Audit Process: Audit Planning To Fieldwork
Section 5 documents how the Office of the City Auditor complies with standards related to reasonable assurance, significance, audit risk, and planning. This section provides guidance on how to apply those standards in conducting audits based on the Citywide Risk Assessment model or requested audits. Specifically, this section covers the initial planning phase of the audit (preliminary survey), which begins with the audit start and continues through the preliminary survey and risk assessment and the development of the audit program. The purpose of the audit planning process is to generate information and ideas to better understand the audit subject, determine the audit objective, and develop the audit field work program. Planning also involves estimating the time and resources necessary to complete the audit. The evidence gathered in background research and later fieldwork is documented in the working papers. Key outputs of audit planning include an audit background memorandum; audit scope statement; risk and vulnerability assessment document; and field work audit program.
AUDIT PLANNING PROCESS
The audit planning process can be divided into the following three phases: 1) starting the project, 2) preliminary survey (planning the audit and conducting risk assessment), and 3) developing the audit program. These steps are followed by fieldwork and reporting. Details of each of the steps are noted below.
Audit Start
o City Auditor assigns staff to audit.
o City Auditor and audit team hold a project initiation and
expectation meeting.
o Job start letter sent to agency or department director.
o For a requested audit, audit staff research the audit topic (program,
policy, or agency).
o Conduct entrance conference with agency.
Preliminary Survey & Risk Assessment
o Obtain and review relevant background documents.
o Define audit scope.
o Assess risk: understand program and significance; identify
major threats; consider management controls to mitigate
threats; and complete vulnerability assessment through
rating internal controls and assessing threat levels.
o Identify sources and reliability of evidence.
o Assess staffing and resources for the audit.
Section 5 64
Audit Program Development
o In-charge drafts field work audit program to include the
audit plan and the workplan that details specific tasks for
meeting the audit objectives.
o City Auditor approves the Audit Program.
Fieldwork
o Fieldwork conducted.
o Audit Finding Development.
o Report Draft.
PROJECT START
Project assignment
The City Auditor assigns staff to the audit based on input from the Audit Manager. Staff assignments will be based on auditor availability, experience, knowledge, and familiarity with the audit subject. For each audit, a Staff Assignment Form will be completed to document assignment approval and staff competence (see page 82). After staff are assigned to an audit, an initial team meeting is held with the City Auditor to share information, discuss strategy (such as which officials to contact), and learn of the auditor’s expectations. The meeting helps to identify project issues, their significance to potential users of the audit report, the contribution the office can make, the availability of data and resources, and whether a consultant is required for the project. The in-charge summarizes the meeting in a memo, obtains approval from the supervisor, and forwards a copy to the City Auditor.
All relevant documents and forms are found on the shared directory located at:
\\ad.sannet.gov\Dfs\AUD-Shared\Auditor\HOME_SYS\SEC-AUD\Audit Templates\All Audit Templates\Working Folder\Project Hierarchy Template
The audit program template is shown on page 78 and located at:
Templates\Working Folder\Project Hierarchy Template\A Admin, Findings, Draft Report and Wrapup\APG_template.doc
The audit program identifies all the required audit steps that must be performed and identifies the required documents that must be completed.
Job Start letter
The in-charge auditor will draft the audit job start letter for the City Auditor’s signature to inform the department of the audit request, list required documentation, and request or confirm a meeting with the agency head. Examples of job start letters are shown on pages 51 and 52.
Audit Request Research
For requested audits, the in-charge auditor must research the concerns behind the request. This may involve contacting the requesting party or office. Any meetings with the requesting party or office must involve the City Auditor.
Entrance conference
Once the job start letter has been sent to the auditee, the in-charge auditor will schedule an entrance conference to meet with the agency head and key staff. At the entrance conference, the City Auditor will: (1) introduce the members of the audit team, including the Audit Supervisor; (2) explain the audit objective, scope, methodology, general process and timetable for the audit work, including the agency’s deadlines to respond to preliminary findings and to the preliminary draft; (3) gain an understanding of the protocol to be followed in contacting staff and requesting information; (4) if applicable, request work space and network connectivity for the audit; and (5) solicit the views and concerns of the agency head on the project. Audit staff must document the meeting results, including a list of meeting attendees.
