Академический Документы
Профессиональный Документы
Культура Документы
1
DEFINING THE NECESSARY AND NATURE OF
AUDIT WORKPAPERS
Workpapers are the direct end product of the internal audit staff’s work and effort. The
workpapers demonstrate what was done – what was found – and what was confirmed. Elected
officials, news media and the public in many instances only see, or rather ask to see the end
product of the internal audit effort - the three or four paragraph report. The workpapers are
usually ever examined, and the effort is usually never ever sees the light of day. That is until the
documentation comes into question – either by the commissioners’ court – by the district
attorney – and/ or by a court of review or inquiry.
Internal audit workpapers provide various levels of usefulness:
A. During the audit adequately prepared workpapers provide
1. Guidance as to the objective of the examination
2. Guidance as to the sequence of steps and development
of assurance
3. Documentation that the office being evaluated has
conformed to statutory requirements
4. Documentation that accounting policies and procedures
are being conform with, and
5. Documentation that the county auditor’s office has
performed the duties of the office as required by existing state
statutes.
B. After the audit is completed the workpapers provide
1. Evidence that support the findings as reported
2. Evidence that the internal audit was performed
following established and accepted methodology
3. Evidence concerning the need to conform to the state
statutes
4. Evidence which can be relied on by the external
auditors, and
5. In the event the auditee finds himself or herself in court
trying to defend the findings, the workpapers provide an excellent
defense and support for the reports’ findings.
Professional internal auditing standards have over the years established some basic
guidelines and requirements concerning the preparation and maintenance of adequate
workpapers. There is currently no requirement in the state statues that indicates, “You shall
create and maintain workpapers to support audit findings.” However, there are recognized
professional standards that say that the quantity, form and content of workpapers may vary with
the circumstances, but the workpapers should be sufficient to show that:
1. There was an objective to the internal review
2. That the review performed achieved the objective
3. That applicable standards of field work were observed
4. That records reviewed agreed with, or could be reconciled to financial
information as reported
5. That planning and supervision appeared to be adequate
2
6. That there was sufficient understanding of the internal control structure,
and
7. That the audit evidence obtained and the testing performed provided
sufficient, competent and evidential matter to support the final report.
3
Each county auditor’s office is going to establish specific workpaper policies related to
the type of engagement that is to undertaken. In many instances these policies are verbal and
passed down from auditor to auditor. Thus, the process follows the old axiom of “that is the way
we have always done it.” However, if an office is going to introduce some form of quality
control in full filling its statutory responsibility, then the workpaper policy should be reduced to
writing. A written policy sets the requirement for written internal review programs, which then
allows the auditor to examine the nature, extent and timing of the work to be performed.
In many instances having a checklist that the auditor can follow will provide some assurance that
the process is followed consistently with each office.
All county auditor offices need to be cognizant of the fact that all federal grants require
elaborate workpaper documentation. Accounting records are not sufficient in many instances.
Workpapers and internal audit programs must be adaptable to the needs of the review
being conducted. Not all offices function in the same manner. Not all offices are required to
follow the same set of statutory standards. Not all grants require the same functionality to be
present. As a result audit programs need to flexible.
The workpapers as prepared should tell who ever is doing the reviewing and/or
examination a story. They should communicate what was done and document what was found.
A well prepared set of workpapers (i.e. complete and accurate) will be able to stand on its own –
that is to say they don’t anyone to explain them to reviewer or to the jury.
Workpapers are anything that the auditor conducting the review deems to be necessary to
enable him/her to render a statement regarding the financial and/or operational objective that was
being tested and reviewed. Workpapers might include, for example:
A program of work
An internal control evaluation
A checklist of required steps
An analytical review for some function
Direct confirmations
Copies of receipts
Computer print outs
4
WORKPAPER CONTENT
No two auditors will prepare workpapers using the same structure; however there are
some general rules that governmental internal auditors can agree on.
Workpapers consist of anything that the auditor retains and or creates to document that
the review conducted met certain established requirements and developed support for the fact
that federal guidelines, state statutes, budgetary constraints, financial accountability, and/or
county policy was being complied with. Properly designed workpapers can help to identify
adequately performing control structure as well as inadequately performing controls. Properly
designed workpapers can assist in evaluating the apparent risks that exist. Properly designed
workpapers can provide the support for the suggestions to improve the offices internal control.
