2013 internal audit guide - draft (2)

Internal Audit Guide

2013 Edition

Insert specialized text or graphic here if desired

DRAFT

AASHTO Internal Audit Guide 2013 Edition Table of Contents

TABLE OF CONTENTS

CHAPTER 1 — INTRODUCTION 1.1 Overview ....................................................................................................................... 1 1.2 Why a Guide? ................................................................................................................ 1 1.3 Auditing Standards ........................................................................................................ 2 1.4 Engagements ................................................................................................................. 2

CHAPTER 2 — AUDITING STANDARDS

2.1 GAGAS ........................................................................................................................... 1 2.2 International Standards for the Professional Practice of Internal Auditing ................. 1 2.3 Comparison of IIA and GAGAS Standards ..................................................................... 2 2.4 References .................................................................................................................... 3

CHAPTER 3 — TYPES OF AUDITS

3.1 Overview ....................................................................................................................... 1 3.2 Types of Audits .............................................................................................................. 1 3.3 Attestation Engagements ............................................................................................. 3 3.4 Non‐Audit Services ........................................................................................................ 5 3.5 Consulting Services ....................................................................................................... 5

CHAPTER 4 — AUDIT RISK ASSESSMENT AND AUDIT PLAN 4.1 Overview ....................................................................................................................... 1 4.2 Identify Audit Universe or Auditable Units ................................................................... 1 4.3 Benefits of Auditable Units ........................................................................................... 1 4.4 Develop Permanent Files .............................................................................................. 2 4.5 Risk Assessment ............................................................................................................ 3 4.6 Risk Assessment Criteria ............................................................................................... 4 4.7 Consideration of Internal Controls ............................................................................... 5 4.8 Internal Control Weaknesses ........................................................................................ 5 4.9 Analysis of Internal Audit Resources ............................................................................ 6 4.10 Developing the Audit Work Plan ................................................................................... 7

CHAPTER 5 — INTERNAL CONTROL 5.1 Overview ....................................................................................................................... 1 5.2 COSO Categories ........................................................................................................... 1 5.3 COSO Cube .................................................................................................................... 2 5.4 Eight Components of COSO .......................................................................................... 2 5.5 COBIT ............................................................................................................................. 5 5.6 Plan and Organize (PO) ................................................................................................. 6 5.7 Acquire and Implement (AI) .......................................................................................... 6 5.8 Deliver and Support (DS) .............................................................................................. 7

AASHTO Internal Audit Guide 2013 Edition Table of Contents

5.9 Monitor and Evaluate (ME) ........................................................................................... 7 5.10 Understanding an Auditee’s Internal Controls ............................................................. 8 5.11 Documenting Internal Controls .................................................................................... 8 5.12 Internal control over Financial Reporting ..................................................................... 9 5.13 Evaluation of Internal Controls ................................................................................... 10 5.14 Classifying Internal Control Weaknesses for Reporting ............................................. 10

CHAPTER 6 — LAWS AND REGULATIONS 6.1 Hierarchy ....................................................................................................................... 1 6.2 Administrative Requirements ....................................................................................... 2 6.3 Cost Principle Requirements ......................................................................................... 2 6.4 OMB Circular A‐133 ...................................................................................................... 3 6.5 Catalog of Federal Domestic Assistance ....................................................................... 3

CHAPTER 7 — GENERAL AUDIT PROGRAM 7.1 Purpose and Scope........................................................................................................ 1 7.2 Phases ........................................................................................................................... 1

PRACTICE AIDS PA‐1 Disadvantaged Business Enterprise (DBE) Initial Certification Process

GLOSSARY

AASHTO Internal Audit Guide 2013 Edition Chapter 1 Page 1

Chapter 1 – Introduction

1.1—OVERVIEW This guide was developed by an American Association of State Highway and Transportation Officials (AASHTO) Audit Subcommittee task force of state transportation auditors with input from various Federal partners. This guide contains a broad overview of State Transportation Agency (STA) engagements, with more detailed practice aids attached as appendices. STAs have the same overall mission, but are structured differently among the United States. Most STAs have internal auditors, external auditors, and inspector generals. Some are their own offices and some are a part of another office. This Guide focuses on internal auditing groups. The Institute of Internal Auditors defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes} 1.2—WHY A GUIDE? An essential role of government is the stewardship and oversight of public expenditures. STAs, in particular, state DOT audit groups provide the stewardship and oversight of Federal‐aid and State funded transportation programs. As government transportation expenditures grow and budgets and staffing shrinks, the stewardship and oversight process for transportation programs must be enhanced. The purpose of this internal audit guide is to provide a tool that can be used by individual STA internal auditors that perform audits of transportation processes and programs. This guide is intended to help individual auditors understand processes, terminology, policies, audit techniques, and sources for laws and regulations. The guide’s objective is to lay out the audit universe in a general sense and identify and report on the following items: Internal Controls

Risk Assessment

Compliance with applicable laws and regulations

Federal programs

Innovative Financing

Effective use of resources


1.3—AUDITING STANDARDS STA audit groups follow basically two sets of auditing standards – Generally Accepted Government Auditing Standards (GAGAS) issued by the Comptroller General of the United States, and the Institute of Internal Auditors (IIA) standards for internal audit. We will discuss the different auditing standards in the next chapter. When necessary, internal auditors obtain additional guidance from standards issued by the American Institute of Certified Public Accountants (AICPA) and the Institute of Internal Auditors (IIA). 1.4—ENGAGEMENTS Internal auditors perform a variety of engagements, ranging from attestation engagements consisting of reviews, examinations, and agreed‐upon procedures, to performance audits. STA internal auditors may be responsible for: Reviewing STA internal controls to ensure they are adequately designed and are functioning

properly

Reviewing STA programs and processes to ensure they comply with applicable federal and state laws and regulations as well as STA policies and procedures

Reviewing STA processes to ensure they operate effectively and efficiently

Reviewing programs to ensure that management has adequately safeguarded STA assets and used taxpayer resources properly

Reporting to the head of the STA or governing body and management, noting any weaknesses or areas of improvement


Chapter 2 – Auditing Standards

2.1—GAGAS Generally Accepted Government Auditing Standards (GAGAS) produced by the Government Accountability Office (GAO) contains requirements and guidance for entities conducting government audits within the United States. Professional auditors must follow these standards when conducting financial audits of government and non‐profit organizations receiving federal funds subject to the audit requirements of U.S. OMB Circular A‐133 – Audits of States, Local Governments, and Non‐Profit Organizations. In the United States, GAGAS is also required to be used by federal inspectors general and by many state and local government auditors and some internal auditors, as well as CPA firms when conducting single audits and other government audits. In addition, many auditors and audit organizations choose to voluntarily perform their work in accordance with GAGAS. GAGAS contains requirements for financial audits, attestation engagements and performance audits. Many government audit organizations internationally use GAGAS as guidance when conducting financial and performance audits, even when there is no specific legal requirement to do so. 2.2—INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL

AUDITING For internal auditors, there is another set of standards, the International Standards for the Professional Practice of Internal Auditing, produced by the International Internal Audit Standards Board. Internal auditors throughout the world use these standards. Certified Internal Auditors are required to follow the IIA Standards, and anyone who wishes to state their audits are conducted in accordance with IIA Standards must follow the IIA Standards. The IIA Standards are divided between Attribute and Performance Standards. “Attribute Standards address the attributes of organizations and individuals who perform internal auditing. The Performance Standards describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured.” Some government organizations conduct their engagements in accordance with both the IIA Standards and GAGAS. The IIA Standards are often implemented along with the performance audit requirements of GAGAS (chapters 1‐3, 6 and 7). While GAGAS is used for conducting government audits by both external and internal audit organizations, it contains some specific requirements and guidance related to internal auditors and internal audit organizations. Each STA should determine which standards they follow and document that as part of their policies and procedures. Some STAs have laws that require they follow one of the two standards and some states require their agencies to follow both.


2.3—COMPARISON OF IIA AND GAGAS STANDARDS The Institute of Internal Auditors (IIA) provides a comparison of the IIA and GAGAS Standards1 https://na.theiia.org/Pages/IIAHome.aspx. GAGAS is commonly referred to as “Yellow Book” and IIA Standards are commonly referred to as “Red Book.” The following is a list of some of the most notable differences between the standards: Each starts from a different definition of auditing and auditors

GAGAS emphasizes accountability; IIA emphasizes governance, risk and controls to add

value

IIA requires an internal audit charter; GAGAS does not

GAGAS discourages non‐audit consulting services, noting that they could compromise objectivity and independence; The IIA recognizes consulting as a service that internal auditors provide to their organizations and have established ‘consulting standards’. The IIA defines consulting services to include counsel, advice, facilitation and training but states services must be provided without assuming any management responsibility for them.

Under GAGAS, auditors must document consideration of independence; IIA has no formal requirement to document independence however, the IIA Standards require internal auditors to have independence and states an auditor “must have an impartial, unbiased attitude and avoid any conflict of interest.” The Standards also require “Organizational Independence” and provides definitions of “Independence” and “Objectivity.”

GAGAS requires external peer reviews every three years; IIA requires external peer reviews every five years

GAGAS defines three types of assurance engagements: Financial, Attestation and Performance; IIA discusses assurance services but focuses on the auditor’s work and governance, risk assessment and controls

IIA requires the development of an audit universe and annual work plan; GAGAS has no such requirement

Under GAGAS, auditors write ‘findings’ when fraud, abuse, internal control weaknesses and noncompliance are found; IIA requires auditors to “communicate engagement results and where appropriate, the communication must contain the internal auditor’s opinion and/or conclusions.” These results must include issues of fraud, abuse, internal control weaknesses and noncompliance. Each issue noted must include the condition, criteria, cause and effect.


GAGAS requires 80 hours of CPE every two years; IIA Standards state, “Internal Auditors

must enhance their knowledge, skills, and other competencies through continuing professional development” but it does not specify a required number of hours for non‐certified members. However, Certified Internal Auditors are required to have a minimum of 40 hours of continuing education every year. Certified Government Auditing Professionals are required to have 25% of their hours in government related training.

2.4—REFERENCES The Institute of Internal Auditors, Supplemental Guidance: IIA International Standard for the Professional Practice of Internal Auditing/ Government Accountability Office Government Audit Standards (GAGAS)/ A Comparison, 2nd Edition Leita Hart‐Fanta, CPA, CGFM, CGAP, For the Orange, April 9, 2013


Chapter 3 – Types of Audits

3.1—OVERVIEW This chapter describes the different types of government audits, attestation engagements and other non‐audit services provided by internal audit organizations. This description is not intended to limit or require the types of services that may be conducted. In conducting the services described in this chapter, the auditors should follow the applicable standards adopted by their STA.

