking paperscontain allessential documentation.The project closure process maybegin soon after the final audit report has been agendized for presentation by the office to the appropriate council committee;afterthe office’s audit report presentation to the councilcommittee;orif applicable, after final payment totheproject consultant has been processed. In accordance with the County’sRecords Retention Policy, theoffice Document maintains in perpetuity the original projectfilesand working papers Retention followingpublication of itsfinal audit report. Project Evaluation After the completion of an auditproject, the auditor meetswith the audit team and office staffto discuss accomplishments,issues encountered, lessons learned,and suggestions for improvementofthe office’s audit process. Staff Evaluation After closure of each project,the each audit team membercompletes an Employee Performance Evaluation form(see Exhibit VI-A) . The employee and the auditor meettoreviewand discuss employee performance during the audit project, and the completed Employee Performance Evaluation form is filed in the employee’s personnel file. In addition, theauditormay ask individual auditstaff to complete an Employee Performance Evaluation form on an annual basis, and to meet with the auditor to review and discuss theemployee’s annual performance. The completed Employee Performance Evaluation formis also filed in the employee’s personnel file. VI-1 This page intentionally left blank. Section VII Vtf!pg!Dpotvmubou!Tfswjdft Consultant services are professional or technical services (such asauditing, Introduction engineering work, legal research, statistical analysis, and polling)provided to Office of the Legislative Auditor (office)by individuals or firms acting as independentcontractors. The use of consultant services is appropriate for financialor performance Appropriate Uses audits,attestation engagements, and non-audit workthat require professional or technical competencies not available in the office.The officewillnormally hire a consultant to perform financial audits and attestationengagements for the office. In addition, the office may hire a consultantwhen special expertise is required to accomplish the audit objectives ina performance auditor the specifications of a non-audit service engagement. The procurement of consultants,ingeneral, is described below. It shouldbe Procurement cautioned, however, that all of the procedures described in thisaudit manual Procedure for the procurement of consultants must be read in the context ofthe provisions of the State of Hawai‘i Public Procurement Code (HRS chapter 103D), Hawaii Administrative Rules (chapter 3-120),and rules adopted by the State of Hawai‘i Procurement Policy Board and theCountyof Hawai‘i Department of Finance Purchasing Division.If there is any conflict between this audit manual and the above-referenced code and rules,as they may be amended, the provisions of said code and rules, as amended,shall prevail. The auditsupervisor on a project must first determine if andwhat type of Applicable consultant services is needed for aproject. Thisrequires planning activities, Standards including preparation of the riskassessment, scoping statement, and work program, as described in Section III –Planning.Based on this preliminary research and analysis, theproject’s background, objectives, scope, work hours, estimated timetable,and budget can be determined. Keep in mind that the consultant mayconduct the entire projectif the subject matter is beyond the technicalexpertise of the officestaff, or perform parts of the project. If a consultant isneeded, the audit supervisor brings the proposal to the auditor for approval. Financial audits are to be conducted in accordance with generally accepted government auditing standards (GAGAS). GAGAS incorporates by reference the American Institute of Certified Public Accountants (AICPA) VII-1 Section VII:Use of Consultant Services (Yellow Book 2011Revision) Statements on Auditing Standards (SAS).All sections of the SASs are incorporated, including the introduction, objectives, definitions, requirements, and application and other explanatory material. Auditors performing financial audits in accordance with GAGAS should comply with the incorporated SASs as well as any additional requirements under GAGAS.(See GAS 4.01through GAS 4.48) Attestation engagements are to be conducted in accordance with generally accepted government auditing standards (GAGAS). Auditors performing attestation engagements in accordance with GAGAS should comply with the American Institute of Certified Public Accountants (AICPA) general attestation standard on criteria, the field work and reporting attestation standards,and the corresponding statements on standards for attestation engagements (SSAEs).Auditors performing attestation engagements should also comply with anyadditional requirements under GAGAS.(See GAS 5.01through GAS 5.66) Performance audits are to be conducted in accordance with generally accepted government auditing standards (GAGAS).(See GAS 6.01and GAS 6.02, and specific guidance provided inthis audit manual.) Non-audit services , which are defined as professional services other than financial or performance audits and attestation engagements, are not covered under generally accepted government auditing standards GAGAS. (See GAS 2.12and GAS 2.13, and specific guidance provided inthis audit manual.) The applicablestandards and compliance procedures are to be detailed by the office in itscontract specifications and instructions to prospective consultants for each financialor performance audit,attestation engagement, and non-audit services related work.As part of the procurement process, prospective consultants are required to submit representations regarding their independence from the audit entity as well as their most recent external peer review report and any letter of comment. The office may use procurementproceduresincluding, but not limited to: GeneralProcurement Process Invitation for Bid (IFB)/Competitive Sealed Bidding. (HRS §103D-302) Request for Proposal (RFP)/Competitive Sealed Proposal. (HRS §103D-303) Professional ServicesProcurement . (HRS §103D-304) Small Purchases . (HRS§103D-305) Sole Source Procurement . (HRS §103D-306) Emergency Procurement . (HRS §103D-307) Exemptionfrom State Procurement Code . (HRS chapter 103D/HAR §3-120-4(b) County Finance Director Rule 4.8(b). VII-2 Section VII:Use of Consultant Services (Yellow Book 2011Revision) The following procurement elementsare intended toprovide a general guide to follow when the need for a consultant hasbeen determined for a project. The auditor or audit supervisor may consult with the County’s Purchasing Agent and/or Corporation Counsel for specific guidanceto ensure that proper procurement procedures are followed in securinga consultant for financial or performance audit,attestation engagement, and non-audit servicesrelatedwork. All vendors doing business with the State or County are required to comply Hawai‘i Compliance with all applicable statutesandadministrative rules and procedures. Express (HCE) Vendors wishing to do business with the State or County must register and be in compliance HCE).State or County agencies must verify vendor compliance prior to award. HCE is a one-stop online program where vendors verify and manage their compliance. Once a vendor is registered, HCE provides the following proof of complianceorcompliance documentation: Certificate of Good Standing (COGS) from the State Department of Commerce and Consumer Affairs (DCCA)–Business Registration Division; Tax clearances (federal and state) from the Department of Taxation (DOTAX); and Compliance with HRS chapters 383 Hawai'i Employment Security Law (Unemployment Insurance), 386 Workers’Compensation Law, 392 Temporary Disability Insurance,and 393 Prepaid Healthcare Act. There is a nominal fee to subscribe to HCE. Please note that it may take two or more weeks to establish a vendor account in HCE. For more information and to register, see http://vendors.ehawaii.gov. The successful proposer must be registered and comply with HCEprior to a contract being issuedand again before final payment can be made. In the event an apparent successful proposer is not in compliance with HCE within 10calendar days of being requiredto do so, the County may award the contract to the next most acceptable proposer,who shall furnish said compliance with HCE. It is not required, but strongly suggested, that proposers furnish compliance with HCE with their proposals, and any additional certification requirements for compliance with Hawai‘i Administrative Rules (HAR) section 3-122-112. VII-3 Section VII:Use of Consultant Services (Yellow Book 2011Revision) Contract specifications When it is determined that consultant services are required, the audit supervisorprepares the specifications for the anticipated scope of work and submits them to theauditor for approval. These specifications become the basis forreviewing qualificationsof and proposals from consultants. Contract specifications may vary by project in their details, but generally include the following types of information: • An introduction and/or background section,briefly summarizingthe history behind the project authorization anddefining the subject or problem to be examined; • A statement of the project objectives; • A statement of the scope of work to be performed, including any specific methodology that may have already been determined; • A description of the work products to be produced; • Standard provisions relating