Workpapers should:
1. Provide corroboration of the amounts appearing in financial reports and
statements
2. Record the review conducted, the tests performed that are required for the
particular engagement
3. Provide information that would allow the reviewer to evaluate the job
performances of the personnel performing the review, and
4. Provide a starting point for the subsequent review’s to be performed.
There are usually two types of workpaper files – permanent and current. Permanent
files are files that contain information and matters that are important to each year’s audit.
Information that isn’t expected to change materially from year to year. Examples would be
location of the office, office policies, contractual agreements for service, required reports to be
filed, statutory compliance check lists, copies of prior years reports, fixed asset responsibility,
etc.
Current files would constitute the workpapers the auditor prepares to support the
conclusions for the report written. Current files include the audit program, the internal control
evaluation, tests performed, analytical schedules developed, bank and account reconciliations,
copies of support documents, computer print outs, memorandums as to discussions held,
confirmations, review of budgetary compliance, etc.
Every workpaper should contain as a minimum:
1. A heading that clearly designates the name of the office, the county, a
description of the contents of the workpaper and the date(s) of the period being
reviewed
2. An indication as to who prepared the workpaper and the date of preparation
3. If the schedule was prepared by the office, the indication using “PBC”
indicates that the workpaper was “prepared by client”
4. The source where the information contained in the workpaper came from –
cash receipts ledger, court docket, disbursements journal, payroll ledger, etc., and
5. The nature and extent of the work performed should be indicated through
narrative description, symbols, tick marks or combination there of.
6. Conclusions reached should be clearly stated and supported
7. That all doubts and or problems were resolved
5
8. Indexing and cross referencing
6
If tick marks are used, they can save the auditor time and space – and standard tick marks
should be adopted, and a legend of those tick marks should be available for the reviewer. Each
tick mark should be clearly explained. Tick marks should be simple, distinctive and clear so that
they can quickly written by the preparer and easily discerned by the reviewer. Some tick marks
commonly used are:
Footed
Cross footed
Calculation checked
Agreed to ____________
Traced to financial report
Traced to ____________
Examined supporting documents
Examined cancelled check
See footnote # ________
As a last issue, all workpapers should be indexed and cross-referenced where necessary.
Indexing of work papers are going to vary from office to office. Many prefer an Alpha
sequence, while others prefer a numerical. However, it is common to find both an alpha and
numerical sequence of indexing being used. The following is an example of indexing:
7
Section Area General Subject
Reports 10 Financial Reports
12 Expenditure Report
13 Original Budget
14 Budget Adjustments
18 Elements of Disclosure
Administration 20 Engagement Control Checklists
26 Memos re: Matters of Concern
28 Comm. Court Minutes
Communication 30 Communications With Depart.
32 Confirmations
34 Certifications
Audit Program 40 Control Document
44 Time Sheets
Planning 50 Planning Memos
Assets 60 Cash
62 Fixed Assets
8
DOCUMENTATION OF PLANNING AND
SUPERVISION
The internal audit workpapers should demonstrate that the three generally accepted
standards of fieldwork have been met – planning and supervision, internal control evaluation,
and evidential matter. The first standard only suggests that there needs to be documentation
that the work of the review was adequately planned and that supervision had been provided.
To meet the criteria of being able to demonstrate adequate planning and supervision does
not require many specific workpaper requirements. Some of the more common and generally
suggested are:
1. Audit Programs
An audit program is essentially a list of procedures to be followed and is usually
in writing. They are generally divided into logical segments as to the area of the
review’s focus. The program allows the reviewer to be able to compare the level
of work required to the level of work done. Some programs are highly detailed,
while some are very general in nature and allow the auditor the ability to insert
some flexibility. The program will usually require the staff person performing the
function to sign off on those requirements completed, and cross reference the
program to the workpaper supporting the function.