PRELIMINARY SURVEY—Audit Planning and Risk Assessment
Obtain and Review Relevant Background Information
Once an entrance conference has been held, the in-charge auditor obtains and reviews relevant information related to the audit request. This may include obtaining information regarding the auditee’s mission, goals and objectives, organizational structure, policies and procedures, processes, resources, outputs, and outcomes. The auditor’s goal is to understand the program to be audited and to finalize the audit objectives. To accomplish these tasks, auditors should undertake a preliminary audit program to do the following:
• Review any resolution, committee and Independent Budget Analyst reports, testimony, and other pertinent documents, such as committee hearing notes and reports relating to the audit subject;
• Review the City Charter, ordinances, contracts, grant agreements, program memoranda, annual reports, recent budget requests, testimony, internal reports, policy and procedure manuals, and organizational charts relating to the audit subject;
• Review relevant literature, including identifying criteria and related audits conducted by other
local government auditors;
• Interview agency staff;
• Review agency files and key memorandums and reports related to the audit;
• Observe and document agency activities related to the audit;
• Review the results of previous audits and attestation engagements that directly relate to the current audit objectives.
An example of the preliminary survey and risk assessment audit work plan is shown on page 57. Preliminary information about agency operations is gathered expediently and should be relevant to the audit topic. The key objective is to understand completely and competently the key issues of the program or entity being audited. After obtaining and reviewing the relevant background information, the auditor should write an Audit Background and Scoping Statement Memorandum¹ (see page 66) that summarizes key audit topic information and audit scope. The memorandum is essentially a work paper summary that is reviewed by the Internal Audit Manager and City Auditor.
Defining Audit Scope
The purpose of the Scoping Statement is to document and define the audit scope by establishing key audit questions to answer, identifying potential sources of evidence, and developing an audit budget.
1 \\ad.sannet.gov\Dfs\AUD-Shared\Auditor\HOME_SYS\SEC-AUD\Audit Templates\All Audit Templates\Working Folder\Project Hierarchy Template\A Admin, Findings, Draft Report and Wrapup
This process is intended to keep the planning process to a minimum by focusing on what we are going to do, why we are going to do it, and how we are going to do it. If done properly, the scoping work will help the team focus its risk assessment work around the tentative scope, methodology and objectives of the audit. A meeting will be held to review and approve the Audit Background and Scoping Statement Memorandum.
Office of the City Auditor
Audit Title
Audit Background and Scoping Statement Memorandum
Written by: Date:
Approved by: Date:
Background
History and Current Operations, including Key Functions, Processes or Factors:
Key Personnel and Related Needs:
Financial / Operational Impact:
Key Issues and Related Internal Controls:
Time and History Since Last Audit:
Overview of Audit Program
Audit Objectives:
Audit Scope (including what audit period should be covered (i.e. Fiscal Year 200X))²:
2 Audit objectives and scope are prepared after the preliminary survey and review of background material. The audit objectives are what the audit is intended to accomplish. They identify the audit subject matter and performance aspects to be included, and may also include the potential findings and reporting elements that the auditors expect to develop. Audit objectives can be thought of as questions about the program that the auditors seek to answer based on evidence obtained and assessed against criteria. Audit scope is the boundary of the audit and is directly tied to the audit objectives. The scope defines the subject matter that the auditors will assess and report on, such as a particular program or aspect of a program, the necessary documents or records, the period of time reviewed, and the locations that will be included.
Audit Criterion (those areas where “what should be” criteria will have to be developed):
Audit Procedures, considering major work tasks that require attention during the audit:
General / Administrative
Staffing:
Time Estimates:
The following are estimates only and not meant to be restrictive in achieving the audit objectives.