to the conduct of auditsand non-audit servicesfor the office,including requirements thattheconsultant comply with applicable standards;comply with policies relating to contract cancellation;provide the officereasonable access to examine working papersand toidentify and label proprietary information in working papers;maintain confidentiality;be available to present the completed report to the council,etc.; • Amount of compensation, if established. This may be the upsetor maximum price of the consultant contract. A statement shouldalso be included that Hawai‘i’s general excise tax must beincluded as part of the proposedprice. If the compensationis to be issued in increments, the timing, amount, and/or basis ofthe increments or progress payments should be stated; • Time schedule and limitations affecting the project; • A liquidated damages provision describing the penalty for delays beyond the contracted deadlines, if needed; and • Copies of pertinent legislation, committee reports, or other background materials. General terms of The general terms of professional services contracts issued by the officeis contracts part of all such contracts. It prescribes the procedure to address eventssuch as changes to the contract specifications, payment schedule,compensation, and contract termination. It also sets forth requirementsof the contractor VII-4 Section VII:Use of Consultant Services (Yellow Book 2011Revision) relating to such matters as vendor compliancecertificationsrequired for all countycontracts.The generalterms of contractsare updated by the office from time to time when the county’s general terms are modified. The office version deletes provisions that are inapplicable to officecontracts. Instructions for Whether a consultant will be competitively procured by soliciting bids or prospective consultants soliciting proposals will have an impact on what additional provisionsare included in the specifications. Briefly, a bid may be defined as aprice quote offered by an interested consultant to perform the consultant services specified by the office. A proposal may be defined as apackage of services which the consultant believes would fulfill the projectobjectives specified by the office, offered at a price set by theconsultant. In general, bids may be requested from interestedconsultants when the projectto be performed has a small and/or welldefinedscope, while proposals may be requested when the workneeded to perform the projectis complex or not predetermined.Regardless of whether bids or proposals are requested, in addition to thespecifications, theauditor must prepare a set of instructions to befollowed by interested consultants in respondingto the request. Theinstructions typically include the following: 1.How (e.g.,in what form), where, and when bids or proposals are to be submitted. 2.Information to be provided by interested consultants about themselves: a.A description of the proposed team, including background, qualifications, and experience, and where applicable, knowledge of all relevant accounting and auditing standards; b.An explanation of the work hours to be expended and any other special resources to be used in the project; c.Time required for completingthe work, if different from the time limitations set forth in the specifications; d.Itemization of costs, including staff fee rates, technical services fee rates, travel, reportprinting, and other costs; e.Description of the firm and special resources available to the consultantteam; f.Local address where the consultant services will be conducted, and where questions tothe consultant may be directed;and VII-5 Section VII:Use of Consultant Services (Yellow Book 2011Revision) g.Full (independence)disclosure of the consultantfirm’s possible conflicts of interest or other impairments that might affect the objectivity of the consultant’s work. h.Copy of the consultant firm’s most recent external peer review report and any letter of comment (if applicable). 3.If consultant services are to be procured by requesting proposals, the methodology to be used by theconsultant to perform contract servicesis also requested. 4.Discussion of how bids or proposals will be evaluated and contract awarded. 5.Statement that the auditor need not select any bidder or proposer. This allows the officeto reinitiate or terminate the procurement if no bidder or proposer is qualified or no bid or proposal is satisfactory. 6.If necessary, announcement of a bidders’ conference. The conference, attendance atwhich may be required of all bidders, allows the opportunity for the officeto provide all interested consultantsfurther information about the contract, respond to questions already received, and respond to any new questions. Additional materials may be distributed at the conference. After the conference, requests for substantive clarification of contract specificationsare responded to in writing by the auditor and distributed toall conference attendees. The list of attendees is considered publicinformation, but the auditor is careful not to divulge to other partiesany sensitive or proprietary information. Solicitation of interested After the auditor hasapproved the specifications, the Department of consultants Finance’sPurchasing Division will advertise ornotify prospective consultantsof the contractin accordance with the stateprocurement code and countypolicies so that they can submit statementsofqualificationsand bidsor proposals.WithIFBs/RFPs, this normally takes the form of advertisements in newspapers of general circulation, supplemented by invitations to specific consultants known to be in the relevant field. Advertisements may also be placed in appropriate trade journals when special expertise is needed. The contents and method ofadvertisement shall be in accordance with the procurement code. VII-6 Section VII:Use of Consultant Services (Yellow Book 2011Revision) Evaluation of statement All statementsof qualifications and bids or proposals received by the of qualifications and designateddeadline are evaluated and scored independently by at least three proposals qualified individualsand the auditoror the auditor’s designee. The auditor will develop an evaluation andscoring form indicating the areas to be evaluated and thenumber of points and/or weight to be given to each item. The formshould betailored to meet the needs of the contractwhile taking intoaccount the evaluationcriteria. Pursuant to the procurement code, the evaluation criteria and process must have been previously disclosed to potentialproposers. An example of criteria which may be applicable to theprocurement effort is provided below: • Degree to which the proposal meets the specifications and instructions; • Feasibility and adequacy of the methodology that the consultant intends to follow,and the tests and standards tobe used in performing the indicated work; • Qualifications and expertise of the consultant based primarily onthe assigned personnel’s capabilities, past experience, andcredentials, and secondarily on the nature of the consultant’sorganization and reputation; • Adequacy of the resources the consultant intends to commit tothe project, including the timeliness and reasonableness of the consultant’s overall project schedule; • For RFPs, reasonableness of the consultant’s proposed costs and allocations of costs for the project.It should be noted that if so designatedin thespecifications and instructions to proposers, the selected consultant maynot be the one with the lowest cost. In that case, the focus is onselecting the proposal that will achieve the desired results in the mosteffective manner, while giving dueregard to costs and available funding; and For IFBs, the qualified consultantsubmitting the lowest bid price will be awarded the contract.If permitted by the procurement code and contract specifications and instructions, theauditor may negotiate with a consultant to obtain the most favorableterms and conditions for carrying out the project. The auditor may alsoreject all proposals if none meet the requirements of the specificationsand instructions. The auditor may call for new proposals with or withoutrevising the original specifications and instructions. VII-7 Section VII:Use of Consultant Services (Yellow Book 2011Revision) Contract execution Once the selection of a consultant is made, the Department of Finance’s Purchasing Divisionnotifies theselected consultant by letter.Consultants not selected are also notified by letter. All copies of thebids or proposals and supplementary materials submittedby interested consultantsmay be returnedto them if so requested. Each contract hasunique provisions,but there are also a number ofstandard specifications. It may be convenient to incorporate these specificationsas well as the consultant’s proposal by reference into the contract, subject to anymodifications or qualifications that might be included within the contract. Once the contract has been prepared and put into final form, the office then follows the County’s Contract RoutingProcesswhichis generally conducted as follows: 1.Submittal to the contractor for review and notarized signature. 