INTERNAL AUDITING

POLICIES AND PROCEDURES MANUAL

The Internal Auditing Policies and Procedures Manual, dated May 3, 2004 has been updated, approved and supersedes all previous policies and procedures published November 30, 1995.

Phil Wood, CIA, CFA City Auditor

PAGE

CONTENTS
SUBJECT:

1 of 4
DATE

TABLE OF CONTENTS

5/03/04

NUMBER

TITLE POLICIES

110.00 115.00 120.00 125.00 130.00 130.01 130.02 130.03 130.04 135.00 140.00 150.00 160.00

Function of Internal Audit Independence Internal Audit Program - Audit Plan Audit Reports Quality Control Standards Organization and Personnel Planning Documentation Review Personal Standards and Ethics EDP Systems Development Computer Utilization Library Utilization

PAGE

CONTENTS
SUBJECT:

2 of 4
DATE

TABLE OF CONTENTS

5/03/04

NUMBER

TITLE PROCEDURES

205.00 205.10

Internal Audit Program - Audit Plan Coordination with External Auditor Administrative:

210.10 210.20

Organizational Structure File Maintenance Time Reporting System:

220.05 220.11 220.15 220.20 220.25 220.30 220.35 220.40 230.00 230.05

Audit Project Reporting Administrative Leave Procedures Time Report Detailed Time Sheet Project Number Listing Direct Time Status Report Time Reporting Processing Toolsa Status & Summary of Audit Projects Audit Process: Job Start Letters Audit Working Papers:

240.05 240.10

Working Paper Preparation Working Paper Review and Approval

PAGE

CONTENTS
SUBJECT:

3 of 4
DATE

TABLE OF CONTENTS

5/03/04

NUMBER 240.15 240.20 240.25 240.30 240.40 240.50 240.51 240.60 240.70 245.00

TITLE Internal Control Documentation Standard Working Papers Indexing Audit Working Papers Audit Programs Control Objectives and Techniques Working Paper Tickmarks Standard Tickmarks Budget to Actual Comparison Potential Audit Findings Control Assessment Process Reporting:

250.05 254.00 254.05 254.10 254.15 254.20

Audit Report Process Special Projects / Client Requested Projects Approval Request Procedures Engagement Memos Budget Hours Audit Finding:

255.05 255.10

Corrective Action - Monitoring Data Base Definitions of Data Files

1 PAGE

CONTENTS
SUBJECT:

4 of 4
DATE

TABLE OF CONTENTS

5/03/04

NUMBER

TITLE Personnel:

260.05 260.06 260.07 260.10 260.15 260.16

Conflict of Interest Conflict of Interest Statement Audit Project Independent Statement Professional Development Personnel Feedback / Evaluation Staff Auditor Personnel Feedback / Evaluation Form In-Charge Auditor Personnel Feedback / Evaluation Form Staff Scheduling Safety and Health

260.17

260.20 260.30

Other: 270.05 270.10 270.15 270.20 General Office Security News Media Fraud, Abuse and Illegal Acts Forms Index

POLICIES

PAGE

POLICY NO.

POLICIES
SUBJECT:

1 of 3

110.00
DATE

FUNCTION OF INTERNAL AUDITING

5/03/04

Internal Auditing is an independent appraisal and evaluation function established within the City of Tulsa (City) to examine and evaluate its activities. The objective of Internal Auditing is to assist management and elected officials of the City in the effective discharge of their responsibilities by providing analyses, recommendations, counsel, and information concerning the activities reviewed. Internal Auditing is an internal control, which functions by measuring and evaluating the effectiveness of other controls and planned programs. Internal Auditing shall not assume operating responsibilities. Internal Auditing shall have no direct responsibility for or authority over any of the activities audited. Internal Auditing shall have full access to all records, facilities, properties, and personnel of the City relevant to the subject under review, and is authorized to review and appraise policies, plans, procedures, controls and records. Internal auditors shall not develop or install procedures, prepare records, perform internal control functions or engage in any other activity which they would normally review and appraise and which could reasonably be construed to compromise the independence of Internal Auditing. The independence of Internal Auditing shall not be deemed adversely affected by determining and recommending standards of control to be applied to the development of the systems and procedures being reviewed. The review and appraisal of an area by Internal Auditing shall not in any way relieve management of its given responsibilities. The audits by Internal Auditing will be conducted in accordance with the Institute of Internal Auditors "Standards for the Professional Practice of Internal Auditing." Internal Auditing will conduct financial audits and operational audits. Financial audits include financial statement and financial related audits. Financial statement audits determine (1) whether the financial statements of an audited entity present fairly the financial position, results of operations, and cash flows or changes in financial position in accordance with generally accepted accounting principles, and (2) whether the entity has complied with laws and regulations for those transactions and events that may have a material effect on the financial statements.

PAGE

POLICY NO.

POLICIES
SUBJECT:

2 of 3

110.00
DATE

FUNCTION OF INTERNAL AUDITING, continued

05/03/04

Financial related audits include determining (1) whether financial reports and related items, such as elements, accounts, or funds are fairly presented, (2) whether financial information is presented in accordance with established or stated criteria, and (3) whether the entity has adhered to specific financial compliance requirements.

Operational audits encompass the examination and evaluation of the adequacy and effectiveness of the system of internal control and the quality of performance in carrying out assigned responsibilities. Operational audits include: Review of the reliability and integrity of operating information and the means used to identify, measure, classify, and report such information; Review of compliance with policies, plans, procedures, standards, laws, and regulations; Review of the means of safeguarding and accounting for assets; Appraisal of the economical and efficient use of resources; Review of operations or programs to ascertain whether results are consistent with established objectives and goals; Review of the adequacy of existing and proposed data processing systems.

The functions of Internal Auditing shall include: Develop and execute a comprehensive audit program, as approved by the City Auditor, to ensure the activities of the City are reviewed at appropriate intervals. Review and evaluate risk management, control and governance systems and the quality of ongoing operations to the extent allowed by City Charter, recommend action to correct any deficiencies, and obtain management's response of corrective action to be taken. Conduct control assessments and facilitate control self-assessments. The Institute of Internal Auditors Standards for the Professional Practice of Internal Auditing are applicable to all control assessments and control self-assessments conducted by City of Tulsa Internal Auditing.

PAGE

POLICY NO.

POLICIES
SUBJECT:

3 of 3

110.00
DATE

FUNCTION OF INTERNAL AUDITING, continued

5/03/04

Appraise the quality of operations in terms of compliance with policies, plans, procedures, standards, laws and regulations. Perform financial audits of the assets, liabilities, fund balances, revenues and expenditures of the City as approved in the comprehensive annual audit plan. Verify, as approved in the comprehensive audit plan, the existence of City assets and appraise whether such assets are safeguarded, accounted for, and used efficiently and economically. Appraise the reliability and operation of the accounting, financial, and reporting systems. Participate, as necessary, in the review process of the control aspects of significant new data processing systems and systems revisions before they are implemented. Coordinate, as necessary, its audit efforts with those of the external auditors, participate in the planning, and coordination of the financial audit to be undertaken by external auditors. Perform special projects as requested or approved by the City Auditor and/or City Council. Participate in special investigations of fraud, abuse or illegal acts as directed by the City Auditor, City Council, or when requested by the appropriate authorities and approved by the City Auditor. If deemed appropriate, situations or significant transactions that involve fraud, abuse or illegal acts will be referred to the Legal Department or other authorities for appropriate investigation. Report the results of audit work conducted. Evaluate the adequacy of action taken by management to correct deficiencies reported by Internal Auditing. Perform the necessary follow-up procedures to ascertain whether appropriate action is taken on significant audit findings.

