The Auditing Function in Government
If you stop for a moment to examine the work you just completed, you are performing an “internal audit.” You may examine your tax return before filing it to see if you completed all of the required forms. You may pause during the day to reflect on the work you are doing in building bookshelves. You want to see if it meets the needs of your spouse by providing sufficient shelf space to hold the many books currently stored in the attic. As you look at the manual way you pay your bills, you may realize you could be using a computer. You realize that paying your bills electronically would save you significant time and, ultimately, costs such as postage and envelopes.
In the case of the tax return, you are doing a compliance audit. In the case of the bookshelves, you are doing an audit of results — did you accomplish what your spouse intended? Finally, in the case of paying your bills, you are doing an economy-and-efficiency audit and identifying technology as a new and better way of doing business.
Auditors do the same thing, but they are examining operations on behalf of someone else. Years ago, auditors were focused only on financial activities and were often viewed as bean counters. Later, they became concerned with the broader aspects of accountability, such as efficiency and effectiveness of operations. While the role of the accountability agent is still an important one, today the job of the auditor has taken on a new dimension, and the auditor serves as a consultant, offering new ideas and approaches to accomplishing the mission of the organization. Auditors must be knowledgeable about many areas of government. They must keep up with emerging technology so they can use it in their own work, and so they can recommend how management might be able to incorporate it into the daily activities of the organization.
Most government auditors are internal to government. The government pays them. Often, they are independent from management, and the auditor chooses the program, function, or activity to be audited, without input or interference from management. Government auditors may not need management’s approval to audit, may have subpoena power to compel compliance with the audit engagement, and may report to the public on their findings. This great level of independence enables the government auditor to take an objective view of the operations and “call it like it is,” reporting independently to the legislature as well as the public. In doing so, the professional government auditor is guided by professional audit standards.
There are a number of auditors who play an important role in the government accountability process:
- Internal audit units within government agencies, who report to some level of management within the agency
- Independent executive or legislative auditors, who have the statutory or constitutional authority to audit a government’s financial statements, departments, programs, functions, or activities
- Government auditors from other levels of government, who may audit to see that program funds are spent appropriately
- Government auditors who conduct audits of government grants or contracts given to private-sector organizations
- Government auditors doing audits of private-sector individuals or organizations to determine compliance with laws, rules, or regulations
- Private auditors hired by government managers to report on the financial statements or some other aspect of a program or function
The need for these various auditors is driven by two factors. First, management wants to know that it is doing right and that its employees are carrying out the policies and procedures established. Second, the public has a need, and a right, to know that the money it has entrusted to government managers is being used appropriately and in compliance with the law. The public also wants to know that its money is being used economically and efficiently and that the results of the expenditures accomplished what was intended. In a democratic society, accountability is inherent in the governing process.
In the private sector, the balance sheet and income statement are powerful tools of accountability. If a private-sector organization is not profitable, it will soon be bankrupt and out of business. Governments, however, do not operate to make profits. Although bankruptcy is a possibility, it rarely occurs, and many government programs outlive their usefulness.
Thus, there is a compelling need to have a variety of auditors serving several purposes in the accountability process. These purposes include:
- Assisting management in the discharge of its duties
- Reporting to the public on the effectiveness of the activities of government managers
- Reporting to other levels of government on the use of funds provided
- Reporting on the results of operation and financial position of the government
Auditing gives credibility to the information provided by the management of the organization. It also serves another vital function. The knowledge that a program, function, or activity is subject to review at any time has an incredible effect on assuring internal discipline and works to minimize wrongdoing by employees.
Internal auditors of a government organization typically report to the management of the organization. Their primary role is to serve management by helping it make sure that good internal control systems are in place and to improve operations. To be effective, internal auditors need to have the support of the chief executive and should report to a sufficiently high level to assure they have the cooperation of the people they audit.
There are several types of external government auditors. One is the independent auditor within a government unit. For example, a state auditor may be an elected official charged with auditing all state government programs, functions, activities, and financial statements. The state auditor is internal to the government as a whole, reporting to the public and to the legislature, but external to the agency or department being audited. Another type is the independent auditor from another level of government, such as an auditor from the federal Environmental Protection Agency (EPA) who might audit to see that federal EPA dollars were spent appropriately. The primary role of these auditors is to report to the public on the expenditure of its tax dollars. In addition, they may recommend how government managers can improve the operations of the program under audit.
