Table of Contents
Office of Independent Internal Audit
Procedures Manual
Chapter 1 - Introduction
Procedure 1.01 - Internal Audit Authority
Procedure 1.02 - Types of Audits Performed
Procedure 1.03 - Government Auditing Standards
Procedure 1.04 - Audit Process Overview
Procedure 1.05 - Handling Confidential and Sensitive Information of Information Exempt from Public Disclosure
Procedure 1.06 - TeamMate Audit Management Software
Procedure 1.07 - Non-audit Services: Contract Reviews
Chapter 2 - Project Initiation and Planning
Procedure 2.01 - Annual Audit Plan
Procedure 2.02 - Staff Assignments, Independence and Ethical Principles
Procedure 2.03 - Engagement Planning
Procedure 2.04 - Engagement Letter
Procedure 2.05 - Entrance Conference
Chapter 3 - Audit Fieldwork
Procedure 3.01 - Engagement Evidence and Fieldwork
Procedure 3.02 - Auditor Responsibilities Regarding Fraud
Procedure 3.03 - Audit Workpapers
Procedure 3.04 - Fieldwork Verification Conference
Chapter 4 - Communicating Results
Procedure 4.01 - Draft Report
Procedure 4.02 - Technical Review of Draft Report
Procedure 4.03 - Exit Conference and Issuing Draft Report
Procedure 4.04 - Issuing Final Audit Report
Procedure 4.05 - Post Engagement Client Survey
Chapter 5 - Quality Assurance
Procedure 5.01 - Roles and Responsibilities in Ensuring Quality
Procedure 5.02 - Post-Project Evaluation
Procedure 5.03 - Continuous Development and CPE
Procedure 5.04 - Quality Control Review Process
Procedure 5.05 - Annual Internal Quality Assurance Self-Assessment
Procedure 5.06 - Peer Review
Procedure 5.07 - Project Completion & Closeout
Procedure 5.08 - Post Engagement Client Survey
Chapter 6 - Audit Follow-up
Procedure 6.01 - Audit Follow-up and Reporting
Chapter 7 - Record Retention
Procedure 7.01 - Open Record Requests
Procedure 7.02 - Workpaper Retention
Chapter 8 - General Administrative
Procedure 8.01 - Recruiting and Professional Development
Procedure 8.02 - Time Keeping and Flexible Work Schedule
Procedure 8.03 - Safety Policy
Appendix
Appendix A - GA Law 3826 Local and Special Acts and Resolutions, Vol. II DeKalb County - Independent Internal Audits - No. 206 (House Bill No. 599)
Appendix B - DeKalb County, Georgia - Code of Ordinances / Organizational Act Section 10A - Independent Internal Audit
Appendix C - THE OPEN RECORDS ACT 50-18-70
Procedure 1.01
Office of Independent Internal Audit
Audit Function
Procedures Manual
Chapter 1
Procedure 1.01 - Internal Audit Charter/Authority
Purpose:
This procedure establishes the Chief Audit Executive (CAE) and Office of Independent
Internal Audit (OIIA)[1] Charter/Authority.
Authority:
House Bill 599 (2015 Ga. Laws 3826) enacted by the Georgia General Assembly signed
into Law on May 12, 2015[2], and the Government Auditing Standards (GAS) also known
as the "Yellow Book" promulgated by the Comptroller General of the United States and
published by the United States Government Accountability Office.
Applicability:
This Internal Audit Charter/Authority applies to the CAE and all OIIA staff members.
[1] OIIA (Office of Independent Internal Audit) referenced herein refers to the Office of Internal Audit as documented in House Bill 599 (2015 Ga. Laws 3826)
[2] Incorporated into DeKalb County, Georgia - Code of Ordinances / Organizational Act Section 10A - Independent Internal Audit
Subject: Introduction
Procedure Number: 1.01
References: House Bill 599 (2015 Ga. Laws 3826); DeKalb County, Georgia - Code of Ordinances / Organizational Act Section 10A - Independent Internal Audit; GAS 2.01-2.10 Complying with GAGAS; GAS 2.16-2.19 Stating compliance with GAGAS in the Audit Report; GAS 3.17-3.57 Independence; GAS 5.44 Monitoring of Quality
Issue Date: 06/24/2019
Approved: John L. Greene, Chief Audit Executive
Effective: 07/01/2019
Approved: Audit Oversight Committee approved on 12/16/2016
Amended: 02/28/2020
Internal Audit:
I. Introduction
The OIIA was established in accordance with House Bill 599, enacted by the
Georgia General Assembly, signed into Law on May 12, 2015 and incorporated into
DeKalb County, Georgia - Code of Ordinances / Organizational Act Section 10A -
Independent Internal Audit (See Appendix A - HB 599 (2015 Ga. Laws 3826) and
Appendix B - DeKalb County, Georgia - Code of Ordinances / Organizational Act
Section 10A - Independent Internal Audit).
The OIIA shall consist of the CAE and those assistants, employees, and personnel
as deemed necessary by the CAE for the efficient and effective administration of the
affairs of the office, and over whom the CAE shall have the sole authority to appoint,
employ, and remove.
II. OFFICE OF INDEPENDENT INTERNAL AUDIT MISSION, VISIONS AND VALUES
Mission Statement (why we exist and what we do)
Our purpose (why we exist) is to provide independent, objective, insightful,
nonpartisan assessment of the stewardship or performance of policies, programs
and operations in promoting efficiency, effectiveness, and integrity in DeKalb
County.
Our promise (what we do) is to accomplish this through financial audits, performance
audits, inquiries, investigations, and reviews.
Vision Statement (where we are going)
Excellence in our products and services as we promote positive change throughout
DeKalb County with an inspired team that strives for continuous improvement.
III. Standards for the Office of Independent Internal Audit
The OIIA audits will be prepared pursuant to DeKalb County, Georgia - Code of
Ordinances / Organizational Act Sec. 10A. - Independent Internal Audit, Georgia
Statutes. The OIIA staff members will follow 2018 Government Auditing Standards
(GAS) for all audits performed by the OIIA. OIIA staff members are responsible for
familiarizing themselves with and adhering to GAS. Those standards require that we
plan and perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit objectives.
IV. Authority
HB 599 and DeKalb County, Georgia - Code of Ordinances / Organizational Act
Section 10A - Independent Internal Audit provide safeguards consistent with GAS
3.54c[3] to mitigate structural threats to independence as defined in GAS 3.30g[4].
The CAE will report to an independent Audit Oversight Committee (AOC). The AOC
consists of five voting members. The committee:
• Ensures the independence of the OIIA.
• Selects no fewer than two nor more than three nominees for the position of CAE for
  approval by the DeKalb Board of Commissioners.
• Provides suggestions and comments for the annual audit plan.
• Proposes the internal audit budget and recommends the budget to the DeKalb
  County Board of Commissioners for approval.
• Receives communications from the CAE on the internal audit activity's
  performance relative to its plan and other matters.
• Provides general oversight and guidance.
• Consults with CAE on technical issues.
• Coordinates with contracted audit efforts and other consulting engagements.
The OIIA has unrestricted access to employees, information, and records including
electronic data within their custody regarding powers, duties, activities, organization,
property, financial transactions, contracts, and methods of business required to
conduct an audit or otherwise perform audit duties. In addition, all officers and
employees of DeKalb County shall provide access for the OIIA to inspect all
property, equipment, and facilities within their custody. If such officers or employees
fail to provide or produce such access and information, the CAE may initiate a
search to be made and exhibits to be taken from any book, paper, or record of any
such official or employee or outside contractor or subcontractor, except as governed
by statute. The CAE shall have the authority to issue subpoenas and may apply to
the Superior Court of DeKalb County for the enforcement of any subpoena issued by
the CAE.
[3] GAS 3.54c - "appointed by someone other than a legislative body, so long as the appointment is confirmed by a legislative body and removal from the position is subject to oversight or approval by a legislative body and reports the results of audits to and is accountable to a legislative body."
[4] GAS 3.30g - "structural threat - the threat that an audit organization's placement within a government entity, in combination with the structure of the government entity being audited, will impact the audit organization's ability to perform work and report results objectively."
V. Independence and Objectivity
The OIIA is completely independent and is not subject to control or supervision of
the Chief Executive Officer (CEO), the Board of Commissioners (BOC), or any other
official, employee, department, or agency of the county government. The position of
the CAE is nonpartisan.
The CAE will ensure that the OIIA remains free from all conditions that threaten the
ability of internal auditors to carry out their responsibilities in an unbiased manner,
including matters of audit selection, scope, procedures, frequency, timing, and report
content. If the chief audit executive determines that independence or objectivity may
be impaired in fact or appearance, the details of impairment will be disclosed to
appropriate parties including the AOC.
Internal auditors will maintain an unbiased mental attitude that allows them to
perform engagements objectively and in such a manner that they believe in their
work product, that no quality compromises are made, and that they do not
subordinate their judgment on audit matters to others.
Internal auditors will have no direct operational responsibility or authority over any of
the activities audited. Accordingly, internal auditors will not implement internal
controls, develop procedures, install systems, prepare records, or engage in any
other activity that may impair their judgment, including:
• Assessing specific operations for which they had responsibility within the
  previous year.
• Performing any operational duties for DeKalb County.
• Initiating or approving transactions external to OIIA.
• Directing the activities of any DeKalb County employee not employed by the
  OIIA, except to the extent that such employees have been appropriately
  assigned to auditing teams or to otherwise assist internal auditors.
Where the CAE has or is expected to have roles and/or responsibilities that fall
outside of internal auditing, safeguards will be established to limit impairments to
independence or objectivity.
Internal auditors will:
• Disclose any impairment of independence or objectivity, in fact or appearance,
  to appropriate parties.
• Exhibit professional objectivity in gathering, evaluating, and communicating
  information about the activity or process being examined.
• Make balanced assessments of all available and relevant facts and
  circumstances.
• Take necessary precautions to avoid being unduly influenced by their own
  interests or by others in forming judgments.
The CAE will confirm to the AOC, at least annually, the organizational independence
of the OIIA.
The CAE will disclose to the AOC any interference and related implications in
determining the scope of internal auditing, performing work, and/or communicating
results.
VI. Duties & Responsibilities
In accordance with HB599 (2015 Ga. Laws 3826) and DeKalb County, Georgia -
Code of Ordinances / Organizational Act Section 10A - Independent Internal Audit,
the OIIA is responsible for conducting financial and performance audits of all
departments, offices, boards, activities, agencies and programs of the County
independently and objectively to determine whether:
1. Activities and programs being implemented have been authorized by this
Act, Georgia law, or applicable federal law or regulations and are being
conducted and funds expended in compliance with applicable laws.
2. The department, office, board, or agency is acquiring, managing,
protecting, and using its resources, including public funds, personnel,
property, equipment, and space, economically, efficiently, effectively, and
in a manner consistent with the objectives intended by the authorizing
entity or enabling legislation.
3. The entity, programs, activities, functions, or policies are effective,
including the identification of any causes of inefficiencies or uneconomical
practices.
4. The desired results or benefits are being achieved.
5. Financial and other reports are being provided that disclose fairly,
accurately, and fully all information required by law, to ascertain the nature
and scope of programs and activities, and to establish a proper basis for
evaluating the programs and activities including the collection of,
accounting for, and depositing of, revenues and other resources.
6. Management has established adequate operating and administrative
procedures and practices, systems or accounting internal control systems,
and internal management controls.
7. Indications of fraud, abuse, or illegal acts are valid and need further
investigation.
In addition, the OIIA:
• Coordinates and monitors auditing performed by certified public accounting
  firms or other organizations employed under contract by the governing
  authority to assist with audit related activities.
• Participates with the AOC in the selection of the external audit firm.
• Follows up on audit recommendations to monitor the status of corrective
  action.
The chief audit executive has the responsibility to:
• Submit a one- to five-year audit schedule at the beginning of each fiscal year
  to the AOC and the BOC for review and comment. The schedule shall include
  the proposed plan, and the rationale for the selections, for auditing
  departments, offices, boards, activities, programs, policies, contractors,
  subcontractors, and agencies for the period. This schedule may be amended
  after review with the AOC and the BOC, but the CAE shall have final authority
  to select the audits planned.
• Select audit areas and audit objectives, determine the audit scope and the
  timing of audit work. The CAE shall consult with federal and state auditors
  and external auditors so that the desirable audit coverage is provided, and
  audit efforts are properly coordinated.
• Submit an annual report to the AOC, CEO, and the BOC indicating audits
  completed, major findings, corrective actions taken by administrative
  managers, and significant issues which have not been fully addressed by
  management. The annual report, in written or some other retrievable form,
  shall be made available to the public through the county website within ten
  (10) days of submission to the commission.
• Follow up on audit recommendations to determine if corrective action has
  been taken. The OIIA shall request periodic status reports from audited
  agencies regarding actions taken to address reported deficiencies and audit
  recommendations.
• Review and adjust the internal audit plan, as necessary, in response to
  changes in DeKalb County's risks, operations, programs, systems, and
  controls.
• Communicate to AOC any significant interim changes to the internal audit
  plan.
• Ensure the OIIA collectively possesses or obtains the knowledge, skills, and
  other competencies needed to meet the requirements of the internal audit
  charter.
• Ensure conformance of the OIIA with the general requirements for complying
  with generally accepted government auditing standards (GAGAS) that are
  applicable to all GAGAS engagements.
VII. Quality Assurance and Improvement Program
The OIIA will maintain a quality assurance and improvement program that covers
all aspects of the OIIA. The program will include an evaluation of the OIIA's
conformance with the Standards. The program will also assess the efficiency and
effectiveness of the OIIA and identify opportunities for improvement. The CAE
should include a statement in the Annual report that "The Office's internal quality
control and assurance program is ongoing and includes continuous supervision
and internal reviews of audit work to ensure accuracy and compliance with
standards and internal policies and procedures."
The audit organization should analyze and summarize the results of its
monitoring process at least annually, with identification of any systemic or
repetitive issues needing improvement, along with recommendations for
corrective action. The audit organization should communicate to the relevant
engagement manager, and other appropriate personnel, any deficiencies noted
during the monitoring process and recommend appropriate remedial action.[5]
The audit activities of the OIIA shall be subject to a peer review in accordance
with applicable government auditing standards by a professional, nonpartisan
objective group utilizing guidelines endorsed by the Association of Local
Government Auditors (ALGA).
The peer review shall use applicable government auditing standards to evaluate
the quality of audit effort and reporting. Specific quality review areas shall include
staff qualifications, adequacy of planning and supervision, sufficiency of work
paper preparation and evidence, and the adequacy of systems for reviewing
internal controls, fraud and abuse, program compliance, and automated systems.
The peer review shall also assess the content, presentation, form, timelines, and
distribution of audit reports. The commission shall pay for the costs of the peer
review.
A copy of the written report of such independent review shall be furnished to the
CAE, BOC and AOC.
VIII. Chief Audit Executive Provisions
The term of office of the Chief Audit Executive shall be five (5) years and until his
or her successor is qualified and appointed. The CAE shall be limited to a
maximum of two (2) terms in office. In addition, the position of the CAE shall be
nonpartisan. Qualifying for election to a public office shall constitute a resignation
from the position as of the date of qualifying.
[5] GAS 5.44 - Requirements: Monitoring of Quality, page 91
Procedure
1.01
Page 1 of 8
Office of Independent Internal Audit
Audit Function
Procedures Manual
Subject
Introduction
Procedure
Number
Procedure Number 1.01
References
House Bill 599(2015 Ga. Laws 3826);
DeKalb County, Georgia
-
Code of
Ordinances
/
Organizational Act
Section10A- Independent Internal
Audit; GAS 2.01-2.10 Complying
with GAGAS; GAS 2.16-2.19 Stating
compliance with GAGAS in the Audit
Report; GAS 3.17-3.57
Independence; GAS 5.44 Monitoring
of Quality
Issue
Date:
06/24/2019
Approved: John L. Greene, Chief Audit Executive
Effective:
07/01/2019
Chapter 1
Procedure 1.01 -
Internal Audit Charter/Authority
Purpose:
This procedure establishes the Chief Audit Executive (CAE) and Office of Independent
Internal Audit (OIIA)
1
Charter/Authority.
Authority:
House Bill 599 (2015 Ga. Laws 3826) enacted by the Georgia General Assembly signed
into Law on May 12, 2015
2
,
and the Government Auditing Standards (GAS) also known
as the "Yellow Book" promulgated by the Comptroller General of the United States and
published by the United States Government Accountability Office.
Applicability:
This Internal Audit Charter/Authority applies to the CAE and all OIIA staff members.
1
OIIA (Office of Independent Internal Audit) referenced herein refers to the Office of Internal Audit as documented in House Bill 599
(2015 Ga. Laws 3826)
2
Incorporated into DeKalb County, Georgia -
Code of Ordinances/ Organizational Act Section10A- Independent Internal Audit
Procedure
1.01
Page 2 of 8
Internal Audit:
I.
Introduction
The OIIA was established in accordance with House
Bill
599, enacted by the
Georgia General Assembly, signed into Law on May 12, 2015 and incorporated into
DeKalb County, Georgia - Code of Ordinances/ Organizational Act Section10A-
independent Internal Audit (See Appendix A
-HB
599 (2015 Ga. Laws 3826) and
Appendix B- DeKalb County, Georgia - Code of Ordinances
I
Organizational Act
Section10A- Independent Internal Audit).
The OIIA shall consist of the GAE and those assistants, employees, and personnel
as deemed necessary by the GAE for the efficient and effective administration of the
affairs of the office, and over whom the GAE shall have the sole authority to appoint,
employ, and remove.
II.
OFFICE OF INDEPENDENT INTERNAL AUDIT MISSION, VISIONS AND VALUES
Mission Statement (why we exist and what we do)
Our purpose (why we exist) is to provide independent, objective, insightful,
nonpartisan assessment of the stewardship or performance of policies, programs
and operations in promoting efficiency, effectiveness, and integrity in DeKalb
County.
Our promise (what we do) is to accomplish this through financial audits, performance
audits, inquiries, investigations, and reviews.
Vision Statement (where we are going)
Excellence in our products and services as we promote positive change throughout
DeKalb County with an inspired team that strives for continuous improvement.
Procedure
1.01
Page 3 of 8
Ill. Standards for the Office of Independent Internal Audit
The OIIA audits will be prepared pursuant to DeKalb County, Georgia - Code of
Ordinances/ Organizational Act Sec. 10A. - Independent Internal Audit, Georgia
Statues. The OIIA staff members will follow 2018 Government Auditing Standards
(GAS) for all audits performed by the OIIA. OIIA staff members are responsible for
familiarizing themselves with and adhering to GAS. Those standards require that we
plan and perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit objectives.
Procedure
1.01
Page 4 of 8
IV. Authority
HB 599 and DeKalb County, Georgia - Code Ordinances/Organizational Act
Section1DA- Independent Internal Audit provide safeguards consistent with GAS
3.54c
3
to mitigate structural threats to independence as defined in GAS 3.30g
4
.
The
GAE will report to an independent Audit Oversight Committee (AOC). The AOC
consist of five voting members. The committee:
•
Ensures the independence of the OIIA.
•
Selects no fewer than two or more three nominees for the position of GAE for
approval by the DeKalb Board of Commissioners.
•
Provides suggestions and comments for the annual audit plan.
•
Proposes the internal audit budget and recommend the budget to the DeKalb
County Board of Commissioners for approval.
•
Receives communications from the GAE on the internal audit activity's
performance relative to its plan and other matters.
•
Provides general oversight and guidance.
•
Consults with GAE on technical issues.
•
Coordinates with contracted audit efforts and other consulting engagements.
The OIIA has unrestricted access to employees, information, and records including
electronic data within their custody regarding powers, duties, activities, organization,
property, financial transactions, contracts, and methods of business required to
conduct an audit or otherwise perform audit duties. In addition, all officers and
employees of DeKalb County shall provide access for the OIIA to inspect all
property, equipment, and facilities within their custody. If such officers or employees
fail to provide or produce such access and information, the GAE may initiate a
search to be made and exhibits to be taken from any book, paper, or record of any
such official or employee or outside contractor or subcontractor, except as governed
by statute. The GAE shall have the authority to issue subpoenas and may apply to
the Superior Court of DeKalb County for the enforcement of any subpoena issued by
the GAE.
V. Independence and Objectivity
The OIIA is completely independent and is not subject to control or supervision of
the Chief Executive Officer (CEO), the Board of Commissioners (BOC), or any other
official, employee, department, or agency of the county government. The position of
the GAE is nonpartisan.
The GAE will ensure that the OIIA remains free from all conditions that threaten the
ability of internal auditors to carry out their responsibilities in an unbiased manner,
3
GAS 3.54C- "appointed by someone other than a legislative body, so long as the appointment is confirmed by a
legislative body and removal from the position is subject to oversight or approval by a legislative body and reports
the results of audits to and is accountable to a legislative body."
4
GAS 3.30g "structural threat - the threat that an audit organization's placement within a government entity, in
combination with the structure of the government entity being audited, will impact the audit organization's ability
to perform work and report results objectively."
Procedure
1.01
Page 5 of 8
including matters of audit selection, scope, procedures, frequency, timing, and report
content. If the chief audit executive determines that independence or objectivity may
be impaired in fact or appearance, the details of impairment will be disclosed to
appropriate parties including the AOC.
Internal auditors will maintain an unbiased mental attitude that allows them to
perform engagements objectively and in such a manner that they believe in their
work product, that no quality compromises are made, and that they do not
subordinate their judgment on audit matters to others.
Internal auditors will have no direct operational responsibility or authority over any of
the activities audited. Accordingly, internal auditors will not implement internal
controls, develop procedures, install systems, prepare records, or engage in any
other activity that may impair their judgment, including:
•
Assessing specific operations for which they had responsibility within the
previous year.
•
Performing any operational duties for DeKalb County.
•
Initiating or approving transactions external to OIIA.
•
Directing the activities of any DeKalb County employee not employed by the
OIIA, except to the extent that such employees have been appropriately
assigned to auditing teams or to otherwise assist internal auditors.
Where the GAE has or is expected to have roles and/or responsibilities that fall
outside of internal auditing, safeguards will be established to limit impairments to
independence or objectivity.
Internal auditors will:
•
Disclose any impairment of independence or objectivity, in fact or appearance,
to appropriate parties.
•
Exhibit professional objectivity in gathering, evaluating, and communicating
information about the activity or process being examined.
•
Make balanced assessments of all available and relevant facts and
circumstances.
•
Take necessary precautions to avoid being unduly influenced by their own
interests or by others in forming judgments.
The GAE will confirm to the AOC, at least annually, the organizational independence
of the OIIA.
The GAE will disclose to the AOC any interference and related implications in
determining the scope of internal auditing, performing work, and/or communicating
results.
Procedure
1.01
Page 6 of 8
VI.
Duties & Responsibilities
In accordance with HB599 (2015 Ga. Laws 3826) and DeKalb County, Georgia -
Code of Ordinances/ Organizational Act Section10A- Independent Internal Audit,
the OIIA is responsible for conducting financial and performance audits of all
departments, offices, boards, activities, agencies and programs of the County
independently and objectively to determine whether:
1. Activities and programs being implemented have been authorized by this
Act, Georgia law, or applicable federal law or regulations and are being
conducted and funds expended in compliance with applicable laws.
2. The department, office, board, or agency is acquiring, managing,
protecting, and using its resources, including public funds, personnel,
property, equipment, and space, economically, efficiently, effectively, and
in a manner consistent with the objectives intended by the authorizing
entity or enabling legislation.
3. The entity, programs, activities, functions, or policies are effective,
including the identification of any causes of inefficiencies or uneconomical
practices.
4. The desired results or benefits are being achieved.
5. Financial and other reports are being provided that disclose fairly,
accurately, and fully all information required by law, to ascertain the nature
and scope of programs and activities, and to establish a proper basis for
evaluating the programs and activities including the collection of,
accounting for, and depositing of, revenues and other resources.
6. Management has established adequate operating and administrative
procedures and practices, systems or accounting internal control systems,
and internal management controls.
7. Indications of fraud, abuse, or illegal acts are valid and need further
investigation.
In addition, the OIIA:
•
Coordinates and monitors auditing performed by certified public accounting
firms or other organizations employed under contract by the governing
authority to assist with audit related activities.
•
Participates with the AOC in the selection of the external audit firm.
•
Follows up on audit recommendations to monitor the status of corrective
action.
The chief audit executive has the responsibility to:
•
Submit a one- to five-year audit schedule at the beginning of each fiscal year
to the AOC and the BOC for review and comment. The schedule shall include
the proposed plan, and the rationale for the selections, for auditing
departments, offices, boards, activities, programs, policies, contractors,
subcontractors, and agencies for the period. This schedule may be amended
Procedure
1.01
Page 7 of 8
after review with the AOC and the BOC, but the CAE shall have final authority
to select the audits planned.
•
Select audit areas and audit objectives, determine the audit scope and the
timing of audit work. The CAE shall consult with federal and state auditors
and external auditors so that the desirable audit coverage is provided, and
audit efforts are properly coordinated.
•
Submit an annual report to the AOC, CEO, and the BOC indicating audits
completed, major findings, corrective actions taken by administrative
managers, and significant issues which have not been fully addressed by
management. The annual report, in written or some other retrievable form,
shall be made available to the public through the county website within ten
(10) days of submission to the commission.
•
Follow up on audit recommendations to determine if corrective action has
been taken. The OIIA shall request periodic status reports from audited
agencies regarding actions taken to address reported deficiencies and audit
recommendations.
•
Review and adjust the internal audit plan, as necessary, in response to
changes in DeKalb County's risks, operations, programs, systems, and
controls.
•
Communicate to AOC any significant interim changes to the internal audit
plan.
•
Ensure the OIIA collectively possesses or obtains the knowledge, skills, and
other competencies needed to meet the requirements of the internal audit
charter.
•
Ensure conformance of the OIIA with the general requirements for complying
with generally accepted government auditing standards (GAGAS) that are
applicable to all GAGAS engagements.
VII. Quality Assurance and Improvement Program
The OIIA will maintain a quality assurance and improvement program that covers
all aspects of the OIIA. The program will include an evaluation of the OIIA's
conformance with the Standards. The program will also assess the efficiency and
effectiveness of the OIIA and identify opportunities for improvement. The CAE
should include a statement in the Annual report that "The Office's internal quality
control and assurance program is ongoing and includes continuous supervision
and internal reviews of audit work to ensure accuracy and compliance with
standards and internal policies and procedures."
The audit organization should analyze and summarize the results of its
monitoring process at least annually, with identification of any systemic or
repetitive issues needing improvement, along with recommendations for
corrective action. The audit organization should communicate to the relevant
engagement manager, and other appropriate personnel, any deficiencies noted
during the monitoring process and recommend appropriate remedial action.⁵
The audit activities of the OIIA shall be subject to a peer review in accordance
with applicable government auditing standards by a professional, nonpartisan
objective group utilizing guidelines endorsed by the Association of Local
Government Auditors (ALGA).
The peer review shall use applicable government auditing standards to evaluate
the quality of audit effort and reporting. Specific quality review areas shall include
staff qualifications, adequacy of planning and supervision, sufficiency of work
paper preparation and evidence, and the adequacy of systems for reviewing
internal controls, fraud and abuse, program compliance, and automated systems.
The peer review shall also assess the content, presentation, form, timelines, and
distribution of audit reports. The commission shall pay for the costs of the peer
review.
A copy of the written report of such independent review shall be furnished to the
CAE, BOC and AOC.
VIII. Chief Audit Executive Provisions
The term of office of the Chief Audit Executive shall be five (5) years and until his
or her successor is qualified and appointed. The CAE shall be limited to a
maximum of two (2) terms in office. In addition, the position of the CAE shall be
nonpartisan. Qualifying for election to a public office shall constitute a resignation
from the position as of the date of qualifying.
⁵ GAS 5.44 - Requirements: Monitoring of Quality, page 91
Procedure 1.02
Page 1 of 6
Office of Independent Internal Audit
Audit Function
Procedures Manual
Chapter 1
Procedure 1.02 - Types of Audits Performed
Purpose:
This procedure defines the different types of work that the Office of Independent Internal
Audit (OIIA) can perform depending on the objectives. Engagements may have a
combination of objectives that include more than one type of work. In cases where
different standards could apply to an objective, auditors should consider users' needs
and the auditors' knowledge, skills, and experience in deciding which standards to
follow.
Authority:
Government Auditing Standards (GAS): GAS 2.01-2.04; GAS 2.07-2.08, Financial Audits;
GAS 2.09, Attestation Engagements; GAS 2.10-2.11, Performance Audits; GAS 2.12,
Nonaudit Services (professional services other than audits or attestation engagements);
GAS 3.33-3.59, Independence When Performing Nonaudit Services
Applicability:
Most of the OIIA engagements will follow performance audit standards. If the team
decides other standards are applicable, the team will document the decision following
the initial planning meeting (See Chapter 2 Procedure 2.03).
Subject: Introduction
Procedure Number: 1.02
References: GAS 2.01-2.04, 2.07-2.08 - Financial Audits; 2.09 - Attestation Engagements; 2.10-2.11 - Performance Audits; 2.12 - Nonaudit Services; 3.33-3.59 - Independence When Performing Nonaudit Services
Issue Date:
Effective:
Approved: John L. Greene, Chief Audit Executive
Amended:
Types of Audits:
I. Financial Audits
The primary purpose of a financial audit is to provide reasonable assurance about
whether an entity's reported financial condition, results or use of resources are
presented fairly in accordance with recognized criteria - such as financial statement
audits, management letters, single audits, or special reports for portions of financial
statements or reviewing interim financial information.
While the OIIA does not conduct the annual audit of the DeKalb County financial
statements, the OIIA may conduct financial audits in conjunction with other audit
objectives. GAS incorporates American Institute of Certified Public Accountants'
(AICPA) Statements on Auditing Standards (SAS). GAS also prescribes general
standards and additional fieldwork and reporting standards beyond those provided
by the AICPA when performing financial audits.
OIIA performs audits related to the achievement of one or more financial assertions
(existence or occurrence, completeness, valuation and allocation, rights and
obligations, presentation, disclosure). In addition, the OIIA provides reasonable assurance
related to the design and operation of key controls related to financial activities and
the efficiency and effectiveness of the processes. Other types of financial audits
include auditing compliance with applicable compliance requirements relating to one
or more government programs.
II. Attestation Engagements
The primary purpose of an attestation engagement is to provide a specified level of
assurance about whether a management report or assertion is consistent with stated
criteria that are the responsibility of another party. Attestation engagements may
cover a broad range of financial or non-financial subjects and can be part of financial
or performance audits; however, lower levels of assurance (review or agreed-upon
procedure) engagements should not be used for reporting on internal controls or
compliance with provisions of laws and regulations. Possible subjects of attestation
engagements include:
• Internal control over financial reporting.
• Compliance with requirements of specified laws, regulations, rules,
contracts or grants.
• Prospective financial statements or pro-forma financial information.
• The accuracy and reliability of reported performance measures.
• The allowability and reasonableness of proposed contract amounts that
are based on detailed costs.
For attestation engagements, GAS incorporates AICPA Statements on Standards
for Attestation Engagements (SSAE). GAS also prescribes general standards and
additional fieldwork and reporting standards beyond those provided by the AICPA
for attestation engagements.
The OIIA does not conduct attestation engagements.
III. Performance Audits
The primary purpose of a performance audit is to provide objective analysis so that
management and those charged with governance and oversight can use the
information to improve program performance and operations and contribute to
public accountability. A performance audit provides findings or conclusions based
on an evaluation of sufficient, appropriate evidence against criteria. Performance
audits may be broad or narrow in scope and encompass a variety of objectives,
including assessing program efficiency, effectiveness, equity, internal control
(guidance from the Committee of Sponsoring Organizations' Internal Control - Integrated
Framework), compliance with legal or other requirements, and objectives related to
prospective analyses.
IV. Information Systems Audits
The primary purpose of an Information Systems (IS) audit is to provide assurance
related to the design and operation of general control activities or specific
application control activities. Information Systems auditing can be broken down
into two broad categories.
1. The first category is auditing of IS general controls. Evaluation of IS general
controls may include:
• Logical access controls over infrastructure, applications, and data.
• System development life cycle controls.
• Program change management controls.
• Data center physical security controls.
• System and data backup and recovery controls.
• Computer operation controls.
2. The second category is auditing of Information System (IS) application
controls. IS application control auditing evaluates the internal control
environment over individual computer applications or programs. Evaluations of
existing applications may include a review to:
• Ensure the input data is complete, accurate, and valid.
• Ensure the internal processing produces the expected results.
• Ensure the processing accomplishes the desired tasks.
• Ensure output reports are protected from disclosure.
Also, Information Technology auditing focuses on the organization's Information
Security Program. This program should be designed to protect the information and
systems that support the operations and assets of the organization. Safeguarding each
system at DeKalb County means ensuring that the following security objectives can be
realized for its information:
• Confidentiality - Protecting information from unauthorized access and disclosure.
• Integrity - Assuring the reliability and accuracy of information and IT resources by
guarding against unauthorized information modification or destruction.
• Availability - Defending information systems and resources to ensure timely and
reliable access and use of information.
These audits are conducted in accordance with applicable standards set forth by
professional associations representing internal auditors, such as the Information
Systems Audit and Control Association (ISACA) and other professional information
systems organizations; the auditor should also be mindful of Government
Auditing Standards.
V. Professional Services Other than Audits
GAS does not cover nonaudit services and requires audit organizations to
communicate with requestors and those charged with governance that such work
does not constitute an audit conducted in accordance with GAS. Further, GAS
recognizes that certain nonaudit services impair an audit organization's
independence and limits nonaudit services that may be provided (GAS 3.45; 3.50-
3.58). For nonaudit services not specifically prohibited, GAS requires audit
organizations to evaluate threats to independence and to apply safeguards to
reduce any identified threat to an acceptable level (GAS 3.34-3.39).
It is OIIA policy not to take on nonaudit services that could impair our organizational
independence to conduct audits. If the CAE or Audit Oversight Committee
determines that it is in DeKalb County's best interest to provide limited advisory
services to management that are beyond the scope of routine activities identified in
GAS 3.40-3.41, the CAE or OIIA staff is responsible for documenting:
• Consideration of threats to independence that require the application of
safeguards (GAS 3.24).
• Objectives of the nonaudit service.
• Services to be performed.
• The auditor's responsibilities.
• Any limitations of the nonaudit service (GAS 3.39).
The OIIA staff member assigned to provide the service is responsible for
documenting management's assurance that it:
• Assumes all management responsibilities.
• Has designated a qualified individual to oversee the service.
• Will evaluate the adequacy and results of the service.
• Accepts responsibility for the results of the service (GAS 3.37).
The OIIA may provide targeted and limited advice to management consistent with
GAS 3.40-3.41. Such advice should generally be communicated in writing, signed
by the CAE, and a record kept in the correspondence file. OIIA staff members may
from time to time serve on DeKalb County committees or task forces in a purely
advisory capacity with the CAE's approval. Specific actions to avoid are:
• Voting on any issues that include internal controls, program objectives,
etc.
• Participating in designing or implementing internal controls.
• Fulfilling a management function or making a management decision, for
example:
  o Setting policies and strategic direction for the audited entity;
  o Directing and accepting responsibility for the actions of the audited
    entity's employees in the performance of their routine, recurring
    activities;
  o Having custody of an audited entity's assets;
  o Reporting to those charged with governance on behalf of
    management;
  o Deciding which of the auditor's or outside third party's
    recommendations to implement;
  o Accepting responsibility for the management of an audited entity's
    project;
  o Providing services that are intended to be used as management's
    primary basis for making decisions that are significant to the subject
    matter of the audit;
  o Developing an audited entity's performance measurement system
    when that system is material or significant to the subject matter of
    the audit.
• Accepting responsibility, such as a director or member of management, of
a program that may be audited.
• Seeking employment with the organization(s) for which the nonaudit
service is being rendered.
Providing information, training, and technical assistance to the DeKalb County
Board of Commissioners or other external oversight bodies or conducting other
types of independent work, such as investigating hotline complaints and following
up on open audit recommendations, does not impair the organization's
independence to conduct audits.
Procedure 1.03
Page 1 of 3
Office of Independent Internal Audit
Audit Function
Procedures Manual
Subject: Introduction
Procedure Number: 1.03
References: Government Auditing Standards, 2011 Revision
Issue Date:
Effective:
Approved: John L. Greene, Chief Audit Executive
Amended:
Chapter 1
Procedure 1.03 - Government Auditing Standards
Purpose:
The Office of Independent Internal Audit (OIIA) is committed to achieving a high level of
audit quality by performing its audit work in accordance with the Government Auditing
Standards.
Authority:
Government Auditing Standards (GAS),¹ also known as the "Yellow Book" promulgated
by the Comptroller General of the United States and published by the United States
Government Accountability Office (GAO).
Applicability:
The OIIA staff members will follow GAS for all financial and performance audits and
attestation engagements performed by the OIIA. OIIA staff members are responsible for
familiarizing themselves with and adhering to GAS.
Generally Accepted Government Auditing Standards (GAGAS):
I. General Auditing Standards
Independence: In all matters relating to the audit work, the audit organization and
the individual auditor, whether government or public, must be independent.
¹ The current version of GAS was published in December 2011 and is available on the GAO website at
http://www.gao.gov/assets/590/587281.pdf. This revision supersedes the 2007 revision.
Professional Judgment: Auditors must use professional judgment in planning and
performing audits and in reporting the results.
Competence: The staff assigned to perform the audit must collectively possess
adequate professional competence needed to address the audit objectives and
perform the work in accordance with GAGAS.
Quality Control and Assurance: Each audit organization performing audits in
accordance with GAGAS must:
a. Establish and maintain a system of quality control that is designed to provide
the audit organization with reasonable assurance that the organization and its
personnel comply with professional standards and applicable legal and
regulatory requirements.
b. Have an external peer review performed by reviewers independent of the
audit organization being reviewed at least once every 3 years.
II. Fieldwork Standards for Performance Audits
Planning: Auditors must adequately plan and document the planning of the work
necessary to address the audit objectives.
Supervision: Audit supervisors or those designated to supervise auditors must
properly supervise audit staff.
Evidence: Auditors must obtain sufficient, appropriate evidence to provide a
reasonable basis for their findings and conclusions.
Audit Documentation: Auditors must prepare audit documentation related to
planning, conducting, and reporting for each audit. Auditors should prepare audit
documentation in sufficient detail to enable an experienced auditor, having no
previous connection to the audit, to understand from the audit documentation the
nature, timing, extent, and results of audit procedures performed, the audit evidence
obtained and its source and the conclusions reached, including evidence that
supports the auditors' significant judgments and conclusions. An experienced
auditor means an individual (whether internal or external to the audit organization)
who possesses the competencies and skills that would have enabled him or her to
conduct the performance audit. These competencies and skills include an
understanding of (1) the performance audit processes, (2) GAGAS and applicable
legal and regulatory requirements, (3) the subject matter associated with achieving
the audit objectives, and (4) issues related to the audited entity's environment.
III. Reporting Standards for Performance Audits
Form: Auditors must issue audit reports communicating the results of each
completed performance audit.
Report Contents: Auditors should prepare audit reports that contain (1) the
objectives, scope, and methodology of the audit; (2) the audit results, including
findings, conclusions, and recommendations, as appropriate; (3) a statement about
the auditors' compliance with GAGAS; (4) a summary of the views of responsible
officials; and (5) if applicable, the nature of any confidential or sensitive information
omitted.
Report Distribution: Distribution of reports completed under GAS depends on the
relationship of the auditors to the audited organization and the nature of the
information contained in the report. Auditors should document any limitation on
report distribution. The following discussion outlines distribution for reports
completed in accordance with GAGAS:
a. Audit organizations in government entities should distribute audit reports to
those charged with governance, to the appropriate audited entity officials, and
to the appropriate oversight bodies or organizations requiring or arranging for
the audits. As appropriate, auditors should also distribute copies of the
reports to other officials who have legal oversight authority or who may be
responsible for acting on audit findings and recommendations, and to others
authorized to receive such reports.
b. Internal audit organizations in government entities may also follow the
Institute of Internal Auditors' (IIA) International Standards for the Professional
Practice of Internal Auditing. In accordance with GAGAS and IIA standards,
the head of the internal audit organization should communicate results to
parties who can ensure that the results are given due consideration. If not
otherwise mandated by statutory or regulatory requirements, prior to releasing
results to parties outside the organization, the head of the internal audit
organization should: (1) assess the potential risk to the organization, (2)
consult with senior management or legal counsel as appropriate, and (3)
control dissemination by indicating the intended users of the report.
c. Public accounting firms contracted to perform an audit in accordance with
GAGAS should clarify report distribution responsibilities with the engaging
organization. If the contracting firm is responsible for the distribution, it should
reach agreement with the party contracting for the audit about which officials
or organizations will receive the report and the steps being taken to make the
report available to the public.
