ErieCountyGuidelines for Auditees
Office of theErieCountyComptroller
Stefan I. Mychajliw – Erie County Comptroller
Teresa M. Fraas – Deputy Comptroller – Audit
EFFECTIVE JANUARY 1, 2013
The Erie County Comptroller’s Office, Division of Audit and Control was established with the passage of Erie County Local Law #1 (1959) thereto known as the Erie County Charter (“Charter”).
The Charter, as amended, and Erie County Administrative Code (“Code”) provide the authority for the Comptroller’s Office to conduct audits and provide for an internal audit function in County government.
Article 19, Section 1902 (a) of the Charter provides that the Comptroller is the “chief fiscal, accounting, reporting and auditing officer of the county.”
Article 19, Section 1902 (e) of the Charter states that the Comptroller shall “Conduct financial and compliance audits of the records and accounts of all officers and employees charged with any duty relating to county funds or funds for which the county is responsible in conformity with generally accepted auditing standards as prescribed by the american institute of certified public accountants and the comptroller general of the United States, and submit such audit reports to the legislature.”
Article 19, Section 1902 (g) of the Charter states that the Comptroller shall “Conduct management and performance audits of county administrative units and county funded programs in conformity with generally accepted auditing standards as prescribed by the american institute of certified public accountants and the comptroller general of the United States and submit such audit reports to the legislature.”
Article 12, Section 12.03 of the Code provides authority for the Comptroller to appoint a deputy comptroller for audit and to maintain a Division of Audit and Control.
“Comptroller” refers to the elected Erie County Comptroller
“Audit Deputy” refers to the Deputy Comptroller – Audit
“GAGAS” refers to Generally Accepted Government Auditing Standards as established by the US Government Accountability Office (“GAO”)
“Yellow Book Standards” or the “Yellow Book” refers to GAGAS as published by the GAO
“Internal Audit” refers to the Comptroller’s Office, Division of Audit and Control
SCOPE OF AUTHORITY
The Comptroller has the authority under the Charter to conduct expanded scope audits of allErieCountydivisions, departments, boards, activities and agencies to independently determine whether:
1) Activities and programs being implemented have been authorized by management, county law (Charter), state law or applicable federal law or regulations;
2) Activities and programs are being conducted in a manner contemplated to accomplish the objectives intended by management, county law (Charter), state law or applicable federal law or regulations;
3) Activities or programs efficiently and effectively serve the purpose intended by management, county law (Charter), state law or applicable federal law or regulations;
4) Activities and programs are being conducted and funds expended in compliance with applicable laws;
5) Revenues are being properly collected, deposited and accounted for;
6) Resources, including funds, property and personnel, are adequately safeguarded, controlled and used in a faithful, effective and efficient manner;
7) Reports that are provided disclose fairly and fully all information that is required by law, that is necessary to ascertain the nature and scope of programs and activities and that is necessary to establish a proper basis for evaluating the programs and activities;
8) During the course of audit work, there are indications of fraud, abuse or illegal acts; and
9) There are adequate operating and administrative procedures and practices, systems or accounting internal control systems and internal management controls which have been established by management.
Furthermore, it is the policy of the Comptroller’s Office that audits shall be conducted in accordance with GAGAS as applicable to financial, operational, compliance and performance audits and as provided for in the Erie County Audit Manual. The Deputy Comptroller – Audit or members of his/her staff shall not conduct nor supervise an audit of an activity for which he/she was responsible or within he/she was employed during the preceding two years.
ACCESS TO RECORDS AND PROPERTY
Pursuant to the power vested in the Comptroller by the Charter, upon request, all officers and employees ofErieCountyshall furnish the Comptroller’s Office Internal Audit staff with requested information and records within their custody regarding powers, duties, activities, organization, property, financial transactions and methods of business required to conduct an audit or otherwise perform audit duties. In addition, they shall provide access for the audit staff to inspect all property, equipment and facilities within their custody.
In the event the above requested information shall not be provided to the Comptroller’s Office, Article 27, Section 2707 of the Charter provides the Comptroller with the “power to subpoena and compel the attendance of witnesses and the production of books and papers.”
THE INTERNAL AUDIT PROCESS
An internal audit is an independent appraisal within an organization. The objective of internal auditing is to assist members of the organization in the effective discharge of their responsibilities. This objective includes promoting effective internal and management control at reasonable cost. To accomplish the objective, internal auditing provides analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed.
Internal audits are generally organized to progress through four phases: planning and survey (which includes the Entrance Conference), fieldwork, reporting, and follow-up. It is important to note that these phases are not distinct. Areas that should be tested may be identified throughout the audit, which may result in overlap between phases, particularly between planning and fieldwork.
Written Notification of Audit
When the Comptroller’s Office determines an audit is necessary, the Audit Deputy will send the auditee a letter announcing the intention to start an audit, providing details regarding the preliminary scope of the audit and requesting a meeting to hold an Entrance Conference.
The Entrance Conference
When an audit is announced by the Comptroller’s Office, an Entrance Conference will be scheduled with the auditee. At the Entrance Conference, the auditor and auditee will discuss the information included in the Erie County Guidelines for Auditees, tailored for the specific audit being commenced. Under long-standingCountyAdministrationaudit response policy, a representative from the Division of Budget and Management may attend the Entrance Conference as well.
