Understanding the Audit Process
Overview of the Internal Audit Division and the Audit Process
The Internal Audit Division (IAD) seeks to assist the Frederick County Government (FCG), the Frederick County Board of Education (BOE), the Frederick Community College (FCC) Board of Trustees, citizens and management in establishing accountability, transparency and a culture of continuous improvement in operations and service delivery to achieve the mission of each Board and their agencies. The IAD is an independent division with oversight from the Interagency Internal Audit Authority (IIAA).
The IAD and the IIAA were established by County Resolution in 1978 and codified into the Frederick County Charter as enacted on April 17, 2018, and effective on June 16, 2018, through Bill No. 18-12. This Bill ensures the independence of the IIAA and the IAD.
The Bill also discusses the annual work plan and five-year plan under section 1-2-137: “Annually, the Director shall submit to the IIAA, a strategic plan outlining the major risk areas within FCG, FCPS and FCC and a five-year plan to provide coverage of those areas. In addition, prior to the beginning of each fiscal year, the Director shall present to the IIAA for approval, a detailed work plan reflecting each project planned for the year and the corresponding budgeted hours.”
The IAD's overall audit strategy holds that a high-quality, clear annual work plan is critical for meeting the goals, objectives, and mission of the office. The work plan is fluid and changes with the environment and needs of each entity (FCG, FCPS and FCC) throughout each year. Any changes to the work plan or engagements must be approved by the IIAA.
The IAD conducts annual interviews with each division within all three entities to discuss and inquire about internal controls, potential fraud areas, and waste and abuse that is occurring, or has the potential to occur, within each departmental area across each entity. The IAD also focuses on general at-risk areas of concern within each division, as well as the performance efficiency and effectiveness of each division's overall programs. From these discussions the internal audit director may draft the annual risk assessment and work plan. The IAD also collects information from internal fraud, waste and abuse hotlines from all three entities. Instances reported are investigated and added to the work plan when necessary.
Projects listed in the annual work plan may become audits, agreed-upon procedures reports, reviews, general engagements or special projects based on the risk level, budget funding and scope determined in the pre-planning and discovery phase of the work performed. Projects included in the annual work plans are selected and prioritized using a risk-based approach. Risk assessment is a process used to identify and prioritize projects based upon specific risk factors related to the quality of internal controls and the estimated liability and level of exposure to FCG, FCPS or FCC related to various departments, programs, activities and contracts.
In performing engagements from the work plan, the IAD utilizes two contractors to perform the internal audit, attest and non-attest services under the direction of the internal audit director. Both contractors have experience in state and local government internal audit engagements. As a result of utilizing contractors, the division is capable of providing professional insight and expertise from a variety of professionals with differing fields of expertise, whether it be information technology, school activities, government activities, higher education or water and sewer. The use of professional contractors allows the IAD to have a greater depth of knowledge and expertise, along with up-to-date, industry-wide best practices and guidance. Utilizing contractors on engagements also provides an even greater level of independence in appearance.
Once engagements are selected, a task order is written by the IAD and submitted to one or both of the contractors for response. Contractor responses are reviewed by the IAD director and the IIAA. The IIAA will vote upon the task order and contractor response for approval. If a special project is deemed adequate to be performed by the IAD director, then that engagement will also go to the IIAA for approval. Once approved, the engagement may begin. Engagements generally follow Government Accountability Office, Government Auditing Standards (GAS).
The engagement begins with a planning phase in which the divisions or departments involved are notified and a planning meeting takes place. During the planning phase, interviews and risk assessments are performed to familiarize the contractor and the IAD director with the subject matter, criteria, policies and procedures, and internal controls involved. The risk assessment is utilized to identify the highest-risk areas requiring further testing during fieldwork. The planning phase and risk assessments help determine the audit objectives, scope, and methodology, as well as staffing needs and the audit schedule.
Fieldwork is the next stage of the process in which testing is conducted, usually on a sample basis, to gather evidence necessary to support engagement findings and recommendations. Fieldwork consists of data collection, analysis and other activities designed to address engagement objectives. During this stage the auditors will obtain sufficient appropriate evidence to provide a reasonable basis for their findings, conclusions and recommendations.
During contractor-run engagements, the IAD director shall manage the contractor through the full process and shall maintain an understanding of the engagement at all times. The IAD director may assist the contractor with the full audit process. The IAD director is tasked with reviewing the final product and therefore must be able to provide insightful input and recommendations. Monthly status reports on each engagement are expected from the contractor for presentation at the monthly IIAA meetings.
A written communication in the form of a report is prepared at the end of fieldwork in order to communicate the objective, scope, observations, findings, recommendations and management responses to recommendations. Reports are drafted and must be reviewed by the IAD, responsible managers or directors of the audited entity, and the IIAA for approval. Once the IIAA approves the final draft of a report, the report may then be released. Most reports are released publicly; however, if entity security is a matter of concern, then a report will be held confidential.
Depending on the recommendations contained in a report, a follow-up is performed by the IAD between six months and a year after the final release of the report. The follow-up time frame is also dependent upon management response time frames in order to maintain efficiency in the process. Follow-up procedures for a report are instrumental in assisting the entity with ensuring steps are being taken to improve policies and procedures through the recommendations made within the report.