Procedure 1.04
Page 1 of 5
Office of Independent Internal Audit
Audit Function
Procedures Manual
Chapter 1
Procedure 1.04 - Audit Process Overview
Purpose:
Audits conducted by the Office of Independent Internal Audit (OIIA) comply with
Government Auditing Standards. The audit process ensures and supports compliance
with Government Auditing Standards.
Authority:
Government Auditing Standards (GAS) also known as the "Yellow Book" promulgated
by the Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
The audit process and TeamMate (Audit Management Software) procedures are to
be followed for each audit engagement unless an exception is approved and
documented. The office's compliance with Government Auditing Standards shall be
achieved and demonstrated through adherence to the audit process and TeamMate
procedures, as well as adequate documentation, supervision, and communication.
Subject: Audit Fieldwork
Procedure Number: 1.04
References: GAS 3.92, GAS 6.06-6.34, GAS 6.36, GAS 6.47-6.50
Issue Date:
Effective:
Approved: John L. Greene, Chief Audit Executive
Amended:
Audit Process
I. Introduction
Before an audit is assigned, the Internal Audit Management team formulates
preliminary objectives of engagements through a review of the annual internal
audit plan and prior engagement results, discussions with stakeholders, and
consideration of the mission, vision, and objectives of the area or process under
review. The preliminary objectives are further enhanced through risk assessment
exercises to cover the governance, risk management, and controls of the area or
process under review.
Although every audit project is unique, the audit process is similar for most
engagements and normally consists of four stages: Planning (sometimes called
Survey or Preliminary Review), Fieldwork, Reporting, and Follow-up Review.
Client involvement is critical at each stage of the audit process.
II. Planning
(Refer to OIIA Chapter 2 - Project Initiation and Planning Procedures)
Internal auditors typically gather information regarding the audit client's policies and
procedures and seek to understand any Information Technology systems used by
the area under review, along with sources, types, and reliability of information used
in the process and those that will be evaluated as evidence. Internal auditors also
obtain and review the results of work performed by other internal or external
assurance providers and/or prior audit results from the area or process under
review, if applicable.
While planning an engagement, internal auditors establish the engagement's
objectives and scope in conformance with GAS Standard Planning 6.06-6.09. Doing
so allows internal auditors to consider what should be tested in the process or area
under review. It also enables them to prioritize the areas within the engagement
scope based on the significance of the risks identified. Priority is generally
determined by the likelihood of a risk occurrence and the impact that risk would have
on the organization if it occurred. Risks with a higher likelihood of occurrence and
the greatest impact are generally given the highest priority for testing.
Preliminary Survey
In this phase the auditor gathers relevant information about the entity in order to
obtain a general overview of operations. Internal auditors typically talk with key
personnel who work in the area or process under review and review reports, files,
and other sources of information. This will enhance the auditor's understanding and
lead to more effective engagement planning.
Internal Control Review (Risk Assessment & Fraud Considerations)
The internal auditor will review the agency's internal control structure, a process
which is usually time-consuming. In doing this, the auditor will use a variety of tools
and techniques to gather and analyze information about the operation. The review
of internal controls helps the auditor determine the areas of highest risk and design
tests to be performed in the fieldwork section.
Narrative or flowchart
Prepare the process narrative or flowchart to document the process under audit
based on discussions held with individuals familiar with the process.
Engagement Letter
The auditor drafts an engagement letter to the entity head of the audited area
communicating an overview of the objectives, scope, and methodology and the
timing of the performance audit.
Conduct Entrance Conference
This meeting is used to communicate with entity management the reasons for the
audit, describe the audit process, address management's questions or concerns,
identify key contacts, and discuss logistics if necessary.
Audit Program
Preparation of the audit program concludes the preliminary review phase. This
program outlines the fieldwork necessary to achieve the audit objectives.
(The audit program and other planning procedures must be approved in TeamMate prior
to performing fieldwork procedures.)
III. Fieldwork
(Refer to OIIA Chapter 3 - Audit Fieldwork Procedures)
The fieldwork concentrates on transaction testing and informal communications. It is
during this phase that the auditor determines whether the controls identified during
the preliminary review are operating properly and in the manner described by the
client. The fieldwork stage concludes with a list of significant findings, if any, from
which the auditor will prepare a draft of the audit report.
One of the key objectives is to avoid disrupting ongoing activities.
Transaction Testing
After completing the preliminary review, the auditor performs the procedures in the
audit program. These procedures usually test the major internal controls and the
accuracy and propriety of the transactions. Various techniques including sampling
are used during the fieldwork phase.
Advice & Informal Communications
As the fieldwork progresses, the auditor discusses any significant findings with
the client. Hopefully, the client can offer insights and work with the auditor to
determine the best method of resolving the finding. Usually these communications
are oral.
Discussion of Preliminary Results
Once the auditor has completed the fieldwork, the auditor and the OIIA management
team assess the evidence gathered, come to agreement about the major findings
and conclusions and determine whether additional data collection or analysis is
needed based on our overall assessment of evidence, significance, and audit risk.
Afterwards, the auditor will draft a PowerPoint to discuss the preliminary findings
with the client. Our goal: No surprises.
(The fieldwork procedures must be approved in TeamMate prior to performing
reporting procedures.)
IV. Reporting
(Refer to OIIA Chapter 4 - Communicating Results Procedures)
Our principal product is the final report in which we express our opinions, present the
audit findings, and discuss recommendations for improvements.
Draft Report
At the conclusion of fieldwork, the auditor drafts the report. Audit management
thoroughly reviews the audit working papers and the draft report before it is
presented to the client for comment. This discussion draft is prepared for the entity's
operating management and is submitted for the client's review before the exit
conference. This draft report is also submitted to the Audit Oversight Committee for
comment.
Exit Conference
When audit management has approved the draft report, Internal Audit meets with
the entity's management team to discuss the findings, recommendations, and text of
the draft. At this meeting, the client comments on the draft and the group works to
reach an agreement on the audit findings.
Formal Draft Report
The auditor then prepares a formal draft, taking into account any revisions resulting
from the exit conference and other discussions. When the changes have been
reviewed by audit management, the Chief Audit Executive issues the final draft
report to the client for written response to the findings and recommendations within
60 days, as required by law. The client indicates whether they concur or do not
concur with the recommendations, plans for addressing recommendations and a
timetable to complete such activity.
Final Report
Internal Audit distributes the final report, with the client's comments, to the entity's
operating management, senior management of DeKalb County (CEO, COO, &
Deputy COO of the entity), Board of Commissioners, Ethics Officer, the County
Attorney, and the Audit Oversight Committee. If no response is received, Internal Audit
notes that fact in the transmittal letter and the final report is released.
Handling Confidential Information
The office will protect confidential information from unauthorized disclosure and will
handle the withholding of confidential information from audit reports in accordance
with Government Auditing Standards, and applicable laws and regulations.
Guidance on handling confidential information is outlined in OIIA Procedure 1.05,
Handling Confidential and Sensitive Information or Information Exempt from Public
Disclosure. If all or part of an audit is deemed to be confidential, TeamMate
procedures for confidential audits should be followed.
Once the results of a confidential audit (or portion of an audit) are communicated to
authorized recipients, the office will post the name of the report on the OIIA's website
and note that it is confidential; however, the contents of the report will not be
published. The office is committed to transparency in government and will make
every effort to maximize the amount of information provided to the public.
Client Comments
Finally, as part of Internal Audit's self-evaluation program, we ask clients to comment
on Internal Audit's performance through a survey distributed from TeamMate. This
feedback has proven to be very beneficial to us, and may result in changes in our
procedures as a result of clients' comments and/or suggestions.
V. Audit Follow-Up
(Refer to OIIA Chapter 6 - Audit Follow-up Procedures)
Within approximately six months of the final report, Internal Audit will perform a
follow-up review to verify the resolution of the report findings.
Procedure 1.05
Page 1 of 6
Office of Independent Internal Audit
Audit Function
Procedures Manual
Chapter 1
Procedure 1.05 - Handling Confidential and Sensitive Information or
Information Exempt from Public Disclosure
Purpose:
To specify the policies and procedures that apply within the Office of Independent
Internal Audit (OIIA) regarding the use, maintenance, and disclosure of confidential and
non-public (exempt from open records request) information.
Authority:
Government Auditing Standards (GAS) also known as the "Yellow Book" promulgated
by the Comptroller General of the United States and published by the United States
Government Accountability Office. Also, the Georgia Open Records Act, § 50-18-70 et seq.,
provides for exemptions of confidential information that would put the organization at
risk: O.C.G.A. § 50-18-72(a)(1) through (46).
Applicability:
Whenever an engagement includes the handling of confidential and sensitive
information or information exempt from public disclosure, steps should be taken to
prevent unauthorized access and disclosure. To the extent practicable, confidential and
sensitive information or information exempt from public disclosure should not be
mentioned in working papers and audit reports. However, when it is necessary, as part
of the labeling of the documents, the specific Act or law that provides the exemption
should be cited.
Subject: Confidential and Non-Public Information
Procedure Number: 1.05
References: GAS 6.63-6.69, GAS 9.61-9.67 Reporting Confidential and Sensitive Information; GAS 6.70 Distributing Reports; GAS 9.10-9.17, Report Contents; Georgia Open Records Act 50-18-70
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended: 2/28/2020
The following are the most common examples of confidential and exempt information
encountered within OIIA activities (this list is not comprehensive):
• Individual Social Security Numbers which have been lawfully collected during
the course of an audit from program areas are confidential and exempt from
public inspection.
• The identity of an individual disclosing information pursuant to the
Whistle-Blower Act.
• Information received in an investigation designated as whistle-blower while
the investigation is active.
• Risk analysis information, as a result of audits and evaluations relating to
security of data and information technology resources, and internal policies
and procedures which, if disclosed, could facilitate the unauthorized
modification, disclosure, destruction of data or information technology
resources, or expose the County to risks.
• Information security and Information Technology documentation, data or
information that would expose the County to risks.
• Personally identifiable information related to customers, County residents,
and employees.
Audit reports with confidential, sensitive, nonpublic information, or information that could
put the County at risk will not be published on the OIIA website. In addition, such reports
will be discussed in person and copies collected at the end of discussion. All nonpublic,
confidential, sensitive information should be redacted or omitted, whichever is deemed
appropriate by the CAE. In the case where the subject of the entire report (as in the case
with security) is exempt from public disclosure by state law, the completion of the audit
will be reported on the OIIA website but the law exempting the report from public
disclosure will be referred to instead.
Work Papers and Audit Documentation
Whenever audit work papers and documentation will need to include confidential
information or information exempt from public disclosure, steps will be taken to prevent
unauthorized disclosure. The information should be secured with a password and/or
redacted.
The Audit Manager and/or Auditor in charge will possess the password for such files. The
name of all electronic files, containing confidential or information exempt from public
disclosure, will contain the word "Confidential" in the name.
All audit files containing working papers with information that is exempt from public
disclosure, whether electronic or hard copy, are required to contain the OIIA
Confidentiality Statement template which includes the following:
OIIA Confidentiality Statement
(This statement should be placed in the hard and/or electronic copy)
"These project working papers and any associated reports may contain
information which is confidential and exempt from inspection and copying.
Office of the Independent Internal Audit (OIIA) project working papers are
subject to laws related to their disclosure. Information should not be
released without complying with the process which ensures that any
appropriate information is redacted prior to project working papers and any
associated reports being released. OIIA project working papers are to be
disclosed only in compliance with OIIA Procedure 1.05 of the Policies and
Procedural Manual."
Whenever requesting information that is confidential and exempt from public disclosure,
precautions should be taken to obtain the information in a secure manner. The auditor
should advise management of the Office procedures for handling confidential and
sensitive information. A memorandum (see templates for a copy of the
memorandum) to management should be prepared outlining the items that are
considered confidential, the persons the audit believes will provide the information, the
secure method that will be used to provide the requested information or documentation,
and requesting that management contact audit management if any other requests are
made that are also confidential that were not included in the memorandum. Also, the
auditor should follow Office procedures for safeguarding confidential and sensitive
information.
Handling Confidential, Sensitive, and Nonpublic Information:
Emailing Confidential Information:
Documents, reports, or forms that contain confidential and sensitive information or
information exempt from public disclosure should be password protected before they are
attached to an email. Also, the following statements should be added to the body of any
email with a confidential attachment.
The document attached to this email is password protected. Please contact
________ at XXX-XXXX to obtain the password. This email and any attachments
may contain information that is exempt from disclosure under applicable law. Do not
release or disseminate without prior coordination with the OIIA.
Release of Work papers and Audit Documentation:
No workpapers will be released to anyone outside of the office without the Chief Audit
Executive's (CAE) prior knowledge. Incomplete workpapers are generally not
considered final and should not be released for fear of misinterpretation, etc. In the
event that the CAE cannot be reached, workpapers that are open to the public may be
copied at the expense of the requester, and the CAE should be immediately informed.
No documents/workpapers should be released without also consulting the Office's
General Counsel.
Workpapers and other audit documentation released internally that contain confidential,
sensitive, and nonpublic information will be distributed using the following procedures:
• The documents should be marked confidential.
• The documents should be distributed to management via secure methods.
• The document should include the Office's confidential statement.
CONFIDENTIALITY NOTICE: The Office of Independent Internal Audit intends for these
documents to be used only by the person(s) or entity to which they are addressed. The
documents may contain confidential, sensitive, nonpublic information or information that
could put the County at risk. If the reader is not the intended recipient of this message
or an employee or agent responsible for delivering the message to the intended
recipient, you are hereby notified that you are prohibited from printing, copying, storing,
disseminating or distributing this communication. If you received this communication in
error, please delete it from your computer and notify the sender by reply e-mail.
Requests for the disclosure of information contained within, or referred to by, the
audit report of the OIIA concerning security for the protection of confidential and
exempt data, software support, authentication, logging and separation of duties.
Preserving the confidentiality of sensitive documents is eminently reasonable, but
nonetheless requires compliance with the Georgia Open Records Act (O.C.G.A. § 50-18-70
through -77). The legislative findings of the Open Records Act include these
statements of policy:
The General Assembly ... finds and declares that there is a strong
presumption that public records should be made available for public
inspection without delay. This article [of the law] shall be broadly
construed to allow the inspection of governmental records. The exceptions
set forth in this article, together with any other exception located
elsewhere in the Code, shall be interpreted narrowly to exclude only those
portions of records addressed by such exception.
O.C.G.A. § 50-18-70(a). In addition to this disclosure mandate, Section 10A(n)(9)(D) of
the Organizational Act of DeKalb County (2015 Ga. Laws 3826) states unequivocally
that the AOC to which the OIIA reports has the duty of "Ensuring that
audit reports are transmitted to the governing authority and to the public."
This rule of disclosure has specific exceptions, one of which applies to data and other
information needed for the protection of security operations for which access must be
limited. Section 50-18-72(a) of Georgia's Open Records Act provides that public
disclosure shall not be required for:
(25)(A) Records the disclosure of which would compromise security
against sabotage or criminal or terrorist acts and the nondisclosure of
which is necessary for the protection of life, safety, or public property,
which shall be limited to the following:
i. Security plans and vulnerability assessments for any public utility,
   technology infrastructure, building, facility, function or activity in effect
   at the time of the request for disclosure or pertaining to a plan or
   assessment in effect at such time.
ii. Any plan for protection against terrorist or other attacks that
   depends for its effectiveness in whole or in part upon a lack of
   general public knowledge of its details.
iii. Any document relating to the existence, nature, location, or function
   of security devices designed to protect against terrorist or other
   attacks that depend for their effectiveness in whole or in part upon a
   lack of general public knowledge.
iv. Any plan, blueprint, or other material which if made public could
   compromise security against sabotage, criminal, or terroristic acts.
v. Records of any government sponsored programs concerning training
   relative to governmental security measures which would identify
   persons being trained or instructors or would reveal information
   described in divisions (i) through (iv) of this subparagraph.
The plans, vulnerability assessments, records, documents, data, blueprints or other
material to be shielded from disclosure must meet one or more of the criteria listed
in O.C.G.A. § 50-18-72(a)(26)(A), set out above, to be properly withheld, in whole
or in part, as necessary for the protection of County property and operations from
hacking and related attacks.
The need for shielding the data and documents in question must be balanced with
the obligations of our office under state law specific to the OIIA:
A final draft of the audit report shall be forwarded to the AOC, the
CEO, the BOC, and the audited agency for review and comment
regarding factual content prior to its release under Section 10AU)(4) of
the Organizational Act of DeKalb County.
To meet these competing requirements, we should invite members of the
Board of Commissioners and the Audit Oversight Committee to our office to
review the draft audit report with the specific issues identified that have been
provided to appropriate DeKalb County management responsible for making
corrections or other responses to the draft.
We should meet with the DeKalb County management responsible for this
confidential and highly sensitive data to discuss whether such information should
be released for review. Copies, photos or any other record of the confidential and
highly sensitive data will not be allowed. Our objective is to comply with
the specific obligations of the OIIA pursuant to the Georgia Open Records Act
while maintaining the confidentiality and integrity of data and operations that
protect against sabotage and other attacks against County property and
operations.
Procedure
1.06
Page 1 of 6
Office of Independent Internal Audit
Audit Function
Procedures Manual
Chapter 1
Procedure 1.06 - TeamMate Audit Management Software Introduction
Purpose:
To specify the policies and procedures that apply within the Office of Independent
Internal Audit (OIIA) regarding the use of the TeamMate Audit Management (AM)
software in the management of audit documentation. This policy is not intended to, and
does not, replace the available TeamMate User Manuals on how to perform
tasks/activities referenced in this document.
Authority:
Government Auditing Standards (GAS) also known as the "Yellow Book" promulgated
by the Comptroller General of the United States and published by the United States
Government Accountability Office. GAS requires that auditors must prepare audit
documentation related to planning, conducting, and reporting for each audit. GAS does
not specifically require the use of electronic audit documentation/workpapers. However,
OIIA utilizes the TeamMate AM primarily for management of audit documentation and
quality control.
Applicability:
Whenever a project is initiated by OIIA, all stages of the project, including initial creation
of project, planning, fieldwork, reporting and follow-up, along with all workpapers and
related supporting evidence are documented in TeamMate AM. Audit management
review/supervision of work done is also documented within TeamMate. The OIIA Policy
and Procedures manual references the use of TeamMate AM where applicable in the
performance of procedures and the management of audit workpapers. (See also OIIA
Policy and Procedure 3.03 Audit Workpapers.)
Subject: Confidential and Non-Public Information
Procedure Number: 1.06
References: GAS 8.132-8.139, Audit Documentation
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended:
Custom TeamMate Policies that Impact Key Audit Activities
1. Creating/Modifying User Profiles
• Only TeamMate Champions, who have administrative access to the
  'TeamAdmin' module can add, deactivate and otherwise modify user profiles and
  application access rights. All user profile/access changes should have the prior
  authorization of the CAE. CAE authorization is documented using the
  TEAMMATE ACCESS REQUEST/CHANGE FORM 1.06.01.
• The CAE, at least quarterly, shall review the TeamMate application access of
  users for any unauthorized changes.
• New users should only be added using the 'Add from Active Directory'. The 'Add
  User' link should not be used.
• User Authentication: TeamMate user login utilizes the Microsoft Windows
  Authentication process. TeamMate user identity will be automatically
  authenticated/verified via Windows Authentication whenever the TeamMate
  application/module is initialized.
2. Application Access
In creating the user profile in TeamMate, the TeamMate Champions will also
set/register the Application Access levels for each user, as authorized by the CAE.
Users are granted various application access levels to TeamMate modules depending
on their role in OIIA. The available TeamMate Application Modules are accessible from
the TeamMate 'Launchpad' (see the screenshot below):
Y:\FORMS & TEMPLATES\GENERAL\2019\TeamMate Application Access Request_Change Form_l.06.01
User Application Access Policy
User                      Application Access
Chief Audit Executive     User/Resource/Audit Management
Audit Manager             User/Resource/Audit Management
Senior Auditor/Auditor    User/Resource
TeamMate Champion         Administrator/Resource
For a description of each application access type please review the
TeamMate-AM-Roles.pdf document.
Application Access Table in TeamAdmin
3. Creating Project Master File
All OIIA projects should be registered/created in the TeamAdmin module. Audit
Projects can only be created from within 'TeamAdmin' by the TeamMate Champion.
Naming a Project
1. Project Code format: Audit Plan Year - Project number of audits for the year
   - Acronym representing responsible department to audit. For example:
   2019-001-WM
2. Project Name: YYYY- and brief phrase indicating the nature of the project. YYYY =
   Audit Plan Year
Project Details
3. Audit Plan: Audit should be assigned to the appropriate annual audit plan.
4. Start Date: Project Start Date - defined as the date when planning is anticipated to
   commence.
All project fields, such as 'Entities', 'Type' and 'Scope', as well as the tabs for
'Background Information' and preliminary 'Engagement Objectives' should be
completed if known/info available at this stage.
Scheduling a project
OIIA policy - 'TeamSchedule' Module should be used to assign resources to a project.
At a minimum, the Project Manager and Project lead should be designated. Only the
TeamMate Champions, Audit Managers, and the CAE can schedule projects and assign
projects in TeamSchedule. The lead auditor can also schedule projects from within
TeamEWP.
Initializing Audit Projects in TeamMate EWP
Created Audit Projects should be initialized from the TeamMate EWP module. Policy:
Only the assigned Project Manager or the Project Lead can initiate an Audit Project into
EWP. TeamMate Champions can also initialize projects due to their administrative
access, but should generally only initialize projects for which they are the Project
Manager or auditor in charge or to help troubleshoot a TeamMate issue.
Other assigned project staff are not able to initiate a project from EWP. Once a project
is initiated, i.e. 'brought' into EWP, it will become visible/available to other project
members within EWP and will also become available for time tracking in TeamTEC,
the time tracking module.
Policy: Project members can only charge time to projects in TeamTEC after the project
has been initiated/ 'brought' into EWP. Note: if that project member's access is "read
only" they will not be able to charge time to project.
4. Assigning Project User Roles.
Project level roles assigned for users. The following are the standard project roles in
TeamMate:
TeamMate User Guide page 43.
The OIIA default policy is to assign team members the project roles of
Preparer/Reviewer for initialized projects. TeamMate Champions by default have the role of
Project Owners/Administrators. The CAE by default is added to every initiated project
with the role of 'Read Only'.
The following project roles should be assigned to staff:
Title                       TeamMate Project Role
Chief Audit Executive       Read Only (default project template)
Audit Manager               Preparer/Reviewer
Auditor in Charge (Lead)    Preparer/Reviewer
Auditor                     Preparer
Administrative Assistant    Preparer
Interns                     Preparer
TeamMate Champion           Administrator/Project Owner (default project template)
5. Other Changes/Modifications to TeamMate Configuration
Any changes/modifications to TeamMate should be done only by the TeamMate
Champions. All major changes/modifications should be first authorized by the CAE.
CAE authorization for changes/modifications should be documented using the
TEAMMATE APPLICATION MODIFICATION REQUEST FORM 1.06.02. Major
changes include changes to TeamMate system policy and major changes to the EWP audit
project template that involve new default procedures/steps. Adding an audit project,
previously approved in the OIIA annual audit plan, to TeamMate or correcting
grammatical errors does not require the use of the TeamMate Application Modification
Request Form.
6. User Manual References
Detailed references on how to perform specific activities mentioned in this policy can be
found in the TeamMate User Guides located here: C:\Program Files (x86)\TeamMate\Help\
OR accessible via the link on the top right corner of the TeamMate 'Launchpad'.
Y:\FORMS & TEMPLATES\GENERAL\2019\TeamMate Application Modification Request Form_l.06.02
Procedure 1.07
Page 1 of 5
Office of Independent Internal Audit
Audit Function
Procedures Manual
Chapter 1
Procedure 1.07 - Nonaudit Services: Contract Reviews
Purpose:
To provide an overview of the procedures for performing nonaudit services specifically
related to the review of solicitations and contracts as requested by the DeKalb County
Board of Commissioners (BOC).
Authority:
Government Auditing Standards (GAS) GAS 3.64-3.84, Provision of Nonaudit Services
to Audited Entities; GAS 3.85-3.106, Consideration of Specific Nonaudit Services
Applicability:
GAS recognizes auditors have traditionally provided a range of nonaudit services that
are consistent with their skills and expertise. This procedure applies to the provision of
the nonaudit service for reviews of proposed contracts as requested by the BOC.
Please see Procedure 1.02 - Types of Audits Performed, III - Professional Services
Other than Audits.
Subject: Introduction
Procedure Number: 1.07
References: GAS 3.64-3.84, Provision of Nonaudit Services to Audited Entities; GAS 3.85-3.106, Consideration of Specific Nonaudit Services
Issue Date: 12/06/2019
Effective: 01/02/2020
Approved: John L. Greene, Chief Audit Executive
Amended:
Contract Reviews
I. Overview
Our review of proposed awards is a nonaudit service, as defined by GAS. These
reviews will be limited to the contract reviews requested by the BOC. Also, these
reviews will be limited to the supporting documentation, pre-award procedural
documentation for the respective solicitation, renewal(s), and change order(s). These
requests normally involve the following types of procurement activities:
• Invitations to Bid (ITBs)
• Requests for Proposals (RFPs)
• Renewals of existing contract(s)
• Change orders of existing contract(s)
The objective of our review is to determine whether the information provided in the
proposed contract award, contract renewal, change order, and related documents is
supported. Also, the review may identify more potentially cost-effective alternatives for
management and the BOC to consider.
These reviews are to provide the BOC assurance of the processes performed by
management in performing their procurement and contracting responsibilities. They are
not intended to substitute for management responsibilities for procurement, purchasing,
and contracting. Also, these reviews constitute non-audit services as outlined by
government auditing standards. The Government Auditing Standards require the Office
of Independent Internal Audit (OIIA) to evaluate the acceptance of nonaudit services as
a threat to independence and apply safeguards. The OIIA has developed a contract
review framework that outlines the following safeguards in place for contract reviews:
Safeguards
To ensure that the OIIA remains independent and objective as outlined in the standards,
the following safeguards will be implemented, along with the acceptance of the nonaudit
work outlined above. Where safeguards will not sufficiently mitigate the threats to
independence then the OIIA will not accept the review request.
• The results of our review will not include a decision regarding the approval of the
  solicitation, renewal(s), and change order(s) reviewed. The decision regarding
  approval will remain the responsibility of management and the BOC.
• The conclusions in the review reports will be limited to assurance regarding the
  reliability and validity of the analysis and assessments performed by
  management. Assurance is a well-established internal audit function.
• As an additional safeguard, staff managing and performing reviews under this
  framework will refrain from working on any regular audits of the procurement,
  purchasing, and contracting processes and functions.
• The management and staff performing these reviews will refrain from providing,
  designing, and developing any policies and procedures related to these or any
  other processes. These responsibilities belong to management and will impair
  the objectivity and independence of the OIIA.
• Quality control reviews of regular audit engagements related to procurement,
  purchasing, and contract-related processes will not be performed by any staff
  who worked on the reviews of proposed contract awards.
II. Contract Review Initiation
Only requests from the BOC and its subcommittees will be considered by the OIIA. The
BOC request must be in writing before the OIIA can accept it.
Only the Chief Audit Executive (CAE), Deputy Chief Audit Executive or their delegates
can decide to accept or deny a request. In evaluating the request, the CAE may
consider various factors, such as resource availability, possible threats to
independence, and safeguards in place. The CAE shall provide the decision to the
review request in writing.
If the request is accepted, the CAE/DCAE shall assign the project to the manager and
auditor in charge. A project should be created in TeamMate for each accepted review
request. TeamMate project codes for these reviews shall be prefaced by CR for
contract review. The following format shall be used: "CR-2019-Agenda Item# - UD". For
example, agenda item 2019-3681 for Watershed Management would be created in
TeamMate using the following code: CR-2019-3681-WM
III. Conducting the Review
The review methodology may include but is not limited to the following:
1) Obtain and review supporting documentation which may include but is not limited
to the following:
   • Bid Tabulation.
   • Bid Schedule.
   • Request for Proposal scores.
   • Agenda notes.
   • Market Survey.
   • Previous contracts, and contract expenditures related to the proposed award,
     renewal, or change orders.
2) Perform analysis of the contract information and supporting documentation to:
   a. Assess compliance with established policies and procedures, guidance, and
      methodologies.
   b. Validate and assess the information and documentation provided by
      management.
   c. Confirm the accuracy of the information contained in management and applicable
      third-party documentation. Such information will include, but not be limited to, the
      following:
      1) Bid information.
      2) Unit pricing.
      3) Quantities.
      4) Units of measure.
      5) Cost analyses.
      6) Workload output data.
      7) Expenditures listed.
      8) Performance standards.
3) Determine if management considered potential cost-saving alternatives, such as:
   • Piggybacking on existing cooperative agreements with other jurisdictions for
     similar services.
   • Leveraging existing County contracts for similar services.
All documentation for the review should be maintained in TeamMate EWP. The
workpapers should be prepared by the Auditor in Charge and reviewed by the Audit
Manager.
IV. Communicating the Results
Preliminary results and observations should be communicated throughout the review to
the user department and department of purchasing and contracting for validation and
obtaining additional evidence where necessary.
The communication of the final results should be in the form of a written report using
the OIIA contract review report template.
OIIA shall document in the review report whether our work performed confirmed that the
information in the solicitation, renewal(s), and change order(s) reviewed was reliable
and supported by the documentation and information provided by management. In
addition, the review report shall document if contract activities comply with the County's
Purchasing Policy and procedures and Georgia state laws. The conclusion will be
limited to the objectives of the review and should not be construed as a decision
regarding the acceptance of the contract or proposed award. It is the responsibility of
management to make that determination based on information provided by OIIA.
The review report will include the following:
1) A statement regarding the request from management.
2) The objectives and scope of the review.
3) The methodology used to complete the review.
4) An overview of the standards related to nonaudit services.
5) Management's acceptance of their responsibilities.
6) OIIA's responsibilities.
7) Limitations on the provision of nonaudit services.
8) Conclusion on the reliability and validity of the information provided related to the
   contract(s) under review.
The draft report should be prepared by the auditor-in-charge. The draft report should
then be reviewed by the Audit Manager and approved by the Chief Audit Executive.
The final report should be communicated to the user department(s) and the Department
of Purchasing and Contracting, Chief Operating Officer, and the BOC committee
members who requested the review. The Audit Manager, CAE or the Deputy CAE
should communicate the final report. The final report will also be posted to the OIIA's
website.
Procedure
2.01
Page 1 of 3
Office of Independent Internal Audit
Audit Function
Procedures Manual
Subject: Project Initiation and Planning
Procedure Number: 2.01
References: House Bill 599 (2015 Ga. Laws 3826); DeKalb County, Georgia - Code of Ordinances / Organizational Act Section 10A - Independent Internal Audit; GAS 3.01-3.117 - Ethical Principles, Independence, and Professional Judgement
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended:
Chapter 2
Procedure 2.01 - Annual Audit Plan
Purpose:
The purpose of the Office of Independent Internal Audit (OIIA) annual and long-term
audit plan (commonly referred to as the OIIA Work Plan) is to identify, select, and plan
the audits and reviews that provide the most benefit to DeKalb County. Due care
must be exercised in preparing the OIIA Work Plan to ensure that realistic, realizable
goals are set.
Authority:
House Bill 599 (2015 Ga. Laws 3826) enacted by Georgia General Assembly signed
into law on May 12, 2015, and incorporated into DeKalb County, Georgia - Code of
Ordinances / Organizational Act Section 10A - Independent Internal Audit. Government
Auditing Standards (GAS) also known as the "Yellow Book" promulgated by the
Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
The Chief Audit Executive (CAE) is responsible for preparing and submitting an annual
audit schedule.
Annual Audit Plan:
I. Introduction
Each fiscal year, the CAE shall submit a one-to-five-year audit schedule to the audit
oversight committee and the Commission for review and comment. The schedule
shall include the proposed plan, and the rationale for the selections, for auditing
departments, offices, boards, activities, programs, policies, contractors,
subcontractors, and agencies for the period. This schedule may be amended after
review with the audit oversight committee and the Board of Commissioners, but the
CAE shall have final authority to select the audits planned.
1
II. Risk Assessment and Annual Work Plan
The OIIA Work Plan is based on a risk assessment, staffing allocation, and other
factors. The CAE is responsible for preparing the draft of proposed activities, staffing
allocation, and coordinating the risk assessment.
The CAE will prepare a staffing allocation based upon the staffing for the coming year
and the hours estimated for OIIA Work Plan activities. The CAE shall consider work
in progress, holidays, leave (annual, sick, and administrative), training, and establish
an appropriate reserve for special projects. The CAE shall also consider the technical
knowledge, skills, and experience of staff to ensure the staff collectively possesses
adequate professional competence to perform Work Plan projects.
The risk assessment process shall include input from DeKalb County department
managers and OIIA staff as well as a study of program areas, processes, and systems.
The objective of the risk assessment and OIIA Work Plan development is to provide
the greatest possible assurance that the audit services will benefit DeKalb County.
Although the risk assessment provides a base of information to identify areas that may
need review, a high ranking in the risk assessment is not the only factor used to
determine inclusion in the upcoming years' work plan schedules. Other factors include
audits or reports required by law or statute, in-process audits that will be completed
during the fiscal year, a reserve for future special requests by the Board of
Commissioners, CEO, and others, the need for balanced coverage of DeKalb
County's program areas and available staff resources.
1 House Bill 599 (2015 Ga. Laws 3826) enacted by Georgia General Assembly signed into law on May 12, 2015 and
incorporated into DeKalb County, Georgia - Code of Ordinances / Organizational Act Section 10A - Independent
Internal Audit
The annual and long-range work plans are developed using the results of the risk
assessment. The OIIA Work Plan describes the audit and other activities scheduled
for evaluation and estimates of time available to complete the plan activities. The
annual work plan also considers available staff resources and allows for unplanned
projects or special assignments. The annual and long-range work plans must be
submitted to the Board of Commissioners for review and to the Audit Oversight
Committee for review and approval. The CAE has the final authority to select the
audits planned.
Procedure
2.02
Page 1 of 6
Office of Independent Internal Audit
Audit Function
Procedures Manual
Subject: Project Initiation and Planning
Procedure Number: 2.02
References: House Bill 599 (2015 Ga. Laws 3826); DeKalb County, Georgia - Code of Ordinances / Organizational Act Section 10A - Independent Internal Audit; GAS 3.02-3.16 - Ethical Principles, 3.17-3.108 - Independence, GAS 4.02-4.15 - Competence, GAS 9.10-9.17 Report Content
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended: 2/28/2020
Chapter 2
Procedure 2.02 - Staff Assignments, Independence, and Ethical Principles
Purpose:
The purpose of staff assignments is to ensure that staff members assigned to a project
collectively possess the knowledge, skills, and experience to perform the required tasks
and are independent in fact and appearance and able to exercise objectivity and
professional skepticism. In addition, the purpose is to ensure that staff perform their
work with consideration for the ethical principles described in Government Auditing Standards.
Authority:
House Bill 599 (2015 Ga. Laws 3826) enacted by Georgia General Assembly signed
into law on May 12, 2015, and incorporated into DeKalb County, Georgia - Code of
Ordinances / Organizational Act Section 10A - Independent Internal Audit. Government
Auditing Standards (GAS) also known as the "Yellow Book" promulgated by the
Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
The Chief Audit Executive (CAE) assigns staff to projects based on the project's
complexity and each individual's knowledge, skills, experience, interests, availability,
and professional development needs, and goals. The CAE ensures that the staff
assigned to each project is independent and competent to do the work. The CAE
may hire consultants or specialists to assist on projects when additional knowledge
and/or skills are needed.
Staff Assignments and Independence:
I. Introduction
Audit staff members are individually responsible for notifying the CAE of threats to
their independence as described in GAS 3.26-3.48 through annual disclosure,
project-related disclosures, and ongoing throughout the year as circumstances arise.
The CAE will evaluate the significance of the threats identified and apply safeguards
as necessary to eliminate or reduce the threat to an acceptable level.
II. Disclosure of Threats to Independence
Auditors and investigators will complete and provide their Annual Independence and
Objectivity Statement 2.02-A and Annual Independence - Investigative Statement 2.02-B
to the CAE to assist in identifying potential self-interest threats to
independence, which are defined as financial or other interests that could
inappropriately influence the auditor or investigator's judgment or behavior. Auditors
and investigators are also responsible for notifying the CAE as circumstances arise if
they or their spouse:
a. have any relatives who are employed by the DeKalb County or its
component units.
b. serve on the board of directors of any agency that receives grants or other
funding from the DeKalb County.
c. have a financial interest or hold any position or office in any business that
contracts with the DeKalb County.
d. are seeking employment with another agency of the DeKalb County or its
component units.
Auditors and investigators are also required to seek the CAE's approval prior to
participating in paid employment outside of their DeKalb County job.¹ It is our policy
not to assign auditors or investigators to projects where a potential self-interest
threat exists.
¹ See Personnel Code 20-22; Conflict of Interest 20-20 (E)
At the beginning of each audit assignment, auditors are also responsible for
assessing potential threats related to individual assignments, including:
• Self-review - the threat that an auditor who has previously provided nonaudit
services related to the assignment will not appropriately evaluate the results or
judgments related to the earlier work that is significant to the audit.
• Bias - the threat that an auditor will fail to exercise objectivity because of
political, ideological, social or other convictions.
• Familiarity - the threat that an auditor will fail to exercise objectivity because of
aspects of a relationship with management or personnel of an audited entity.
• Undue influence - the threat that external influences or pressures will affect an
auditor's ability to make independent and objective judgments.
• Management participation - the threat that results from an auditor taking on the
role of management or performing management functions on behalf of the
agency under audit.
• Structural threat - the threat that an audit organization's placement within a
government entity, in combination with the structure of the government entity
being audited, will impact the audit organization's ability to perform work and
report results objectively. Georgia Law (2015 Ga. Laws 3826) and DeKalb
County, Georgia - Code of Ordinances / Organizational Act Section 10A -
Independent Internal Audit provide safeguards consistent with GAS 3.29c
to mitigate structural threats to independence. (See Procedure 1.01 Internal
Audit Authority)
When assessing allegations, investigators are responsible for assessing potential
conflicts of interests related to personal relationships or financial interests that could
prevent the investigator from objectively collecting facts and assessing evidence.
The investigator(s) document this consideration on the Annual Independence
Investigative Statement 2.02-B, which is filed with the case notes.
Disclosure of threat(s) to independence must be addressed in writing (memo) to the CAE,
with a copy to the Audit Manager. The memo should list the GAS category of threats
to independence and an explanation of the threat or possible threat to
independence.
Auditor Assignment and Independence Statement. The auditor will disclose any
potential threats to independence on attachments to the Auditor Assignment and
Independence Statement. The CAE/Audit manager and the auditor will assess
whether any identified potential threat would affect the auditor's ability to exercise
objectivity and impartial judgment on issues associated with conducting and
reporting on the work and whether it could lead reasonable third parties to question
the auditor's independence concerning the project. The audit team is responsible for
documenting, in writing, safeguards applied to reduce or eliminate potential threats
to independence, for example reassigning the auditor or limiting the auditor's
involvement in the project to tasks that would not be affected. Auditors are
responsible for alerting the CAE/Audit Manager of any potential threats to their
independence or interference in completing work, including denials or excessive
delays of access to records or individuals, that arise during an assignment or are
identified after the audit is completed.
The CAE/Audit manager's signature on the form indicates that consideration has
been given to staff qualifications and independence such that the assigned staff
collectively possesses the knowledge and skills necessary to complete the assigned
project and the CAE has evaluated threats to independence.
The lead auditor is responsible for ensuring the Auditor Assignment and
Independence Statement 2.03-A (See Procedure 2.03 Engagement Planning under
Planning Templates for a Sample of the Statement) is completed and filed in the
audit working papers. When staff members are added to a project after it has
begun, the newly assigned staff shall sign the statement prior to beginning work on
the project and the CAE/Audit Manager will initial any changes to signify approval.
Staff is responsible for reporting any threats to independence during the audit. If a
project results in two or more reports, a copy of the statement shall be filed with the
TeamMate electronic working papers.
Reporting Impairments to Independence. If a threat to independence exists and
cannot be reduced to an acceptable level, the CAE will terminate the audit and
communicate the reason with the Audit Oversight Committee or modify the scope of
the audit and report the reason for the scope limitation in the public report.