Total hours: hours
Estimated Closing Conference date:
(Note: Based on availability of staff, number of scheduled or special audits, responses to
information requests and expansion of scope)
Reporting Requirements and Needs of Potential Users of the Report:
Risk Assessment
Once the scoping statement is completed, auditors need to identify and assess the risks associated with the agency, program, or policy under audit. The purpose of risk assessment is to identify and rate the threats facing the program or agency under audit, identify and assess the controls or procedures in place to prevent or mitigate such threats, and perform a vulnerability assessment of the audit risks and controls.
Purpose
• To identify the threats facing the program or contract under audit; identify the controls or procedures the City has in place to prevent, eliminate or minimize the threats.
• To determine the probability that noncompliance and abuse, which is individually or in the aggregate material, could occur and not be prevented or detected in a timely manner by the internal controls in place; assess the internal control structure in accordance with SAS 55.
• To develop audit procedures to see if the controls or procedures the City has in place to prevent, eliminate, or minimize identified threats are working; determine if additional audit procedures are necessary to document threats actually occurring.
The rationale for conducting a risk assessment is that auditors can limit testing and focus on those areas most vulnerable to noncompliance and abuse. This produces a more cost-effective and timely audit.
In conducting a risk assessment, the auditor:
• Identifies the threats associated with the area or activity under review;
• Determines the inherent risk associated with the identified threats; and
• Assesses whether the existing internal controls will prevent, detect, or correct instances when
threats actually occur.
The extent of audit testing is directly related to an assessment of the activity's degree of vulnerability.
The higher the vulnerability, the more extensive the audit testing needs to be and vice versa. Thus,
even though an activity may have a high degree of inherent risk, a strong system of internal controls
can reduce the entity's exposure to a low or moderate level. Accordingly, the need to conduct detailed
audit tests could be reduced to an appropriate level.
The risk assessment work should be documented in the audit working papers. This assessment
should serve as the foundation for developing the detailed audit steps and tests to be performed
in the Audit Program. The risk assessment should be documented in a completed risk matrix and
relevant to the audit objectives. Auditors must perform the following steps.
Risk Assessment Audit Steps
1. Based on information gathered during the Preliminary Survey, prepare a tentative list of threats for
the major audit objectives. If computer processed data is an important or integral part of the audit
and the reliability of the data is crucial to accomplishing audit objectives, the auditor should
include threats to computer processed data in this list. Auditors must consider the following
factors.
o Assess the risk that abuse or illegal acts could occur and materially impact the auditee’s
compliance with laws, rules, or regulations or have a material effect on the auditee’s
operations. Consider whether the auditee has controls that are effective in preventing or
detecting illegal acts. See Section 10 for specific guidance.
o If computer systems or computer-processed data are included as threats or as controls
above, consult with the project supervisor to determine the need for EDP audit assistance.
o Identify material and significant findings and recommendations from previous reports
issued by the office on the agency or program that may require follow-up in the current
project. An auditee’s failure to rectify outstanding issues and implement previous
recommendations is considered a threat.
2. Meet with audit management to review the list of potential threats and include any additional
threats to the list. Auditors may send this information to the auditee prior to the meeting. At the
same meeting, auditors must document management’s internal controls (actual or potential
controls) to mitigate the identified threats.
3. Create a risk matrix with the identified threats and corresponding identified controls. Use the
rating guides to assess each threat’s inherent risk, rate each internal control, and assess the
vulnerability of each internal control given the threat risk and internal control rating. These guides
are shown on the following pages and are used to determine the extent of testing needed to
assess the identified internal controls. An example of an excerpt of a completed risk matrix and
vulnerability assessment is shown after the rating guides. The Internal Audit manager reviews the
final risk matrix and the City Auditor approves the document. A meeting may be held to discuss
the matrix and assessment.
Threat Inherent Risk and Internal Control Rating Guide
The threat’s inherent risk is HIGH if:
• Noncompliance or abuse may result in significant losses to the City of marketable assets (e.g., cash, securities, equipment, tools, supplies).
• Noncompliance or abuse will likely expose the City to adverse criticism in the eyes of its citizens.
