The Audit Function
Introduction to the Internal and Performance Auditing Function in Government
by David R. Hancox
- Develop an appreciation for the various types of audit work available today.
- Develop an appreciation for the auditing standards that help assure the quality of the work done by various auditors.
- Learn the characteristics that a good auditor should possess.
If you stop for a moment to examine the work you just completed, you are performing an “internal audit.” You may examine your tax return before filing it to see if you completed all of the required forms. You may pause during the day to reflect on the work you are doing in building bookshelves. You want to see if it meets the needs of your spouse by providing sufficient shelf space to hold the many books currently stored in the attic. As you look at the manual way you pay your bills, you may realize you could be using a computer. You realize that paying your bills electronically would save you significant time and ultimately costs, such as postage and envelopes.
In the case of the tax return, you are doing a compliance audit. In the case of the bookshelves, you are doing an audit of results – did you accomplish what your spouse intended? Finally, in the case of paying your bills, you are doing an economy-and-efficiency audit and identifying technology as a new and better way of doing business.
Auditors do the same thing, but they are examining operations on behalf of someone else. Years ago, auditors were focused only on financial activities and were often viewed as bean counters. Later, they became concerned with the broader aspects of accountability, such as efficiency and effectiveness of operations. While the role of the accountability agent is still an important one, today the job of the auditor has taken on a new dimension, and the auditor serves as a consultant, offering new ideas and approaches to accomplishing the mission of the organization. Auditors must be knowledgeable about many areas of government. They must keep up with emerging technology so they can use it in their own work, and so they can recommend how management might be able to incorporate it into the daily activities of the organization.
Most government auditors are internal to government. The government pays them. Often, they are independent from management, and the auditor chooses the program, function, or activity to be audited, without input or interference from management. Government auditors may not need management’s approval to audit, may have subpoena power to compel compliance with the audit engagement, and may report to the public on their findings. This great level of independence enables the government auditor to take an objective view of the operations and “call it like it is,” reporting independently to the legislature as well as the public. In doing so, the professional government auditor is guided by professional audit standards.
TYPES OF AUDITORS
There are a number of auditors who play an important role in the government accountability process:
- Internal audit units within government agencies, who report to some level of management within the agency
- Independent executive or legislative auditors, who have the statutory or constitutional authority to audit a government’s financial statements, departments, programs, functions, or activities
- Government auditors from other levels of government, who may audit to see that program funds are spent appropriately
- Government auditors who conduct audits of government grants or contracts given to private-sector organizations
- Government auditors doing audits of private-sector individuals or organizations to determine compliance with laws, rules, or regulations
- Private auditors hired by government managers to report on the financial statements or some other aspect of a program or function
The need for these various auditors is driven by two factors. First, management wants to know that it is doing right and that its employees are carrying out the policies and procedures established. Second, the public has a need, and a right, to know that the money it has entrusted to government managers is being used appropriately and in compliance with the law. The public also wants to know that its money is being used economically and efficiently and that the results of the expenditures accomplished what was intended. In a democratic society, accountability is inherent in the governing process.
In the private sector, the balance sheet and income statement are powerful tools of accountability. If a private-sector organization is not profitable, it will soon be bankrupt and out of business. Governments, however, do not operate to make profits. Although bankruptcy is a possibility, it rarely occurs, and many government programs outlive their usefulness.
Thus, there is a compelling need to have a variety of auditors serving several purposes in the accountability process. These purposes include:
- Assisting management in the discharge of its duties
- Reporting to the public on the effectiveness of the activities of government managers
- Reporting to other levels of government on the use of funds provided
- Reporting on the results of operation and financial position of the government
Auditing gives credibility to the information provided by the management of the organization. It also serves another vital function. The knowledge that a program, function, or activity is subject to review at any time has an incredible effect on assuring internal discipline and works to minimize wrongdoing by employees.
The Internal Auditor
Internal auditors of a government organization typically report to the management of the organization. Their primary role is to serve management by helping it make sure that good internal control systems are in place and to improve operations. To be effective, internal auditors need to have the support of the chief executive and should report to a sufficiently high level to assure they have the cooperation of the people they audit.
The External Government Auditor
There are several types of external government auditors. One is the independent auditor within a government unit. For example, a state auditor may be an elected official charged with auditing all state government programs, functions, activities, and financial statements. The state auditor is internal to the government as a whole, reporting to the public and to the legislature, but external to the agency or department being audited. Another type is the independent auditor from another level of government, such as an auditor from the federal Environmental Protection Agency (EPA) who might audit to see that federal EPA dollars were spent appropriately. The primary role of these auditors is to report to the public on the expenditure of its tax dollars. In addition, they may recommend how government managers can improve the operations of the program under audit.