3.2—TYPES OF AUDITS Financial audits provide an independent assessment of whether an entity’s reported financial statements are presented fairly in all material respects in conformity with an acceptable financial framework. Other objectives of financial audits, which provide for different levels of assurance and entail various scopes of work, may include:

Providing an opinion for specified elements, accounts, or items of a financial statement.

Reviewing interim financial information.

Issuing letters for underwriters and certain other requesting parties.

Reporting on the processing of transactions by service organizations.

Auditing compliance with applicable requirements relating to governmental financial assistance.

Financial audits for States, local governments and non‐profit organizations are generally performed through the Single Audit process by outside entities. In addition, many STAs have “external audit” groups that conduct financial related audits of architectural and engineering firms to provide assurance that their indirect cost rates are developed in compliance with federal requirements.

Performance audits are objective and systematic examinations of evidence against specific criteria in order to provide an independent assessment of management’s performance. Performance audits provide an objective analysis to assist management and those charged with governance and oversight in using the information to improve program performance and operations, reduce costs, facilitate decision making by parties with responsibility to oversee or initiate corrective action, and contribute to public accountability. Performance audit objectives vary widely and include assessments of program effectiveness, economy, and efficiency; internal control; compliance; and prospective analyses. These overall objectives are not mutually exclusive. Consequently, a performance audit may have more than one objective.

Program effectiveness and results audits are frequently interrelated with economy and efficiency audits. Audit objectives that focus on program effectiveness and results typically measure the extent to which a program is achieving its goals and objectives. Audit objectives that focus on economy and efficiency address the costs and resources used to achieve program results.


Examples of program effectiveness and results audits include assessing: The extent to which legislative, regulatory, or organizational goals and objectives are being

achieved. Outcomes should support the objectives of the program.

The relative ability of alternative approaches to yield better program performance or eliminate factors that inhibit program effectiveness.

The relative cost and benefits or cost effectiveness of program performance.

Whether a program produces results or effects not intended by the objectives.

The extents to which programs duplicate, overlap, or conflict with other programs.

Whether the audited entity is following sound procurement practices.

The validity and reliability of performance measures concerning the program’s effectiveness and results or economy and efficiency.

The reliability, validity, or relevance of financial information related to the performance of a program.

Whether the outcomes achieved the objectives of the program.

Internal control audits are an assessment of one or more components of an organization’s system of internal control. They are designed to provide reasonable assurance of achieving effective and efficient operations, reliable financial and performance reporting, or compliance with applicable laws and regulations. Internal control objectives also may be relevant when determining the cause of unsatisfactory program performance. Internal controls include the plans, policies, methods, and procedures used to meet the organization’s mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations, and management’s system for measuring, reporting, and monitoring program performance. Examples of audit objectives related to internal control include the extent to which a program provides reasonable assurance that: Organizational missions, goals, and objectives are achieved effectively and efficiently.

Resources are used in compliance with laws, regulations, or other requirements.

Resources are safeguarded against unauthorized acquisition, use, or disposition.

Management information and public reports that are produced, such as performance measures, are complete, accurate, and consistent to support performance and decision‐making.

Security over computerized information systems will prevent or detect unauthorized access.

Contingency planning for information systems provide essential back‐up to prevent unwarranted

disruption of activities and functions the systems support.


Compliance audits are assessments of compliance with criteria established by provisions of laws, regulations, contracts, grant agreements, internal policies, or other requirements that could affect the acquisition, protection, use, and disposition of the entity’s resources and the quantity, quality, timeliness, and cost of services the entity produces and delivers. Compliance requirements can be either financial or nonfinancial. Audit organizations also perform prospective analysis audits. These audits provide analysis or conclusions about information that is based on assumptions about events that may occur in the future, along with possible actions that the entity may take in response to future events. Examples of objective pertaining to these audits may include: Assessing program or policy alternatives, including forecasting program outcomes under various

assumptions.

Assessing the advantages and disadvantages of legislative proposals.

Analyzing views of stakeholders on policy proposals for decision‐makers.

Identifying best practices for uses in evaluating program or management system approaches, including financial and information management systems.

Producing high‐level summary or a report that affects multiple programs or entities on issues studied or under study.

Information technology audits include the evaluation of internal controls related to the development, operation, maintenance, and management of the information technology environment, infrastructure, and data. Some of the areas addressed include: governance of policy and process documentation; physical and logical security; application and infrastructure assets; monitoring; and business continuity/disaster recovery. IT audits are becoming increasingly important as record keeping processes are automated. When an information system is significant to the audit objective, the audit should include an evaluation of the information technology controls to provide reasonable assurance that the information being processed and produced by the system is valid and reliable. Follow‐up audits are generally conducted a few months after an audit report has been issued. They are designed to test the status and evaluate the effectiveness of corrective actions taken on audit issues reported in prior released reports. 3.3—ATTESTATION ENGAGEMENTS There are three types of attestation engagements: Examination

Examinations consist of obtaining sufficient evidence to express an opinion on whether the subject matter is based on or in conformity with the criteria in all material respects or the


assertion is presented or fairly stated, in all material respects, based on the criteria. Examinations provide the highest level of assurance outside of an audit. Since assurance is provided in an examination, the risk of undetected material misstatement must be reduced to a tolerable amount.

Review

Reviews consist of performing sufficient testing to express a conclusion about whether any information came to the auditors’ attention that indicates the subject matter is not based on or in conformity with the criteria in all material respects. The auditor may conclude the assertion is not presented, in all material respects, based on the criteria. Reviews provide negative assurance. Negative assurance means that nothing came to the auditors’ attention that would lead them to believe the subject matter did not conform to the criteria.

Agreed‐upon procedures.

Agreed upon procedures consist of performing specific procedures on a subject matter and issuing a report of findings based on the agreed upon procedures. The auditors do not express an opinion about the subject matter but issue a report of findings based on specific procedures performed on the subject matter. The subject matter for the attestation engagements may take many forms, including historical or prospective performance or condition, physical characteristics, analyses, system processes and behavior. Attestation engagements may cover a broad range of financial or non‐financial subjects and can be part of a performance review. Possible subjects of attestation engagements can include reporting on: An entity’s internal control over financial reporting. An entity’s compliance with requirements of specified laws, regulations, rules, contracts

or grants. The effectiveness of an entity’s internal control over compliance with specified

requirements, such as those governing the bidding for, accounting for, and reporting on grants and contracts.

Management’s discussion and analysis presentation. Prospective financial statements or pro‐forma financial information. The reliability of performance measures. Final contract cost. Allowability and reasonableness of proposed contract amounts and specific procedures

performed on a subject matter (agreed‐upon procedures).


3.4—NON‐AUDIT SERVICES Internal audit organizations may provide non‐audit services. These types of services are generally performed at the discretion of the head of the audit organization, requested by management of a bureau or division within the transportation entity, or for an oversight body or independent external organization. These services generally do not impair the auditors’ independence. Examples of different types of non‐audit services include the following: Gathering and providing information to a requesting party without providing an evaluation

or verification of the information.

Providing advice on potential improvements of standards, methodologies, policies, procedures and internal control.

Providing assistance and technical expertise to legislative bodies or developing questions for the use at legislative hearings.

Compiling or reviewing financial statements, rates or other information to assist entities and management officials.

Advising an entity regarding its performance of internal control assessments.

Providing advice to management officials to help them identify good business practices.

Providing audit, investigative, and oversight‐related services that do not involve an audit (but which could be performed as an audit, if the audit organization elected to do so):

Investigations of alleged fraud, embezzlement, violation of contract provisions or grant agreements, or abuse.

Review level work such as sales or gas tax reviews that are designed to determine whether the transportation entity is receiving the appropriate tax amount from merchants and vendors.

Reviewing the collection of fees for overweight permits or signs to ensure the funds collected by the transportation entity are being deposited into the entity’s fund correctly.

3.5—CONSULTING SERVICES Consulting services are advisory services provided by an Internal Audit group to the STA. They are services that are provided other than specific audit work, that are intended to add value and improve the organization’s governance, risk management, and control processes. Consulting services include counsel, advice, facilitation, or training regarding issues such as internal controls, compliance, governance and risk management. Consulting may come in the form of informal or formal consulting services.


Informal consulting services generally consist of meeting with STA management and staff to discuss issues and requirements and provide advice. Generally no formal documentation of these services is required. It might consist of discussing with management or staff where they can find information regarding certain requirements or explaining how the requirements are generally viewed by an auditor. It may include an explanation or training on the types of internal controls or their use.

Formal consulting comes in the form of a special project and requires documentation to support the services. The extent of the documentation required to support the services will depend upon the scope of the project and the work performed. However, sufficient evidence must be obtained to support any conclusions that are made.


Chapter 4 – Audit Risk Assessment and Audit Plan 4.1—OVERVIEW

This section describes general steps for developing a STAs Audit Risk Assessment and Work Plan. The audit plan is usually developed on an annual basis but should be considered a living document that will change and grow. Most audit plans are works in progress and schedules change to meet department needs. A new program, department realignment/reorganization, or unexpected occurrences may change management’s needs, shifting some audits to higher priority status and inserting audits of new programs. The audit plan should be based upon the risks of the organization. The internal audit manager should prioritize the internal audit work based upon the risks of the various areas of responsibility of the STA. 4.2—IDENTIFY AUDIT UNIVERSE OR AUDITABLE UNITS

In order to determine appropriate audit coverage, the internal audit manager, with input from executive management, should identify the auditable units within the STA. This enables internal audit to link the Internal Audit Plan to the STA risks based upon the primary owner of the process. Any additional areas responsible for completion of that particular process should also be identified within the auditable units. This process is a vital component of the risk assessment process and consists of dividing the entire STA into various control areas that cover all responsibilities and functions of the STA. The key to maintaining a good schedule of auditable units is to periodically verify that there have been no changes or additions to the auditable units. he auditable units should be updated to reflect any changes in structure, functions or responsibility on at least an annual basis. When responsibility changes occur, historic data should be retained to reflect the previous responsibilities and audit coverage that was given.

Once identified, audits performed and scheduled for each auditable unit can be tracked to ensure regular reviews and audits are performed as necessary. This will also assist in developing the audit plan based on length of time since last audit and ensure that all auditable units are considered in the audit plan. Some auditable units, however, may be low risk and not receive an audit due to limited internal audit resources. The limited internal audit resources should be scheduled for areas of the department which pose the highest risk.

Using the identified audit universe, prepare a matrix of audits performed for each auditable unit. It is helpful to maintain at least three to five years of data to facilitate scheduling future audits.

4.3—BENEFITS OF AUDITABLE UNITS

There are many benefits to developing the auditable units of the STA. These include, but are not necessarily limited to, the following:


Provides the framework for monitoring the internal control structure of the STA by

operational area and provides the foundation for the risk assessment process.