• Incentives of noncompliance or abuse outweigh the potential penalties.
The internal control is WEAK if:
• Management and/or staff demonstrate an uncooperative or uncaring attitude with regard to compliance, recordkeeping, or external review.
• Prior audits or the preliminary survey has disclosed significant problems.
• The Risk Matrix reveals that adequate and/or sufficient internal control techniques are not in place.
• Documentation of procedures is lacking or of little use.
The threat’s inherent risk is MODERATE if:
• Noncompliance or abuse may result in moderate losses to the City of marketable assets (e.g., cash, securities, equipment, tools, supplies).
• Noncompliance or abuse will result in inefficient operations or substandard service to the citizens.
• Incentives of noncompliance or abuse are approximately equal to the potential penalties.
The internal control is ADEQUATE if:
• Management and staff demonstrate a cooperative attitude with regard to compliance, recordkeeping, and external review.
• Prior audits or the preliminary survey has disclosed some problems but management has implemented remedial action and has satisfactorily responded to audit recommendations.
• The Risk Matrix reveals that adequate and/or sufficient internal control techniques are in place.
• Although deficient or outdated, documentation of procedures is still useful or can easily be updated.
The threat’s inherent risk is LOW if:
• Noncompliance or abuse may result in low losses to the City of marketable assets (e.g., cash, securities, equipment, tools, supplies).
• Noncompliance or abuse will result in a disregard of an administrative procedure or authoritative standard.
• The potential penalties outweigh the incentives of noncompliance or abuse.
The internal control is STRONG if:
• Management and staff demonstrate a constructive attitude, including an eagerness to anticipate and forestall problems.
• Prior audits and the preliminary survey have not disclosed any problems.
• The Risk Matrix reveals that numerous and effective internal control techniques are in place.
• Procedures are well documented.
Vulnerability Assessment and Testing Extent
| Inherent Risk | Internal Controls | Vulnerability and Testing Extent |
|---|---|---|
| High | Weak | High |
| High | Adequate | Moderate to High |
| High | Strong | Low to moderate |
| Moderate | Weak | Moderate to High |
| Moderate | Adequate | Moderate |
| Moderate | Strong | Low |
| Low | Weak | Low to moderate |
| Low | Adequate | Low |
| Low | Strong | Very low |
Example of Risk Matrix and Vulnerability Assessment
| Threat/Control | Threat’s Inherent Risk | Internal Control Rating | Vulnerability Assessment |
|---|---|---|---|
| T-1: Procurement card holders make purchases that are not permitted by law, regulation, or policy | Moderate | | |
| C-1: City maintains and enforces policy on monitoring credit card usage | | Weak | Moderate to high |
| C-2: Bank sends monthly summary statement to Approving Official listing all cardholders and transactions. | | Adequate | Moderate |
| C-3: Approving Officials are required to review all statements and approve all purchases within 10 days. | | Weak | Moderate to high |
| C-4: Accounting staff review approved statements for approving official signature, travel-related expenses, technology purchases, and unusual purchases. | | Adequate | Moderate |
AUDIT PROGRAM DEVELOPMENT
Field Work Audit Program
Based on the results of the scope review, preliminary survey, and risk assessment, the auditor
develops an audit program that consists of the audit objectives, scope, methodology, and related
concerns. The audit program includes detailed audit steps, tasks, and procedures to test if the
identified controls or procedures the audited entity has in place to prevent, eliminate, or minimize
identified threats are working as intended. The supervisor reviews the audit program and the City
Auditor approves the document.
Auditors should follow the Audit Procedure Guidelines listed on page 76 in developing the specific
audit steps listed in the audit program. Specifically, based on the risk and vulnerability assessment,
the in-charge auditor will write the audit program to determine if the controls or procedures the
audited entity has in place to prevent, eliminate, or minimize identified threats are working as
intended. As the audit progresses, the audit staff should document the key decisions about the audit
objectives, scope, and methodology.