The Private-Sector Auditor
Because of the complex nature of government programs and activities, government managers today find it helpful to hire external, private-sector auditors to assess some aspect of their programs. These auditors are often doing work that is the same or similar to what the internal or external government auditor is doing. Management defines the type and extent of the work they do. In addition, private-sector auditors are often called upon to offer an opinion on the government’s financial statements.
The American Institute of Certified Public Accountants through its Special Committee on Assurance Services has defined new markets for CPAs to explore. According to the Committee, the CPA today can provide assurance on an organization’s financial and non-financial measures used to evaluate the effectiveness or efficiency of its activities. There is a spectrum of performance-measurement services that the CPA can provide, including:
- Assessing the reliability of information being reported from the organization’s performance measurement system (for those organizations that have a performance measurement system).
- Assessing the relevance of the performance measures (for those organizations that have a performance measurement system).
- Identifying relevant performance measures (for those organizations that do not have a performance measurement system).
The Special Committee suggested a number of other areas the CPA could work in, including assessing risks to an organization and assessing the reliability of information systems.
A professional auditor is guided by certain auditing standards. The two primary standards that are the focus of internal auditors in government are the Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors, and the Government Auditing Standards issued by the comptroller general of the United States. Within each set of standards, there are certain basic concepts that focus on the auditors’ professional qualifications, the quality of audit effort, and the characteristics of professional and meaningful reports.
The Standards for the Professional Practice of Internal Auditing encompass:
- The independence of the internal auditing department from the activities audited and the objectivity of internal auditors
- The proficiency of internal auditors and the professional care they should exercise
- The scope of internal auditing work
- The performance of internal auditing assignments
- The management of the internal auditing department
The Government Auditing Standards are designed to ensure that:
- The scope of audit is sufficiently broad to assure accountability.
- Personnel who collectively have the necessary skills conduct the audit.
- The independence of the auditors is maintained.
- Applicable standards are followed in planning and conducting audits and reporting the results.
- The audit organization has an appropriate internal quality control system in place.
- The audit organization undergoes an external quality control review.
The Standards for the Professional Practice of Internal Auditing apply both to internal auditors in government and to internal auditors in the private sector. The Government Auditing Standards are required for certain audits under federal legislation and are accepted by many federal, state, and local government audit organizations as applicable guidance to assure that the audit scope is sufficiently broad and that a quality audit report will be produced.
Several important concepts are embodied in both standards. The first concept is accountability. In the case of the Internal Auditing Standards, both the board of directors and management are accountable for the adequacy and effectiveness of their organization’s systems of internal control and quality of performance. Under the Government Auditing Standards, officials and employees who manage government programs, activities, and functions must render an account of their activities to the public. While not always specified by law, the accountability concept is inherent in the governing process of our nation. But the definition of accountability has expanded with the growth and complexity of business and government, and the scope of managerial accountability and the audit of that accountability have expanded with it. The audit of government reporting is an essential element of public control and accountability; it provides credence to the information reported.
Due Professional Care
Another important concept cited in both standards is due professional care, which requires the auditor to be reasonably prudent and competent. Auditors must be alert to intentional wrongdoing, errors and omissions, inefficiency, waste, ineffectiveness, and conflicts of interest.
Types of Audits
The types of audits that are possible under both standards can be classified as follows:
- Reviews of the reliability and integrity of financial and operating information.
- Financial statement audits which provide reasonable assurance that the financial statements of an entity present fairly the financial position, results of operations, and cash flows in conformity with generally accepted accounting principles
- Financial related audits, which could examine any of the financial activities of the organization, including purchasing, cash, inventory, payroll, and a host of other activities that assure the proper administration of an entity
- Reviews of operations to ensure compliance with applicable policies, plans, procedures, laws, and regulations that could have an impact on operations. This could include, for example, assuring that the legislatively enacted competitive bidding process is followed, environmental laws are followed, or the requirements for a safe and healthy workplace are met.
- Reviews of the safeguarding of assets and verifying the existence of such assets. This could include making sure all personal computers are accounted for and that controls are in place to assure they are used properly. In addition, other assets could be examined, including the cash on hand and inventory if they are significant components of the operations.
- Evaluation of the economy and efficiency of operations. Areas an auditor might examine include assuring that resources are properly deployed, that there are no idle resources or overstaffed functions, and that resources are acquired at a reasonable price.