PAGE

POLICY NO.

POLICIES
SUBJECT:

1 of 1

115.00
DATE

INDEPENDENCE

5/03/04

In all matters relating to the audit work, Internal Auditing and the individual auditors should be free from personal and external impairments to independence, be organizationally independent, and maintain an independent attitude and appearance. Independence, in fact as well as appearance, is necessary. The credibility of the auditor might be impaired by the existence of circumstances, which may be reasonably perceived to influence independence. Such independence will be established by adhering to the following criteria: The Internal Auditing function will be organizationally located outside the staff or line management functions. Auditors should be sufficiently removed from political pressures to ensure they can conduct their audit objectively and can report their findings, opinions, and conclusions objectively without fear of repercussion. Internal auditors should avoid personal transactions or situations in which their personal interest will conflict, or appear to conflict with the interest of the City of Tulsa or Internal Auditing. All situations involving a conflict of interest should be disclosed in an annual conflict of interest statement. Internal auditors shall complete and sign annually a conflict of interest statement, which attests to their independence or describes areas where their independence may be impaired. Internal Auditors shall complete and sign an independence statement for each project to which they are assigned responsibility for performance of audit work. The completed independence statements of all audit team members will be filed in the general section of the audit work papers.

PAGE

POLICY NO.

POLICIES
SUBJECT:

1 of 1

120.00
DATE

INTERNAL AUDIT PROGRAM ANNUAL REPORT AND AUDIT PLAN ANNUAL REPORT

5/03/04

Internal Auditing will prepare and publish an annual report of internal audit activities and performance relative to the audit plan. Consideration for contents of the annual report should include: City Auditors Mission Statement, Goals, and Methodologies Prior Period Audit Results
o Audit Projects Completed o Audit Abstracts o Significant Highlights of the Period

Office of the City Auditor Profile

o Internal Audit Process o Audit Staff o Professional Certification

Current Period Internal Audit Program

o Process for Selection of Audits o Summary of Audit Program o Project Descriptions

Feedback Forms
o Suggestions for Audits o Comments on the Conduct or the Office of City Auditor

Significant Risk Exposures and Control Issues Governance Issues Other Matters Requested by Elected Officials and Management

AUDIT PLAN Periodically, an audit plan for the subsequent period will be developed, published, and distributed to the various City departments and the external auditors for the City. The audit plan will identify the proposed audit projects to be conducted during the next plan period. When appropriate, a block of audit hours may be projected and allocated for a given audit area, such as grants or special projects without identifying the grant or special project to be audited. The audit plan will be based on the Departments FOCUS Risk Assessment process to determine priorities of the internal audit activity. Internal Auditing will involve departmental management in the process of identifying audit projects. However, the elected City Auditor has the final determination as to which specific audit projects will be included on the audit plan. Internal Auditing will contact the external auditors of the City for review of the audit plan to identify areas of common interest. For those areas identified to be of common interest to Internal Auditing and the external auditors, Internal Auditing will coordinate its work with the external auditors. However, the elected City Auditor has the final approval as to the nature, timing and extent of internal audit work to be performed.

PAGE

POLICY NO.

POLICIES
SUBJECT:

1 of 1

125.00
DATE

COMMUNICATING AUDIT RESULTS

5/03/04

Internal Auditing will issue reports communicating the results of each audit project. The form of the report should be appropriate for its intended use, but written reports are preferred. Written reports communicate results to officials and management, make the results less susceptible to misunderstanding, make the results available for public inspection, and facilitate follow-up to determine whether appropriate corrective action has been taken. A draft copy of written reports will be reviewed, in advance of the final release of the report, with management personnel responsible for activities examined. Communications should be accurate, objective, clear, concise, constructive, complete, and timely. Communications should include the engagements objectives and scope as well as applicable conclusions, recommendations, and action plans. Final communication of engagement results should, where appropriate, contain the internal auditors overall opinion and/or conclusions. Internal auditors are encouraged to acknowledge satisfactory performance in communications. Audit results should be communicated to appropriate parties. At a minimum, communication should be made to the Mayor, City Council, and other parties who can ensure the results are given due consideration. Prompt and timely audit reporting is important to enable effective improvement or corrective actions for internal audit recommendations. The following guidelines for timeliness of audit reporting should normally apply: Draft audit reports should be complete within two weeks from the date of the end of audit fieldwork Any revisions to draft audit reports resolution from the exit meetings should be completed within one week following the final exit meeting date Final audit reports should be completed and issued within one month of the final exit meeting date.

PAGE

POLICY NO.

POLICIES
SUBJECT:

1 of 3

130.00
DATE

QUALITY CONTROL STANDARDS

5/03/04

The quality control standards adhered to by Internal Auditing are as follows: 130.01 Organization and Personnel: (a) Internal Auditing is independent of the area being audited or appropriate disclosure has been made in the report. Independence statements are required annually for all internal auditors and for each specific audit project for all auditors assigned to the project. Written job descriptions are maintained which set forth the purpose, authority and responsibilities of each internal auditor position. A schedule of personnel assignments will be maintained. Personnel evaluations will be conducted as outlined in the Personnel Policies and Procedures manual. Also, the Staff Auditor Personnel Feedback form will be completed for each staff auditor assigned to an audit project for 80 hours or more. An audit project reporting system is maintained to monitor the overall implementation of the general audit plan.

(b)

(c)

(d) (e)

(f)

130.02 Planning: (a) (b) (c) (d) (e) (f) A periodic written approved audit plan is prepared. Scope and objective statements are written for each audit conducted. Written audit programs are used. An approved staff time budget is used. A manager is assigned for each audit. An in-charge auditor is designated for each audit.

PAGE

POLICY NO.

POLICIES
SUBJECT:

2 of 3

130.00
DATE

QUALITY CONTROL STANDARDS, continued

5/03/04

(g)

Background information about the activities to be audited is obtained and where appropriate, on-site surveys are conducted.

130.03 Documentation: (a) A risk assessment is prepared and updated annually documenting the risk exposures, control environment, accounting information systems, and control evaluation of the City. Standardized programs are used for: 1. 2. 3. (c) General Matters ProgramForm, General Matters - Supplement for Financial Audits, Audit Working Paper Approval Form.

(b)

Flowcharts, internal control questionnaires or written narratives are used to document the systems of internal control. An internal control objectives and techniques working paper is used, when applicable, to evaluate the applicable internal controls for each audit. Written conclusions are required for each major audit area and such conclusions are reviewed for appropriateness. Audit finding sheets supported by working papers containing sufficient evidential matter are used to document all findings included in a report. A working paper retention schedule is used. Adequate written evidential matter is included in the audit working papers to support the audit conclusions.