Whenever relevant new information about a threat to independence comes to the
attention of the auditor during the audit, the auditor notifies the CAE and Audit
Manager. The CAE or Audit Manager will evaluate the significance of the threat in
accordance with the conceptual framework. Threats identified by other OIIA staff will
also be evaluated by the CAE or the Audit Manager in accordance with the
conceptual framework. Once the CAE or Audit Manager has evaluated the threat,
the CAE or the Audit Manager will communicate in writing (memo) the decision and the
safeguards that will be taken to eliminate the threat or reduce the threat to an
acceptable level.
If an auditor identifies a significant threat to independence after the audit report is
released that occurred during the audit period, the CAE or Audit manager will assess
the effect on the report, as required by GAS 3.26. If the assessment determines that
the impairment affected or could be perceived to have affected the auditor's
objectivity or judgment in conducting the work or reporting the results, the CAE will
notify in writing those to whom the report was distributed. The results of the
assessment and the written notification, if required, will be retained in the audit
working papers.
Use of Consultants. Qualified consultants or specialists will be hired in accordance
with DeKalb County's contracting procedures, and any request for proposal will
identify the specific knowledge, skills, and experience required. Consultants and
specialists who are retained to assist with a project shall be subject to the same
competence and independence requirements as OIIA staff. Consultants and
specialists shall sign an independence statement as part of the contracting process.
Reliance on Work Performed by Others. When an audit team plans to use work
performed by consultants, auditors, or other professionals outside of the OIIA, the
audit team should assess the qualifications, independence, and quality assurance
process of the other party and the sufficiency, relevance, and
competence of their evidence before the OIIA relies on their work.
The lead auditor will review relevant sections of Government Auditing Standards and
assess whether the work performed is adequate for reliance in the context of the
current objectives by considering the qualifications, independence, quality assurance
process, and evidence followed for the work.
Based on the assessment of the work and any supplemental tests of evidence
completed by the lead auditor and team, the Manager will decide on whether the
audit team can rely on the work done by others, and if so, the extent of the reliance.
The lead auditor will document the assessment and the decision of whether to rely
on the work in TeamMate.
If the decision is made to rely on the work, the lead auditor will disclose the reliance
on work performed by others in the objective, scope, and methodology section of the
report, and the Manager will verify that the disclosure is contained in the report.
Ethical Principles:
I. Introduction
All employees shall also abide by the Ethical Principles promulgated by our
office-approved professional organization of which they are a member or hold
certifications, as long as they do not conflict with Government Auditing Standards or
any applicable laws or regulations. They shall also adhere to the
DeKalb County Code of Ordinances / Organizational Act / Sec. 22A. - Code of ethics and the
DeKalb County Code of Ordinances / Chapter 2 - Administration / Article II. - Officers
and Employees / Division 2. - Code of Ethics. Ethics violations are subject to
disciplinary action up to and including termination of employment and/or prosecution.
II. Procedures
A) Upon employment and annually, each employee shall review OIIA's Annual
Ethical Principles Statement and sign the statement acknowledging that they have
read the ethical principles and understand that it is a condition of employment that
they abide by the ethical principles and the rules of conduct.
B) The administrative staff is responsible for obtaining signatures acknowledging
review of the Annual Ethical Principles Statement 2.02-C annually from all
employees.
Office of Independent Internal Audit
Audit Function
Procedures Manual
Subject: Project Initiation and Planning
Procedure Number: 2.03
References: GAS 8.01-8.19 - Planning; 8.33-8.48 - Preparing a Written Audit
Plan; 8.59-8.67 - Information Systems Controls Considerations; 8.68-8.70 -
Provisions of Laws, Regulations, Contracts, and Grant Agreements; 8.71-8.76 -
Fraud; 8.77-8.79 - Identifying Sources of Evidence and the Amount
and Type of Evidence Required
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended: 5/13/2020
Chapter 2
Procedure 2.03 - Engagement Planning
Purpose:
To document the audit planning process including the planning steps to be completed
before the audit fieldwork begins.
Authority:
Government Auditing Standards (GAS) also known as the "Yellow Book" promulgated
by the Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
Auditors must adequately plan the work necessary to address the audit objectives.
Auditors must document the audit plan.
Audit Planning
I. Introduction
The engagement planning steps and related templates within TeamMate project
planning work papers have been designed to document the following planning
information:
• Gathering background information on the area being audited.
• Determining the audit objectives and scope of the unit being audited. If the
objectives change during the engagement, the revised objectives and
reasons for the changes must be documented and approved by the CAE.
• Obtaining a basic understanding of the audited entity's work processes, laws,
rules, regulations, and policies and procedures.
• Assessing audit risks at the project level, identifying internal controls, and
documenting preliminary audit concerns.
• Documenting the project kickoff meeting.
• Communicating with the functional management of the unit to be audited
regarding the audit objectives.
• Documenting risk assessment, including fraud risk assessment.
• Estimating the time and resources necessary and specific milestones to meet
the audit objectives.
• Documenting the preliminary assessment of the reliability of computer data.
• Developing and submitting for CAE approval a detailed audit/engagement
program based on relevant criteria.
II. Planning Tools to Use
The following engagement planning steps and related planning templates within
TeamMate (under the Planning program group) should be used to document the
planning process:
• Step 1 Project Administration.
• Step 2 Background Research on the Audit Topic.
• Step 3 Project Initiation.
• Step 4 Gain an Understanding.
• Step 5 Risk and Control Assessment.
• Step 6 Planning Results and Verification.
• Step 7 Draft Fieldwork Program.
• Step 8 Entrance Conference.
Project Administration
The Project Administration section ensures that administrative activities are completed
and documented by the project leader or the audit manager. The following templates
are to be completed.
• Auditor Assignment and Independence Statement 2.03-A
• TeamMate + Modification Form 2.03-B
• Engagement Work Plan 2.03-C
• Engagement Budget Worksheet 2.03-D
Background Research on the Audit Topic
The audit team collects basic background information that is publicly available on the
audit topic. At this stage, the entity to be audited should not be contacted to provide this
information; rather, the team should gather information from available sources. For
example,
• Prior audit reports on the program and/or process.
• Budget and staffing information from public budget documents or county
databases. As a general rule, collect data for a 3-year period.
• Organizational information on the roles and responsibilities of potential key
contacts within the agency to be audited or consulted.
• Key considerations regarding significance to the preliminary scope and
objectives.
• Relevant County code, regulations, laws, contracts and agreements, policies,
and guidelines.
• Peer review reports - should be obtained from an organization when OIIA will be
utilizing the organization's work.
The auditor will document the key background information within the "Background
Research on the Audit Topic" sub-section of the TeamMate Planning section using
the Project Research Template (2.03E) (Yolanda will revise this document to only
include relevant steps) located within the Planning Templates.
Project Initiation
I. Introduction
During the project initiation phase, the audit team discusses the reasons for the
assignment and potential concerns of stakeholders to decide on:
• General scope and objectives.
• Type of work to be performed.
• Standards to be followed.
They will schedule a project kickoff meeting at the start of a project that should be
attended by the audit team, audit manager, CAE, and/or Deputy CAE.
In addition, during the project initiation phase, the audited entity is briefed on the
preliminary scopes and objectives.
II. Internal Project Kickoff Meeting
The audit manager/project leader discusses the reason the audit was selected. Meeting
participants develop statements that describe the value of the audit from a
user/stakeholder perspective. This serves to identify potential areas of concern to
stakeholders such as:
• Risk areas.
• Matters that have received media attention.
• Issues/concerns raised by the CEO, the BOC, agencies, or others.
During the kick-off meeting, participants will set the preliminary scope and objectives,
determine the type of audit to be performed, and determine what standards to follow.
Participants will usually follow performance audit standards and the team should
document the decision to follow different standards in the workpapers. The auditor will
use the Internal Kickoff Meeting Agenda Template 2.03-F to facilitate this meeting.
III. External Project Kickoff Meeting
The auditor arranges a meeting with the audited entity to discuss the preliminary scope
and objectives and obtain key contacts. The auditor will use the Project Initiation Memo
Template 2.03-G to facilitate the meeting. This is the first and last time the Project
Initiation Memo is mentioned. If we start with the memo, it must have been created in
another step. The auditor will use the External Kickoff Meeting Agenda Template 2.03-H
to facilitate the meeting.
Gain an Understanding
I. Introduction
The purpose is for the auditor to gain an understanding of the nature of the program or
program component under audit. During this step, the auditor should prepare process
narratives or flowcharts to document the processes being audited based on
discussions held with individuals familiar with the processes.
II. General Familiarization
The auditor obtains documents that provide descriptions of services and operations.
In addition, an on-site visit and walk-through of operations can help gain an
understanding of the program and identify potential problems. During a walk-through,
auditors observe conditions and ask questions about workflow, filing systems,
equipment usage, and so forth. Auditors are encouraged to meet with key personnel
who are familiar with the process. The auditor will use the General Meeting Template
2.03-I to document general information and the Project Walk-thru Template 2.03-K to
document the results of walk-thru meetings.
III. Interviews
Interviews are held with key department personnel to gain familiarity with policies and
practices, obtain written materials, and help to identify issues or problems.
Knowledgeable persons from other County departments and individuals outside of the
County government are also interviewed for their insights and suggestions.
The auditor should inquire with the management of the audited entity whether any
investigations or legal proceedings significant to the audit objectives have been
initiated or are in process with respect to the period under audit. Also, the project
leader or audit manager should consult with the CAE on whether the auditor should
contact the County's Legal Department.
The auditor should gain a complete understanding of the client's key processes and
document the steps for these processes. Also, the auditor should confirm with the
client the criteria that should be used during the audit.
The auditor will use the Interview Template 2.03-J to document the results of these
meetings.
IV. Criteria
The auditor should identify and confirm with the audited entity relevant criteria based
on the audit objectives. The criteria provide a context for evaluating evidence and
understanding the findings, conclusions, and recommendations in the report. The
following are examples of criteria:
a. laws and regulations applicable to the operation of the audited entity;
b. goals, policies, and procedures established by officials of the audited entity;
c. technically developed standards or norms;
d. expert opinions;
e. prior periods' performance;
f. defined business practices;
g. contracts or grant agreements; and
h. benchmarks against which performance is compared, including the performance
of other entities or sectors.
Risk and Control Assessment
I. Introduction
The auditor will review the audited entity's internal control structure. In doing this, the
auditor will use a variety of tools and techniques to gather and analyze information
about the operation. The review of internal controls helps the auditor determine the
areas of highest risk and design tests to be performed during the fieldwork phase.
During this process, the auditor should evaluate the effect of initiated or in-process
investigations or legal proceedings on the current audit. Additionally, the auditor should
evaluate whether the audited entity has taken appropriate corrective action to address
findings and recommendations from prior engagement(s) that are significant within the
context of the audit objectives.
II. Determining Significance and Obtaining an Understanding of Internal Control
Auditors should determine and document whether internal control is significant to the
audit objectives. If it is determined that internal control is significant to the audit
objectives, auditors should obtain an understanding of such internal control.
Some factors that may be considered when determining the significance of internal
control to the audit objectives include:
1. The subject matter under audit, such as the program or program component
under audit, including the audited entity's objectives for the program and
associated inherent risks;
2. The nature of findings and conclusions expected to be reported, based on the
needs and interests of audit report users;
3. The three categories of entity objectives (operations, reporting, and compliance);
and
4. The five components of internal control (control environment, risk assessment,
control activities, information and communication, and monitoring) and the
integration of the components.
III. Consideration of Fraud Risks
Auditors should assess the risk of fraud occurring that is significant within the
context of the audit objectives. Audit team members should discuss with the team
fraud risks, including factors such as individuals' incentives or pressures to commit
fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could
increase the risk of fraud. Auditors should gather and assess information to identify
the risk of fraud that is significant within the scope of the audit objectives or that
could affect the findings and conclusions.
Assessing the risk of fraud is an ongoing process throughout the audit. When
information comes to the auditors' attention indicating that fraud, significant within
the context of the audit objectives, may have occurred, auditors should extend the
audit steps and procedures, as necessary, to (1) determine whether fraud has likely
occurred and (2) if so, determine its effect on the audit findings.
Assessing Fraud Risks. In assessing fraud, the audit team may consider various
sources of information to determine the susceptibility of a program/process to fraud
with significance to the audit objectives and scope. This may include but is not limited
to the following:
1. Review the Team Store Risk Library for applicable fraud risks and associated
controls. See Team Store: Global Cabinets-> Fraud Considerations for relevant
fraud risks programs, risks, and controls.
2. Consider preliminary conversations with the management of the audited entity.
3. Review relevant Fraud Risk Assessment Tools 2.03-L examples located on the
OIIA shared drive. Have management of the audited entity complete a fraud risk
questionnaire to gain a better understanding of risks and related controls that are
in place.
4. Review the Association of Certified Fraud Examiners (ACFE) fraud tree.
5. Consider any fraud risks identified in the Brainstorming session.
6. Review AU Section 316 Consideration of Fraud in a Financial Statement Audit
(Source: SAS No. 99; SAS No. 113; effective for audits of financial statements for
periods beginning on or after December 15, 2002, unless otherwise
indicated). Also review GTAG13: Fraud Prevention and Detection in an
Automated World, published by the IIA in December 2009, and the International
Professional Practices Framework (IPPF) practice guide entitled Internal
Auditing and Fraud, published by the IIA in December 2009.
Assessing the risk of fraud is an ongoing process throughout the audit and relates
not only to planning the audit but also to evaluating evidence obtained during the
audit. See Procedure 3.02, Auditor Responsibilities Regarding Fraud.
The auditor should complete the related engagement work paper in the TeamMate
Project Planning step "Fraud Risk Consideration" to document the fraud risks
identified. The auditor can utilize the Fraud Risk Questionnaire Template 2.03-J2
located within the Planning Templates. This questionnaire may be customized
based on the specific subject area if required after reviewing step 3 above. The fraud
risks identified during planning should be incorporated into the TeamMate Risk and
Controls module used for documenting Risk and Control Assessment.
IV. Brainstorming Meeting
The brainstorming meeting is to solicit and document the "Corporate Knowledge" of
OIIA staff on the assigned topic.
At the meeting the following work should be performed:
• CAE/Manager explains the purpose of the meeting and discusses the
engagement origin, background, and preliminary scope and objectives.
• CAE/Manager explains some basic rules of an effective brainstorming
session: Everyone should participate; Build on each other's ideas; Think
outside the box; Do not overlook the obvious; Suspend judgment (all ideas
are good ideas); Do not make negative remarks about others' ideas; and do
not stop to discuss in-depth.
• Everyone should consider potential fraud issues and provide ideas.
• Any applicable risks identified during the brainstorming meeting should be
incorporated into the audit project.
The results of the meeting should be documented in the General Meeting Template
2.03-I.
The project leader should document their understanding of internal controls and
assessed risks and determination. The project leader should document the significance
of internal controls to the audit objectives within the "Risk and Control Assessment"
section of the TeamMate Planning program and using the Risk and Control module of
TeamMate. Auditors may also use the Project-Based Risk Assessment Template 2.03-M
to document risks before uploading to the TeamMate Risk and Control module.
V. Information Systems Controls Considerations
The effectiveness of significant internal controls frequently depends on the effectiveness
of information systems controls. Thus, when obtaining an understanding of internal
control significant to the audit objectives, auditors should also determine whether it is
necessary to evaluate information systems controls.
When information systems controls are determined to be significant to the audit
objectives or when the effectiveness of significant controls depends on the effectiveness
of information systems controls, auditors should then evaluate the design,
implementation, and/or operating effectiveness of such controls. This evaluation
includes other information systems controls that affect the effectiveness of the
significant controls or the reliability of information used in performing the significant
controls. Auditors should obtain a sufficient understanding of information systems
controls necessary to assess audit risk and plan the audit within the context of the audit
objectives. The auditor will complete the Applications and Systems
Assessment Questionnaire 2.03-J1 to determine the need for a data reliability
assessment. If a data reliability assessment is necessary, the IT Audit Team will
complete the assessment using the Data Reliability Checklist 2.03-L.
Planning Results and Verification
The purpose of this process is to: summarize the results of the planning activities,
assess the sufficiency of the evidence gathered, obtain agreement about whether the
audit should be continued, and determine whether additional data collection or analysis
is needed to satisfy the audit objectives.
Issues identified during the planning phase of the project by the project leader should be
communicated to and verified by audit entity management. Planning results should be
documented in TeamMate using the Procedure Grid and the results should be reviewed
and approved by the manager. The Planning Results Reviews Meeting document is
discussed with the CAE and Deputy CAE during the project planning verification
meeting. The document should be sent to the CAE and DCAE one week before the
meeting. During the meeting the CAE and the Deputy CAE will:
1) Determine if a sufficient level of planning has been completed to move to
the next phase of the audit.
2) Determine if the audit will be continued.
3) Review the audit engagement letter 2.04-A.
4) Review the draft fieldwork program.
Draft Fieldwork Program
Based on the results of the Project Planning Verification meeting and after the CAE has
concluded that the audit is to proceed, the auditor will prepare a Fieldwork Program
2.03-0 that outlines the fieldwork necessary to achieve the engagement objectives.
After review and approval by the manager and CAE/Deputy CAE, the auditor will use
the Fieldwork Program to populate the fieldwork program (B.1.PRG) in TeamMate.
The preparation of the Fieldwork Program concludes the planning phase.
Entrance Conference
This meeting is used to communicate with audit entity management the reasons for the
audit, describe the audit process, address management's questions or concerns,
identify key contacts, and discuss logistics if necessary. (See Procedure 2.05 -
Entrance Conference for further guidance)
Office of Independent Internal Audit
Audit Function
Procedures Manual
Chapter 2
Procedure 2.04 - Engagement Letter
Purpose:
The purpose of the engagement letter is to let agency management, the Chief
Operating Officer, the Chief Executive Officer, the Board of Commissioners, and the Audit
Oversight Committee Chairperson know that the OIIA is starting an audit of the
department, agency, or program; to provide general information about the audit; and to
request an entrance conference. We communicate an overview of the planned audit to
those charged with governance through our annual audit plan.
Authority:
Government Auditing Standards (GAS) also known as the "Yellow Book" promulgated
by the Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
The engagement letter should describe the expected nature and focus of the work to
the extent known, identify the audit team, state that we will schedule an entrance
conference, and may request that some basic information be brought to the entrance
conference such as an organization chart or staff directory.
Subject: Project Initiation and Planning
Procedure Number: 2.04
References: GAS 8.20-8.26, Auditor Communication (Performance Audits)
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended: 4/15/20
Procedure 3.01
Page 2 of 2
Engagement Letter:
The lead auditor drafts an engagement letter to the head of the department or agency
communicating an overview of the objectives, scope, and methodology and the timing of
the performance audit and planned reporting (including any potential restrictions on the
report) for the area under audit to avoid delaying the project. The head of the
department or agency, the Chief Operating Officer or Chief Financial Officer should be
copied when audits are of areas for which they are responsible.
The Audit Manager will format the letter, ensure names and titles are correct, get the
CAE's signature, and distribute it to the recipients.
In addition, the Engagement Letter template 2.04-A is located under the Planning
Templates, Entrance Conference folder.
Chapter 2
Procedure 2.05 - Entrance Conference
Purpose:
The entrance conference is used to communicate with agency management the
reasons for the audit, describe the audit process, address management's questions or
concerns, identify key contacts, and discuss logistics if necessary.
Authority:
Government Auditing Standards (GAS) also known as the "Yellow Book" promulgated
by the Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
The entrance conference should communicate an overview of the objectives, scope,
and methodology and the timing of the performance audit and planned reporting
(including any potential restrictions on the report).
Subject: Project Initiation and Planning
Procedure Number: 2.05
References: GAS 8.20-8.26, Auditor Communication (Performance Audits)
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended: 04/15/2020
Entrance Conference:
I. Introduction
The lead auditor schedules the audit entrance conference within several days after
the engagement letter has been distributed. Those who typically attend the audit
entrance conference are:
a. Agency head and key agency directors or managers for the audit topic
area.
b. Audit Manager and the audit team.
c. Chief Audit Executive.
The lead auditor prepares an agenda for the entrance conference, including:
• Introductions of the audit team and leadership and the agency
management who are present.
• Describe the audit process, including estimated timing and dates for the
audit survey.
• Obtain audit suggestions and input from agency management.
• Identify the key contact people from the agency.
• Determine the owners of key data and documents and how to obtain
relevant information/data during the audit.
• Emphasize the need for responsiveness when the audit team requests
data; consider requesting the agency head.
The audit team is responsible for recording who attended, matters discussed, and
any decisions made. The record is kept as an attachment with the TeamMate
Research and Planning program, Entrance Conference step.
II. Entrance Conference Tools to Use
The entrance conference meeting should be documented in the TeamMate
Research and Planning program group. The following tools should be used to
document the entrance conference agenda and attendees:
• Entrance Conference Agenda.
• Entrance Conference Sign-In Sheet.
III. Copies of the entrance conference templates such as Entrance Conference
Agenda 2.05-A and Entrance Conference Sign-In Sheet 2.05-B are also located
under Planning Templates, Entrance Conference folder.
Chapter 3
Procedure 3.01 - Engagement Evidence and Fieldwork
Purpose:
Audit fieldwork is to gather information and appropriate evidence to provide a
reasonable basis for conclusions about the audit objectives.
Authority:
Government Auditing Standards (GAS) also known as the "Yellow Book" promulgated
by the Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
The result of fieldwork is a body of workpapers including summaries of the audit team's
conclusions regarding each of the objectives.
Subject: Audit Fieldwork
Procedure Number: 3.01
References: GAS 3.109-3.117, Professional Judgment; GAS 8.77-8.79, Identifying
Sources of Evidence and the Amount and Type of Evidence Required;
GAS 8.90-8.107, Evidence; GAS 8.108-8.115; GAS 8.116-8.131, Findings
Issue Date: 08/24/2017
Effective: 08/24/2017
Approved: John L. Greene, Chief Audit Executive
Amended: 05/17/2020
Engagement Evidence:
I. Introduction
Internal auditors must identify sufficient, reliable, relevant, and useful information to
achieve the engagement's objectives. Information should be collected on all matters
related to the engagement objectives and scope of work.
II. Types of Information
Sufficient information is factual, adequate, and convincing so that a prudent,
informed person would reach the same conclusions as the auditor. Sufficiency is
interdependent on the engagement scope. To determine if the evidence is sufficient,
the auditor should use his or her judgment. To help the auditor in using judgment as
the basis for determining whether the evidence is sufficient, the auditor should
decide if there is enough information to support the findings or conclusions reached.
In cases where two sources of evidence conflict, the auditor should determine which
is more precise keeping in mind that evidence must be impartially judged for
significance and completeness.
Reliable information is best attainable using appropriate engagement techniques.
As engagements are performed, the auditor should continuously assess the
soundness and credibility of the evidence to help ensure the information is
competent. Competent information is defined as the quality of evidence. For
example, is the information valid, complete, and credible or are we sure that our
information is accurate? When determining whether information received is
competent, the auditor should keep in mind that evidence obtained from
independent sources is more reliable than evidence from non-independent sources. Evidence
developed under a good system of internal controls is more reliable than that
obtained from a system that has weak or non-existent controls. Evidence obtained
through physical examination, observation, computation, or inspection is more
reliable than evidence obtained indirectly. These assumptions can be useful in
judging whether evidence is competent.
Relevant information supports engagement observations and recommendations and
is consistent with the objectives for the engagement. Relevancy refers to the
relationship of evidence to its use. Does the evidence/information have a logical and
sensible relationship to the engagement objective? If a logical sensible relationship
exists, then the evidence is reliable. Generally, relevant evidence will have a logical
relationship to the engagement subject, the time period, and the aspects of
performance.
If the information is irrelevant it should not be included as part of the work papers.
The following are general questions the auditor should ask in determining whether
the information is relevant: Is the evidence related to such factors as background, condition,
criteria, effect, or cause and does the evidence make an asserted finding,
conclusion, or recommendation more believable? If these conditions exist, the
evidence is relevant.
Useful information helps the organization meet its goals. The gathering of
engagement evidence that is useful to the organization is the main justification for
the existence of an internal audit function. Useful information will depend on various
factors such as cost/benefit and the needs of the users of the information.
Determining whether evidence is adequate for the auditor's purpose is a question of
judgment and will depend on the type of engagement and the scope of work to be
performed. The auditor must be aware that the judgment imposed must be objective
and will vary based on the auditor's experience and training.
III. Types of Evidence
Evidence may be categorized as physical, documentary, testimonial, and
analytical. These categories are important to auditors because they determine the
competency of the evidence, the methods used to assure the competency of the
evidence, and the methods for obtaining the evidence.
The team is responsible for deciding how to conduct the work necessary to complete
the fieldwork. The audit approach and methodology the team selects should take
into account our reasons for doing the audit, the audit objectives we decided on, the
time and resources available, the types of data available, and the control
environment.
Things to consider:
• What sources of data are available to address our objectives? Are data
available for the different elements of a finding (condition, criteria, cause,
effect, recommendation) that we plan to address?
• How are data collected, stored, verified, retrieved, and used? Are data
accurate, timely, authoritative, and authentic? Being able to answer these
questions helps to assess validity and reliability. Consider ways to test data
reliability when deciding what data to collect including:
a. Corroborating the evidence (comparing to other sources for
consistency).
b. Verifying the evidence (direct testing - confirming through other
sources).
c. Validating the evidence (testing the control environment).
d. Obtaining additional evidence.
• Methods for collecting data and the extent to which we can rely on them
depend on the type. Often, there are alternate sources of needed data and
alternative ways to collect them. It's usually best to get the strongest
evidence available - subject to resource constraints and considering our
purpose and risk. From strongest to weakest, the types of audit evidence
are:
o PHYSICAL EVIDENCE is obtained by direct inspection or observation of
people, property, or events. It may be documented in memos, charts, or
photographs.
o DOCUMENTARY EVIDENCE consists of already existing information
such as letters, contracts, accounting records, invoices, spreadsheets,
and management information on performance.
o TESTIMONIAL EVIDENCE is obtained through inquiry, interviews, or
questionnaires.
o ANALYTICAL EVIDENCE derives from the auditors' analysis (such as
computations and comparisons) and logical reasoning using data
previously obtained. The strength of analytic evidence in supporting a
conclusion depends on methodological soundness as well as the
underlying data.
Analytical procedures should be used in the planning phase of the
engagement and during the engagement to examine and evaluate
information to support engagement results. The application of analytical
procedures is based on the premise that, in the absence of known
conditions to the contrary, relationships among information may
reasonably be expected to exist and continue.
Analytical procedures provide the auditor with an efficient and effective
means of assessing information collected during the engagement. The
assessment results from comparing such information with expectations
identified or developed by the internal auditor.
Analytical procedures are useful in identifying, among other things:
• Differences that are not expected.
• The absence of differences when they are expected.
• Potential errors, irregularities, or illegal acts.
• Other unusual or nonrecurring transactions or events.
Internal auditors should consider the following factors in determining the
extent to which analytical engagement procedures should be used:
• The significance of the areas being examined.
• The adequacy of the system of internal control.
• The availability and reliability of financial and non-financial
information.
• The precision with which the results of the analytical procedures
can be predicted.
• The availability and comparability of information regarding the
industry in which the organization operates.
• The extent to which other engagement procedures provide support
for engagement results.
IV. Standards of Audit Evidence
Audit standards (GAS 8.90-8.107) require that auditors obtain sufficient, appropriate
evidence to provide a reasonable basis for their findings and conclusions.
Appropriateness considers the quality of evidence, including relevance, validity, and
reliability.
o Relevant data are logically related to the issue being addressed.
o Valid data are accurate/sound - they measure what they purport to measure.
o Reliable data are consistently measured, complete, and verifiable.
• Sufficiency considers the quantity of evidence. Is there enough appropriate
evidence to address the audit objectives and support the findings and
conclusions? Note that sufficiency depends upon appropriateness - volume
doesn't make up for lack of relevance, validity, or reliability. The fieldwork plan
directs the audit team to obtain and evaluate evidence that will ultimately support
their audit judgments and conclusions about the audit objectives.
The approach to assessing appropriateness and sufficiency of evidence depends
on the source of information that constitutes the evidence.
• Data gathered by the auditors. This evidence is the audit team's own
observations and measurements, usually gathered through questionnaires,
structured interviews, direct observations, and computations. Auditors
exercise professional judgment to ensure that this evidence is appropriate
and sufficient.
• Data gathered by management. If the audit team uses data gathered by
officials of the audited entity, they should determine its validity and reliability
by direct testing of the data. The entity's internal controls over the validity and
reliability of that data can be tested to establish this.
• Data gathered by third parties. The auditors' evidence may also include data
gathered by third parties, such as outside audit reports, our legal counsel's
interpretation of complex laws or regulations, etc. Auditors should assess
the competence or credibility of the party that gathered the information and/or
assess the methodology used.
V. Fieldwork
The fieldwork phase includes performing and documenting the planned
engagement program. It is during the fieldwork phase that the auditor determines
whether the controls identified during the planning phase are effective. The
fieldwork phase concludes with findings and recommendations from which the
auditor will prepare the engagement report.
Fieldwork is the process of gathering evidence, analyzing, and evaluating that
evidence. The engagement objectives, steps, and procedures should be prioritized
so that the most important and most significant are performed and completed first.
This will assist the auditor in keeping focused on completing the engagement by
developing sufficient information to reach conclusions throughout the engagement
process.
Some of the procedures conducted during fieldwork are:
• Gaining an understanding of the activity, system, or process under review
and the policies and procedures, supplementing and continuing to build upon the
information already obtained in the preliminary work/survey.
• Observing conditions or operations and interviewing people.
• Examining assets, accounting, business, and other operational records.
• Reviewing systems of internal control and identifying internal control points.
• Evaluating and concluding on the adequacy (effectiveness and efficiency) of
internal controls.
• Conducting compliance and substantive testing.
• Determining if appropriate action has been taken regarding significant
engagement concerns and corrective actions reported in prior engagements.
VI. Audit Sampling
Sampling is the application of audit procedures to less than 100 percent of the
items within the population. For some types of testing, the sample may be
unnecessary because the use of computer software allows the audit team to test
100 percent of the population. In addition, computer software can be used to
reduce the size of the population sampled by selecting data with certain
characteristics.
When sampling is used, the appropriate selection method will depend on the audit
objectives. When a representative sample is needed, the use of statistical sampling
approaches generally results in stronger evidence than that obtained from
nonstatistical techniques. When a representative sample is not needed, a targeted
selection may be effective if the auditors have isolated risk factors or other criteria
to target the selection. (GAS 8.107)
• Statistical sampling is a sampling of units that must be randomly selected
and quantitatively evaluated through the application of probability theory. The
random sample seeks to represent, as closely as possible, the population
from which it was drawn. The results of the sample are projected to the entire
population. In addition, statistical sampling permits the auditor to measure
sampling risk - that is, the risk that a sample will not represent the population.
• Nonstatistical (judgmental) sampling is based on the auditor's professional
judgment and meant to focus and confirm a condition that is reasonably
thought to exist. It occurs if units cannot be randomly selected or
quantitatively evaluated. The audit team determines sample size and
evaluates results based on subjective audit experience. Conclusions may be
drawn from the results of the sample only about the sample population. In
addition, judgmental sampling permits an auditor to select items at random
without attempting to draw statistical inferences about the entire population.
The audit workpapers should include sufficient detail to describe clearly the
sampling objective and the sampling process used. The workpapers should include
the source of the population, the sampling method used, sampling parameters (e.g.,
random start number or method by which random start was obtained and sampling
interval), items selected, details of audit tests performed, and conclusions reached.
VII. Exercising Professional Judgment
Auditors are responsible for exercising professional judgment in conducting
fieldwork. Professional judgment requires auditors to conduct work diligently in
accordance with professional standards and ethical principles; objectively evaluate
evidence as it is gathered; exercise professional skepticism; and refrain from
assuming that management is either honest or dishonest. In addition, professional
judgment should be used to determine whether evidence gathered is sufficient,
reliable, relevant, and useful to conclude on the established objectives. Judgment
should be based on the information available. Reassess the engagement
objectives, scope, and procedures to ensure efficient use of engagement
resources.
VIII. Resolving Access Problems
The manager is responsible for promptly alerting the Chief Audit Executive to
problems that could affect the project schedule, such as lack of cooperation or
access to needed information. HB 599 (2015 Ga. Laws 3826) and DeKalb County,
Georgia - Code of Ordinances/ Organizational Act Section 10A - Independent
Internal Audit provide that officers and employees of DeKalb County shall furnish to
the OIIA unrestricted access to employees, information, and records including
electronic data within their custody regarding powers, duties, activities,
organization, property, financial transactions, contracts, and methods of business
required to conduct an audit or otherwise perform audit duties. In addition, they
shall provide access for the OIIA to inspect all property, equipment, and facilities
within their custody. If such officers or employees fail to provide or produce such
access and information, the OIIA may initiate a search to be made and exhibits to
be taken from any book, paper, or record of any such official or employee or outside
contractor or subcontractor, except as governed by statute. The CAE shall have
the authority to issue subpoenas and may apply to the Superior Court of DeKalb
County for the enforcement of any subpoena issued by the CAE.
As a rule of thumb, the CAE should be made aware when the audited entity doesn't
respond to requests for information after one week. If the audited entity requires
longer than one week to produce requested data or schedule an interview, the team
should draft a confirmation memo documenting what we requested, when we made
the request, and our understanding of why the audited entity is unable to comply
with the request promptly. The memo should be from the CAE and addressed to the
head of the agency with responsibility for the area under audit; the Audit
Oversight Committee and the responsible executive (Chief Financial Officer, Chief
Operating Officer, or county attorney) should be copied. A copy of the memo and
any related correspondence should be retained in the audit workpapers.
IX. Communicating with Audited Entity Management During Fieldwork
The Project Leader is responsible for periodically briefing audited entity
management or the designated point-of-contact on the status of the audit work and
tentative conclusions. However, the team must avoid reporting audit findings or
making recommendations to the audited entity during fieldwork because our final
findings and recommendations reflect the judgment of the audit organization as a
whole, not just the team, and are based on an overall assessment of the evidence.
The Project Leader should schedule a meeting with the CAE and the Audit Manager
in cases where the team thinks circumstances warrant providing management with
findings and recommendations before fieldwork is complete. We'll decide at the
meeting whether to issue an interim report.
X. Fieldwork Tools to Use
Fieldwork should be documented in the TeamMate Fieldwork program within the
related fieldwork steps.
Chapter 3
Procedure 3.02 - Auditor Responsibilities Regarding Fraud
Purpose:
Conducting a performance audit in accordance with standards provides reasonable
assurance - but no guarantee - that auditors will detect illegal acts or fraud related to
the audit objective(s).
Authority:
House Bill 599 (2015 Ga. Laws 3826) enacted by the Georgia General Assembly signed
into law on May 12, 2015 [1] and Government Auditing Standards (GAS) also known as
the "Yellow Book" promulgated by the Comptroller General of the United States and
published by the United States Government Accountability Office.
[1] Incorporated into DeKalb County, Georgia - Code of Ordinances/ Organizational Act Section 10A - Independent Internal Audit
Subject: Audit Fieldwork
Procedure Number: 3.02
References: House Bill 599 (2015 Ga. Laws 3826); DeKalb County, Georgia - Code of
Ordinances / Organizational Act Section 10A - Independent Internal Audit;
GAS 8.27-8.28, Investigations or Legal Proceedings; GAS 8.71-8.77, Fraud;
GAS 9.35-9.39, Reporting on Noncompliance with Provisions of Laws,
Regulations, Contracts, and Grant Agreements; GAS 9.40-9.44, Reporting on
Instances of Fraud; GAS 9.45-9.49, Reporting Findings Directly to Parties
outside the Audited Entity
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended: 5/13/20
Applicability:
Fieldwork standards for performance audits require auditors to assess risks of fraud
throughout the project.
Auditor Responsibilities Regarding Potential Fraud:
I. Introduction
Fieldwork standards for performance audits require auditors to assess risks of fraud
throughout the project. When auditors identify fraud risks that are significant within
the context of the audit objectives, they should design procedures to obtain
reasonable assurance of detecting fraud (GAS 8.72). When information comes to
the auditors' attention that fraud may have occurred that is significant within the
context of the audit objectives, standards require auditors to extend audit steps to
determine whether fraud has likely occurred and, if so, its effect on audit findings
(GAS 8.76). Auditors must use professional judgment in pursuing indications of
possible fraud so as not to interfere with investigations or legal proceedings (GAS
8.27- 8.29).
II. During Fieldwork
If during fieldwork, the audit team becomes aware of situations or transactions that
could indicate fraud, the Project Leader/manager is responsible for meeting with the
CAE to decide whether to extend audit steps or to report the potential fraud (See
Procedure 2.03, Planning).
III. Reporting Fraud to Officials in the Organization
If the CAE becomes aware of abuse or illegal acts or indications of such acts that
could affect the governmental entity, the CAE shall report the irregularities to the
audit oversight committee, the Chief Executive, and the Commission. If a member
of the governing authority is believed to be a party to abuse or illegal acts, the CAE
shall report the acts directly to the audit oversight committee, the Chief Executive,
and the Commission.
GAS requires auditors to use judgment in reporting instances of fraud or likely fraud
to officials of the audited entity. Auditors should include information in the audit
report about the fraud or likely fraud unless public reporting would compromise
investigative or legal proceedings (GAS 9.39-9.41). If public reporting could
compromise proceedings, the auditor should limit the extent of reporting to
information that is already part of the public record (GAS 9.44). When auditors
detect instances of fraud that do not warrant the attention of those charged with
governance, the auditors' determination of whether and how to communicate such
instances to audited entity officials is a matter of professional judgment (GAS 9.43).
IV. Reporting Fraud to a Third Party
Audit teams should avoid interfering with ongoing investigations or legal
proceedings. In addition, audit teams should be alert during an audit to situations or
transactions that could be indicative of possible illegal acts or fraud and
communicate the observation to the manager who will work with the CAE to assess
how to proceed. In some cases, laws or regulations require the audited entity to
report fraud directly to outside parties such as a federal inspector general or state
attorney general. If it appears that the irregularity is criminal in nature, the CAE shall
notify the district attorney in addition to those officials previously identified in Section
III.
If management fails to report the fraud as required, the CAE needs to communicate
this failure to the governing body. If the audited entity does not then make the
required report as soon as possible, the auditor is required to report the fraud
directly to the specified external agency (GAS 9.46-9.49). Auditors should also
report fraud directly when they cannot confirm through evidence that entity officials
reported the fraud as required (GAS 9.47). Auditors should first communicate the
failure to report requirements to those charged with governance when audited entity
management fails to:
a) satisfy legal or regulatory requirements to report such information to external
parties specified in law or regulation; or
b) take timely and appropriate steps to respond to noncompliance with
provisions of laws, regulations, contracts, and grant agreements or instances
of fraud that
i. are likely to have a significant effect on the subject matter and
ii. involve funding received directly or indirectly from a government
agency.
If the audited entity still does not report this information to the specified external
parties as soon as practicable after the auditors' communication with those charged
with governance, then the auditors should report the information directly to the
specified external parties. (GAS 9.45).
V. Tools to Use
The TeamMate Fieldwork steps should be used to document the fieldwork process.
Chapter 3
Procedure 3.03 - Audit Workpapers
Purpose:
Workpapers serve as tools to aid the auditor in performing his work and as written
evidence of the work done to support the auditor's report. The information included in
work papers must be sufficient, reliable, relevant, and useful to achieve the
engagement's objectives.
Authority:
The Georgia Open Records Act and the Government Auditing Standards (GAS) also
known as the "Yellow Book" promulgated by the Comptroller General of the United
States and published by the United States Government Accountability Office.
Applicability:
Internal auditors must document relevant information to support the conclusions and
engagement results of appropriate analyses and evaluations.
Subject: Audit Fieldwork
Procedure Number: 3.03
References: Georgia Open Records Act; GAS 5.46 Monitoring of Quality;
GAS 8.08-8.10 - Planning; GAS 8.49-8.53 Assessing Internal Control;
8.54-8.58 Internal Control Deficiencies Considerations;
GAS 8.132-8.141, Audit Documentation
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended: 5/13/2020
Audit Workpapers
I. Introduction
The purpose of audit workpapers is to:
a. Provide a systematic, written record of the work performed to fulfill the
audit objectives (i.e., the what, why, how, when, and by whom) that
ultimately links the evidence obtained to the reported findings and
conclusions.
b. Facilitate supervision and internal and external quality control reviews of
audit work.
c. Help ensure that we are following GAS in conducting and reporting on the
work.
d. Document formal communications with management, data requests,
potential scope impairments or impairments to independence and our
efforts to resolve them, and other administrative matters.