2.Submittal to the auditor for recommending approval and signature; 3.Submittal to the council chair for recommending approval and signature; 4.Submittal to the purchasing agent for procurement review and reporting; 5.Submittal to the director of finance for certification of funds; 6.Submittal to the corporation counsel for approvalas to form, legality, and signature; 7.Submittal to the mayor for review, notarized signature, and date; 8.Upon receipt from the mayor, theoffice issues the Notice to Proceed to the consultantand distributes contract copies to the affected parties; and 9.The original fully executed contract with required attachments is retained bythe officein its project files. Contract administration The auditorand/or auditsupervisoradministers the contract and acts as liaison with the consultant. VII-8 Section VII:Use of Consultant Services (Yellow Book 2011Revision) The responsibilities of the auditsupervisorgenerally include the following: • Drafting correspondence relating tothe contract or project; • Orienting the consultant to office procedures and practices, including such matters as billing procedures, confidentiality restrictions, working paper requirements, and expectationsregarding progress reports; • Arranging meetings between the officeand the consultant to initiate, monitor, and conclude the project; • Communicating with the consultant and helping as needed toensure the successful and timely completion of the project,including working with the consultant to obtain neededbackground information; • Assisting in fieldwork by introducing the consultant to affected parties, notifying them of the consultant’s status with the office, helping to open up lines of communication and access to needed documentation, and scheduling interviews as necessary for consultants based outside ofthe Stateof Hawai‘i; • Monitoring the work of the consultant and ensuring that the consultant produces the specified products, adheres to thetimetable called for in the contract, submits required progressreports, complies with office standards, and keeps the officeadvisedof unforeseen and unavoidable delays or other problems. Where appropriate, the auditsupervisor andaudit staff assigned by the auditor may attend interviews of county personnel with the consultant to obtain a first-hand view of theinformation being gathered and the issuesuncovered during the project; • Coordinating and participating in the review and comment on materials andwork products submitted by the consultant, suchas progress reports, report outline, and report drafts; • Ensuring that the findings and recommendations of the report are adequately supportedbyworking papers that are made available to the office and that adequately attest to theaccuracy, completeness, and reliability of the consultant’s workand the report’s contents; • Assisting in the distribution of the draft report andpublished report, including ensuring that the draft report isreviewed and commented on by all affected agenciesandcoordinating the consultant’s comment on the agency responses; and VII-9 Section VII:Use of Consultant Services (Yellow Book 2011Revision) • Wrapping up the project, preparing project files for closure, and handling any follow-up activities. Theresponsibilities of the auditor generally include the following: Reviewing the consultant’s invoices for accuracy and completeness and approving them for processing and payment, includingensuring that a vendor compliance certificationis obtained when required. Participating in the review and comment on materials submitted by the consultant. Reviewing of the draft report, includingrequiring the consultant to revise preliminary drafts as necessary toensure that the finalreport: Complies with all pertinent provisions of the specifications, o proposal, and contract; Accurately portrays the work of the consultant as reported bythe o consultant and as evidenced in meetings attended andmaterials examined by the auditor. The report must also provideadequate support for all findings and recommendations; Presents recommendations that are feasible, reasonable, and o appropriate; Communicates the results of the consultant’s work in a clear, o consistent, concise, and logical manner. Reviewing the consultant’s proposed presentation to the council, including obtaining copies of any proposed slide showand/or handouts, to ensure thepresentation effectively and clearly communicates the main points ofthe reportin the allotted time. Contract termination The auditor may terminate a contract for consultant services when thework is not progressing as intended, is unlikely to produce the result orproduct specified in the contract, or is unreasonably delayed. If it isdetermined that the contractshould be terminated, a report of suchdetermination should be filed with the consultant. Upon termination, the consultant is paidfor all work performed to date, provided the consultant submits anappropriate bill. Theseactions must betaken pursuant to any contract provisions specifying how contract terminationswill be handled. The cancellation of a consultant contract need not mean the terminationof the project. The remaining work may be completed by a newconsultant. VII-10 Section VII:Use of Consultant Services (Yellow Book 2011Revision) Evaluation of contractor The auditor and audit supervisor will evaluate the services of the contractor at the close of the engagement. VII-11 This page intentionally left blank. Office of the LegislativeAuditor Project Statement of IndependenceandAssignment Background Generally Accepted Government Auditing Standards (GAGAS) place responsibility on each auditor and the audit organization to maintain independence of mind and appearance so that opinions, findings, conclusions, judgments, and recommendations will be impartial and will be viewed as impartial by reasonable and informed third parties. In all matters relating to the audit work, the audit organization and the individual auditors, whether government or public, should be free from personal and external impairments to independence, should be organizationally independent, and should maintain an independent attitude and appearance. All audit staff assigned to an auditmust complete and sign the following. ProjectTitle: Name: Threats/impairments regarding the agency/program to be audited:YESNO 1.Self-interest threat –Is there a threat that a financial or other interest will inappropriately influence an auditor’s judgment or behavior? 2.Self-review threat –Is there a threat that an auditor or audit organization that has provided nonaudit services, to include maintaining office accounting records or performing accounting tasks, that will not appropriately evaluate the results of previous judgments made or services performed as part of the nonaudit services when forming a judgment significant to an audit? 3.Bias threat –Is there a threat that an auditor will, as a result ofpolitical, ideological, social, or other convictions, take a position that is not objective? 4.Familiarity threat –Is there a threat that aspects of a relationship with management or personnel of an audited entity, suchas a close or long relationship, or that of an immediate or close family member, will lead an auditor to take a position that is not objective? 5.Undue influence threat –Is there a threat that external influences or pressures will impact an auditor’s ability to make independent and objective judgments? 6.Management participation threat –Is thereathreat that results from an auditor’s taking on the role of management or otherwise performing management functions on behalf of the entity undergoing an audit? 7.Structural threat –Is there a threat that the office’splacement within a government entity, in combination with the structure of the government entity being audited, will impact the office’s ability to perform work and report results objectively? Exhibit II-A Project Statement of Independence andAssignment Supplement 1 (12-2013) I certify that above statements are true to the best of my knowledge and any “yes” answers will be discussed with thelegislative auditor. SignatureDate To be completed by the legislativeauditoror legislative auditor’s designee: 1.Staffqualifications/justification: 2.Didthe assigned auditor disclose any threat(s)/impairment(s)listed above? 3.Can the threat(s)/impairment(s)be mitigated? If YES, explain how the threat(s)/impairment(s)can be mitigated in order to justify the assignment. 4.Will the assignment resultin our auditing our own work?YES/NO 5.Has the office:(1) performed any management functions or made any management decisions relative to the auditee;and (2) providedany nonaudit services thatare significant or material to the subject matter of the audit?YES/NO Assignment: 6.Support Staff Staff Auditor Audit Supervisor Independent Report Reviewer Other APPROVE:/DISAPPROVE:the project/assignment. LegislativeAuditor’sSignatureDate Exhibit II-A Project Statement of Independence and Assignment Supplement 1 (12-2013) Office of the Legislative Auditor CPE Training Summary Biennium Period: January 1, xxxx to December 31, xxxx Name: Title: Total Gov't Non DateCourse Title / ConferenceSponsorLocationCost HoursReqGov't $0.00 $0.00 $0.00 20 Total Non Gov't Cost HoursGov't Req Name: Calendar Year (1) YTD CPE Training Summary Subtotal: Subtotal000$0.00 Total Gov't Non DateCourse Title / ConferenceSponsorLocationCost HoursReqGov't $0.00 $0.00 $0.00 20 Total Non Gov't Cost HoursGov't Req Name: Calendar Year (2) YTD CPE Training Summary Subtotal: Subtotal000$0.00 40 Total Non Gov't Cost HoursGov't Req Name: CPE Training Biennium Summary Biennium Total: Total000$0.00 Exhibit II-B CPE Training Summary Office of the Legislative Auditor Report of Completed CPE Training Name:Date: Course Title/Conference: Sponsor: Location: Date(s): Computation of CPE credit earned*:(50 minutes = 1 CPE Credit) 1.Length of external training (exclude lunch breaks):hours=minutes=CPE credit 2.Instructor's training preparation (length of presentation):hours=minutes=CPE