The Field Work Audit Program guides the Internal Audit staff through the steps necessary to complete
audit fieldwork. In fieldwork, Auditors obtain and analyze program data and information to determine
if the identified controls are working as intended. This is accomplished by completing the audit steps
identified in the Audit Program. Audit steps may include interviewing officials, reviewing documents
(e.g. internal memoranda, correspondence, reports, minutes, contracts), and gathering statistical data
through database searches, analysis of secondary data sources, and surveys. The audit field work
objective is to develop audit findings.
Variations of audit programs
In certain instances, the need may arise to make modifications to the audit program to address
expanded audit scope or to address new audit issues. The City Auditor will approve any significant
departures from the Audit Program, with an explanation for the change documented in a memo
prepared by the in-charge auditors. Minor changes such as extensions of internal deadlines do not
require formal approval by the City Auditor.
In other circumstances, the City Auditor may authorize variations of audit programs to facilitate project
efficiency and effectiveness. For example, some projects may need only a preliminary audit plan, but
no field work audit program, such as close-out audits and the annual inventory audits, both of which
have set audit programs. In these instances, the audit plan would contain the usual detailed
description of audit tasks, but would be prefaced with a short introductory section containing key
elements of an audit plan in abbreviated form. This approach might be useful in a highly structured
project that differs so little from previous similar projects that a comprehensive audit plan would be
superfluous. In using variations of audit programs, care must be taken to document the reasons for
the different approach, the necessary approvals, and to ensure that the approach meets GAGAS
requirements.
Auditors should extend audit procedures when there are indications that fraud or abuse significant to
the audit objectives may have occurred. Auditors should document in the working papers and audit
program when audit procedures are extended. If the potential fraud is not significant to the audit
objectives, auditors may conduct additional work as a separate engagement or refer the matter to
other parties with oversight responsibility. In fraud-related situations, our policy will be not to interfere
with legal proceedings or investigations.
Developing Preliminary Findings
Audit findings must contain condition, criteria, cause, effect, and recommendations. However, the
elements needed for a finding depend entirely on the objectives of the audit. A finding or set of
findings is complete to the extent that the audit objectives are satisfied and the report clearly relates
those objectives to the finding’s elements.
Condition: What is? The situation that exists and has been documented during the audit.
Criteria: What should be! The standards used to determine whether a program meets or exceeds expectations. Criteria provide a context for understanding the results of the audit. The audit plan, where possible, should state the criteria to be used. Criteria should be reasonable, attainable, and relevant to the matters being audited.
Effect: The difference between the condition and criteria. What is the impact (actual or potential) in services, dollars, or people resulting from the stated condition? The harm that could occur from the condition.
Cause: Who or how the problem or non-compliance with the criteria occurred.
Recommendations: Specific actions that will rectify the cause of the condition.
Throughout the course of the audit, the in-charge auditor, supervisor, and City Auditor should discuss
proposed findings. When all of the elements of a finding have been met and audit work completed,
the staff should present to the Supervisor a report outline including the above elements. The City
Auditor will review and comment on the outline, make suggestions and then approve the development
of a report draft. The auditor should follow the guidance provided in the attachment to Section 7 for
writing the report.
Version 1 With No Entrance Conference Date
Date
___________ Department
City of San Diego
202 C Street
San Diego, CA 92101
Dear ________:
In accordance with the Office of the City Auditor’s approved fiscal year 2009 Audit Workplan,
we are initiating an audit of the _______________ of the _______________ Department.
In order to commence the audit, we would like to schedule an entrance meeting to discuss the audit
objectives, audit process, time frames, data needs, and to introduce members of the audit team. A
member of my staff will contact you to arrange this meeting with members of your department.
Accordingly, please provide us with the following preliminary information about ________________:
• An organization chart and listing of key program personnel;
• Background information and a history of the program;
• A copy of the program's written procedures;
• Management reports, financial reports, and budget information on the program for the past
three years;
• Any additional information you believe may be relevant to us in learning about your program.
We plan to conduct this audit in accordance with generally accepted government auditing
standards. Prior to issuing any audit report resulting from this audit, you will have the opportunity to
review the report and provide written comments for inclusion in the final audit report. You will also
have the opportunity to include a memorandum of program accomplishments in the final report.