Allows Internal Audit to communicate with each Division or Office of the STA in a

standardized manner to monitor the STA’s internal controls.

Provides a mechanism for confirming whether all processes have been captured.

Provides a means for monitoring historic audit coverage for all functions and activities of

the STA.

Demonstrates compliance with the Standards and laws that may govern the internal audit

function.

Considered an Internal Audit best practice.

4.4—DEVELOP PERMANENT FILES

A Permanent File is a useful tool to assist with the audit process. It provides basic and historic information for Internal Audit in assessing auditable units. These files are generally created as part of the audit process, but may be created separately as time allows. This helps provide a starting point not only for the Internal Audit Plan Risk Assessment but also for audit specific Risk Assessments. It is also a primary source of information for the internal auditor assigned to a particular audit. Permanent files must be updated as changes occur in order for them to be useful. Suggested information for permanent files include, but are not necessarily limited to, the following: Applicable Statutes, Rules & Regulations;

Policies and Procedures, Manuals, Guidelines;

Prior Audits‐ External, Internal, Federal that relate to the area;

Internal Control Certifications;

List of Information Technology Systems Used;

Interview Notes;

System Narratives.


4.5—RISK ASSESSMENT

Internal Audit should develop procedures to be followed each year in performing the STA’s audit risk assessment. Management input should be one of the factors considered. Internal Audit should consider holding meetings with various levels of management to gain a further understanding of the risks and controls of the auditable units. Internal Auditors are the internal control and risk management experts in their agency. Use audit planning as an opportunity to educate and increase management’s understanding of the Internal Audit function and the risk assessment process and ensure that there is a common understanding of definitions. A risk assessment questionnaire could be provided to management to assist them in determining their sections’ risks and needs. The risk assessment questionnaire might include the following: Any changes to the Auditable Units;

New Programs or Initiatives;

Rapid growth or significant increases in funding or expenditures;

Turnover of Key Management or Key Personnel;

Reviews or audits by a Federal Agency: e.g. FHWA, FTA, FRA, FAA, NHTSA, FMCSA, GAO;

Media exposure;

Law changes;

Administrative Rule changes;

Information technology that was developed or had major modifications in the last year or

any that are currently in process or planned;

Any fraudulent activity, improper conduct, blatant disregard for procedures, suspected or

improper use of assets or State resources;

Any processes or programs they would like internal audit to review;

Rank what they consider to be the five most significant areas or processes for which they

are responsible.

Meetings should be scheduled with Executive Management and the Audit Committee, if applicable, to obtain their audit requests and areas of concern they would like considered. Consider informal sources of audit requests, such as, concerns noted in conversations and emails from STA staff members, anonymous tips, and auditor observations and concerns noted in other audits. Perform risk assessments on all the auditable units to determine priorities


taking into consideration any audit requests that are received. Each year, new audit requests may be added and a risk assessment conducted to prioritize and insert new requests into the ongoing list.

4.6—RISK ASSESSMENT CRITERIA A formal risk assessment should be developed which includes various criteria deemed significant to the STA. Criteria may include, though are not limited to, the following: Revenues/Expenditures

Federal responsibilities/requirements

Legal responsibilities/requirements

Public impact or exposure

Impact to the STA

Management needs

Date of last audit

Prior experience with auditee

Inherent risk factors (high activity, high volume, complexity of operations, dollar value of

assets, etc.)

Potential for fraud (improper conduct, suspected misuse, improper use of assets, blatant

disregard for procedures)

Strength of internal controls

Reported problems on last audit, external audit or USDOT Reviews

Potential efficiency improvements

New programs, initiatives or activities

Change in key personnel

New IT systems or major changes to IT systems key to department

Estimated audit time


4.7—CONSIDERATION OF INTERNAL CONTROLS To achieve the objectives of the agency, management must sometimes place assets at risk. It is management's responsibility to decide how much and what risk it is willing to accept to achieving the objectives of the agency. Management mitigates risks and ensures that management’s objectives are met through the use of internal controls.

Identifying and assessing threats helps management recognize vulnerabilities in the Internal Control System. Based on this information, management can provide appropriate controls to mitigate risk. The Internal Auditor should consider these areas during their meeting with management in assessing which programs and functions pose the highest risk to the agency and should therefore receive internal audit coverage first. Some common threats include the following: Management Override ‐ Controls are readily set aside at the option of management or

personnel.

Optional or Incomplete Controls‐ Controls that say “may” or those that give options without

guidance for making decisions on how to proceed are not effective. Clear direction

regarding the choice should be made.

Form Over Substance ‐ Controls appear to be well designed but are ineffective or miss their

intended mark.

Conflicts of Interest ‐ Causes personnel to place their interest above that of the

organization.

Access to Assets ‐ Having improper or unauthorized access to assets can result in theft,

misuse or abuse.

Inadequately Trained or informed Personnel‐ Personnel not understanding the reason or

necessity for a particular control or the desired result may not properly execute the

necessary steps.

4.8—INTERNAL CONTROL WEAKNESSES Another key component of this process is gaining an understanding of why internal control weaknesses occur. Understanding these weaknesses helps management monitor for appropriate and effective internal controls. Internal Audit should consider these factors and whether they exist as they walk through the risk assessment process with management. Some common reasons internal control weaknesses occur may include the following: The process becomes routine due to familiarity and steps in the process to be overlooked;


Information concerning a law, rule or procedure was not communicated to an employee;

Employees not properly trained or instructed;

Personnel not knowledgeable in the importance of a step or process and its impact on

another area;

Confusion over who is responsible (each area incorrectly thinks the other is handling the

process);

Time constraints;

Inadequate resources devoted to the process;

Employees unknowingly overlooked something;

Personnel are comfortable with the current process and resistant to change.

4.9—ANALYSIS OF INTERNAL AUDIT RESOURCES

To determine the number of internal audits to be scheduled, an analysis of available staff hours should be conducted. The Internal Audit Manager should consider the following in determining hours available: Total annual hours

Holidays

Annual leave

Sick leave

Training

Miscellaneous administrative

Other considerations might include: Additional annual leave for long‐term employees

Retirements/Resignations

Time required to replace employees who retire or resign


Furlough days

Extended use of leave (family & medical leave, military leave, disability, and sick leave)

Other types of reviews, consulting and non‐audit services

4.10—DEVELOPING THE AUDIT WORK PLAN

Based on the risk assessment and analysis of staff availability, an Audit Work Plan should be developed. Remember to include any needs for audit follow‐ups (e.g. 90 – 120 days). It may be helpful to develop two types of Audit Work Plans. One type would give a narrative describing the audit project. The second type would be a scheduling tool to assign auditors to each selected audit or review with audit time estimates across the twelve months. Another consideration for scheduling audits is the auditee’s schedule which may include deadlines or busy seasons. These factors as well as others specific to your STA should be taken into account when scheduling.

It may also be helpful to prepare a two‐year Audit Plan in order to assist with prioritizing audits and resources. However, the second year of the Internal Audit Plan is always given reconsideration at the time of the development of the next year’s two year plan. This is due to changes in circumstances and risks that may occur over the one‐year period since the plan was last developed.

Final meetings with the STA’s Chief Executive Officer and the Audit Committee, if applicable should be scheduled to obtain concurrence and approval of the proposed Audit Work Plan. Any scheduling concerns should be communicated at this same time.


Chapter 5– Internal Control 5.1—OVERVIEW

Internal control is a system implemented by an organization’s governing body/management that helps ensure that key financial, operational and regulatory business objectives are achieved. Internal control is affected by an entity’s management and other personnel and is not merely policy manuals and forms, but people at every level of an organization. Internal control is pervasive, impacting all aspects including people, process and technology. It can be expected to provide reasonable assurance, not absolute assurance, to an organization’s management.

This review guide adopts the internal control direction provided by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. In May 2013, COSO updated its Internal Control – Integrated Framework to take into account changes in the business environment and operations over the last 20 years. 5.2—COSO CATEGORIES

Internal control is broadly defined as a process, affected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three COSO categories:

Reporting ‐ related to the internal and external financial and nonfinancial reporting to stakeholders, encompassing reliability timeliness, transparency or other terms as established by regulators, standard setters, or the entity’s policies.

Compliance ‐ adhering to those laws and regulations to which the entity is subject, where non‐compliance could result in penalties, fines and/or negative impacts to reputation.

Operations ‐ addresses an entity’s basic business objectives, including performance and profitability goals and safeguarding of resources.

In assessing the design and operating effectiveness of internal controls, under the COSO framework, management also considers the following five components of internal control as depicted in the COSO “Cube”. If designed and operating effectively, controls within these five components in totality provide a framework for internal control. The 2013 Framework incorporates 17 principles that support these five components. For effective internal controls, the 2013 Framework requires that each of the five components and 17 relevant principles be present and functioning, and that the five components must operate together in an integrated manner. Present means that the components and relevant principles exist in the design and implementation of the system of internal control, and functioning means that the components and relevant principles continue to exist in the conduct of the system of internal control.


5.3—COSO CUBE (2013 EDITION)

5.4—FIVE COMPONENTS OF COSO 1. Control Environment

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. It is the foundation for all other components of internal control, providing discipline and structure.

The five principles relating to Control Environment are:

The organization demonstrates a commitment to integrity and ethical values.

The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.


2. Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. Risk assessment is the identification and analysis of relevant risks that could impact the achievement of the entity’s objectives, forming a basis for determining how the risks should be managed.

The four principles relating to Risk Assessment are:

The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

The organization considers the potential for fraud in assessing risks to the achievement of objectives.

The organization identifies and assesses changes that could significantly impact the system of internal control.

3. Control Activities

Control activities are the policies and procedures that help determine if management directives are carried out. They help facilitate the necessary actions required to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

The three principles relating to Control Activities are:

The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

The organization selects and develops general control activities over technology to support the achievement of objectives.

The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action.

4. Information and Communication

Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance‐related information, that


make it possible to run and control the business. They deal not only with internally generated data, but also information about external reporting. Effective communication must also occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.

The three principles relating to Information and Communication are:

The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

The organization communicates with external parties about matters affecting the functioning of internal control.

5. Monitoring Activities

Internal control systems need to be monitored (a process that assesses the quality of the system’s performance over time). This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The 2013 Framework distinguishes between a management review control as a control activity and a monitoring activity. A management review control that is a control activity responds to a specified risk and is designed to detect and correct errors. However, a management review control that is a monitoring activity would ask why the errors exist, and then assign the responsibility of fixing the process to the appropriate personnel.

The two principles relating to Monitoring Activities are:

The organization selects, develops, and performs ongoing and/or separate evaluation to ascertain whether the components of internal control are present and functioning.