credit 3.Length of instructor's training presentation: (exclude lunch breaks):hours=minutes=CPE credit 4.Other training (self-study, course work):hours=minutes=CPE credit TotalCPE Credit 5.Check one: Government auditing training hours Other non-government qualified training hours * If sponsoring organization awards CPE credit for the training, do not exceed the total hours in your computation. Tuition/registration fee reimbursement requested:NoYesAmount Attach training agenda, program documentation, and/or a certificate of completion. Date: Employee's Signature Date: CPE Coordinator's Signature Date: Legislative Auditor's Signature Exhibit II-C Report of Completed CPE Training Office of the Legislative Auditor QCS Assurance Review Audit Title, Project No.: Review Performed By:Date: Objective: To ensure that audit activities and reports comply with the U.S. Comptroller Government Auditing Standards –2011 Revision General’s . The format and Association of Local Government numbering of this document conforms to the Auditor’s 2011 I.A. Review of Audit Engagement Documentation .For all audits the GENERAL STANDARDS section will be completed; when applicable the FINANCIAL AND ATTESTATION STANDARDS section will be completed; when applicablethe PERFORMANCE STANDARDSsection will be completed. I.A REVIEW OF AUDIT ENGAGEMENT DOCUMENTATION (Revision Date: 11/19/12) ALGA Peer Review Guide (2011) GENERAL STANDARDSYesNoN/AReviewer Comments : INDEPENDENCE 1.The audit organization and the individual auditor, whether government or public, must be independent (GAS 3.02). Quality Control System procedures should include: a)Verify auditors were independent during the period covered by the subject matter of the audit and the period of the engagement (3.05) b)Identify threats to independence, evaluate theirsignificance, determine if identified threats to independence have been eliminated or are at an acceptable level, and apply and document safeguards as necessary (3.08, 3.20-3.23, 3.24, 3.59) Exhibit II-D Sample of QCS –Assurance Review Supplement 1 (12-2013) GENERAL STANDARDSYesNoN/AReviewer Comments : c)Evaluate the categories of threats to independence: self-interest, self-review, bias, familiarity, undue influence, management participation, and structural (3.14) d)Decline or terminate the audit if threats cannot be eliminated or reduced to an acceptable level. (3.25) e)Evaluate the impacts of threats identified after report issuance and take appropriate steps. (3.26) 2.(Quality Control System Review Only) 3.(Quality Control System Review Only) 4.Evaluate the impact on independence of any previously performed nonaudit services before accepting the prospective audit. (3.42) 5.When performance of a nonaudit service could impair independence with respect to a required audit, disclose the nature of the threat that could not be eliminated or reduced to an acceptable level and modify the GAGAS statement accordingly.(3.44) 6.(Quality Control System Review Only) 7.(Quality Control System Review Only) Exhibit II-D Sample of QCS –Assurance Review Supplement 1 (12-2013) GENERAL STANDARDSYesNoN/AReviewer Comments : PROFESSIONAL JUDGMENT 8.Use professional judgment (includes exercising reasonable care and professional skepticism) in planning and performing audits and in reporting the results. (3.60, 3.61) COMPETENCE 9.Assess skill needs to consider whether the essential skills match those necessary to perform a particular audit. (3.69, 3.70) 10.(Quality Control System Review Only) 11.Staff assigned to conduct an auditshould collectively possess the technical knowledge, skills, and experience necessary.(3.72) 12.Auditors performing financial audits or attestation engagements should be knowledgeable of applicable standards and competent in their application. (3.73-3.75) 13.(Quality Control System Review Only) 14.(Quality Control System Review Only) 15.External/internal specialists assisting with or performing GAGAS audits are qualified and competent. (3.79-3.81) Exhibit II-D Sample of QCS –Assurance Review Supplement 1 (12-2013) GENERAL STANDARDSYesNoN/AReviewer Comments : QUALITY CONTROL AND ASSURANCE 16.(Quality Control System Review Only) 17.(Quality Control System Review Only) 18.(Quality Control System Review Only) Exhibit II-D Sample of QCS –Assurance Review Supplement 1 (12-2013) FINANCIAL AND ATTESTATION STANDARDS: YesNoN/AReviewer Comments AICPA STANDARDS 19.Forfinancial audits and attestation engagements follow applicable AICPAStandards, SASs, SSAEs, and applicable GAGAS. (4.02,5.02) AUDITOR COMMUNICATION 20.Communicate pertinent information to individuals contracting for or requesting the engagement and to others as required.(4.03-4.04, 5.04- 5.05) PREVIOUS AUDITS AND ATTESTATION ENGAGEMENTS 21.Follow up on findings from prior audits/engagements. (4.05, 5.06) FRAUD, NONCOMPLIANCE WITH LAWS, REGULATIONS, CONTRACTS, AND GRANT AGREEMENTS, AND ABUSE 22.For financial audits,extend AICPA requirements for laws and regulations to also apply to compliance with provisions of contract or grant agreements. If abuse is discovered, apply procedures to ascertain the effect on financial statements or data significant to audit objectives. (4.06, 4.08) 23.For examination level attestation engagements, design the engagement to Exhibit II-D Sample of QCS –Assurance Review Supplement 1 (12-2013) FINANCIAL AND ATTESTATION STANDARDS: YesNoN/AReviewer Comments detect fraud and noncompliance that may have a material effect on the subject matter. If abuse is discovered, apply procedures to ascertain the effect on the subject matter or other datasignificant to the engagementobjectives.(5.07, 5.09) 24.Do not interfere with investigations or legal proceedings. (4.09, 5.10) ELEMENTS OF A FINDING 25.Develop the elements of a finding that are relevant and necessary to achieve audit or engagement objectives. (4.10- 4.14, 5.11-5.15) DOCUMENTATION 26.For financial audits, document supervisory reviewof the evidence supporting the report before the report release date anddocument any departures from GAGAS requirementsand the impact on the audit.(4.15) 27.For examination-level attestation engagements, prepare sufficient attest documentation, document supervisory review of evidence before the date of the report, and document any departures from GAGAS requirements. (5.16) 28.Make appropriate individuals Exhibit II-D Sample of QCS –Assurance Review Supplement 1 (12-2013) FINANCIAL AND ATTESTATION STANDARDS: YesNoN/AReviewer Comments and audit or attest documentation available to other auditors or reviewers upon request, subject to applicable laws and regulations.(4.16, 5.17) REPORTING 29.Follow AICPA reporting requirementsand applicable GAGASfor financial auditsand examination engagements. Document assessment of any noncompliance and determine typeof GAGAS compliance statement. (2.24, 2.25, 4.18, 5.19) 30.For financial audits,report on internal controls over financial reporting and compliance, describe scope of internal control and compliance testing, and state whether the tests performed provided sufficient, appropriate evidence to support opinions. If reporting separately on internal controls and on compliance, include statement on issuing additional reports. (4.19-4.20, 4.22) 31.For financial audits,report significant deficiencies and material weaknesses, instances of fraud and noncompliancewith laws and regulations, noncompliance with provisions ofcontracts and grant agreements, and abuse that have a material effect on the audit. (4.23) Exhibit II-D Sample of QCS –Assurance Review Supplement 1 (12-2013) FINANCIAL AND ATTESTATION STANDARDS: YesNoN/AReviewer Comments 32.For examination engagements, report on significant deficiencies and weaknesses in internal control and instances of fraud, abuse, and noncompliance that are material to the subject matter. Reference any separate reports. (5.20-5.23) 33.Report known or likely fraud, noncompliance, or abusethat is material to those charged with governance and when applicable, to external parties under specific circumstances. (4.25-4.26, 5.24-5.25) 34.Develop the elements of the findings to the extent necessary to assist with understanding the need for taking corrective actions and making recommendations. (4.28-4.29, 5.27-5.28) 35.Report known or likely fraud or noncompliance with laws, regulations, contracts, or grant agreements or abuse to outside parties when: 1) management fails to report as required or 2) management fails to take timely and appropriate steps to respond. (4.30-4.32, 5.29-5.31) 36.Report views and planned corrective actionsof responsible officials. If commentsare inconsistent or in conflict or actions are Exhibit II-D Sample of QCS –Assurance Review Supplement 1 (12-2013) FINANCIAL AND ATTESTATION STANDARDS: YesNoN/AReviewer Comments inadequate, evaluate validity of comments. If auditors disagree with comments,report reasons for disagreement. (4.33-4.39, 5.32-5.38) 37.For financial audits and examination engagements, report the nature of and reason for omitted information. (4.40- 4.44, 5.39-5.43) 38.For financial audits, and examination, review and agreed-upon attestation engagements,submit reports to appropriate officials and make available to public. Document any limitation on report distribution. (4.45, 5.44, 5.52, 5.62) ADDITIONAL GAGAS CONSIDERATIONSFOR FINANCIAL AUDITS AND EXAMINATION ENGAGEMENTS 39.For financial audits,apply the concept of materiality appropriately in planning and performing the audit. (4.47) 40.For examination engagements, consider,preliminary judgments about attestation risk and materiality for attest purposeswhen planning the engagement. (5.46) ADDITIONAL GAGAS REQUIREMENTSFOR REVIEW AND AGREED-UPON PROCEDURE ENGAGEMENTS Exhibit II-D Sample of QCS –Assurance Review Supplement 1 (12-2013) FINANCIAL AND ATTESTATION STANDARDS: YesNoN/AReviewer Comments 41.For review and agreed-upon procedures engagements, communicate significant deficiencies, material weaknesses, instances of fraud, noncompliance, or abuse to audited entity officials. (5.49, 5.59) 42.For review andagreed-upon procedures engagements, report compliance with GAGAS.