In 2000, Article X was added to the Summit County Charter forming the Summit County Audit Committee and Internal Audit Department (IAD). The legislation was the brainchild of the new County Executive, James B. McCarthy. The County had just suffered through a scandal in the previous Executive's office that prompted a special audit by the State Auditor. The investigation resulted in the resignation of the Executive and arrests and jail time for several of his cabinet.
Mr. McCarthy spearheaded the legislation to form an Audit Committee overseeing an Internal Audit Department and took the legislation to the voters of Summit County who approved it by a landslide. Summit County is the only charter county in Ohio and also the only county of Ohio’s 88 counties to have mandated an internal audit department.
IAD hung out its shingle in August 2002 and chose to first perform a risk assessment of the County, in conjunction with an outside auditing firm to affirm the independence of the department. The risk assessment most importantly educated the department about the County’s systems, processes, and operations.
Why Preliminary Audit Reviews d.b.a. (doing business as) Snapshot Audits?
During the course of the countywide risk assessment, it became apparent to the IAD that a general lack of understanding of basic business processes and practices and internal controls was widespread. Due to the nature of the many and varied risks, time was of the essence. It was decided that the best course of action to ascertain and address the highest risks in the shortest time possible was to perform a high level review of the operations of each of the identified audit population. IAD anticipated developing comprehensive internal audit programs in conjunction with the preliminary audit reviews and to begin to stock the shelves of its perm file library.
IAD’s goal in performing these reviews has been:
- To address internal control implementation and management;
- To encourage development of department-specific policies and procedures;
- To review current or recommend development of new disaster recovery plans and make recommendations on best practices; and
- To address the numerous security issues inherent in a government workplace.
Preliminary Audit Reviews vs. Comprehensive Audits
Taking into consideration the present audit staff of 5, it was estimated that it would take 4-5 years to complete the rotation of the 40 identified governmental entities. Using the review program, IAD could review them on a top level basis in approximately 2 ½ years. IAD obtained the Audit Committee’s approval and began the snapshots in February 2004.
The chart below compares timeframes and scopes of IAD’s snapshot audits and comprehensive audits.
| Preliminary Audit Reviews | Comprehensive Audits |
| --- | --- |
| Timeframe: 4-5 weeks | Timeframe: 2-6 months |
| Time to complete 40 identified auditees: 2½ yrs | Time to complete 40 identified auditees: 5‑7 yrs |
| Document client processes and procedures | Specific planning and research |
| Evaluate internal controls | Document and test internal controls |
| Perform policies and procedures overview | Identify and evaluate organizational risk areas |
| Perform general overview of physical environment and document security | Perform analytical reviews |
| Identify audit issues and provide recommendations | Detail review and testing of processes and procedures |
| Follow up review of corrective management action plan | Conduct compliance testing |
| | Review reconciliation processes |
| | Assess operational efficiency and effectiveness |
| | Identify audit issues and provide recommendations |
| | Follow up review of corrective management action plan |
Risk Assessment Questionnaires
The Risk Management Team recognized the need and importance of gaining a better understanding of the County departments and their operations. As a result, the Risk Management Team developed general and detailed questionnaires that were used in conducting interviews with elected office holders, department heads, and staff members.
Through the interview process, IAD learned of many issues that the department felt required prompt attention due to the potential liabilities to the County. The reasons for IAD’s decision to perform the “snapshot” audit reviews are easily seen upon reading the lists below.