9
Before addressing risk assessment the internal auditor should indicate how materiality is
going to be addressed. Materiality should be considered and addressed during the planning of
the review to determine the nature, timing and extent of tests to be performed. In addressing the
scope of the review the level of events should be reduced to a level which would provide the
reviewer with a low risk of over looking an element or a happen stance that would dramatically
effect the financial or management review that is being conducted. Setting a level of materiality
insures that the auditor will do enough work to find misstatements. There is no authoritative
rule of thumb or measure of materiality – materiality is strictly based on professional
judgment.
Risk assessment should be performed on each office individually and attributes should be
classified as either inherent risks or control risks. Steps to be taken could be broken down as
follows:
1. PROGRAMS
2. STRATEGIES
3. CONTROL SYSTEMS
10
PRIMARY AUDIT FOCUS
1. COMPLIANCE ASPECTS
2. RELIABILITY OF DATA
3. SAFE GUARDING OF ASSETS
1. VULNERABILITY
(The Mission May Not Be Accomplished)
2. INHERENT RISK
(The Nature and/or The Culture Of The Audit Objective Has Risks Without Controls)
3. CONTROL RISKS
(Probability That The Inherent Risks Will Become A Reality: Probability That
Controls Are Put In Place And Will Not Accomplish The Mission)
4. AUDITABILITY
(Skills, Time, and Evidence)
1. ETHICAL CLIMATE
2. PRESSURE ON MANAGEMENT
3. PERSONNEL INTEGRITY, COMPETENCE
4. NUMBER OF PERSONNEL
5. NUMBER OF TRANSACTIONS
6. SIZE OF THE ASSETS
7. COMPLEXITY/VOLATILITY OF ACTIVITIES
8. STATUTORY REGULATIONS
9. LEVEL OF COMPUTERIZATION
10. GEOGRAPICAL LOCATION
11. ADEQUACY OF INTERNAL CONTROLS
12. MANAGEMENT CULTURE
13. ACCEPTANCE OF AUDIT FINDINGS & CORRECTIVE ACTION TAKEN
14. TIME LAPSE SINCE LAST AUDIT
Policy Management
Performance Management
Information Management
Resource Management
11
ACCOUNTABILITY RISK FACTORS
POLICY RISK - THE RISK THAT AN ACTIVITY WILL FAIL TO DELIVER EXPECTED
RESULTS BECAUSE OF UNSTABLE OPERATIONS DUE TO CHANGES IN
MANAGEMENT, PERSONNEL AND/OR THE ENVIRONMENT, OR RESOURCES ARE
NOT EFFICIENTLY USED OR EFFECTIVELY CONTROLLED.
1. TIME FRAME
2. INFORMATION
3. AVAILABILITY OF DOCUMENTATION
4. AUDIT SKILLS
5. AUDIT EDUCATION
6. AUDIT HOURS
7. AUDIT MORALE
12
FIVE BASIC PHASES OF - PLANNING AN AUDIT
1. Gather information
2. Conduct preliminary assessment
3. Define and refine the audit objectives
4. Develop the:
Audit scope
Audit methodologies
Audit fieldwork programs
5. Estimate the audit budget and resources
1. Select which of the accountability control systems and subsystems are relevant to
the audit (within the initial audit scope).
2. Assess which of the inherent risks and which of the control risks exist (be sure to
document risk assessment).
3. Select the accountability control subsystem for which audit objectives will be
developed (be sure and identify the relevant performance aspects to be reviewed).
4. Reassess audit ability
5. Update risk and internal controls information (update permanent files, prepare
preliminary assessment document, and document audit ability).
In speaking to the objective for an internal audit, the “Yellow Book” (accounting and
audit guidelines for federal grants) indicates that there needs to be a clear indication as to what
the report related to the audit is to accomplish. Further, it is noted that the subject of the audit
needs to be clearly identified as well as the aspects of performance that are to be examined.
Therefore:
13
OPEN-ENDED OBJECTIVES:
♦ Identify the subject; what is the audit to examine
♦ Are vague in defining what the audit is to accomplish
CLOSED-ENDED OBJECTIVES:
♦ Are answerable
♦ Identify what the audit is to examine
♦ Clarify what the audit is to accomplish
14
SUB-OBJECTIVES Will address elements of the primary findings - will usually
help to identify the nature of the data required – will tend to lead to major audit steps.
