
WORKPAPER DOCUMENTATION

DEFINING THE NECESSITY AND NATURE OF
AUDIT WORKPAPERS
Workpapers are the direct end product of the internal audit staff’s work and effort. The
workpapers demonstrate what was done – what was found – and what was confirmed. Elected
officials, news media and the public in many instances only see, or rather ask to see, the end
product of the internal audit effort - the three or four paragraph report. The workpapers are
hardly ever examined, and the effort usually never sees the light of day. That is, until the
documentation comes into question – either by the commissioners’ court – by the district
attorney – and/or by a court of review or inquiry.
Internal audit workpapers provide various levels of usefulness:
A. During the audit adequately prepared workpapers provide
1. Guidance as to the objective of the examination
2. Guidance as to the sequence of steps and development
of assurance
3. Documentation that the office being evaluated has
conformed to statutory requirements
4. Documentation that accounting policies and procedures
are being conformed with, and
5. Documentation that the county auditor’s office has
performed the duties of the office as required by existing state
statutes.
B. After the audit is completed the workpapers provide
1. Evidence that supports the findings as reported
2. Evidence that the internal audit was performed
following established and accepted methodology
3. Evidence concerning the need to conform to the state
statutes
4. Evidence which can be relied on by the external
auditors, and
5. In the event the auditee finds himself or herself in court
trying to defend the findings, the workpapers provide an excellent
defense and support for the reports’ findings.
Professional internal auditing standards have over the years established some basic
guidelines and requirements concerning the preparation and maintenance of adequate
workpapers. There is currently no requirement in the state statutes that indicates, “You shall
create and maintain workpapers to support audit findings.” However, there are recognized
professional standards that say that the quantity, form and content of workpapers may vary with
the circumstances, but the workpapers should be sufficient to show that:
1. There was an objective to the internal review
2. That the review performed achieved the objective
3. That applicable standards of field work were observed
4. That records reviewed agreed with, or could be reconciled to financial
information as reported
5. That planning and supervision appeared to be adequate

6. That there was sufficient understanding of the internal control structure,
and
7. That the audit evidence obtained and the testing performed provided
sufficient, competent and evidential matter to support the final report.

Each county auditor’s office is going to establish specific workpaper policies related to
the type of engagement that is to be undertaken. In many instances these policies are verbal and
passed down from auditor to auditor. Thus, the process follows the old axiom of “that is the way
we have always done it.” However, if an office is going to introduce some form of quality
control in fulfilling its statutory responsibility, then the workpaper policy should be reduced to
writing. A written policy sets the requirement for written internal review programs, which then
allows the auditor to examine the nature, extent and timing of the work to be performed.
In many instances having a checklist that the auditor can follow will provide some assurance that
the process is followed consistently with each office.

This presentation focuses on the internal auditor function in a county auditor’s office.

All county auditor offices need to be cognizant of the fact that all federal grants require
elaborate workpaper documentation. Accounting records are not sufficient in many instances.

The nature of workpapers provides:
1. Documentation that departmental procedures were followed – tests were
performed – information was obtained, and that a conclusion was developed
2. The foundation for the auditor’s opinion related to the review
3. Foundation for how much importance should be attributed to the evidence
accumulated
4. Evidence as to how problems and errors noted were corrected and/or resolved

Workpapers and internal audit programs must be adaptable to the needs of the review
being conducted. Not all offices function in the same manner. Not all offices are required to
follow the same set of statutory standards. Not all grants require the same functionality to be
present. As a result, audit programs need to be flexible.

The workpapers as prepared should tell whoever is doing the reviewing and/or
examination a story. They should communicate what was done and document what was found.
A well prepared set of workpapers (i.e. complete and accurate) will be able to stand on its own –
that is to say, they don’t need anyone to explain them to the reviewer or to the jury.

Workpapers are anything that the auditor conducting the review deems to be necessary to
enable him/her to render a statement regarding the financial and/or operational objective that was
being tested and reviewed. Workpapers might include, for example:
A program of work
An internal control evaluation
A checklist of required steps
An analytical review for some function
Direct confirmations
Copies of receipts
Computer print outs

WORKPAPER CONTENT
No two auditors will prepare workpapers using the same structure; however there are
some general rules that governmental internal auditors can agree on.
Workpapers consist of anything that the auditor retains and/or creates to document that
the review conducted met certain established requirements and developed support for the fact
that federal guidelines, state statutes, budgetary constraints, financial accountability, and/or
county policy were being complied with. Properly designed workpapers can help to identify
adequately performing control structures as well as inadequately performing controls. Properly
designed workpapers can assist in evaluating the apparent risks that exist. Properly designed
workpapers can provide the support for the suggestions to improve the office’s internal control.
Workpapers should:
1. Provide corroboration of the amounts appearing in financial reports and
statements
2. Record the review conducted, the tests performed that are required for the
particular engagement
3. Provide information that would allow the reviewer to evaluate the job
performances of the personnel performing the review, and
4. Provide a starting point for the subsequent reviews to be performed.
There are usually two types of workpaper files – permanent and current. Permanent
files are files that contain information and matters that are important to each year’s audit –
information that isn’t expected to change materially from year to year. Examples would be
location of the office, office policies, contractual agreements for service, required reports to be
filed, statutory compliance check lists, copies of prior years’ reports, fixed asset responsibility,
etc.
Current files would constitute the workpapers the auditor prepares to support the
conclusions for the report written. Current files include the audit program, the internal control
evaluation, tests performed, analytical schedules developed, bank and account reconciliations,
copies of support documents, computer print outs, memorandums as to discussions held,
confirmations, review of budgetary compliance, etc.
Every workpaper should contain as a minimum:
1. A heading that clearly designates the name of the office, the county, a
description of the contents of the workpaper and the date(s) of the period being
reviewed
2. An indication as to who prepared the workpaper and the date of preparation
3. If the schedule was prepared by the office, the indication using “PBC”
indicates that the workpaper was “prepared by client”
4. The source where the information contained in the workpaper came from –
cash receipts ledger, court docket, disbursements journal, payroll ledger, etc., and
5. The nature and extent of the work performed should be indicated through
narrative description, symbols, tick marks or a combination thereof.
6. Conclusions reached should be clearly stated and supported
7. That all doubts and/or problems were resolved

8. Indexing and cross referencing

If tick marks are used, they can save the auditor time and space – and standard tick marks
should be adopted, and a legend of those tick marks should be available for the reviewer. Each
tick mark should be clearly explained. Tick marks should be simple, distinctive and clear so that
they can be quickly written by the preparer and easily discerned by the reviewer. Some tick marks
commonly used are:
Footed
Cross footed
Calculation checked
Agreed to ____________
Traced to financial report
Traced to ____________
Examined supporting documents
Examined cancelled check
See footnote # ________

As a last issue, all workpapers should be indexed and cross-referenced where necessary.
Indexing of workpapers is going to vary from office to office. Many prefer an alpha
sequence, while others prefer a numerical one. However, it is common to find both an alpha and
a numerical sequence of indexing being used. The following is an example of indexing:

Section   Section Area
A         Reports
B         Administration
C         Communication
D         Audit Program
E         Planning
F         Assets
I         Internal Control
L         Search for Unrecorded Liabilities
R         Revenue Analysis
X         Expenditure Analysis
Z         Other/Miscellaneous

Section Area             Index   General Subject
Reports                  10      Financial Reports
                         12      Expenditure Report
                         13      Original Budget
                         14      Budget Adjustments
                         18      Elements of Disclosure
Administration           20      Engagement Control Checklists
                         26      Memos re: Matters of Concern
                         28      Comm. Court Minutes
Communication            30      Communications With Depart.
                         32      Confirmations
                         34      Certifications
Audit Program            40      Control Document
                         44      Time Sheets
Planning                 50      Planning Memos
Assets                   60      Cash
                         62      Fixed Assets
Internal Control         70      Control Environment
                         72      Revenue Cycle
                         73      Expenditure Cycle
                         74      Purchasing Cycle
                         75      Payroll Cycle
                         78      Risk Analysis
Search For Liabilities   80      Expenditures
                         82      Lease Analysis
                         84      Prepaids
                         86      Trust Accounts
                         88      Search For Unrecorded Lib.
Revenue Analysis         140     Substantive Test of Receipts
                         142     Substantive Test of Docket
                         144     Substantive Test of Revenue
                         148     Review of Receivables
Expenditure Analysis     170     Budgetary Analysis
                         172     Expenditure Support
                         176     Payroll Analysis
Other/Miscellaneous      190     Other

As a general rule workpapers are not subject to open records purview until the report is
issued.
As a general rule workpapers should be retained for a minimum of 7 years, and probably
as long as 10 years.

DOCUMENTATION OF PLANNING AND
SUPERVISION
The internal audit workpapers should demonstrate that the three generally accepted
standards of fieldwork have been met – planning and supervision, internal control evaluation,
and evidential matter. The first standard only suggests that there needs to be documentation
that the work of the review was adequately planned and that supervision had been provided.

To meet the criteria of being able to demonstrate adequate planning and supervision does
not require many specific workpaper requirements. Some of the more common and generally
suggested are:

1. Audit Programs
An audit program is essentially a list of procedures to be followed and is usually
in writing. They are generally divided into logical segments as to the area of the
review’s focus. The program allows the reviewer to be able to compare the level
of work required to the level of work done. Some programs are highly detailed,
while some are very general in nature and allow the auditor the ability to insert
some flexibility. The program will usually require the staff person performing the
function to sign off on those requirements completed, and cross reference the
program to the workpaper supporting the function.

2. Preliminary Analytical Procedures
It should always be a requirement that the auditor apply analytical
procedures in planning the audit. A basic premise in the application of analytical
procedures is that plausible relationships among data may reasonably be expected
to continue in the absence of known conditions to the contrary. Preliminary
analytical procedures are intended to enhance the auditor’s understanding of the
office being reviewed – the office’s transactions and events that have occurred
since the last review. The analytical procedure process may alert the auditor to
areas of risk that had not been present at the time of the last review. Analytical
procedures will look for unusual transactions and events – examining ratios and
trends in a narrative or in the form of a worksheet.

3. Risk and Materiality
Audit risk needs to be evaluated at the department level – at the county level –
and at the auditor’s level. Risk is the concept that the auditor, the department, or the
county will unknowingly fail to catch an error, a mistake, or an irregularity that is
material to financial reports or the management of the department. Workpapers
will often include documentation that the auditor considered the influence of audit
risk in the application of procedures. The auditor will generally plan the greater
portion of labor hours to be concentrated on those departments that present the
greatest risk, and in those departments the areas that present the highest potential
risk. Those areas of highest risk, and the auditor’s response to them, should always
be documented. The audit strategy to address the risk should be clearly stated.

Before addressing risk assessment the internal auditor should indicate how materiality is
going to be addressed. Materiality should be considered and addressed during the planning of
the review to determine the nature, timing and extent of tests to be performed. In addressing the
scope of the review the level of events should be reduced to a level which would provide the
reviewer with a low risk of overlooking an element or a happenstance that would dramatically
affect the financial or management review that is being conducted. Setting a level of materiality
ensures that the auditor will do enough work to find misstatements. There is no authoritative
rule of thumb or measure of materiality – materiality is strictly based on professional
judgment.

Risk assessment should be performed on each office individually and attributes should be
classified as either inherent risks or control risks. Steps to be taken could be broken down as
follows:

GENERAL RISK ASSESSMENT STEPS

DEFINE THE AUDIT UNIVERSE
CHOOSE HOW TO DEFINE RISK
CHOOSE A CONTROL OR RISK MODEL
ASSESS INHERENT AND CONTROL RISK TO DETERMINE VULNERABILITY
ASSESS THE AUDITABILITY OF HIGH VULNERABILITY AREAS

DEFINE THE AUDIT UNIVERSE

DEFINE THE MANNER IN WHICH THE UNIVERSE IS TO BE DEFINED

THE MORE COMMON METHODS USED BY INTERNAL AUDITORS FOR
DEFINING THE UNIVERSE ARE:

1. PROGRAMS
2. STRATEGIES
3. CONTROL SYSTEMS

GENERAL TYPES OF INTERNAL AUDITS TO BE CONDUCTED

1. FULL PROGRAM AUDITS
2. CONTROL SYSTEM AUDITS
3. INVESTIGATIVE AUDITS
4. PERFORMANCE EVALUATIONS
5. QUICK RESPONSE AUDITS

PRIMARY AUDIT FOCUS

1. COMPLIANCE ASPECTS
2. RELIABILITY OF DATA
3. SAFEGUARDING OF ASSETS

SELECTION OF AN AUDIT OBJECTIVE (RANK, RISK & AUDITABILITY)

1. VULNERABILITY
(The Mission May Not Be Accomplished)
2. INHERENT RISK
(The Nature and/or The Culture Of The Audit Objective Has Risks Without Controls)
3. CONTROL RISKS
(Probability That The Inherent Risks Will Become A Reality: Probability That
Controls Are Put In Place And Will Not Accomplish The Mission)
4. AUDITABILITY
(Skills, Time, and Evidence)

INTERNAL AUDITING - BASIC RISK FACTORS

1. ETHICAL CLIMATE
2. PRESSURE ON MANAGEMENT
3. PERSONNEL INTEGRITY, COMPETENCE
4. NUMBER OF PERSONNEL
5. NUMBER OF TRANSACTIONS
6. SIZE OF THE ASSETS
7. COMPLEXITY/VOLATILITY OF ACTIVITIES
8. STATUTORY REGULATIONS
9. LEVEL OF COMPUTERIZATION
10. GEOGRAPHICAL LOCATION
11. ADEQUACY OF INTERNAL CONTROLS
12. MANAGEMENT CULTURE
13. ACCEPTANCE OF AUDIT FINDINGS & CORRECTIVE ACTION TAKEN
14. TIME LAPSE SINCE LAST AUDIT

KEY ACCOUNTABILITY CONTROL SYSTEMS

Departmental and Assessment Management

Policy Management

Performance Management

Information Management

Resource Management

ACCOUNTABILITY RISK FACTORS

POLICY RISK - THE RISK THAT AN ACTIVITY WILL FAIL TO DELIVER EXPECTED
RESULTS BECAUSE OF UNSTABLE OPERATIONS DUE TO CHANGES IN
MANAGEMENT, PERSONNEL AND/OR THE ENVIRONMENT, OR RESOURCES ARE
NOT EFFICIENTLY USED OR EFFECTIVELY CONTROLLED.

PERFORMANCE RISK - THE RISK THAT AN ACTIVITY WILL FAIL TO DELIVER
EXPECTED RESULTS BECAUSE IT DOES NOT USE PERFORMANCE INFORMATION
EFFECTIVELY TO MANAGE ITS OPERATIONS.

INFORMATION RISK - THE RISK THAT AN ACTIVITY WILL FAIL TO MEET
EXPECTED RESULTS BECAUSE MANAGEMENT INFORMATION IS NOT
COMMUNICATED OR USED EFFECTIVELY BY DECISION MAKERS.

RESOURCE MANAGEMENT RISK - THE RISK THAT AN ACTIVITY WILL FAIL TO
ACHIEVE EXPECTED RESULTS OR WILL NOT ESTABLISH AN ENVIRONMENT THAT
PROTECTS AGAINST FRAUD AND FINANCIAL DISASTER BECAUSE RESOURCES
ARE NOT MANAGED EFFICIENTLY AND EFFECTIVELY WITHIN ITS OPERATIONS
OR WITHIN ITS JURISDICTION.

CONTROL ENVIRONMENT RISK - THE RISK THAT THE INTEGRITY, ETHICAL
VALUES, AND COMPETENCE OF THE PEOPLE DO NOT LAY A SOLID FOUNDATION
TO ACHIEVE EXPECTED RESULTS.

AUDITABILITY IS DETERMINED BY:

1. TIME FRAME
2. INFORMATION
3. AVAILABILITY OF DOCUMENTATION
4. AUDIT SKILLS
5. AUDIT EDUCATION
6. AUDIT HOURS
7. AUDIT MORALE

IN ORDER FOR THE RISK ASSESSMENT PROCESS TO BE SUCCESSFUL, IT MUST:

1. INVOLVE THE DEPARTMENT BEING AUDITED
2. PRODUCE CREDIBLE RESULTS THAT ARE ACCEPTED BY BOTH THE
AUDITORS AND MANAGEMENT.
3. BE TIMELY SO THAT THE AUDIT PROCESS IS NOT HELD BACK
WAITING FOR RESULTS.
4. BE COST EFFECTIVE IN THAT THE RESULTING INFORMATION IS AT
LEAST AS VALUABLE AS THE COST TO OBTAIN IT.

FIVE BASIC PHASES OF - PLANNING AN AUDIT

1. Gather information
2. Conduct preliminary assessment
3. Define and refine the audit objectives
4. Develop the:
Audit scope
Audit methodologies
Audit fieldwork programs
5. Estimate the audit budget and resources

STEPS TO BE TAKEN IN THE PRELIMINARY ASSESSMENT

1. Select which of the accountability control systems and subsystems are relevant to
the audit (within the initial audit scope).
2. Assess which of the inherent risks and which of the control risks exist (be sure to
document risk assessment).
3. Select the accountability control subsystem for which audit objectives will be
developed (be sure and identify the relevant performance aspects to be reviewed).
4. Reassess auditability
5. Update risk and internal controls information (update permanent files, prepare
preliminary assessment document, and document auditability).

DEFINE/REFINE - AUDIT OBJECTIVE

In speaking to the objective for an internal audit, the “Yellow Book” (accounting and
audit guidelines for federal grants) indicates that there needs to be a clear indication as to what
the report related to the audit is to accomplish. Further, it is noted that the subject of the audit
needs to be clearly identified as well as the aspects of performance that are to be examined.
Therefore:

THE AUDIT OBJECTIVE - ESTABLISHES BOUNDARIES FOR THE AUDIT BY
CLEARLY STATING WHAT THE AUDIT IS TO ACCOMPLISH. IT
IDENTIFIES THE SUBJECT OF THE AUDIT AND THE PERFORMANCE
GOAL.

OPEN-ENDED OBJECTIVES SHOULD BE RESTATED AS CLOSED-ENDED
OBJECTIVES.

OPEN-ENDED OBJECTIVES:
♦ Identify the subject; what is the audit to examine
♦ Are vague in defining what the audit is to accomplish

CLOSED-ENDED OBJECTIVES:
♦ Are answerable
♦ Identify what the audit is to examine
♦ Clarify what the audit is to accomplish

1. IDENTIFY THE PRIMARY REPORT USER(S):
♦ What do they want to know?
♦ When they receive the information what are they going to do?

2. UNDERSTAND THE SUBJECT, PROBLEM AND/OR CONCERN.
♦ The audit subject is usually an organization, a department, a program, a
service, an activity and/or a function, a management policy, and a
performance issue.

3. DECIDE WHAT PERFORMANCE ASPECTS ARE TO BE INCLUDED IN
THE AUDIT.
♦ Is there management oversight?
♦ Is there a desire for customer satisfaction?
♦ Is the payroll process efficient?
♦ Are goals being established?
♦ Is the legislative intent being followed?
♦ Can the accuracy of the activity be evaluated?

4. WHEN ISSUES ARE ESTABLISHED, DETERMINE IF THE REASON
FOR THE ISSUE IS DUE TO PROCESSING OF TRANSACTIONS OR THE
ACCOMPLISHMENT OF A GOAL.
(Control risks should be clearly linked to the risks that exist
to the county.)

5. DECIDE WHAT ELEMENTS OF THE FINDINGS ARE TO BE
DEVELOPED WHICH ARE LINKED TO SUB-OBJECTIVES.

SUB-OBJECTIVES will address elements of the primary findings - will usually
help to identify the nature of the data required – will tend to lead to major audit steps.

SUB-OBJECTIVES are developed as a series of questions addressing each finding
element you decide to develop. A separate question should be written for each
finding element.

EXAMPLES OF SUB-OBJECTIVES:

1. CONDITION-BASED OBJECTIVE:
What is the average response time for a 911 call out?
2. CRITERIA-BASED OBJECTIVE:
What was the unit cost to process a payroll check in FY 03?
3. EFFECT-BASED OBJECTIVE:
What is the difference between the legislative intent and the
department’s goals?
4. CAUSE-BASED OBJECTIVE:
What are the underlying factors that influence customer satisfaction
with the ability of the department to deliver service?

DOCUMENTATION REGARDING INTERNAL
CONTROL
The second standard of fieldwork that needs to be considered is that of internal control.
The workpapers should have adequate documentation that the auditor had obtained a sufficient
understanding of the existing internal control structure for the department being reviewed. The
extent to which internal control is established in the department will impact the nature, timing
and extent of the tests that will need to be performed.

The workpapers should document:
1. The understanding of the office’s internal control structure, and
2. The auditor’s assessment of its effectiveness in detecting and/or preventing
material misstatements.

Basically the department’s internal control system consists of the policies and procedures
that have been established to provide reasonable assurance that those specific objectives will be
achieved. Policies and procedures may be established through statutes, may be established by
the commissioners’ court, may be established by the county auditor, and they may be created by
the elected official and/or department head.

Normally with a financial review the auditor will be concerned with those policies and
procedures that are primarily concerned with the recording, processing, summarizing, and
reporting of financial data, and the effect an error will have.

The department’s internal control consists of three elements:
1. The control environment
2. The accounting system, and
3. The control procedures
Each of these components needs to be understood in order to plan the review that is to take place.

The Control Environment – essentially reflects management’s attitude, awareness and actions
concerning the importance of control. The factors that the auditor will need to
consider are:

1. Management’s philosophy (the operating style used)
2. The department’s organizational structure
3. The method of assigning authority and responsibility
4. Personnel policies and practices
5. Management’s control methods used for monitoring performance to include
internal auditing
6. External influences that may impact the office, and
7. Interaction with other offices in the county

These factors serve to make other control policies and procedures more effective. When
management is found to have a positive attitude towards controls and does not try to mitigate the
effectiveness of policies and procedures or to override the controls, the reviewer finds that the
nature, timing and extent of the review can be reduced.

The Accounting System – consists of the methods and records which are used to identify,
analyze, classify, record and report the department’s transactions and to maintain accountability
for related assets and liabilities. The auditor needs to understand the accounting system in
sufficient detail in order to understand:

1. The types of transactions that can occur within the department
2. How those transactions are initiated
3. The accounting records, support documents, machine readable information, and
specific accounts in the financial system involved in the processing and reporting
of the transaction
4. The accounting process from the initiation of the transaction to the inclusion in
the financial data
5. How the computer is used to process the data at each level, and
6. The financial reporting process.

The Control Procedures – consist of those policies and procedures, in addition to the control
environment and the accounting system that management has established to provide reasonable
assurance that its objectives will be achieved.

Examples of control procedures are:
1. Segregation of duties
2. Proper authorization, and
3. Independent checks and balances.

The audit strategy is based on the reviewer’s understanding of the control procedures. If
control procedures are weak, then it doesn’t make a lot of sense to waste time to test controls.
However, if the auditor is able to test the control procedures and finds that they are strong and
effective, then he/she may decide that the substantive tests can be reduced. The understanding to
be obtained is developed through inquiries of the department, review of the department’s manuals
and documents, and observation of the department’s routines.

The reviewer must obtain reliable information that confirms that the policies and
procedures, the control procedures, are not just in writing – they are being practiced. This
confirmation comes from:
1. Inquiries
2. Observations, and
3. Hands on monitoring of transactions.

The understanding that the auditor comes to needs to be documented. The size and the
complexity of the entity, as well as the nature of the department’s internal control structure,
influence the form and the extent of this documentation. A large department may have its own
documentation of the internal control procedures that the auditor can copy and put in the
workpapers. For smaller departments the auditor may develop their understanding through the
use of flow charts and/or questionnaires. For really small departments the auditor may just use a
memorandum – for small offices with one or two employees it is really difficult to put into place
effective internal controls. Generally the more complex the department, the more extensive the
internal control, and the more extensive the auditor’s documentation.

The most commonly used methods of documentation are:
1. Memorandums – narrative descriptions of the relevant control structure, policies
and procedures. They are most useful when the matter being described is
relatively simple. They are less useful when the system becomes very complex.

2. Flowcharts – are useful when there is a system of internal control or operational
system that is very complex. A flowchart is a graphic depiction of operations and
decisions applied in the department’s structure. Flowcharts need not be elaborate
– their advantage is that complex matters can often be made easier to understand
in a graphic presentation.

3. Questionnaires – sometimes referred to as checklists – are programs that allow
the auditor to ask questions as to functionality and receive responses
from individuals. They are especially relevant when the auditor wants to make
sure that specific items or procedures have been focused on and all relevant
matters have been considered. This form of documentation lends itself to being
summarized more easily than memorandums and flowcharts. There are two
general types of questionnaires:

A. Open-Ended Questionnaires – ask general questions and let the auditor
answer with whatever information is relevant in the circumstances.
B. Closed-Ended Questionnaires – ask questions that must be answered yes or
no.

Closed-ended questionnaires are less flexible than open-ended
questionnaires, but they are more comprehensive. Closed-ended
questionnaires are usually more useful with larger, more complex offices,
while open-ended questionnaires are better applied to the smaller office.

The auditor’s understanding of the control structure is required to be documented, but the
procedures to be used to obtain this understanding are not. Thus, the procedures the auditor
performs to understand the design of the department’s control structure, and
to see that the department’s policies and procedures have been placed in operation, need not be
specifically described.

Even so, even though the procedures to obtain the knowledge of the internal control are
not required to be documented, the auditor should document the procedures applied and the reasoning
for the judgment process that was applied. Any file memos as to the procedures followed or the
documents examined should be dated and at least initialed by the individual making the
statement. A signed off audit program is a commonly used document which has a step by step
program for the auditors to use and the cycle that is to be followed.

Assessing Control Risk

After the auditor has obtained an understanding of the internal control structure, or while
obtaining it, it is not uncommon for the auditor to consider whether there are policies and
procedures in place that would reduce the risk of material misstatement, and if there are, whether
it would be efficient to test them in order to reduce the scope of substantive tests.

If the auditor decides that he/she wants to take advantage of the existing internal control
structure, i.e. existing policies and procedures, in an effort to reduce the amount of time required
to do substantive testing – then the auditor must apply tests of the controls to see if the policies or
procedures (that are to be relied on) are designed and operating effectively. The tests must be
directed at determining whether the policy or procedure is suitably designed to prevent or detect
material misstatements and how effectively it is operating.

Tests of controls are concerned with how a control structure policy or procedure was
applied – the consistency with which it was applied during the period under examination and by
whom the control was applied. These tests include inquiries of appropriate personnel –
inspection of documents – examination of reports – observation of applications – and
performance evaluations. It should be remembered that tests of controls are undertaken only
when the auditor believes that performing such tests can reduce
the need for substantive testing of the detailed documentation. Tests of controls are used in the
hopes of being able to increase efficiency. Tests of controls are required if there is going to be
reliance placed on the underlying controls and procedures. The more that the auditor is able to
depend on the department’s internal control structure to prevent or detect material misstatement,
the less substantive work will be required to be performed.

Documenting The Control Risk Assessment

When the auditor is able to conclude that he/she is able to reduce substantive testing based on
the effectiveness of the control structure, there needs to be documentation of the basis for this
decision in the workpapers. That is, in addition to the understanding of the control structure that
is already documented, there needs to be documentation of the tests of the controls that were
performed and their results.

The form and the content of this documentation are going to vary from office to office
and from department to department. But, in some form, the documentation should include:

1. A written description of the tests performed
2. The identity of the person performing the tests should be clear
3. An indication of when the tests were performed and when they were
completed
4. A description of the evidence that was examined (a copy in the file for an
example would be useful to the reader)
5. An indication of the number of items that were tested
6. The source of the items selected and how these items were determined for
selection, and
7. A description of the exceptions noted and an explanation as to their disposition.

It is always good to document the type of misstatement that the control policy or
procedure can be depended on to prevent and/or detect. It is not uncommon for the
auditor to make a statement in the workpapers as to whether the controls tested worked as
expected and can be depended on. The more reliance the auditor can place on the control
structure (i.e. there is a low assessment of risk) the more evidence should be
documented to support the reliance.

When the internal auditor is dealing with an office that only has two people in the office,
then it is unlikely that the office will be able to effect adequate control measures that can be
relied on. If the auditor is not going to place reliance on the internal control measures, then there
is no reason to test them. Thus, there is no dependence on the controls and/or procedures to
prevent and detect material misstatements.

Weaknesses In Internal Control

Any weaknesses noted in the internal control structure should be clearly noted in the
workpapers as reportable conditions and should be communicated to the department head
and/or elected official, and should be reported in the letter of findings to the official. Reportable
conditions are significant deficiencies in the design or operation of the internal control structure
that could adversely affect the department’s ability to record, process, summarize, or report
financial data consistent with accounting and financial procedures required by state statutes
and/or county policy. The deficiencies might involve any of the three components of the control
structure – the control environment, accounting system, or the control procedures.

If the condition is reported orally to the department head and/or elected official then the
initial conversation should be well documented. The communication should always be followed
up in writing. Conditions that have been reported in prior years, and which have not been
corrected, should be re-iterated until the department head and/or elected official has clearly
acknowledged the risk and has stated reasons for not correcting them. Management’s acknowledgement is
always critical. Thus, it is not an uncommon practice to allow the department head and/or
elected official the opportunity to respond to the finding in the report.

DOCUMENTING SUBSTANTIVE TESTS
The internal auditor detects material misstatements in financial statements by applying
substantive tests. The tests are designed based on the auditor’s assessment of risk that material
misstatements will occur and that the department will not catch the error. This is commonly
referred to as inherent and control risks. The higher the risk of misstatement occurring
undetected by the client, the more evidence the auditor will need to accumulate.

The accumulation of evidence supporting the amounts in the financial statements is by far
the most time consuming part of the audit and documentation of substantive tests generally
accounts for the bulk of the workpapers that are prepared. Thus, the third standard of fieldwork
states:

    Sufficient competent evidential matter is to be obtained through inspection,
    observation, inquiries, and confirmation to afford a reasonable basis for an
    opinion regarding the financial information under examination.

Evidential matter is obtained through two general classes of auditing procedures that
comprise substantive tests:

1. Tests of detailed transactions, and
2. Analytical procedures

Although books of original entry and other records maintained by the department such as ledgers,
journals, cost allocations, and reconciliations may in part support the monthly and/or quarterly
reports, those records do not constitute what is considered evidential matter. Documentation
must be collected that will corroborate the information shown in the above-mentioned
documents. Corroborating evidential matter includes:

1. Cancelled checks
2. Receipts
3. Invoices
4. Contracts
5. Independent confirmations
6. Information independently obtained or developed through inquiry, observation, or
inspection.

Auditors choose from a wide range of methods and techniques to test the validity of
accounting information and reports. Some of the more commonly used techniques are:

1. Documenting the process used to develop the financial information, then testing
the information entered into the process
2. Comparing the accounting data and information to data that is collected outside of
the department, and
3. Comparing the accounting information to the auditor’s expectations, which have
been derived through logical analysis.

Competence Of Evidential Matter

To be competent, evidential matter must be both reliable and relevant. Reliability of
evidential matter will always depend on the circumstances under which it is obtained. However,
there are some generalizations that are commonly held to be true (but one must understand that
there are exceptions to every rule):

1. Greater assurance as to the accuracy of information can be assigned to evidence that
is obtained independently and outside of the department that is being examined.
2. Financial information that is created within a department that has strong internal
controls (or in some cases just satisfactory internal controls) provides more
assurance as to accuracy than that produced in an environment with less than
satisfactory conditions.
3. Direct personal knowledge obtained by the auditor through physical examination,
computation and inspection is more reliable than data obtained indirectly.

The relevance of evidential matter has to do with whether the information bears on the
accounting or reporting data in question. While the relevance of evidential matter to a specific
circumstance is generally clear, in some cases, particularly those involving the estimated
outcomes of future events, the auditor needs to be particularly careful in considering whether the
correct factors are considered in arriving at the conclusion.

Sufficiency of Evidential Matter

Once the internal auditor has considered the evidential matter and has found it to be
relevant and reliable, he/she must then determine whether or not the data collected is sufficient –
that is, whether there is enough data to provide a basis for the finding and
to support the finding. As a rule of thumb, the evidential matter must be sufficient
to reduce to an acceptably low level the risk that the internal auditor will fail to detect a material
misstatement in the financial data and related reports. Evidential matter may be developed
through the use of substantive testing. The sufficiency of evidential matter will depend on:

1. The nature of the elements under examination
2. The relative size of the population and the auditor’s judgment as to materiality
3. The auditor’s assessment as to the inherent and control risks within the
department – i.e. risk of material misstatement, and
4. The nature of the evidential matter obtained – persuasiveness of the evidence
collected and the risk that it may be interpreted incorrectly.

The internal auditor has to always be cognizant of the economics and the timeliness of an
internal audit. For a finding and a solution to be economically useful, it must be developed
and rendered in a reasonable length of time. There is a rational relationship between the cost
of obtaining evidence and its usefulness. Evidential matter that is to be collected has a cost to
the taxpayers. That is not to say that the matter of difficulty and expense involved in testing a
particular attribute is not in and of itself a valid basis for omitting an otherwise necessary step in
the internal audit function.

Types of Substantive Tests

There are two types of substantive tests – tests of details and analytical procedures.

During most internal audit procedures both types of testing are generally used. The
internal auditor will choose the procedure based on:

1. Materiality
2. Risk of misstatement
3. Production of persuasive evidence
4. Comparative efficiency

Tests of detail are audit procedures in which amounts that make up an account balance
or class of transactions are compared to corroborating information. These tests are usually
directed at balance sheet accounts and used to test the existence, ownership, and valuation of
assets and the amount and responsibility for liabilities. Tests of details can be directed at both
revenue and expenditure accounts in an effort to document the classification accuracy of each. A
test of details will usually include one or more of the following:

1. Vouching (invoices, receipts, budgetary authorization, etc.)
2. Account analysis
3. Reconciliations
4. Confirmations
5. Observation, and
6. Recalculation

Analytical procedures are commonly referred to as substantive tests of financial
information consisting of observation and comparisons of relationships among data, such as
fluctuations or trends noted in various ratios, percentages, quantities and dollars. Some
commonly used analytical procedures include comparisons of financial information between:

1. Current period and prior period
2. Current period this year to same period in prior year(s)
3. Current period year to date and prior year to date
4. Budget and actual
5. Similar departments
6. Revenue and expense to produce the revenue

Analytical procedures lend themselves to easy analysis of income and expense
and to developing techniques for ensuring that everything that should have been recorded was
recorded. When applying analytical procedures the internal auditor should:

1. Consider the relationship between the data that is collected and the expected result
2. Compare what is expected to that recorded and reported by the department
3. Obtain sufficient understanding of events that will help to explain any differences,
and
4. Obtain supporting evidence to corroborate the explanation.

It is not uncommon for an internal auditor in a county to perform substantive testing at
periodic times during the year on any and all departments. The auditor needs to always consider
the activity as previously tested in relationship to the activity currently being tested. In addition
the auditor should include in their normal set of procedures the following:

1. Comparative review of data from test period to test period
2. Ensuring that the general ledger and the subsidiary ledger agree
3. Always tracing entries to their source, and
4. Ascertaining that all recommended adjustments have been made.

Some elements to remember about substantive testing:

1. Substantive testing can be reduced and may be eliminated.
2. Substantive testing and the test of controls may be combined into one function.
3. Substantive testing is not just number crunching – it includes:
    Confirming accounts receivable
    Reviewing commissioners’ courts’ minutes
    Investigating fluctuations in account balances
    Testing support for uncollected accounts
    Observing physical inventory
    Computing debt requirements from original documents
4. Vouching should include the review of cancelled checks, contracts, purchase
orders
5. Account analysis is the systematic detailing of the components as recorded in the
general ledger and/or subsidiary ledger
6. Reconciliations involve the verification of an account balance

TYPES OF WORKPAPERS

Workpapers can be simply defined as anything the internal auditor uses to document the
results of the examination and the scope of the procedures performed. They will also confirm
and/or deny the fact that the financial reports and underlying data for the financial reports of the
department agree and/or reconcile. Working papers generally include:

1. General ledger activity reports
2. Copies of departmental reports
3. An audit program
4. Documentation as to the understanding of the internal control structure
5. Designated tests to be performed to confirm the understanding
6. Notes, memorandums, copies of documents, minutes, contracts, invoices,
purchase orders, etc.
7. Schedules (either prepared by the auditor or prepared by the department) that
support the distributions to the general ledger and subsequent reports.

Workpapers generally present a logical flow to the information and data. Workpapers
should be able to tell the reader and/or reviewer a story without the need for additional oral
communication and explanation. The workpapers should be compiled in the form of a pyramid –
the findings to the front and the detail to the back. A contents page should be used to give the
reader the ability to find transaction work quickly. If “tick marks” are used, it is customary to
have a legend at the front of commonly used “tick marks.”

The contents page would be followed then by the report of findings; followed by any
other communication (written and oral) that occurred during the examination; followed by any
internal memos and general observations; followed by a worksheet delineating any adjustments
and/or reclassifications that are proposed (each adjustment should be referenced to the support
documents in the workpapers); followed by the evaluation of internal control; followed by a risk
assessment; followed by the audit program; followed by detailed tests; followed by analytical
review; and followed by any substantive testing, reconciliations, and/or recalculations.

Depending on the county auditor’s instructions and/or the culture of the county, when the
internal auditor is performing an analysis of expenditure accounts, a detailed analysis should
always be performed on:

1. Single expenditures in excess of $5,000
2. Multiple expenditures with the same vendor that exceed $25,000
3. Legal expenses
4. Professional fees
5. Maintenance and repair in excess of $ __________
6. Rents
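
The selection criteria listed above can be applied mechanically to an expenditure ledger so that every item requiring detailed analysis is identified, with the reason recorded for the workpaper. The following is an added example, not part of the original manual; the ledger layout, category names, sample entries and the maintenance figure passed in are all constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

SINGLE_LIMIT = Decimal("5000")    # single-expenditure threshold from the list
VENDOR_LIMIT = Decimal("25000")   # same-vendor aggregate threshold from the list
ALWAYS_REVIEW = {"legal", "professional fees", "rents"}

# Constructed sample ledger: (reference, vendor, category, amount)
SAMPLE_LEDGER = [
    ("V-001", "Acme Paving", "road materials", "12000.00"),
    ("V-002", "Acme Paving", "road materials", "9500.00"),
    ("V-003", "Acme Paving", "road materials", "4200.00"),
    ("V-004", "Baker Law Office", "legal", "750.00"),
    ("V-005", "County Supply", "office supplies", "310.25"),
    ("V-006", "Delta HVAC", "maintenance and repair", "1800.00"),
    ("V-007", "Delta HVAC", "maintenance and repair", "900.00"),
    ("V-008", "Elm Street Properties", "rents", "1200.00"),
]


def select_for_detailed_analysis(ledger, maintenance_limit):
    """Map each selected reference to the reasons it needs detailed analysis.

    The manual leaves the maintenance-and-repair figure blank, so the caller
    must pass the amount set by the county auditor.
    """
    maintenance_limit = Decimal(str(maintenance_limit))
    totals, counts = defaultdict(Decimal), defaultdict(int)
    for _ref, vendor, _category, amount in ledger:
        totals[vendor] += Decimal(amount)
        counts[vendor] += 1

    selected = {}
    for ref, vendor, category, amount in ledger:
        amount = Decimal(amount)
        reasons = []
        if amount > SINGLE_LIMIT:
            reasons.append("single expenditure over $5,000")
        if counts[vendor] > 1 and totals[vendor] > VENDOR_LIMIT:
            reasons.append("same-vendor total over $25,000")
        if category in ALWAYS_REVIEW:
            reasons.append(category)
        if category == "maintenance and repair" and amount > maintenance_limit:
            reasons.append("maintenance and repair over limit")
        if reasons:
            selected[ref] = reasons
    return selected


if __name__ == "__main__":
    # 1500 is a constructed stand-in for the blank maintenance figure
    for ref, why in select_for_detailed_analysis(SAMPLE_LEDGER, 1500).items():
        print(ref, "; ".join(why))
```

Entry V-003 is below the single-expenditure threshold but is still selected because the vendor's payments together exceed $25,000, which is the case a line-by-line review tends to miss.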

All workpapers should have a clear indication as to:

1. The department being examined
2. The title of the workpaper
3. A brief description of the workpapers’ contents
4. A statement as to the source of the data obtained
5. The period being covered by the examination
6. Who prepared the workpaper, when it was prepared and who reviewed the
document
7. Any documents which are prepared by the department should be clearly labeled as
to who prepared the document and when
8. Any adjustments that are being proposed and documentation for such, and
9. Any reference to other documents

Always remember:

If you don’t write it down – it was never said – it was never done!

Internal audit work papers should always tell a story.

Consider the thought – that if a bus hit you today – would someone else be able to follow
behind you?