(5.51, 5.61) 43.For review and agreed-upon proceduresengagements, establish an understanding with the audited entity regarding the servicesto be performed. (5.54, 5.64) 44.For review engagements, report in the form of negative assurance.(5.56) 45.For agreed-upon procedures engagements,report in the form of procedures and findings. (5.66) Exhibit II-D Sample of QCS –Assurance Review Supplement 1 (12-2013) PERFORMANCE YesNoN/AReviewer Comments STANDARDS: PLANNING 46.Plan and document work necessary to define audit objectives, scope,and methodology such that work provides reasonable assurance that sufficient,appropriate evidence supports conclusions. (6.06, 6.07, 6.10) 47.Assess audit risk and significance within the context of the audit objectives by gaining an understanding of the following: a)Nature of the program and user needs (6.11a, 6.13) b)Design and implementation of internal controls (6.11b, 6.16) c)Design and effectivenessof information system controls (6.11c, 6.24, 6.27) d)Legal,regulatory,contract, and/or grant agreement provisions, and potential fraud and abuse(6.11d, 6.28, 6.30-6.32, 6.34) e)Impact on ongoing investigation and legal proceedings (6.11e, 6.35) f)Results of previous audits (6.11f, 6.36) Exhibit II-D Sample of QCS –Assurance Review Supplement 1 (12-2013) PERFORMANCE YesNoN/AReviewer Comments STANDARDS: 48.Identify potential criteria to the extent relevant to the audit objectives. Planning allows auditors to identify potential criteria and sources of evidence, and evaluate whether to use the work of other auditors or experts. (6.12 a-c; 6.37; 6.38; 6.40- 6.42) 49.Determine the type and amount of evidence needed to obtain sufficient, appropriate evidence to address the audit objectives.Evaluate whether internal control or other program weaknesses are the cause when auditors conclude that sufficient, appropriate evidence is not available. (6.39) 50.Extend audit procedures when there are indications that fraud or abuse significant to the audit objectives may have occurred; do notinterfere with legal proceedings or investigations. (6.32; 6.34-6.35) 51.Assess qualifications and independence of specialists. (6.12d, 6.43-6.44) 52.Assign sufficient number of appropriatelyskilled staffand document work performed by specialists.(6.12d; 6.45-6.46) 53.Communicate planned testing and reporting to management, those charged with governance Exhibit II-D Sample of QCS –Assurance Review Supplement 1 (12-2013) PERFORMANCE YesNoN/AReviewer Comments STANDARDS: and requestors.Document communications.Follow appropriate requirements if audit is terminated before completed.(6.12e; 6.47-6.50) 54.Prepare and update awritten audit plan.(6.12f; 6.51) SUPERVISION 55.Properly supervise staff. Review work performed and document review of work before issuing the audit report. (6.53-6.55, 6.83c) EVIDENCE 56.Obtain sufficient, appropriate evidence to provide reasonable basis for findings and conclusions.(6.56-6.57) 57.Document assessment that evidence taken as a whole is sufficient and appropriate for addressing audit objectives and supporting findings and conclusions. (6.58, 6.67, 6.69) 58.Evaluate testimonial evidence and information provided by officials when used as evidence. (6.62, 6.65) 59.Assess sufficiency and appropriateness of computer- processed information. (6.66) 60.Based on the assessment of the evidence, apply additional procedures, redefine the audit objectives, or revise the Exhibit II-D Sample of QCS –Assurance Review Supplement 1 (12-2013) PERFORMANCE YesNoN/AReviewer Comments STANDARDS: findings and conclusions, if necessary.(6.71-6.72) 61.Plan and perform procedures to develop the elements of a finding to address audit objectives and develop recommendations for corrective action. (6.73) DOCUMENTATION 62.Prepare and maintain audit documentation related to planning, conducting, and reporting on the audit to support findings, conclusions, and recommendations before issuing the report.(6.79-6.83) 63.Document departures from GAGAS requirements and the impact on the audit and auditors’ conclusions. (6.84) 64.Make appropriate individuals and audit documentation available to other auditors or reviewers upon request, subject to applicable laws and regulations. (6.85) REPORTING 65.Issue audit report, make the report available to the public, unless specifically limited, if audit is terminated, document results of work completed and reason for termination.(7.03- 7.04, 7.06) 66.If, after the report is issued, auditors discover they did not Exhibit II-D Sample of QCS –Assurance Review Supplement 1 (12-2013) PERFORMANCE YesNoN/AReviewer Comments STANDARDS: have sufficient, appropriate evidence, follow appropriate procedures. (7.07) 67.Audit reports should contain the objectives, scope,and methodology of the auditand the audit results.(7.08-7.13) 68.Present sufficient, appropriate evidence to support the findings and conclusions in relation to audit objectives. Describe any evidence limitations and deficiencies in internal control, etc. (7.14- 7.18) 69.Report scope of work on internal controls and any significant deficiencies found. Refer to separate written communication to officials in audit report.(7.19) 70.Report likely fraud, illegal acts, and significantviolations of contracts or grant agreements, or significant abuse. (7.21- 7.22) 71.Report known or likely fraud, illegal acts, violations of contracts or grant agreements, or abuse to any appropriate outside parties. (7.24-7.26) 72.Report conclusions based on objectives and findings. (7.27) 73.Recommend actions to correct identified problems and to improve programs and operations. (7.28) Exhibit II-D Sample of QCS –Assurance Review Supplement 1 (12-2013) PERFORMANCE YesNoN/AReviewer Comments STANDARDS: 74.Use the language in GAS 7.30 to cite compliance with GAGAS in report when all applicable requirements are followed, disclose when not followed. (2.23-2.24, 7.08, 7.30-7.31) 75.Include a copy of written comments from responsible officials or a summary of written or oral comments. Evaluate the validity of the commentsand revise report as necessary. (7.08, 7.32, 7.34- 7.35, 7.37-7.38) 76.If information is prohibited from public disclosure or excluded from the report due to its confidential or sensitive nature, disclose that certain information has been omitted and the reason for its omission. (7.08, 7.39, 7.42-7.43) 77.Submit report to those charged with governance, appropriate officials, and appropriate oversight bodies; document any limitation on report distribution. (7.44) Exhibit II-D Sample of QCS –Assurance Review Supplement 1 (12-2013) Office of the LegislativeAuditor Sample ScopingStatement < Project Title> Reasons I.for the audit audit question II.Issue to be addressed—the real questions III.The —what are we really trying to answer Sub-questions IV.to help answer the real questions—what workyou’ll do (forms the beginning of some audit objectives) key functions, processes, or factors V.Identify being reviewed “what should be” criteria VI.Identify those areas where will have to be developed major work tasks VII.Identify that you will need to do during the audit (maybe similar to the sub-questions; should help to formulate your audit objectives and audit program) real question VIII.For each above: a.Draft a framework that answers the question; b.Identify the types of analyses you really think you’ll do; c.Identify likely sources of information; and d.Identify any barriers you think you might run into time to complete XIV.Estimated —issue report PREPARED BY: Date: Signatureand Title APPROVED BY: Date: Legislative Auditor’s Signature Exhibit III-A SampleScoping Statement Office of the LegislativeAuditor Sample Risk Assessment Audit Program <Project Title> PURPOSE In order to identify the threats facing the program or agency under audit; identify the controls or procedures the countyhas in place to prevent, eliminate or minimize the threats, and to determine the probability that noncompliance and abuse, which is individually or in the aggregate material/significant, could occur and not be prevented or detected in a timely manner by the internal controls in place. 1.Basedon information gathered during the Preliminary Survey, prepare a tentative list of threats for the major audit areas identified during Scoping Statement analysis. If computer- processed data is an important or integral part of the audit and the reliability of the data is crucial to accomplishing audit objectives, the auditor should include threats to computer- processed data in this list. Consult with the project supervisor to determine the need for electronic data processing (EDP)audit assistance. 2.Summarize the management (internal) controls identified as mitigating the threats listed in item 1 above. Add to this list any other controls identified during the Preliminary Survey (both actual and potential controls). 