15
DOCUMENTATION REGARDING INTERNAL
CONTROL
The second standard of fieldwork that needs to be considered is that of internal control.
The workpapers should have adequate documentation that the auditor had obtained a sufficient
understanding of the existing internal control structure for the department being reviewed. The
extent to which internal control is established in the department will impact the nature, timing
and extent of the tests that will need to be performed.
Basically the department’s internal control system consists of the policies and procedures
that have been established to provide reasonable assurance that those specific objectives will be
achieved. Policies and procedures may be established through statutes, may be established by
the commissioners’ court, may be established by the county auditor, and they may be created by
the elected official and/or department head.
Normally with a financial review the auditor will be concerned with those policies and
procedures that are primarily concerned with the recording, processing, summarizing, and
reporting of financial, and the affect an error will have.
The Control Environment – essentially reflects management’s attitude, awareness and actions
concerning the importance of control. The factors that the auditor will need to
consider are:
These factors serve to make other control policies and procedures more effective. When
management is found to have a positive attitude towards controls and does not try to mitigate the
effectiveness of policies and procedures or to override the controls, the reviewer finds that the
nature, timing and extent of the review can be reduced.
16
The Accounting System – consists of the methods and records which are used to identify,
analyze, classify, record and report the department’s transactions and to maintain accountability
for related assets and liabilities. The auditor needs to understand the accounting system in
sufficient detail in order to understand:
The Control Procedures – consist of those policies and procedures, in addition to the control
environment and the accounting system that management has established to provide reasonable
assurance that its objectives will be achieved.
The audit strategy is based on the reviewer’s understanding of the control procedures. If
control procedures are weak, then it doesn’t make a lot of sense to waste time to test controls.
However, if the auditor is able to test the control procedures and finds that they are strong and
effective, then he/she may decide that the substantive tests can be reduced. The understanding to
be obtained is developed through inquires of the department, review of the department’s manuals
and documents, and observation of the department’s routines.
The reviewer must ascertain reliable information that confirms that the policies and
procedures, the control procedures are not just in writing – they are being practiced. This
confirmation comes from:
1. Inquires
2. Observations, and
3. Hands on monitoring of transactions.
The understanding that the auditor comes to needs to be documented. The size and the
complexity of the entity, as well as the nature of the department’s internal control structure
influence the form and the extent of this documentation. A large department may have its own
documentation of the internal control procedures that the auditor can copy and put in the
workpapers. For smaller departments the auditor may develop their understanding through the
use of flow charts and/or questionnaires. For really small departments the auditor may just use a
memorandum – for small offices with one or two employees it is real difficult to put into place
effective internal controls. Generally the more complex the department, the more extensive the
internal control, and the more extensive the auditor’s documentation.
17
The most commonly used methods of documentation are:
1. Memorandums – narrative descriptions of the relevant control structure. Polices
and procedures. They are most useful when the matter being described is
relatively simple. They are less useful when the system becomes very complex.
The auditor’s understanding of the control structure is required to be documented, but the
procedures to be used to obtain this understanding are not. Thus, the auditor’s procedures done
to understand the design of the procedures done to see if the department’s control structure and
to see that the department’s policies and procedures have been placed in operation need not be
specifically described.
Even so even if the procedures to obtain the knowledge of the internal control are
required to documented, the auditor should document the procedures applied and the reasoning
for the judgment process that was applied. Any file memos as to the procedures followed or the
documents examined should be dated and at least initialed by the individual making the
statement. A signed off audit program is a commonly used document which has a step by step
program for the auditor’s to use and the cycle that is to be followed.
After the auditor has obtained his understanding of the internal control structure, while he
obtains it, it is not uncommon for the auditor to consider whether there are policies and
procedures in place that would reduce the risk of material misstatement, and if there are, whether
it would be efficient to test them I order to reduce the scope of substantive tests.
18
If the auditor decides that he/she wants to take advantage of the existing internal control
structure, i.e. existing policies and procedures, in an effort to reduce the amount of time required
to do substantive testing – then there must be apply tests of the controls to see if the policies or
procedures (that are to be relied on) are designed and operating effectively. The tests must be
directed at determining whether the policy or procedure is suitably designed to prevent or detect
material misstatements and how effectively it is operating.