If you have questions or need additional information, please do not hesitate to contact either
me on 533-5214 or ___-____. Your cooperation is greatly appreciated.
Sincerely,
Eduardo Luna
City Auditor
cc: Jay Goldstone
Version 2 With Entrance Conference Date
Date
___________ Department
City of San Diego
202 C Street
San Diego, CA 92101
Dear ________:
In accordance with the Office of the City Auditor’s approved fiscal year 2009 Audit Work Plan,
we are initiating an audit of the _______________ of the _______________ Department.
In order to commence the audit, we have scheduled an entrance meeting to discuss the audit
objectives, audit process, time frames, data needs, and to introduce members of the audit team. The
entrance meeting will be held on Monday, January 14, 2008, at the Office of the City Auditor located
at 600 B Street, Suite 1440, San Diego, CA.
Accordingly, please provide us with the following preliminary information about ________________:
• An organization chart and listing of key program personnel;
• Background information and a history of the program;
• A copy of the program's written procedures;
• Management reports, financial reports, and budget information on the program for the past
three years;
• Any additional information you believe may be relevant to us in learning about your program.
We plan to conduct this audit in accordance with generally accepted government auditing
standards. Prior to issuing any audit report resulting from this audit, you will have the opportunity to
review the report and provide written comments for inclusion in the final audit report. You will also
have the opportunity to include a memorandum of program accomplishments in the final report.
If you have questions or need additional information, please do not hesitate to contact either
me on 533-5214 or ___-____. Your cooperation is greatly appreciated.
Sincerely,
Eduardo Luna
City Auditor
cc: Jay Goldstone
CITY OF SAN DIEGO
OFFICE OF THE CITY AUDITOR
AUDIT PROCEDURES GUIDELINES
There are many types of audit procedures which can be used to test transactions or processes. The
audit objective determines the type of procedure to be used. The auditor must judge the evidence
obtained through the audit procedures to make conclusions for each audit objective. The evaluation
process requires professional judgment in determining the adequacy, efficiency, economy and
effectiveness of what has been audited. Care must be taken in selecting the correct procedure to
achieve the audit objective. The audit risks include: selecting an improper audit procedure, executing
the procedure incorrectly, and incorrect evaluations.
The following general types of audit procedures are discussed below: Verification, Observation,
Inquiry, and Analysis.
A. Verification
Verification is the confirmation of things such as: Assets; Records; Statements; Documents;
Compliance with laws and regulations; effectiveness of internal controls; transactions; and
processes. The purpose of verification is to establish the accuracy, reliability or validity of
something. Following is a discussion of types of verification techniques:
1. Count: An auditor will use this technique to verify the accounting records of a physical
asset by physically counting the assets.
2. Compare: An auditor will identify similar and/or different characteristics of information
from two or more sources. Types of comparison include: (a) Comparison with prescribed
standards; (b) Comparison of current operations with past or similar operations; (c)
Comparison with written policies and procedures; (d) Comparison with laws or regulations;
and (e) Comparison with other reasonable criteria.
Specific examples are:
• To compare a law requiring that a percentage of taxes will be used for a particular
program with the accounting records showing the amount of taxes and how much was
spent on the program.
• To compare the documentation of a transaction with the procedure for the transaction.
3. Examine: To look something over carefully, such as a document, especially for the
purpose of detecting flaws or irregularities. For example, an auditor may examine a
document to verify that it has been executed by authorized persons.
4. Inspect: To look something over carefully, such as a physical asset, especially for the
purpose of detecting flaws or irregularities. For example, an auditor may inspect inventory
to verify quality.
5. Foot: To recompute the mathematical result of addition or subtraction of columns or rows
of numbers in documents or records.
6. Recompute: To check mathematical computations performed by others.
7. Reconcile: The process of matching two independent sets of records and to show
mathematically, with supporting documentation, the difference between the two records.
