Effective Audit Planning Resources - Templates Table of Contents

Transcription

1 Note: This document is bookmarked to make it easy to navigate the electronic version. Also the table of contents above is hyperlinked to the specific template. Effective Audit Planning Resources - Templates Table of Contents 1. Austin s Audit Planning Steps 2. Prior Audits Template 3. General Background Template 4. Criteria Matrix 5. Kick-off Meeting Template 6. Planning Conclusions Log 7. Risk Assessment Matrix 8. End of Planning Meeting Template

2 Austin s Audit Planning Steps Planning Step A. Identify and Rank Inherent Risks 1. Review prior audit work 2. Determine the reported status of prior audit recommendations as applicable 3. Meet with the staff that performed related audits 4. Request information from Audit Plan team 5. Request fraud risk information from investigators (or other appropriate source) 6. Identify key organization/program objectives and processes a. Ask the auditee for prior audits [other than ours] or reviews related to the audit objective 7. Research and identify criteria 8. Populate the Risk Assessment with inherent risk information gathered through the steps above B. Kick Off Meeting 1. Schedule and conduct audit team Kick Off meeting with [audit] office management a. Provide meeting agenda and draft engagement prior to meeting b. Populate the Risk Assessment with any additional inherent risk information c. If needed, contact applicable commissions/committees C. Engagement with Auditee 1. City Auditor sends engagement to department director a. City Auditor calls or s department director to obtain audit point of contact and answer any questions re: the audit 2. If requested by the auditee, schedule, conduct, and document entrance conference a. If department has an internal audit group, ensure their audit director is included on the meeting invitation 3. Populate the Risk Assessment with any additional inherent risk information D. Gather and Summarize Information Related to Identified Inherent Risks 1. Conduct and document fraud brainstorming meeting with investigators (provide Kick-Off Meeting work paper in advance) a. Provide investigators with Fraud Brainstorm meeting work paper for review/comment; update based on feedback 2. Gather information related to identified inherent risks (interviews, flowcharts, and document reviews) a. Collect information regarding implementation of past recommendations as appropriate b. Contact relevant boards and commissions as needed 3. Identify and analyze key data sources and IT systems related to processes subject to the audit objective (continued on next page) Templates Prior audits template General background template Criteria matrix Risk assessment Kick-off meeting agenda Engagement template Fraud brainstorming meeting Interview template

3 Austin s Audit Planning Steps Planning Step (continued from prior page) 4. Determine reliability and integrity of information gathered above, including data generated from systems 5. Populate Planning Conclusions Log with conclusions reached in work papers 6. Populate the Risk Assessment with additional inherent risk information and control information gathered E. Dispose of Planning Conclusions 1. Group similar conclusions 2. Summarize conclusion groups 3. Dispose of all conclusion groups (options include: carry to risk assessment, refer to future audit plan, refer to investigators, not relevant) F. Rate and Dispose of Identified Risks 1. Determine ratings for risks a. Share the risk ranking results with CAIU staff and get their input on ranking the fraud-related risks and associated attributes to be tested during fieldwork 2. Dispose of all risks (options include: carry to fieldwork, refer to future audit plan, refer to investigators, not relevant/in scope) G. End of Planning Meeting 1. Schedule, conduct, and document End of Planning briefing with [audit] office management a. Send Risk Assessment and End of Planning document prior to meeting 2. If significant issues noted, ensure they are communicated to auditee during the End of Audit Planning Meeting 3. If audit not proceeding to fieldwork, document reasons and proceed to reporting procedures H. End of Planning Meeting with Auditee 1. Prepare End of Planning Meeting with Auditee agenda 2. Schedule, conduct, and document End of Planning Meeting with Auditee a. If dept. has an internal audit group, ensure their audit director is included on the meeting invitation b. Update Risk Assessment and adjust planned fieldwork as necessary Templates Data reliability summary Planning conclusions log Risk assessment Planning conclusions log Risk assessment End of planning agenda (internal) End of planning agenda (external) [End of Planning; next step is to populate Fieldwork Procedures with approved fieldwork steps and tasks]