(Note: For more information about the Risk Assessment, please see ALGA Quarterly, March 2004 article, Risk Assessment: Conduit for Internal Audit Planning)
Major issues identified by management and staff during the various interviews
- HIPAA concerns re: compliance
- Retention of well-trained professionals on staff
- Disparate computer systems
- Staffing experience and qualifications and skills
- Standardization and uniformity of County HR matters
- Maintaining local authority over monies/programs
- Levy plan implementation
- State funding sources – budget crunch
- Insurance concerns
- Ability of cashiers to override fees in the system
- Some entities have their own financial system in place and staff have to do dual entries into County and its systems
- Paying contractors
- EPA/ODOT mandates
- Salary scale is a deterrent to recruitment/retention
- Annexation/incorporations – no longer have maintenance responsibilities
- Revenue stream is fixed and flat
- Unfunded mandates
- Stormwater management, Phase II – EPA mandates
- Union v. nonunion employees
- Kronos payroll system’s interface with Banner financial system
- Insufficient trained staff
- Need for trained project managers
- Real estate reappraisal every six years (the amount of work it produces)
- Daily average for conveyance is around $25,000 to $35,000
- Daily average for records collection is around $55,000 to $65,000
- Tax bills mailed in a timely fashion
- Collection of delinquent taxes - $7M
- Cash handling procedures for foreclosures
- Tax lien certificate program instituted ($17 million collected last year)
- Offices are extremely overcrowded, file room is beyond capacity
- State and federal suits for wrongful termination (whistleblower laws)
- Contract Services, Inmate Services, Medical Food Services, Commissary
- Liability issues with using inmates for work duties
- Training
- Attendance problems
- Lawsuit issues for services that are subcontracted

Auditor issues identified throughout the interview process
- Cash handling procedures review – segregation of duties
- Pay-in review
- Deposit and reconciliation review
- Review of the many checking accounts currently opened
- Inmate account procedure review
- Court is in a major transition with a new building and a new judge
- Files are on top of the cabinets and not in their proper shelving because of lack of space
- Office space is EXTREMELY small and overcrowded
- OSHA, fire, safety issues
- Door to the file room is unlocked
- Issues related to State SETS system and cramped cubicles
- No policies and procedures
- It’s not clear if they have job descriptions
- One IT staff with no succession plan or cross training
- Grant monitoring
- Wired funds
- Past history
- Contract review
- Review of two financial systems and how they work together - or not
- Credit card procedure review
- Chargebacks procedure review
- Purchasing and documentation review
- Election materials review
- Compliance issues with state/federal labor laws
- This department has never been audited
- Fee overrides, with no policy in place
- Review of policies & procedures for new OBMV program setting up wire transfers
- Conflicts between the Ohio Revised Code and the Summit County Codified Ordinances
- No A/P reconciliation is performed
- No review or monitoring of tax assessment departmental transactions
- Length of time before payroll department is notified of terminations/transfers
- Review inventory of hardware and software

(Note: IAD is unable to identify security and infrastructure issues due to Ohio law)
Audit Population
The Risk Management Team identified the primary audit population as County departments using County Resolution 2002-778, which related to the 2003 Operating Budget. Based on the Resolution, 40 departmental units were identified. The below chart reflects the audit population and its rank at the time the risk assessment was completed. The report stated that the audit population was dynamic and would change as the department performed its work.
It was decided by the Audit Committee that IAD should begin its reviews with some of the smaller departments to rapidly address the audit population. The Committee approves an audit schedule of 4-5 reviews at its quarterly meetings based on previous audits, special projects and requests.
| Risk Assessment Ranking | Department, Court, Agency | Risk Assessment Ranking | Department, Court, Agency |
| --- | --- | --- | --- |
| 1 | Executive Office - Job & Family Services | 21 | Fiscal Office - MIS |
| 2 | Sheriff Office - Operations | 22 | Executive Office - Department of Development |
| 3 | Prosecutor Office - CSEA | 23 | Executive Office - Medical Examiner |
| 4 | Executive Office - Insurance & Risk Management | 24 | Fiscal Office - Real Estate |
| 5 | Engineer Office | 25 | Summit County Council |
| 6 | Executive Office - Administrative Services | 26 | Board of Elections |
| 7 | Clerk Of Courts Office - Legal | 27 | Veterans Services Commission |
| 8 | Executive Office - D.O.E.S | 28 | Court of Common Pleas - General |
| 9 | Juvenile Court - Operations | 29 | Executive Office - General Administrative |
| 10 | Fiscal Office - Treasurer | 30 | Domestic Relations Court |
| 11 | Prosecutor Office - Operations | 31 | Fiscal Office - Services |
| 12 | Fiscal Office - Finance | 32 | Executive Office - Human Resources Dept |
| 13 | Executive Office - Finance & Budget | 33 | Executive Office - Dept of Communication |
| 14 | Alcohol, Drug Abuse & Mental Health Board | 34 | Human Resource Commission |
| 15 | Childrens Services Board | 35 | Court of Common Pleas - Probation |
| 16 | MRDD | 36 | Executive Office - Department of Law |
| 17 | Fiscal Office - Recorder | 37 | Executive Office - Emergency Management Agency |
| 18 | Juvenile Court - Detention | 38 | Court of Appeals |
| 19 | Clerk Of Courts Office - Title | 38 | Probate Court |
| 20 | Sheriff Office - Corrections | 40 | Internal Audit Department |
How to Prepare for an Internal Audit: Getting Your Ducks in a Row
Since the majority of the governmental units in Summit County had not experienced an internal audit, IAD decided to invite all offices, agencies, boards, commissions, and courts to a presentation on how to prepare for an internal audit. The mini-seminar was welcomed and well attended by all of the countywide entities.