II. Principles
Audit documentation serves to (1) provide the principal support for the audit report,
(2) aid auditors in conducting and supervising the audit, and (3) allow for the review
of audit quality.
Auditors must prepare audit documentation related to planning, conducting, and
reporting for each audit. Auditors should prepare audit documentation in sufficient
detail to enable an experienced auditor, having no previous connection to the audit,
to understand from the audit documentation the nature, timing, extent, and results of
audit procedures performed; the evidence obtained; and its source and the
conclusions reached, including evidence that supports the auditors' significant
judgments and conclusions. The lead auditor is responsible for ensuring the audit
workpapers are complete, accurate, and logically organized. The audit team and
audit organization as a whole are responsible for safeguarding confidential
information and complying with the Georgia Open Records Act requirements.
III. Content
Audit workpapers should be prepared professionally, free of extraneous personal
comments, easily followed, and understood by an experienced auditor unfamiliar
with the engagement details. The key to good workpapers is to ensure they
document the following aspects of the engagement process:
1) Planning.
2) The examination and evaluation of the adequacy and effectiveness of the
system of internal control.
3) The engagement procedures performed, the information obtained, and the
conclusions reached.
4) Review.
5) Communication.
6) Follow-up.
The information in working papers should be restricted to information pertinent to the
engagement objectives.
Auditors should design the form and content of audit documentation to meet the
circumstances of the particular audit. The audit documentation constitutes the
principal record of the work that the auditors have performed in accordance with
standards and the conclusions that the auditors have reached. The quantity, type,
and content of audit documentation are a matter of the auditors' professional
judgment. Work papers should be uniform in composition and
organization. In addition, workpapers should:
1) Be complete and include support for engagement conclusions reached. Work
papers must be able to "stand-alone." This means that all questions must be
answered, all points raised by the reviewer must be cleared, and a logical,
well thought out conclusion must be reached for each audit phase.
2) Contain evidence that supports the findings, conclusions, and
recommendations before the auditors issue their report.
3) Auditors should document the following (GAS 8.135):
a. The objectives, scope, and methodology of the audit;
b. The work performed and evidence obtained to support significant
judgments and conclusions, as well as expectations in analytical
procedures, including descriptions of transactions and records
examined (for example, by listing file numbers, case numbers, or other
means of identifying specific documents examined, though copies of
documents examined or detailed listings of information from those
documents are not required); and
c. Supervisory review, before the audit report is issued, of the evidence
that supports the findings, conclusions, and recommendations
contained in the audit report.
4) When auditors do not comply with applicable GAGAS requirements because
of law, regulation, scope limitations, restrictions on access to records, or other
issues affecting the audit, the auditors should document the departure from
the GAGAS requirements and the impact on the audit and the auditors'
conclusions. (GAS 8.136)
IV. Clear and Objective
Workpapers form the basis for our conclusions and therefore must be objective and
factual. Auditors should write clearly and avoid adjectives or adverbs that imply
value judgments. An active voice is usually easiest to understand. Auditors should
write summary workpapers or use cross-references to support conclusions based
on multiple workpapers. Cross-referencing identifies other relevant documents or
sources of data. For example, a summary spreadsheet that pulls together data
from multiple spreadsheets should be cross-referenced to the documents that
provide the source of the data; interviews with different people on a related topic
should be cross-referenced to support overall conclusions. The Lead Sheet Template
can be used to summarize workpapers.
V. Avoid Creating Unnecessary Workpapers
Auditors should design the form and content of audit documentation to meet the
circumstances of the audit. The audit documentation constitutes the principal record
of the work that the auditors have performed in accordance with standards and the
conclusions that the auditors have reached. The quantity, type, and content of audit
documentation are a matter of the auditors' professional judgment.
To be concise, auditors must have a clear understanding of why they are
performing a specific audit task and how the task will satisfy the audit objectives
before undertaking the work. The project leader should provide guidance and
feedback to auditors conducting the work. Auditors should seek direction when an
assignment is unclear. Clear descriptions of the purpose of the workpaper help
ensure a common understanding of what the work is intended to achieve.
VI. The workpapers must be complete
The workpapers must contain sufficient information to demonstrate that we complied
with GAS in planning, conducting, and reporting the audit. Additionally, workpapers
must be linked with significant findings and conclusions as evidence and must be
understandable without supplementary explanations. However, "complete" does not
mean self-contained. Auditors need to exercise judgment in deciding what to
include in the workpaper file. It's helpful to write summaries instead of scanning
voluminous documents in the file. Readily available documents (e.g., the Code of
Ordinances, Comprehensive Annual Financial Report, budget) should be referenced
instead of scanned for inclusion in the workpapers. When using other reference
materials or reports, auditors can include a sample page, or copies of only the title
page and the other relevant pages from a document.
VII. Confidential Records and Sensitive Information
Workpapers sometimes include information that is exempt from release under the
Georgia Open Records Act, including legal advice or personal information, such as
social security numbers or banking information. Auditors should use judgment when
preparing workpapers and not include personal information unless it is relevant to
the purpose and necessary to establish sufficiency or competence of the evidence
presented. Refer to Procedure 1.05: Handling Confidential and Sensitive Information
or Information Exempt from Public Disclosure (Requesting, Maintaining,
Communicating and Reporting).
VIII. Format
While the content of workpapers will vary, the format should be consistent to
facilitate review and enhance their usefulness in completing the project. Although
consistency is important, auditors should exercise judgment in preparing workpapers
and avoid emphasizing form over substance.
Workpapers are stored electronically in TeamMate Audit Management Software,
TeamEWP (Electronic Working Papers) module. All important information, such as
program steps, issues, notes, sign-offs, and edit histories, is contained in database
tables, which allow real-time, team-based use and facilitate filtering and sorting of key
information.
(See Procedure 7.03, Workpaper Retention)
The page of each workpaper lists:
• Auditor - the name of the person who is assigned to the audit step should
be selected within TeamMate. Once the audit step is completed (or a
revision made) the auditor should click the "prepared by" button
to indicate the date and time of completion and to notify the manager of the
required review and sign-off.
• The Project review notes are used to document any comments by the
reviewer. The "reviewed by" button should be clicked by the audit manager
to indicate the date and time when the workpaper was last reviewed/sign-off.
• Type - The type of audit procedure should also be selected from the
dropdown within the TeamMate procedure/step, for example:
  ■ Administrative.
  ■ Planning.
  ■ Walkthrough/Observation.
  ■ Inspection/Examination.
• Purpose - a narrative description of why the work was completed.
It's often useful to write the purpose as a question or series of
questions/steps that the work is intended to answer. This is located under
the "Audit Step" tab within the TeamMate procedure. The
questions/audit steps should be consistent with and referenced to the
approved audit program developed during Planning step # 20:
Prepare draft audit/engagement program CAE review. In addition,
audit steps must be referenced/hyperlinked to the related risk and
controls that the procedure seeks to address/evaluate.
• Source/References - the source of the information contained in the
workpaper with enough detail so that a reviewer can assess the
competence of the evidence presented.
  o Identify Standards Used.
  o Document - include the title of the document and location
  where it was obtained or the name and position title of the
  person who provided it (include the telephone number for
  non-county staff).
  o Analysis - the source of the data used in the analysis and
  how it was obtained or where it can be found.
  o Observation - location and date.
  o Interview - name and position title of the person interviewed
  (include the telephone number of non-county staff and for all
  telephone interviews).
In TeamMate EWP this is documented under the "Source of
Information" tab. Please note that in TeamMate the "References"
tab is auto populated with all hyperlinked documents uploaded to
all other tabs in that audit procedure.
• Scope & Methodology - a description of what the auditor did to
complete the work. The description should be clear enough that a
reviewer can assess the competence of the evidence presented. The
rule of thumb is that an experienced auditor unfamiliar with the topic
should be able to understand what was done without additional
explanation. A description of the method generally isn't necessary for
interviews and may not be necessary for reviews of documents unless
the auditor used search or decision criteria for deciding what and
how to review. For TeamMate data analytics or other work that is
developed iteratively, it is helpful to outline the sequence of steps in
the method, so a reviewer can retrace the steps to arrive at the
conclusion. In TeamMate EWP this is documented under the "Work
Performed and Conclusion" tab.
• Conclusion - a brief summary of the auditor's conclusions based on
the information contained in the workpaper or cross-referenced when
multiple workpapers support a conclusion. The conclusion should be
related to the purpose and appropriate to the level of evidence
contained in the workpaper. The conclusion should document the auditor's
assessment of the design, implementation, and/or operating
effectiveness of such internal control to the extent necessary to
address the audit objectives. The auditor should also evaluate and document the
significance of identified internal control deficiencies within the context
of the audit objectives. In TeamMate EWP this is documented under
the "Work Performed and Conclusion" tab.
• Results - usually include any additional workpapers linked to this
workpaper to reflect the auditor's work or links to information obtained
from the audited entity. In TeamMate EWP this is documented under
the "Results" tab.
Please note that the above references the use of electronic workpapers in
TeamMate, but at times it may be necessary to develop a workpaper using MS Word
and/or Excel (for example, for data analytics/computations, etc.). These linked
workpapers should also be able to stand on their own, even when they are hyperlinked to
a procedure in TeamMate. Each page of the workpaper should also document at a
minimum the areas outlined above.
Workpapers should reflect professionalism. Because we work in teams, workpapers
need to be useful to other people. Keep in mind also that audit files are subject to
review by external auditors, peer review teams, and anyone outside of the OIIA who
requests to review them, including members of the media, after an audit report is
released.
IX. Organization
Workpapers should be organized logically as the audit progresses and stored
electronically within TeamMate.
Steps in setting up a project within TeamMate.
The TeamMate Administrator creates new engagements within TeamMate Admin
module. (Security groups are created and maintained in TeamAdmin, including
adding and removing team members, but the security groups are associated with
Projects in EWP. Members of the Project Ownership team can only add or remove
groups from a Project.) The project is assigned to the appropriate annual audit plan
year. A project code is assigned in the following format: 2019-001-WM [Audit plan
year - sequential audit project number-letters indicating the name of the primary
department]. A title/project name is also assigned to the project using calendar year
and brief phrase indicating the nature of the project. (2016 - Water billing project).
The audit manager will then schedule the project and assign the project leader and
team members within TeamMate Schedule module.
The auditor-in-charge or audit manager will then "pull in/initiate" the project within
TeamMate EWP assigning the appropriate TeamMate project template. The project
template will contain the base program groups, audit steps, project folders, and sub-
folders and related tools/templates for the engagement.
TeamEWP work program allows for individual sign-off of each procedure within a
multiple-step program. This allows team members to work on different steps within
the same work program and sign-off electronically on their steps.
Workpaper Index
Functional access levels within TeamEWP provide for distinct levels of authorization
based upon your 'role' on a given project. For example, a preparer cannot sign-off
on electronic workpapers as reviewed and a read-only team member can view the
project file but not make changes. When the preparer signs off on a document, audit
step, audit program, or issue, the preparer's initials are recorded with the date and
time. When the reviewer signs off on any document the reviewer's initials are also
recorded with the date and time.
Workpapers should be made available in accordance with the Georgia Open Records
Act. (See Procedure 7.02, Open Records Request).
The team should create additional fieldwork sub-folders within the fieldwork project
folder to organize work. The workpaper index below provides an overview of the
baseline project template, a uniform method for organizing working papers common
to all audit projects and suggests methods for organizing the workpapers for audit
fieldwork. Using the index facilitates review and retrieval while allowing flexibility to
meet the needs of the audit. (See Procedure 1.06, TeamMate Audit Management
Software)
Abbrev.: PA.
TeamMate Folder Title: Project Administration
Contents: Administrative documents, such as:
• Auditor Assignment and Independence Statement.
• Engagement Assignment Sheet.
• Engagement Budget and Work Plan.
• Engagement Initiation.
• Engagement Letter.
• Independent Quality Control Review.
• Confidential.
• Communication with Client.

Abbrev.: A.
TeamMate Folder Title: Project Planning & Research
Contents:
• Step 1 Project Administration.
• Step 2 Background Research on the Audit Topic.
• Step 3 Project Initiation.
• Step 4 Gain an Understanding.
• Step 5 Risk and Control Assessment.
• Step 6 Planning Results and Verification.
• Step 7 Draft Fieldwork Program.
• Step 8 Entrance Conference.

Abbrev.: B.
TeamMate Folder Title: Fieldwork Wrap-Up
Contents: Documentation of audit work necessary to support
findings and recommendations. Depending on the size
and complexity of the project, the team may create sub-folders
for tasks related to specific objectives or types of testing.
• Exceptions Noted Communicated with Management.
• Clear all Review Notes.
• Develop Finding Summary.
• Fieldwork Verification Conference.

Abbrev.: C.
TeamMate Folder Title: Reporting and Wrap-Up
Contents: Only the most current electronic version of each of
these drafts should be kept in the project folder on the
server to ensure that changes and corrections are made
to the correct draft.
• Prepare Draft Report.
• Deputy Chief Audit Executive Review.
• Technical Review of Draft Report.
• Quality Control Review.
• Chief Audit Executive Review.
• Audit Documentation Follow-up.
• Exit Conference and Issue Draft Report.
• Client Management Responses.
• Issue Final Report.
• Post Engagement Client Survey.
• Project Close-Out and Finalization.
Revising work paper files within TeamMate. Auditors should not revise
workpapers stored in the project files after the audit manager or project leader has
approved (signed off). Avoid keeping multiple versions of each document.
Generally, only the final version should be retained.
X. Sharing Workpapers with the Audited Entity
It is sometimes helpful to share with audited entity staff or management the results of an
analysis to get their input. In doing so, however, we should communicate to the
audited entity that the work is in progress and subject to change. Check with the
CAE or audit manager before sharing workpapers with the audited entity. Work
should undergo supervisory review before it is shared and should be marked,
"Confidential - For Discussion Only." Our general practice is to retain copies of
workpapers that we share in the meeting.
Procedure 3.04
Page 1 of 7
Office of Independent Internal Audit
Audit Function
Procedures Manual
Chapter 3
Procedure 3.04 - Fieldwork Verification Conference
Purpose:
Assess the evidence gathered, agree on the major findings and conclusions, and
determine whether additional data collection or analysis is needed based on our overall
assessment of evidence including the significance of the evidence to the audit
objectives and the sufficiency or appropriateness of the evidence to mitigate audit risk.
Authority:
Government Auditing Standards (GAS) also known as the "Yellow Book" promulgated
by the Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
Internal auditors must document relevant information to support the findings and
conclusions.
Subject: Audit Fieldwork
Procedure Number: 3.04
References: GAS 3.109 - 3.117, Professional Judgment; GAS 8.15 - 8.16, Planning;
GAS 8.90 - 8.107, Evidence; GAS 8.108 - 8.115, Overall Assessment of Evidence;
GAS 8.116 - 8.131, Findings
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended: 5/13/2020
Fieldwork Verification Conference
I. Introduction
The fieldwork verification conference is to assess the evidence gathered, agree on the
major findings and conclusions, and determine whether additional data collection or
analysis is needed based on our overall assessment of evidence, significance, and
audit risk.[1] The result of the fieldwork verification conference is agreement on the overall
"message" of our work and a summary of finding elements that lay the foundation for
the draft report. The format and nature of the report can vary depending on timing
requirements and user needs. Regardless of whether our final product is a bound
report, briefing slides, memo, or an email, we recognize that our value to the DeKalb
County government will be judged largely by the quality of our reports.
The audit manager, CAE, and/or Deputy CAE should be in attendance. The
auditor-in-charge or other designated team members will facilitate the meeting.
Formulate the message to be reported. The facilitator will use some type of
structured process for group decision-making so participants will:
• Formulate each element of the finding. (What we know).
• Match relevant data to each finding. (How we know it).
• Identify solutions (potential recommendations).
II. Overall Assessment of Evidence
As we formulate the elements of our findings, we'll assess whether our evidence as a
whole is appropriate and sufficient to support the findings and conclusions given the
expected significance and audit risk. Evidence is not sufficient or not appropriate
when:
• Using the evidence carries an unacceptably high risk that it could lead to an
incorrect or improper conclusion.
• The evidence has significant limitations.
• It doesn't adequately support the findings and conclusions.
While working together to develop findings and assess the evidence, participants need
to exercise professional skepticism, draw conclusions based on the evidence that
we've collected, explicitly consider alternative explanations, and recognize when we
need more information. Everyone is expected to participate. We encourage the free
and open exchange of information and ideas and will not judge the merit of ideas
based on hierarchy. Dissent and conflict are a valuable part of the process - surfacing
and resolving potential weaknesses in our evidence and overall conclusions strengthen
our work. To be constructive, participants must be prepared to articulate their reasons
for agreement or disagreement. The strength of the agreement or disagreement is a
starting point for discussion, not the final argument.
[1] Before the fieldwork verification conference, the auditor must informally discuss the findings with the audited
entity, so they can present any additional information to the auditor that may resolve the finding.
III. Audit Documentation
The auditor-in-charge is responsible for documenting the date, who attended the
fieldwork verification conference, and decisions made regarding audit findings. (See
Procedure 3.03, Audit Workpapers).
IV. Attributes of a Well-Developed Audit Finding
Findings are pertinent statements of fact. Those findings necessary to support or to
prevent misunderstanding of the internal auditor's conclusions and recommendations
should be included in the final audit report. Less significant information or findings
may be communicated orally or through informal correspondence.
Attributes to be discussed for every Office of Independent Internal Audit finding are:
A. Condition (What does exist).
B. Criteria (What should exist).
C. Cause (Why the difference exists).
D. Effect or potential effect (The impact of the difference).
E. Recommendation (This is technically not an element of a finding but provides
details of what should/could be done to address the finding.)
A. Condition:
The statement of condition identifies the nature and extent of the finding or
unsatisfactory condition. It is the facts. It often answers the question: "What
is wrong?"
Normally, a clear and accurate statement of condition evolves from the
internal auditor's comparison of results with appropriate evaluation criteria.
B. Criteria:
This attribute establishes the legitimacy of the finding by identifying the
evaluation criteria, and answers the question: "By what standards was it
judged?"
In operational or management audits, criteria could be management
objectives, plans, industry or company standards, contracts, policies,
procedures, guidelines, laws or regulations, and expectations for efficiency,
effectiveness, and economy.
In financial audits, criteria could be accuracy, materiality, consistency, or
compliance with applicable accounting principles and legal or regulatory
requirements.
In audits of efficiency, economy, and program results (effectiveness), criteria
might be defined in mission, operation, or function statements; performance,
production, and cost standards; contractual agreements; program objectives;
policies, procedures, and other command media; or other external sources of
authoritative criteria.
C. Cause:
This attribute identifies the underlying reasons for unsatisfactory conditions or
findings, and answers the question: "Why did it happen?"
If the condition has persisted for a long period of time or is intensifying, the
contributing causes for these characteristics of the condition should also be
described.
Identification of the cause of an unsatisfactory condition or finding is a
prerequisite to making meaningful recommendations for corrective action.
The cause may be quite obvious or may be identified by deductive reasoning
if the audit recommendation points out a specific and practical way to correct
the condition. However, failure to identify the cause in a finding may also
mean the cause was not determined because of a limitation in audit work
performed.
An internal auditor's failure to thoroughly investigate the real root cause can
also contribute to a less-than-adequate recommendation, possibly fixing the
wrong thing, or correcting the symptom rather than the real cause.
Frequently, the real root cause is a "soft" issue which otherwise would not be
addressed.
D. Effect:
This attribute identifies the real or potential impact of the condition and
answers the question: "What effect did/could it have?"
The significance of a condition is usually judged by its effect. In operational
audits, reduction in efficiency and economy, or not attaining program
objectives (effectiveness), are appropriate measures of effect. These are
frequently expressed in quantitative terms; e.g., dollars, number of personnel,
units of production, quantities of material, number of transactions, or elapsed
time. If the real effect cannot be determined, potential or intangible effects
can sometimes be useful in showing the significance of the condition.
Accurate evaluation of the real or potential effect is crucial in determining the
effort, resources, or control that should be applied to improve the situation, as
well as in getting management's agreement on the issue.
E. Recommendations:
This final attribute identifies suggested improvement action and answers the
question: "What should be done?"
The relationship between the audit recommendation and the underlying cause
of the condition should be clear and logical. If a relationship exists, the
recommended action will most likely be feasible and appropriately directed.
The quality and sustainability of the improvement activities will be significantly
enhanced if the audited entity is brought into the discussion and takes part
with the OIIA in jointly developing the solution.
Recommendations in the audit report should state precisely what
improvement action has been agreed upon. More generalized
recommendations (e.g., greater attention be given, controls are
reemphasized, a study be made, or consideration be given) should not be
used in the audit report, although they are sometimes appropriate in summary
reports to direct top management's attention to specific areas.
Unless the benefits of taking the recommended action are very obvious, they
should be stated. Whenever possible, the benefits should be quantified in
terms of additional revenue, lower costs, or enhanced effectiveness or
efficiency. The cost of implementing and maintaining recommendations
should always be compared to risk.
Recommendations should be directed to the individual with both adequate
knowledge and effective responsibility, or authority, to ensure implementation
of improvement activities.
V. Development of the Report Structure
We structure our reports to meet the needs of readers. The key elements of a reader-
based report are:
• Title.
• Summary.
• Headings.
• Topic sentences/key support.
• Graphics.
These elements allow non-expert, busy readers to understand our message by just
skimming the report. Note that the structure moves from the whole (the overall
message) to the parts (the supporting detail). Some people are more comfortable
writing from the detail and building up to the conclusion.
We should exercise care in developing the report when our findings include fraud,
illegal acts, waste, abuse, or significant violations of contracts or grant agreements.
Prior to developing the report, we should have already determined our responsibility to
notify management, officials, or third parties (See Procedure 3.02 Auditor
Responsibilities Regarding Fraud). The information in our public report should be
limited so as not to interfere with an ongoing investigation or legal proceeding. Our
practice is to seek legal advice if there's a question of what we can responsibly report.
The report should describe significant deficiencies in internal controls related to our
objectives. These will be part of our findings and developed as part of the message
rather than a separate section.
The CAE will decide the kind of product that best communicates results. Usually, if we
plan to issue a memo or briefing slides instead of a report, we will have made this
decision when setting the scope. GAS identifies timeliness as an element of a quality
report and defines timeliness as providing relevant information in time to respond to
legislative officials and other users' legitimate needs. We can be most responsive to
timeliness needs when we identify them early. However, if we become aware of
timeliness issues later in the audit process, we'll tailor the report format and outline to
respond to user needs while still following standards.
VI. TeamMate Plus Issue Report
Well-written internal audit findings should result in recommendations that add value by
including the nature of the findings, the criteria used to determine the existence of the
condition, the root cause of the condition, the significance of its impact, and what the
internal auditors (with management's input) recommend should be done to improve the
situation.
In describing each of the attributes, the use of audited entity-related terminology, and
avoidance of internal audit "lingo" will enhance understanding of the finding.
Fully developed findings containing each of the five attributes are easily understood,
convey impact and significance to appropriate management, and enhance the
likelihood and sustainability of improvement action.
The team should schedule an exit briefing with program managers of the area under
audit on our conclusions and recommendations to get their input and identify additional
relevant information. Communicating with program managers before drafting the
report should help ensure that the report is accurate, fair, complete, and objective, and
gives the audited entity more time to prepare its response.
VII. Tools to Use
The auditor should use the Issues Viewer in TeamMate to add issues/findings and link
those issues/findings to the appropriate audit procedure in TeamMate using two-way
linking.
The auditor may use the Fieldwork Verification Template to summarize issues before
entering them into the TeamMate Issues Viewer.
Procedure 4.01
Page 1 of 4
Office of Independent Internal Audit
Audit Function
Procedures Manual
Chapter 4
Procedure 4.01 - Draft Report
Purpose:
The report is to communicate our audit results to a broad audience.
Authority:
Government Auditing Standards (GAS) also known as the "Yellow Book" promulgated
by the Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
The audit team is responsible for drafting a report that follows the format and content
guide, outlined in the standards, that provides convincing support for findings, and is
consistent with our report template.
Subject: Communicating Results
Procedure Number: 4.02
References: GAS 9.03-9.05, Reporting Auditors' Compliance with GAGAS;
GAS 9.06-9.09, Report Format; GAS 9.10-9.49, Report Contents
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended:
Draft Audit Report:
I. Introduction
The audit team uses the audit report template to write the first draft of the report.
The first draft is subject to change based on editing and technical review. The first
draft should include:
• Background - This section contains an introductory paragraph that states the
overall nature and purpose of the audit, an explanation of why we did the
audit, and enough background information about the area under audit to
provide context for the reader to understand our findings. Shorter is better.
Avoid putting conclusions in the background.
• Audit Objective - This section contains a statement about the audit objective
as outlined in the engagement letter and previously communicated to the
audited entity.
• Scope and Methodology - This section contains a description of the scope -
the timeframe being reviewed - and objectives and the major steps we
completed to conduct the audit. We also include:
o A statement that we conducted the audit in accordance with generally
accepted government auditing standards. If we did not follow auditing
standards or any other standard, we disclose the standard(s) that we did
not follow and the likely impact it would have on our report.
o Disclosure of any scope or independence impairments (See Procedure
2.02 Staff Assignments, Independence, and Ethical Principles).
o A statement that we omitted information from the report, when applicable,
and the reasons for the omission. Most omissions will be related to
ongoing investigations or legal proceedings, confidential, or sensitive
information protected under Georgia's Open Records Act. It is our
practice to seek legal advice if there is a question of whether information
should be omitted.
o Description of interim reports or separate communications of deficiencies
to management that were not significant to the audit objectives, if
applicable.
• Audit Results - This section lays out our findings, conclusions, and
recommendations and is the primary focus of the message development
meeting. The draft should be consistent with the format and content outlined
in the standards and meet the quality elements identified in Reporting
Standards for Performance Audits (GAS 9.17). The extent to which a report
meets the quality elements is a matter of professional judgment. We
recognize the inherent tensions between the elements (accurate, objective,
complete, convincing, clear, concise, and timely) and will draw on our
different strengths and work as a team to balance them.
o Accurate - The report must be factual. Even fairly minor inaccuracies
can cast doubt on the entire audit and damage the credibility of the office.
Keep in mind that misplaced precision - while accurate - can detract from
our meaning.
o Objective - The report should be balanced in content and tone. Findings
should be kept in perspective. Avoid unnecessary adjectives and
adverbs.
o Complete - The report should contain enough evidence to support our
conclusions and provide context and perspective about the significance of
the findings. One example of a minor deficiency is not enough evidence
to support a broad conclusion. We will have discussed support for our
conclusions in the fieldwork verification and message development
meetings.
o Convincing - The report should be presented persuasively with
conclusions and recommendations following logically from the facts.
Techniques to express the relationships between main ideas within and
among paragraphs (parallel structures; coordination, subordination, and
transition phrases; and running heads) help make the report convincing.
The key controlling idea should be in the first sentence of the paragraph to
help make a clear and convincing case.
o Clear - The report should be easy to read and understand. Use the
active voice. Avoid acronyms and jargon. Define technical terms or
abbreviations at their first use in the text or a glossary if they are essential
to understanding (but it's better to avoid using them). Simple sentence
structures are usually easiest to understand (subject-verb-object). Put
statements in positive form (what is, rather than what isn't). Graphs,
charts, maps, and other visuals also aid in clarity.
o Concise - The report should be no longer than necessary to convey and
support the message. Shorter is better as long as the report is complete.
Too much detail can obscure our message. Omit needless words. Using
strong verbs and limiting adverbs and noun phrases help with clarity and
conciseness.
o Timely - The report is of maximum use when the information in it is
current. Also, the timely issuance of the report
should be an important reporting goal. During the audit, the auditors
should provide interim reports of significant matters to the appropriate
process owners and oversight officials. Such communication alerts
officials to matters needing immediate attention and allows them to take
corrective action before the final report is completed.
• Appendices - Information that would be useful to some readers but is too
detailed to include in the body of the report may be attached as appendices.
Examples include the full text of an Administrative Order or a technical
description of an audit method - such as sampling, forecasting, or modeling.
Interim reports to management are included as appendices in most cases.
Number each appendix sequentially and refer to each in the body of the
report.
For specific guidance on report formatting and writing, audit teams should refer to
the OIIA Draft Audit Report Template 4.01-A and the Document Review Checklist 4.01-8
The team/auditor submits the first draft to the auditor's manager for paragraph-level
editing and sentence structure, and then to the CAE for a quick read, mainly for
clarity and coherence of structure.
A 'cold' read/review should be performed by an audit manager or auditor who is
independent of the project team. In addition, we send a draft out to the Audit
Committee to review before we hold the exit conference with the audited entity.
Audit Transmittal Email. The CAE prepares a transmittal email when sending the
draft report to the AOC, the CEO, the BOC, and the audited agency for review and
comment. The email briefly states the reason we conducted the audit and the
60-day statutory deadline date.
Management's response. The CAE sends the draft to management for review and
comment (See Procedure 4.03 Exit Conference and Issuing Draft Report, Section I).
The team scans management's final response into the report, once we receive it,
and ensures that the formatting and pagination are correct. (See Procedure 4.03,
Exit Conference and Issuing Draft Report, Sections IV & V)
Retaining drafts in the workpapers. Avoid keeping multiple versions of the report
draft in the workpapers (See Procedure 3.03 Audit Workpapers). The audit team
should keep in the workpaper files copies of the outline, if applicable, the
technical review draft, the draft that was sent to management, the draft that was sent
to the audit committee, and the final published report. Only the most current
electronic version of the draft should be kept in the project folder on the server to
ensure that changes and corrections are made to the correct draft. Auditors may
keep electronic files of previous drafts in their personal folders for reference if
desired.
Office of Independent Internal Audit
Audit Function
Procedures Manual
Chapter 4
Procedure 4.02 - Technical Review of Draft Report
Purpose:
The technical review is to ensure that the report accurately and objectively conveys the
results of the work and that findings and conclusions in the report are based on
sufficient, appropriate evidence.
Authority:
Government Auditing Standards (GAS) also known as the "Yellow Book" promulgated
by the Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
Completion of technical review documents the overall assessment of the collective
evidence used to support findings and conclusions.
Subject: Communicating Results
Procedure Number: 4.03
References: GAS 5.02-5.95, Quality Control and Peer Review; GAS 8.108-8.114
Overall Assessment of Evidence; GAS 9.17 Report Content
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended: 5/13/2020
Technical Review of the Draft Audit Report:
I. Introduction
The technical review involves the lead auditor cross-referencing the draft report to
supporting workpapers and the audit manager checking the references to confirm
that support is sufficient and appropriate. All reviewer reference points should be
resolved during the review. Auditors must exercise professional judgment in
conducting all aspects of technical review to remain aware of the purpose and avoid
a form-over-substance mentality.
Technical review does not substitute for and should not duplicate supervisory review
of workpapers (See Procedure 5.01, Roles and Responsibilities in Quality Control
and Assurance).
II. Referencing
The audit lead is responsible for referencing the draft report to the workpapers.
Referencing (sometimes called indexing or cross-referencing) is the process in
which the auditor notes on the draft report the workpaper source for each fact,
figure, date, or other piece of evidence described in the report. Referencing should
be complete and accurate. The project leader is responsible for correcting the report
as they find errors to ensure that it is consistent with the evidence in the workpapers.
Each major section of the draft report should be referenced to the workpapers
including the appendices. Summary paragraphs should be referenced to the
relevant text in the body of the report, which is referenced to the workpapers. Some
sentences or ideas in the Background and Introduction Section do not directly relate
to a specific workpaper and may be referenced as the conclusion, statement,
recommendation, or calculation. All findings must be referenced with the
corresponding issues in TeamMate, which must be linked to the audit procedures
that contain the relevant supporting workpapers.
III. Checking references
The audit manager is responsible for checking each reference to confirm that the
source supports each fact, figure, and date and that the conclusions in the report
are based on sufficient, appropriate evidence. The audit manager should be
thorough in checking references, raise substantive issues, and avoid writing points
related to text editing, except to the extent that word choices affect meaning.
IV. Answering and resolving points
The project leader will answer all points raised on the referenced draft report. Responses
should be brief and constructive. The audit manager will check the responses
including revised text and references and indicate that the issue was satisfactorily
resolved. If the auditor and audit manager can't agree, the CAE will make the final
decision.
Completion of technical review documents the assessment that evidence is sufficient
and appropriate to support the findings and conclusions in the report.
The referenced draft report and referencing notes are maintained in the workpaper
files.
The project leader is responsible for ensuring that substantive changes to the draft
report that occur after technical review are referenced. For example, if we add
information to the report following management's or the Audit Oversight Committee's
review, any fact, conclusion, or statement we add must be referenced.
Chapter 4
Procedure 4.03 - Exit Conference and Issuing Draft Report
Purpose:
Providing management with a draft audit report for review and comment serves three
primary purposes. First, it helps to ensure that the report is accurate, fair, complete,
and objective. Second, providing management's written response in the published
report promotes transparency and helps the reader assess whether the report is fair and
credible. Finally, management's specific response to recommendations provides the
basis for later follow-up on the implementation of recommendations.
Authority:
House Bill 599 (2015 Ga. Laws 3826) enacted by the Georgia General Assembly signed
into law on May 12, 2015, and incorporated into DeKalb County, Georgia - Code of
Ordinances / Organizational Act Section 10A - Independent Internal Audit.
Government Auditing Standards (GAS) also known as the "Yellow Book" promulgated
by the Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
The review is to ensure that the draft audit report is clear, objective, and balanced.
Subject: Communicating Results
Procedure Number: 4.04
References: House Bill 599 (2015 Ga. Laws 3826); DeKalb County, Georgia - Code of
Ordinances / Organizational Act Section 10A - Independent Internal Audit; GAS
9.06-9.09, Report Format; GAS 9.18-9.27, Reporting Findings, Conclusions,
and Recommendations; GAS 9.50-9.55 Obtaining Views of Responsible Officials
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended: 5/13/2020
Exit Conference and Issuing Draft Audit Report:
I. Sending the Draft Audit Report to Management for Review and Comment
Once editing and formatting are completed, the project leader will contact the head
of the audited entity to schedule an exit conference. Based upon the agreed-upon
exit conference dates with the audited entity, an Outlook invite is sent to the CAE,
CEO, COO, and CFO (if applicable). In addition, others are copied on the invite
when audits involve areas for which they are responsible. (Rule-of-thumb - whoever
received the engagement letter should also receive the draft report.) Primarily, a pdf
copy of the draft report is attached to the email invite. In cases where the report
contains confidential information, a pdf copy will not be attached.
II. Exit conference
The purpose of the exit conference is to discuss management's questions, concerns,
and proposed changes to the draft report before asking for their written response to
the recommendations. The exit conference is usually in the OIIA conference room
to enable access to workpapers.
The exit conference meeting should be documented in the TeamMate Reporting and
Wrap-up program group. The following tools should be used to document the exit
conference agenda and attendees:
• Exit Conference Agenda 4.03-A
• Exit Conference Sign-In Sheet
Auditors should carefully assess management's comments and concerns and decide
whether and how to revise the report. The audit team is responsible for recording
attendance, matters discussed, and decisions made. The team keeps the record in
the administrative files of the audit documentation.
Following the exit conference, the audit team is responsible for making agreed-upon
revisions to the report and referencing substantive changes.
III. Final Draft Audit Report
The final draft of the audit report shall be forwarded to the audit oversight committee,
the Chief Executive, the Commission, and the audited agency for review and
comment regarding factual content before its release.
The draft report should be issued to the audited agency by email stating that they
shall respond in writing, specifying the agreement with audit findings and
recommendations or reasons for disagreement with findings and recommendations,
plans for implementing solutions to issues identified, and a timetable to complete
such activities. The response shall be forwarded to the OIIA within 60 days. The
response should be documented on the Management Response Template 4.03-B.
IV. Obtaining the Views of Responsible Officials
When management's response contains comments that are inconsistent or in
conflict with the findings, conclusions, or recommendations in the draft report, the
manager and CAE will evaluate the validity of management's comments. If the
manager and the CAE disagree with management's comments, the project leader
will document the reason for disagreement in TeamMate workpapers and the report.
Conversely, if the audit team and CAE determine management's comments are valid
and supported by sufficient, appropriate evidence, the report will be modified to
reflect the comments. The evaluation of management's responses should be
documented in the Evaluation of Management's Response template 4.03-C.
V. When Management Doesn't Respond Timely
If management refuses to respond or is unable to respond within a reasonable
timeframe, the OIIA shall note in the audit report and the transmittal email
that management did not respond, and shall release the audit report.
Chapter 4
Procedure 4.04 - Issuing Final Audit Report
Purpose:
Final reports are provided to officials responsible for oversight and decision-making, as
well as to the public to promote accountability and transparency in DeKalb County
government and to protect our independence.
Authority:
House Bill 599 (2015 Ga. Laws 3826) enacted by the Georgia General Assembly signed
into law on May 12, 2015, and incorporated into DeKalb County, Georgia - Code of
Ordinances / Organizational Act Section 10A - Independent Internal Audit. Government
Auditing Standards (GAS) also known as the "Yellow Book" promulgated by the
Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
Each audit shall result in a final report, in written or some other retrievable form.
Subject: Communicating Results
Procedure Number: 4.05
References: House Bill 599 (2015 Ga. Laws 3826); DeKalb County, Georgia - Code of
Ordinances / Organizational Act; GAS 9.56, Report Distribution; GAS 9.68
Discovery of Insufficient Evidence after Report Release
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended: 5/13/2020
Issuing the Final Audit Report:
I. Introduction
The report shall contain relevant background information, findings,
recommendations, and shall communicate results to the Audit Oversight Committee
(AOC), the audited agency, and the governing authority.
II. Issue Report
The OIIA shall include the response from the audited entity in the audit report. The
CAE prepares the transmittal email. If no response is received from the audited
entity, the report shall note that the audited entity did not provide
comments. (See Procedure 4.03 Exit Conference and Issuing Draft Report, Section
V)
The transmittal email should:
• State that the report has been released (with title and project number).
• Give a brief synopsis of the audit that includes the purpose and what was
examined.
• State the result of the engagement and what the conclusion was relative to
the objective.
• Attach a pdf copy of the report to the email.
• The project leader should ensure that a copy of the transmittal email is filed
with the audit documentation.
The final report is posted to the OIIA website after copies are distributed to the AOC,
CEO, Board of Commissioners (BOC), and the audited agency.
As part of the quality assurance and improvement program, there is a survey to
obtain feedback from stakeholders that pertains to the performance of the recently
completed services and associated report. The audit survey template is titled
"OIIA Post Engagement Client Survey" (See Procedure 5.06, Post Engagement Client
Survey).
It can be accessed from TeamMate EWP within the project, under the tab
"Teammate". Click the button "Survey" then select "Templates" and then create a
survey from the template. The project leader should send out the survey once the
final report is issued to the audited entity.
III. Errors and Omissions:
If, after the final report has been released, the CAE determines the report contains
a significant error or omission, the OIIA will communicate the corrected information
to all parties who received the original report. The date of the report should be the
revised issue date. (See GAS 9.68).
Chapter 4
Procedure 4.05 - Post Engagement Client Survey
Purpose:
The post client survey is intended to solicit the client's feedback on the performance of
the audit, value of the audit report, client engagement, and interaction. The results of
the survey should be considered and action plans developed to address identified areas
of improvement for the OIIA.
Authority:
House Bill 599 (2015 Ga. Laws 3826) enacted by the Georgia General Assembly signed
into law on May 12, 2015, and incorporated into DeKalb County, Georgia - Code of
Ordinances / Organizational Act Section 10A - Independent Internal Audit. Government
Auditing Standards (GAS) also known as the "Yellow Book" promulgated by the
Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
This procedure applies to all OIIA audit projects and supports ongoing performance
monitoring and improvement. Each member of the OIIA plays a role in ensuring quality.
Subject: Quality Assurance
Procedure Number: 4.06
References: House Bill 599 (2015 Ga. Laws 3826); DeKalb County, Georgia - Code of
Ordinances / Organizational Act; GAS 3.85f, 3.93-3.95, Quality Control and
Assurance
Issue Date: 06/12/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended: 6/23/2020
Post Engagement Client Survey (TeamMate):
I. Introduction
After the project is complete and the final report is issued, a Post Audit Client Survey
should be administered to the key contact(s) engaged during the audit to solicit
feedback on their experience during the audit and suggestions for improvement.
II. Administering the Survey
The survey should be sent after the final report is issued but before the project
completion and close out step and before the project is finalized and sent to Team
Central. The following steps should be performed by the Audit Manager of the project:
1. From within the TeamMate EWP module, select the "Review" tab/ribbon.
2. Select the Survey Manager button. From the Survey Manager pop-up window,
select the "Create Survey" button and select the available Post Client Survey with the
title "OIIA Post Engagement Client Survey".