3.Assess the risk that abuse or illegal acts could occur and materially/significantlyimpact the auditee’s compliance with laws, rules, or regulations or have a material/signicanteffect on the auditee’s operations. Consider whether the auditee has controls that are effective in preventing or detecting illegal acts. 4.If computer systems or computer-processed data are included as threats or as controls above, consult with the project supervisor to determine the need for EDP audit assistance. 5.Assess whether work requires coordination with other auditors for work completed or ongoing that can be used to help carry out the project. Identify whether law enforcement or other agencies are investigating the auditee. If yes, note whether such investigations may limit your scope or have other limitations that may impact the audit. 6.Identify material and significant findings and recommendations from previous reports issued by the office on the agency or program. Material and significant previous findings and recommendations that could affect the present audit objectives require follow-up in the current project. PREPARED BY: Date: Signatureand Title APPROVED BY: Date: Legislative Auditor’s Signature Exhibit III-B Sample Risk Assessment Audit Program Office of the LegislativeAuditor Sample Audit Plan <Project Title> Objectives: Determine if Department of Water Supply (DWS)standpipe permit application process adequately promotes equal access and open competition. Scope/Criteria: 1.Departmental written policies and procedures. 2.Departmental written rules and regulations. 3.State of Hawai‘i Revised Statuses. 4.Hawai‘i County Charter. 5.Hawai‘i County Code. 6.Public UtilitiesCommission Regulation. Methodology: 1.Review DWS standpipe permit applications. 2.Reviewsupporting documentation relating to standpipe permit application process provided by DWS. 3.Interview and diagram (process map) the standpipe permitsapplication process with DWS. 4.Review and assess written procedures of the standpipe permit application process. 5.Compare and assess standpipe permit application process to procurement rules and regulation. Related Concerns: PREPARED BY: Date: Signatureand Title APPROVED BY: Date: Legislative Auditor’s Signature Exhibit III-C Sample Audit Plan Office of the Legislative Auditor Sample Workplan <Project Title> OBJECTIVE1:Assess if written policies and procedures relating to cash handling adequately address internal controls and compliance. Index # of Completed TASKSCodeAnalystDaysDate 1.1Obtain all policies and procedures relating to cash handling (cash receipts, cash deposits, petty cash and change fund. 1.2 Review policies and procedures to get aclear understanding of the cashhandling activities. 1.3 Note any possible questionable risk areas throughout the cash handling process. 1.4 Flowchart the department’s activities for all phases of cash handling activities. 1.5 Prepare a questionnaire for all phases of cash handling activities for interviewing department personnel. OBJECTIVE 2:Assess if the cash handling activities adequately address security. Index # of Completed TASKSCodeAnalystDaysDate 2.1 Interview separately a random sample of department personnel that addresses security. 2.2 Observe department personnel performing their daily cash handling activities from receipt to deposit of cash. 2.3Compare the interview questionnaire to the flowchart of security policies and procedures and record any discrepancies. 2.4 Compare the observation of department personnel to the flowchart of security procedures and record any discrepancies. OBJECTIVE 3:Assess the adequacy of separation of duties over the cash handling activities. Index # of Completed TASKSCodeAnalystDaysDate 3.1Compare the interview questionnaire to the flowchart for proper segregation of duties of the cash handling activities and record any discrepancies. 3.2 Compare the observation of department personnel to the flowchart for proper segregation of duties and record any discrepancies. Exhibit III-D Sample Workplan OBJECTIVE 4:Assess if cash is adequately safeguarded. Index # of Completed TASKSCodeAnalystDaysDate 4.1Compare the interview questionnaire to the flowchart for proper safeguarding of cash and record any discrepancies. 4.2Compare the observation of department personnel to the flowchart for proper safeguarding of cash and record any discrepancies. OBJECTIVE 5:Assess if cash is received and deposited in a timely manner. Index # of Completed TASKSCodeAnalystDaysDate 5.1Compare the interview questionnaire to the flowchart for proper procedure when cash is received and depositedand record any discrepancies. 5.2Compare the observation of department personnel to the flowchartfor proper procedure when cash is received and depositedand record any discrepancies. 5.3 Develop a random sample of transactions to test the completeness and accuracy from receipt to deposit. OBJECTIVE 6:Assess the adequacy of internal controls over cash handling activities of satellite offices. Index # of Completed TASKSCodeAnalystDaysDate 6.1Interview separately a random sample of department personnel at the satellite offices of internal controls over cash handling activities. 6.2Observe department personnel performing their daily cash handling activities from receipt to deposit of cash. 6.3Compare the interview questionnaire to the flowchart for proper procedure of internal controls over cash handling activities and record any discrepancies. 6.4Compare the observation of department personnel to the flowchart for proper procedure of internal controls over cash handling activities and record any discrepancies. 6.5Develop a random sample of transactions to test the completeness and accuracy from receipt to deposit. OBJECTIVE 7:Assess accounting records of the cash handling process. Index # of Completed TASKSCodeAnalystDaysDate 7.1 Develop a random sample of water billing generated and traced to actual cash receipts. 7.2 Review accounting records to assess the proper accountability of cash transactions. 7.3 Review the reconciliation of the bank accounts to assess the proper accountability of cash transactions. 7.4Review for partial payments and ensure adequate procedures allow for proper accounting of transactions. Exhibit III-D Sample Workplan OBJECTIVE 8:Assess the adequacy of IT Financial Systems physical security. Index # of Completed TASKSCodeAnalystDaysDate 8.1Obtain all policiesand proceduresrelating to IT Financial Systems physical security. (Access to server rooms, location of back-up storage, information stored on local workstations) 8.2Review industry best practices for IT Financial Systems physical security. 8.3Review policies and procedures to get a clear understanding of any physical security issues. 8.4Inspect server room and any other key IT systems. 8.5Note any possible questionable risk areas regarding physical security of IT Systems. 8.6Preparea questionnaire for IT systems physical security processes for interviewing department personnel. OBJECTIVE 9:Assess IT Financial Systems application functions and program security features. Index # of Completed TASKSCodeAnalystDaysDate 9.1Obtain systems specifications, systems manuals, anduser documentation relating to IT Financial Systems (system functions, application functions, application security features). 9.2Review systemsspecifications, user manuals, and user documentationto get a clear understanding of the IT Financial Systems. 9.3Researchthe adequacy of the IT Financial Systems functionalitycompared to systems used in other jurisdictions. 9.4Research industry standards and best practices regarding IT Financial Systems. 9.5Note any possible questionable system or application risk areas throughout the IT Financial Systems. 9.6 Prepare a questionnaire for departmental personnel regarding system and application risk areas 9.7 Interview department personnel regarding system and application risk areas and document procedures and recommendations that may mitigate these risks. 9.7Prepare a questionnaire for the vendors of the IT Financial Systems. 9.8 Interview vendors regarding application risk areas and request vendors to recommend mitigation measures. Exhibit III-D Sample Workplan OBJECTIVE 10:Assess if written policies and procedures relating to IT Financial Systemsfunctions, adequately address internal controls and compliance. Index # of Completed TASKSCodeAnalystDaysDate 10.1 Obtain all policies, procedures, and application user documentation relating to IT Financial Systems (security, passwords, access rights, user groups, application functions, back-ups, disaster recovery). 10.2 Review industry best practices for IT Financial Systems policies and procedures. 10.3 Review departmental policies and procedures to get a clear understanding of the IT Financial Systems. 10.4 Interview other jurisdictions regarding policies and procedures relating to IT Financial Systems. 10.5 Note any possible questionable risk areas throughout the IT Financial Systems. 10.6 Prepare a questionnaire for primary functions of IT Financial Systems processesfor interviewing department personnel. 10.4 Interview departmental personnelregarding policies and procedures relating to IT Financial Systems and document responses and recommendations. OBJECTIVE 11:Assess the adequacy of separation of duties for IT Financial Systems functions. Index # of Completed TASKSCodeAnalystDaysDate 11.1 Obtain a print-out of system administrators and application administrators, users, user groups, and user access rights. 11.2Obtain job position descriptions for key IT Financial Systems users. 11.3 Research industry best practices for administrator and user access rights, and separation of duties. 11.4 Compare administrator and user access rights to job descriptionsand record any discrepancies. 