The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

The COSO 2013 Framework becomes effective after December 14, 2014. However, application of the 2013 Framework may occur before that date.


5.5—COBIT

While COSO is commonly accepted as the internal control framework for organizations, COBIT is the accepted internal control framework for the information technology (IT) environment. Control Objectives for Information and related Technology (COBIT) was first released by the Information Systems Audit and Control Foundation (ISACF) in 1996 and has been updated to include current IT governance principles and emerging international, technical, professional, regulatory and industry specific standards. The resulting control objectives have been developed for application to organization‐wide information systems. Now in Edition 4.1, COBIT is intended to meet the multiple needs of management by bridging gaps between business risks, control needs and technical issues.

The COBIT framework is based on the following principle:

To provide the information that the organization requires to achieve its objectives, the organization needs to invest in and manage and control IT resources using a structured set of processes to provide the services that deliver the required organization information.

The COBIT framework identifies thirty‐four (34) IT processes and an approach to control over these processes. It provides a generally applicable and accepted standard for sound IT security and control practices to support management’s needs in determining and monitoring the appropriate level of IT controls for their organizations.

The COBIT framework is structured in four principle domains. Each domain includes unique processes which sum to the thirty‐four (34) IT processes discussed above. This structure serves as a process model for an enterprise to manage IT activities. 5.6—PLAN AND ORGANIZE (PO)

This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realization of the strategic vision needs to be planned, communicated and managed for different perspectives. A proper organization as well as technological infrastructure should be put in place. This domain addresses the following processes:

PO1‐‐‐Define a Strategic IT Plan

PO2‐‐‐Define the Information Architecture

PO3‐‐‐Determine Technological Direction

PO4‐‐‐Define the IT Processes, Organization and Relationships

PO5‐‐‐Manage the IT Investment

PO6‐‐‐Communicate Management Aims and Direction


PO7‐‐‐Manage IT Human Resources

PO8‐‐‐Manage Quality

PO9‐‐‐Assess and Manage IT Risks

PO10‐‐Manage Projects 5.7—ACQUIRE AND IMPLEMENT (AI)

To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure the solutions continue to meet business objectives. This domain addresses the following processes:

AI1‐‐Identify Automated Solutions

AI2‐‐Acquire and Maintain Application Software

AI3‐‐Acquire and Maintain Technology Infrastructure

AI4‐‐Enable Operation and Use

AI5‐‐Procure IT Resources

AI6‐‐Manage Changes

AI7‐‐Install and Accredit Solutions and Changes

5.8—DELIVER AND SUPPORT (DS)

This domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities. It addresses the following processes:

DS1‐‐‐Define and Manage Service Levels

DS2‐‐‐Manage Third‐Party Services

DS3‐‐‐Manage Performance and Capacity

DS4‐‐‐Ensure Continuous Service

DS5‐‐‐Ensure Systems Security

DS6‐‐‐Identify and Allocate Costs

DS7‐‐‐Educate and Train Users


DS8‐‐‐Manage Service Desk and Incidents

DS9‐‐‐Manage the Configuration

DS10‐‐Manage Problems

DS11‐‐Manage Data

DS12‐‐Manage the Physical Environment

DS13‐‐Manage Operations

5.9—MONITOR AND EVALUATE (ME)

All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses performance management, monitoring of internal control, regulatory compliance and governance. It addresses the following processes:

ME1‐‐Monitor and Evaluate IT Performance

ME2‐‐Monitor and Evaluate Internal Control

ME3‐‐Ensure Compliance with External Requirements

ME4‐‐Provide IT Governance 5.10—UNDERSTANDING AN AUDITEE’S INTERNAL CONTROLS

The auditor’s understanding of the client’s internal control is usually gained through the following procedures:

Prior experience with the entity

This can be a major source of audit efficiency in recurring audits. Because systems and controls usually don’t change frequently or significantly from year to year, information obtained by the auditor in previous audits of the entity can be updated and carried forward to the current year’s audit.

Inquiries of management, supervisory, and staff personnel within the entity

The auditor may inquire about the types of accounting documents used to process sales transactions and about the entities control activities that have been placed in operation for authorizing a credit sale, for example.

Observation of client activities and procedures

The auditor can observe client personnel in the process of preparing accounting records and document and carrying out their assigned accounting and control functions.


Inspection of accounting documents and records

By inspecting actual, completed documents and records, the auditor can better understand their application to the entity’s internal control. The auditor may wish to obtain copies of sample documents used by the entity for inclusion in the permanent file.

Entity’s policy and system manuals

This includes both (1) policy manuals and documents, and (2) system manuals and documents, such as an accounting manual and an organization chart.

5.11—DOCUMENTING INTERNAL CONTROLS

The auditor documents their understanding of internal controls to:

Provide evidence of the understanding of the design of significant processes.

Identify key risks within the process.

Identify controls that would prevent or detect errors from occurring within the process.

Identify control gaps and process improvement opportunities.

This documentation may take several forms such as:

Flowcharts – A diagram that shows step‐by‐step progression through a procedure or system

especially using connecting lines and a set of conventional symbols. The purpose of

flowcharting is to:

Be a tool for analyzing processes.

Break down processes into individual events and activities, usually by process or event

owner.

Identify interdependencies across the business.

Link system and manual activities.

Identify control gaps, segregation of duties problems and inefficiencies.

Narratives – A document that describes a process or transaction flow using words rather

than a pictorial representation. The purpose of a narrative is to:

Provide evidence of understanding of a process.

Identify and document key risks, controls and control gaps.

Confirm understanding with the process owner.

Provide knowledge that can be used in future years by other employees.


Walkthrough – A document that traces one representative transaction through a process

from beginning to end. The purpose of a walkthrough is to:

Confirm understanding of the significant flow of transactions.

Confirm understanding of the relevant controls.

Confirm that relevant controls have been placed in operation.

Confirm process documentation.

Internal Control Questionnaire – Designed to identify basic control issues and is used as a guide

for improving and/or implementing good business practices and complying with policies and

procedures.

5.12—INTERNAL CONTROL OVER FINANCIAL REPORTING

Auditors must understand the concepts of internal control, specifically internal control over financial reporting. The AICPA’s Statement on Auditing Standards No. 115, requires auditors to evaluate whether internal control deficiencies identified are significant deficiencies or material weaknesses, as they relate to financial reporting reliability. In addition, the conclusion that significant internal control deficiencies or material internal control weaknesses should be communicated in writing to management and the entity’s governing body.

A sound system of internal control over financial reporting includes control design and operating effectiveness to provide reasonable assurance that the entity’s financial statements are fairly presented in accordance with Generally Accepted Accounting Principles.

Internal controls over financial reporting are evaluated based on the auditor’s risk assessment procedures to determine whether controls are designed adequately and operating effectively to provide reasonable assurance of financial reporting reliability. The entity’s ability to prevent and detect financial misstatement is evaluated and determines whether a significant deficiency or material weakness exists. 5.13—EVALUATION OF INTERNAL CONTROLS

Auditors can verify if controls are implemented as designed through testing, reviews, observations and analytical procedures. Auditors can determine the validity and accuracy of transactions as well as determine compliance with applicable rules, laws and procedures and assess the adequacy of existing controls. Evaluation tools include:

Testing by Statistical Sampling – focuses on sampling techniques that provide assurance

based on sampling risk that the auditor and stakeholders deem acceptable.

Testing by Direct Sampling – focuses more closely on specific transactions or certain types

of transactions. Can be used when the population under review is not homogeneous.


Reviews/Interviews – used when the performance of a process does not lend itself to

normal testing procedures.

Observation – looks at actual practices to see if appropriate controls are actually in place

and working.

Analytical Procedure – takes information as a whole and applies some set standard, analysis

or comparison.

5.14—CLASSIFYING INTERNAL CONTROL WEAKNESSES FOR REPORTING

Upon determining that controls are inadequately designed or implemented, auditors shall communicate the weakness to management based upon the likelihood and magnitude of the concern. This communication may be verbal, written via an informal management letter, or formally such as in the audit report. The matrix below can help auditors determine how or where to report the weakness to management.

Likelihood of Misstatement

or Error

Magnitude of Misstatement (or Error) that Occurred or Could Occur

Inconsequential More than

Inconsequential but Less than Material

Material

Remote

Not a significant deficiency or material weakness

Do not report


Report informally, verbally or via management letter



More than remote



Significant deficiency

Report formally, via audit report

Material weakness

Report formally, via audit report


Chapter 6 – Laws and Regulations 6.1—HIERARCHY

There is a hierarchy of law that all State DOTs must understand and follow. The United States Code (U.S.C.) is the codification by subject matter of general and permanent laws of the United States as passed by Congress and is specific to each Federal agency. The U.S.C. is further detailed in specific statutes like Safe, Accountable, Flexible, Efficient Transportation Equity Act: A Legacy for Users (SAFETEA‐LU) or Moving Ahead for Progress in the 21st Century Act (MAP‐21). The Code of Federal Regulations (CFR) are programmatic and administrative requirements created by individual Federal agencies as an interpretation and clarification of U.S.C. In addition to U.S.C. and CFRs, individual Federal Agencies will also have guidance to further explain how to carry out statutes and federal regulations.

OMB CIRCULARS

FEDERAL AGENCY GUIDANCE

CODE OF FEDERAL REGULATIONS, 49 and 23 CFR

US CODE, 49 and 23 USC

Federal Law

State Law


The specific regulatory information pertaining to transportations programs are listed below.

49 United States Code, Transportation (49 U.S.C.)

23 United States Code, Highways (23 U.S.C.)

6.2—ADMINISTRATIVE REQUIREMENTS Administrative requirements are guidance setting forth standards for obtaining consistency and uniformity in the administration of grants and agreement and are common to all federal grants. Administrative requirements are codified into the following two CFRs: 49 CFR Part 18 (A‐102), Grants & Cooperative Agreements with State & Local Governments,

establishes uniform administrative rules for Federal grants and cooperative agreements and sub‐awards to State, local and Indian tribal governments.

2 CFR Part 215 (A‐110), Uniform Administrative Requirements for Grants & Other Agreements with Institutes of Higher Education, Hospitals & Other Nonprofit Organizations, contains OMB guidance to Federal agencies on the administration of grants to and agreements with institutions of higher education, hospitals, and other non‐profit organizations.

It should be noted that administrative requirements include regulation on financial management systems, matching, non‐federal audits, sub‐awards to debarred or suspended parties, monitoring, record retention, etc. On the other hand, programmatic requirements address matters that can only be treated on a program‐by‐program basis. Examples of programmatic requirements are: Title VI of the Civil Rights Act of 1964 (23 CFR Part 200), Americans with Disabilities Act of 1990 (49 CFR Part 37), and Disadvantaged Business Enterprise (DBE) (23 CFR Part 230 Subpart A).