(d)

(e)

(f)

(g) (h)

PAGE

POLICY NO.

POLICIES
SUBJECT:

3 of 3

130.00
DATE

QUALITY CONTROL STANDARDS, continued

5/03/04

130.04 Review: (a) Working papers are reviewed by the in-charge auditor, audit manager, and Chief Internal Auditor. An internal quality assurance review is conducted annually. An external quality assurance review is conducted every five years.

(b) (c)

PAGE

POLICY NO.

POLICIES
SUBJECT:

1 of 2

135.00
DATE

PERSONAL STANDARDS AND ETHICS

5/03/04

The following personal standards apply to all auditors assigned to Internal Auditing. An internal auditor shall: Have adequate technical training and proficiency, Maintain a sufficiently independent state of mind to clearly demonstrate objectivity in matters affecting audit conclusions, Respect the confidentiality of information acquired while performing the audit function, Only engage in activities that do not conflict with the interests of the City, Adhere to conduct that enhances the professional stature of internal auditing, and Exercise due professional care in the performance of all duties and in the fulfillment of all responsibilities.

The following ethical standards which were derived from the Code of Ethics of the Institute of Internal Auditors shall be adhered to by Internal Auditing: 1. Internal auditors shall have an obligation to exercise honesty, objectivity, and diligence in the performance of their duties and responsibilities. Internal auditors, in holding the trust of their employers, shall exhibit loyalty in all matters pertaining to the affairs of the City of Tulsa or to whomever they may be rendering a service. However, an internal auditor shall not knowingly be a party to any illegal or improper activity. Internal auditors shall respect and contribute to legitimate and ethical objectives of the City of Tulsa. Internal auditors shall refrain from entering into any activity which may be in conflict with the interest of the City of Tulsa or which would prejudice their ability to carry out objectively their duties and responsibilities. Internal auditors shall not accept a fee or a gift from an employee, a customer, or a business associate of the City of Tulsa without the knowledge and consent of their senior management.

2.

3.

4.

5.

PAGE

POLICY NO.

POLICIES
SUBJECT:

2 of 2

135.00
DATE

PERSONAL STANDARDS AND ETHICS, continued

5/03/04

6.

Internal auditors shall be prudent in the use of information acquired in the course of their duties. They shall not use confidential information for any personal gain nor in a manner, which would be detrimental to the welfare of the City of Tulsa. Internal auditors, in expressing an opinion, shall use all reasonable care to obtain sufficient factual evidence to warrant such expression. In their reporting, an internal auditor shall reveal such material facts known to them which, if not revealed, could either distort the report of the results of operations under review or conceal unlawful practice. Internal auditors shall continually strive for improvement in the proficiency and effectiveness of their service. Internal auditors shall be provided a copy of the Institute of Internal Auditors Code of Ethics upon employment. See New Employee Orientation Checklist item #10, IA-270.

7.

8.

9.

PAGE

POLICY NO.

POLICIES
SUBJECT:

1 of 1

140.00
DATE

EDP SYSTEMS DEVELOPMENT

5/03/04

Internal Auditing may review the control aspects of significant new data processing systems or significant system revisions before they are implemented.

POLICIES
Subject: COMPUTER USAGE POLICY

Page 1 of 1

Policy No. 150.00 Date: 5/03/04

Internal Auditing will adhere to all City of Tulsa policies related to computer usage. Below, for your reference, is a listing of City of Tulsa computer usage policies documented in Human Resources Policies Section 800, General Administration.

HR Policy No. 817 818 819 821

HR Policy Title Internet/Intranet Policy E-Mail Policy Personal Computer (PC) Usage Policy Information Systems Security Policy

USE AT HOME Individually assigned computers may be taken home for use overnight, weekends, and holidays. The City does not insure PCs. If one is lost, stolen or damaged while in your custody, we will lose use of the unit unless your household insurance covers the loss.

PAGE

POLICY NO.

POLICIES
SUBJECT:

1 of 1

160.00
DATE

LIBRARY UTILIZATION

5/03/04

Internal Auditing provides the staff with a library for personal or professional use. This library is maintained by the Assistant Staff Auditor and located in the conference room. The Internal Auditing staff is allowed to remove these materials from the library and out of the office by checking out the materials through the Assistant Staff Auditor. A limit of five (5) items at a time per individual may be checked out from the library. Materials may be checked out for a two-week period. If absolutely necessary, materials may be checked out for an additional two weeks as approved by the Assistant Staff Auditor. No one person is allowed to check out any one item for more than one month. All material must be turned in by the due date to the Assistant Staff Auditor. At that time, the name of the individual who checked out the material will be marked as to show the material being returned in a timely manner. If an individual does not return materials by the due date, there may be a suspension or loss of library privileges. The Assistant Staff Auditor will report any over due items to the Chief Internal Auditor and the suspension or loss of privileges will be determined by the Chief Internal Auditor.

PROCEDURES

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 2

205.00
DATE

INTERNAL AUDIT PROGRAM ANNUAL REPORT AND AUDIT PLAN

5/03/04

Periodically, an audit plan for the subsequent period should be developed, published, and distributed to the various City departments. Audit projects to be included in the plan should be identified using the FOCUS risk assessment process. Procedures for this process are described in the Annual Risk Assessment Procedures form. Factors to be considered in evaluating the risk of an audit area are described in the FOCUS form and include the following: 1. Size - Determined by considering the size of the most logical measure of the activity. (Examples of measures: assets, liabilities, revenues, expenditures) 2. Security - Determined by considering how safe the assets of the activity may be from conversion to private use 3. Trust - Determined by considering the impact of the activity on customers (Usually customers are defined as citizens of Tulsa) 4. Simplicity - Determined by considering how complicated the business of the activity is (Examples: degree of regulation, number of services, transactions or processes done by the activity, degree of automation) 5. Stability - Determined by considering the degree of change of the activitys operations in the last 12 months (Examples: personnel turnover in critical positions, reorganizations, major systems changes) 6. Responsibility - Determined by considering the five components of internal control of the activity (The components are: 1) employee competency, commitment and ethical values, 2) established objectives, 3) clearly defined procedures, 4) good information and communication, and 5) management monitoring) In addition to the risk assessment evaluation, the following should also be considered when selecting projects for inclusion in the audit plan: The date since the area was last audited Requests for projects to be scheduled from management, elected officials and citizens Certain projects shall be designated as ongoing projects and included in each annual plan. These projects include Report of Management Actions, Sensitive Payments, Internal Quality Assurance Review, Annual Planning/Risk Assessment, Information Systems Monitoring, and Auditing Miscellaneous. In addition, a pool of hours will be allocated in the audit plan to be available for external auditor support, unscheduled special projects, and client requests for projects.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

2 of 2

205.00
DATE

INTERNAL AUDIT PROGRAM - AUDIT PLAN

5/03/04

Potential for actual cost savings or increased revenues; and Potential for indirect cost savings through better management.