The Director introduced the IAD staff who were present on stage for the training session. The presentation given by the IAD Director and Assistant Director covered the following aspects of the department’s history, internal auditing, and the upcoming audits:
- IAD Organizational Chart and Introduction of Staff
- Summit County Charter mandates
- State Auditor’s Special Audit Report: reason for legislation forming the Audit Committee and the IAD
- What is internal auditing?
- Sarbanes Oxley Act and its expected impact on government
- Management Responsibility
- Types of Audits
- IAD’s Independence
- IAD’s Ethical Principles
- Audit Issues and Recommendations
- Final Audit Reports
- Follow-up Reviews
- What will IAD Provide?
- Risk Assessment
- Audit Scope
- Overview of Preliminary Audits
- Preliminary Audits: What to Expect
- Planning and Preliminary Review
- Learning the Client’s Operations
- Sources of Information and Key Concepts
- Requests for Information
- Policies and Procedures
- Fieldwork Steps
- Internal Control Objectives
- Internal Control Responsibilities
- Internal Control Evaluation
- Physical and Document Security
- Communication of Results/Audit Report
Preparing For and Executing Each Audit Engagement
Audit Scope
The audit scope is narrow, based on the time limitations of the snapshot audits. It encompasses a high-level review of the operations and performance of the auditees. Scope: An overview and evaluation of the existing policies, processes, procedures, contracts and internal control structure used by the department/agency for a particular period of time.
Audit Objectives
The audit objectives remain the same for every review, as does the scope. The objectives for all reviews are:
- To obtain and review the current policies and procedures.
- To review the internal control structure through employee interviews and observation.
- To perform a general overview of existing contracts in the department/agency.
- To perform a general overview of the physical environment and security of the facilities, data, records and departmental personnel.
Audit Planning and Brainstorming
As stated previously, the IAD is using these snapshot audits as information gathering tools to develop its perm files and in preparation for future comprehensive audits. Extensive planning is completed by the department prior to beginning the fieldwork. The auditors spend two days planning and brainstorming in-house before they move on-site with the auditee.
Notice of Upcoming Audit
An audit notice is e-mailed two weeks prior to the anticipated beginning of a review, requesting an entrance meeting and including the following attachments:
- Audit entrance memorandum
- Standard document request form
- Copy of the IAD PowerPoint presentation, “How to Prepare for an Internal Audit”
- Copies of informational materials on preparing for and living through an audit
Entrance Meeting
During the entrance meeting, the auditors go over the following requests for information and resources that they will require during the course of the audit. More importantly, they discuss the audit process.
- Access to personnel files
- Testing systems
- Contact personnel for detail questions
- Any resources that would aid in testing
- Workspace requirements
Management Concerns
The last agenda item of the entrance conference is management concerns. The reaction to this question runs the gamut from the short answer of “None,” to whatever political agenda or flavor of the day is hot, to the real issues and challenges facing the department.
