Risk Assessment: Conduit for Internal Audit - March 2004

Written by Bernard F. Zaucha

Introduction

In 2000, Summit County underwent a special audit by the State Auditor’s office based on allegations of fraud by employees of the County Executive’s office. The newly appointed Executive sponsored legislation to create an Audit Committee and Internal Audit Department to oversee the operations and performance of the County as a whole. The voters, by a resounding majority, approved it.
The Summit County Internal Audit Department (IAD) officially hung out its shingle and opened for business on July 29, 2002. My assistant and I walked into our new offices accompanied by maintenance men who told us to be careful not to touch the walls because the paint was still wet. Two desks lay on the floor in pieces. No chairs were to be found. This pretty much set the tone for the first few months of work. We were on our own – setting out on an adventure to learn about Summit County, one of the largest counties in Ohio. We ordered supplies, put up pictures, signed forms for network/email access (even though we didn’t have computers) to get the department up and running.
It became very apparent that, given the size of Summit County and the divergent entities that comprise it, and because internal audits had never been completed within its offices, agencies and commissions, our first order of business would be to perform a countywide risk assessment.

Risk Assessment is a process used to assign a number or score to potential audit areas based upon specific risk factors related to an auditee’s operations, internal controls, and liability to the County. Dollar amounts of budgeted expenditures, complexity of transactions, time since the last audit, management experience and compliance with laws and regulations are some examples of specific risk factors used to formulate the risk assessment model and audit plan.

To begin life as a department that is looked upon by the County as independent and accountable only to the Audit Committee, we determined that an outside consulting firm should be hired to work with the IAD to perform the risk assessment. A Request for Proposal (RFP) was developed, outlining the scope of the project. An Independent Public Accountant (IPA) was requested to work closely with the IAD to:

  • Define and identify the total population of potential audits.
  • Identify risk factors.
  • Develop the rating and weighting systems to be utilized in the model.
  • Create a risk calculation worksheet and guidelines for preparing and completing the worksheets.
  • Prepare an audit priority listing and preliminary five-year audit coverage plan. This plan will provide:
    • A basis for scheduling audits to maximize resources and balance work loads.
    • A basis to coordinate the audit approach with external auditors, thus producing more cost effective and timely audits.
  • Make recommendations on the staffing needs of the IAD.
  • Report any illegal acts or indication of illegal acts, which may result in findings for recovery, of which they become aware to the Audit Committee.

The RFP also requested a well-defined timetable for the project and a schedule of all-inclusive fees and expenses.

The RFP process consisted of many steps from putting the project out for bid to the acceptance process. The Audit Committee approved the RFP scope of services. They also approved the consulting firm after all of the bids were received. After the selection of the firm, the County’s Board of Control and then the County Council had to formally accept the consultant’s bid. Two months had passed by the time we jumped through the approval hoops. We had begun the research portion of the project during the approval process and our work was well underway by the time the consultant was on board.

Risk Assessment Process
Risk Assessment is a process of assigning a number or score to potential audit areas based upon specific risk factors related to a department’s operations. The Risk Management Team (RMT) was comprised of three members of the consulting firm and all of the Internal Audit Department staff. The RMT utilized the risk assessment model to rank and prioritize each of the potential audit areas. This process provided a tool to assign available audit personnel for the purpose of reducing the risk and liability exposure through findings and recommendations.

Some of the benefits of the systematic approach to risk assessment are:

  • The process and basis for decisions can be documented.
  • Training is enhanced since staff can study the model and processes that are documented.
  • Review and consultation are facilitated.
  • Decisions that are based upon documentation may be easier to explain and justify.
  • A direct link can be provided between the administrative structure and budget of the internal audit department.
  • New data can be more easily incorporated into the analysis as it becomes available.
  • Consistency may be enhanced since it may be easier to set operational guidelines for quantitative risk assessment methods.
  • Quantitative judgments of risk can be incorporated to help ensure the appropriate intensity and frequency of auditing the departments. This will help reduce the possibility of over-auditing or under-auditing the departments.

Principles of Risk Assessment and Audit Planning
The RMT utilized the following principles when developing the model:

  • Consideration was given to unique situations and circumstances (i.e., special audits) which would supersede scheduled audits with higher risk scores.
  • The approach to developing an audit plan recognizes that audit resources of personnel and dollars are limited, which prohibits 100% audit coverage each year. This limiting factor is inherent in the concept of utilizing a risk assessment model to help prioritize audits.
  • Work performed by other auditors that may have been mandated by grant provisions, State and Federal Agencies, or special audits was taken into consideration.
  • The risk assessment criteria used in the ranking of the audit universe places an emphasis on perceived or actual knowledge of the department’s system of internal controls.
  • The audit plan was developed with an understanding that there are inherent risks and limitations associated with any method or system of prioritizing audits.
  • The risk factors and scoring process are dynamic and will be re-evaluated and modified if warranted.
  • In general, the types of audits would include one or more of the following:
    • Operational Audits
    • Financial Audits
    • Compliance Audits
    • Information Systems (IS) Audits
    • Internal Control Reviews
    • Special Projects
    • Follow-up Audits

It was decided that the risk assessment model would encompass all the County’s specific budgeted programs and/or revenue sources and compare specific risk factors to determine the high-risk areas. Specific risk factors related to programs, and considerations for each, include:

  1. Financial Impact
    1. Proposed revenues and expenses for fiscal year
    2. Expenditures and revenue trend over last three years
    3. Fund type
    4. Negative fund balances
    5. Value of fixed assets
    6. Capital expenditures
    7. Proposed budget cuts
  2. Results of Prior Years Audit
    1. Occurrence of fraud
    2. Information obtained from external reviewers
    3. Date of last audit
  3. Changes in Organization and/or Management
    1. Management and staff capabilities
    2. High employee turnover or new management
    3. Management accountability
  4. Systems
    1. Stability and reliability of information technology
    2. Disaster recovery
  5. Political and/or Economic Environment
    1. Regulations of a specific program’s activities
    2. Adverse criticism or public embarrassment
  6. Impact of Not Providing Service
    1. Central control responsibility
    2. Complexity of operations
    3. Dependency on centralized processing

For each specific budgeted program or revenue source, the model assigns a score to each of the above factors according to their relative importance. The model then sorts these weighted scores from highest to lowest and identifies the specific budgeted programs or revenue sources with the weighted scores. Because the scoring system is evenly applied across the entire countywide organization, the process promotes a sense of equality and ensures that audit resources will be focused on those areas with the greatest risk and liability.

The audit plan would benefit the County by providing the following:

  • Assigning responsibility for budgetary funds and approval.
  • Prioritizing departmental audits on an ongoing basis.
  • Permitting an efficient allocation of limited resources.
  • Identifying inefficiencies or uneconomical practices.
  • Managing audit personnel.
  • Discovering ways to maximize revenues and/or cost savings.
  • Reducing potential for overlapping audits within departments and with other auditing entities.

Because the Annual Audit Work Plan and risk assessment are dynamic processes, risk factors and the scoring process may be refined periodically or as needed.

Organizational Chart
The IAD began collecting data at its inception in July 2002 by requesting departmental organizational charts (OC) to learn the flow of work and who reports to whom. Surprisingly, many of the departments did not have an OC. In 2002, the County’s Office of Budget and Management requested that an OC be included with all 2003 budget requests, which assisted the IAD in developing a countywide OC for use in its efforts.

The RMT identified the primary audit population, utilizing the 2003 Operating Budget. Based on the budget and information gleaned from early interviews and research, 40 departmental units were identified.

Audit Prioritization and Selection
The objective of the process of risk assessment is to identify and prioritize potential audit areas which pose the greatest risk and liability to the County.

Risk is identified as a potential for loss due to:

  • Error
  • Fraud
  • Inefficiency
  • Failure to comply with statutory requirements
  • Actions which may have a negative effect

Risk Factors
The nine risk factors that the RMT identified for the project were as follows:

  • Budgeted Expenditures
  • Financial Exposure
  • Off CAFR Funds - a measure of exposure to potential loss or embarrassment for resources which pass through the Department (i.e., Federal assistance transactions) and are not reported in the County Budget or CAFR (Comprehensive Annual Financial Report)
  • Number of Staff
  • Compliance With Laws and Regulations
  • Public Exposure
  • Management Experience
  • Complexity of Transactions
  • Time Expired Since Last Audit

Questionnaires
Questionnaires based on the risk factors were developed and sent to 115 County elected officials and senior staff members. The RMT received a 100% response rate.

The responses received from the questionnaires were tabulated by department and averaged by the employees’ responses for various risk factors and documented on the risk calculation worksheet.

Interviews
The RMT recognized the need and importance of gaining a better understanding of the County departments and their operations. As a result, the RMT developed general and detailed questionnaires which were utilized in conducting interviews with elected office holders, department heads, and staff members.

The RMT developed interview questions for specific job titles and asked for information on the following topics:

  • Major concerns
  • Security issues
  • Interaction with press
  • Number of people in department/agency
  • Conflicts of interest policy
  • Cash transactions
  • Written policies and procedures manual
  • Written job descriptions and classifications
  • Formal training, cross training and/or orientation programs
  • Regulations, laws and/or compliance issues
  • Written disaster recovery plan

The general questionnaire was used for interviews of Elected Office Holders/Department Directors. Both the general and detailed questionnaires were used during interviews of Deputy Directors and Senior Staff. A combination of one or both questionnaires was used during staff interviews.

The RMT evaluated each department by the individual risk factors as noted on the risk calculation worksheet. The RMT then calculated the average score for each risk factor.

Weighting Factors
The RMT also recognized the necessity to account for the relative measure of importance between each of the risk factors and the resultant impact on the overall risk score for each audit. A “weighting” factor was derived by having each evaluator compare each specific risk factor with all the other risk factors.

Risk Assessment Model
The audit areas in the audit population were then ranked from highest to lowest total risk score, thereby producing an audit priority listing, otherwise known as a risk assessment model.
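The scoring, weighting and ranking steps described above, as an added example (not the County's or the consultant's actual model). It assumes a 1 to 5 score scale and a simple win-count tally for the pairwise comparisons, uses only four of the nine risk factors, and all departments, ballots and scores are constructed.

```python
from itertools import combinations
from statistics import mean

# Four of the article's nine risk factors, to keep the sample data short.
FACTORS = ["Budgeted Expenditures", "Public Exposure",
           "Complexity of Transactions", "Time Expired Since Last Audit"]

def pairwise_weights(ballots):
    """Derive factor weights from evaluators' pairwise comparisons.

    Each ballot maps a (factor_a, factor_b) pair to the factor that evaluator
    judged more important. A factor's weight is its share of all "wins"
    (assumed tally method; the article does not specify one).
    """
    pairs = list(combinations(FACTORS, 2))
    wins = dict.fromkeys(FACTORS, 0)
    for ballot in ballots:
        missing = [p for p in pairs if p not in ballot]
        if missing:  # an incomplete ballot would silently skew the weights
            raise ValueError(f"ballot is missing comparisons: {missing}")
        for pair in pairs:
            if ballot[pair] not in pair:
                raise ValueError(f"{ballot[pair]!r} is not one of {pair}")
            wins[ballot[pair]] += 1
    total = len(pairs) * len(ballots)
    return {f: wins[f] / total for f in FACTORS}

def average_scores(responses):
    """Average the questionnaire scores per department and risk factor."""
    return {dept: {f: mean(sheet[f] for sheet in sheets) for f in FACTORS}
            for dept, sheets in responses.items()}

def rank_audits(responses, ballots):
    """Return (department, total weighted risk score), highest risk first."""
    weights = pairwise_weights(ballots)
    totals = {dept: sum(weights[f] * avg[f] for f in FACTORS)
              for dept, avg in average_scores(responses).items()}
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)

B, P, C, T = FACTORS
# Constructed sample data: two evaluators' ballots, scores on an assumed 1-5 scale.
BALLOTS = [
    {(B, P): B, (B, C): B, (B, T): B, (P, C): P, (P, T): P, (C, T): C},
    {(B, P): B, (B, C): C, (B, T): B, (P, C): C, (P, T): T, (C, T): C},
]
RESPONSES = {
    "Department A": [{B: 5, P: 2, C: 4, T: 1}, {B: 3, P: 2, C: 4, T: 3}],
    "Department B": [{B: 2, P: 5, C: 2, T: 5}],
    "Department C": [{B: 4, P: 4, C: 5, T: 3}, {B: 4, P: 2, C: 5, T: 5}],
}

if __name__ == "__main__":
    for dept, score in rank_audits(RESPONSES, BALLOTS):
        print(f"{dept}: {score:.2f}")
```

A factor that never wins a comparison receives a weight of zero under this tally, so a real model would need to decide whether that outcome is acceptable.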

Audit Plan
The Audit Plan was developed utilizing the following:

1. Risk Assessment – the model developed to identify the audit population and priority of the audits.

2. Types of Audits:

  • Operational/Performance Audits
  • Financial Audits
  • Compliance Audits
  • Information Systems (IS) Audits
  • Internal Control Reviews
  • Special Projects
  • Follow-up Audits

3. Audit Frequency

  • Fixed – audits are scheduled based on the risk potential of the departments using a fixed schedule.
  • Conditional - identified units are monitored continuously or at specified intervals for signs of increases or decreases in risk exposure.
  • Cost of performing an audit in relation to its ability to reduce risk.

4. Audit Intensity - complex function of time, samples, sizes, and internal controls.

5. Audit Timing

  • Fixed – audits are scheduled to address specific functions (i.e. property tax collection time).
  • Random – timing is unpredictable to allow for motivation to maintain controls.
  • Conditional – scheduled when an increase in risk is noted.

6. Preliminary Reviews

Based on information obtained through the risk assessment interviews, it was decided to conduct preliminary reviews (high-level operational snapshots) of the 40 identified entities of the County. It was estimated that the IAD would allow 150 hours for the majority of these reviews and 300 hours to complete the more complex agency reviews.

The objectives of the preliminary reviews are as follows:

  • Document client processes and procedures.
  • Evaluate internal controls.
  • Perform policies and procedures overview.
  • Perform a general overview of the physical environment and security of the facilities, data, records, and departmental personnel.
  • Identify audit issues and provide recommendations.

7. Risk Assessment Model Evaluation - additional risk factors may be identified during the preliminary reviews and it can be used to re-evaluate the audit population, which allows for optimal resource and assignment focus.

8. Comprehensive Audits – these extensive audit programs will be developed based on the information obtained during the preliminary reviews. Time frames will be based on the complexity of transactions, budget, number of staff, and past audit evaluations.

9. Internal Audit Department Staffing
It was stated in the consultant’s report that no internal audit department is of a sufficient size to carry out all the necessary audits simultaneously, or even within the time span of one fiscal year. An internal audit department should be of a sufficient size and capability to address the areas of concern to management, with an adequate frequency, over a reasonable time horizon of three to five years. If risk factors reflect management concerns, then they can be used as a basis for establishing the department size required to address the most important audit units.

10. Audit Committee - the status of each audit will be conveyed to the County Audit Committee on a regular basis.

Audit Committee Presentation
On May 20, 2003, the consulting firm presented for approval its “Countywide Risk Assessment and Audit Plan” to the Audit Committee. Utilizing a PowerPoint presentation developed in conjunction with the IAD, the firm outlined the risk assessment process and its recommendations. The plan was well received and approved. The IAD then disseminated the report to all of the entities in the County that participated in the project.

The IAD is currently scheduling the preliminary audits of the 40 identified entities in the County and looks forward to establishing itself as a driving force in keeping the County – “In the Black.”

In the Black
The IAD’s motto “In Atramento” (translated from Latin as “In the Black”) refers to Black Friday, stemming from the shift to profitability during the holiday season. Black Friday was the period when retailers went from being unprofitable, or “in the red” to being profitable, or “in the black,” at a time when accounting records were kept by hand and red ink indicated loss and black ink indicated a profit.

Although government’s goal is not to produce a profit, having its funds balanced is a positive and admirable objective, particularly in this day of cutbacks in governmental services, lay-offs and budget deficits. The performance and oversight operation that is internal audit effectively contributes to achieving that goal.

Note: If you would like to receive a copy of the Countywide Risk Assessment and Audit Plan, Summit County, Ohio, please email me or give me a call at 330-643-2655.

 

About the author:

Bernie’s entrepreneurial spirit has driven him to grow organizations and hire teams with the vision and enthusiasm to make them successful. He gained experience while working at Myers Industries as General Manager of accounting and continued his mission of training leaders while teaching accounting and business courses at the University of Akron.

While teaching at the University, he established an accounting practice with two partners. As the business grew, he left the University to devote his time to acting as administrator of the firm as well as performing client service duties. In 1997, when his firm merged with another he continued as a practice development consultant, working with such high profile clients as David Copperfield. In 2000, James B. McCarthy, Summit County Executive, tapped Bernie to act as a member of the newly formed Audit Committee of Summit County because of his reputation and expertise. Bernie accepted and served on the Committee during 2001-2002 when he was approached to form the Internal Audit Department of Summit County. He has been charged with bringing government in line with business models by monitoring, assessing, and analyzing organizational risk and controls.

Bernie is a CPA and obtained his CIA certification in 2002. He graduated from the College of Business with an accounting degree and obtained his MBA from the University of Akron. He joined ALGA in 2002 and is a member of its Education Committee.



Copyright © 1999-2006 Association of Local Government Auditors. All rights reserved.