Because of the complex nature of government programs and activities, government managers today find it helpful to hire external, private-sector auditors to assess some aspect of their programs. These auditors are often doing work that is the same or similar to what the internal or external government auditor is doing. Management defines the type and extent of the work they do. In addition, private-sector auditors are often called upon to offer an opinion on the government’s financial statements.
A professional auditor is guided by certain auditing standards. The two primary standards that are the focus of internal auditors in government are the Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors, and the Government Auditing Standards issued by the comptroller general of the United States. Within each set of standards, there are certain basic concepts that focus on the auditors’ professional qualifications, the quality of audit effort, and the characteristics of professional and meaningful reports.
The Standards for the Professional Practice of Internal Auditing encompass:
- The independence of the internal auditing department from the activities audited and the objectivity of internal auditors
- The proficiency of internal auditors and the professional care they should exercise
- The scope of internal auditing work
- The performance of internal auditing assignments
- The management of the internal auditing department
The Government Auditing Standards are designed to ensure that:
- The scope of audit is sufficiently broad to assure accountability.
- The audit is conducted by personnel who collectively have the necessary skills.
- The independence of the auditors is maintained.
- Applicable standards are followed in planning and conducting audits and reporting the results.
- The audit organization has an appropriate internal quality control system in place.
- The audit organization undergoes an external quality control review.
The Standards for the Professional Practice of Internal Auditing apply both to internal auditors in government and to internal auditors in the private sector. The Government Auditing Standards are required for certain audits under federal legislation and are accepted by many federal, state, and local government audit organizations as applicable guidance to assure that the audit scope is sufficiently broad and that a quality audit report will be produced.
Several important concepts are embodied in both standards. The first concept is accountability. In the case of the Internal Auditing Standards, both the board of directors and management are accountable for the adequacy and effectiveness of their organization’s systems of internal control and quality of performance. Under the Government Auditing Standards, officials and employees who manage government programs, activities, and functions must render an account of their activities to the public. While not always specified by law, the accountability concept is inherent in the governing process of our nation. But the definition of accountability has expanded with the growth and complexity of business and government, and the scope of managerial accountability and the audit of that accountability have expanded with it. The audit of government reporting is an essential element of public control and accountability; it provides credence to the information reported.
Another important concept cited in both standards is due professional care, which requires the auditor to be reasonably prudent and competent. Auditors must be alert to intentional wrongdoing, errors and omissions, inefficiency, waste, ineffectiveness, and conflicts of interest.
The types of audits that are possible under both standards can be classified as follows:
- Reviews of the reliability and integrity of financial and operating information.
- Financial statement audits, which provide reasonable assurance that the financial statements of an entity present fairly the financial position, results of operations, and cash flows in conformity with generally accepted accounting principles
- Financial related audits, which could examine any of the financial activities of the organization, including purchasing, cash, inventory, payroll, and a host of other activities that assure the proper administration of an entity
- Reviews of operations to ensure compliance with applicable policies, plans, procedures, laws, and regulations that could have an impact on operations. This could include, for example, assuring that the legislatively enacted competitive bidding process is followed, environmental laws are followed, or the requirements for a safe and healthy workplace are met.
- Reviews of the safeguarding of assets and verifying the existence of such assets. This could include making sure all personal computers are accounted for and that controls are in place to assure they are used properly. In addition, other assets could be examined, including the cash on hand and inventory if they are significant components of the operations.
- Evaluation of the economy and efficiency of operations. Areas an auditor might examine include assuring that resources are properly deployed, that there are no idle resources or overstaffed functions, and that resources are acquired at a reasonable price.
- Reviews of operations or programs to determine whether results are consistent with established objectives and goals and whether operations and programs are being carried out as planned. This could include determining if programs achieved the intended level of results; for example, in a loan program intended to create or retain jobs, were the number of jobs created or retained equal to the original estimates, and did the number of jobs created or retained result from the loans or were other factors the real cause?