Audit Program
The audit program changes based on the various control specificities of each auditee. The program could change further during the course of the audit. As in comprehensive audits, this is contingent on testing and information obtained during departmental interviews. These changes can extend the time spent on the engagement.
Time Estimates
In keeping with our philosophy that communication is key and because we are mandated by the Summit County Charter to bill for our services, we inform our auditees of an estimated time for completion of the audit. Below is an example of a time estimate given to our auditees at the entrance meeting of the preliminary audit. The estimates change based upon the department and its risks.
TIME ESTIMATES: The following are estimates only and not meant to be restrictive in achieving the audit objectives. The Internal Audit Department will work closely with management to keep them apprised of our progress.
| Task | Hours |
| --- | --- |
| Planning | 20 |
| Advance Memo | 1 |
| Audit Planning Memo | 16 |
| Audit Program | 15 |
| Entrance Meeting | 5 |
| Planning | 30 |
| Documentation of operations and controls | 200 |
| Testing and analytical reviews | 225 |
| Reporting | 20 |
| Closing Conference | 5 |
| Preliminary Audit Report | 25 |
| Review of Management Action Plans | 5 |
| Final Audit Report | 10 |
| Follow Up Action Plan | 2 |
| Work paper review comments | 16 |
| Total hours: | 575 |
Reporting Process
Upon completion of the audit review, two preliminary reports (a general report and a security report) are prepared and forwarded to management for its response. After approval by the Audit Committee, the final general report becomes public record and the security report remains confidential as mandated by O.R.C. §149.433, Exemption of Security and Infrastructure Records.
Develop Permanent Files
IAD began business with a blank slate because the majority of the departments, courts, and agencies of Summit County had never undergone an internal audit. The majority of the IAD staff had come from private industry and were unfamiliar with the government model. Based on the information gleaned from top-level overviews of countywide operations and controls, the department began building its comprehensive permanent files on its auditees. IAD continues to acquire perm file data in anticipation of the comprehensive audits.
Value-Added Scorecard
Throughout the risk assessment and going forward into the snapshots, IAD found a considerable need in the majority of departments in the County for management tools and training. To address these needs, which will promote more efficient and effective performance and operations, IAD has provided value-added materials, tools, and consulting, keeping in mind the audit standards of independence and objectivity.
We have found the majority of management completely open and very appreciative. The audit reports include a chart, referencing any value-added activities performed by the IAD during the audit (an example is shown below.)
INTERNAL AUDIT VALUE ADDED SCORECARD DETAIL

| Risk | Description | Value |
| --- | --- | --- |
| Lack of segregation of duties for cash collection in XYZ Departments. | Observation identified instances where the same person is responsible for receiving, recording, and depositing all monies. | Audit testing revealed the importance of developing internal procedures for cash collection to ensure the receipt of all revenue. |
| Daily reconciliation of permits sold to cash collected. | IAD, with the assistance of the executive assistant and ABC Software personnel, produced reports for 2003 and 2004 indicating balances due for permits and other charges associated with the permit process (i.e. miscellaneous charges/fees which are incurred after the permit has been issued such as reinspection fees, penalties, etc.). The total amounts due for each year are $16,508.95 for 2003 and $14,860.80 for 2004 as of 11/8/04. | IAD monitored the accounting software update of ABC Software to reconcile permits sold to cash collected. IAD also attended the training session of the cashier, back-up cashier and executive assistant to confirm that they had been properly trained on the reconciliation process. |
| Timely deposits for XYZ Departments. | Deposits are not made with the Treasurer’s office on a timely basis for the XYZ Departments in accordance with ORC §9.38. | IAD worked with each individual department to ensure that the Treasurer’s Office receives timely deposits. |
| E&Y Management Representative Letter Findings have not been corrected for XYZ Department. | Inquiry and observation revealed that E&Y audit findings have not been corrected by the various departments. | IAD recommended corrective follow up procedures to management to ensure that the same audit issues are not identified next year. |
Follow-Up Audits
IAD recommended to the Audit Committee to begin the follow-up reviews approximately six months after the snapshot audits were completed to monitor progress on management’s action plans. The department began these follow-ups in June 2005 and has found that the majority of the action items were implemented or are in process.