3. The default end date is 14 days from the date the survey is created. This
should be adjusted as needed.
4. Select project contacts to receive the survey.
5. Click "Next", review details, then click "Publish".
Note: Next, complete the "Audit Satisfaction Survey" procedure under the Reporting
and Wrap-up Program group in EWP. Enter the date the survey was sent and
the estimated end date. The Audit Manager is responsible for verifying that the survey
has been sent to the client before approving the step. All surveys sent can be seen and
verified in the Team Central module.
Important - To increase survey responses, the client should be informed at least during
the exit conference that they will receive a post engagement survey and of the importance
of completing the survey. After the survey is sent, the Audit Manager should follow up
with the client to confirm receipt and address any questions or issues the client may
have.
III. View/Access Survey Results
Survey results are reported/recorded in the Team Central module. Open Team Central
and click "Survey" from the menu. Locate the survey with the project title and open it.
The CAE, Managers and project staff can view survey results; however, the survey
results cannot be edited and should never be deleted.
Note: There is no automatic notification for receipt of survey results. The auditor should
make periodic checks in Team Central.
IV. Survey Result Impact / Action Plans
The CAE is primarily responsible for reviewing survey responses. The Audit Manager
should also review survey results and meet with the CAE and project team members to
review the results and discuss opportunities for improvement. A comprehensive log of
areas of improvement identified across projects should be maintained by the CAE with
support from managers. Action plans should be put in place to address issues as
needed.
At least annually, the CAE should review the log of survey-identified opportunities to
identify issues/themes common across projects/teams. Action plans should be
developed to address systemic issues as necessary, which may require staff
(re)training, clarification of the OIIA manual, etc.
Chapter 5
Procedure 5.01 - Roles and Responsibilities in Quality Control and Assurance
Purpose:
The Quality Control and Assurance system encompasses the organization's leadership,
emphasis on performing high-quality work, and policies and procedures designed to
provide reasonable assurance of complying with professional standards (GAS) and
applicable legal and regulatory requirements. Additionally, it includes organizational
and personnel management structures, forms, templates, and monitoring tools to help
accomplish this goal.
Authority:
Government Auditing Standards (GAS) also known as the "Yellow Book" promulgated
by the Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
Each member of the OIIA plays a role in ensuring quality. Quality is essential in
conducting audit work in compliance with GAS standards and the CAE and other
members of audit management are ultimately responsible for the system of quality
control.
Subject: Quality Assurance
Procedure Number: 5.01
References: GAS 5.0-5.03, Quality Control and Assurance; GAS 5.04, System of Quality
Control; 5.05-5.07, Leadership Responsibilities for Quality within the
Audit Organization
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended:
Roles and Responsibilities in Ensuring Quality:
Roles and Responsibilities in Ensuring Quality:
I. Introduction
Key elements of quality assurance include:
• Policies and procedures.
• Chief Audit Executive review.
• Project Management.
• Conferences.
• Technical review.
• Post-project evaluation.
• Continuous development of staff (on-the-job training, coaching, performance
assessments, and CPE).
• Informal communication and collaboration.
All OIIA employees are responsible for remaining aware of current procedures and
why these procedures must be followed and emphasizing the spirit of complying with
the procedures.
II. Policies and Procedures
Written policies and procedures have been established for all phases of the audit
process and for the key administrative functions within the OIIA to help ensure the
achievement of office responsibilities and effective quality control and assurance.
Policies and procedures are communicated to OIIA personnel, readily available on
the office's internal SharePoint site, and periodically reviewed during staff meetings
and other office gatherings to ensure continued effectiveness and applicability.
III. Chief Audit Executive Role
The CAE is responsible for the overall direction and management of the office.
Specific duties include:
• Developing an annual audit plan considering risks to the County and capabilities
and resources of the OIIA to conduct the work.
• Assigning a sufficient number of staff members that collectively possess the
necessary knowledge and skills to conduct the projects and who are
independent.
• Setting overall expectations for performance of critical job elements and conduct.
• Participating in internal project meetings to decide on audit scope and objectives.
• Meeting regularly with the audit team to ensure audits are progressing
satisfactorily.
• Reviewing and approving the draft outline, report drafts, and the final report.
• Compiling the results of individual auditors' post-project reviews to fulfill County
requirements for an annual performance evaluation.
• Representing the OIIA to the Audit Oversight Committee, County officials and
external stakeholders.
IV. Audit Manager's Role
The Audit Managers assist the CAE in day-to-day management of the office.
Specific duties include:
• Supervising team leaders (providing guidance and direction, communicating
expectations).
• Monitoring project status and assisting audit teams to manage the projects.
• Reviewing key audit documentation such as referencing review notes and
support for complex or sensitive findings.
• Editing draft reports.
• Preparing an annual summary and analysis of the effectiveness of ongoing
monitoring procedures.
• Developing procedures, templates, and other tools to guide/aid audit teams.
• Participating constructively in team meetings and internal project reviews.
• Monitoring project status on a day-to-day basis.
• Communicating expectations to audit team members.
• Assigning tasks to balance workload.
• Providing opportunities for professional development.
• Providing feedback to audit team members on how well they meet expectations.
• Directing and instructing audit team members on the conduct of their work.
• Ensuring completed workpapers are accurate, complete, and within the scope of
the audit.
• Facilitating internal project meetings or designating a facilitator.
• Documenting timely supervisory review of workpapers (see below).
• Modeling good practices in conducting audit work.
• Establishing a working relationship with auditees.
• Communicating project status and significant impediments to the CAE.
• Evaluating audit team members' individual performance once the project is
complete.
V. Auditor's Role
Members of the audit team are responsible for completing assigned work tasks in
accordance with policies and procedures. Specific duties include:
• Preparing administrative documents, such as the Auditor Assignment and
Independence Statement, Engagement Assignment Sheet, Engagement Budget
and Work Plan, Engagement Initiation, Engagement Letter, and key meeting
invitations, client communications, milestone summaries, budget and actual
analysis, and meeting agendas.
• Defining and completing tasks to achieve goals.
• Documenting work completed by preparing workpapers consistent with policies
and procedures.
• Communicating audit progress and significant problems to the audit manager,
team leader, and other team members.
• Communicating issues that may require follow-up to the Audit Manager and other
team members.
• Establishing a working relationship with audit clients.
• Managing time to meet established deadlines.
• Participating constructively in team meetings.
VI. Supervision of the Audit:
Managers are responsible for ensuring that staff is provided with appropriate tasks,
given their skills and proficiencies, and that proper supervision is provided during all
phases of an audit. They are responsible for overseeing the individual development
of staff through coaching, observation, providing timely feedback, and rating
performance.
Manager reviews ensure:
1. Individual workpapers have:
• a clear purpose that is relevant to the audit objective(s)
• a clear description of the methodology used
• a conclusion that addresses the purpose and is consistent with and
supported by the type and amount of evidence presented
• accurate data entry and calculations
2. The body of audit workpapers is complete, accurate, and logically organized.
Workpapers with these characteristics allow readers to draw sound conclusions
based on appropriate evidence and to systematically link findings and
recommendations to the work conducted.
Managers must review audit documentation in a timely manner. Timeliness
depends on the nature of the work and the experience level of the staff members
conducting the work. Work conducted by less experienced staff and complex work
or work that provides the basis for additional steps should be reviewed within a few
days of completion. Managers should review audit documentation as soon as
practical.
Auditors are responsible for promptly addressing and resolving questions and
concerns raised in their manager's review. Managers must ensure all outstanding
questions or comments have been satisfactorily resolved before approving a
workpaper. Managers should document the extent to which they verified data entry,
calculations, formulas, query language, and other content that forms the basis of
conclusions using tick marks or other notations on the workpaper. Documents such
as agency manuals or regulations need not be individually signed. Documents in
the administrative binder that the team prepares for internal or external
communication (such as internal meeting documents or engagement letters) do not
require evidence of management review.
Other Key Elements of OIIA's Quality Control and Assurance System:
• Internal meetings help to ensure audit quality by drawing on the strengths of
each member of the team to identify risks, develop sound methodologies, and
determine and resolve potential weaknesses in evidence and conclusions.
• The Audit Manager is responsible for ensuring the audit is conducted in
accordance with GAS standards and internal policies and procedures.
• Technical review of the draft report ensures that the report accurately and
objectively conveys the results of the work and that findings and conclusions in
the report are based on sufficient, appropriate evidence.
• Project closeout reviews help to ensure our controls are working effectively and
provide the basis, along with post-project evaluations, to annually review,
assess and identify opportunities for improvement.
• Post-project evaluation of the audit manager and the auditors working on the
project helps to provide feedback to resources participating on the project and to
identify strengths and weaknesses of individual projects to facilitate individual
and organizational learning.
• Staff development helps to ensure audit quality by ensuring staff members are
competent and motivated.
Office of Independent Internal Audit
Audit Function
Procedures Manual
Chapter 5
Procedure 5.02 - Post-Project Evaluation
Subject: Quality Assurance
Procedure Number: 5.02
References: GAS 5.01 - 5.06, Quality Control and Assurance; GAS 8.87-8.89 Supervision
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended: 6/23/2020
Purpose:
Post-project evaluations are to facilitate individual and organizational learning by
assessing individuals' strengths in performing primary job duties, identifying
opportunities to strengthen performance, and systematically identifying situational
factors that help or hinder performance.
Authority:
Government Auditing Standards (GAS) also known as the "Yellow Book" promulgated
by the Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
Audit projects do not end with the issuance of the audit report. Post project reviews and
evaluations apply to all audit projects and are important in ensuring quality control and
assurance. Each member of the OIIA plays a role in ensuring quality. The CAE and
other members of audit management are ultimately responsible for the system of quality
control.
Post Project Evaluation:
I. Introduction
Post-project evaluations:
• Provide the employee with structured feedback on performance to supplement on-
going, informal coaching and feedback.
• Provide the employee an opportunity to assess his/her performance.
• Provide the employee an opportunity to give feedback on performance
management and systems and team performance.
• Provide a basis for the CAE to compile annual performance reviews to fulfill
County requirements.
• Serve as a mechanism to monitor whether our controls are working effectively.
The quality of work products is assessed through documentation of review and the
quality of process participation is assessed through observation. The identification of
expectations for both work products and process participation is essential because
both are important aspects of performing quality audits within the context of teamwork
where successful performance requires interaction. Assessment of outcomes alone
rarely provides useful diagnostic information.
II. Roles
The audit manager and the CAE are jointly responsible for documenting discussions
with auditors regarding performance of their primary job duties at the close of each
project. The use of the form for self-assessment and structured feedback throughout
the project are encouraged. The audit manager should generally schedule review
meetings within four weeks of the date on which the report will be released to the public.
The audit managers should use the EMPLOYEE PROJECT EVALUATION FORM and
the CAE and/or DCAE should use the MANAGER PROJECT EVALUATION FORM and
provide structured feedback throughout the project.
Steps in Post-Project Review
1. Ensure the Customer Satisfaction Survey has been completed by the audit client.
2. Incorporate feedback from the survey into the post project evaluation where
appropriate.
3. Schedule the meeting. (Audit Manager)
4. Identify tasks that the employee worked on during the project.
5. Review expectations related to each job activity and audit phase.
6. Summarize perceived strengths and opportunities for improvement related to
each job activity/audit phase in post-project review.
7. Focus on primary duties.
8. Consider both outcomes and processes.
9. Provide specific examples from work products/observations.
10. Describe performance in terms of quality and timeliness expectations, not
compared to another employee's performance.
11. Note factors that helped or hindered the individual's performance, which can
include others' performance, management support, technical support, adequacy
of materials and equipment, etc.
12. Hold meeting and explain the purpose of the meeting:
a. Have formal documentation of the employee's performance on each
project.
b. Allow employee the opportunity to assess his/her own performance and
compare.
c. Allow the employee the opportunity to share information on project
management, use of systems, and overall team performance.
d. Use this information as a basis for the annual performance appraisals to
fulfill County requirements.
13. Share assessments of strengths, opportunities for improvement, and factors that
helped or hindered performance. Discuss:
a. Differences in perception of performance.
b. Factors supporting most successful efforts.
c. Challenges/obstacles.
d. How the organization can support efforts to strengthen work performance.
14. Close the discussion.
a. Summarize key points of meeting and areas of agreement and
disagreement.
15. When Meeting is completed.
a. Make copies of forms for audit manager, auditor, and team members.
b. Review to identify developmental needs and consider other ways to better
support performance.
16. Use the review to prepare the annual review to fulfill County requirements.
Chapter 5
Procedure 5.03 - Continuous Development and CPE
Subject: Quality Assurance
Procedure Number: 5.03
References: HB 599 (2015 Ga. Laws 3826); DeKalb County, Georgia - Code of Ordinances / Organizational Act; GAS 4.01 - 4.53 Competence and Continuing Professional Education (CPE)
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended: 6/23/2020
Purpose:
Continuous development and/or the attainment of Continuing Professional Education
(CPE) credits are necessary to ensure staff develop and maintain professional
competence to effectively perform critical job tasks.
Authority:
House Bill 599 (2015 Ga. Laws 3826) enacted by the Georgia General Assembly signed
into Law on May 12, 2015, and incorporated into DeKalb County, Georgia - Code of
Ordinances / Organizational Act Section 10A - Independent Internal Audit. Government
Auditing Standards (GAS) also known as the "Yellow Book" promulgated by the
Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
Every member in the OIIA is required to play a role in their continued professional
development. Participating in creating their professional development plan ensures the
employee is invested in achieving plan goals.
Y:\FORMS & TEMPLATES\GENERAL\2019\Training Request Form-vl_S.03.03
Continuous Development and CPE:
Continuous Professional Development
On-the-job training and other work activities intended to meet an individual's
professional development goals.
HB 599 (2015 Ga. Laws 3826) enacted by the Georgia General Assembly signed into
Law on May 12, 2015, and incorporated into DeKalb County, Georgia - Code of
Ordinances / Organizational Act Section 10A - Independent Internal Audit describes
certification requirements for the CAE. Acceptable OIIA certifications include:
• CFE (Certified Fraud Examiner).
• CGAP (Certified Government Audit Professional - No longer offered by the IIA).
• CGFM (Certified Government Financial Manager).
• CIA (Certified Internal Auditor).
• CISA (Certified Information Systems Auditor).
• CPA (Certified Public Accountant).
• CRMA (Certification in Risk Management Assurance).
To support audit staff in becoming certified, the OIIA will provide current study guides
and allow auditors up to ten hours of scheduled work time per exam part to prepare for
a certification exam. The time must be scheduled through the auditor's manager to
avoid conflict with key deadlines. Additional in-office study hours will not be granted
for re-taking any portion of an exam. Four (4) days of approved Administrative Leave
with pay will be granted: three (3) days for exam prep and one (1) day to take the
exam.
The OIIA will reimburse one-half of the fees for each part of the exam after the staff
member has passed a part. Reimbursement is allowed only once per part; fees for
repeating a part will not be reimbursed. In addition, the OIIA will reimburse one-half of
the initial registration fees after the staff member has passed the entire exam.
Employees can request reimbursement by completing the CERTIFICATION
REIMBURSEMENT REQUEST FORM 5.03.01.
Employees that receive reimbursement under this policy must sign an agreement to
the following conditions, in a form acceptable to OIIA and HR:
1. An employee who voluntarily separates from, retires, or is terminated for
cause from employment with the County less than two years after completing
the exam or parts thereof, will be required to return the percentage of the
reimbursement amount that is shown, in the manner described herein.
2. Repayment will be due on the final day of employment, and/or deducted from
any payments due the employee, i.e., leave payout or paycheck, to the extent
permitted by law. If such amounts are not repaid and cannot be recovered
from the employee's final paycheck or payout, the County may take legal
action to recover the amount that the employee owes but has not returned.
Employee must return the percentage of the reimbursement funds indicated
in the chart below if the employee separates from employment within the
following numbers of months after completing the last exam for which
reimbursement was received:
Repayment Schedule if Employee Terminates:
Months                          Percentage
Under 12 months                 100%
12 months - under 18 months     50%
18 months - under 24 months     25%
Certification and License Incentive Pay. Auditors who attain a professional
certification or license from the list approved by the CAE shall receive an increase in
pay for each certification and/or license. The amount of increase or decrease will be
consistently applied in accordance with a pre-established schedule. (5% for CIA,
CISA, and CPA. 2.5% for other certifications that apply to auditor's job). Failure to
maintain the certification could result in a commensurate reduction in salary.
Additional certifications. Auditors who attain additional, approved certifications
receive incentive pay as described above.
Membership in Professional Organizations. Auditors are encouraged to participate
in the activities of professional organizations that are related to government or
auditing, such as:
• Association of Local Government Auditors.
• American Society for Public Administration.
• Association of Airport Internal Auditors.
• Association of Certified Fraud Examiners.
• Association of Government Accountants.
• Georgia Society of Certified Public Accountants.
• Government Finance Officers Association.
• Information Systems Audit and Control Association.
• Institute of Internal Auditors.
• Institute of Management Accountants.
• National Association of Black Accountants.
• National Forum for Black Public Administrators.
• Information Systems Security Association.
Participation may include attendance at local chapter meetings or serving on a
committee or board of a professional organization. The OIIA holds group
memberships in the Association of Local Government Auditors and the Institute of
Internal Auditors. Upon approval by the CAE, the OIIA will pay the annual
membership dues for auditors who belong to other professional organizations based
on a pre-established amount and available budget resources each year. Auditors may
submit reimbursement for membership fees by submitting the MEMBERSHIP
REIMBURSEMENT REQUEST FORM 5.03.02. Auditors should ensure that
publications and other resources that are benefits of membership are shared within
the office. Place periodicals in the library.
Continuing Professional Education
For the OIIA, CPE refers to individual or group structured educational activities with
learning objectives designed to maintain or enhance participants' knowledge and skills
relevant to government performance auditing. All audit staff are required to comply
with the GAS CPE requirement that auditors should complete at least 80 hours of CPE
every two years. At least 24 of the 80 hours of CPE should be in subjects directly
related to government auditing, the government environment, or the specific or unique
environment in which the audited entity operates. At least 20 of the 80 hours should
be completed in any 1 year of the 2-year period. The OIIA budgets funds annually to
provide opportunities for CPE and monitors individual and organizational compliance
with GAS requirements. The OIIA will also budget funds to provide opportunities for
auditors to earn CPE required to maintain their professional certification or license, but
auditors are responsible for monitoring and reporting CPE to the certifying body.
Identifying CPE opportunities. The audit managers consult with the CAE and audit
staff to identify training opportunities. Our goal is to average at least 40 hours of
training per auditor per year. The audit manager and CAE will ensure that training is
in subject matters that meet GAS requirements. Auditors are responsible for being
aware of training requirements related to their professional certifications. If the
certification is a requirement of the position or the auditor received incentive pay when
certification was obtained, the auditor must ensure that the certification remains active
and that they comply with all related requirements.
The auditor will complete and submit a TRAINING REQUEST FORM 5.03.03 for
approval by audit manager and CAE for any training they plan to attend.
Measurement period. The OIIA uses a fixed measurement period to monitor CPE
compliance. For example, calendar year 2017-2018 is one measurement period while
2019-2020 is another measurement period. The requirements for auditors not on staff
during the entire measurement period are prorated. Auditors hired or assigned to a
GAGAS engagement after the beginning of an audit organization's 2-year CPE period
may complete a prorated number of CPE hours; the CAE will define a prorated number
of hours based on the number of full 6-month intervals remaining in the CPE period. For
example, if the CAE assigns a new auditor to a GAGAS engagement in May 2019 during
the 2-year CPE period running from January 1, 2019, through December 31, 2020, OIIA
may calculate the prorated CPE requirement for the auditor as follows:
a. Number of full 6-month intervals remaining in the CPE period: 3
b. Number of 6-month intervals in the full 2-year period: 4
c. Newly assigned auditor's CPE requirement: 3/4 x 80 hours = 60 hours
Also, when auditors are newly hired or newly assigned to GAS engagements and have
had some previous CPE, the CAE has the flexibility of choosing between using a pro-
rata approach or evaluating whether, and to what extent, any CPE already taken in that
period would satisfy GAS CPE requirements.
Tracking. Auditors are responsible for giving their CPE Certificates, which should
include the type of training activity, date, sponsoring organization, title/subject of
training, and the number of government-related and nongovernmental hours, to the
OIIA Administrative Assistant. The Administrative Assistant will maintain a
spreadsheet of every training session that an employee attends in preparation for the
OIIA peer review. OIIA's practice is to consider training that is sponsored by a
government organization, attended primarily by government auditors, or contains a
subject matter that clearly relates to government in order to fulfill the 24-hour
requirement.
The CAE will check the completeness of the spreadsheet and spot-check accuracy
quarterly.
If auditors are requesting CPE for preparing course material or publishing an article,
the record should include:
• A written statement of the number of hours claimed.
• Contact information for the publisher or sponsor of the training.
• A copy of the materials prepared or article published.
GAO's guidance describes how to calculate CPE hours for training courses and
preparing materials for presentation or articles for publication.
The auditors should use professional judgment and consult with their audit manager
and the CAE when determining what specific subjects qualify for the CPE
requirement. When approving training requests, the audit manager and the CAE may
consider probable future engagements to which the auditor may be assigned to satisfy
the 24-hour and the 56-hour CPE requirements.
Chapter 5
Procedure 5.04 - Quality Control Review Process
Subject: Quality Assurance
Procedure Number: 5.04
References: House Bill 599 (2015 Ga. Laws 3826); DeKalb County, Georgia - Code of Ordinances / Organizational Act; GAS 5.01 - 5.59, Quality Control and Assurance
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended: 06/23/2020
Purpose:
The purpose of this document is to define the engagement Quality Control Review
process. An audit organization conducting engagements in accordance with GAGAS
must establish and maintain a system of quality control that is designed to provide the
audit organization with reasonable assurance that the organization and its personnel
comply with professional standards and applicable legal and regulatory requirements.
Authority:
House Bill 599 (2015 Ga. Laws 3826) enacted by the Georgia General Assembly signed
into Law on May 12, 2015, and incorporated into DeKalb County, Georgia - Code of
Ordinances / Organizational Act Section 10A - Independent Internal Audit. Government
Auditing Standards (GAS) also known as the "Yellow Book" promulgated by the
Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
The Quality Control Review Process applies to the work of all OIIA employees and is
designed to ensure work performed on all OIIA projects is consistent with the standards
recommended by GAGAS and OIIA policies and procedures. All documentation of
compliance with OIIA policies and procedures and audit standards should be
maintained according to the County's retention guidelines as outlined in Procedure 7.03,
Workpaper Retention, to enable those performing monitoring procedures and peer
reviews.
Quality Review Process:
I. Introduction
This procedure applies to all working papers and reporting products prepared by OIIA
audit staff. Comprehensive review of working papers and report drafts is one of the
most important quality controls and is an integral part of producing a quality product.
Each staff member associated with an engagement, at all levels within the OIIA, is
responsible for preparing quality products.
Key control steps and deliverables have been identified in the process. These steps
are:
• Project Initiation and Administration.
• Audit Planning.
• Audit Fieldwork.
• Communicating Results.
The quality control review is initiated after the fieldwork phase prior to the exit
conference and is finalized after the final report is issued. The quality control review is
documented within TeamMate using the Quality Control Checklist.
II. Working Paper / Report Review
Working papers and draft products shall be reviewed by the Lead Auditor, personnel
of equal or higher experience, and/or the Audit Manager. The reviewer shall ensure
the working papers comply with GAGAS standards and OIIA policies and procedures.
The purpose of the review is to ensure:
• Accuracy.
• Reasonableness of performance (i.e., were steps performed correctly?).
• Reasonableness of judgments.
• Completeness of steps.
• Recording and validation of exceptions.
• Questions are answered.
• Issues are resolved.
• Inappropriate generalizations and/or extrapolations are avoided.
Working papers should provide a reasonable basis for conclusions. Therefore,
evidence in working papers should be sufficient, competent, and relevant.
The reviewer is expected to:
• Give an appraisal about the overall performance of the working papers and/or
product.
• Explain what should be done to correct the working papers and/or product.
• Use the review to develop staff.
• Start and end on a positive note.
The reviewer should:
• Focus on quality and not quantity.
• Avoid comparing the work of one auditor to that of another - audit work
should be reviewed objectively on its own merits and deficiencies.
• Evaluate the work against established standards and practices.
• Give appropriate compliments/criticism openly, honestly, and timely.
• Document work that needs to be completed or corrected - the reviewer
should not complete or correct the work of the auditor.
• Verify that review notes are appropriately addressed before signing off on
the working paper(s).
The frequency and nature of management's review will depend on the experience
levels of staff as well as the complexity and anticipated duration of the engagement.
The manager of each engagement should conduct informal status meetings with the
staff. These status meetings are used to maintain appropriate supervisory review of
the engagement and the working papers. The status meeting notes constitute
evidence of engagement supervision and review required by professional standards.
Reviews of the working papers and draft products must be documented by each
reviewer to ensure communication with staff, and compliance with supervision and
review requirements. Reviews should be performed and documented periodically
throughout the engagement, not just during the final review.
Review notes should be positive in tone, clear, and include instructions needed to
make corrections. In general, four methods are acceptable:
1. Prepare review notes in a single document.
2. Prepare review notes in individual work papers using embedded comments.
3. Prepare handwritten notes. This method is least acceptable but may be
used if circumstances dictate.
4. Prepare notes in TeamMate for auditors to address in the workpapers or
respond to in the workpapers.
Auditors shall address and respond to all review notes. In some cases, an
appropriate action is to respond with "Noted." All review note responses shall
include the auditor's initials and the date the review note was addressed. It is
essential that the reviewer follow up on all review notes to make sure changes are
appropriate and adequate. Once this step is complete, the reviewer should
sign-off/approve the working papers and/or product.
The lead auditor's and manager's review of working papers is documented in the
form of review notes (as discussed above). If the review of working papers took
place during a status meeting, the manager will prepare a "Note to the File"
documenting the extent of the review. This review includes the working papers,
draft release, distribution list and final report.
III. Quality Control Review
Quality control review is a mandatory engagement program step of the Reporting
phase. A quality control review is conducted to ensure:
• The objectives of the assignment were achieved.
• The conclusions expressed are consistent with the results of the work
performed.
• The work was performed according to professional standards and OIIA
requirements.
• The work performed and the results obtained are adequately documented
and support the auditor's opinion.
• All significant matters were resolved.
This review should be performed prior to completing the draft report. The manager
will decide who will conduct the quality control review based on the engagement
scope and complexity, staff experience level, and workload. For engagements that
result in an audit report or advisory memorandum, the audit report will be reviewed
by an audit manager who is not involved in the audit project.
The working papers and the report may be submitted for quality control review by
another senior auditor if the findings and recommendations are complex and need
another detailed review to verify the findings and recommendations are supported.
IV. Product Review Objectives
The manager is responsible for reviewing end products, including all working
papers. For complex audit engagements or findings, the CAE will instruct another
manager unassigned to the project to review crucial audit documentation. The
objectives of product reviews are to ensure that:
• Products are accurate, objective, clear, concise, constructive, complete,
convincing, and timely.
• Products are in proper format and comply with GAGAS audit standards
and OIIA policies and procedures.
• All elements of an audit finding (condition, criteria, cause, effect and
recommendation (if applicable)) are present for each finding.
• The working papers fully support the findings.
• The working papers and report or memorandum meet GAGAS
professional standards.
V. Chief Audit Executive Review
The Chief Audit Executive will review all significant work products. The results of
the quality control and product review will be completed prior to the CAE review
and the documentation of the results of these reviews should accompany the
request for the CAE review. The CAE's review includes approval of the draft
release, distribution list, and final report. This review will typically be confined to
the report, as working paper issues should be resolved by this point.
Chapter 5
Procedure 5.05 - Annual Internal Quality Assurance Self-Assessment
Subject: Quality Assurance
Procedure Number: 5.05
References: House Bill 599 (2015 Ga. Laws 3826); DeKalb County, Georgia - Code of Ordinances / Organizational Act; GAS 5.01-5.59, Quality Control and Assurance
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended:
Purpose:
To ensure the Office of Independent Internal Audit (OIIA) is operating in compliance
with professional standards, laws, codes, ordinances, and OIIA policies and procedures.
Authority:
House Bill 599 (2015 Ga. Laws 3826) enacted by the Georgia General Assembly signed
into Law on May 12, 2015, and incorporated into DeKalb County, Georgia - Code of
Ordinances / Organizational Act Section 10A - Independent Internal Audit. Government
Auditing Standards (GAS) also known as the "Yellow Book" promulgated by the
Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
This procedure is performed on an annual basis and applies to all audits and reviews
performed by the OIIA. In addition, this procedure applies to administrative functions of
the OIIA.
Annual Internal Quality Assurance Self-Assessment:
I. Introduction
The OIIA is dedicated to the performance of the highest quality work in fulfilling its
responsibilities. To ensure a high level of quality is maintained, a quality assurance
program will be followed. This program includes the following:
• A system of quality control emphasizing high quality work and providing
reasonable assurance of compliance with professional standards and
applicable legal and regulatory requirements. The Chief Audit Executive
(CAE) is responsible for ensuring the quality of audits and other engagements
and for ensuring staff is knowledgeable about the OIIA's policies and
procedures relating to quality.
• Quality control reviews of each assignment by appropriate levels of staff and
management.
• Internal quality assurance reviews of audit reports, working papers, office
administration and operational activities performed by personnel within the
OIIA.
• The audit activities of the OIIA shall be subject to a peer review in accordance
with applicable government auditing standards by a professional, nonpartisan
objective group utilizing guidelines endorsed by the Association of Local
Government Auditors (ALGA).
The quality control review process is detailed in "Procedure 5.04 - Quality Review
Process" of the OIIA Procedure Manual.
II. Annual Internal Quality Assurance Self-Assessment Program
Annually, the OIIA will conduct an Internal Quality Assessment utilizing tools from the
Peer Review Guide issued by the Association of Local Government Auditors. These
reviews are conducted to:
• Ensure compliance with GAS standards and OIIA policies and procedures.
• Evaluate the use of audit tools and assignment methodology.
• Provide recommendations for improving OIIA functions.
• Provide insight into the level of effectiveness and efficiency.
• Prepare the OIIA for the external peer review.
A. Ongoing assessments are conducted through:
1. The use of checklists to assist the reviewer in determining whether processes
adopted by the audit activity (e.g., as documented in OIIA's Policies and
Procedures Manual) are being followed;
2. Feedback from audit customers and other stakeholders;
3. Quality control reviews of each engagement;
B. Annual internal assessments are conducted using a program based on the
Association of Local Government Auditors Peer Review Guide. This program
has been loaded into TeamMate.
1. The CAE will select a manager to complete the self-assessment;
2. The manager will select audits to include in the assessment that were not
under their management;
3. A draft report will be prepared with the results of the assessment and this
report will be distributed to the CAE for a response. Once the CAE prepares
a response the final report will be distributed to the:
a. Chief Audit Executive
b. Audit Oversight Committee
C. The OIIA will obtain an independent assessment (peer review) every three years
(See procedure 5.06, Peer Review). The CAE will schedule and arrange the
review and ensure results are communicated to the:
1. Chief Audit Executive
2. Audit Oversight Committee
3. Board of County Commissioners
4. OIIA staff
Chapter 5
Procedure 5.06 - Peer Review
Subject: Quality Assurance
Procedure Number: 5.06
References: House Bill 599 (2015 Ga. Laws 3826); DeKalb County, Georgia - Code of Ordinances / Organizational Act; GAS, Quality Control and Peer Review
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended:
Purpose:
The peer review is performed to get an independent assessment of whether OIIA's
internal quality control system is adequately designed and was followed over a defined
period to provide reasonable assurance that its work complied with GAS.
Authority:
House Bill 599 (2015 Ga. Laws 3826) enacted by the Georgia General Assembly signed
into Law on May 12, 2015, and incorporated into DeKalb County, Georgia - Code of
Ordinances / Organizational Act Section 10A - Independent Internal Audit. Government
Auditing Standards (GAS) also known as the "Yellow Book" promulgated by the
Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
Peer reviews apply to all OIIA audit activities and the system of quality control followed
by employees during engagements. They provide an opportunity to obtain constructive
feedback from other audit professionals on practices that are functioning well and
opportunities for improvement.
Peer Review:
The audit activities of the Office of Independent Internal Audit shall be subject to a peer
review in accordance with applicable government auditing standards by a professional,
nonpartisan objective group utilizing guidelines endorsed by the Association of Local
Government Auditors (ALGA).
The peer review will use applicable government auditing standards to evaluate the
quality of audit effort and reporting. Specific quality review areas include staff
qualifications, adequacy of planning and supervision, sufficiency of work paper
preparation and evidence, and the adequacy of systems for reviewing internal controls,
fraud and abuse, program compliance, and automated systems. The peer review also
assesses the content, presentation, form, timeliness, and distribution of audit reports.
The Commission will pay for the costs of the peer review.
The peer review should be sufficient in scope to provide a reasonable basis for
determining whether, for the period under review, (1) OIIA's system of quality control
was suitably designed and (2) OIIA is complying with its quality control system so that it
has reasonable assurance that it is performing and reporting in conformity with
professional standards and applicable legal and regulatory requirements in all material
respects.
A copy of the written report of such independent review will be furnished to the:
1. Audit Oversight Committee
2. Board of County Commissioners
3. Chief Audit Executive
4. OIIA Staff
The CAE is responsible for scheduling and arranging the review and communicating
results to the Audit Oversight Committee and Board of County Commissioners.
Reviewers will be provided full access to documents and staff needed to conduct the
review.
OIIA will carefully review the opportunities for improvement with the peer review team
and take steps to correct deficiencies in a timely manner.
The CAE strongly encourages the audit staff to obtain the appropriate training and to
participate in peer reviews of other organizations.
Chapter 5
Procedure 5.07 - Project Completion & Closeout
Purpose:
The project closeout is to prepare working papers for archiving and to provide a
mechanism to monitor whether our quality control procedures are being effectively
applied in each engagement to reasonably assure compliance with GAS.
Authority:
House Bill 599 (2015 Ga. Laws 3826) enacted by the Georgia General Assembly signed
into Law on May 12, 2015, and incorporated into DeKalb County, Georgia - Code of
Ordinances / Organizational Act Section 10A - Independent Internal Audit. Government
Auditing Standards (GAS) also known as the "Yellow Book" promulgated by the
Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
This procedure applies to project completion and finalization and supplements ongoing
monitoring.
Subject: Quality Assurance
Procedure Number: 5.07
References: House Bill 599 (2015 Ga. Laws 3826); DeKalb County, Georgia - Code of
Ordinances / Organizational Act; GAS 3.82b, 3.96-3.104, Quality Control
and Assurance
Issue Date: 08/24/2017
Effective: 08/24/2017
Approved: John L. Greene, Chief Audit Executive
Amended: 05/17/2019
Project Closeout:
I. Introduction
Project closeout checklists provide the basis, along with post-project evaluations, to
annually review and assess our quality assurance system to identify opportunities for
improvement.
II. Project closeout checklist
The audit manager is responsible for completing or delegating completion of the project
closeout checklist using the Project Closeout Checklist template 5.07-A. The Lead
Auditor should complete the checklist as part of preparing post-project evaluations (see
Procedure 5.02 Post-Project Evaluation). The completed checklist is reviewed/signed-off
by the project manager.
The checklist summarizes GAS requirements and our procedures for meeting
requirements. The team auditor should link to workpapers where applicable to
document that the team followed the procedure in conducting the audit. Note that not
all our procedures will have documentation within the workpaper files - some records,
such as the CPE log and annual financial disclosures, are maintained centrally. Some
documents will only be applicable in certain cases, such as when the team identifies
indicators of potential fraud during the course of audit work.
The audit manager assesses whether the team followed our procedure, didn't follow
the procedure, or whether the procedure was not applicable to the engagement, and
provides explanatory comments, particularly when the procedure wasn't followed.
One of the audit managers not assigned to the project should review the completed
checklist within 4 weeks of an audit's public release.
The completed Project Closeout Checklist should be uploaded to the related step in
the project Reporting & Wrap-up program group in TeamMate.
If we find a significant error after the report is released, we will assess the impact of
the error on the overall report with the CAE and Audit Oversight Committee to
determine how to correct the report. We will follow the same report distribution
policies with a correction or revision as we did with the initial report.
Project Finalization (TeamMate):
I. Introduction
Project finalization occurs when the fieldwork and final reports have been issued.
TeamMate EWP contains a finalization process that checks each procedure step,
procedure summary, exception, supporting workpaper, and coaching notes for
preparation and review sign-offs.
Note: Prior to finalization, the Audit Manager must review the 'Sign-off Status' to
ensure that all procedures, schedules, and coaching notes have been signed-off as
prepared and reviewed. It is also OIIA policy to discontinue finalization if, during the
finalization process, TeamMate detects any of the following:
• Procedure steps not signed-off as prepared or reviewed.
• Work papers not signed-off as prepared and/or reviewed.
• Exceptions not signed-off as prepared and reviewed.
• Coaching notes not addressed and cleared.
As a policy, coaching notes are not deleted during finalization of OIIA projects.
The finalization process converts all team roles to read-only status. Only a team
member with Reviewer rights, at a minimum, can perform the finalization process. In
the unlikely event that changes to the project file are required after finalization,
TeamMate also creates an emergency back-up copy of the master file that can be
restored.
As a first step, the project "Milestones" under the EWP "Home" tab should be updated to
reflect actual dates.
The project 'Status' under the "Home" tab in EWP will be updated as follows; no steps
should be skipped:
• Post Fieldwork (Draft Report) - the project file will be scanned to verify that all
schedules and procedures have been signed-off and coaching notes do not
remain open. If schedules and procedures are not signed-off, or coaching notes
remain open, a warning will be displayed listing the items not meeting the scan
criteria. The preparer must stop at this point and address any identified issues
before proceeding.
• Responses Accepted - set the actual date for this status.
• Issued (Final Report) - set the actual date for this status. This also changes the
entire project to read-only status. All issues are included in TeamCentral reports
but are not yet released to TeamCentral Implementation Tracking.
• Implementation Tracking (Released to TeamCentral) - the project status is set to
Implementation Tracking, and the project is sent to/available in TeamCentral.
II. TeamStore Sharing (Optional - requires Manager/CAE Approval Only)
TeamMate can help to promote consistency and improve efficiencies by allowing you to
share information between teams and projects. If approved by the Manager and CAE,
Work Programs, Work Papers, Issues, Risks and Controls can be made available
for use by other teams and projects. This is done through the TeamStore.
To send to TeamStore:
1. Go to the Review ribbon | TeamStore Sharing panel and then select Send
Programs, Send Work Papers, Send Issues, Send Risks or Send Controls.
2. Complete the selections in the TeamStore Send Wizard. You can select All or
include only the items you need. Click Next to page through the options.
3. Select the Destination.
4. Select the replace Options at the bottom of the page and then click Finish.
5. This places the information in a 'holding cabinet', which is later reviewed by the
Project Manager/CAE. Once items have been reviewed and approved, they are
moved to the current database (OIIA Team Store).
Chapter 5
Procedure 5.08 - Post Engagement Client Survey
Purpose:
The post client survey is intended to solicit client feedback on the performance of
the audit, the value of the audit report, and client engagement and interaction. The
results of the survey should be considered, and action plans developed to address
identified areas of improvement for the OIIA.
Authority:
House Bill 599 (2015 Ga. Laws 3826) enacted by the Georgia General Assembly signed
into Law on May 12, 2015, and incorporated into DeKalb County, Georgia - Code of
Ordinances / Organizational Act Section 10A - Independent Internal Audit. Government
Auditing Standards (GAS) also known as the "Yellow Book" promulgated by the
Comptroller General of the United States and published by the United States
Government Accountability Office.
Applicability:
This procedure supports on-going performance monitoring and improvement. Each
member of the OIIA plays a role in ensuring quality.
Subject: Quality Assurance
Procedure Number: 5.08
References: House Bill 599 (2015 Ga. Laws 3826); DeKalb County, Georgia - Code of
Ordinances / Organizational Act; GAS 3.85f, 3.93-3.95, Quality Control and
Assurance
Issue Date:
Effective:
Approved: John L. Greene, Chief Audit Executive
Amended:
Post Engagement Client Survey (TeamMate):
I. Introduction
After the project is complete and the final report is issued, a Post Audit Client Survey
should be administered to the key contact(s) engaged during the audit to solicit their
feedback on their experience during the audit and suggestions for improvement.