6.3—COST PRINCIPLE REQUIREMENTS

The cost principle requirements are used to determine if costs are allowable, not if they are eligible. A cost could be allowable but not eligible for a particular federal program. For example a boat may be considered an allowable cost per the cost principle however particular federal programs have deemed boats as not eligible as a project cost. Currently there are three different sets of cost principles depending on what type of entity is using the cost principles and are codified as follows:

2 CFR Part 225 (A‐87): Cost Principles for State, Local & Tribal Governments

This part establishes principles and standards for determining costs for Federal awards carried out through grants, cost reimbursement contracts, and other agreements with State and local governments and federally‐recognized Indian tribal governments (governmental units).


2 CFR Part 220 (a‐21): Cost Principles for Educational Institutions

This part established principles for determining costs applicable to grants, contracts, and other agreements with educational institutions.

2 CFR Part 230 (A‐122): Cost Principles for Nonprofit Organizations

This part establishes principles for determining costs of grants, contracts, and other agreements with non‐profit organizations.

Cost principles and procedures applicable to commercial organizations for pricing contracts, subcontracts and modifications to contracts whenever cost analysis is performed and during the determination, negotiation, or allowance of costs when required by a contract clause are codified in the following CFR:

48 CFR Part 31 (FAR 31): Federal Acquisition Regulations, Contract Cost Principles and Procedures

State DOTs rely on FAR Part 31 for guidance when negotiating costs and reviewing project proposals with engineering consultants.

6.4—OMB CIRCULAR A‐133

The Office of Management and Budget has rules for Federal government to follow and is under the direction of the President. OMB Circular A‐133, Audits of States, Local Governments & Nonprofit Organizations, sets forth standards for obtaining consistency and uniformity among Federal agencies for the audit of States, local governments, and non‐profit organizations expending Federal awards. Currently, if an entity receives $500,000 or more in total federal funding during a fiscal year, the entity is required to obtain an OMB Circular A‐133 audit from a qualified Certified Public Accountant (CPA). 6.5—CATALOG OF FEDERAL DOMESTIC ASSISTANCE

The Catalog of Federal Domestic Assistance (CFDA) contains detailed program descriptions for Federal assistance programs including type of assistance offered, the agency offering the assistance, contact information, and eligibility criteria.


Chapter 7 – General Audit Program

7.1—PURPOSE AND SCOPE

This program has the following major objectives:

Understand the organizations’ operations.

Understand the preliminary analytical procedures.

Identifying relevant risk factors.

Identifying significant compliance requirements.

Documenting the Internal Control Assessment.

7.2—PHASES

A. Preliminary Survey (Planning) Phase

01. Send an Engagement Letter to the Stakeholder(s).

02. Hold Team Brainstorming meeting including IT and Fraud employees when discussing IT issues and fraud, waste and abuse.

03. Review previous (internal and external) audit reports. Document findings in those reports for appropriate follow‐up. Identify reported weaknesses that have not been corrected.

04. Review background material to become familiar with the activities of the organization. Examples are:

Legislative rules

Administrative Code

State policies and procedures

Entity rules and regulations

Entity manuals

Federal Highway Regulations

Traffic Control Regulations

Internal or external Peer Review reports

Industry standards

Industry best practices

Mission, vision and goals

05. Obtain current organization chart.

06. Interview(s), surveys and face‐to‐face meetings with the organization personnel. Discuss the entity’s activities, any changes in the policy and procedures, employee turn‐over rate and general internal controls environment (performance goals, tracking/exception reporting, known issues, etc.).

07. Ask management if they are aware of any fraud, waste or abuse.

08. Obtain policies and procedures related to the major functions of the organization. Note any changes in rules, regulations, or laws since the last audit.

09. Prepare and send surveys or questionnaires to the entities’ customers.

10. Gain an understanding of key business processes. Document systems through a process map (flow chart) and/or narrative. Identify any potential control gaps and/or weaknesses, including opportunity cost of having too many controls.


11. Document your data analysis of the organizations’ operations including the following:

management and organization

factors affecting the organization

internal factors affecting the organization

accounting policies and issues

electronic data processing systems used in carrying out functions and activities.

strategic alignment

control design

identified themes

general & definable risk areas

internal environment / fraud risks

documentation reviewed

control design evaluation assessment (see appendix C)

risk assessment summary

in scope and out of scope areas

12. Validate the original objective(s) or refine your objective(s).

12. Present your scope to the CAE and receive approval to move forward. Coordinate with General Counsel, depending on audit focus and potential for litigation.

13. Develop a program step for each area of your scope that has compliance requirements. Summarize the requirements for testing and evaluating controls over compliance.

14. Develop specific audit procedures and sampling plans for audit objectives. (see appendix E for Items of Consideration)

15. Get work program approved.

16. Schedule and hold an Entrance Conference with Report Owners and/or key stakeholders, as appropriate.

B. Execution (Fieldwork) Phase

01. Complete audit tests and write up management comments / findings and observations identified during testing. Work papers should include, at a minimum, a purpose, source, scope and conclusion.

02. Hold weekly audit team status meetings to confirm project status, deliverables and prepare for weekly status meetings with entity management.

03. Provide continuous communication (weekly status meetings) with entity management on any identified problems or best practices.

04. Work with the entity to discuss recommendations and obtain management action plans to address risks identified in the findings.

05. Review team progress at the midpoint of your fieldwork. Ensure Audit management is aware of potential findings and observations.

06. Prepare draft audit report, including findings, management responses/action plans and audit engagement opinion, as applicable.

C. Closing (Reporting) Phase

01. Hold an Opinion Meeting with Audit Management to receive approval of findings, management responses/action plans and audit engagement opinion, as applicable.

02. Ensure all work papers are reviewed and approved.

03. Hold exit conference with entity.

04. After the CAE approves the draft report, send the approved draft report to General Counsel and the audit report owners/stakeholders, as applicable.

05. After concurrence and/or resolution of the returned comments, issue final audit report.

06. Complete final working paper sign‐offs.

07. Complete team performance evaluations, as related to engagement performance.

08. Track Management Action Plans and establish follow up engagements to confirm remediation of risks.

09. Complete internal quality assessment of the audit working papers.

PA‐1

AASHTO Internal Audit Guide 2013 Edition DBE Practice Aid Page 1

Disadvantaged Business Enterprise (DBE) Initial Certification Process

PA‐1


Program Description Participation of a State Transportation Agency (STA) in a Disadvantaged Business Enterprise Program (DBE) program is a requirement of receiving Federal‐aid highway funds, Federal transit funds, Federal aid funds and Federal airport funds 49 CFR 26.3. This Practice Aid focuses on the process for the initial certification of a business as a DBE. The CFR defines a DBE as a for‐profit business that is at least 51% owned by one or more individuals who are both socially and economically disadvantaged, or in the case of a corporation, at least 51% of the stock of the entity is owned by one or more socially and economically disadvantaged individuals. The management and daily business operations of the firm must also be controlled by one or more of the socially or economically disadvantaged owners of the firm. The DBE Program provides an opportunity for firms that meet specific eligibility requirements to participate in contracts funded by the United States Department of Transportation (USDOT) under its various programs for assistance for highway, transit, rail and airport programs. The certification of a firm as a DBE involves a review of applications and supporting documentation submitted by that firm. This information is assessed by the STA in order to determine the firm’s eligibility under the program. The objectives of the program are stated in the CFR as the following: A means to ensure nondiscrimination in the award and administration of USDOT assisted

contracts

Create a level playing field on which DBEs can compete fairly

Ensure that the DBE program is narrowly tailored in accordance with applicable law

Ensure only firms that fully meet eligibility standards participate in the program

Help remove barriers to participation, assist the development of firms so they can compete successfully

Provide appropriate flexibility to recipients of Federal financing assistance

Provide opportunities for DBEs.

In addition, 49 CFR part 26.81 requires that all recipients of Federal‐aid within a State implement a “one‐stop” certification process for DBEs. Therefore, if there is more than one entity in the State that certifies DBE participation, there must be a coordination of effort between all of those entities and an acceptance of the certification given by all of those entities regardless of which one performed the certification. A DBE must not be required to certify with each entity separately. As a result of this requirement, STAs create Unified Certification Programs, which governs and coordinates the DBE process for that State.

PA‐1


Statutes and Regulations Code of Federal Regulations (CFR) 49, Part 26 contains the Federal regulations pertaining to DBE programs. Specifically, 49 CFR, Part 26, Subpart D pertains to certification standards and 49 CFR Part 26, Subpart E pertains to the certification procedures that must be followed. Subpart E also identifies the requirements that pertain specifically to Unified Certification Programs.

PA‐1


Catalogue of Federal Domestic Assistance (CFDA#)

There is no specific CFDA# for this program as it is not a direct assistance program. However, the DBE program pertains to all Federal USDOT programs and therefore all USDOT programs listed in the CFDA relate to this program.

Scope and Objectives The scope of this engagement includes a review of the controls over the initial DBE certification process. AUDIT OBJECTIVES Specifically, the audit objectives are to determine whether internal controls were adequate to ensure: Firms certified as DBE firms met required Federal certification standards concerning group

membership or individual disadvantage, business size, ownership, and control. General rules pertaining to the DBE certification process were met. Required procedures for the certification process are followed. Written procedures were in place to provide for maintaining confidentiality of information

pertaining to DBE firms where applicable. Procedures fully incorporate Unified Certification Procedures (UCP). Objective A Determine whether internal controls were adequate to ensure firms certified as DBE firms met required Federal certification standards concerning group membership or individual disadvantage, business size, ownership, and control. 49 CFR 26.61. For a sample of DBE firms determine whether: Internal controls were adequate to ensure firms certified as DBE firms met required Federal

certification standards concerning group membership or individual disadvantage. Specifically:

DBE status was granted upon determination of both social and economic disadvantage at the time of certification 49 CFR 26.67 (b) (4).

An assessment of economic disadvantage was determined first.

Note: A determination that an individual is not economically disadvantaged automatically precludes award of DBE status 49 CFR 26.67 (b) (4); (d); however, an

PA‐1


individual that is not presumptively socially disadvantaged may still be determined to be socially disadvantaged based on criteria identified in 49 CFR Appendix E, 49 CFR 26.67 (d).

A signed notarized statement of membership in a presumptively disadvantaged group was included in the DBE file from one or more individuals who collectively own at least 51 percent of the firm and whose management and daily operations are controlled by one or more of those persons.

Note: According to 49 CFR 26.67 (a) (1) presumptively disadvantaged groups are women, Black Americans, Hispanic Americans, Native Americans, Asian‐Pacific Americans, Subcontinent Asian Americans, or other minorities found to be disadvantaged by the Small Business Administration (SBA).