4 Prior Audits Source: List the audits reviewed and the reference information for where these audits are located. Include prior OCA audits, if any, in the review. Make sure the Source includes at minimum the agency (SAO), title (Audit of HR Compliance), release date (May 2010) [Note: Please do not import the actual audit reports into Teammate. Reference information for the Source is the G:/ location]. Purpose: To gain an understanding of the risks related to the audited area as noted in prior audits. Procedure: Reviewed prior audits related to the audit objectives. For OCA audits, also obtained and reviewed implementation status of prior audit recommendations. [Note: reviewing the implementation status does not mean you perform tests to determine whether or not the recommendations were actually implemented or are at the status level report. This is something that may be considered in the risk assessment and deciding what to pursue in fieldwork]. Conclusion: [High level summary of the risks]. Results: Prior OCA Audits: Issue # Name of Audit Risk Identified Implementation Status/Comments Non-OCA Audits Issue # Name of Audit Risk Identified Comments

5 GENERAL BACKGROUND INFORMATION AUDIT NAME AUDIT NUMBER Purpose: To gain a general understanding of the nature and profile of the program/area under audit. Source: Various (as referenced in the sections below) Procedure: Obtained, reviewed, and summarized information applicable to our audit area and objective from the documents noted in the source section above. Conclusion: [High-level summary of information reviewed]. Results: Mission Vision Performance Measures Budget Business Plan Staffing Key Stakeholders (i.e. Council, individual citizens, interest groups.) Strategic Plan Relevant News Department Policies Department Org Chart OCA s History with Auditee Trade Magazines or Professional Organizations in the Area Being Audited Oversight Organizations (i.e. OSHA, GAO)

6 Criteria Research Purpose: Sources: (i.e. City ordinances, laws and regulations (State, Federal), best practices, industry standards) CRITERIA MATRIX AUDIT NAME AUDIT NUMBER To gain an understanding of the relevant criteria for audit work etc. [Link to Procedures] Procedure: Results/Conclusion: Using the information referenced in the Source, researched criteria relevant to the audit. Entered criteria into the worksheet "Criteria Matrix." Column Headings Source # : Aligns with the criteria source as listed in the Source Source Title : The source/reference for the criteria. Criteria Summary: Brief summary of the criteria Reference Location: Location (i.e.page number/paragraph heading) where specific criteria language is found Comments: Additional information noted by the auditor. See information documented in the "Criteria Matrix" below. Source # Source Title Criteria Summary Reference Location Comments Page 1 of 1

7 Inherent Risk Categories HIGH MEDIUM LOW HIGH MEDIUM LOW Serious consequence (loss of life or Moderate consequence (moderate public Mild or no consequence if risk Risk has occurred or is very Risk may occur or it is Risk has not occurred or is Life limb) if risk occurs. safety risk, inconvenience to citizens) if risk occurs. likely to occur given the known unknown if the risk may occur unlikely to occur given the Risk Occurrence occurs. control environment. given the known control known control environment. environment. Risk impacts an area that is known to be important to Council. Importance to Council Criteria for Impact Ratings Risk may impact an area that is known to be important to Council or it is unknown if the impacted area is important to Council. Risk does not impact an area that is known to be important to Council. Management's Risk Awareness & Mitigation Criteria for Likelihood Ratings A significant risk exists that management is not aware of or management is aware of the risk but efforts to address the risk have failed. A moderately significant risk exists that management is aware of and is planning to address. A minor risk exists or a significant risk exists but efforts to address the risk appear to be adequate. Mission Operation would not be able to or be unlikely to achieve the mission, goals, and objectives if the risk occurs. Few or no established goals and objectives for the operation. Operation would likely achieve only some of the mission, goals, and objectives if the risk occurs. Operation has established some goals and objectives but certain areas of operation are missing this direction. Operation would likely achieve the mission, goals, and objectives even if the risk occurs. Operation has established goals and objectives for virtually all areas of operation. Reputational Major loss of credibility and/or public support. Moderate loss of credibility and/or public support. Minor or no loss of credibility and/or public support. Financial Potential for large financial loss (30% or more of operation's total budget) or consistently repeated smaller financial losses. Potential for midrange financial loss (between 10% and 30% of the operation's total budget) or smaller financial losses that may repeat with moderate frequency. Potential for small financial losses (up to 10% of the operation's total budget) or a one time small loss. Regulatory Risk occurrence will result in noncompliance with laws and regulations (where there is an identified effect) or repeated noncompliance with City policies. Risk occurrence may result in noncompliance with laws and regulations with moderate significance. Risk occurrence will likely not result in or will result in slight noncompliance with laws and regulations. Operational Changes Operation has recently experienced significant change and change has impacted virtually all areas of operation. Operation has recently experienced Operation has remained moderately significant change but changes constant or the operation has were limited to select areas of operation. experienced only small, insignificant changes. Cross Departmental Impact Risk impacts multiple City departments. Risk may impact a few other City departments. Risk impacts only the operation subject to audit.