Results to Date
To date, the IAD has conducted 21 reviews, 7 special projects, and 12 follow-ups. The department has noted significant improvement in the following areas.
- Initial development and/or updating of operational policies and procedures
- Improved security measures
- Improved safekeeping of confidential documents
- Segregation of duties issues addressed
- Tightening of cash handling controls
- Reconciliation of accounts being performed
- Human resources policies and procedures development
- Performance evaluations conducted
These improvements to basic business practices and mandated areas within a six-month time period (some changes were made during the course of the audits) are encouraging. This audit model has confirmed IAD’s original supposition that quickly addressing as many of the major challenges as possible that were identified in the risk assessment would measurably improve County operations. They would establish the IAD as a source that can be tapped to address each department’s performance upgrade and enhancement.
Bridge to Comprehensive Audits
With the completion of audit reviews and the valuable information obtained while conducting them, IAD will be fully prepared to tackle the comprehensive audits of Summit County. Developing audit programs, forming working relationships, establishing credibility, identifying and offering recommendations to address the biggest risks, and learning the County’s strengths and weaknesses have all been accomplished due to the rapid deployment of staff in performing the snapshots of the various offices, courts, and agencies of Summit County.
IAD has found that working in a consultative role rather than the traditional, “Oh no, here comes the auditor,” role has proven to be the best road to walk down to date. It remains to be seen if this philosophy plays out during the more intensive comprehensive audits, but we anticipate continuing in this role or some flavor of it whenever possible.
We have seen the gamut of change during the past year, from little steps like securing a door, to requests for special projects by our Criminal Justice Advisory Board and Audit Committee for a review of the entire criminal justice system. IAD worked with a consultant on the ever-present jail overcrowding issue and the caseflow through the criminal justice system. We are very encouraged by the results of the audits and by the reaction of our auditees, as evidenced by the comments below, and are looking forward to a long run here in Summit County.
AUDITEE QUOTES
MRDD Controller
“Very professional and extremely helpful.”
Director Civil Division – Prosecutor’s Office
“Bernie, you have such pleasant employees!”
Common Pleas Court Administrative Judge
“You will note that all of the questions were answered in the affirmative as I thought the audit was highly professional and aided us in developing some of the weaknesses in our security and personnel practices and procedures. We will make haste to implement your recommendations.
The reason I am writing this is that I thought the audit staff had done a very excellent analysis of those areas which they were assigned….I think this staff of auditors could do a very competent job analyzing the problem between the courts and the justice system.”
Chief of Operations/Administration, Sheriff Office
“The audit team was extremely helpful and professional.”
Jail Commander – Sheriff Corrections Division
“Audit went very smoothly. Pointed out areas that needed corrected and updated. Hardly knew they were here at times. Audit team was very professional. I think they learned a lot about the corrections side of the Sheriff’s Office and how complex it can be.”
In 2000, Jim McCarthy, Summit County Executive, tapped Bernie to act as a member of the newly formed Audit Committee of Summit County. Summit County is the only charter form of local government in Ohio and therefore has more flexibility in its operation. Bernie accepted and served on the Committee from 2001-2002 when he was approached to form the Internal Audit Department of Summit County. Bernie is a pioneer in the State of Ohio, setting up a structure much like that in the corporate world with the department taking direction from and answering to an Audit Committee. His goal is to bring government in line with business practices by monitoring, assessing and analyzing organizational risk and controls.
Teri is an innovative and resourceful professional with experience in private industry, government, and the academic setting with expertise in the information technology and legal fields. She has more than 15 years' experience in office management, human resources, operations, customer service, marketing and event planning. She strategically planned and effected the spin-off of an incubator technology company from Kent State University of which she was senior management and a partner. One of Teri’s major accomplishments both professionally and personally was her role in the renovation, opening, and administration of Kent State University’s Moulton Hall Learning Technology Center. Continuing her penchant for tackling new and diverse projects as well as diving into the completely new work world of government, she coordinated and administered the opening of the new Summit County Internal Audit Department and acts as business manager for the department.