The Entrance Conference includes the audit staff that will work on the audit and the Deputy Comptroller – Audit, as well as representatives of the auditee. As an Entrance Conference is a meeting run by the Comptroller’s Office, we reserve the right to limit discussion and limit attendance at these meetings.
The Planning Phase
The purpose of this phase is to identify the risks to the audited organization as they relate to the activity being audited. In this context, risk is the probability that an event or action may adversely affect the organization. Risks can be considered in three different ways. First, risks can be considered in traditional financial terms, such as the risk that assets are not adequately safeguarded. Second, risks can be considered in operational terms, such as the risks that policies are not being complied with or that resources are not being used as efficiently as they could be. And third, risks can be considered in performance terms, such as the risk that operations are not effective in meeting organizational goals.
To identify the risks associated with an activity, we gather background data to understand the activity and we conduct a survey to identify those areas where the risks appear greatest. During this phase we generally review records and files and conduct interviews, and we often select and review small samples. A key element of this effort is to obtain management’s insight about risk areas. At the completion of the survey we establish the scope of the audit and develop an audit program detailing specific steps to accomplish the scope.
Through the Entrance Conference, we inform the auditee about the scope of our audit, the general areas of our planned fieldwork, the expected time frames for our remaining work, and the expected report date. We may find during our fieldwork that adjustments will be required in expected time frames and reporting dates due to the time it takes to gather evidence or due to the need to consider additional areas. The auditee also maintains the ability at the Entrance Conference to bring information to our attention which may shape or assist in the development and scope of the audit.
In this phase we gather evidence about the areas of risk identified during our survey. This is generally done by examining statistical samples of transactions or files, or by examining other documents. We may also conduct interviews with managers, staff members, or other affected parties. As we carry out our audit program we often find there are areas that should be considered but were not included in our original planning, and we may incorporate steps to test these areas.
When the evidence we gather indicates that a condition should be reported and warrants corrective action, we will discuss the condition with the auditee. We will work closely with the auditee to identify those conditions that limit its ability to be effective and to develop corrective actions that deal with those conditions. To that end we will be available to meet with the auditee regarding those conditions not only during our fieldwork and while we are developing our audit report, but even after our report is issued. If corrective actions or improvements in structures or processes are initiated prior to completion of our audit, we will note that in our report.
During our fieldwork, we may issue Internal Audit Memorandums (“IAM”) to inform the auditee of an audit finding.
Internal Audit Memorandums
Once a finding has been documented, it can be written as an IAM. An IAM is a memorandum we send to the auditee documenting an audit finding. An IAM is composed of five sections, a summary, detail supporting the finding, the impact of the finding, the recommendation and a request for a written response from the auditee.
Whenever we find instances of noncompliance to applicable laws, rules, and regulations; significant problems discovered during our testing; or internal control deficiencies or inefficiencies, these will be disclosed to the auditee in writing. The IAM is the primary vehicle for communicating such items to the auditee before the audit report is released. IAM's are prepared after testing in that area is completed, or before if it is considered to be a serious financial or operational exception.
Upon receiving an auditee’s response to the IAM, we analyze the response, in terms of the effect on the audit or audit report and if necessary, we follow-up with the auditee.
Some audit findings will not become apparent until late in the audit process. As a result, not every audit finding will result in an IAM. If in the opinion of the Deputy Comptroller – Audit, it would be quicker to finish the report and discuss the finding at the Exit Conference, no IAM need be issued.
The Audit Report and Exit Conference
All audit reports are addressed to the Erie County Legislature. Audit reports are public documents, and are posted on the Comptroller’s website for public review.
At the completion of our fieldwork we will prepare a draft report and submit it to the auditee for its response. We ask the auditee to review it and note any facts that it does not think are accurate and any instances where the auditee believes we have misrepresented facts. If we agree, we will modify the report.
Draft audit reports are confidential in nature. The release of a confidential draft report prior to the Exit Conference and the Comptroller’s official release of the final audit is a violation of Erie County Local Law 10-1989. The unauthorized release of a draft audit report not only violates County law and policy, but it also denies the auditee the opportunity to challenge or change the draft audit. It is Comptroller’s Office policy that released draft reports shall become final audit reports.
The Exit Conference is attended by the audit staff that developed the report, the Deputy Comptroller – Audit and management from the audited entity. Under long-standingCountyAdministrationaudit response policy, a representative from the Division of Budget and Management may attend Exit Conferences as well. As an Exit Conference is a meeting run by the Comptroller’s Office, we reserve the right to limit discussion and limit attendance at these meetings.
We ask the auditee to provide a written response to our report and recommendations, and to describe the actions it plans to take on any findings or recommendations the audit made. Since the audit report is addressed to the Erie County Legislature, this response should be addressed to the Erie County Legislature. Traditionally, the auditee has thirty days from the date of the report to issue their response to the Legislature.
We will summarize in the final audit whatever oral comments were made by the auditee at the Exit Conference.
If we disagree with an auditee’s comments, in sum or in part, we maintain the right to explain why we disagree.
The auditee will receive a copy of the final report on the day of its release. All audit reports are filed with the Erie County Legislature on the day of release.
Follow Up to the Audit Report
At various intervals after our report is issued, we will determine the current status of actions proposed by management in response to our recommendations. Our findings will be communicated to the responsible parties and we will issue an Audit Follow-Up Report to the Erie County Legislature and other parties as necessary.