In addition, a pool of hours will be allocated in the audit plan to be available for special projects and client requests for projects. It is the intent of Internal Auditing to involve departmental management in the process of identifying audit projects. However, the elected City Auditor has the final determination as to which specific audit projects will be conducted. The Chief Internal Auditor and Internal Audit Manager assigned to development of the audit plan will contact the external auditors of the City for review of the audit plan to identify areas of common interest. Internal Auditing will coordinate its work with the external auditors for the areas identified to be of common interest. However, the elected City Auditor has the final approval as to the nature, timing and extent of internal audit work to be performed.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

205.10
DATE

COORDINATION WITH EXTERNAL AUDITOR

5/03/04

Soon after being completed, the audit plan should be reviewed with the external auditors to identify areas of common interest. The internal audit manager responsible for development of the audit plan will arrange for Internal Auditing to meet with the external auditors to perform this review. Those audits identified to be of common interest will be documented in Internal Audit Department files. These files will be researched during the planning phases of each audit project throughout the year to determine if coordination with the external auditor will take place. For those audit projects which will be coordinated, the internal audit manager assigned to the audit will contact the external audit manager for review and input regarding internal and external audit programs and workpapers.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 2

210.10
DATE

ORGANIZATIONAL STRUCTURE

5/03/04

Internal Auditing is a division of the Office of the City Auditor. The individual internal auditors are organized under a pooled staff concept. The direct supervisor of any individual staff member will depend on the staff assigned to a particular audit project. One auditor will be designated the in-charge auditor for each audit project and will report directly to the audit manager responsible for the audit project. Other staff auditors assigned to the audit project will report directly to the in-charge auditor. The staffing for each individual audit project will vary according to the needs of the project.

PAGE

POLICY NO .

PROCEDURES
SUBJECT:

2 of 2

210.10
DATE

ORGANIZATIONAL STRUCTURE, continued

5/03/04

CITY AUDITORS OFFICE INTERNAL AUDITING 13 POSITIONS City Auditor 2705-0001 UC-18 Office Assistant II 2172-0169 UC-08 Chief Internal Auditor 5379-0001 EX-52 Internal Audit Manager 5377-0002 EX-48 EDP Auditor 5376-0001 EX-40 Senior Internal Auditor 5375-0002 EX-36 Staff II Auditor 5374-0004 AT032 Staff I Auditor 5368-0001 AT-28 Internal Audit Manager 5377-0001 EX-48 Senior Internal Auditor 5375-0003 EX-36 Senior Internal Auditor 5375-0001 EX-36 Staff II Auditor 5374-0003 AT-32 Assistant Staff Auditor 5373-0001 AT-23

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

210.20
DATE

FILE MAINTENANCE & RETENTION

5/03/04

Any file should be retained for as long as it is of continuing usefulness. A retention schedule is set forth below to ensure files are maintained for a reasonable period. The types of files to be maintained and their retention periods are as follows:
File Type Description Retention Period

Annual report and audit Sets forth accomplishments for the fiscal year and the Program annual plan for the subsequent fiscal year. One copy is retained in central files Publications Professional periodicals. One copy is retained in the library. Master copy of audit Master copy of each audit report produced by Internal reports Auditing. One copy is retained in central files In-process project files In-process project files are stored in electronic format in a directory that can be accessed by auditors assigned to the project. Paper files for in-process projects are maintained by the auditor in charge of the project. Completed project files Electronic project files are to be printed out and filed in a binder, along with all paper files collected during the project. Electronic files are also to be archived in the electronic directory designated for that purpose. Permanent files Documents, schedules or analyses that are of continuing audit interest Continuing education Official documentation for all staff members continuing education. Documentation is to be maintained by the Assistant Staff Auditor. Confidential files This file is maintained for Internal Auditing use only. No one else is allowed in this file, unless approved by the City Auditor or Chief Internal Auditor. Future audit notes Information pertinent to pending or potential future audits. Folders are classified by audit area and retained in central files. Other records and All other miscellaneous files, such as travel expense correspondence reports, payment records, time reports, and official correspondence received or sent by Internal Auditing Personnel files Relevant information about each individual Internal Auditing employee during their employment

7 years

2 years Indefinite* As long as project is in process 7 years

Indefinite* 5 years

Indefinite*

Indefinite*

3 years

While employed & 5 years after termination

*File is retained for as long as it remains useful.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 2

220.05
DATE

AUDIT PROJECT REPORTING

05/23/04

The Internal Auditing time reporting system provides a method of collecting and monitoring the amount of time spent on each audit project and to determine and monitor the time utilization of auditors. All auditors are to submit a Time Report (procedure 220.15) to the Assistant Staff Auditor and a Detailed Time Sheet (procedure 220.20) to the audit projects In-charge Auditor on a semimonthly basis. Semimonthly periods begin the 1st and the 16th of each month, and end the 15th and last day of each month. An auditor may complete Time Reports and Detailed Time Sheets on a computer as long as the format complies with the form as seen at procedure 220.15 and 220.20. The Time Report should be completed using the assigned audit project numbers and activity codes, in increments of not less than fifteen minutes per code per day. Each Time Report is due to the Assistant Staff Auditor by 10:00 a.m. the first working day following the close of the reporting period. If an employee is scheduled to be away from the office when Time Reports are due, the Time Report is to be completed and submitted before departure. The auditor should estimate how the remaining hours in the time period will be spent and complete the Time Report accordingly. Any corrections necessary to adjust the estimated hours to actual hours incurred will be made on a subsequent Time Report. If unscheduled absences occur, the Assistant Staff Auditor shall be so notified. The Assistant Staff Auditor shall record the Time Report data as follows: From the Time Reports, the Assistant Staff Auditor will input information into the Cumulative Hours for Open Projects, Cumulative Hours for Completed Projects and Indirect Time Cumulative History of Hours electronic files. An explanation of these three files is below: A. Cumulative History for Open Projects. (&Domain\adminBB\STATUS.RPT\Cumulative History for Open Projects) This spreadsheet records hours charged to open projects. The Assistant Staff Auditor inputs data provided from Time Reports into this spreadsheet which is only used for processing. See example at procedure 220.35. B. Cumulative Hours for Completed Projects. (&Domain\adminBB\STATUS.RPT\ Cumulative Hours for Completed Projects) This spreadsheet records hours charged to closed projects. The Assistant Staff Auditor inputs data provided from Time Reports into this file which is only used for processing and to maintain history. See example at procedure 220.35.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

2 of 2

220.05
DATE

AUDIT PROJECT REPORTING, continued

05/03/04

C.

Indirect Time Cumulative History of Hours. (&Domain\adminBB\STATUS.RPT\ Indirect Time Cumulative History of Hours) This spreadsheet records hours charged to indirect categories. The Assistant Staff Auditor inputs data provided from Time Reports into this spreadsheet which is only used for processing and to maintain history. See example at procedure 220.35.