11.5 Interview department personnel regarding use of user groups and whether passwords are shared with other personneland document responses and recommendations. Exhibit III-D Sample Workplan OBJECTIVE 12:Assess the adequacy of internal controls for the IT Financial Systems activities. Index # of Completed TASKSCodeAnalystDaysDate 12.1 Prepare a questionnaire relating to policies and procedures for IT Financial System activities. 12.2 Interview separately a random sample of departmental personnel a record responses to questionnaire relating to policies and procedures for the IT Financial Systems. 12.3 Observe departmental personnel performing their IT Financial System duties. 12.4 Request a random sample of IT Financial Systems records for key functions (access rights change orders, password resets, key financial transactions). 12.5 Review system changes, change order process, and system transactions. 12.6 Request reports used for reconciliation and log files. 12.7 Review reports andreconciliationprocesses for transaction activities. 12.8 Review the log files and log file review process. OBJECTIVE 13:Assess the adequacy of internal controls for IT Financial Systems at satellite offices. Index # of Completed TASKSCodeAnalystDaysDate 13.1 Review policies and procedures relating to IT Financial Systems at satellite offices. 13.2 Interview separately a random sample of departmental personnel at satellite offices regarding IT Financial Systems and record responses. 13.3 Observe departmental personnel performing their IT Financial Systems activities. OBJECTIVE 14:Draft narratives of findings and recommendations for draft audit report. OBJECTIVE 15:Exit conference and discussion with DWS. OBJECTIVE 16:Final Report to DWS, Water Board and Council and response from DWS regarding recommendations. PREPARED BY: Date: Signatureand Title APPROVED BY: Date: Legislative Auditor’s Signature Exhibit III-D Sample Workplan Sample EngagementLetter <DATE> <NAME> <ADDRESS> Dear <NAME> In accordance with the approved <FYAnnual Audit Plan/Resolution No.>Weare initiating an audit of the <ASSIGNMENT>. The preliminary objectives of this audit are to <INSERT FROM WORK PROGRAM>. Scope Review the effectiveness and efficiency of the departments’ practices, policies, and procedures relating to<ASSIGNMENT>. Objectives Determine the reasons for<ASSIGNMENT>; Determine whether adequate procedures and controls existtoand<ASSIGNMENT>. Determine whether adequate procedures existto resolve<ASSIGNMENT>. Methodology Select a sample of <ASSIGNMENT>for detailed review. Review quality control systems relating to<ASSIGNMENT>. Review <ASSIGNMENT>for accuracy and completeness. Compare departmental performance measure with industry best practices. Interview appropriate departmental staff. Proposed Timeline Audit Staff AuditPlan It is the goal of the office to provide recommendations that will result in the most effective and efficient use of county resources. We will keep you apprised of findings and recommendations as they develop and seek your responses during the course of the audit. We extend our appreciation in advance for your commitment to providing the assistance requested. Exit Conference Upon completion of the draft audit report, we will schedule an exit conference with your key personnel to review the draft report and answer any questions they may have. At that time, we we provide a schedule for submission of your response to our findings and recommendations so we may make any necessary revisions to the final report based upon your response. If received by the scheduled submission date, a copy of your response will be included in the final audit report. Government Auditing Standards All auditing will be conducted in accordance with government auditing standards. The office is committed to a contructive audit process to assist the departmentin meeting our common goals of accountability and effectiveness in county government. Exhibit III-E Sample Engagement Letter Please contact meat 961-8386to confirm a time for our entrance conference of your earliest convenience. Very Truly Yours, ___________________________ LegislativeAuditor Exhibit III-E Sample Engagement Letter Office of the Legislative Auditor Finding Development Worksheet <Project Title> W/P#: STAFF AUDITOR: SUPERVISOR: DATE: FINDING. (Summary statement of the finding) CONDITION. (What is the existing situation? Is it isolated or widespread?) CRITERIA. (What should be?) EFFECT. (In terms of cost, adverse performance, or other factors. So what?) CAUSE. (Who? Why?) RECOMMENDATION. (What should be done? Who should do it? When should it be done?) PREPARED BY: Date: Signature and Title APPROVED BY: Date: Legislative Auditor’s Signature Exhibit IV-A Finding Development Worksheet Office of the LegislativeAuditor Policy and Procedures for Conducting the Independent Report Review Purpose The Independent Report Review (IRR) is an important component of our quality control assurance program. It is a detailed word-by-word, line-by-line examination of an indexed office draft of the audit report to ensure that its contents are accurate and supported. Background The independent report reviewer’s job is to examine the report’s logic and facts. The reviewer is expected to verify every statement of fact by tracing it back to thesupporting working paper. Working papersshould reflect details of the evidence and disclose how it was obtained. Procedures/Responsibilities The Legislative Auditor is responsible for: Assigning a staff auditor or outside expert who has not performed fieldwork in the audit project to conductthe independent report review. Before commencement ofthe IRR, ensuring that the independent report reviewer completes a Project Statement of Independence and Assignmentform (see Exhibit II-A), and reviewing thesePolicy and Procedures for Conducting the Independent Report Review with the reviewer. After completion of the IRR, reviewing the Independent Report Review Worksheet (see Exhibit V-B) and meeting with the reviewer to discuss any questions or concerns. Consulting with the audit supervisor or audit team to resolve any review notes, recommending changes to the office draft,and noting theresolutionof review notesin the working papers. Reviewing and approving required changes to the office draft made by the audit supervisor or audit team. The Independent Report Reviewer is responsible for: Before commencement of the IRR, completing a Project Statement of Independenceand Assignment form (see Exhibit II-A),and reviewing thesePolicy and Procedures for Conducting the Independent Report Reviewwith the legislative auditor.The reviewer works primarily with the Legislative Auditor, and generally does not discuss the project with the audit supervisor or audit team. Reviewing an indexed copy of the office draft to verify the accuracy of the information and whether evidence supports the contents of the office draft. Exhibit V-A Policy and Procedures for Conducting the Independent Report Review Tracing every statement of fact to the supporting working paper, such asdates, numbers, percentages, computations, titles, proper names, quotes, and legal citations. Statements referenced as an auditor’s opinion or conclusion need not be verified; however,theyshould be read to ascertain that they meet the reasonable persontest. Completing the Independent Report Review Worksheet (see Exhibit V-B) by writing review notes, such as inaccuracies in indexing, errors in the data, or failure of the evidence to support findings and recommendations. After completion of the IRR, submittingthe Independent Report Review Worksheet to the legislative auditor and meetingwith the legislative auditor to discuss any questions or concerns. I acknowledge that I have read and understand the Office of the Legislative Auditor’s policy and procedures for conducting an independent report review. Date: Independent Reviewer/Consultant Signature I acknowledge that I have reviewed the foregoing IRR Policy and Procedures with the above independent reviewer/consultant. Date: Legislative Auditor’s Signature Exhibit V-A Policy and Procedures for Conducting the Independent Report Review Office of the LegislativeAuditor Independent Report ReviewWorksheet ProjectTitle:Independent Reviewer: Date: CommentsDateInitial ChapterPageParagraph Exhibit V-B Independent Report Review Worksheet Office of the LegislativeAuditor Audit Report Distribution Checklist ProjectTitle: NUMBERED DRAFTI QuantityTransmittal Distribution Date Initials LetterMethodDelivered <Auditagency/director> (If applicable board or commission) Mayor Corporation counsel Legislativeauditor Audit staff Office project file NUMBERED DRAFTII (if needed) <Audit agency/director> (If applicable board or commission Mayor Corporation counsel Legislativeauditor Audit staff Office project file FINAL AUDIT REPORT <Auditagency/director> (If applicable board or commission) Mayor Corporation Counsel CouncilChair & Council Members County Clerk LegislativeAuditor Audit Staff Office Project File MANAGEMENT RESPONSEDueDateDate Received Exhibit V-C Audit Report Distribution Checklist OFFICE OF THE LEGISLATIVEAUDITOR COUNTY OF HAWAI‘I EMPLOYEE PERFORMANCE EVALUATION EN: MPLOYEE AME PT: OSITION ITLE PT: ROJECT ITLE PE:From: To: ERIOD OF VALUATION ___________________________________________________________________________________ PART I-INSTRUCTIONSTO RATER Listed below are five performance factors, seven behavioral traits, and five supervisory factors that are important in the performance of the employee’s job. Performance factors and behavioral traits must be utilized for all employees. The supervisor factors should be utilized only for employees with supervisory NOTE: A rating of Unacceptable (1), Needs Improvement (2) or Superior (5) responsibilities. requires comments. The “overall performance” evaluationshould reflect the employee’s total performance, including the performance factors as related to the employee’s responsibilities and duties as set forth in the job description, behavioral traits and supervisory factors, if applicable. M 1. The supervisor should indicate the employee’s performance by using ARKING check box next to the appropriate level of performance. I NSTRUCTIONS The following rating scale guide is being provided to assist the evaluator in assigning the most appropriate measurement of the employees’ performance factors, behavioral traits and supervisory factors. 