II. Administering the Survey
The survey should be sent after the final report is issued but before the project
completion and close out step and before the project is finalized and sent to Team
Central. The following steps should be performed by the auditor in charge of the
project:
1. From within the TeamMate EWP module, select the "Review" tab/ribbon.
2. Select the Survey Manager button; from the Survey Manager pop-up window,
select the "Create Survey" button and select the available Post Client Survey with title:
"OIIA Post Engagement Client Survey".
3. The default end date is 14 days from the date the survey is created. This
should be adjusted as needed.
4. Select project contacts to receive survey.
5. Click "Next", review details then click "Publish".
Note: Next complete the "Audit Satisfaction Survey" procedure under the Reporting and
Wrap-up Program group in EWP. Enter the date the survey was sent and estimated end
date. The Audit Manager is responsible for verifying that the survey has been sent to the
client before approving the step. All surveys sent can be verified in the Team Central module.
Important - to increase survey responses, the client should be informed, at least during
the exit conference, that they will receive a post engagement survey and of the importance
of completing it. After the survey is sent, the client should be followed up with to confirm
receipt and address any questions or issues the client may have.
III. View/Access Survey Results
Survey results are reported/recorded in the Team Central Module. Open Team Central
and click "Survey" from menu. Locate the survey with project title and open.
The CAE, Managers and project staff can view survey results; however, the survey
results cannot be edited and should never be deleted.
Note: There is no automatic notification for receipt of survey results. The auditor should
make periodic checks in Team Central.
IV. Survey Result Impact / Action Plans
The CAE has primary responsibility for reviewing the survey. The project manager also
reviews results and should meet with the CAE and project team members to review
results and identify areas for improvement. A comprehensive log of areas of improvement
identified across projects should be maintained by the CAE with support from
managers. Action plans should be put in place to address issues as needed.
At least annually the CAE should review the log of survey identified opportunities to
identify issues/themes common across projects/teams. Action plans should be
developed to address systemic issues as necessary, which may require staff
(re)training, clarification of OIIA manual, etc.
Chapter 6
Reviewed by John Greene on 6/2/20
Procedure 6.01 - Audit Follow-Up (Monitoring Progress of disposition of
Audit Results) and Reporting
Purpose:
The CAE establishes a follow-up process to monitor and ensure that management actions
have been effectively implemented or that senior management has accepted the risk of
not taking action. The follow-up process is conducted as "Other Services Provided by
Government Audit Organizations" that provides independent verification of the
implementation status of management action plans outlined in the management response
to the audit report.
When the CAE concludes that management has accepted a level of risk that may be
unacceptable to the organization, the CAE will report the matter with senior management.
If the CAE determines that the matter has not been resolved satisfactorily, the CAE must
communicate the matter to the Audit Oversight Committee, the CEO, and the Board of
County Commissioners.
Authority:
House Bill 599 (2015 Ga. Laws 3826) enacted by the Georgia General Assembly signed
into Law on May 12, 2015, and incorporated into DeKalb County, Georgia - Code of
Ordinances / Organizational Act Section 10A - Independent Internal Audit. Government
Auditing Standards (GAS) also known as the "Yellow Book" promulgated by the
Comptroller General of the United States and published by the United States Government
Accountability Office.
Subject: Audit Follow-up
Procedure Number: 6.01
References: House Bill 599 (2015 Ga. Laws 3826); DeKalb County, Georgia - Code of
Ordinances / Organizational Act; GAS 3.72, Other Services Provided by
Government Audit Organizations
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended: 06/02/2020
Applicability:
Following up on the status of audit recommendations and management action plans
documented in management's response to the audit report helps ensure that
management has taken effective action to address significant risks to the organization.
While the resolution of the risk is not the responsibility of the CAE, the audit
organization should identify the risk accepted by management through monitoring
progress on actions taken by management to address prior audit findings and
recommendations.
Audit Follow-Up and Reporting:
I. Introduction
One of the OIIA duties under House Bill 599 (2015 Ga. Laws 3826) enacted by the
Georgia General Assembly signed into Law on May 12, 2015, and incorporated into
DeKalb County, Georgia - Code of Ordinances / Organizational Act Section 10A -
Independent Internal Audit, is that the CAE shall submit an annual report to the Audit
Oversight Committee, Chief Executive, and the Commission indicating audits
completed, major findings, corrective actions taken by administrative managers, and
significant issues which have not been fully addressed by management. The annual
report, in written or some other retrievable form, shall be made available to the public
through the county website within ten days of submission to the Commission.
The OIIA has developed a database to track internal audit reports, recommendations,
and management action plans outlined in their response. The TeamMate Central
system contains:
• Audit report titles.
• Recommendations and owners.
• Management responses and action plans.
• Target and actual implementation dates.
• Follow-up plans.
• Implementation status (Implemented/Partially Implemented/Not Implemented/In
Progress/Follow-up Pending/No Verification).
• Follow-up status (Open/Closed).
• Analysis.
• Future notes.
• Next follow-up.
• Type of risk.
• Level of management agreement.
II. Follow-up and Reporting
The CAE has developed a dashboard to fulfill the HB 599 annual reporting requirement. The
dashboard contains data on implementation status, follow-up status, management
agreement, and aging. Additionally, a downloadable spreadsheet contains analysis
about each recommendation and the CAE maintains a spreadsheet about the findings
and the status of reporting on them.
Audit staff should become familiar with the follow-up database - TeamMate
Implementation Tracking. The TeamMate Central Implementation Tracking database
instructions document is available in TeamMate by pressing "F1" while in
TeamMate Central.
These procedures supplement the technical instructions to summarize auditors'
responsibilities for entering information into the database and how the information will be
used.
III. Updating the Database and Communicating Follow-Up Schedule to Auditee
Management When Reports are Issued
During the course of the audit, the audit team will request the estimated timeline for
management to complete the action plan documented in the response. The audit
follow-up will be scheduled based on the timeline management has indicated. If the
audit manager believes this date is unreasonable, it will be brought to the attention of
the CAE and discussed with management to determine the final follow-up date. The
final follow-up date determined by the CAE and the audit manager will be
communicated to management before the final report is issued. The audit lead is
responsible for entering the required data into the database within one week after the
report is issued.
The normal monitoring process for audits will follow the schedule outlined below:
1. Twelve months after the report is issued or immediately after the anticipated
completion date supplied in management's response, communication will be
initiated with the program area to identify the status of the management action
plans included in the management response. This may be done by sending an
email with the spreadsheet where management will provide the status of the
management action plan. (See Follow-up OIIA Audit Findings Status Update
Form)
2. The auditor should request all documentation which supports the current status of
the management action plan. This information will be used to verify the information
provided by management in the status update. The CAE will issue a report on the
status of the recommendation to the auditee, CEO and BOC and post it on the OIIA
website.
3. If management action plans are still open after the second follow-up (24 months),
the audit lead will notify the audit manager; the audit manager and the CAE will
evaluate the situation and conclude regarding additional follow-ups.
4. If the CAE concludes that the issue will most likely not be resolved, a report
communicating the status of the findings and that management has accepted the
risk of the unresolved findings will be issued. The report will be distributed to
senior management, the Audit Oversight Committee, and the Board of
Commissioners.
As an example, if a report is issued in March, the twelve-month follow-up process will
be scheduled for the beginning of April. Once the follow-up work is complete, the CAE
will issue a report to management, CEO, BOC, and AOC regarding the status of each
finding. If there are management action plans that are still outstanding after 24
months, the CAE will determine whether to perform additional follow-ups or report that
management has accepted the risk associated with the open action plans.
The audit team is responsible for communicating the follow-up schedule to the auditee
at the completion of the audit, documenting work to determine the implementation
status and follow-up status, and summarizing auditor analysis of the recommendations.
If the management action plans remain open, the audit team is responsible for
updating management intent, future notes, and next follow-up date. The audit
manager and CAE are responsible for documenting approval of the implementation
status and follow-up status.
The audit team is responsible for completing the follow-up communications template
and submitting it to the CAE. The CAE is responsible for reviewing the
communication and sending it to management.
The audit team is responsible for updating the follow-up sections under management
data and auditor data within one week after the CAE communicates the results to
management.
Chapter 7
Procedure 7.01 - Open Record Requests
Purpose:
Comply with Georgia Open Records Act to support transparent, accountable
government.
Authority:
Government Auditing Standards (GAS) also known as the "Yellow Book" promulgated
by the Comptroller General of the United States and published by the United States
Government Accountability Office and Georgia Open Records Act.
Applicability:
Audit workpapers for completed projects generally meet the definition of a public record
open to the public for inspection.
Open Record Requests:
I. Introduction
Workpapers sometimes contain information that is specifically exempted from the
open records act, such as social security numbers, an individual's medical history,
bank account numbers, information related to pending investigations, information
related to pending real estate acquisitions, cost estimates or bids prior to the final
award, and privileged attorney-client communications.
Subject: Record Retention
Procedure Number: 7.01
References: GAS 5.06; GAS 6.36; Georgia Open Records Act
Issue Date: 08/24/2017
Effective: 08/24/2017
Approved: John L. Greene, Chief Audit Executive
Amended: 05/17/2019
Audit staff should be familiar with the general requirements of the Georgia Open
Records Act. All requests for copies of workpapers should be directed to the CAE or
Audit Manager for guidance on how to respond. We will seek guidance from the Audit
Oversight Committee Attorney to ensure that we fully comply and only release
allowable information.
When requested workpapers contain information exempted from the Georgia Open
Records Act, audit staff will copy the document(s) containing exempted information,
redact the exempted information, and substitute the redacted copy for the original
copy in the workpapers. The original copy of the documents will be moved to a
separate file and retained. The working paper index should be annotated to indicate
which documents have had information redacted from them.
Audit staff is responsible for coordinating with their audit manager to estimate the cost
of searching, retrieving, and copying documents and providing that information to their
audit manager or CAE for communication to the requestor prior to fulfilling the request.
The administrative assistant will prepare an invoice for the allowable charges to the
requestor and will provide copies of the requested working papers to the requestor
after receiving approval for their release from the CAE or Audit Manager.
The act does not require requestors to make their request in writing or to mention the
Georgia Open Records Act. It is preferable to get the request in writing to avoid
misunderstanding.
The act does not require agencies to summarize, compile or produce reports or
information not in existence at the time of the request or to provide access to
computer systems or programs.
II. Key Parts of the Georgia Open Records Act
Broad definition of public record. The act defines 'public record' to mean all
documents, papers, letters, maps, books, tapes, photographs, computer based or
generated information, or similar material prepared and maintained or received in the
course of the operation of a public office or agency. O.C.G.A. § 50-18-70 (a).
Narrow interpretation of exemptions. Exemptions are interpreted narrowly so as to
exclude from disclosure only that portion of a public record to which an exclusion is
directly applicable. The agency having custody of a record is required to provide all
other portions of a record for public inspection or copying. O.C.G.A. § 50-18-72 (g).
Three business days to respond to the request. The individual in control of such
public record or records shall have a reasonable amount of time to determine whether
or not the record or records requested are subject to access under this article and to
permit inspection and copying. In no event shall this time exceed three business
days. O.C.G.A. § 50-18-70 (f). If records exist and are subject to production, but
cannot be made available within three (3) business days, the OIIA will respond in
writing to the Open Records Act Requestor within three (3) business days, describing
the responsive records and communicating a timeframe for their availability.
Agency can recover direct costs of complying with the request. Any agency
receiving a request for public records shall be required to notify the party making the
request of the estimated cost of the copying, search, retrieval, and other administrative
fees authorized by Code Section 50-18-71 as a condition of compliance with the
provisions of this article prior to fulfilling the request as a condition for the assessment
of any fee. O.C.G.A. § 50-18-71.2.
(c) Where no fee is otherwise provided by law, the agency may charge and collect a
uniform copying fee not to exceed 25 cents per page.
(d) In addition, a reasonable charge may be collected for search, retrieval, and other
direct administrative costs for complying with a request under this Code section. The
hourly charge shall not exceed the salary of the lowest paid full-time employee who, in
the discretion of the custodian of the records, has the necessary skill and training to
perform the request; provided, however, that no charge shall be made for the first
quarter hour.
(e) An agency shall utilize the most economical means available for providing copies
of public records.
(f) Where information requested is maintained by computer, an agency may charge
the public its actual cost of a computer disk or tape onto which the information is
transferred and may charge for the administrative time involved as set forth in
subsection (d) of this Code section. O.C.G.A. § 50-18-71.
OPEN RECORDS REQUEST SAMPLE LETTERS 7.01.01 should be used when
responding to Open Records Request.
Y:\OPEN RECORDS REQUEST\GENERAL INFO\Open Records Requests - Sample Letters_7.0l.01
Chapter 7
Procedure 7.02 - Workpaper Retention
Purpose:
Comply with State and county regulations regarding record retention and "Yellow Book"
requirements.
Authority:
Georgia Records Retention Schedule and the Government Auditing Standards (GAS)
also known as the "Yellow Book" promulgated by the Comptroller General of the United
States and published by the United States Government Accountability Office.
Applicability:
Applies to all audit reports and audit workpaper files. We retain completed audit reports
permanently and we retain workpaper files for 5 years or two successive audits,
whichever is longer, as required by state regulation.
Subject: Record Retention
Procedure Number: 7.02
References: Georgia Open Records Retention Schedule; GAS 5.46
Issue Date: 08/24/2017
Effective: 08/24/2017
Approved: John L. Greene, Chief Audit Executive
Amended: 06/12/2020
Workpaper Retention:
I. Introduction
The audit organization should establish policies and procedures that require retention
of engagement documentation for a period of time sufficient to permit those
performing monitoring procedures and peer review of the organization to evaluate its
compliance with its system of quality control or for a longer period if required by law or
regulation. [1]
The Office of Independent Internal Audit must comply with State laws and county
ordinances regarding record retention. Audit workpapers meet the definition of
records that must be retained for at least 7 years.
Internal Auditing Records
Description: Records documenting the conduct of an internal review of agency
financial accounts and processes
Retention Period: 5 years or two successive audits, whichever is longer
Source: LG-08-003 - Internal Auditing Records
Date: Updated October 20, 2016
Source: Georgia Archives-University System of Georgia retention schedule for local government records
Workpaper retention should consider changes made in the original operating system,
other software, and hardware to ensure the continued retrievability of electronic
working papers throughout the retention cycle.
II. Records Retention
The office Administrative Assistant serves as the OIIA records officer and is
responsible for creating and updating an annual inventory of the department/unit's
records; developing and maintaining a current retention schedule for the
department/unit's records; working with the Finance- Risk Management, Records
Manager to ensure the appropriate and timely transfer of OIIA records to the DeKalb
County Records Center; and working with the Records Manager to ensure OIIA
records are maintained and ultimately destroyed in accordance with the approved
departmental retention schedules. The Administrative Assistant keeps an inventory of
records stored on and off site and prepares the necessary forms for transferring,
retrieving, and disposing of records.
The Administrative Assistant prepares the boxes for transfer to the Records Center,
numbering the boxes consecutively with a felt tip marker starting with the number 1 for
the first cardboard storage carton in each shipment and noting the contents on the
Records Transfer Form. The number should be written in the upper right-hand corner
of the small end of the cardboard storage carton.
III. Finalization - Archiving of electronic files (Teammate EWP)
Once a project is completed, the file can be cleaned up by finalizing the project.
Finalizing the Project. The Finalize process prepares the project file for archiving
purposes. It is not a mandatory process. Project files should only be finalized when
the work has been completed and no more changes are necessary, as once the
project file has been finalized it will be marked as Read Only to everybody - regardless
of their role.
[1] GAS 5.46
The Finalization process:
• Checks the status of work papers and schedules.
• Provides the option to remove Review Notes. - Select to keep.
• Provides the option to remove Edit Histories of work papers. - Select to keep.
• Makes the project file 'Read-Only'.
• Marks the project file as 'Finalized'.
Our policy is to not remove review notes and edit histories of work papers.
The Finalize Wizard will guide you through the multi-step process. The wizard
performs a number of checks on the project and, depending on the policies set, allows
the finalization process to continue or not continue.
To Finalize a project, go to the Review ribbon | Wrap-up panel and select Finalize.
NOTE: In TeamMate Explorer, a checkered flag next to the status indicates the
Project is Finalized. In addition, Finalized/Archived projects are in a read only state.
No changes can or should be made to the project at this point.
Office of Independent Internal Audit
Audit Function Procedures Manual | Chapter 8
Procedure 8.01 - Recruiting and Professional Development
Purpose:
Establish a process for recruitment, hiring, continuous development, and evaluation of
personnel so that the Office of Independent Internal Audit (OIIA) has the essential
knowledge, skills, and abilities necessary to conduct engagements.
Authority:
House Bill 599 (2015 Ga. Laws 3826), enacted by the Georgia General Assembly and signed
into law on May 12, 2015; Human Resources and Merit System Policies and Procedures;
and the Government Auditing Standards (GAS): GAS 4.04 Competence and GAS 5.15-5.19
Human Resources.
Applicability:
Professional Development procedures apply to hiring, recruiting, and development of OIIA
staff.
Subject: General Administrative
Procedure Number: 8.01
References: House Bill 599 (2015 Ga. Laws 3826); DeKalb County, Georgia - Code of
Ordinance/Organizational Act Section 100A-Independent Internal Audit; Human Resources
and Merit System Policies and Procedures; GAS 4.04 Competence, 5.15-5.19 Human Resources
Issue Date: 03/10/2021 | Effective: 03/09/2021
Approved: John L. Greene, Chief Audit Executive
Amended:
Hiring and Recruiting:
I. Introduction
When the Office of Independent Internal Audit has a vacancy, we follow DeKalb
County's Human Resources and Merit System Department (Human Resources) recruiting
and hiring guidelines.
II. Recruiting
To recruit qualified candidates, OIIA's administrative assistant or the manager creates a
requisition in Taleo. Taleo is an applicant tracking system that DeKalb County
Government utilizes to recruit and hire prospective employees. Once the requisition has
been created, an email notification is sent to each person listed as an approver. After all
approvals have been accepted, the Human Resources Generalist assigned to OIIA will
open the Requisition and post it to DeKalb County's Human Resources' website and
external career sites. In some cases, positions may be posted to the Institute of Internal
Auditors (IIA), IIA-Atlanta Chapter and/or Information Systems Audit and Control
Association (ISACA) websites. Positions are advertised with a variety of educational and
professional organizations. The Internal Auditor Series 8.01.01, Internal Audit Manager
Series 8.01.02 and Chief Audit Executive 8.01.03 job specifications are located under
OIIA's shared drive.
III. Hiring
The Chief Audit Executive (CAE) designates a hiring panel for each open position that
generally consists of members from the management team and sometimes one other
senior employee. The Manager and administrative assistant are responsible for
coordinating hiring efforts and ensuring that OIIA follows all applicable County policies
and retaining appropriate documentation. The designated hiring panel is responsible for
screening candidates, conducting interviews, and identifying finalists to be interviewed by
the CAE. The CAE is responsible for the final decision on all hiring.
Employee Orientation
I. Introduction
All new employees shall receive orientation specific to the OIIA.
II. Employee Orientation
1) The CAE, Managers, and Administrative Assistant should utilize the New Employee
Checklist prior to the new employee start date to ensure a smooth transition into the
office.
2) Prior to the new employee's start date, the Manager will consult with the CAE to
assign a mentor for the new employee.
3) The new employee is required to attend the following:
1. Countywide Orientation:
The DeKalb County new employee orientation is conducted by Human
Resources and is typically provided on the first day of employment for regular
status employees. DeKalb County new employee orientation is not necessary if
the new employee is already a County employee (i.e., has
transferred to the office from another department). In addition to countywide
orientation, each new employee should also participate in County Ethics training
within 90 days of countywide orientation.
2. Office Orientation:
Timing will vary depending upon office priorities, but orientation should begin and
end within a reasonable timeframe related to the employee's start date. The level
of training will be tailored to the individual depending on the new employee's
previous experience.
Orientation will occur in two phases:
First, the new employee will be onboarded beginning on the second day of
employment and will be required to complete the tasks on the Welcome Letter and
Onboarding Checklist 8.01.04 and New Employee Checklist 8.01.05. The new
employee and their assigned Manager should meet to discuss the materials in this
folder. Completion of all tasks will likely take 1-3 weeks.
Second, the new employee will be required to complete the OIIA New Employee
Training which lasts approximately 8 weeks. OIIA New Employee Training is
mandatory and usually held once per week. Below are the class topics that make
up the program:
i. Introduction to Auditing
ii. Auditing Standards
iii. DeKalb County Board of Commissioners (BOC), Clerk to the CEO and BOC
iv. DeKalb County Organizational Chart
v. Key County Departments (CEO, Finance, Human Resources, Watershed
Management)
vi. Audit Oversight Committee
vii. OIIA Basics (Organizational Act-Independent Internal Audit, Charter, etc.)
viii. OIIA Procedures Overview
ix. Audit Process Overview
x. Planning and Risk Assessment
xi. Audit Fieldwork (Methods)
xii. Audit Findings and Reporting
TeamMate
xiii. Audit Tools and Techniques
Upon hiring, as part of the onboarding activities described above, each new
employee should review the OIIA Procedures Manual and Government Auditing
Standards on impairments to independence and discuss any potential impairments
with their assigned manager. The employee should ensure that any impairments
identified are communicated to the CAE and Manager in writing for consideration in
project assignments. In addition, new employees will be required to sign an
acknowledgement form confirming their understanding of the OIIA Procedures
Manual, which incorporates Government Auditing Standards.
Performance Appraisals
I. Introduction
All OIIA employees shall adhere to a set of performance expectations that address
professional skills and behavior. All employees shall regularly receive feedback from their
managers regarding their performance, as well as guidance and support for agreed-upon
areas of focused development. Members of the management team and office
administrative staff will receive performance appraisals in accordance with the County's
Performance Management Plan (PMP). Managers, auditors, investigators, and
administrative staff will receive performance appraisals using OIIA's performance
expectation and evaluation process described below.
II. Performance Appraisals
The County has established the following universal annual PMP timelines:
Timelines
Appraisal Period: October 1, 20XX to September 30, 20XX
Appraisal Period After October 1: Date of Hire to September 30, 20XX
Human Resources Due Date: October 31, 20XX
Annual Appraisals
1) After hiring, each manager, auditor, investigator, or administrative assistant will
receive a Performance Management Plan, which outlines the job expectations based
on the job title.
2) Once a year, after September 30, but no later than October 31, each auditor or
investigator will receive an annual evaluation from their manager. The appraisal will
factor in all project appraisals received during the evaluation period and will be
discussed with other managers working with the employees during the evaluation
period.
3) Two weeks prior to the Appraisal Period end date, the CAE or Manager (evaluator) will
email an electronic copy of the Performance Evaluation Form to the Manager, auditor,
investigator or administrative assistant (evaluatee) for feedback on their performance
during the appraisal period. The Chief Audit Executive or manager shall also
complete the Performance Evaluation Form to provide feedback utilizing the PMP
timelines. Evaluator should also give specific examples of performance for each
performance category listed on the performance evaluation form. The remainder of
this policy applies to auditors and investigators.
In conducting appraisals, the evaluator will use the following latest approved appraisal
templates.
Performance Evaluation Form Internal Auditor 8.01.06 - Internal Auditor position
Performance Evaluation Form Internal Auditor Senior 8.01.07 - Internal Auditor Senior position
Performance Evaluation Form Manager 8.01.08 - Internal Audit Manager
Y:\FORMS & TEMPLATES\GENERAL\2019\ Employee Separation Survey 8.01.12
Y:\HR FORMS\HR FORMS\ County Property Inventory Form 8.01.13
4) Annual appraisals will include an overall rating and a rating for each category as
assessed by the manager providing the evaluation. The possible ratings are: Far
Exceeds Standards, Exceeds Standards, Consistently Meets Standards, Marginal
Standards, and Below Standards.
5) Prior to providing an annual appraisal, the manager will share the appraisal with the
CAE for review.
Interim Appraisals (Periodic Feedback on Performance)
1) The overall objective of this process is to ensure that there are periodic discussions
with auditors and their managers regarding their performance and professional
development. This feedback is not meant to be the only interaction between the
manager and the auditor. It is also not meant to be a performance appraisal. The
process seeks to learn, encourage, coach, and motivate. It should be used as an
opportunity to address any deficiencies before they are noted in the annual appraisal.
It also should be a two-way conversation and an opportunity for the auditor to share
their thoughts, opinions and feedback with management.
2) Throughout the appraisal period (usually October through September), the manager
should provide feedback on performance to each employee on their team. This
feedback can be formal and informal and as frequent as need be to provide the
employee the level of guidance and coaching to ensure their success. Manager's
performance expectations require these discussions to occur at least twice during the
appraisal period. These discussions do not eliminate the need for an annual appraisal
and the need for project specific appraisals.
3) Each quarter during the appraisal period, each auditor will receive periodic feedback
on their performance from their manager. The feedback will factor in any project
appraisals received during the period, any feedback received from the audit clients,
any feedback received from other audit managers working with the auditor, and any
feedback received from the DCAE and CAE.
..\..\FORMS & TEMPLATES\PERFORMANCE EVALUATION\PERIODIC EMPLOYEE UPDATE AND PERFORMANCE FEEDBACK .dotx.docx
The manager should consolidate this
information from all sources to provide the auditor with an overall perspective of their
current performance and establish 'one voice'. This should include information on the
auditor's strengths as well as information on areas that the auditor should seek to
improve or enhance. The manager should be careful to provide the auditor with an
accurate picture of their overall current performance, information on their professional
potential and goals, guidance regarding enhancing and improving their skills and
performance, information to address any concerns shared, a specific plan for upcoming
projects and goals, and a specific plan regarding areas where the auditor has requested
assistance.
4) The auditor should be provided an opportunity to self-evaluate their performance and
share any comments or concerns they have as well as desires for assistance in their
development. This self-assessment should include information regarding current
projects they are working on: 1) a status on current projects, 2) what things have gone
well on the project, and 3) what they have learned working on the project. In addition,
the assessment should also include information about the coming quarter: 1)
information about any goals or projects that they expect to work on, 2) information on
anticipated accomplishments, and 3) thoughts and concerns regarding upcoming
projects or goals. Lastly, the assessment should include information on assistance
the auditor would like to receive from management as it relates to any of the
projects or goals that they are personally working on. This section should specifically
outline how management can assist the auditor in accomplishing their goals, being
successful on their assigned projects, or further developing and enhancing their
audit skills.
5) Prior to providing the feedback to the auditor, the manager should share the feedback
with the DCAE and CAE for review.
6) Again, these discussions and documentation should provide the basis for the annual
appraisal and demonstrate that communication regarding performance is occurring
with the employee throughout the year.
Audit Project Appraisals
1) Once the final audit report has been issued and the project has been finalized in
TeamMate EWP, the manager will ensure that the Auditor-in-Charge and each team
member charging 80 or more hours to the project receives a project appraisal utilizing
the approved appraisal templates. A Manager may also provide a project appraisal of
by another Manager to be incorporated into an annual appraisal, if the manager
participates as a team member on a project. In conducting this appraisal, the
appraiser will use the Research and Reporting Phase Form (See Procedure 5.02
Post-Project Evaluation).
2) Unless otherwise determined by the Manager, the Auditor-in-Charge will provide a
project appraisal to each team member after the Manager reviews it and the Manager
will provide a project appraisal to the Auditor-in-Charge after the CAE reviews it.
These appraisals should be shared in person. Each team member will provide an
upward appraisal to the Auditor-in-Charge and the Auditor-in-Charge will provide one
for the Manager that incorporates any comments from team members.
Pay Progression
1) Pay progression decisions will be made by the CAE based on auditor/investigator
performance, organizational need, and affordability. At the completion of each annual
appraisal, the responsible manager will make a recommendation to the CAE regarding
movement to the next level for an employee that is consistently exceeding
expectations. The CAE will discuss this recommendation and any other pertinent
information with the management team, consider organizational need and available
funding, and determine the appropriate action.
2) Movement based on performance will be suspended temporarily when sufficient
funding is not available.
Development Improvement Plans
If an auditor or investigator receives an overall rating of Marginal Standards or Below
Standards, the manager will work with the auditor or investigator to develop a Development
Improvement Plan 8.01.09 in accordance with Human Resources procedures. If an auditor
or investigator receives an overall rating of Consistently Meets Standards or above, but does
not receive a Consistently Meets Standards rating or above for one or more performance
categories, the manager will work with the auditor/investigator to identify relevant development
opportunities and incorporate them into the auditor or investigator's Development and
Training plan.
Development and Training Plan
I. Introduction
OIIA shall utilize a systematic approach to identify training and development needs for
each employee and track related progress.
II. Overall Office Assessment
1) As part of Annual Work Plan development (See Procedure 2.01 Annual Audit Plan),
the CAE will work with the management team to conduct an overall skills assessment
to identify any areas where further training or competency building are necessary.
2) Following this assessment, the management team will identify in-house training (by
office employees, Human Resources, or by external parties) to be provided during the
calendar year. This may be general training or project-specific training.
III. Individual Development and Training Plan
1) An individual Development and Training Plan 8.01.10 will be created for each
auditor/investigator after their annual appraisal. This plan should reflect agreed-upon
areas for training and development based on past performance, development needs,
office need (e.g. areas identified through the annual audit planning process), and
employee's development objectives.
2) The auditor/investigator will propose their Development and Training Plan, using the
recommendations by level documented for reference.
3) The responsible manager will review and agree to the plan, then track projects and
refer to plan for subsequent evaluations. Priority for training will be given to training
identified in the plan.
4) Each employee is responsible for tracking Development and Training Plan progress
and each manager is responsible for monitoring Development and Training Plan
progress for the employees that report to them.
5) Upon hiring, new employees will go through an onboarding process that will serve as
a tool for their development through the first year of employment.
Requesting, Reporting, and Monitoring Training
I. Introduction
OIIA employees shall request approval from their manager to attend any training course not
offered through Human Resource, Organizational and Employee Development Division,
using the OIIA Training Request Form (See Procedure 5.03 Continuous Development and
CPE). OIIA shall maintain records related to training hours obtained by employees and
periodically review those records for accuracy and completeness. The office shall also
periodically monitor to ensure compliance with Government Auditing Standards for
continuing professional education.
II. Requesting Training
1) Each employee is responsible for completing an OIIA Training Request Form and
submitting it to their supervisor for approval. The employee should ensure that
requested training has been researched and corresponds with their training plan,
applicable professional certification requirements, and/or a specific office need.
2) The manager will review the request based on the purpose, cost, and other office
priorities, and will consider the requesting employee's training history and annual
Development and Training Plan.
3) If the manager approves the request and the training costs exceed $250.00 per day or
include overnight travel, the request must also be approved by the CAE. Approval of the
request will be based on availability of funds and needs of the office.
4) Once the training has been approved, the Administrative Assistant will enroll the
requestor in the respective training course and process the payment for the training.
III. Reporting Training
1) After training completion, the attending employee will provide the certificate of
completion to the Administrative Assistant as soon as possible after taking the training.
2) The Administrative Assistant will enter the information from the training course
certificates into the OIIA Training Record Log spreadsheet and file the certificates in
the employee's training files.
IV. Monitoring Training Records:
1) All employees are responsible for coordinating with the Administrative Assistant to
check their progress toward meeting Government Auditing Standards requirements in
terms of the number of government-related hours obtained, total hours, and minimum
hours per year.
2) The CAE will conduct a review of training records at least twice a year, including
verifying that:
a. Training records listed on the spreadsheet can be substantiated with appropriate
certificates.
b. Certificates contained in employee files are properly represented in the
spreadsheet.
c. Training records in the spreadsheet are accurate and complete.
d. Each employee is making appropriate progress toward meeting Government
Auditing Standards requirements.
e. Any employees leaving the office have met Government Auditing Standards
requirements prior to their last day of employment.
3) Afterwards, the CAE shall import the training records into an Employee Training
Records Log 8.01.11 for review and acknowledgment by the employee.
(Note: Required Continuing Professional Education hours will be prorated for newly hired staff.)
Employee Separation
I. Introduction
The management team will take steps to ensure transfer of knowledge and safeguarding of
OIIA's resources when an employee leaves OIIA. For voluntary separations, the
management team will collect feedback from departing employees regarding their
experience in the office to facilitate and improve OIIA management in accordance with the
procedures below. For involuntary separations, the management team will work with
Human Resources to address the separation in accordance with the County's policy and
procedures.
II. Prior to the Employee's Last Day of Employment
1) When an employee first informs OIIA management of their intention to leave, the
employee's manager should work with the management team and separating
employee to confirm and document the employee's current assignments (including
audits, internal projects, and other duties).
2) The management team should meet to discuss how to transition those assignments to
others, and how to handle any gaps in technical specialties and/or skills that OIIA may
lose when the separating employee departs.
3) If applicable, the manager should notify other County employees (i.e. auditees/audit
client) that responsibilities for specific tasks have transitioned from the separating
employee to the newly assigned employee.
4) The manager should confirm with the office Administrative Assistant that the
separating employee's training is up-to-date and in compliance with Government
Auditing Standards.
5) If not already provided, the manager should obtain from the separating employee a
letter of resignation stating his/her last date of employment with OIIA. The manager
should provide the details on the employee resignation for an announcement to OIIA
staff.
6) The Administrative Assistant shall complete a Personnel Action (PA) Form to update
the Human Resource system (PeopleSoft) in accordance with the County's policies. In
addition, the Administrative Assistant shall open a help desk ticket to the Department
of Innovation and Technology (DoIT) to request that system(s) access be removed at
the time of the employee's separation. This access includes removal from
applications, email accounts, shared drive, etc.
7) The CAE should ensure a member of the management team meets with the separating
employee to conduct an exit interview. At that time, the manager should explain the
purpose of the Employee Separation Survey and request the separating employee
complete the survey prior to their separation.
8) The manager should send the Employee Separation Survey 8.01.12 electronically
(Jotform.com) to the separating employee at least three days prior to that employee's
last date of employment with OIIA.
9) The separating employee should be prompted by his/her manager to remove any
unnecessary files from their computer and ensure all files relevant to work are
saved in places accessible to OIIA team members.
III. On the Employee's Last Day of Employment
1) Administrative Assistant will meet with the separating employee to obtain office
items in accordance with the County Property Inventory Form 8.01.13.
2) Administrative Assistant will confirm the separating employee's office is clean and all
office-owned items are accounted for prior to the employee's departure.
IV. After the Employee's Last Day of Employment
1) The management team shall confirm that the separated employee's essential
assignments have been transferred to other employees.
2) The CAE and Manager should meet to analyze the results of the Employee
Separation Survey.
3) Administrative Assistant shall confirm that the separated employee no longer has
access to County's systems and applications.
Office of Independent Internal Audit
Audit Function Procedures Manual | Chapter 8
Procedure 8.02 - Time Keeping and Flexible Work Schedule
Purpose:
OIIA adheres to DeKalb County's personnel time keeping practices and uses the
KRONOS system to report hours to the County's Finance - Division of Risk Management
& Employee Services (Payroll Unit). DeKalb County personnel code allows for Flexible
Work Schedule to increase productivity and improve work-life balance.
Authority:
DeKalb County KRONOS Policy, DeKalb County Ordinance Sec. 20-161. - Hours of
work, Administrative Procedures to DeKalb County Personnel Code Chapter 20, and
Flexible Work Schedule Policy.
Applicability:
Each member of the OIIA is responsible for reporting time and managing their
established work schedule. DeKalb County Personnel Code Section 20-161 does not
specifically address an employee flexible work schedule but is broad enough to allow
Flexible Work Schedule or teleworking.
Subject: General Administrative
Procedure Number: 8.02
References: DeKalb County KRONOS Policy; DeKalb County Ordinance Sec. 20-161. - Hours
of work; Administrative Procedures to DeKalb County Personnel Code Chapter 20; Flexible
Work Schedule Policy
Issue Date: 06/24/2019 | Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended:
Time Keeping and Flexible Work Schedule:
I. Introduction
The County utilizes the KRONOS time keeping system for tracking and paying overtime
eligible ("non-exempt") employees. Employees who clock in/out are required to have
and utilize the DeKalb County Human Resources issued identification cards. Each
employee must use his or her own card to clock in/out.
FLSA exempt employees (exempt employees) do not clock in or out using KRONOS.
Exempt employees' timecards are automatically populated in KRONOS with 40 hours
for each week.
"Flexible scheduling promotes employee engagement by providing increased personal
control over work schedule, while the County gains through increased employee
morale. Other benefits can include reduced absenteeism, tardiness and turnover, and
extended hours of operation to serve customers. In the interest of promoting employee
work-life balance, the implementation of flexible work schedules makes good business
sense."¹
II. Time Keeping and Payroll
Biweekly, employees should enter their hours on any one of the applicable TIMESHEET
8.02.01 spreadsheets, print their timesheets, and attach the required LEAVE REQUEST
FORM 8.02.02 and other documentation such as jury summons, verification of the death
for bereavement leave, etc. to support non-working hours. Employees are responsible
for ensuring they have adequate vacation and/or sick hours available when requesting
leave. Managers are responsible for verifying that employees have sufficient earned
hours when approving leave requests on time reports. Employees should then submit
their timesheets to their Managers for review on the Friday ending the pay period.
The Manager should review their assigned employee's timesheets, checking the
accuracy of hours worked by the employee, that the correct payroll codes are used, the
accuracy of the accumulated and used compensating time, and that all necessary
supporting documentation is approved and attached to the timesheet(s). The Manager
should then sign the timesheets and submit them to the Administrative Assistant by
10:00 am on the Monday after the pay period has ended, unless notified to do so earlier. If the
Administrative Assistant identifies any issue with the employee's timesheet, it is to be
returned to the manager. If the manager is not available, the timesheet is to be returned
to the DCAE or the CAE. The manager, DCAE or CAE will coordinate with the
employee to make the necessary corrections and ensure approval.
¹ DeKalb Flex Work Schedule Policy 8 20 13
The Administrative Assistant should ensure that timesheet processing complies with
DeKalb County requirements. This includes entering timesheets into the KRONOS
system, reviewing them for accuracy, and submitting them electronically to the Finance -
Division of Risk Management & Employee Services (Payroll Unit). Timecards should
be completed and signed off on by the Administrative Assistant by Tuesday at noon.
At the end of each pay period, the Administrative Assistant should obtain a leave
report and a compensation time report and submit them to the DCAE. The DCAE will review
and reconcile the information with the Office's internal payroll records. The deadline
date may change when a holiday occurs during the pay period. Advance notification
will be provided by the Finance - Division of Risk Management & Employee Services
(Payroll Unit) when changes occur.
III. Compensatory Time (Comp Time)
Overtime and Comp Time for Employees Non-Exempt from FLSA
"As amended, the Fair Labor Standards Act allows local governments to compensate
overtime-eligible (non-exempt) employees for hours worked in excess of the standard
work period by giving them time off in lieu of cash overtime payments. The Board of
Commissioners amended the DeKalb County Personnel Code to enable use of
compensatory time in lieu of cash compensation for overtime. Employees in the
regular pay plan, scheduled for 40 hours per week, may accrue compensatory time up
to a maximum of 240 hours unless otherwise stipulated in these procedures."²
OIIA will report comp time accrual and usage by FLSA non-exempt employees in
KRONOS. To compensate FLSA non-exempt employee hours worked in excess of
the standard work period with comp time off, the OIIA will code excess hours worked
as "006" (Comp Time Accrual) in KRONOS. When comp time is taken, it will be coded
in KRONOS as "017" and reported on the actual day taken.
Comp Time for Employees Exempt from FLSA - DeKalb Ordinance Section 20-161(c)
"Department heads at their discretion may grant compensatory time at up to an hour-
for-hour rate to FLSA-exempt employees who work substantially beyond their normal
work schedules during an emergency or in connection with a special project that
requires hours beyond the standard. FLSA-exempt employees must use
compensatory time within one calendar year of the date granted and are not eligible to
receive cash compensation, at separation or otherwise, for any amount of unused
compensatory time accrued while FLSA-exempt. FLSA-exempt employees may not
claim a balance of more than 160 compensatory hours at any time."³
² Administrative Procedures to DeKalb County Personnel Code Chapter 20, page VIII-4
³ Administrative Procedures to DeKalb County Personnel Code Chapter 20, page VIII-5
All accrued comp time is subject to the prior approval by the CAE and/or Audit Manager.
Once the scheduled time off has been approved by the manager, a copy of the
approved requests should be submitted to the Administrative Assistant and the DCAE.
When scheduling the use of comp time, as with any other type of leave, OIIA management
must consider the workload and scheduling concerns when approving use of accrued
comp time. DeKalb County encourages employees to use accrued comp time as
soon as possible after it is earned. Since comp time for FLSA-exempt employees is
not accrued in KRONOS, the Administrative Assistant will track comp time for FLSA-exempt
employees using a spreadsheet. When comp time is taken, it will be coded in KRONOS
as "071" and reported on the actual day taken.