When Time Report data has been recorded into the Cumulative Hours for Open Projects, Cumulative Hours for Completed Projects and Indirect Time Cumulative History of Hours electronic files, two reports are generated from this information: the Status and Summary of Audit Projects (see example at procedure number 220.40) and the Direct Time Status Report (see example at procedure number 220.30). A. Status and Summary of Audit Projects (&Domain\adminBB\STATUS.RPT\ Status and Summary of Audit Projects) This report is used to keep track of audit projects. The report lists the estimated hours to complete, actual hours incurred by project, estimated project hours, planned project hours, estimated report date, days beyond estimate, and hours beyond planned. The projects are separated into Open Direct Audit Time Scheduled projects, Indirect Time, Direct Time Completed projects, and Scheduled Not Started projects. Estimated hours to complete and completion due dates for each project are determined by management after input by the Incharge auditor of each project. B. Direct Time Status Report (&Domain\adminBB\STATUS.RPT\ Direct Time Status Report) This report is used to keep track of direct audit time. This report lists for each auditor: direct time, indirect administrative time; total direct time percentage, total actual hours worked and total available hours worked for the current period and the fiscal year to date. Total variance of time is also shown on this report for each auditor. Totals for each period for each category are shown at the bottom of this report. Detailed Time Sheets Each auditor is responsible for turning in Detailed Time Sheets to the In-Charge Auditor for each audit project he/she is assigned. In-Charge Auditors are responsible for recording time from Detailed Time Sheets to the audit projects BUDGET TO ACTUAL COMPARISON (see procedure number 240.60). In-Charge Auditors are responsible for reconciling accumulated audit project time recorded on the BUDGET TO ACTUAL COMPARISON to the time recorded to the Status and Summary of Audit Projects.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

220.11
DATE

ADMINISTRATIVE LEAVE PROCEDURES

05/03/04

Exempt employees are allowed to work unscheduled overtime to adequately perform their jobs (for example, working late to finish a report, working on the weekend to finish a project that is behind schedule). Such overtime shall not be monetarily compensated. However, administrative leave may be granted by department management under the following guidelines: 1. Non-Exempt employees are limited to administrative leave only within their work week schedule. Requests for administrative leave shall be submitted in advance. If an employee is unable to make request in advance, the employee shall make contact with department management when administrative leave time off is taken. Approval of administrative leave is based on: Other employee absences anticipated for the date of the requested time off. Adequate coverage of the office will be maintained. Accumulated overtime recorded for an employee. Except for approved administrative leave for professional certification examinations and continuing education programs, an employee is not allowed to take off more time than their accumulated overtime. 4. Requests for administrative leave will not exceed four hours per day. Time off exceeding four hours per day will be reported as vacation or sick leave. Requests for administrative leave will be kept to a minimum. Except under special circumstances, an employee will not be granted more than four requests per month. An employee who has a need for more frequent, recurring time off will arrange it through the flex-time alternate work schedule. See flex-time alternate work schedule policy No. 223 in the Personnel Policies and Procedures manual. Accumulated overtime shall be tracked on a fiscal-year basis using the departments time reporting forms and reports. Accumulated overtime is not carried over to succeeding years. Overtime worked on lunch breaks will not exceed one-half hour.

2.

3.

5.

6.

7.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

220.15
DATE

TIME REPORT

05/03/04

TIME REPORT
AUDITOR'S NAME: PROJECT NUMBER PROJECT DESCRIPTION DIRECT AUDIT TIME: 0.00 0.00 0.00 EXPANDED DESCRIPTION PERIOD ENDED: 1 16 2 17 3 18 4 19 5 20 6 21 7 22 8 23 9 24 10 25 11 26 12 27 13 28 14 29 15 30 31 TOTAL HOURS

SUB-TOTAL - CHARGEABLE HOURS INDIRECT TIME:

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80

Holiday Holiday Personal Leave Vacation Sick Training (in-house/outside CPE) Budget Preparation & Monitoring Performance Planning & Review Attend City Meetings Status Reports / Time Sheets Departmental / Staff Meetings Professional Organizations Professional Reading Technology Activities Funeral Leave Professional Study Jury Duty Office Administration Office Management Administration Library Reorganization Project (IM, RW) Other Miscellaneous SUBTOTAL - NON-CHARGEABLE HOURS 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

0.00

GRAND TOTAL

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

220.20
DATE

DETAILED TIME SHEET

05/03/04

Detailed Time Sheet

Project Name:

Project Number:

Auditor's Name:

Period Ended:

DESCRIPTION OF WORK COMPLETED Background & Planning Supervision and Review Budget Findings / CAPs / Final Report Wrap Up Data Confirmation / Interviews Internal Control Evaluation (ICE) Risk Assessment Meetings Test I Test II Test III Test IV Test V Test VI Test VII Test VIII Test IX Test X

1 16

2 17

3 18

4 19

5 20

6 21

7 22

8 23

9 24

10 25

11 26

12 27

13 28

14 29

15 30 31

TOTAL HOURS 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

TOTAL

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

220.25
DATE

PROJECT NUMBER LISTING

05/03/04

Audit Project Numbers are assigned by the Assistant Staff Auditor. The Assistant Staff Auditor will maintain a list of audit project numbers and make it electronically available to staff members. (&Domain\adminBB\INFOLIST\Project Numbers). The general format of this listing is as follows:

PROJECT NUMBER XX - XX (1) (2) (1) (2)

DESCRIPTION (Title of the audit project)

First two digits represent the fiscal year in which the audit project was originally scheduled. Last two digits are the sequentially assigned number assigned by the Assistant Staff Auditor for a given audit project.

Audit project numbers are assigned as specified below: YY = year the audit is assigned a project number YY-01 through YY-10 = On-going Projects YY-11 through YY-29 = Regular Audit Projects YY-30 through YY-39 = Follow-Up Audit Projects YY-40 through YY-49 = Special Projects YY-50 through YY-59 = Control Assessments YY-60 through YY-69 = Continuous Monitoring Projects. YY-70 through YYXX = Anything else

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

220.30
DATE

DIRECT TIME STATUS REPORT

05/03/04

DIRECT TIME STATUS REPORT DATE: MM/DD/YY CURRENT PERIOD INDIRECT DIRECT ADMIN. (1) (1) (2) (2) TOTAL DIRECT% (3) (3) TOTAL ACTUAL HOURS WORKED (4) (4) FISCAL YEAR TO DATE TOTAL ACTUAL ACTUAL TOTAL AVAILABLE INDIRECT TOTAL HOURS AVAILABLE TOTAL WORKED DIRECT ADMIN. DIRECT% WORKED WORKED VARIANCE (5) (5) (6) (6) (7) (7) (8) (8) (9) (9) (10) (10) (14) (14)

NAME MGR MGR

T OTAL MGR (11) STAFF STAFF STAFF STAFF STAFF STAFF STAFF STAFF STAFF (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (2) (2) (2) (2) (2) (2) (2) (2) (3) (3) (3) (3) (3) (3) (3) (3) (3) (4) (4) (4) (4) (4) (4) (4) (4) (4) (5) (5) (5) (5) (5) (5) (5) (5) (5) (6) (6) (6) (6) (6) (6) (6) (6) (6) (7) (7) (7) (7) (7) (7) (7) (7) (7) (8) (8) (8) (8) (8) (8) (8) (8) (8) (9) (9) (9) (9) (9) (9) (9) (9) (9) (10) (10) (10) (10) (10) (10) (10) (10) (10) (14) (14) (14) (14) (14) (14) (14) (14) (14)