8 KICK-OFF MEETING AUDIT NAME DATE/TIME Purpose: To gain an understanding of and discuss the preliminary objectives, scope, and inherent risks; To clarify project expectations, roles and responsibilities, and if additional resources are needed To determine if there are anticipated departures from Government Auditing Standards (GAS). Sources: Attendees Documents referenced OCA Strategic Audit Plan FYXXXX [file location] OCA Strategic Audit Plan risk documents Other work papers as cross-referenced in the Results section Conclusion: The attendees discussed the inherent risks and decided that the preliminary objective and scope would be: o Objective o Scope - The attendees discussed expectations for the project and determined that additional resources were not/were needed. No departures from GAS are expected [OR expected departures from GAS include: XXX]. Procedures: Conducted background research related to the preliminary audit objective Met with OCA Management to discuss the audit on DATE. Results: See page 2 [Note: Items presented in the Kick off Agenda must be cross referenced to support within the TeamMate working papers].

9 KICK-OFF MEETING AUDIT NAME DATE/TIME AGENDA 1. Team: ACA AIC Team Members - 2. Project Information: SAP rationale Preliminary objective(s) Preliminary Scope 3. Background Information: Background information related to the department, program, or function to be audited XXXXXXXX XXXXXXXX XXXXXXXX 4. Preliminary Risks: discuss identified inherent risks 5. Budget and Milestones: Phase Planning Fieldwork Report Close-out Total Original Budget Milestone End of Planning Meeting End of Planning Meeting with auditee Message Meeting QAC d draft report sent to auditee Exit Conference Deadline for Auditee Response Original Date 6. Departures from GAS: Determine whether any departures from GAS are anticipated. 7. Audit Area Environment: discuss Council/City Manager position on the topic, auditee relationship, the needs of potential users of the audit report, and groups other than department that may need to be considered and communicated with (i.e. Boards & Commissions 8. Additional Questions/Concerns:

10 Issue Tracking Log CONCLUSIONS LOG AUDIT AUDIT NUMBER Purpose: To summarize conclusions from audit planning work papers and determine their disposition. Sources: Various work papers as hyperlinked in the Conclusion Log worksheet Conclusion: Conclusions from planning work papers have been summarized and disposed. Procedure: Conclusions from planning work papers were documented in the Conclusion Log worksheet. Similar conclusions were grouped together and summarized. Conclusion groups were then disposed in one of the following categories: Carry to the RV - for control information related to inherent risks Forwardto CAIU - for conclusions related to fraud, waste, or abuse Forward to the SAP team - for conclusions outside of the scope/objective of the current audit No disposition necessary - for conclusions not relevant Dispositions # of Disposition Conclusions Carried to Risk Assessment 0 Forwarded to CAIU 0 Forwarded to SAP team 0 Not relevant 0 TOTAL 0 EVIDENCE TYPES Testimonial 0 Documentary 0 Physical 0 TOTAL 0 Results: See Conclusion Log worksheet WP Hyperlink Type of Evidence WP Conclusion Category Summary Selected Disposition Hyperlink to Disposition (N/A if not relevant) Comments

11 Audit Name AU14104 Risk Assessement Purpose: To assess risks related to the audit objective and determine what should be tested during the fieldwork stage of the audit. Sources: Hyperlinked in the RA worksheet Conclusion: Auditors identified and rated XXX risks related to the audit objective. Of those, XXX will be tested during fieldwork. Procedure: Auditors researched inherent risks related to the audit objective and identified potential impacts if those risks occured. See the RA worksheet. Auditors added additional risks identifed during planning work. Auditors rated the impact of each risk using the Rating Criteria worksheet Auditors determined the likelihood that each risk would occur using auditor judgement and information about controls learned during planning. A combined risk rating was assigned to each risk and auditors used that combined rating to determine which risks would be tested during fieldwork. Results: See RA worksheet

12 Risk Assessment Category Source Inherent Risk 1 Potential Impact(s) if Occurs Impact Rating (H/M/L) Control Information Likelihood Rating (H/M/L) Combined Rating Comments 1. Inherent risk is defined by the IIA glossary as "risk derived from the environment without the mitigating effects of internal control."