IV. Vacation, Sick, and Other Leave
Vacation and other planned time off from the office must be approved in advance by
your manager and in some cases by the GAE. If your time off will result in you being
out of the office for more than one week, will conflict with any office work, or will result in
you receiving leave without pay, you will need to obtain prior approval from the GAE as
well as your manager. Also, if your time out of the office results in leave without pay,
this will need to be reviewed and discussed with the GAE prior to obtaining your
manager's approval. All requests for vacation and planned time off should be submitted
to the Administrative Assistant as soon as the leave request has been approved. A
copy of the leave request should also be forwarded to the DCAE, once it has been
approved by the GAE, so that the internal payroll records can be updated.
Sick or unplanned leave requests should be completed immediately upon your return to
the office. It is important that these documents are submitted for review and approval
in a timely manner. Each manager is responsible for notifying the DCAE or the GAE when
employees are away from the office on unplanned leave. An email should be sent as
soon as the employee communicates with the manager.
V. Work Schedules and Work at Home
Employees shall request a work schedule using the DeKalb Flexible Work Agreement Form 8.02.03 and, if
approved, maintain an established work schedule and manage that schedule by providing
proper notification(s) when deviations are made. OIIA provides the opportunity for
permanent employees in good standing to telework when appropriate, as a means of
contributing to County initiatives to reduce air pollution and traffic congestion. Employees
are responsible for following the County's Personnel Policies and related guidance in
establishing and managing their schedule.
Work Schedules.
All employees are required to submit a written request to their manager
to establish or change their work schedule.
The appropriate manager will consider and either approve the schedule or request
modifications based on office needs.
Employees will make a good faith effort to schedule internal team meetings to
accommodate established work schedules.
Employees should work with their Manager to coordinate hours scheduled on and around
official County holidays, training days, or other similar circumstances, as appropriate, to
assure that work schedules are adjusted to accommodate the remaining work hours within
the two-week pay period.
Employees should keep their schedule up to date in Microsoft Outlook.
When a work schedule has been established, employees shall minimize deviations from
the established schedule. In the event that an employee must deviate from their
established schedule, the employee shall follow applicable County Personnel Policies and
communicate or make arrangements to communicate with their manager and affected
internal and external staff, as appropriate.
Telework.
Permanent employees who are in good standing can request to telework by
sending an email to their manager and copying other managers they are working with at
least one day in advance. The request should include the proposed work hours and an
overview of the work to be accomplished. The manager will approve or deny the request
by email.
After receiving approval to work offsite, the employee should place an appointment on
their Outlook calendar indicating the day/hours approved for teleworking. Upon returning
to the office, the employee should be prepared to discuss work conducted with their
manager.
Telework can be recurring or one-time. For example, an employee could ask to work
remotely for two hours each morning (e.g. 8 am to 10 am), could ask to work remotely
every Wednesday, or could ask to work remotely for a particular Wednesday.
As with any alternative work schedule, the employee will need to accommodate
scheduled internal and external meetings as needed. In addition, employees who
telework are expected to be accessible (by phone and email) during the hours they
work offsite.
Office of Independent Internal Audit
Audit Function
Procedures Manual
Chapter 8
Procedure 8.03 - Safety Policy
Subject: General Administrative
Procedure Number: 8.03
References: DeKalb County Emergency Evacuation Plan; Safety and Loss Prevention Manual
Issue Date: 06/24/2019
Effective: 07/01/2019
Approved: John L. Greene, Chief Audit Executive
Amended:
Purpose:
Office of Independent Internal Audit (OIIA) employees adhere to DeKalb County's
safety policies established by the County's Finance - Division of Risk Management &
Employee Services (Safety & Loss Prevention Unit), OIIA's Safety Policy and Accident
Prevention Plan.
Authority:
DeKalb County Occupant Emergency Plan, Safety and Loss Prevention Manual,
and other County safety policies and/or procedures.
Applicability:
Each member of the OIIA is committed to providing a work environment that is
reasonably free from recognized and potential hazards that could damage office
property or cause injury to any person that may work in, visit, or enter our workplace.
Safety Policy:
It is our policy to conduct and manage our business operations in a manner that
protects employees and persons that may be affected by our operations.
The Chief Audit Executive (CAE) will ensure safety-related materials (including the
OIIA's Accident Prevention Plan 08.03.01 and the Continuity of Operations Plan
(COOP)) are routinely updated and significant changes to these plans are
communicated to employees (see current plans embedded at end of policy).
The CAE assigns the Office Safety Coordinator. As needed, the CAE may assign
employees to serve as Safety Team members.
The roles and responsibilities of the Office Safety Coordinator include, but are not
limited to:
• Coordinating with Finance-Risk Management safety drills as well as
emergency events. This includes informing individuals of the nearest exits and
assembly areas, instructing individuals to use the stairwells and proper exits,
and walking the assigned area in approximately 60 seconds or less to inform
all occupants of the evacuation notice.
• Ensuring all new employees receive safety information as part of their initial
orientation.
• Ensuring employees receive ongoing updates regarding safety and any related
changes.
• Serving as the point of contact for employees to contact when they have
safety-related concerns and/or questions.
• Communicating concerns or deficiencies to Facilities Management and/or
Finance- Risk Management and Employee Services.
• Keeping OIIA management apprised of potential safety threats.
Office of Independent Internal Audit
Audit Function
Procedures Manual
Appendix A
GA Law 3826 LOCAL AND SPECIAL ACTS
AND RESOLUTIONS,
VOL. II
DEKALB COUNTY - INDEPENDENT
INTERNAL AUDITS.
No. 206 (House Bill No. 599)
DEKALB COUNTY - INDEPENDENT INTERNAL AUDITS.
AN ACT
To amend an Act revising, superseding, and consolidating the laws relating to the governing
authority of DeKalb County and creating a chairman and board of commissioners of said
county, approved March 8, 1956 (Ga. L. 1956, p. 3237), as amended, particularly by an Act
approved April 9, 1981 (Ga. L. 1981, p. 4304), so as to provide for independent internal
audits for DeKalb County; to provide for procedures, policies, and limitations; to provide
for certain reports; to provide for funding; to provide for oversight; to provide for related
matters; to repeal conflicting laws; and for other purposes.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:
SECTION 1.
An Act revising, superseding, and consolidating the laws relating to the governing
authority of DeKalb County and creating a chairman and board of commissioners of said
county, approved March 8, 1956 (Ga. L. 1956, p. 3237), as amended, particularly by an Act
approved April 9, 1981 (Ga. L. 1981, p. 4304), is amended by repealing subsection (d) of
Section 10 in its entirety.
10A. Independent Internal Audit.
(a)(1) It is essential to the proper administration and operation of the DeKalb County
government that public officials, government managers, and private citizens know not only
whether government funds are handled properly and in compliance with laws and regulations
but also whether public programs are achieving the purposes for which they were authorized
and funded, and whether they are doing so efficiently, effectively, and equitably. An
independent internal audit function can provide objective information on the operations of
government programs, assist managers in carrying out their responsibilities, and help ensure
full transparency and accountability to the public. Internal auditing is defined as an
independent, objective assurance and consulting activity designed to add value and improve
an organization's operations by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control, and governance processes.
(2) The public interest requires that the General Assembly provide for the proper
administration and operation of the DeKalb County government by establishing by law an
independent internal audit function to assist the governing authority to accomplish its
objectives by bringing a systematic disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.
(b)(1) The Office of Internal Audit is hereby established which shall consist of the Chief
Audit Executive ("Auditor") and those assistants, employees, and personnel as deemed
necessary by the Auditor for the efficient and effective administration of the affairs of the
office and over whom the Auditor shall have the sole authority to appoint, employ, and
remove.
(2) The Office of Internal Audit shall be completely independent and shall not be subject to
control or supervision by the Chief Executive, the Commission, or any other official,
employee, department, or agency of the county government.
(c) The Auditor shall be appointed by a majority vote of the DeKalb County Board of
Commissioners from a list of not fewer than two nor more than three candidates provided to
the board by the audit oversight committee. Such appointment shall be made within 30 days
of receipt of the nominees by the board. In the event that the Commission fails to appoint a
nominee within 30 days, the Auditor shall be appointed by a majority vote of the audit
oversight committee.
(d) The term of office of the Auditor shall be five years and until his or her successor is
qualified and appointed. The Auditor shall be limited to a maximum of two terms in office.
A vacancy in the position of Auditor shall exist by reason of expiration of term, resignation,
death, removal from office by the vote of a supermajority of the members of the
Commission, or if the Auditor becomes ineligible to hold civil office within the meaning of
Code Section 45-2-1 of the O.C.G.A., and that ineligibility is established by decision of a
court of competent jurisdiction which declares the office vacant because of such
ineligibility. A vacancy shall be filled
W1lhin, 0
{liays
by a majority vote of the audit oversight committee for the remainder of the term of office.
(e) The Auditor must have adequate professional proficiency for the job and shall:
(1) Be a certified public accountant or a certified internal auditor;
(2) Have a bachelor's degree in public policy, accounting, business administration,
economics, or a related field; and
(3) Have at least five years of experience in government auditing, evaluation, or analysis.
(f) The position of the Auditor shall be nonpartisan. Qualifying for election to a public
office shall constitute resignation from the position as of the date of qualifying.
(g) The Auditor shall have authority to conduct financial and performance audits of all
departments, offices, boards, activities, agencies, and programs of the county in order to
independently and objectively determine whether:
(1) Activities and programs being implemented have been authorized by this Act, Georgia
law, or applicable federal law or regulations and are being conducted and funds expended in
compliance with applicable laws;
(2) The department, office, board, or agency is acquiring, managing, protecting, and using
its resources, including public funds, personnel, property, equipment, and space,
economically, efficiently, effectively, and in a manner consistent with the objectives
intended by the authorizing entity or enabling legislation;
(3) The entity, programs, activities, functions, or policies are effective, including the
identification of any causes of inefficiencies or uneconomical practices;
(4) The desired results or benefits are being achieved;
(5) Financial and other reports are being provided that disclose fairly, accurately, and fully
all information required by law, to ascertain the nature and scope of programs and
activities, and to establish a proper basis for evaluating the programs and activities
including the collection of, accounting for, and depositing of, revenues and other resources;
(6) Management has established adequate operating and administrative procedures and
practices, systems or accounting internal control systems, and internal management
controls; and
(7) Indications of fraud, abuse, or illegal acts are valid and need further investigation.
(h) All officers and employees of DeKalb County shall furnish to the Auditor unrestricted
access to employees, information, and records including electronic data within their custody
regarding powers, duties, activities, organization, property, financial transactions,
contracts, and methods of business required to conduct an audit or otherwise perform audit
duties. In addition, they shall provide access for the Auditor to inspect all property,
equipment, and facilities within their custody. If such officers or employees fail to provide
or produce such access and information, the Auditor may initiate a search to be made and
exhibits to be taken from any book, paper, or record of any such official or employee or
outside contractor or subcontractor, except as governed by statute. Further, all contracts
with outside contractors and subcontractors shall contain a "right-to-audit" clause and
provide for Auditor access to the contractor's employees and to all financial and
performance related records, property, and equipment purchased in whole or in part with
governmental funds. For the purpose of this subsection, the Auditor shall have the authority
to issue subpoenas and may apply to the Superior Court of DeKalb for the enforcement of
any subpoena issued by the Auditor.
(i) The Auditor may obtain the services of certified public accountants, qualified
management consultants, or other professional experts necessary to perform audit work. An
audit that is performed by contract must be conducted by persons who have no financial
interests in the affairs of the governmental entity or its officers. The Auditor shall
coordinate and monitor auditing performed by certified public accounting firms or other
organizations employed under contract by the governing authority to assist with audit
related activities. Contracting for the external audit will follow the normal contracting
processes of the governing authority of DeKalb County except for the participation and
oversight by the audit oversight committee and Auditor. The selection of a certified public
accounting firm for the annual financial audit must be approved by the Commission.
(j)(1) Audits shall be conducted in accordance with recognized government auditing
standards.
(2) At the beginning of each fiscal year, the Auditor shall submit a one- to five-year audit
schedule to the audit oversight committee and the Commission for review and comment.
The schedule shall include the proposed plan, and the rationale for the selections, for
auditing departments, offices, boards, activities, programs, policies, contractors,
subcontractors, and agencies for the period. This schedule may be amended after review
with the audit oversight committee and the Commission, but the Auditor shall have final
authority to select the audits planned.
(3) In the selection of audit areas and audit objectives, the determination of audit scope and
the timing of audit work, the Auditor shall consult with federal and state auditors and
external auditors so that the desirable audit coverage is provided and audit efforts are
properly coordinated.
(4) A final draft of the audit report shall be forwarded to the audit oversight committee,
the Chief Executive, the Commission, and the audited agency for review and comment
regarding factual content prior to its release. The agency shall respond in writing,
specifying the agreement with audit findings and recommendations or reasons for
disagreement with findings and recommendations, plans for implementing solutions to
issues identified, and a timetable to complete such activities. The response shall be
forwarded to the Auditor within 50 days. The Auditor shall review and report on
information included in the agency's response. If no response is received, the Auditor shall
note that fact in the transmittal letter and shall release the audit report.
(5) Each audit shall result in a final report, in written or some other retrievable form. The
report shall contain relevant background information and findings and recommendations
and shall communicate results to the audit oversight committee, the audited agency, and the
governing authority.
(6) The Auditor shall submit an annual report to the audit oversight committee, Chief
Executive, and the Commission indicating audits completed, major findings, corrective
actions taken by administrative managers, and significant issues which have not been fully
addressed by management. The annual report, in written or some other retrievable form,
shall be made available to the public through the county website within ten days of
submission to the Commission.
(k) If, during an audit, the Auditor becomes aware of abuse or illegal acts or indications of
such acts that could affect the governmental entity, the Auditor shall report the
irregularities to the audit oversight committee, the Chief Executive, and the Commission. If
a member of the governing authority is believed to be a party to abuse or illegal acts, the
Auditor shall report the acts directly to the audit oversight committee, the Chief Executive,
and the Commission. If it appears that the irregularity is criminal in nature, the Auditor
shall notify the district attorney in addition to the officials previously identified in this
subsection.
(l) The Auditor shall follow up on audit recommendations to determine if corrective action
has been taken. The Auditor shall request periodic status reports from audited agencies
regarding actions taken to address reported deficiencies and audit recommendations.
(m)(1) The audit activities of the Office of Internal Audit shall be subject to a peer review
in accordance with applicable government auditing standards by a professional, nonpartisan
objective group utilizing guidelines endorsed by the Association of Local Government
Auditors (ALGA).
(2) The peer review shall use applicable government auditing standards to evaluate the
quality of audit effort and reporting. Specific quality review areas shall include staff
qualifications, adequacy of planning and supervision, sufficiency of work paper preparation
and evidence, and the adequacy of systems for reviewing internal controls, fraud and abuse,
program compliance, and automated systems. The peer review shall also assess the content,
presentation, form, timeliness, and distribution of audit reports. The Commission shall pay
for the costs of the peer review.
A copy of the written report of such independent review shall be furnished to each member
of the governing authority and to the audit oversight committee.
(n)(1) To ensure independence of the audit function, an audit oversight committee is hereby
established. The audit oversight committee shall consist of five voting members.
(2) All members of the audit oversight committee shall:
(A) Be residents of DeKalb County;
(B) Have expertise in performance auditing; and
(C) Have a minimum of five years' experience as a certified public accountant, a certified
internal auditor, a certified performance auditor, a certified management accountant, or ten
years of other relevant professional experience.
(3) Not later than
311, _o] 5,
tli.e1ncm ber:s
,o
I.lie
a111d:irnv
msighl
OO'ltl.D:liuc
shall
he, clcet:{rl a. tol l.ov,•s:
,
A
ne m mbL":r sl1a.JJ k
app:n:m.wd
'.by
L:ho
chairpersml
of
the
DeKalb
'oumy
delegatioll.in the, corgi,a Hmt..e of.Rep:rc:.'lt:ntative.'>:
,
B c memher shaU be .appninted
by lhe chaiipcr.
Jl of lhe De.Ka.lb Coun y
delegation in
th
,
e
corgi.a,. enaie:
,
1
n¢ miemher sh alJ be ,a.pp. imed b
the Chit:f mi e o DcKalb
_
:ru:i tYi and
D wo mmtilier.. sh alJ be appt int d by
tb
,
e
·
:om:rnissii n.
,
'.
The mtlmbL"TS shalJ ·rvc for
lemic
of 1ve yca.FS
1
pm,,.idecl, howeyer, tha:r lh:e initial
te-.rn1 of the
irsi.
appointee
of
I.he,· ,cmmlu sion shall b.c
one year
and u:m:il his or hcr
rc.'f[}CCiivc u
•i::;
iIDr
i. app
.inltti amd nalified;
the initial tcnn o
the apporni.re of lh:e
d1:1irpeison
of
lhu DeKalb
,u.n11i.1de e-gatioE -in lhe Ge :r:gfa Hom
of Represerua.li v ·
. ha!I
two
ycat
_
and u.miJ
.hi
or
her re1,,i;rooti ve
u.
.o
i
r
.
a p p c i n
ted and qnalifie<l.: rh:e
ini lial term of t.he awuintt!¢ of the :hi ,f
1
.
ni,,
s.halI be three
yea
a
mi
l!lllti I
hi.or
h& ru,
.frvc
.sm:u or is appr,inEedand qlutli,icd; the mi1i1d
tffll'l
o
Lhu scoo.ll.d
app,oin •i.iof the Comni.i! · ion hall hi fuu:r yeaFs andunlilhis or he'.:rt Cl...'ti e lt •
!llr
is 3:ppuinte<l..and
qnali
1
·d'.
and
th
initial
lc'11l11
oflll .appl imrt
o
the
hai:rp1;,--r
on
f lh:e
Appendix A
Page 7 of 9
DeK:alb
C
llnlJ
a
I
•gatinn jn
rn
l:'
G11:
m:gia
S•b"nS:f
shall
btJ
£i
\I
•
jleUTI
arid
IJ.ntil
hi,
her
r l1 v • Lit • ·slIDii i. appointc,uland qllUilificd_
(5) Successors to all members of the audit oversight committee and future successors shall
be appointed by the respective appointing authorities not less than 30 days prior to the
expiration of each such member's term of office, and such successors shall take office on
January 1 following such appointment and shall serve terms of five years and until their
respective successors are appointed and qualified.
(6) If a member of the audit oversight committee ceases to be a resident of DeKalb County,
that member's position on the board, by operation of law, shall become vacant upon the
establishment of the fact of such nonresidency, if contested, by a court of competent
jurisdiction. A vacancy on the audit oversight committee shall exist by reason of death,
resignation, incapacity to serve for days or longer, or loss of residency as described in this
subsection. A member of the audit oversight committee may also be removed from office
during a term if the member becomes ineligible to hold civil office within the meaning of
Code Section 45-2-1 of the O.C.G.A. and that ineligibility is established by decision of a
court of competent jurisdiction which declares the office vacant because of such
ineligibility or by a vote of two-thirds of the members of the legislative delegation. A
vacancy shall be filled within 60 days by the legislative delegation for the remainder of the
unexpired term.
(7) The members of the audit oversight committee shall elect from their own membership a
chairperson and otherwise provide for their own internal organization.
(8) The audit oversight committee shall consult with the Auditor regarding issues and work
to assure maximum coordination between the work of the office and external audit efforts.
(9) The audit oversight committee shall meet as needed to perform its duties but shall not
meet less than once quarterly and shall be responsible for:
(A) Selecting not fewer than two nor more than three nominees for the position of Auditor
who meet the requirements outlined in subsection (e) of this section which shall be
submitted to the Commission for selection and appointment of one of the nominees to the
position of Auditor;
(B) Performing regular evaluations of the DeKalb County audit function;
(C) Providing suggestions and comments for the annual audit plan;
(D) Ensuring that audit reports are transmitted to the governing authority and to the public;
(E) Monitoring follow-up on reported findings to assure corrective action is taken by
management;
(F) Reporting to the governing authority on problems or problem areas at such times as
deemed appropriate;
(G) Conducting or overseeing the requests for proposal and selection process for the firm
conducting the annual financial statement audits, and ranking and recommending in order
of preference no fewer than three firms deemed to be the most highly qualified to perform
the required services. If fewer than three firms respond to the request for proposal, the
audit oversight committee shall recommend such firms as it deems to be the most highly
qualified;
(H) Evaluating the firm providing annual financial statement auditing services and
providing oversight of that audit, including ensuring transmission of reports and follow up
on corrective action by management;
(I) Evaluating the findings and recommendations of the peer review as required by
recognized government auditing standards;
(J) Consulting with the Auditor regarding technical issues with the external audit firm and
working to assure maximum coordination between the work of the Office of Internal Audit
and contracted audit efforts and other consulting engagements;
(K) Maintaining the confidentiality of personnel matters while taking responsibility for
appropriate disclosure to the governing authority, the legislature, or to the public; and
L
J
AtmuaJJ
m{.'Jjjtin_g
v.-i
th.mem.h-
l.T.'
0
l
1
111
""'
)nt ·
sion
t
di
tl
.
cmll'
L,
lt."li:
and
d
k
.and
]lCo-r.fi
rnll:l:n •
of
the
audii
fhm,
and to
disc•.
s:01.1:!cnnaltas l.h.a1
th
audit
fimi
1
I.he Al!dinn, or iaff de..ire:., OJ i :ruqti.ired t hriilg tu the
Coiimii
·
ion'
altirnlioi:J
_,;;uch
fill
fra.l!l.d,
tllcga.la
, filld fi.Dan.eiaJand ooifitrol
w
aknl,,.'(.'>'.!
_
!
(10) The audit oversight committee shall have authority to hire outside experts, including
legal counsel, when necessary.
(11) The audit oversight committee shall have the authority to propose the budget of the
Office of Internal Audit, including the Auditor's salary and staffing, and shall then
recommend the budget to the Commission for approval, who shall fund it as a priority.
(12) Sufficient resources as requested by the audit oversight committee shall be provided
by the Commission to enable the audit oversight committee to carry out its responsibilities.
(o) The provisions of this section are severable, and if any of its provisions shall be held
unconstitutional or invalid by a court of competent jurisdiction, the decision of the court
shall not affect or impair any of the remaining provisions.
SECTION 3.
All laws and parts of laws in conflict with this Act are repealed.
ALLE• lSL
U,
ti1..,
is given lliail thmc will be imttQdbt ·d. M th· rcgufa:r 20)5 •
i
'El
1,t:ncral
A·
·mb1y
of eiorgia.a.bill 1n
anHmd
alil A.et re i in.g,
gl!l.pt.-r.Hro.ing,
::til.d
_'imi 6darin • lhc
law relating tu llieg
t..'ITI.Ul.t
amlh rity of DcKal
'
ol!llll!i'aild
ere.aring
a
cl.ai.ana:n
and
brn:utl
o
com.nus
10n ·
·
said.
c
nmty.
aPP'iO od arch.8, 1
S
,
ra. L_ 1'95&, p. 3
21-
,
a
amended
£ll8:lft:ic1:1la:rl,
b:J
2II
.er
appro'\led pa1
1'\
198l
,(
Ga_L l
y,i:n,
P- 304)
as l
p:rovld • for ind P, l!ldimt fulfil1l81 audits for D Kalb
,
muy. to ptovi.d• for pr0t'Odur ;
Repre-.,£-uLaii ve. Distri t 8 ]
3!!3
polietcs, amd Iim
i
E:rtion. ; to provioo.for oo,t:ain
,ep-Olf't:!
;
to prov
iu.
for
f
l!.ll'lding;
to pro
id
for
over.si t;
prov.id.0
[one:!1:t:l'.00
mattmJi;
mid for
>lhi:=
pmpoSt.:..
GE RGIA, F
Lu;.
UTY
P
nl0!1ally
appeare,
b foru
IM'
the
IL't.MISniigncd
au
hnrity,
dul
auih::iri2tid
t
admitw
er
oo 11, S
m. H
loomb
wl
on oath
d ipo1
.and says i.rurt
.he-
i
Lh
R
pr
nl.ativ •
irt;m1
01.o;:t:ncot
8]
and fi.1:rdmr
dt:,
and .
a:ys
lha:L
l"h
att:i.ched
dru of llm ·nt:ion
1.0
lnmw
•
Loral
Legisla!iain
wai
published
111
ll:i:0
Champion
which
i.,:,
tb
of,
tci..J
Ol'ga.n
of
DeKalb
.ounty onlan 1ary 15, 20b,.and that the notice n:q 1iremc.n o
e Secrioâ–¡.2g.]-l
.ha c
btt."FJ.
mm.
S,,.iurn
t
and
ubs:
zlbt:d:
bt:fOR: me.
this; Lit day of· 43.rch. 20]5.
(FER BURGE .
rn'llifer Burg -
_otary
Pt1.blic,
Fulion
,County,
G
rgia
: y
1.Jmnti.ssion
Expir:
b
mi
bcr
2
•
20
t
,EAL
A
1
1LL
R
-
H
AU
;
I)[
amend,an Ad crcalmg u1 Saiilfa Re iona I V at.Jrand. ewct
1ahonly.prcVlOU.'lly kn0iwn
.as;
1.h-
e.
Ware
Otil'.Ll)'
\I
amrand
Sc-
er
,
uth.oril:y,
appmved, cl.obcd,
2{101
,
Ga. L 200].
Ex. S
·l<S.
p.
7
5
M:1
8.ll:ICD.•dctl;
so
a
torm,i..e
1.he
nt:amlcl!'
of
k-:e
tion o
'tile
meiltbt-"IS
o
I.he
·
Office of Independent Internal Audit
Audit Function
Procedures Manual
Appendix B
DeKalb County, Georgia - Code
Ordinances/Organizational Act Section 10A -
Independent Internal Audit
Sec. 10. - Audits.
(a)
The commission shall choose three (3) of its members to serve as an audit committee. The term of
members serving as the audit committee and their manner of selection shall be as determined by the
commission. The audit committee shall screen and recommend to the commission an independent
auditing firm to serve as an outside auditor of the county government to make an annual continuous
general audit of all county finances and financial records.
(b)
The outside auditor shall be employed pursuant to written contract to be entered upon the minutes of
the commission, and the contract shall state clearly and concisely the depth and scope of the audit
and that it shall be conducted in accordance with the requirements of the act providing uniform
standards for audits of municipalities and counties within the State of Georgia, approved April 21, 1967
(Ga. Laws 1967, p. 883), as amended, by an act approved March 28, 1968 (Ga. Laws 1968, p. 464)
[O.C.G.A. § 36-60-8]. The auditor shall immediately inform the commission in writing of any
irregularities found in the management of county business by an officer or department of the county
government.
(c)
The outside auditor shall complete the audit in compliance with Article 1 of Chapter 81 of Title 36 of
the Official Code of Georgia Annotated each year, and, within ten (10) days after its completion, the
auditor shall deliver a copy of the audit to each commissioner, the chief executive, and the grand jury
of the DeKalb County superior court then in session.
(Acts 1981, p. 4304, § 1; Acts 1915, p. 3826, § 1; Acts 2016, p. 4219, § 2)
Sec. 10A. - Independent internal audit.
(a)
(1) It is essential to the proper administration and operation of the DeKalb County government that
public officials, government managers, and private citizens know not only whether government
funds are handled properly and in compliance with laws and regulations but also whether public
programs are achieving the purposes for which they were authorized and funded, and whether
they are doing so efficiently, effectively, and equitably. An independent internal audit function can
provide objective information on the operations of government programs, assist managers in
carrying out their responsibilities, and help ensure full transparency and accountability to the
public. Internal auditing is defined as an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk management, control, and
governance processes.
(2) The public interest requires that the general assembly provide for the proper administration and
operation of the DeKalb County government by establishing by law an independent internal audit
function to assist the governing authority to accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk management, control, and
governance processes.
(b)
The office of internal audit is hereby established which shall consist of the chief audit executive
("auditor") and those assistants, employees, and personnel as deemed necessary by such auditor for
the efficient and effective administration of the affairs of the office, and over whom the auditor shall
have the sole authority to appoint, employ, and remove.
(c)
The office of internal audit shall be completely independent and shall not be subject to control or
supervision by the chief executive, the commission, or any other official, employee, department, or
agency of the county government.
(d)
The auditor shall be appointed by a majority vote of the DeKalb County Board of Commissioners from
a list of not fewer than two (2) nor more than three (3) candidates provided to the board by the audit
oversight committee. Such appointment shall be made within thirty (30) days of receipt of the list of
nominees by the board. In the event that the commission fails to appoint a nominee within thirty (30)
days, the auditor shall be appointed by a majority vote of the audit oversight committee.
(d)
The term of office of the auditor shall be five (5) years and until his or her successor is qualified and
appointed. The auditor shall be limited to a maximum of two (2) terms in office. A vacancy in the
position of auditor shall exist by reason of expiration of term, resignation, death, removal from office
by the vote of a supermajority of the members of the commission, or if the auditor becomes ineligible
to hold civil office within the meaning of O.C.G.A. § 45-2-1 and that ineligibility is established by
decision of a court of competent jurisdiction which declares the office vacant because of such
ineligibility. A vacancy shall be filled within sixty (60) days by a majority vote of the audit oversight
committee for the remainder of the term of office.
(e)
The auditor must have adequate professional proficiency for the job and shall:
(1)
Be a certified public accountant or a certified internal auditor;
(2)
Have a bachelor's degree in public policy, accounting, business administration, economics, or a
related field; and
(3)
Have at least five (5) years of experience in government auditing, evaluation, or analysis.
(f)
The position of the auditor shall be nonpartisan. Qualifying for election to a public office shall constitute
a resignation from the position as of the date of qualifying.
(g)
The auditor shall have authority to conduct financial and performance audits of all departments,
offices, boards, activities, agencies, and programs of the county in order to independently and
objectively determine whether:
(1)
Activities and programs being implemented have been authorized by this Act, Georgia law, or
applicable federal law or regulations and are being conducted and funds expended in compliance
with applicable laws;
(2)
The department, office, board, or agency is acquiring, managing, protecting, and using its
resources, including public funds, personnel, property, equipment, and space, economically,
efficiently, effectively, and in a manner consistent with the objectives intended by the authorizing
entity or enabling legislation;
(3)
The entity, programs, activities, functions, or policies are effective, including the identification of
any causes of inefficiencies or uneconomical practices;
(4)
The desired results or benefits are being achieved;
(5)
Financial and other reports are being provided that disclose fairly, accurately, and fully all
information required by law, to ascertain the nature and scope of programs and activities, and to
establish a proper basis for evaluating the programs and activities including the collection of,
accounting for, and depositing of, revenues and other resources;
(6)
Management has established adequate operating and administrative procedures and practices,
systems or accounting internal control systems, and internal management controls; and
(7)
Indications of fraud, abuse, or illegal acts are valid and need further investigation.
(h)
All officers and employees of DeKalb County shall furnish to the auditor unrestricted access to
employees, information, and records including electronic data within their custody regarding powers,
duties, activities, organization, property, financial transactions, contracts, and methods of business
required to conduct an audit or otherwise perform audit duties. In addition, they shall provide access
for the auditor to inspect all property, equipment, and facilities within their custody. If such officers or
employees fail to provide or produce such access and information, the auditor may initiate a search to
be made and exhibits to be taken from any book, paper, or record of any such official or employee or
outside contractor or subcontractor, except as governed by statute. Further, all contracts with outside
contractors and subcontractors shall contain a "right-to-audit" clause and provide for auditor access to
the contractors' employees and to all financial and performance related records, property, and
equipment purchased in whole or in part with governmental funds. For the purpose of this subsection,
the auditor shall have the authority to issue subpoenas and may apply to the Superior Court of DeKalb
County for the enforcement of any subpoena issued by the auditor.
(i)
The auditor may obtain the services of certified public accountants, qualified management consultants,
or other professional experts necessary to perform audit work. An audit that is performed by contract
must be conducted by persons who have no financial interests in the affairs of the governmental entity
or its officers. The auditor shall coordinate and monitor auditing performed by certified public
accounting firms or other organizations employed under contract by the governing authority to assist
with audit related activities. Contracting for the external audit will follow the normal contracting
processes of the governing authority of DeKalb County except for the participation and oversight by
the audit oversight committee and auditor. The selection of a certified public accounting firm for the
annual financial audit must be approved by the commission.
(j)
(1) Audits shall be conducted in accordance with recognized government auditing standards.
(2)
At the beginning of each fiscal year, the auditor shall submit a one- to five-year audit schedule
to the audit oversight committee and the commission for review and comment. The schedule shall
include the proposed plan, and the rationale for the selections, for auditing departments, offices,
boards, activities, programs, policies, contractors, subcontractors, and agencies for the period.
This schedule may be amended after review with the audit oversight committee and the
commission, but the auditor shall have final authority to select the audits planned.
(3)
In the selection of audit areas and audit objectives, the determination of audit scope and the
timing of audit work, the auditor shall consult with federal and state auditors and external auditors
so that the desirable audit coverage is provided and audit efforts are properly coordinated.
(4)
A final draft of the audit report shall be forwarded to the audit oversight committee, the chief
executive, the commission, and the audited agency for review and comment regarding factual
content prior to its release. The agency shall respond in writing, specifying the agreement with
audit findings and recommendations or reasons for disagreement with findings and
recommendations, plans for implementing solutions to issues identified, and a timetable to
complete such activities. The response shall be forwarded to the auditor within sixty (60) days.
The auditor shall review and report on information included in the agency's response. If no
response is received, the auditor shall note that fact in the transmittal letter and shall release the
audit report.
(5)
Each audit shall result in a final report, in written or some other retrievable form. The report shall
contain relevant background information and findings and recommendations and shall
communicate results to the audit oversight committee, the audited agency, and the governing
authority.
(6)
The auditor shall submit an annual report to the audit oversight committee, chief executive, and
the commission indicating audits completed, major findings, corrective actions taken by
administrative managers, and significant issues which have not been fully addressed by
management. The annual report, in written or some other retrievable form, shall be made
available to the public through the county website within ten (10) days of submission to the
commission.
(k)
If, during an audit, the auditor becomes aware of abuse or illegal acts or indications of such acts that
could affect the governmental entity, the auditor shall report the irregularities to the audit oversight
committee, the chief executive, and the commission. If a member of the governing authority is believed
to be a party to abuse or illegal acts, the auditor shall report the acts directly to the audit oversight
committee, the chief executive, and the commission. If it appears that the irregularity is criminal in
nature, the auditor shall notify the district attorney in addition to those officials previously identified in
this subsection.
(l) The auditor shall follow up on audit recommendations to determine if corrective action has been taken.
The auditor shall request periodic status reports from audited agencies regarding actions taken to
address reported deficiencies and audit recommendations.
(m)
(1) The audit activities of the office of internal audit shall be subject to a peer review in accordance
with applicable government auditing standards by a professional, nonpartisan objective group
utilizing guidelines endorsed by the Association of Local Government Auditors (ALGA).
(2)
The peer review shall use applicable government auditing standards to evaluate the quality of
audit effort and reporting. Specific quality review areas shall include staff qualifications, adequacy
of planning and supervision, sufficiency of work paper preparation and evidence, and the
adequacy of systems for reviewing internal controls, fraud and abuse, program compliance, and
automated systems. The peer review shall also assess the content, presentation, form, timelines,
and distribution of audit reports. The commission shall pay for the costs of the peer review.
(3)
A copy of the written report of such independent review shall be furnished to each member of
the governing authority and to the audit oversight committee.
(n)
(1)
To ensure independence of the audit function, an audit oversight committee is hereby
established. The audit oversight committee shall consist of five (5) voting members.
(2)
All members of the audit oversight committee shall:
a.
Be residents of DeKalb County;
b.
Have expertise in performance auditing; and
c.
Have a minimum of five (5) years' experience as a certified public accountant, a certified
internal auditor, a certified performance auditor, a certified management accountant, or ten
(10) years of other relevant professional experience.
(3)
Not later than October 31, 2015, the members of the audit oversight committee shall be selected
as follows:
a.
One (1) member shall be appointed by the chairperson of the DeKalb County delegation in
the Georgia House of Representatives;
b.
One (1) member shall be appointed by the chairperson of the DeKalb County delegation in
the Georgia Senate;
c.
One (1) member shall be appointed by the Chief Executive of DeKalb County; and
d.
Two (2) members shall be appointed by the commission.
(4)
The members shall serve for terms of five (5) years; provided, however, that the initial term of
the first appointee of the commission shall be one (1) year and until his or her respective
successor is appointed and qualified; the initial term of the appointee of the chairperson of the
DeKalb County delegation in the Georgia House of Representatives shall be two (2) years and
until his or her respective successor is appointed and qualified; the initial term of the appointee of
the chief executive shall be three (3) years and until his or her respective successor is appointed
and qualified; the initial term of the second appointee of the commission shall be four (4) years
and until his or her respective successor is appointed and qualified; and the initial term of the
appointee of the chairperson of the DeKalb County delegation in the Georgia Senate shall be five
(5) years and until his or her respective successor is appointed and qualified.
(5)
Successors to all members of the audit oversight committee and future successors shall be
appointed by the respective appointing authorities not less than thirty (30) days prior to the
expiration of each such member's term of office, and such successors shall take office on January
1 following such appointment and shall serve terms of five (5) years and until their respective
successors are appointed and qualified.
(6)
If a member of the audit oversight committee ceases to be a resident of DeKalb County, that
member's position on the board, by operation of law, shall become vacant upon the establishment
of the fact of such nonresidency, if contested, by a court of competent jurisdiction. A vacancy on
the audit oversight committee shall exist by reason of death, resignation, incapacity to serve for
ninety (90) days or longer, or loss of residency as described in this subsection. A member of the
audit oversight committee may also be removed from office during a term if the member becomes
ineligible to hold civil office within the meaning of O.C.G.A. § 45-2-1 of the O.C.G.A. and that
ineligibility is established by decision of a court of competent jurisdiction which declares the office
vacant because of such ineligibility or by a vote of two-thirds (2/3) of the members of the
legislative delegation. A vacancy shall be filled within sixty (60) days by the legislative delegation
for the remainder of the unexpired term.
(7)
The members of the audit oversight committee shall elect from their own membership a
chairperson and otherwise provide for their own internal organization.
(8)
The audit oversight committee shall consult with the auditor regarding technical issues and work
to assure maximum coordination between the work of the auditor's office and external audit
efforts.
(9)
The audit oversight committee shall meet as needed to perform its duties but shall not meet less
than once quarterly and shall be responsible for:
a.
Selecting not fewer than two (2) nor more than three (3) nominees for the position of auditor
who meet the requirements outlined in subsection (e) of this section which shall be submitted
to the commission for selection and appointment of one (1) of the nominees to the position
of auditor;
b.
Performing regular evaluations of the DeKalb County audit function;
c.
Providing suggestions and comments for the annual audit plan;
d.
Ensuring that audit reports are transmitted to the governing authority and to the public;
e.
Monitoring follow-up on reported findings to assure corrective action is taken by
management;
f.
Reporting to the governing authority on problems or problem areas at such times as deemed
appropriate;
g.
Conducting or overseeing the requests for proposal and selection process for the firm
conducting the annual financial statement audits, and ranking and recommending in order
of preference no fewer than three (3) firms deemed to be the most highly qualified to perform
the required services. If fewer than three (3) firms respond to the request for proposal, the
audit oversight committee shall recommend such firms as it deems to be the most highly
qualified;
h.
Evaluating the firm providing annual financial statement auditing services and providing
oversight of that audit, including ensuring transmission of reports and follow-up on corrective
action by management;
i.
Evaluating the findings and recommendations of the peer review as required by recognized
government auditing standards;
j.
Consulting with the auditor regarding technical issues with the external audit firm and working
to assure maximum coordination between the work of the office of internal audit and
contracted audit efforts and other consulting engagements;
k.
Maintaining the confidentiality of personnel matters while taking responsibility for appropriate
disclosure to the governing authority, the legislature, or to the public; and
l.
Annually meeting with members of the commission to discuss controls, systems and risk, and
performance of the audit firm, and to discuss other matters that the audit firm, the auditor, or
staff desires or is required to bring to the commission's attention such as fraud, illegal acts,
and financial and control weaknesses.
(10)
The audit oversight committee shall have the authority to hire outside experts, including legal
counsel, when necessary.
(11)
The audit oversight committee shall have the authority to propose the budget of the office of
internal audit, including the auditor's salary and staffing, and shall then recommend the budget to
the commission for approval, who shall fund it as a priority.