Tests of controls are concerned with how a control structure policy or procedure was
applied – the consistency with which it was applied during the period under examination and by
whom the control was applied. These tests include inquires of appropriate personnel –
inspection of documents – examination of reports – observation of applications – and,
performance evaluations. It should be remembered that tests of controls are undertaken only
when the auditor believes that by performing such tests that the substantive testing can reduce
the need for substantive testing of the detailed documentation. Tests of controls are used in the
hopes of being able to increase efficiency. Tests of controls are required if there is going to be
reliance placed on the underlying controls and procedures. The more that the auditor is able to
depend on the department’s internal control structure to prevent or detect material misstatement,
the less substantive work that will be required to be performed.
When the auditor is able to conclude that he/she is able to reduce substantive testing on
the effectiveness of the control structure, there needs to be documentation of the basis for this
decision in the workpapers. That is, in addition to the understanding of the control structure that
is already documented, there needs to be documentation of the tests of the controls and their
result that were performed.
The form and the content of this documentation are going to vary from office to office
and from department to department. But, is some form the documentation should include:
It is always good to document the type of misstatement that the control policy or
procedure can be depended on to prevent and/or detect. It is not uncommon for the
auditor to make a statement in the workpapers whether the controls tested worked as
expected and can be depended on. The more reliance the auditor can place on the control
structure (i.e. there is a low assessment of risk) the more evidence that should be
documented to support the reliance.
19
When the internal auditor is dealing with an office that only has two people in the office,
then it is unlikely that the office will be able to effect adequate control measures that can be
relied on. If the auditor is not going to place reliance on the internal control measures, then there
is not reason to test them. Thus, there is no dependence on the controls and/or procedures to
prevent and detect material misstatements.
Any weaknesses noted in the internal control structure should be clearly noted in the
workpapers as reportable conditions and should be communicated to the department head
and/or elected official, and should be reported in the letter of findings to the official. Reportable
conditions are significant deficiencies in the design or operation of the internal control structure
that could adversely affect the department’s ability to record, process, summarize, or report
financial data consistent with accounting and financial procedures required by state statutes and
or county policy. The deficiencies might involve any of the three components of the control
structure – the control environment, accounting system, or the control procedures.
If the condition is reported orally to the department head and/or elected official then the
initial conversation should be well documented. The communication should always be followed
up in writing. Conditions that have been reported in prior years, and which have not been
corrected, should be re-iterated until the department head and/or elected official has clearly
acknowledged the risk and has stated reasons for not correcting. Management’s acknowledge is
always critical. Thus, it is not an uncommon practice to allow the department head and/or
elected official the opportunity to respond to the finding in the report.
20
DOCUMENTING SUBSTANTIVE TESTS
The internal auditor detects material misstatements in financial statements by applying
substantive tests. The tests are designed based on the auditor’s assessment of risk that material
misstatements will occur and that the department will not catch the error. This is commonly
referred to as inherent and control risks. The higher the risk of misstatement occurring
undetected by the client, the more evidence the auditor will need to accumulate.
The accumulation of evidence supporting the amounts in the financial statements is by far
the most time consuming part of the audit and documentation of substantive tests generally
accounts for the bulk of the workpapers that are prepared. Thus, the third standard of fieldwork
states:
Evidential matter is obtained through two general classes of auditing procedures that
comprise substantive tests:
Books of original entry and other records maintained by the department such as ledgers,
journals, cost allocations, and reconciliations may in part support the monthly and/or quarterly
reports – those records do not constitute what is considered evidential matter. Documentation
must be collected that will corroborate the information shown in the above-mentioned
documents. Corroborating evidential mater includes:
1. Cancelled checks
2. Receipts
3. Invoices
4. Contracts
5. Independent confirmations
6. Information independently obtained or developed through inquiry, observation, or
inspection.
Auditors choose from a wide range of methods and techniques to test the validity of
accounting information and reports. Some of the more commonly used techniques are:
1. Documenting the process used to develop the financial information, then testing
the information entered into the process
2. Comparing the accounting data and information to data that is collected outside of
the department, and
3. Comparing the accounting information to the auditor’s expectations, which have
been derived through logical analysis.