- Reviews of operations or programs to determine whether results are consistent with established objectives and goals and whether operations and programs are being carried out as planned. This could include determining if programs achieved the intended level of results; for example, in a loan program intended to create or retain jobs, were the number of jobs created or retained equal to the original estimates, and did the number of jobs created or retained result from the loans or were other factors the real cause?
CHARACTERISTICS OF A GOOD AUDITOR
To be effective, an auditor needs to be independent, objective, a professional skeptic, and an innovator.
Auditors are independent when they can carry out their work without fear of unwarranted repercussions. They should have unrestricted access to the highest level of management in the organization. If an auditor hesitates to address certain issues, such as the control environment (management’s philosophy, management’s operating style, competence of people), it may be an indicator that the auditor does not have the independence to properly address the issues confronting the organization.
To illustrate the importance of independence, consider the following example:
Example. Auditors concluded that there were significant shortcomings in the basic operations of a large state agency. The organization was responsible for liquidating bankrupt insurance companies. There were more than 50 insurance companies under management’s supervision. However, the auditors found that basic financial controls were not in place. Despite having more than 500 bank accounts, management did not require that bank reconciliations be done. There was no listing of the assets of the bankrupt insurance companies. As the audit progressed, the auditors continued to find significant shortcomings in every area reviewed. In considering the cause of the problems, they concluded that top managers were not qualified for the positions they held. The deputy in charge was the press officer of the department’s parent organization, and his top assistants were appointed to their positions because of their political connections. None of them had a background in managing insurance companies. Because an independent group did this audit, the auditors were able to report on the lack of competence of management in administering the day-to-day affairs of the entity. Without an appropriate level of independence, the auditors’ ability to get to the underlying cause of the problems would have been diminished.
Objectivity is an issue internal to the auditor. An auditor has to render conclusions uncolored by feelings or personal opinions. Objectivity can be defined as an independent mental attitude.
Objectivity could be affected by personal impairments, including preconceived ideas toward individuals, groups, organizations, or the objectives of a particular program. Personal impairments include those induced by political or social convictions that result from relationships with, or loyalty to, a particular group or organization. For example, a personal impairment could exist for an auditor assigned to do a compliance audit of an entity for which his mother is employed; others could rightfully challenge the auditor’s ability to be objective.
Each of us has a political philosophy, and we all have social convictions. Does this mean auditors cannot be objective in doing audits of certain programs? For some auditors on some programs, the answer is yes. And where that situation exists, auditors have a duty to raise the problem with their supervisors because reassignment to another audit may be the best solution.
The areas under audit need to be vigorously challenged by the auditor in the fieldwork stage to be sure sufficient, competent, and relevant evidence is developed. At the end of the fieldwork stage, and before the report-writing stage, the auditor’s objectivity comes into play in assessing the evidence gathered. If the initial problem that the auditor suspected exists, the evidence should be clear and persuasive. Otherwise, the auditor is obligated to report that no problem exists.
Objectivity, therefore, rests with the auditor’s ability to fairly evaluate evidence gathered under a rigorous program of critical examination, hardened with a touch of professional skepticism. Objectivity is the mark of a good auditor.
The good auditor must maintain an attitude of professional skepticism. Professional skepticism is an attitude of doubt about the evidence presented to you until you are persuaded as to its validity.
In assessing areas to audit, the auditor must exercise due professional care and should consider issues of materiality, significance, risk; adequacy of internal controls; and situations that suggest abuse or illegal acts. In other words, the auditor should be auditing significant issues that are potential problems. Therefore, the auditor should keep Murphy’s Law in mind – holding to the preconceived idea that, if something could be wrong, there is a chance something is wrong. This concept is similar to the scientific method used by scientists. A scientist establishes a hypothesis (i.e., a preconceived idea) and systematically tests the validity of it (i.e., gathers evidence). The hypothesis is a tentative assumption made to draw out and test its logical or empirical consequences.
Today, the demands on the auditing profession are greater than ever. Expectations concerning the auditor’s ability to add value to an organization are increasing, and auditors must be innovative to keep up with the times. No longer is it acceptable to simply say that the agency must improve some aspect of its operation. The public and the leadership of governments want to know if there is a better way of doing business. The auditor’s job is to tell them.
If auditors are to be innovative, they need to learn continually so they can keep up on the latest technology, management thinking, and the issues confronting policy makers. Auditors can assess themselves by measuring their “innovation ratio” – the number of recommendations about new ways of doing business compared to the total recommendations made in an audit report. This would place a value-added focus to the auditor’s performance.