(12)
Sufficient resources as requested by the audit oversight committee shall be provided by the
commission to enable the audit oversight committee to carry out its responsibilities.
(o)
The provisions of this section are severable, and if any of its provisions shall be held
unconstitutional or invalid by a court of competent jurisdiction, the decision of the court shall not affect or
impair any of the remaining provisions.
(Acts 1915, p. 3826, § 2)
Appendix C
Office of Independent Internal Audit
Audit Function
Procedures Manual
THE OPEN RECORDS ACT 50-18-70
50-18-70.
(a)
The General Assembly finds and declares that the strong public policy of this state is in
favor of open government; that open government is essential to a free, open, and
democratic society; and that public access to public records should be encouraged to foster
confidence in government and so that the public can evaluate the expenditure of public
funds and the efficient and proper functioning of its institutions. The General Assembly
further finds and declares that there is a strong presumption that public records should be
made available for public inspection without delay. This article shall be broadly construed
to allow the inspection of governmental records. The exceptions set forth in this article,
together with any other exception located elsewhere in the Code, shall be interpreted
narrowly to exclude only those portions of records addressed by such exception.
(b)
As used in this article, the term:
(1)
'Agency' shall have the same meaning as in Code Section 50-14-1 and shall
additionally include any association, corporation, or other similar organization that has a
membership or ownership body composed primarily of counties, municipal
corporations, or school districts of this state, their officers, or any combination thereof
and derives more than 33 1/3 percent of its general operating budget from payments
from such political subdivisions.
(2)
'Public record' means all documents, papers, letters, maps, books, tapes,
photographs, computer based or generated information, data, data fields, or similar
material prepared and maintained or received by an agency or by a private person
or entity in the performance of a service or function for or on behalf of an agency
or when such documents have been transferred to a private person or entity by an
agency for storage or future governmental use.
50-18-71.
(a)
All public records shall be open for personal inspection and copying, except those
which by order of a court of this state or by law are specifically exempted from disclosure.
Records shall be maintained by agencies to the extent and in the manner required by Article
5 of this chapter.
(b)(1)(A) Agencies shall produce for inspection all records responsive to a request within a
reasonable amount of time not to exceed three business days of receipt of a request;
provided, however, that nothing in this chapter shall require agencies to produce
records in response to a request if such records did not exist at the time of the request.
In those instances where some, but not all, records are available within three business
days, an agency shall make available within that period those records that can be
located and produced. In any instance where records are unavailable within three
business days of receipt of the request, and responsive records exist, the agency shall,
within such time period, provide the requester with a description of such records and a
timeline for when the records will be available for inspection or copying and provide
the responsive records or access thereto as soon as practicable.
(B)
A request made pursuant to this article may be made to the custodian of a public
record orally or in writing. An agency may, but shall not be obligated to, require that
all written requests be made upon the responder's choice of one of the following: the
agency's director, chairperson, or chief executive officer, however denominated; the
senior official at any satellite office of an agency; a clerk specifically designated by an
agency as the custodian of agency records; or a duly designated open records officer of
an agency; provided, however, that the absence or unavailability of the designated
agency officer or employee shall not be permitted to delay the agency's response. At
the time of inspection, any person may make photographic copies or other electronic
reproductions of the records using suitable portable devices brought to the place of
inspection. Notwithstanding any other provision of this chapter, an agency may, in its
discretion, provide copies of a record in lieu of providing access to the record when
portions of the record contain confidential information that must be redacted.
(2)
Any agency that designates one or more open records officers upon whom
requests for inspection or copying of records may be delivered shall make such
designation in writing and shall immediately provide notice to any person upon request,
orally or in writing, of those open records officers. If the agency has elected to
designate an open records officer, the agency shall so notify the legal organ of the
county in which the agency's principal offices reside and, if the agency has a website,
shall also prominently display such designation on the agency's website. In the event
an agency requires that requests be made upon the individuals identified in
subparagraph (B) of paragraph (1) of this subsection, the three-day period for response
to a written request shall not begin to run until the request is made in writing upon such
individuals. An agency shall permit receipt of written requests by e-mail or facsimile
transmission in addition to any other methods of transmission approved by the agency,
provided such agency uses e-mail or facsimile in the normal course of its business.
(3)
The enforcement provisions of Code Sections 50-18-73 and 50-18-74 shall be
available only to enforce compliance and punish noncompliance when a written
request is made consistent with this subsection and shall not be available when such
request is made orally.
(c)(1) An agency may impose a reasonable charge for the search, retrieval, redaction, and
production or copying costs for the production of records pursuant to this article. An
agency shall utilize the most economical means reasonably calculated to identify and
produce responsive, nonexcluded documents. Where fees for certified copies or other
copies or records are specifically authorized or otherwise prescribed by law, such specific
fee shall apply when certified copies or other records to which a specific fee may apply are
sought. In all other instances, the charge for the search, retrieval, or redaction of records
shall not exceed the prorated hourly salary of the lowest paid full-time employee who, in
the reasonable discretion of the custodian of the records, has the necessary skill and
training to perform the request; provided, however, that no charge shall be made for the
first quarter hour.
(2)
In addition to a charge for the search, retrieval, or redaction of records, an agency
may charge a fee for the copying of records or data, not to exceed 10¢ per page for letter
or legal size documents or, in the case of other documents, the actual cost of producing
the copy. In the case of electronic records, the agency may charge the actual cost of the
media on which the records or data are produced.
(3)
Whenever any person has requested to inspect or copy a public record and does not
pay the cost for search, retrieval, redaction, or copying of such records when such
charges have been lawfully estimated and agreed to pursuant to this article, and the
agency has incurred the agreed-upon costs to make the records available, regardless of
whether the requester inspects or accepts copies of the records, the agency shall be
authorized to collect such charges in any manner authorized by law for the collection of
taxes, fees, or assessments by such agency.
(d)
In any instance in which an agency is required to or has decided to withhold all or part of
a requested record, the agency shall notify the requester of the specific legal authority exempting
the requested record or records from disclosure by Code section, subsection, and
paragraph within a reasonable amount of time not to exceed three business days or in the event the
search and retrieval of records is delayed pursuant to this paragraph or pursuant to subparagraph
(b)(1)(A) of this Code section, then no later than three business days after the records have been
retrieved.
In any instance in which an agency will seek costs in excess of $25.00 for responding to a
request, the agency shall notify the requester within a reasonable amount of time not to exceed
three business days and inform the requester of the estimate of the costs, and the agency may
defer search and retrieval of the records until the requester agrees to pay the estimated costs
unless the requester has stated in his or her request a willingness to pay an amount that
exceeds the search and retrieval costs. In any instance in which the estimated costs for
production of the records exceeds $500.00, an agency may insist on prepayment of the costs
prior to beginning search, retrieval, review, or production of the records. Whenever any
person who has requested to inspect or copy a public record has not paid the cost for search,
retrieval, redaction, or copying of such records when such charges have been lawfully
incurred, an agency may require prepayment for compliance with all future requests for
production of records from that person until the costs for the prior production of records have
been paid or the dispute regarding payment resolved.
(e)
Requests by civil litigants for records that are sought as part of or for use in any ongoing
civil or administrative litigation against an agency shall be made in writing and copied to
counsel of record for that agency contemporaneously with their submission to that agency.
The agency shall provide, at no cost, duplicate sets of all records produced in response to the
request to counsel of record for that agency unless the counsel of record for that agency
elects not to receive the records.
(f)
As provided in this subsection, an agency's use of electronic record-keeping systems
must not erode the public's right of access to records under this article. Agencies shall
produce electronic copies of or, if the requester prefers, printouts of electronic records or
data from data base fields that the agency maintains using the computer programs that the
agency has in its possession. An agency shall not refuse to produce such electronic
records, data, or data fields on the grounds that exporting data or redaction of exempted
information will require inputting range, search, filter, report parameters, or similar
commands or instructions into an agency's computer system so long as such commands or
instructions can be executed using existing computer programs that the agency uses in the
ordinary course of business to access, support, or otherwise manage the records or data. A
requester may request that electronic records, data, or data fields be produced in the format in
which such data or electronic records are kept by the agency, or in a standard export format such as
a flat file electronic American Standard Code for Information Interchange (ASCII) format, if the
agency's existing computer programs support such an export format. In such instance, the data or
electronic records shall be downloaded in such format onto suitable electronic media by the agency.
(g)
Requests to inspect or copy electronic messages, whether in the form of e-mail, text
message, or other format, should contain information about the messages that is
reasonably calculated to allow the recipient of the request to locate the messages sought,
including, if known, the name, title, or office of the specific person or persons whose
electronic messages are sought and, to the extent possible, the specific data bases to be
searched for such messages.
(h)
In lieu of providing separate printouts or copies of records or data, an agency may
provide access to records through a website accessible by the public. However, if an
agency receives a request for data fields, an agency shall not refuse to provide the
responsive data on the grounds that the data is available in whole or in its constituent parts through
a website if the requester seeks the data in the electronic format in which it is kept. Additionally, if
an agency contracts with a private vendor to collect or maintain public records, the agency shall
ensure that the arrangement does not limit public access to those records and that the vendor does
not impede public record access and method of delivery as established by the agency or as
otherwise provided for in this Code section.
(i)
Any computerized index of county real estate deed records shall be printed for purposes
of public inspection no less than every 30 days, and any correction made on such index
shall be made a part of the printout and shall reflect the time and date that such index
was corrected.
(j)
No public officer or agency shall be required to prepare new reports,
summaries, or compilations not in existence at the time of the request.
50-18-72.
(a) Public disclosure shall not be required for records that are:
(1)
Specifically required by federal statute or regulation to be kept confidential;
(2) Medical or veterinary records and similar files, the disclosure of which would
be an invasion of personal privacy;
(3)
Except as otherwise provided by law, records compiled for law enforcement or
prosecution purposes to the extent that production of such records is reasonably
likely to disclose the identity of a confidential source, disclose confidential
investigative or prosecution material which would endanger the life or physical
safety of any person or persons, or disclose the existence of a confidential
surveillance or investigation;
(4)
Records of law enforcement, prosecution, or regulatory agencies in any pending
investigation or prosecution of criminal or unlawful activity, other than initial police
arrest reports and initial incident reports; provided, however, that an investigation or
prosecution shall no longer be deemed to be pending when all direct litigation involving
such investigation and prosecution has become final or otherwise terminated; and
provided, further, that this paragraph shall not apply to records in the possession of an
agency that is the subject of the pending investigation or prosecution;
(5)
Individual Georgia Uniform Motor Vehicle Accident Reports, except upon the
submission of a written statement of need by the requesting party to be provided to the
custodian of records and to set forth the need for the report pursuant to this Code
section; provided, however, that any person or entity whose name or identifying
information is contained in a Georgia Uniform Motor Vehicle Accident Report shall be
entitled, either personally or through a lawyer or other representative, to receive a copy
of such report; and provided, further, that Georgia Uniform Motor Vehicle Accident
Reports shall not be available in bulk for inspection or copying by any person absent a
written statement showing the need for each such report pursuant to the requirements
of this Code section. For the purposes of this subsection, the term 'need' means that the
natural person or legal entity who is requesting in person or by representative to inspect
or copy the Georgia Uniform Motor Vehicle Accident Report:
(A)
Has a personal, professional, or business connection with a party to the
accident;
(B) Owns or leases an interest in property allegedly or actually damaged in
the accident;
(C)
Was allegedly or actually injured by the accident;
(D) Was a witness to the accident;
(E) Is the actual or alleged insurer of a party to the accident or of property
actually or allegedly damaged by the accident;
(F) Is a prosecutor or a publicly employed law enforcement officer;
(G)
Is alleged to be liable to another party as a result of the accident;
(H)
Is an attorney stating that he or she needs the requested reports as part of a
criminal case, or an investigation of a potential claim involving contentions that a
roadway, railroad crossing, or intersection is unsafe;
(I)
Is gathering information as a representative of a news media organization;
(J)
Is conducting research in the public interest for such purposes as accident
prevention, prevention of injuries or damages in accidents, determination of fault in
an accident or accidents, or other similar purposes; provided, however, that
this subparagraph shall apply only to accident reports on accidents that occurred
more than 30 days prior to the request and which shall have the name, street
address, telephone number, and driver's license number redacted; or
(K) Is a governmental official, entity, or agency, or an authorized agent thereof,
requesting reports for the purpose of carrying out governmental functions or
legitimate governmental duties;
(6) Jury list data, including, but not limited to, persons' names, dates of birth, addresses,
ages, race, gender, telephone numbers, social security numbers, and when it is available,
the person's ethnicity, and other confidential identifying information that is collected and
used by the Council of Superior Court Clerks of Georgia for creating, compiling, and
maintaining state-wide master jury lists and county master jury lists for the purpose of
establishing and maintaining county jury source lists pursuant to the provisions of
Chapter 12 of Title 15; provided, however, that when ordered by the judge of a court
having jurisdiction over a case in which a challenge to the array of the grand or trial jury
has been filed, the Council of Superior Court Clerks of Georgia or the clerk of the county
board of jury commissioners of any county shall provide data within the time limit
established by the court for the limited purpose of such challenge. Neither the Council of
Superior Court Clerks of Georgia nor the clerk of a county board of jury
commissioners shall be liable for any use or misuse of such data;
(7) Records consisting of confidential evaluations submitted to, or examinations
prepared by, a governmental agency and prepared in connection with the appointment or
hiring of a public officer or employee;
(8) Records consisting of material obtained in investigations related to the
suspension, firing, or investigation of complaints against public officers or employees
until ten days after the same has been presented to the agency or an officer for action
or the investigation is otherwise concluded or terminated, provided that this paragraph
shall not be interpreted to make such investigatory records privileged;
(9) Real estate appraisals, engineering or feasibility estimates, or other records
made for or by the state or a local agency relative to the acquisition of real property
until such time as the property has been acquired or the proposed transaction has been
terminated or abandoned;
(10) Pending, rejected, or deferred sealed bids or sealed proposals and detailed cost
estimates related thereto until such time as the final award of the contract is made, the
project is terminated or abandoned, or the agency in possession of the records takes a
public vote regarding the sealed bid or sealed proposal, whichever comes first;
(11)
Records which identify persons applying for or under consideration for employment
or appointment as executive head of an agency or of a unit of the University System of
Georgia; provided, however, that at least 14 calendar days prior to the meeting at which
final action or vote is to be taken on the position of executive head of an agency or five
business days prior to the meeting at which final action or vote is to be taken on the
position of president of a unit of the University System of Georgia, all documents
concerning as many as three persons under consideration whom the agency has
determined to be the best qualified for the position shall be subject to inspection and
copying. Prior to the release of these documents, an agency may allow such a person to
decline being considered further for the position rather than have documents pertaining
to such person released. In that event, the agency shall release the documents of the
next most qualified person under consideration who does not decline the position. If
an agency has conducted its hiring or appointment process without conducting
interviews or discussing or deliberating in executive session in a manner otherwise
consistent with Chapter 14 of this title, it shall not be required to delay final action on
the position. The agency shall not be required to release such records of other applicants
or persons under consideration, except at the request of any such person. Upon request, the
hiring agency shall furnish the number of applicants and the composition of the list by
such factors as race and sex. The agency shall not be allowed to avoid the provisions of
this paragraph by the employment of a private person or agency to assist with the search
or application process;
(12)
Related to the provision of staff services to individual members of the General
Assembly by the Legislative and Congressional Reapportionment Office, the Senate
Research Office, or the House Budget and Research Office, provided that this exception
shall not have any application to records related to the provision of staff services to any
committee or subcommittee or to any records which are or have been previously publicly
disclosed by or pursuant to the direction of an individual member of the General
Assembly;
(13)
Records that are of historical research value which are given or sold to public
archival institutions, public libraries, or libraries of a unit of the Board of Regents of the
University System of Georgia when the owner or donor of such records wishes to place
restrictions on access to the records. No restriction on access, however, may extend more
than 75 years from the date of donation or sale. This exemption shall not apply to any
records prepared in the course of the operation of state or local governments of the
State of Georgia;
(14) Records that contain information from the Department of Natural Resources
inventory and register relating to the location and character of a historic property or of
historic properties as those terms are defined in Code Sections 12-3-50.1 and 12-3-50.2
if the Department of Natural Resources through its Division of Historic
Preservation determines that disclosure will create a substantial risk of harm, theft, or
destruction to the property or properties or the area or place where the property
or properties are located;
(15) Records of farm water use by individual farms as determined by water-measuring
devices installed pursuant to Code Section 12-5-31 or 12-5-105; provided, however, that
compilations of such records for the 52 large watershed basins as identified by the
eight-digit United States Geologic Survey hydrologic code or an aquifer that do not reveal
farm water use by individual farms shall be subject to disclosure under this article;
(16)
Agricultural or food system records, data, or information that are considered by
the Department of Agriculture to be a part of the critical infrastructure, provided that
nothing in this paragraph shall prevent the release of such records, data, or information to
another state or federal agency if the release of such records, data, or information is
necessary to prevent or
control disease or to protect public health, safety, or welfare. As used in this paragraph,
the term 'critical infrastructure' shall have the same meaning as in 42 U.S.C. Section
5195e(e). Such records, data, or information shall be subject to disclosure only upon the
order of a court of competent jurisdiction;
(17)
Records, data, or information collected, recorded, or otherwise obtained that is
deemed confidential by the Department of Agriculture for the purposes of the national
animal identification system, provided that nothing in this paragraph shall prevent the
release of such records, data, or information to another state or federal agency if the
release of such records, data, or information is necessary to prevent or control disease or
to protect public health, safety, or welfare. As used in this paragraph, the term 'national
animal identification program' means a national program intended to identify animals and
track them as they come into contact with or commingle with animals other than
herdmates from their premises of origin. Such records, data, or information shall be
subject to disclosure only upon the order of a court of competent jurisdiction;
(18) Records that contain site-specific information regarding the occurrence of rare
species of plants or animals or the location of sensitive natural habitats on public or
private property if the Department of Natural Resources determines that disclosure will
create a substantial risk of harm, theft, or destruction to the species or habitats or the
area or place where the species or habitats are located; provided, however, that the
owner or owners of private property upon which rare species of plants or animals occur
or upon which sensitive natural habitats are located shall be entitled to such information
pursuant to this article;
(19) Records that reveal the names, home addresses, telephone numbers, security
codes, e-mail addresses, or any other data or information developed, collected, or
received by counties or municipalities in connection with neighborhood watch or public
safety notification programs or with the installation, servicing, maintaining, operating,
selling, or leasing of burglar alarm systems, fire alarm systems, or other electronic
security systems; provided, however, that initial police reports and initial incident reports
shall remain subject to disclosure pursuant to paragraph (4) of this subsection;
(20)(A) Records that reveal an individual's social security number, mother's birth name,
credit card information, debit card information, bank account information, account
number, utility account number, password used to access his or her account, financial
data or information, insurance or medical information in all records, unlisted telephone
number if so designated in a public record, personal e-mail address or cellular
telephone number, day and month of birth, and information regarding public utility,
television, Internet, or telephone accounts held by private customers, provided that
nonitemized bills showing amounts owed and amounts paid shall be available. Items
exempted by this subparagraph shall be redacted prior to disclosure of any record
requested pursuant to this article; provided, however, that such information shall not be
redacted from such records if the person or entity requesting such records requests
such information in a writing signed under oath by such person or a person legally
authorized to represent such entity which states that such person or entity is gathering
information as a representative of a news media organization for use in connection
with news gathering and reporting; and provided, further, that such access shall be
limited to social security numbers and day and month of birth; and provided, further,
that the news media organization exception in this subparagraph shall not apply to
paragraph (21) of this subsection.
(B)
This paragraph shall have no application to:
(i)
The disclosure of information contained in the records or papers of any court
or derived therefrom including without limitation records maintained
pursuant to Article 9 of Title 11;
(ii)
The disclosure of information to a court, prosecutor, or publicly employed
law enforcement officer, or authorized agent thereof, seeking records in an
official capacity;
(iii)
The disclosure of information to a public employee of this state, its
political subdivisions, or the United States who is obtaining such
information for administrative purposes, in which case, subject to applicable
laws of the United States, further access to such information shall continue to be
subject to the provisions of this paragraph;
(iv)
The disclosure of information as authorized by the order of a court of
competent jurisdiction upon good cause shown to have access to any or all of
such information upon such conditions as may be set forth in such order;
(v)
The disclosure of information to the individual in respect of whom such
information is maintained, with the authorization thereof, or to an authorized
agent thereof; provided, however, that the agency maintaining such information shall
require proper identification of such individual or such individual's agent, or proof of
authorization, as determined by such agency;
(vi)
The disclosure of the day and month of birth and mother's birth
name of a deceased individual;
(vii)
The disclosure by an agency of credit or payment information in
connection with a request by a consumer reporting agency as that term is
defined under the federal Fair Credit Reporting Act (15 U.S.C. Section 1681,
et seq.);
(viii)
The disclosure by an agency of information in its records in connection with
the agency's discharging or fulfilling of its duties and responsibilities, including,
but not limited to, the collection of debts owed to the agency or individuals or
entities whom the agency assists in the collection of debts owed to the individual
or entity;
(ix)
The disclosure of information necessary to comply with legal or
regulatory requirements or for legitimate law enforcement purposes; or
(x)
The disclosure of the date of birth within criminal records.
(C)
Records and information disseminated pursuant to this paragraph may be used
only by the authorized recipient and only for the authorized purpose. Any person
who obtains records or information pursuant to the provisions of this paragraph and
knowingly and willfully discloses, distributes, or sells such records or information to
an unauthorized recipient or for an unauthorized purpose shall be guilty of a
misdemeanor of a high and aggravated nature and upon conviction thereof shall be
punished as provided in Code Section 17-10-4. Any person injured thereby shall have
a cause of action for invasion of privacy.
(D)
In the event that the custodian of public records protected by this
paragraph has good faith reason to believe that a pending request for such
records has been made fraudulently, under false pretenses, or by means of false
swearing, such custodian shall apply to the superior court of the county in which
such records are maintained for a protective order limiting or prohibiting access
to such records.
(E)
This paragraph shall supplement and shall not supplant, overrule, replace, or
otherwise modify or supersede any provision of statute, regulation, or law of the
federal government or of this state as now or hereafter amended or enacted
requiring, restricting, or prohibiting access to the information identified in subparagraph (A)
of this paragraph and shall constitute only a regulation of the methods of such access where
not otherwise provided for, restricted, or prohibited;
(21)
Records concerning public employees that reveal the public employee's home
address, home telephone number, day and month of birth, social security number,
insurance or medical information, mother's birth name, credit card information, debit
card information, bank account information, account number, utility account
number, password used to access his or her account, financial data or information other
than compensation by a government agency, unlisted telephone number if so
designated in a public record, and the identity of the public employee's immediate
family members or dependents. This paragraph shall not apply to public records that do
not specifically identify public employees or their jobs, titles, or offices. For the
purposes of this paragraph, the term 'public employee' means any officer, employee, or
former employee of:
(A)
The State of Georgia or its agencies, departments, or commissions;
(B) Any county or municipality or its agencies, departments, or commissions;
(C)
Other political subdivisions of this state;
(D)
Teachers in public and charter schools and nonpublic schools; or
(E) Early care and education programs administered through the Department of
Early Care and Learning;
(22)
Records of the Department of Early Care and Learning that contain the:
(A)
Names of children and day and month of each child's birth;
(B) Names, addresses, telephone numbers, or e-mail addresses of
parents, immediate family members, and emergency contact persons; or
(C)
Names or other identifying information of individuals who report violations to
the department;
(23)
Public records containing information that would disclose or might lead to the disclosure
of any component in the process used to execute or adopt an electronic signature, if such
disclosure would or might cause the electronic signature to cease being under the sole control
of the person using it. For purposes of this paragraph, the term 'electronic signature' has the
same meaning as that term is defined in Code Section 10-12-2;
(24)
Records acquired by an agency for the purpose of establishing or implementing, or
assisting in the establishment or implementation of, a carpooling or ridesharing program, including,
but not limited to, the formation of carpools, vanpools, or bus pools, the provision of transit
routes, rideshare research, and the development of other demand management strategies such
as variable working hours and telecommuting;
(25)(A) Records the disclosure of which would compromise security against sabotage
or criminal or terrorist acts and the nondisclosure of which is necessary for the
protection of life, safety, or public property, which shall be limited to the
following:
(i)
Security plans and vulnerability assessments for any public utility,
technology infrastructure, building, facility, function, or activity in effect at
the time of the request for disclosure or pertaining to a plan or assessment in
effect at such time;
(ii)
Any plan for protection against terrorist or other attacks that depends for
its effectiveness in whole or in part upon a lack of general public knowledge
of its details;
(iii)
Any document relating to the existence, nature, location, or function of
security devices designed to protect against terrorist or other attacks that
depend for their effectiveness in whole or in part upon a lack of general public
knowledge;
(iv)
Any plan, blueprint, or other material which if made public could
compromise security against sabotage, criminal, or terroristic acts; and
(v)
Records of any government sponsored programs concerning training
relative to governmental security measures which would identify persons being
trained or instructors or would reveal information described in divisions (i)
through (iv) of this subparagraph.
(B) In the event of litigation challenging nondisclosure pursuant to this paragraph
by an agency of a document covered by this paragraph, the court may review
the documents in question in camera and may condition, in writing, any disclosure
upon such measures as the court may find to be necessary to protect against
endangerment of life, safety, or public property.
(C)
As used in division (i) of subparagraph (A) of this paragraph, the term
'activity' means deployment or surveillance strategies, actions mandated
by changes in the federal threat level, motorcades, contingency plans, proposed or
alternative motorcade routes, executive and dignitary protection, planned responses to
criminal or terrorist actions, after-action reports still in use, proposed or actual plans and
responses to bioterrorism, and proposed or actual plans and responses to requesting and
receiving the National Pharmacy Stockpile;
(26)
Unless the request is made by the accused in a criminal case or by his or her
attorney, public records of an emergency 9-1-1 system, as defined in paragraph (3) of Code
Section 46-5-122, containing information which would reveal the name, address, or
telephone number of a person placing a call to a public safety answering point. Such
information may be redacted from such records if necessary to prevent the disclosure of
the identity of a confidential source, to prevent disclosure of material which would
endanger the life or physical safety of any person or persons, or to prevent the disclosure of
the existence of a confidential surveillance or investigation;
(27)
Records of athletic or recreational programs, available through the state or a
political subdivision of the state, that include information identifying a child or children
12 years of age or under by name, address, telephone number, or emergency contact,
unless such identifying information has been redacted;
(28)
Records of the State Road and Tollway Authority which would reveal the
financial accounts or travel history of any individual who is a motorist upon any toll
project;
(29)
Records maintained by public postsecondary educational institutions in this state and
associated foundations of such institutions that contain personal information
concerning donors or potential donors to such institutions or foundations; provided,
however, that the name of any donor and the amount of donation made by such donor
shall be subject to disclosure if such donor or any entity in which such donor has a
substantial interest transacts business with the public postsecondary educational
institution to which the donation is made within three years of the date of such donation. As
used in this paragraph, the term 'transact business' means to sell or lease any personal
property, real property, or services on behalf of oneself or on behalf of any third party as an
agent, broker, dealer, or representative in an amount in excess of $10,000.00 in the
aggregate in a calendar year; and the term 'substantial interest' means the direct or indirect
ownership of more than 25 percent of the assets or stock of an entity;
(30)
Records of the Metropolitan Atlanta Rapid Transit Authority or of any other
transit system that is connected to that system's TransCard, SmartCard, or successor or
similar system which would reveal the financial records or travel history of any
individual who is a purchaser of a TransCard, SmartCard, or successor or similar fare medium. Such financial
records shall include, but not be limited to, social security number, home address, home
telephone number, e-mail address, credit or debit card information, and bank account
information but shall not include the user's name;
(31)
Building mapping information produced and maintained pursuant to Article
10 of Chapter 3 of Title 38;
(32)
Notwithstanding the provisions of paragraph (4) of this subsection, any physical
evidence or investigatory materials that are evidence of an alleged violation of Part 2 of
Article 3 of Chapter 12 of Title 16 and are in the possession, custody, or control of law
enforcement, prosecution, or regulatory agencies;
(33)
Records that are expressly exempt from public inspection pursuant to Code Sections
47-1-14 and 47-7-127;
(34)
Any trade secrets obtained from a person or business entity that are required by
law, regulation, bid, or request for proposal to be submitted to an agency. An entity
submitting records containing trade secrets that wishes to keep such records confidential
under this paragraph shall submit and attach to the records an affidavit affirmatively
declaring that specific information in the records constitute trade secrets pursuant to
Article 27 of Chapter 1 of Title 10. If such entity attaches such an affidavit, before
producing such records in response to a request under this article, the agency shall notify
the entity of its intention to produce such records as set forth in this paragraph. If the
agency makes a determination that the specifically identified information does not in
fact constitute a trade secret, it shall notify the entity submitting the affidavit of its intent
to disclose the information within ten days unless prohibited from doing so by an
appropriate court order. In the event the entity wishes to prevent disclosure of the
requested records, the entity may file an action in superior court to obtain an order that
the requested records are trade secrets exempt from disclosure. The entity filing such
action shall serve the requestor with a copy of its court filing. If the agency makes a
determination that the specifically identified information does constitute a trade secret,
the agency shall withhold the records, and the requester may file an action in superior
court to obtain an order that the requested records are not trade secrets and are subject
to disclosure;
(35)
Data, records, or information of a proprietary nature, produced or collected by or
for faculty or staff of state institutions of higher learning, or other governmental agencies, in the
conduct of, or as a result of, study or research on commercial, scientific, technical, or
scholarly issues, whether sponsored by the institution alone or in conjunction with a
governmental body or private concern, where such data, records, or information has not been
publicly released, published, copyrighted, or patented;
(36)
Any data, records, or information developed, collected, or received by or on
behalf of faculty, staff, employees, or students of an institution of higher education or any
public or private entity supporting or participating in the activities of an institution of
higher education in the conduct of, or as a result of, study or research on medical,
scientific, technical, scholarly, or artistic issues, whether sponsored by the institution
alone or in conjunction with a governmental body or private entity, until such
information is published, patented, otherwise publicly disseminated, or released to an
agency whereupon the request must be made to the agency. This paragraph shall apply
to, but shall not be limited to, information provided by participants in research, research
notes and data, discoveries, research projects, methodologies, protocols, and creative
works;
(37)
Any record that would not be subject to disclosure, or the disclosure of which
would jeopardize the receipt of federal funds, under 20 U.S.C. Section 1232g
or its implementing regulations;
(38)
Unless otherwise provided by law, records consisting of questions, scoring keys,
and other materials constituting a test that derives value from being unknown to the test
taker prior to administration which is to be administered by an agency, including, but not
limited to, any public school, any unit of the Board of Regents of the University System of
Georgia, any public technical school, the State Board of Education, the Office of Student
Achievement, the Professional Standards Commission, or a local school system, if
reasonable measures are taken by the owner of the test to protect security and
confidentiality; provided, however, that the State Board of Education may establish
procedures whereby a person may view, but not copy, such records if viewing will not, in
the judgment of the board, affect the result of administration of such test. These
limitations shall not be interpreted by any court of law to include or otherwise exempt
from inspection the records of any athletic association or other nonprofit entity promoting
intercollegiate athletics;
(39) Records disclosing the identity or personally identifiable information of any person
participating in research on commercial, scientific, technical, medical, scholarly, or
artistic issues conducted by the Department of Community Health, the Department of
Public Health, the Department of Behavioral Health and Developmental Disabilities, or
a state institution of higher education whether sponsored by the institution alone or in
conjunction with a governmental body or private entity;
(40) Any permanent records maintained by a judge of the probate court pursuant to
Code Section 16-11-129, relating to weapons carry licenses, or pursuant to any
other requirement for maintaining records relative to the possession of firearms,
except to the extent that such records relating to licensing and possession of firearms
are sought by law enforcement agencies as provided by law;
(41) Records containing communications subject to the attorney-client privilege
recognized by state law; provided, however, that this paragraph shall not apply to the
factual findings, but shall apply to the legal conclusions, of an attorney conducting an
investigation on behalf of an agency so long as such investigation does not pertain to
pending or potential litigation, settlement, claims, administrative proceedings, or other
judicial actions brought or to be brought by or against the agency or any officer or
employee; and provided, further, that such investigations conducted by hospital
authorities to ensure compliance with federal or state law, regulations, or
reimbursement policies shall be exempt from disclosure if such investigations are
otherwise subject to the attorney-client privilege. Attorney-client communications,
however, may be obtained in a proceeding under Code Section 50-18-73 to prove
justification or lack thereof in refusing disclosure of documents under this Code section
provided the judge of the court in which such proceeding is pending shall first determine
by an in camera examination that such disclosure would be relevant on that issue. In
addition, when an agency withholds information subject to this paragraph, any
party authorized to bring a proceeding under Code Section 50-18-73 may request that
the judge of the court in which such proceeding is pending determine by an in camera
examination whether such information was properly withheld;
(42) Confidential attorney work product; provided, however, that this paragraph shall
not apply to the factual findings, but shall apply to the legal conclusions, of an attorney
conducting an investigation on behalf of an agency so long as such investigation does not
pertain to pending or potential litigation, settlement, claims, administrative proceedings,
or other judicial actions brought or to be brought by or against the agency or any officer or
employee; and provided, further, that such investigations conducted by hospital authorities to
ensure compliance with federal or state law, regulations, or reimbursement policies shall be
exempt from disclosure if such investigations are otherwise subject to confidentiality as
attorney work product. In addition, when an agency withholds information subject to this
paragraph, any party authorized to bring a proceeding under Code Section 50-18-73 may request
that the judge of the court in which such proceeding is pending determine by an in camera
examination whether such information was properly withheld;
(43) Records containing tax matters or tax information that is confidential under
state or federal law;
(44) Records consisting of any computer program or computer software used or
maintained in the course of operation of a public office or agency; provided, however, that
data generated, kept, or received by an agency shall be subject to inspection and copying
as provided in this article;
(45) Records pertaining to the rating plans, rating systems, underwriting rules,
surveys, inspections, statistical plans, or similar proprietary information used to
provide or administer liability insurance or self-insurance coverage to any agency;
(46) Documents maintained by the Department of Economic Development pertaining
to an economic development project until the economic development project is secured
by binding commitment, provided that any such documents shall be disclosed upon
proper request after a binding commitment has been secured or the project has been
terminated. No later than five business days after the Department of Economic
Development secures a binding commitment and the department has committed the use
of state funds from the OneGeorgia Authority or funds from Regional Economic Business
Assistance for the project pursuant to Code Section 50-8-8, or other provisions of law,
the Department of Economic Development shall give notice that a binding commitment
has been reached by posting on its website notice of the project in conjunction with
a copy of the Department of Economic Development's records documenting the
bidding commitment made in connection with the project and the negotiation relating
thereto and by publishing notice of the project and participating parties in the legal organ
of each county in which the economic development project is to be located. As used in
this paragraph, the term 'economic development project' means a plan or proposal to
locate a business, or to expand a business, that would involve an expenditure of more than $25
million by the business or the hiring of more than 50 employees by the business; or
(47) Records related to a training program operated under the authority of Article 3 of
Chapter 4 of Title 20 disclosing an economic development project prior to a binding
commitment having been secured, relating to job applicants, or identifying proprietary
hiring practices, training, skills, or other business methods and practices of a private
entity. As used in this paragraph, the term 'economic development project' means a plan
or proposal to locate a business, or to expand a business, that would involve an
expenditure of more than $25 million by the business or the hiring of more than 50
employees by the business.
(b) This Code section shall be interpreted narrowly so as to exclude from disclosure only
that portion of a public record to which an exclusion is directly applicable. It shall be the
duty of the agency having custody of a record to provide all other portions of a record for
public inspection or copying.
(c)(1) Notwithstanding any other provision of this article, an exhibit tendered to the court as
evidence in a criminal or civil trial shall not be open to public inspection without approval
of the judge assigned to the case.
(2) Except as provided in subsection (d) of this Code section, in the event inspection is
not approved by the court, in lieu of inspection of such an exhibit, the custodian of
such an exhibit shall, upon request, provide one or more of the following:
(A) A photograph;
(B) A photocopy;
(C) A facsimile; or
(D) Another reproduction.
(3) The provisions of this article regarding fees for production of a record, including, but
not limited to, subsections (c) and (d) of Code Section 50-18-71, shall apply to exhibits
produced according to this subsection.
(d) Any physical evidence that is used as an exhibit in a criminal or civil trial to show or
support an alleged violation of Part 2 of Article 3 of Chapter 12 of Title 16 shall not be open to
public inspection except by court order.
If the judge approves inspection of such physical
evidence, the judge shall designate, in writing, the facility owned or operated by an agency of
the state or local government where such physical evidence may be inspected. If the judge
permits inspection, such property or material shall not be photographed, copied, or reproduced by any means.
Any person who violates the provisions of this subsection shall be guilty of a felony and,
upon conviction thereof, shall be punished by imprisonment for not less than one nor more
than 20 years, a fine of not more than $100,000.00, or both.
50-18-73.
(a) The superior courts of this state shall have jurisdiction in law and in equity to entertain
actions against persons or agencies having custody of records open to the public under this
article to enforce compliance with the provisions of this article. Such actions may be
brought by any person, firm, corporation, or other entity. In addition, the Attorney General
shall have authority to bring such actions in his or her discretion as may be appropriate to
enforce compliance with this article and to seek either civil or criminal penalties or both.
(b) In any action brought to enforce the provisions of this chapter in which the court
determines that either party acted without substantial justification either in not complying
with this chapter or in instituting the litigation, the court shall, unless it finds that special
circumstances exist, assess in favor of the complaining party reasonable attorney's fees and
other litigation costs reasonably incurred. Whether the position of the complaining party
was substantially justified shall be determined on the basis of the record as a whole which is
made in the proceeding for which fees and other expenses are sought.
(c) Any agency or person who provides access to information in good faith reliance on
the requirements of this chapter shall not be liable in any action on account of such
decision.
50-18-74.
(a) Any person or entity knowingly and willfully violating the provisions of this article by
failing or refusing to provide access to records not subject to exemption from this article, by
knowingly and willingly failing or refusing to provide access to such records within the time
limits set forth in this article, or by knowingly and willingly frustrating or attempting to
frustrate the access to records by intentionally making records difficult to obtain or
review shall be guilty of a misdemeanor and upon conviction shall be punished by a fine not
to exceed $1,000.00 for the first violation. Alternatively, a civil penalty may be imposed
by the court in any civil action brought pursuant to this article against any person who negligently
violates the terms of this article in an amount not to exceed $1,000.00 for the first violation. A civil
penalty or criminal fine not to exceed $2,500.00 per violation may be imposed for each additional
violation that the violator commits within a 12 month period from the date the first penalty or fine
was imposed. It shall be a defense to any criminal action under this Code section that a person has
acted in good faith in his or her actions. In addition, persons or entities that destroy records for the
purpose of preventing their disclosure under this article may be subject to prosecution under Code
Section 45-11-1.
(b) A prosecution under this Code section may only be commenced by issuance of a
citation in the same manner as an arrest warrant for a peace officer pursuant to Code
Section 17-4-40; such citation shall be personally served upon the accused. The defendant
shall not be arrested prior to the time of trial, except that a defendant who fails to appear
for arraignment or trial may thereafter be arrested pursuant to a bench warrant and
required to post a bond for his or her future appearance.
50-18-75.
Communications between the Office of Legislative Counsel and the following persons shall
be privileged and confidential: members of the General Assembly, the Lieutenant Governor,
and persons acting on behalf of such public officers; and such communications, and records
and work product relating to such communications, shall not be subject to inspection or
disclosure under this article or any other law or under judicial process; provided, however,
that this privilege shall not apply where it is waived by the affected public officer or officers.
The privilege established under this Code section is in addition to any other constitutional,
statutory, or common law privilege.
50-18-76.
No form, document, or other written matter which is required by law or rule or regulation to be
filed as a vital record under the provisions of Chapter 10 of Title 31, which contains information
which is exempt from disclosure under Code Section 31-10-25, and which is temporarily kept
or maintained in any file or with any other documents in the office of the judge or clerk of any
court prior to filing with the Department of Public Health shall be open to inspection by the general
public, even though the other papers or documents in such file may be open to inspection.
50-18-77.
The procedures and fees provided for in this article shall not apply to public records,
including records that are exempt from disclosure pursuant to Code Section 50-18-72,
which are requested in writing by a state or federal grand jury, taxing authority, law
enforcement agency, or prosecuting attorney in conjunction with an ongoing administrative, criminal, or
tax investigation. The lawful custodian shall provide copies of such records to the
requesting agency unless such records are privileged or disclosure to such agencies is
specifically restricted by law.