13 Inherent Risk Categories HIGH MEDIUM LOW HIGH MEDIUM LOW Serious consequence (loss of life or Moderate consequence (moderate public Mild or no consequence if risk Risk has occurred or is very Risk may occur or it is Risk has not occurred or is Life limb) if risk occurs. safety risk, inconvenience to citizens) if risk occurs. likely to occur given the known unknown if the risk may occur unlikely to occur given the Risk Occurrence occurs. control environment. given the known control known control environment. environment. Risk impacts an area that is known to be important to Council. Importance to Council Criteria for Impact Ratings Risk may impact an area that is known to be important to Council or it is unknown if the impacted area is important to Council. Risk does not impact an area that is known to be important to Council. Management's Risk Awareness & Mitigation Criteria for Likelihood Ratings A significant risk exists that management is not aware of or management is aware of the risk but efforts to address the risk have failed. A moderately significant risk exists that management is aware of and is planning to address. A minor risk exists or a significant risk exists but efforts to address the risk appear to be adequate. Mission Operation would not be able to or be unlikely to achieve the mission, goals, and objectives if the risk occurs. Few or no established goals and objectives for the operation. Operation would likely achieve only some of the mission, goals, and objectives if the risk occurs. Operation has established some goals and objectives but certain areas of operation are missing this direction. Operation would likely achieve the mission, goals, and objectives even if the risk occurs. Operation has established goals and objectives for virtually all areas of operation. Reputational Major loss of credibility and/or public support. Moderate loss of credibility and/or public support. Minor or no loss of credibility and/or public support. Financial Potential for large financial loss (30% or more of operation's total budget) or consistently repeated smaller financial losses. Potential for midrange financial loss (between 10% and 30% of the operation's total budget) or smaller financial losses that may repeat with moderate frequency. Potential for small financial losses (up to 10% of the operation's total budget) or a one time small loss. Regulatory Risk occurrence will result in noncompliance with laws and regulations (where there is an identified effect) or repeated noncompliance with City policies. Risk occurrence may result in noncompliance with laws and regulations with moderate significance. Risk occurrence will likely not result in or will result in slight noncompliance with laws and regulations. Operational Changes Operation has recently experienced significant change and change has impacted virtually all areas of operation. Operation has recently experienced Operation has remained moderately significant change but changes constant or the operation has were limited to select areas of operation. experienced only small, insignificant changes. Cross Departmental Impact Risk impacts multiple City departments. Risk may impact a few other City departments. Risk impacts only the operation subject to audit.

14 END OF PLANNING MEETING AUDIT NAME AUDIT NUMBER AGENDA Project Title o Current o Proposed Audit Objective o Current - o Proposed - Audit Scope o Identified Risks (High level summary of the risks that the audit team plans to address in fieldwork) Planned Audit Approach (See attached Fieldwork Plan) o FW Objective 1 (Hours Total) o FW Objective 2 (Hours Total) End of Planning with Auditee o Who/where/when/etc. Potential Obstables Identified in Planning (issues that could affect the progress of audit work or ability to gather evidence in support of objectives. Determine whether issues may potentially affect independence, objectivity, competency, and/or ability to comply with audit standards) Budget Hours/Audit Schedule Phase Original Budget Revised Budget Planning Fieldwork Report Close-out Quality Assurance Total Total (Post Planning Audit) Milestone Original Date Revised Date Actual Date End of Planning Meeting with auditee Message Meeting

15 END OF PLANNING MEETING AUDIT NAME AUDIT NUMBER Milestone Original Date Revised Date Actual Date QAC d draft report sent to auditee Exit Conference Deadline for Auditee Response Attachment A Detailed Fieldwork Plan Basic Package FW Objective 1 (Hours TOTAL) o Step 1 (hours) (include type of evidence) o Step 2 (hours) FW Objective 2 (Hours TOTAL) o Step 1 (hours) o Step 2 (hours) Plus Package (if needed) FW Objective 1 (Hours TOTAL) o Step 1 (hours) o Step 2 (hours) FW Objective 2 (Hours TOTAL) o Step 1 (hours) o Step 2 (hours)