1=U- Consistently fails to meet job requirements; performance clearly below minimum NACCEPTABLE requirements. Immediate improvement required to maintain employment. I– 2=NOccasionally fails to meet job requirements; performance must improve to EEDS MPROVEMENT meet expectations of position. 3=ME– Able to perform 100% of job duties satisfactorily. Normal guidance and EETS XPECTATIONS supervision are required. E– 4 =EFrequently exceeds job requirements; all planned objectives were XCEEDS XPECTATIONS achieved above the established standards and accomplishments were made in unexpected areas as well. – 5 =SConsistently exceeds job requirements; this is the highest level of performance that UPERIOR can be attained. Exhibit VI-A Employee Performance Evaluation PART II-PERFORMANCEFACTORS 1.Knowledge, Skills, Abilities –Consider the degree to which the employee exhibits the required level of job knowledge and/or skills to perform the job and this employee’s use of established techniques, materials and equipment as they relate to performance. Unacceptable..........................................................................Superior 12345 Comments: 2.Quality of Work–Does the employee complete assignments meeting quality standards? Consider accuracy, neatness, thoroughness and adherence to standards and safety rules. Unacceptable..........................................................................Superior 12345 Comments: 3.Quantity of Work–Consider the results of this employee’s efforts. Does the employee demonstrate the ability to manage several responsibilities simultaneously; performwork ina productive and timely manner; meet work schedules? Unacceptable..........................................................................Superior 12345 Comments: 4.Work Habits –To what extent does the employeedisplay a positive, cooperative attitude toward work assignments and requirements? Consider compliance with established work rules and organizational policies. Unacceptable..........................................................................Superior 12345 Comments: 5.Communication –Consider job related effectiveness in dealing with others. Do the employee express ideasclearly both orally and in writing, listen well and respond appropriately? Unacceptable..........................................................................Superior 12345 Comments: Exhibit VI-A Employee Performance Evaluation PART III -BEHAVIORAL TRAITS 1.Dependability –Consider the amount of time spent directing this employee. Does the employee monitor projects and exercise follow-through; adhere to time frames; is on time for meetings and appointments; and responds appropriately to instructions and procedures? Unacceptable..........................................................................Superior 12345 Comments: 2.Cooperation –How well does the employee work with co-workers and supervisors as a contributing team member? Does the employee demonstrate consideration of others; maintain rapport with others; help others willingly? Unacceptable..........................................................................Superior 12345 Comments: 3.Initiative –Consider how well the employee seeks and assumes greater responsibility, monitors projects independently, and follows through appropriately. Unacceptable..........................................................................Superior 12345 Comments: 4.Adaptability –Consider the ease with which the employee adjusts to any change in duties, procedures, supervisors or work environment. How well does the employee accept new ideas and approaches to work, respond appropriately to constructive criticism and to suggestions for work improvement? Unacceptable..........................................................................Superior 12345 Comments: 5.Judgment –Consider how well the employee effectively analyzes problems, determines appropriate action for solutions, and exhibits timely and decisive action; thinks logically. Unacceptable..........................................................................Superior 12345 Comments: 6.Attendance –Consider number of absences, use of annual and sick leave in accordance with office policy. UnacceptableAcceptable Comments: 7.Punctuality –Consider work arrival and departure in accordance with office policy. UnacceptableAcceptable Comments: Exhibit VI-A Employee Performance Evaluation PART IV -SUPERVISORY FACTORS 1.Leadership –Consider how well the employee demonstrates effective supervisory abilities; gains respect and cooperation; inspires and motivates subordinates; directs work group toward common goal. Unacceptable........................................................................SuperiorN/A 12345 Comments: 2.Delegation –How well does the employee demonstrate the ability to direct others in accomplishing work; effectively select and motivate staff; define assignments; oversee the work of subordinates? Unacceptable........................................................................SuperiorN/A 12345 Comments: 3.Planning and Organizing –Consider how well the employee plans and organizes work; coordinates with others, and establishes appropriate priorities; anticipates future needs; carries out assignments effectively. Unacceptable........................................................................SuperiorN/A 12345 Comments: 4.Administration –How well does the employee perform day-to-day administrative tasks; manage time; administer policies and implement procedures; maintain appropriate contact with supervisor and utilize funds, staff or equipment? Unacceptable........................................................................SuperiorN/A 12345 Comments: 5.Personnel Management –Consider how well the employee serves as a role model; provides guidance and opportunities to their staff for their development and advancement; resolves work-related employee problems; assists subordinates in accomplishing their work-related objectives. Does the employee communicate well with subordinates in a clear, concise, accurate, and timely manner and make useful suggestions? Unacceptable........................................................................SuperiorN/A 12345 Comments: Exhibit VI-A Employee Performance Evaluation PART V -OVERALL PERFORMANCE Please use this space to describe the overall performance rating. The overall rating should be a reflection of the performance factors, behavioral traits and supervisory factors. Unacceptable...........................................................................Superior 12345 Comments: PARTVI-TO THE EMPLOYEE: I have been advised of my performance ratings. I have discussed the contents of this review with my supervisor. My signature does not necessarily imply agreement. My comments are as follows (optional) (attach additional sheets if necessary): ___________________________________________________________________________________ ___________________________________________________________________________________ ___________________________________________________________________________________ Signature: __________________________________________Date:_________________________ Comments:__________________________________________________________________________ ___________________________________________________________________________________ OPTIONAL: ESTABLISHMENT OF OBJECTIVES FOR THE COMING YEAR With reference to the position responsibilities, list belowthe goals, objectives, projects or special assignments which should be continued and/or completed in the coming year. It is understood that these goals, objectives, etc. are subject to adjustment or change as situations and priorities change. This sectionmay be detached and kept in departmental files so that it can be updated as the situation warrants and so that it can be used to assist the reviewer at the end of the next evaluation period. GOALS/OBJECTIVE / MAJOR DUTIES / PROJECT(S) / SPECIAL ASSIGNMENTS 1._____________________________________________________________________________________________________ 2._____________________________________________________________________________________________________ 3._____________________________________________________________________________________________________ 4._____________________________________________________________________________________________________ 5._____________________________________________________________________________________________________ Employee’s Signature:______________________________Date:_________________________ Legislative Auditor’s Signature: _________________________Date:_________________________ Exhibit VI-A Employee Performance Evaluation