There are many possible approaches to doing an audit. The following is a description of the process followed by a state auditing agency responsible for auditing all agencies within its jurisdiction. This description should help the government manager better understand the need for good communication with the audit team during the audit.
A typical audit has several interrelated stages or activities. These include:
- Opening conference. An opening conference is scheduled with agency officials. A major objective of the opening conference is establishing a climate in which top management is aware of the audit process and is provided an opportunity for input. The following matters should be covered:
  - Scope of audit, including program areas being reviewed and period of time covered
  - Specific areas agency officials may want examined
  - Procedures for obtaining information and transmitting preliminary audit findings
  - Establishment of appropriate communication channels
  - Any known improprieties that have occurred since the last audit
  - Standard reporting procedures for preliminary, draft, and final reports, including the need for responses from management
- Preliminary audit survey. The audit team conducts a survey of organizational and program information before the major audit effort begins. The objective is to develop a more complete understanding of the organization and its internal control system and environment so risks can be assessed and an audit plan can be established.
- Fieldwork phase. This phase consists of the focused audit effort and usually takes the single largest amount of time. The auditor in charge supervises the day-to-day activities of the on-site audit team to ensure that quality audit work is completed within predetermined time frames. This is where the auditors develop the evidence to support their audit findings.
- Preliminary audit findings. After completing the fieldwork phase for each audit segment, the auditor in charge or other audit staff will discuss the audit findings and conclusions with involved agency managers. Findings that may later appear in the draft report will be written up by the on-site audit team and transmitted to agency officials. Responses to these preliminary findings should be provided by management, and all factual differences should be resolved before the audit team leaves the site.
- Closing conference. At the completion of the fieldwork, the audit team will meet with the agency managers to discuss the audit results. The closing conference should include a discussion of management’s response to the preliminary audit findings and how the auditors will incorporate it into the draft report. It is also another opportunity for managers to communicate with the audit team.
- Draft and final reports. The report is the audit’s end product and is the basic means by which interested parties are informed of the audit results. The draft report is sent to the agency management with a request for a formal response, which will be included in the final report. The final report should be written in a fair and objective manner and convey the true sense of what is occurring in the management of the entity audited.
To be effective, an internal auditor develops five elements for each audit finding in a performance audit. These elements are:
- Criteria. The standards used to determine whether a program, function, or activity meets or exceeds expectations. Criteria are what the auditor measures against — they are what should be.
- Condition. What actually exists. This is what is determined and documented during the audit.
- Effect. The consequences or implications of the difference between the criteria and the condition. Effect demonstrates the need for corrective action.
- Cause. The reason the condition does not equal the criteria. Without understanding the cause, the auditor cannot make a useful recommendation.
- Recommendation. The action needed to correct the condition found, so it will meet the criteria.
At the beginning of the audit, auditors do a survey, one of the objectives of which is to define the criteria to be used in evaluating the program or activity under audit. They are also working to develop a preliminary assessment of the internal controls, including the control environment, so they can make some decisions about the number and type of transactions to be reviewed during the substantive testing phase of the audit. After the survey, typically, the auditors develop an audit plan that identifies the controls assessed and the specific areas to be reviewed during the audit testing phase. After reviewing the transactions, the auditors will have some sense of the condition that actually exists and the possible effects of the condition and criteria not being the same.
At this point, auditors begin to think about the contents of the draft audit report.
Because the cause is often difficult to determine, an effective auditor devotes more time to this critical element of a well-developed finding. The development of an audit finding and recommendation is shown in Figure 5.1. The recommendation is a logical consequence of the auditor’s conclusion about the cause.
The Committee of Sponsoring Organizations (COSO) report on internal control (see Chapter 1) provides auditors with good insight into the management process and possible areas that could point to the cause of the problems identified. Auditors sometimes focus only on policies and procedures as the cause of a problem. But as COSO suggests, “Internal control is a process, affected by an entity’s board of directors, management and other personnel….” Internal control is affected by people. It is not merely policy manuals and forms, but people at every level of the organization.
Not grappling with the people issue is to risk missing the real cause of the problems. The control environment and all of its elements — mostly focused on people and their integrity, ethical values, and competence — are difficult to evaluate but critical to understanding whether an organization is in control.
To be effective, an auditor needs to be independent, objective, a professional skeptic, and an innovator.