An assessment was included in the DBE file as to the acceptability of the notarized

statement of membership in a presumptively disadvantaged group. Note: 49 CFR 26.63 (a)(1) requires that if there is a well‐founded reason to question an individual’s membership in that group, the STA must require the individual to present additional evidence of membership.

For each individual owner listed in the STA summary report a statement of personal net worth from each individual who collectively owns at least 51 percent of the firm was included in the DBE files that:

Was signed by the owner

Was notarized

Was mathematically correct

Was supported with appropriate supporting documentation.

Identified each owner’s personal net worth did not exceed $750,000 (49 CFR 26.67 (a) (2) (i); (ii)) ($1.32 million effective February 28, 2011. Note: 49 CFR 26.67 (a) (2) (ii) states, “This statement and documentation must not be unduly lengthy, burdensome, or intrusive.”

In addition:

Documentation was included in the DBE file that in assessing each individual’s net worth:

The individual’s ownership in the applicant firm was excluded 49 CFR 26.67 (a) (2) (iii) (A).

PA‐1


The individual’s equity in his or her primary residence was excluded (except any portion of such equity attributable to excessive withdrawal from the applicant firm) 49 CFR 26.67 (a) (2) (iii) (B).

Any contingent liabilities were excluded 49 CFR 26.67 (a) (2) (iii) (C).

Only the present value any assets held in vested pension plans, Individual Retirement Accounts, 401(k) accounts, or other retirement savings or investment programs less the tax and interest penalties that would accrue if the asset were distributed at the present time were included in the calculation of net worth 49 CFR 26.67 (2) (iii) (D).

Internal controls were adequate to ensure firms certified as DBE firms met required Federal

certification standards concerning business size. Specifically:

Tax returns were included in the DBE file to support that the firm was a for profit entity.

The DBE file includes documentation that the firm was a small business concern at the time of certification as follows:

The firm's average annual gross receipts over the firm's three previous fiscal years was calculated.

The firm's average annual gross receipts over the firm's three previous fiscal years did not exceed the overall small business gross receipts dollar limit during FY 2011. See 49 CFR 26.65 for requirements regarding this attribute.

The firm's annual receipts did not exceed the 2011 small business size limit for the firm's North American Industry Classification System (NAICS) code classification, and the (NAICS) code provided was consistent with the type of work approved to be performed by the firm as a DBE.

The number of persons employed at the firm did not exceed the FY 2011 small business size limit for the firm's NAICS classification, and the number of persons employed at the firm was compared to the 2011 small business size limit for the firm's NAICS classification.

Note: Whether a business is a “small business” is based upon its annual receipts, number of employees, and North American Industry Classification System (NAICS) code 13 CFR 121.201. For the DBE program, 49 CFR 26.65 (b) further restricts eligibility to those firms whose average annual gross receipts over the firm’s previous three fiscal years was 22.41 million or less. 49 CFR 26.65 (c) states the 22.41 million is to be adjusted by the United States Department of Transportation (USDOT) annually using Department of Commerce price deflators for purchases by State and local governments as the basis for this adjustment.


certification standards concerning business ownership.

PA‐1


Documentation was included in the DBE file that eligibility was determined by identifying ownership of socially and economically disadvantaged individuals as being:

In the case of a corporation, 51 percent of each class of voting stock outstanding and 51 percent of the aggregate of all stock outstanding 49 CFR 26.69 (b) (1).

In the case of a partnership, 51 percent of each class of partnership interest and that interest must be reflected in the partnership agreement 49 CFR 26.69 (b) (2).

In the case of a limited liability company, at least 51 percent of each class of member interest 49 CFR 26.69 (b) (3).

In the case of a parent or holding company established for tax, capitalization or other purposes consistent with industry practice, at least 51 percent cumulative ownership in the firm by the disadvantaged individuals through the parent or holding company 49 CFR 26.73 (e) (1); (2).

More than the pro forma ownership of the firm as reflected in the ownership documents 49 CFR 26.69 (c).

Note: This would include documentation that the individual participated in board decisions in the case of a corporation or that the individual participated in strategic business planning including plan approval and in the development and approval of business policy decisions affecting the firm as a whole rather than only for a particular business unit.

In instances where marital assets (other than the assets of the business in question) held jointly or as community property by both spouses are used to acquire ownership interest asserted by one spouse, a copy of the document legally transferring and renouncing the other spouse’s rights (in the manner sanctioned by the laws of the state in which either spouse or the firm is domiciled) to the jointly owned or community assets used to acquire the ownership interest in the firm was included as part of the firm’s application for DBE certification 49 CFR 26.69 (i) (1).

All owners listed in the STA summary report were listed in the application for DBE certification.

Documentation was included in the DBE file that it was determined that contributions of capital or expertise by the socially and economically disadvantaged owners to acquire their ownership interests were real and substantial 49 CFR 26.69 (e).

Specifically:

Capital contributed to acquire ownership interests was evidenced by:

Debt instruments from a financial organization that lends such funds in the normal course of business.

PA‐1


Personal account cash withdrawal from a depository account in a financial organization that accepts deposits in the normal course of business.

Owner's expertise used to acquire ownership interests in the firm met all of the following characteristics (i.e., the expertise was):

In a specialized field 49 CFR 26.69 (f) (1) (i) and

Of outstanding quality 49 CFR 26.69 (f) (1) (ii) and

In areas critical to the firm’s operations 49 CFR 26.69 (f) (1) (iii) and

Indispensable to the firm’s potential success 49 CFR 26.69 (f) (1) (iv) and

Specific to the work the firm performs 49 CFR 26.69 (f) (1) (v) and

Clearly documented in the records of the firm as to the contribution of expertise and its value to the firm 49 CFR 26.69 (f) (1) (vi).

Documentation was included in the DBE file that it was determined that contribution of capital or expertise by the socially and economically disadvantaged owners to acquire their ownership interests did not include:

A promise to contribute capital.

An unsecured note payable to the firm or an owner who is not a disadvantaged individual.

Participation in a firm’s activities as an employee rather than an owner. 49 CFR 26.69 (e).

Documentation was included in the DBE file that for the purposes of determining ownership by a socially and economically disadvantaged individual, all interests in the firm were not included that were obtained as the result of a gift or transfer without adequate compensation from any non‐disadvantaged individual or non‐DBE firm 49 CFR 26.69 (h).

Documentation was included in the DBE file that for the purposes of determining ownership by a socially and economically disadvantaged individual, that all interests in the firm were included that were obtained:

As a result of a final property settlement or court order in a divorce or legal separation, provided that no term or condition of the agreement or divorce decree is inconsistent with the requirements of 49 CFR 26.69 (49 CFR 26.69 (g) (1) or

Through inheritance, or otherwise because of the death of the former owner 49 CFR 26.69 (g) (2)

Documentation included in the DBE file identified that there was direct ownership in all securities that constitute the ownership of each of the individual owners listed in the STA summary report.

PA‐1


Note: A direct ownership is not required if:

A trustee that is the same individual as the beneficial owner or the trustee is another socially and economically disadvantaged individual 49 CFR 26.69 (d) (1).

A trustee that does not exercise effective control over the management, policymaking, and daily operational activities of the firm but rather the beneficial owner of the trust performs those activities 49 CFR 26.69 (d) (2).

Note: Assets held in a revocable living trust may be counted only where the same disadvantaged individual is the sole grantor, beneficiary, and trustee 49 CFR 26.69 (d) (2).


certification standards concerning business control.

Documentation was in included in the DBE file that the firm was determined to be an independent business (i.e., its viability does not depend on its relationship with another firm or firms) because:

Personnel, facilities, equipment, financial and/or bonding support, and other resources were not shared with a non‐DBE firm or firms 49 CFR 26.71 (b) (1).

There were no present or recent employer/employee relationships between the disadvantaged owner(s) of the potential DBE and non‐DBE firms or persons associated with non‐DBE firms that compromised the independence of the potential DBE firm 49 CFR 26.71 (b) (2).

There was a consistency of relationship between the potential DBE and non‐DBE firms within normal industry practice (49 CFR 26.71 (b) (3).

The firm was not subject to any formal or informal restrictions which limit the customary discretion of the socially and economically disadvantaged owners to prevent the socially and economically disadvantaged owners, without cooperation or vote of any non‐disadvantaged individual (excluding spousal co‐signature on documents as provided for in 49 CFR 26.69 (j) (2), from making any business decision of the firm such as through:

The corporate charter

By‐law provisions

Contracts

Cumulative voting rights

Voting powers attached to different classes of stock

Employment contracts

Requirements for concurrence by non‐disadvantaged partners

Conditions precedent or subsequent

PA‐1


Executory agreements

Voting trusts

Restrictions on assignment of voting rights 49 CFR 26.71 (c).

Documentation was in included in the DBE file that the socially and economically disadvantaged owners were determined to possess the power to direct or cause the direction of the management and policies of the firm and to make day‐to‐day as well as long term decisions on matters of management, policy, and operations because:

A disadvantaged owner held the highest officer position in the firm (e.g., chief executive officer or president) 49 CFR 26.71 (d) (1) and

For a corporation, disadvantaged owners controlled the board of directors 49 CFR 26.71 (d) (2) or

For a partnership, one or more disadvantaged owners served as general partners, with control over all partnership decisions 49 CFR 26.71 (d) (3) and

Individuals involved in the firm as owners, managers, employees, stockholders, officers, and/or directors who were not socially and economically disadvantaged did not possess or exercise the power to control the firm, or be disproportionately responsible for the operation of the firm 49 CFR 26.71 (e) and

Delegations of authority to various areas of the management, policymaking, or daily operations by socially and economically disadvantaged owners were revocable, and the owners retained the power to hire and fire any person to whom authority was delegated 49 CFR 26.71 (f),.

The expertise of socially and economically disadvantaged owners was not limited to office management, administration, or bookkeeping functions unrelated to the principle business activities of the firm 49 CFR 26.71 (g).

The socially and economically disadvantaged owners have an overall understanding of, and managerial and technical competence and experience directly related to, the type of business in which the firm is engaged and the firms operations (i.e., have the ability to intelligently and critically evaluate information presented by other participants in the firm’s activities and to use this information to make independent decisions concerning the firms daily operations, management, and policymaking) 49 CFR 26.71 (g).

In instances where State or local law requires a person to have a particular license or other credential to own and/or control a certain type of firm, the socially and economically disadvantaged owners possessed the required license or credential 49 CFR 26.71 (h).

Note: Certification as a DBE firm cannot be denied if the socially and economically disadvantaged owners do not have a license or credential and State or local law does not require it; however, the condition can be used as a factor in assessing control of the firm 49 CFR 26.71 (h).