21
Competence Of Evidential Matter
The relevance of evidential matter has to do with whether the information bears on the
accounting or reporting data in question. While the relevance of evidential matter to a specific
circumstance is generally clear, in some cases, particularly those involving the estimated
outcomes of future events, the auditor needs to particularly careful in considering whether the
correct factors are considered in arriving at the conclusion.
Once the internal auditor has considered the evidential matter and has found it to be
relevant and reliable, he/she must then determine whether or not the data collected is sufficient –
that is there is enough data that will allow for a basis to be developed related to the finding and
that the data will support the finding. As a rule of thumb, the evidential matter must be sufficient
to reduce to an acceptable low level the risk that the internal auditor will fail to detect a material
misstatement in the financial data and related reports. Evidential matter may be developed
through the use of substantive testing. The sufficiency of evidential matter will depend on:
The internal auditor has to always be cognizant of the economics and the timeliness of an
internal audit. For a finding and a solution to be economically useful, it must be developed
and rendered in a reasonable length of time. There is a rational relationship between the cost
of obtaining evidence and its usefulness. Evidential matter that is to be collected has a cost to
the taxpayers. That is not to say that the matter of difficulty and expense involved in testing a
particular attribute is not in and of itself a valid basis for omitting an otherwise necessary step in
the internal audit function.
22
Types of Substantive Tests
There are two types of substantive tests – tests of details and analytical procedures.
During most internal audit procedures both types of testing are generally used. The
internal auditor will choose the procedure based on:
1. Materiality
2. Risk of misstatement
3. Production of persuasive evidence
4. Comparative efficiency
Tests of detail are audit procedures in which amounts that make up an account balance
or class of transactions are compared to corroborating information. These tests are usually
directed at balance sheet accounts and used to test the existence, ownership, and valuation of
assets and the amount and responsibility for liabilities. Tests of details can be directed at both
revenue and expenditure accounts in an effort to document the classification accuracy of each. A
test of details will usually include one or more of the following:
Analytical procedures lend themselves to provide easy analysis of income and expense
and developing techniques for insuring that everything that should have been recorded was
recorded. When applying analytical procedures the internal auditor should:
1. Consider the relationship between the data that is collected and the expected result
2. Compare what is expected to that recorded and reported by the department
3. Obtain sufficient understanding of events that will help to explain any differences,
and
4. Obtain supporting evidence to corroborate the explanation.
23
It is not uncommon for an internal auditor in a county to perform substantive testing at
periodic times during the year on any and all departments. The auditor needs to always consider
the activity as previously tested in relationship to the activity currently being tested. In addition
the auditor should include in their normal set of procedures the following:
24
TYPES OF WORKPAPERS
Workpapers can be simply defined as anything the internal auditor uses to document the
results of the examination and the scope of the procedures performed. They will also confirm
and/or deny the fact that the financial reports and underlying data for the financial reports of the
department agree and/or reconcile. Working papers generally include:
Workpapers generally present a logical flow to the information and data. Workpapers
should be able to tell the reader and/or reviewer a story without the need for additional oral
communication and explanation. The workpapers should be compiled in the form of a pyramid –
the findings to the front and the detail to the back. A contents page should be used to give the
reader the ability to find transaction work quickly. If “tick marks” are used, it is customary to
have a legend at the front of commonly used “tick marks.”
The contents page would be followed then by the report of findings; followed by any
other communication (written and oral) that occurred during the examination; followed by any
internal memos and general observations; followed by a worksheet delineating any adjustments
and/or reclassifications that are proposed (each adjustment should be referenced to the support
documents in the workpapers); followed by the evaluation of internal control; followed by a risk
assessment; followed by the audit program; followed by detailed tests; followed by analytical
review; and followed by any substantive testing, reconciliations, and/or recalculations.
Depending on the county auditor’s instructions and or the culture of the county, when the
internal auditor is performing an analysis of expenditure accounts, a detailed analysis should
always be performed on:
25
All workpapers should have a clear indication as to:
Always remember:
If you don’t write it down – it was never said – it was never done!
Consider the thought – that if a bus hit you today – would someone else be able to follow
behind you.
26