TOTAL (12) GRAND TOTAL (13)

(1) Is total direct/chargeable time for each staff member for the time period. Number comes from individual staff members Time Report. (2) Is total indirect/non-chargeable time for each staff member for the time period. Number comes from individual staff members Time Report. (3) Is a formula in the Excel spreadsheet to calculate the percentage of direct/chargeable time. (4) Is a formula in the Excel spreadsheet to calculate the total time a staff member worked during that time period. (5) Is a number input by the Assistant Staff Auditor. Is the number of available work hours for that time period. (6) Is a number calculated by the Assistant Staff Auditor. Last periods number is added to current periods number. This is cumulative direct/chargeable time for each staff member. (7) Is a number calculated by the Assistant Staff Auditor. Last periods number is added to current periods number. This is cumulative indirect/non-chargeable time for each staff member. (8) Is a formula (similar to that in number 3 in the Excel spreadsheet to calculate the percentage of cumulative direct/chargeable time. (9) Is a number calculated and input by the Assistant Staff Auditor. Is the number of hours available to work for that current fiscal year time period. Last periods number is added to number 1. (10) Is a number input by the Assistant Staff Auditor. Is the number of available work hours for that current fiscal year time period. Last periods number is added to number 2. (11) Is the managers cumulative total for their chargeable and non-chargeable time work for both current time period and fiscal year to date. (12) Is staffs cumulative total for their chargeable and non-chargeable time worked for both current time period and fiscal year to date. (13) Is managers and staffs cumulative total for chargeable and non-chargeable time worked for both current time period and fiscal year to date. (14) Is the amount of time staff has over or under worked. If overage, can be used as flex time. If under, time must be made up. Variances will show almost every time period for staff members working flex hours.

IA-226 (SEE PROCEDURE NUMBER 220.05, AUDIT PROJECT REPORTING)

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

220.35
DATE

Time Reporting Processing Tools

05/03/04

Following are examples of the spreadsheets described at procedure 220.05. These spreadsheets are used to process information for the Status & Summary of Audit Projects and the Direct Time Status Report: A. Cumulative History for Open Projects. (&Domain\adminBB\STATUS.RPT\Cumulative History for Open Projects) Cumulative Hours for Completed Projects. (&Domain\adminBB\STATUS.RPT\ Cumulative Hours for Completed Projects) Indirect Time Cumulative History of Hours. (&Domain\adminBB\STATUS.RPT\ Indirect Time Cumulative History of Hours)

B.

D.

All three spreadsheets are in the format shown below:

Project Name
Project Name Date Number Hours Worked Running Total Hours Worked

Year/Year Total

(SEE PROCEDURE NUMBER 220.05, AUDIT PROJECT REPORTING)

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 3

220.40
DATE

STATUS & SUMMARY OF AUDIT PROJECTS

05/03/04

STATUS & SUMMARY OF AUDIT PROJECTS FY ENDING JUNE 30, 200x AS OF MM/DD/YY Est. Hours Total Planned Est. Days Completion Report Beyond Date Date Estimate Hours Beyond Planned

Projects

Hours to Complete

Actual Hours

Planned Hours

Direct Audit Time Scheduled Projects: (1&2) (3) (4) Total In-Process

(5)

(6)

(7)

(8)

(9)

(10)

Indirect Time: (1&2) Total Indirect Time Total Actual Direct & Indirect Time Total Estimated Direct & Actual Indirect Hours

(4) === === ===

Estimated hours available FY xx-xx Actual in process hours carried over from previous year Total estimated hours available in FY xx-xx TOTAL DIRECT HOURS TO DATE Completed Projects In-Process Projects Prior Years Projects Deleted Projects Total Direct Hours Used to Date Estimated Direct Hours Remaining Hours to Complete In-Process Projects Estimated Hours Needed for Schedule not Started Projects Net Hours Available Check

(11) (12) (13)

(14) (15) (16) (17) (18) (19) (20) (21) (22) (23)

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

2 of 3

220.40
DATE

STATUS & SUMMARY OF AUDIT PROJECTS, continued

5/03/04

STATUS & SUMMARY OF AUDIT PROJECTS FY ENDING JUNE 30, 200x AS OF MM/DD/YY Page 2 Est. Hours Total Actual Planned Actual Days Completion Complet.Beyond Date Date Estimate Actual Hours Beyond Planned

Projects

Actual Hours

Planned Hours

Direct Completed:
(1&2) (4) (5) (6) (7) (8) (9) (10) Total Completed Total Direct, Indirect and Completed Time Total Estimated Direct, Actual, Indirect and Completed

Scheduled Not Started:

Audits: (1&2) Total Audits Control Assessments: (1&2) Total Control Assessments Total Schedule Not Started Total of All Projects (5) (6) (7) (8)

(5)

(6)

Note: A project is considered in process only when hours have actually been incurred.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

3 of 3

220.40
DATE

STATUS & SUMMARY OF AUDIT PROJECTS, continued

5/03/04

EXPLANATION OF DATA (1) (2) (3) (4) (5) (6) (7) (8) (9) Audit Project Number. Title of Project. A calculation of hours left to complete project. Numbers 4 and 5 are used in this calculation. Amount of actual hours incurred on audit project. Are the estimated hours it will take to complete the audit. Is the amount of hours planned by management and published in the departments Annual Report and Audit Program. Is the date planned by management and published in the departments Annual Report and Audit Program. Is the estimated completion date for audit report agreed upon by management and the audits In-Charge Auditor. Is a calculation of the difference between planned and actual completion date for audit. A formula within the Status & Summary of Audit Projects spreadsheet in Excel provides the number of days. Is a calculation of the difference between the planned and actual hours to complete the audit. A formula within the Status & Summary of Audit Projects spreadsheet in Excel provides the number of hours. Number is determined by management and published in the departments Annual Report and Audit Program. Number is provided on the previous years June 30th Status & Summary of Audit Projects. If the difference between numbers 11 and 12. Is taken from number 4 total on page 2 of the Status & Summary of Audit Projects for the Direct Completed section. Is taken from number 4 of the Actual Hours for Direct Audit Time projects. Is a number input by the Assistant Staff Auditor from the Cumulative hours for Completed Projects. Is a record of time spent on projects that management later decides to delete. Is the accumulated total for numbers 14, 15, 16, and 17. Is number 18 subtracted from number 13 Is the same number as number 3 Is the same number as the Total Scheduled Not Started Estimated Hours Total, number 5 of page 2 of the Status & Summary of Audit Projects. Is a calculation of numbers 19, 20, and 21. Is a formula to assist the Assistant Staff Auditor in double matching to the Direct Fiscal Year to Date total on the Direct Time Status Report.