PA‐1


Remuneration of the socially and economically disadvantaged owners was consistent with duties of persons involved, normal industry practices, the firm’s policy and practice concerning reinvestment of income, and any other explanations for the differences provided by the firm 49 CFR 26.71 (i) (1).

Note: Remuneration of a firm’s owners need not necessarily be greater than some other participants in the firm 49 CFR 26.71 (i) (1).

In instances where a non‐disadvantaged individual formally owned or controlled the firm and a socially and economically disadvantaged individual now owns or controls it, remuneration of the disadvantaged individual is now greater than the non‐disadvantaged individual 49 CFR 26.71 (i) (2) and there was clear and convincing evidence that:

The transfer of ownership and/or control to the disadvantaged individual was made for reasons other than obtaining certification as a DBE 49 CFR 26.71 (l) (1); and

The disadvantaged individual actually controls the management, policy, operations of the firm, notwithstanding the continuing participation of a non‐disadvantaged individual who formally owned or controlled the firm 49 CFR 26.71 (1) (2).

Note: A lack of control by the disadvantaged individual could be indicated when the non‐disadvantaged individual remains involved with the firm and continues to receive greater compensation than the disadvantaged individual 49 CFR 26.71 (i) (2).

The disadvantaged owner did not engage in outside employment or other business interests that conflicted with the management of the firm or prevent the disadvantaged owner from devoting sufficient time and attention to the affairs of the firm to control its activities 49 CFR 26.71 (j).

Note: Absentee ownership of a business and part‐time work in a full time firm are not viewed as constituting control; however, operation of a part‐time business by an owner for all the time the business is operating would be viewed as having control of that firm 49 CFR 26.71 (j).

In instances where the socially and economically disadvantaged individual(s) have immediate family members who are not socially and economically disadvantaged that also participate in the firm, the socially and economically disadvantaged individual(s) control of the firm is clearly distinct from the family as a whole 49 CFR 26.71 (k) (1); (k) (2).

Note: This assessment is to be made as it is with any other persons involved in the firm without regard to whether or not those persons are immediate family members 49 CFR 26.71 (k) (1).

PA‐1


In instances where the firm was operating under a license or franchise agreement, the franchiser or licenser was not affiliated with the franchisee or licensee 49 CFR 26.71 (o).

Note: Affiliation generally does not occur in instances relating to standardized quality, advertising, accounting format, and other provision imposed upon the franchisee or licensee by the franchise agreement or license provided that the franchisee or licensee has the right to profit from its efforts and bears the risk of loss commensurate with ownership. However, affiliation could arise through other means such as common management or excessive restrictions on the sale or transfer of the franchise interest or license 49 CFR 26.71 (o).

In instances where the firm leased equipment necessary to perform its work:

Leasing such equipment was normal industry practice 49 CFR 26.71 (m) and

The lease did not involve a relationship with a prime contractor or other party that compromised the independence of the firm 49 CFR 26.71 (m).

With regard to a partnership, any non‐disadvantaged partners did not have the power, without the specific written concurrence of the socially and economically disadvantaged partner(s), to contractually bind the partnership or subject the partnership to contract or tort liability 49 CFR 26.71 (p).

In instances where an employee leasing company was used, the socially and economically disadvantaged individuals were responsible for hiring, firing, training, assigning, and otherwise controlling the on‐the‐job activities of the employees and had the ultimate responsibility for wage and tax obligations related to those employees 49 CFR 26.71 (q).

Objective B Determine whether internal controls were adequate to ensure general rules pertaining to the DBE certification process were met. For a sample of DBE firms determine whether supervisory review of the certification analysis included a determination that: All the facts in the record, viewed as a whole, were used in the determination whether

socially and economically disadvantaged participants in a firm own and control the firm 49 CFR 26.69 (a); 49 CFR 26.71 (a).

Whether a firm performs a commercially useful function was not considered in any way in

making DBE certification decisions 49 CFR 26.73 (a) (1) except to the extent a firm has exhibited a pattern of conduct indicating its involvement in attempts to evade or subvert the intent or requirements of the DBE program 49 CFR 26.73 (a) (2).

The firm applying for DBE certification was not owned by another firm (even a DBE firm) (49

CFR 26.73 (e)) unless the firm is an operating subsidiary of a parent or holding company, established for tax, capitalization or other purposes consistent with industry practice that is

PA‐1


owned and controlled by socially and economically disadvantaged individuals 49 CFR 26.73 (e) (1); (2).

Recognition of a business as a separate entity for tax or corporate purposes was not

sufficient to demonstrate that a firm is an independent business, owned and controlled by socially and economically disadvantaged individuals 49 CFR 26.73 (f).

DBE certification was not dependent upon prequalification 49 CFR 26.73 (g).

Note: Providing for a firm to be prequalified before it can be certified as a DBE is allowed only when all firms are required to be prequalified to participate in its contracts and subcontracts 49 CFR 26.73 (g).

The firm had not applied for, and been denied, DBE certification within one year 49 CFR 26.86 (c) of the current application date by any of the UCP members.

Effective February 28, 2011 the firm was allowed to resubmit an application for DBE

certification the firm had withdrawn before a certification decision was reached without a waiting period before the re‐submittal could be accepted 49 CFR 26.83 (m).

Note: The one year waiting period for re‐submittal provided under 49 CFR 26.86 (c) may be applied if the firm has established a pattern of frequently withdrawing applications before a certification decision is reached 49 CFR 26.83 (m).

Objective C Determine whether internal controls were adequate to ensure required procedures for the certification process are followed. For a sample of DBE firms determine whether documentation was in included in the DBE file that: Effective February 28, 2011, each applicant was advised within 30 days of receipt of the

application:

Whether the application is complete and suitable for evaluation or

What additional information or action is required 49 CFR 26.83 (l).

A decision on application for DBE certification was made within 90 days of receiving all required information under 49 CFR 26 from the applicant firm unless the decision period was extended an additional 60 days upon written notification to the firm or a different timeframe was established and approved by the concerned operating 49 CFR 26.83 (k).

Note: Failure to make a certification decision by the applicable deadline is deemed constructive denial of the application on which the firm may appeal to USDOT under 49 CFR 26.89 (49 CFR 26.83 (k).

PA‐1


An on‐site visit was made to the offices of the firm 49 CFR 26.83 (c) (1). The principal officers of the firm were interviewed 49 CFR 26.83 (c) (1).

Resumes and/or work histories of the principal officers were reviewed during the on‐site

interview 49 CFR 26.83 (c) (1). An on‐site visit or visits were performed to job sites on which the firm was working at the

time of the eligibility 49 CFR 26.83 (c) (1). An analysis was performed of the bonding and financial capacity of the firm 49 CFR 26.83 (c)

(3). The firm’s work history was determined, including:

Contracts it has received

Work it has completed 49 CFR 26.83 (c) (4). A statement was received from the firm of the type of work it prefers to perform as part of

the DBE program and its preferred location for performing the work, if any 49 CFR 26.83 (c) (5).

A list of equipment owned by or available to the firm was obtained or compiled for

performing the work it seeks to do as part of the DBE program 49 CFR 26.83 (c) (6). A list of licenses the:

Firm possesses was obtained or compiled for performing the work it seeks to do as part of the DBE program.

Firm’s key personnel possesses was obtained or compiled for performing the work it seeks to do as part of the DBE program 49 CFR 26.83 (c) (6).

A DBE application form:

Was completed by the firm (unless the potential DBE is a Small Business Administration (SBA) certified firm applying pursuant to the United States Department of Transportation / Small Business Administration Memorandum of Understanding (USDOT/SBA MOU) and the application included:

All elements of the form identified in 49 CFR 26 Appendix F.

Supplemental information that was not inconsistent with the requirements of 49 CFR 26 49 CFR 26.83 (c) (7).

PA‐1


The applicant attested to the truth and accuracy of the information provided on the application in the form of an:

Affidavit sworn to by the applicant before a person who is authorized by state law to administer oaths or

An unsworn declaration executed under penalties of perjury of the laws of the United States 49 CFR 26.83 (c) (7) (ii).

Documentation was included in the DBE certification file that the applicant was required to go through the application process without regard to the action of any other USDOT recipient of Federal funds that the firm was eligible for DBE certification 49 CFR 26.83 (e) (3).

Note: Prior to February 28, 2011, the firm will be certified as a DBE for a period of at least three years so long as the firm continues to meet eligibility requirements during that period 49 CFR 26.83 (h).

For February 28, 2011 and after, the firm will be certified as a DBE indefinitely so long as the firm continues to meet eligibility requirements 49 CFR 26.83 (h).

Objective D Determine whether the STA has written procedures in place to provide for confidentiality of DBE certification records where applicable and for processing information requests about DBE eligible firms or the certification process. Information gathered as part of the certification process that may reasonably be regarded

as proprietary or other confidential business information is safeguarded from disclosure to unauthorized persons consistent with applicable Federal, State, and local law 49 CFR 26.83 (g). Specifically, procedures clearly define:

Proprietary and confidential business information.

Confidential business information includes applications for DBE certification and supporting information 49 CFR 26.109 (a) (2).

The process for safeguarding proprietary and confidential business information from unauthorized persons.

Safeguarding proprietary and confidential business information from unauthorized persons includes requiring that such information is transmitted to:

A third party only upon written consent of the firm who submitted the information 49 CFR 26.109 (a) (2) or

USDOT in any certification appeal proceeding under 49 CFR 26.89 or

PA‐1


Any other State to which the firm has applied for certification under 49 CFR 26.85 as revised effective February 28, 2011 or

Another recipient of highway funds, Federal transit funds, and Federal airport funds 49 CFR 26.3 to which the firm has applied for DBE certification prior to February 28, 2011.

Safeguarding an individual’s personal net worth statement and any documentation supporting it from unauthorized persons includes requiring that such information is transmitted to:

A third party only upon written consent of the individual who submitted the information 49 CFR 26.109 (a) (2); or

USDOT in any certification appeal proceeding under 49 CFR 26.89 49 CFR 26.67 (a) (2) (iv).

Any other State to which the firm has applied for certification under 49 CFR 26.85 as revised effective February 28, 2011.

Objective E Determine whether UCP procedures for certifying firms as DBE were included in the STA’s Policies, Procedures and Manuals.

Compare UCP procedures for certifying firms as a DBE to the STA’s Policies, Procedures and

Manuals to assess whether UCP procedures have been incorporated into the STA DBE certification procedures.

Objective F Determine whether the STA has implemented written procedures for the process of

verifying that a firm is not shopping for DBE certification. For example, the firm has not applied to multiple UCP members for DBE certification or has not applied to a UCP member for DBE certification within one year after having been rejected for certification by another UCP member.