For example, the beginning and ending balances in an account could be reconciled to
document the transactions that account for the changes between the beginning and the
end.
8. Confirm: To obtain information from an independent source (third party) for the purpose of
verifying information.
9. Vouch: To verify recorded transactions or amounts by examining supporting documents.
In vouching, the direction of testing is from the recorded item to supporting documentation.
The purpose for vouching is to verify that recorded transactions represent actual
transactions.
10. Trace: Tracing procedures begin with the original documents and are followed through the
processing cycles into summary accounting records. In tracing, the direction of testing is
from supporting documentation to the recorded item. The purpose of tracing is to verify
that all actual transactions have been recorded.
B. Observation
Observation is auditors seeing with a purpose, making mental notes and using judgment to
measure what they see against standards in their minds. Experienced auditors may be better
able to observe deviations from the norm. Observed deviations usually require confirmation
through analysis or corroboration.
Types of deficient conditions which can be observed include:
1. Idle personnel, equipment, or facilities;
2. Security violations;
3. Dangerous conditions or safety violations; and
4. Backlogs.
C. Inquiry
Auditors perform interviews with the auditee and related parties throughout the audit. Good oral
communication skills on the part of the auditor assist in getting accurate and meaningful
information from the interviewee. Auditors should use open-ended questions when possible.
Depending on the type of information received in an interview, it may need to be confirmed
through documentation.
D. Analysis
Analysis is the separation of an entity for the purpose of studying the individual parts of data. The
elements of the entity can be isolated, identified, quantified, and measured. The quantification
may require the auditor to perform detailed calculations and computations. Furthermore, the
auditor can document ratios and trends, make comparisons and isolate unusual transactions or
conditions.
Office of the City Auditor
AUDIT NAME: JOB ORDER #:
Department: Budgeted Hrs:
Audit Period: Date Started:
Principal Auditor: Audit Manager:
Audit Program Guide
Preliminary Audit Objectives (should relate to COSO controls objectives and components):
1. Add Text
2. Add Text
3. Add Text
Audit Risks:
1. List the risks that the audit may have;
2. There could be more than 1
3. Add text
Audit Procedures:
A. Administrative / Findings / Report / Wrap-Up
Initials    W/P Ref
1. Conduct a Kickoff Meeting and document in Audit Kickoff Memo
2. Complete Staff Assignment Form *
3. Complete / send Job Start Letter (also available with no date) *
4. Prepare the Audit Communications Document for Entrance *
5. Schedule an Entrance Meeting & prepare the agenda & sign in sheet *
Preliminary Survey & Risk Assessment performed (see section B below)
6. Prepare the Audit Client Participation List (after preliminary survey) *
7. Prepare the Preliminary Audit Budget *
8. Complete the Audit Standards Plan *
9. Prepare the Audit Program Guide *
10. Prepare the Audit Summary of Findings *
11. Complete the Audit Workpaper Review Checklist *
Report Writing & Issuance
12. Prepare the draft report *
13. Supervisory review of draft report (Review Notes)
14. City Auditor review of draft report (Review Notes)
15. Independent Report Review Process (Review Notes)
16. Address all audit review comments
17. Report draft is edited
18. Draft audit report issued to agency management
19. Final audit report revisions
20. Schedule an Exit Meeting & prepare the agenda & sign in sheet *
21. Final draft report issued to agency management
22. Agency management submits written response to audit report.
23. Scan signed audit report to Adobe “filename.pdf” on shared drive.
24. Final audit report is issued with written agency response
25. Update the Audit Standards Plan *
26. Update the budget for actual hours and prepare variance analysis
27. Upload signed final report to external City Auditor web site, unless
report is confidential.
N/A
B. Background / Preliminary Survey
Initials    W/P Ref
Preliminary Survey (PS)
1. Review the City Charter, ordinances, contracts, grant agreements,
program memoranda, annual reports, recent budget requests,
testimony, internal reports, policy and procedure manuals, and
organizational charts relating to the audit subject.
2. Review relevant resolutions, committee reports, testimony, and other
pertinent documents relating to the audit subject.