Example. An agency was asking the legislature for more money to increase staff to deal with a backlog of work, which the agency said was a labor-intensive operation. After the auditors examined the operation, they concluded that hiring additional staff was not the best solution to the problem. Rather, the auditors suggested a new way of doing business. They suggested that an improved computer system and current technology could result in a more efficient process. For example, scanning technology could allow application documents to be scanned, digitized, and stored on optical media, and imaging technology could increase electronic access to the many documents that support the application. Imaging would also eliminate the time-consuming process of microfilming application documents. In addition, the auditors showed that this technology could be integrated with the revenue process to account for and record applicable fees paid.
Beyond scanning and imaging, the auditors suggested that this agency could allow for the electronic transfer of data. This would reduce the need to key in data and could decrease application-processing time. They further suggested that the bank could help eliminate delays if mail were initially directed to the bank, which would open it, deposit funds received, scan in data from the application, and electronically provide the data to the agency.
We need to take the time to keep up on emerging technology and to be alert for problem areas that could benefit from a new way of doing business.
Auditor certification is one way the auditing profession seeks to assure competent and qualified auditors. There are several certification programs that students can explore depending upon their career goals.
The Institute of Internal Auditors sponsors the Certified Internal Auditor designation. Candidates must demonstrate the ability to identify risks, examine alternative remedies, and prescribe the best initiatives to control these risks. CIAs must have knowledge of auditing standards and practices as well as management principles and controls, information technology, and emerging strategies to improve business and government.
Candidates for the CIA exam must:
- hold a bachelor’s degree or its equivalent from an accredited college-level institution,
- submit a character reference from a responsible person such as a CIA, supervisor, manager, or educator
- complete 24 months of internal auditing experience or its equivalent.
The CIA examination is offered in four parts. Each part consists of 80 multiple-choice questions.
Part I — Internal Auditing Process
Part II — Internal Audit Skills
A. Problem Solving & Evaluating Audit Evidence
B. Data Gathering, Documentation, & Reporting
C. Sampling and Mathematics
Part III — Management Control and Information Technology
A. Management Control
B. Operations Management
C. Information Technology
Part IV — The Audit Environment
A. Financial Accounting
C. Managerial Accounting
D. Regulatory Environment
The Association of Certified Fraud Examiners is an international professional organization dedicated to fighting fraud and white-collar crime. It sponsors the Certified Fraud Examiner designation.
A specific degree program is not required for CFE certification, but you must have a minimum of two years of professional experience to be certified as a CFE. The experience requirement for CFEs must be related, directly or indirectly, to the detection and deterrence of fraud.
The examination includes four sections covering:
- Fraudulent Financial Transactions
- Legal Elements of Fraud
- Fraud Investigation
- Criminology and Ethics
The Information Systems Audit and Control Association serves the needs of information technology auditors. This association sponsors the Certified Information Systems Auditor program. A minimum of five years professional Information Systems auditing, control, or security work experience is required to be certified. You may substitute education for part of the experience requirement.
The examination includes five domains including:
- Information Systems Audit Standards and Practices and Information Systems Security and Control Practices
- Information Systems Organization and Management
- Information Systems Process
- Information Systems Integrity, Confidentiality, and Availability
- Information Systems Development, Acquisition, and Maintenance
A commonly recognized designation is the Certified Public Accountant. The requirements to become a CPA include completing a program of study in accounting at a college or university — the AICPA recommends at least 150 hours of study, passing the Uniform CPA Examination graded by AICPA and, obtaining a certain amount of professional work experience in public accounting. CPAs must have an accounting background, but as you will see in this book, much of the work done by internal and performance auditors may not be directly related to accounting records. Therefore, to be an effective internal or performance auditor it is not necessary to be a CPA.
The CPA exam includes the following parts:
- Financial Accounting and Reporting
- Accounting and Reporting – Taxation, Managerial, Governmental and Not-For-Profit Organization
- Business Law and Professional Responsibilities
- Information Technology Topics
For Further Study:
Examine the Internet sites for Professional Organizations
- Institute of Internal Auditors: http://www.theiia.org/
- Association of Government Accountants: http://www.agacgfm.org/homepage.aspx
- Certified Fraud Examiners: http://www.acfe.org/
- American Institute of Certified Public Accountants: http://www.aicpa.org/
- State Societies of CPAs – New York’s: http://www.nysscpa.org/
- American Accounting Association: http://www.rutgers.edu/Accounting/raw/aaa/
- Information Systems Audit and Control Association: http://www.isaca.org/