Determine whether the STA’s Policies, Procedures and Manuals identify the processes that personnel must follow to verify that firms are not shopping among UCP members for DBE certification.

AASHTO Internal Audit Guide 2013 Edition Glossary Page 1

GLOSSARY

Actual Costs – amounts determined based on costs incurred and supported by source documentation, such as invoices, receipts and cancelled checks. Actual costs are generally not determined based on forecasts or historical averages. Agreement – A contract between a State DOT and an entity that is a binding legal document that identifies the deliverable goods or services to be provided, under what conditions and the method of reimbursement for such goods and services. An agreement may include both Federal and State requirements that must be met by the State DOT and entity. Agreements usually indicate start and finish dates, record retention requirements, and other pertinent information relative to the work to be performed. Allocable – A cost is allocable to a government contract if the cost is incurred specifically for the contract; benefits both the contract and other work and a can be distributed to them in reasonable proportion to the benefits received; or is necessary to the overall operation of the business, although a direct relationship to any particular cost objective cannot be shown. Allowable – A cost is allowable charge to a Government contract only if the costs is reasonable, allocable, compliant with GAAP, compliant with terms of the contract and not prohibited by Federal cost principles. Analytical Procedures – An audit procedure where the auditor assesses information by comparing it to certain parameters or expectations selected by the auditor. It involves the auditor reasonably expecting a certain relationship among certain information and expecting those relationships to continue unless there are known conditions that should cause the relationship to not exist. The expected conditions should be developed by the auditor through the use of reliable sources to ensure an unbiased comparison. Some common analytical procedures include ratio analysis, trend analysis, comparison between periods, comparison to budgets and forecasts, external benchmarking or internal benchmarking. AASHTO – American Association of State Highway and Transportation Officials AICPA – American Institute of Certified Public Accountants Audit Planning – Audit planning is developing an overall strategy for conduct and scope of the audit. The nature, extent, and timing of planning vary with size and complexity of the entity, experience with the entity, and knowledge of the business. In planning the audit, the auditor considers the entity's business and its industry, its accounting policies and procedures, methods used to process accounting information, the planned assessed level of control risk, and the auditor's preliminary judgment about audit materiality.


Audit Risk – A combination of the risk that material errors will occur in the accounting process and the risk the errors will not be discovered by audit tests. Audit risk includes uncertainties due to sampling (sampling risk) and to other factors (nonsampling risk). Audit Trail – A record of transactions in an accounting system that provides verification of the activity of the system. A complete audit trail allows auditors to trace transactions in a firm’s accounting records from original source documents into subsidiary ledgers through the general ledger and into basic financial statements and billings/invoices prepared and submitted by the entity. Benford's Law – is a mathematical law that applies to any population of numbers derived from other numbers (such as the dollar amount of a sale, found by multiplying the quantity sold times the unit price). It holds that 30% of the time the first non‐zero digit of this derived number will be one, and it will be a nine only 4.6% of the time. Benford's law is used by auditors to identify fictitious populations of numbers. Change Order – required when work is added to or deleted from the original scope of work of a contract, which alters the original contract amount and/or completion date Code of Federal Regulations – (CFR) the codification of the general and permanent rules published in the Federal Register by the executive departments and agencies of the Federal Government. The CFR is divided into 50 titles that represent broad areas subject to the Federal regulation. Confirmation – An audit procedure where an auditor obtains direct written verification of the accuracy of information from a third party. Positive confirmation is obtained by asking them to respond whether or not they believe the information is correct. Negative confirmation asks them to respond only if there is an issue. Positive confirmation is more reliable because with negative confirmation there is no certainty, but only an assumption, that there is no issue if the party does not respond. Contract Modification – a change to an existing contract for a change in scope or other factors that must be agreed to by all parties of the contract. Control Environment – is the attitude, awareness, and actions of the board, management, owners, and others about the importance of control. This includes integrity and ethical rules, commitment to competence, board or audit committee participation, organizational structure, assignment of authority and responsibility, and human resource policies and practices. Cost Principles – Federal cost principles are intended to establish a uniform approach for determining costs and promoting effective program delivery, efficiency, and better relationships between grant recipients, subrecipients, and the Federal government. The principles are promulgated to determine allowable costs, enforce compliance with Federal grant requirements, and ensure that the Federal Government bear its fair share of costs except where restricted or otherwise prohibited by law.


Detection Risk – The risk audit procedures will lead to a conclusion that material error does not exist when in fact such error does exist. DOT – refers to a state Department of Transportation Direct Cost – Any cost that is identified specifically with a particular final cost objective. Direct costs are not limited to items that are incorporated in the end product as material or labor. Costs identified specifically with a contract are direct costs of that contract. All costs identified specifically with other final cost objectives of the contractor are direct costs of those cost objectives. Direct costs can include labor, materials and reimbursable expenses incurred specifically for an agreement. Engagement Letter – A letter that represents the understanding about the engagement between the client and the CPA. The letter identifies the financial statements and describes the nature of procedures to be performed. It includes the objectives of the procedures, an explanation that the financial information is the responsibility of the company's management, and a description of the form of report. Entrance Conference – a meeting between the auditor and the auditee during which the purpose and scope of the audit are discussed. Exit Conference – a meeting held after completion of the audit that generally focuses on preliminary audit findings, which could change based on further audit testing, supervisory review and additional information submitted by the auditee. Federal Travel Regulation – (FTR) contained in 41 CFR 300‐304. The FTR implements policies for travel by Federal civilian employees and others authorized to travel at the Federal Government’s expense. Finding – results from deficiencies in internal controls, fraud, illegal acts, violations of contract or grant provisions, and/or abuse. In accordance with GAGAS, when documenting a finding, the auditor should include the condition, criteria, cause, effect and a recommendation for correction. Generally, auditors include management responses to reportable findings within the final audit report. GAAP – Generally Accepted Accounting Principles – widely accepted set of rules, conventions, standards and procedures for reporting financial information, as established by the Financial Accounting Standards Board (FASB). GAAS – “Generally Accepted Auditing Standards.” The ten auditing standards adopted by the membership of the AICPA. Auditing standards differ from audit procedures in that "procedures" relate to acts to be performed, whereas "standards" deal with quality of the performance of those acts and objectives of the procedures.


GAGAS – Generally Accepted Government Auditing Standards are also knows as the “Yellow Book” and are issued by the U.S. Government Accountability Office (GAO). GAGAS prescribe general procedures and professional standards that auditors must apply when performing audits or attestation engagement when conducting government audits. General Administrative Expenses – Costs of operating a company that are incurred by, or allocated to, a business unit and not directly linked to the company’s products or services. Inherent Risk – The risk that exists in an environment without the benefit of internal controls. Ineligible Cost – A cost that does not meet the terms of the agreement as well as Federal and State statutes and regulations Inspection – An audit procedure that involves the auditor reviewing documents or records through physical examination of the particular document or record to provide direct evidence of its content. This is a means of gathering direct evidence. Internal Control – Includes the plan of an entity and the methods and procedures adopted by management to ensure that the entity’s goals and objectives are met; that resources are used consistently with laws, regulations, and policies; that resources are safeguarded against waste, loss, and misuse; and that reliable data are obtained, maintained and fairly disclosed in reports. Inquiry – An audit procedure that involves asking questions of the auditee or other parties in order to obtain oral and written information. Evidence gathered through inquiry is considered indirect evidence, which is rarely considered sufficient by itself to support a finding. However, it is supportive documentation when corroborated through other means. Narrative – A written description of an internal control system. Observation – An audit procedure that involves the auditor seeing or experiencing something first hand. It could include having the auditee walk through a process and observing and monitoring the activities, procedures and steps performed, observing security practices. Through the performance of this activity, the auditor is able to obtain direct evidence. Overhead Rate – Refers to a rate computed by adding together all of an entity’s costs that cannot be associated with a single cost objective (e.g., general and administrative costs and fringe benefits costs), then dividing by a base value (usually direct labor cost) to determine a rate. This rate is applied to direct labor, as incurred on projects to allow an entity to recover the appropriate share of indirect costs allowable per the terms of the specific agreement. Peer Review – A practice monitoring program in which the audit documentation of one state DOT audit group is periodically reviewed by independent partners of other state DOT groups to determine that it conforms to the standards of the profession. Project Authorization and Agreement


Reasonable Cost – A cost is reasonable if, in its nature and amount, it does not exceed that which would be incurred by a prudent person in the conduct of competitive business. Reconcile (reconciliation) – A schedule establishing agreement between separate sources of information, such as accounting records reconciled with the financial statements. Reperformance – An audit procedure that involves the auditor redoing a certain activity or procedure to see if they arrive at the same results. The auditor’s reperformance of a particular control provides direct evidence to support whether a control is operating effectively. Residual Risk – The risk that exists after consideration of the controls management has implemented to mitigate or transfer risk. Resolution Process Risk – The probability that an event or activity will occur that adversely impacts the achievement of an organization’s objectives Sample Size – The number of population items selected when a sample is drawn from a population. Sampling Error – Unless the auditor examines 100% of the population, there is some chance the sample results will mislead the auditor. This risk is sampling error. The larger the sample, the less chance of sampling error and the greater the reliability of the results. Sampling Risk – The possibility that conclusions drawn from the sample may not represent correct conclusions for the entire population. Segregation of Duties – means assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets. Segregation of duties reduces the opportunities for one person to both perpetrate and conceal errors or fraud. Single Audit – A rigorous, organization wide audit or examination of an entity that expends $500,000 or more of Federal assistance received for its operations. These are usually performed annually and the objective is to provide assurance to the US Federal government as to the management and use of such funds by recipients such as states, cities, universities and non‐profit organizations. These audits are typically performed by an independent Certified Public Accountant (CPA) and encompass both financial and compliance components. Source Documentation – documents that support the costs recorded in an entity’s records. Source documents can include timesheets, payroll registers, invoices, receipts, rental slips, cancelled checks, etc. Test – An audit procedure were the auditor reviews certain transactions and processes or attributes against established criteria. The auditor then concludes as to whether the activity is


in compliance with the criteria, which are established standards, practices, laws, regulations or requirements. Tracing – An audit procedure that involves tracking information forward from one document or record or tangible source to another subsequently prepared document or record. This test is performed as a means to test for the completeness of the document or record. Unallowable Cost – An item of cost that is ineligible for cost reimbursement. Verify – the act of tracing a transaction from one document to the original support document. Vouching – An audit procedure that involves tracking information from one document or record back into a previously prepared document or record or to some other reliable source. This procedure is performed in order to determine the validity of the information. Walkthrough – Procedure where auditor traces a transaction from original to final process.

2013 internal audit guide - draft (2)

Documents