Auditors are independent when they can carry out their work without fear of unwarranted repercussions. They should have unrestricted access to the highest level of management in the organization. If an auditor hesitates to address certain issues, such as the control environment (management’s philosophy, management’s operating style, competence of people), it may be an indicator that the auditor does not have the independence to properly address the issues confronting the organization.
To illustrate the importance of independence, consider the following example:
Example. Auditors concluded that there were significant shortcomings in the basic operations of a large state agency. The organization was responsible for liquidating bankrupt insurance companies. There were more than 50 insurance companies under management’s supervision. However, the auditors found that basic financial controls were not in place. Despite having more than 500 bank accounts, management did not require that bank reconciliations be performed. There was no listing of the assets of the bankrupt insurance companies. As the audit progressed, the auditors continued to find significant shortcomings in every area reviewed. In considering the cause of the problems, they concluded that top managers were not qualified for the positions they held. The deputy in charge was the press officer of the department’s parent organization, and his top assistants were appointed to their positions because of their political connections. None of them had a background in managing insurance companies. Because this audit was done by an independent group, the auditors were able to report on the lack of competence of management in administering the day-to-day affairs of the entity. Without an appropriate level of independence, the auditors’ ability to get to the underlying cause of the problems would have been diminished.
Objectivity is an issue internal to the auditor. An auditor has to render conclusions uncolored by feelings or personal opinions. Objectivity can be defined as an independent mental attitude.
Objectivity could be affected by personal impairments, including preconceived ideas toward individuals, groups, organizations, or the objectives of a particular program. Personal impairments include those induced by political or social convictions that result from relationships with, or loyalty to, a particular group or organization. For example, a personal impairment could exist for an auditor assigned to do a compliance audit of an entity for which his mother is employed; others could rightfully challenge the auditor’s ability to be objective.
Each of us has a political philosophy, and we all have social convictions. Does this mean auditors cannot be objective in doing audits of certain programs? For some auditors on some programs, the answer is yes. And where that situation exists, auditors have a duty to raise the problem with their supervisors because reassignment to another audit may be the best solution.
The areas under audit need to be vigorously challenged by the auditor in the fieldwork stage to be sure sufficient, competent, and relevant evidence is developed. At the end of the fieldwork stage, and before the report-writing stage, the auditor’s objectivity comes into play in assessing the evidence gathered. If the initial problem that the auditor suspected exists, the evidence should be clear and persuasive. Otherwise, the auditor is obligated to report that no problem exists.
Objectivity, therefore, rests with the auditor’s ability to fairly evaluate evidence gathered under a rigorous program of critical examination, hardened with a touch of professional skepticism. Objectivity is the mark of a good auditor.
The good auditor must maintain an attitude of professional skepticism. Professional skepticism is an attitude of doubt about the evidence presented to you until you are persuaded as to its validity.
In assessing areas to audit, the auditor must exercise due professional care and should consider issues of materiality, significance, and risk; the adequacy of internal controls; and situations that suggest abuse or illegal acts. In other words, the auditor should be auditing significant issues that are potential problems. Therefore, the auditor should keep Murphy’s Law in mind — holding to the preconceived idea that, if something could be wrong, there is a chance something is wrong. This concept is similar to the scientific method. A scientist establishes a hypothesis (i.e., a preconceived idea) and systematically tests the validity of it (i.e., gathers evidence). The hypothesis is a tentative assumption made to draw out and test its logical or empirical consequences.
Today, the demands on the auditing profession are greater than ever. Expectations concerning the auditor’s ability to add value to an organization are increasing, and auditors must be innovative to keep up with the times. No longer is it acceptable to simply say that the agency must improve some aspect of its operation. The public and the leadership of governments want to know if there is a better way of doing business. The auditor’s job is to tell them.
If auditors are to be innovative, they need to learn continually so they can keep up on the latest technology, management thinking, and the issues confronting policy makers. Auditors can assess themselves by measuring their “innovation ratio” — the number of recommendations about new ways of doing business compared to the total recommendations made in an audit report. This would place a value-added focus to the auditor’s performance.