(10)

(11) (12) (13) (14) (15) (16) (17) (18) (19) (20) (21) (22) (23)

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

230.00
DATE

AUDIT PROCESS

5/03/04

The audit process is a formalized method of performing each audit project. The process should be followed in each project unless authorized by the Chief Internal Auditor. Each of the following phases are completed when an audit is conducted: Planning - Applicable permanent file, prior year working paper file and regulatory resource material are reviewed. The scope of the audit and the audit objectives are established and the planning memo is completed with all pertinent information. A job start letter is prepared for a pre-audit conference (see procedure number 230.05). Control and Risk Evaluation - Internal control objectives and techniques for the audit area are identified and evaluated. This phase identifies the internal control strengths and weaknesses (see procedure number 240.40). Audit Program - An audit program is designed and includes compliance and substantive tests, as necessary. The audit managers and Chief Internal Auditor approve the audit program (see procedure number 240.30). Fieldwork - Perform applicable compliance and substantive program steps. The in-charge auditor reviews the working papers and prepares a draft report. Review - The working papers and report are reviewed by the audit managers and Chief Internal Auditor (see procedure number 240.10). Exit Conference - A draft report is provided to the auditee at least 24 hours prior to scheduled exit conference. The report is reviewed in the conference. Response - After the auditee response is received, review the adequacy of the responses and incorporate the responses into the final report. Permanent File - Update the permanent file if necessary. Filing - Prior to filing of working papers, have the audit manager and Chief Internal Auditor review and initial approval for filing.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

230.05
DATE

JOB START LETTER

5/03/04

A letter identifying the beginning of an audit should be sent to the head of the department(s) being audited. The letter should be reviewed and approved by the assigned project manager. Job start letters should indicate the following: The scope and objectives of the audit The timing and anticipated duration of the audit Anticipated reporting dates The audit manager and in-charge auditor responsible for the audit project

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

240.05
DATE

WORKING PAPER PREPARATION

5/03/04

A record of the work performed by an auditor shall be retained in the form of working papers. The working papers will serve as a record of the results of the audit and the basis of the opinions, findings and recommendations of the auditor. The working papers should be prepared based on a written audit program and contain sufficient information so that supplemental oral explanations are not required. The working papers should be legible with adequate indexing and cross-referencing, and include summaries and lead schedules, as appropriate. The working papers should contain only that information which is materially important and relevant to the objectives of the audit. Such working papers should contain evidence of supervisory reviews of the work conducted. Each working paper should be signed and dated by the auditor preparing the working paper. The working paper should indicate the purpose of the working paper and the source of the information from which it was prepared. The auditor should reflect in the working papers a written audit conclusion for each major audit area. Audit working papers are classified as follows: Current Audit Working Papers: The current audit project working papers are used to document the audit work, results, findings and recommendations of the audit project currently being conducted. All such working papers are subject to the requirements of the Open Records Act. Confidential Audit Working Papers: Confidential audit working papers are those working papers that contain confidential data, which should not be released under the provisions of the Open Records Act. Such working papers should be organized and bound in a separate binder clearly marked as not subject to the Act. Items that are generally not subject to the act include proprietary information, allegations of wrongdoing or items related to pending or possible legal actions. Permanent Files Some documents, schedules or analyses obtained or completed during a project may have lasting importance and usefulness. The auditor should take this into consideration when filing completed project files. Such files should be placed in a permanent file. Consideration should be given to whether the file should be scanned and retained electronically.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 2

240.10
DATE

WORKING PAPER REVIEW AND APPROVAL

5/03/04

The in-charge auditor for a given audit project will review all working papers prepared by other staff auditors assigned to the audit. The applicable audit manager will review all working papers prepared by the in-charge auditor and other staff auditors. Such reviews are documented by initialing and dating the applicable working papers. The Chief Internal Auditor will review and initial and date those working papers of all significant audit areas. The working paper review is also documented on the Audit Working Paper Approval Form. The purpose of the Audit Working Paper Approval Form is to provide an aid to the final review of the adequacy of working paper documentation and to document that such a review has been done. This form may be found in Internal Auditing Electronic Files located at: http://www.cityauditorphilwood.com/forms/approvalform.doc

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

2 of 2

240.10
DATE

WORKING PAPER REVIEW AND APPROVAL, continued

5/03/04

Audit Name Audit Working Paper Approval Form As of DETAILED REVIEW (to be completed by the in-charge auditor) Initials 1. 2. 3. 4. I have reviewed all workpapers prepared by the personnel in my charge on this engagement. I have compared the work performed as evidenced by our working papers with the procedures called for by the audit program and find that our examination complies with the requirements of the audit program. I have reviewed the completed audit program and am satisfied that our examination has accomplished the audit objectives. I have reviewed the completed audit program and am satisfied that our examination, as evidenced by the workpapers reviewed by me, was performed with proficiency and due professional care and the workpapers adequately support the findings and recommendations. Completed by: ____________________________________________ Date: __________ Date

MANAGER REVIEW Initials 1. 2. 3. I have reviewed all workpapers prepared by the personnel in my charge on this audit, which were not reviewed as a part of the detailed review described above. I have made a review of sufficient additional workpapers to be satisfied with the adequacy of our examination. I have reviewed the completed audit program and am satisfied that our examination, as evidenced by the workpapers reviewed by me, was performed with proficiency and due professional care and the workpapers adequately support the findings and recommendations. I have reviewed the audit report and am satisfied that it properly reports the results of the audit. I approve issuance of our report of the results of this audit. Completed by: ____________________________________________ Date: __________ Date

4. 5.

CHIEF INTERNAL AUDITOR REVIEW Initials 1. 2. 3. 4. The other review sections of this form have been completed to my satisfaction. I have made a review of sufficient workpapers to be satisfied with the adequacy of our examination. I have reviewed the audit report and am satisfied that it properly reports the results of the audit. I approve issuance of our report of the results of this audit. Completed by: ____________________________________________ Date: __________ Date

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

240.15
DATE

INTERNAL CONTROL DOCUMENTATION

5/03/04

The review of internal controls should be documented in the working papers. Any one or combination of the following can accomplish the documentation: Flowcharting Narrative descriptions Questionnaire

The Control Objectives and Techniques working paper (see procedure number 240.40) is one method that can be used to assist in the evaluation of the documented internal controls.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

240.20
DATE

STANDARD WORKING PAPERS

5/03/04

The working papers prepared for an audit are generally unique to the particular audit being conducted. However, certain working papers, which document the administrative and control aspects of an audit are not unique. Such working papers are applicable to any audit and can be standardized. Standard working papers consist of the following:
DESCRIPTION ELECTRONIC FILE LOCATION
. . . ./S/AuditFindingForm.doc . . . ./S/BudgetvsActual.xls . . . ./S/CondensedReportTemplate.doc . . . ./S/ControlObjectivesandTechniques.doc . . . ./S/CorrectiveActionPlanCAP.doc . . . ./S/DetailedProgramForm.doc . . . ./S/DraftAuditReportControl.doc . . . ./S/EngagementRiskAnalysis.xls . . . ./S/Full-LengthreportTemplate.doc . . . ./S/GeneralMattersProgram.doc . . . ./S/IndependenceStatement.doc . . . ./S/LeadMemoForm.doc . . . ./S/ReportDistributionList.doc . . . ./S/SummaryofInternalControl.doc . . . ./S/WorkpaperApprovalForm.doc . . . ./S/WorkpaperIndex.xls Audit Finding Form Budget vs. Actual Condensed Report Template Control Objectives & Techniques Corrective Action Plan (CAP) Detailed Program Form Draft Audit Report Control Engagement Risk Analysis Full-length Report Template General Matters Program Independence Statement Lead Memo Form Report Distribution List Summary of Internal Control Workpaper Approval Form Workpaper Index