3. Review relevant literature, including identifying criteria and related
audits conducted by other local government auditors.
4. Review agency files and key memorandums and reports related to the
audit.
5. Observe and document agency activities related to the audit.
6. Review the results of previous audits and attestation engagements that
directly relate to the current audit objectives.
7. Interview key program managers and staff related to the audit subject.
(Reference General Survey Inquiry Tool)
8. Assess whether work requires coordination with other auditors for
work completed or ongoing that can be used to help carry out the
project;
9. Identify whether law enforcement or other agencies are investigating
the auditee. If yes, note whether such investigations may limit your
scope or have other limitations that may impact the audit;
10. Develop the Audit Background and Scoping Statement Memorandum.
(Should be stored in Admin Folder) *
Risk Assessment (RA)
1. Prepare a tentative list of threats for the major audit objectives. If
computer processed data is an important or integral part of the audit
and the reliability of the data is crucial to accomplishing audit
objectives, the auditor should include threats to computer processed
data in this list. Auditors must consider the following factors.
• Assess the risk that abuse or illegal acts could occur and materially
impact the auditee’s compliance with laws, rules, or regulations or
have a material effect on the auditee’s operations. Consider
whether the auditee has controls that are effective in preventing or
detecting illegal acts.
• If computer systems or computer-processed data are included as
threats or as controls above, consult with the project supervisor to
determine the need for EDP audit assistance.
• Identify material and significant findings and recommendations
from previous reports issued by the office on the agency or program
that may require follow-up in the current project. An auditee’s
failure to rectify outstanding issues and implement previous
recommendations is considered a threat.
2. Meet with audit management to review the list of potential threats and
include any additional threats to the list. Auditors may send this
information to the auditee prior to the meeting. At the same meeting,
auditors must document management’s internal controls (actual or
potential controls) to mitigate the identified threats.
3. Create a risk matrix with the identified threats and corresponding
identified controls. Use the rating guides to assess each threat’s
inherent risk, rate each internal control, and assess the vulnerability of
each internal control given the threat risk and internal control rating.
4. Create an audit program (below) to determine if the controls or
procedures the audited entity has in place to prevent, eliminate, or
minimize identified threats are working as intended.
Internal Control Documentation (as applicable)
1. Prepare a flowchart of process(es)
2. Prepare a narrative of process(es) and internal controls in place and
functioning
3. Complete a walkthrough of process(es) to confirm understanding of
process(es) [complete a walkthrough only if fieldwork does not
include transaction testing – see section C of APG]
4. Summarize relevant and most updated policies, procedures and
department guidelines (see template)*
C. – Y. Audit Fieldwork
Initials    W/P Ref
Sample Selection
1.
2.
3.
Fieldwork
1.
2.
3.
Z. Additional Data Analyses
Initials    W/P Ref
Data Collection/Sample Selection
1.
2.
3.
ACL / Excel Analysis
1.
2.
3.
Additional Analyses
1.
2.
3.
Staff Assignment Form
Assignment Title:
Job Number:
Audit Type: Performance ____ Financial ____ Other ____
Workplan: FY _______
Source: Citywide Risk Assessment
Required
Requested by ____________
(Attach documentation of Audit Committee approval)
Will this assignment result in our auditing our own work? Yes ____ No _____
Has the Office of the City Auditor (1) performed any management functions or made any
management decisions relative to the audit subject Yes ____ No _____ (2) provided non-audit
services that are significant or material to the subject matter of the audit? Yes ____ No _____
If so, please document below:
Audit Supervisor: Kyle Elser
Audit Staff:
Estimated
Completion Date:
Estimated Hours:
Special instructions:
I have reviewed the assigned staffs’ résumés, and current training records. The assigned staff
collectively possess the technical knowledge, skills, and experience necessary to be competent for the
type of work being performed. Further, I have reviewed each assigned staff person’s signed Annual
Independence Statement and found that no known impairments exist.
Approved: ___________________________ Date: _____________
Eduardo Luna
City Auditor