Example. An agency was asking the legislature for more money to increase staff to deal with a backlog of work, which the agency said was a labor-intensive operation. After the auditors examined the operation, they concluded that hiring additional staff was not the best solution to the problem. Rather, the auditors suggested a new way of doing business. They suggested that an improved computer system and current technology could result in a more efficient process. For example, scanning technology could allow application documents to be scanned, digitized, and stored on optical media, and imaging technology could increase electronic access to the many documents that support the application. Imaging would also eliminate the time-consuming process of microfilming application documents. In addition, the auditors showed that this technology could be integrated with the revenue process to account for and record applicable fees paid.
Beyond scanning and imaging, the auditors suggested that this agency could allow for the electronic transfer of data. This would reduce the need to key in data and could decrease application processing time. They further suggested that the bank could help eliminate delays if mail were initially directed to the bank, which would open it, deposit funds received, scan in data from the application, and electronically provide the data to the agency.
We need to take the time to keep up on emerging technology and to be alert for problem areas that could benefit from a new way of doing business.
The amount of confrontation that exists between the auditors and the agency being audited should be minimized — a daunting task because no one enjoys being audited. However, this is a challenge that auditors should accept without sacrificing their professionalism, objectivity, or audit findings for the sake of reduced tensions.
One of the most effective techniques an auditor can develop to help minimize confrontations is empathic communication. Empathic communication depends on the auditor understanding the other person’s position before stating his or her own position. To understand what government managers are doing and the limitations imposed on them takes time and requires highly honed skills in listening and responding. A course on communication skills is beyond the scope of this book, but the auditor is encouraged to study the concept of empathic communication to effectively deal in the highly charged atmosphere of internal auditing. Empathy should be called upon particularly during the audit fieldwork and in writing the audit report.
In trying to open communication channels with the people being audited, the auditor should focus efforts on the risk assessment made by managers of their operations. Risk assessment is an important part of the system of internal controls, which is the responsibility of management. Management must define its goals and objectives, assess the risk associated with achieving those objectives, and then decide how to manage those risks. In the past, auditors’ efforts have tended to focus on their own assessment of the risks that exist in the agencies audited. Based on that assessment, auditors would devote resources to auditing in the areas where they thought the highest risk existed. Most of the time, this was done without consulting the management of the organization they were assessing.
In opening communications with managers to understand how they’ve assessed risk, auditors are not sacrificing their independence. Instead, they have an opportunity to learn more about the policies of the agency that might be important to their audit objectives. It also helps auditors to improve their credibility with agency management when management understands that the auditors have a broad perspective and are striving to be balanced and objective. Finally, it helps the auditors to deal with a common agency response: “While your recommendations are good, the agency doesn’t have the resources to implement them.”
Managers also can take a number of steps to improve communication. Managers need to recognize that auditors play an important role in the accountability process. An effective manager will recognize that role and seek to cooperate with the auditor. If an auditor senses resistance from managers, the auditor begins to think: “What’s up? What are they afraid of?” In fact, a red flag for auditors is a delay in having access to records or people. Frauds that have escaped auditors have occurred in situations where management attempted to control records and people.
The example below illustrates a cooperative audit.
Example. The auditors determined their initial objective from documents between the governor’s office and the legislature. It seemed, based on that information, that it was the intention of the governor and the legislature for a new program initiative to save money. However, in the opening conference, the commissioner of the agency being audited advised the auditors that, in fact, the objective was not to save money, but rather to provide more effective services to the client population. Considering this information, the auditors expanded their scope from one of economy to include program effectiveness. They also advised the commissioner that there was sufficient evidence to show that economy should be a program objective. The commissioner acknowledged that while the agency had not focused on that issue, it was an appropriate issue to include in the scope of the audit.
By better understanding how the agency assessed risk, the auditors were able to focus the audit in a way that helped to reduce confrontation and increase agency cooperation. In fact, the auditors worked with agency management to define the specific criteria to evaluate program effectiveness, since the agency had not established a formal system to measure program success. If the auditors had focused only on the economy issue, management would have been frustrated because its resources had been focused on effectiveness issues.
Auditors must continue to do their own independent risk assessments. Those assessments, however, should be done with an understanding of management’s assessment of the risks affecting the organization. Therefore, confrontation can be reduced if auditors devote equal time to those areas management identifies as significant.