The content of such standardized working papers will be revised, when applicable, to reflect any applicable changes in the accounting or auditing standards.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

240.25
DATE

INDEXING AUDIT WORKING PAPERS

5/03/04

All working papers should be indexed in a consistent logical manner using a standard indexing system. The audit manager may authorize deviations from the standard system as deemed necessary. GENERAL BINDER The general binder working papers should be indexed as follows: GB X - X GB X - X: The letters GB stand for the General Binder. Each working paper is then sequentially indexed (i.e. GB 1, GB 2, etc.) Supporting or sub-workpapers within each index should be indexed as GB1-1, GB1-2, etc. as needed. OTHER BINDERS Working papers in other than the general binder should be indexed as follows: DEPT X - X DEPT (Department): An abbreviation for the applicable department may be used if the audit involves more than one department and the separation or organization of working papers by department is deemed necessary. (i.e. PARK for Parks and Recreation Department). The use of the department designation is optional. If the audit only involves one department, the dept should not be used. X - X: The X - X represents a sequential indexing of working papers. The first digit is the same number as the audit program step which the working paper supports. The second digit represents a sequentially assigned index identifying the first and subsequent working paper for the same audit program step. If one working paper consists of more than one page, the same index is used on all pages and each page is numbered i.e., 1x2, 2x2, etc. The working paper page numbering is separate from and does not affect the working paper indexing.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

240.30
DATE

AUDIT PROGRAMS

5/03/04

Written audit programs will be used on all audit projects. The audit program lists the specific procedures to be done in each audit area. The audit procedures listed in the program are derived from a review of the internal control system, completion of the Control Objectives and Techniques Working paper (see procedure number 240.40), and other planning or system documentation. The audit procedures are designed to accomplish the related written audit objectives. Audit program steps are cross-referenced, where appropriate, to the applicable working paper where the steps are performed. Each step should be initialed by the auditor(s) who actually performed the audit procedure. The applicable audit manager should approve all written audit programs prior to the audit procedures being done. Revisions to the audit program are often necessary, due to the actual information obtained during the course of the audit field work being different from that known during the planning phase or unknown at the planning phase. The audit manager should approve all changes to the written audit plan. Changes, which significantly affect the scope or objectives of the audit, are to be approved by the Chief Internal Auditor.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 2

240.40
DATE

CONTROL OBJECTIVES AND TECHNIQUES

5/03/04

Internal Auditing uses the control objectives and techniques methodology as one means for the preliminary review and evaluation of risks and internal control relevant to the activity under review. This methodology involves evaluation of control techniques and management of risks toward accomplishment of desired control objectives. This analysis assists the auditor with planning compliance and substantive testing to be performed for the audit. The Control O&T and Engagement Risk Analysis forms are used to document the analysis. Evaluation of control objectives and techniques involves the following procedures: 1. Determine and list all control objectives applicable to the audit scope. Control objectives specify what should be achieved by the internal controls exercised in the audit area and provide specific guidelines against which existing control techniques can be compared. Control objectives are determined from various sources including published audit reference material, published industry standards, discussion with auditee management and professional auditor judgement based upon the nature of the activities to be controlled. The auditor should note the source(s) from which the control objectives were derived to document support for the validity of the control objectives listed, unless the source(s) are obvious or generally understood under the audit circumstances. 2. Identify and list the risks relevant to the control objectives. Discussion with management is the key starting point in risk identification and evaluation. References to authoritative documents are also valuable. 3. Measure risks by measuring the severity of consequences and likelihood of occurrence. Severity of consequences measures the magnitude of the negative event. Likelihood of occurrence measures the probability or frequency of the risk event happening. Management input on these measurements is crucial to obtaining accurate results. 4. Identify and list the control techniques in place within the system of internal controls as applicable to the control objectives. Control techniques are the specific methods and measures designed to control an activity and manage risks. Control techniques include organization structure and task assignments, performance standards and criteria, policies and procedures, checks and balances, and forms and physical devices. Control techniques are identified by various information-gathering methods such as review of written documentation, interviews and auditor observations. 5. Evaluate the control techniques identified, both individually and taken as a whole assuming the techniques are functioning as intended, and write a conclusion as to whether the techniques are adequate to reasonably assure the related control objective is achieved. Any control deficiencies (missing controls) and/or control weaknesses (ineffective controls) determined from this evaluation should be noted as part of the written conclusion and cross-referenced to an audit finding sheet for reporting to management. The auditor should also be alert for possible excessive controls, which could be reported in order to increase efficiency and reduce costs.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

2 of 2

240.40
DATE

CONTROL OBJECTIVES AND TECHNIQUES

5/03/04

6. Select the individual control technique(s) to be compliance tested based upon the evaluation performed and cross-reference to the audit program step used to test the control technique. This selection should consider and be concentrated on the individual techniques or combinations of techniques that are most effective in assuring achievement of the related control objective. Ineffective control techniques should not be tested. 7. Reference any audit program steps for substantive testing applicable to the control techniques. Substantive testing is necessary in some circumstances depending on the nature of the audit (i.e. financial audits) and for instances where the control techniques have been determined ineffective in achieving a control objective. Also, substantive testing may be required or planned according to the audit scope regardless of the condition of the internal control system. In such circumstances the auditor should consider the planned substantive testing in relation to selection of the control techniques to be compliance tested. The auditor may decide not to perform compliance testing under these conditions to maximize efficiency in performing the audit.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

240.50
DATE

WORKING PAPER TICKMARKS

5/03/04

Audit working papers must indicate all procedures performed. Symbols or "tickmarks" are used to indicate the procedures performed. The following conventions apply to the use of tickmarks: Tickmarks can be electronic or completed using a red pencil to distinguish them from penciled figures and notations. A different tickmark symbol is used for different work performed. The same symbol but different colored tickmark should not be used since working papers are often photocopied and all writing will appear black. Tickmarks must be explained. The tickmark legend should appear at the bottom of each page on which the tickmarks are used or on a standard tickmark sheet. The location of the standard tickmark sheet is appropriately referenced on the individual working papers where the tickmarks appear. Tickmarks should be used to indicate a procedure was performed. Tickmarks of intricate design should not be used. Such tickmarks are difficult to distinguish and confusing.

To facilitate the use of tickmarks to indicate or explain audit procedures that are common and frequently used, Internal Auditing uses certain standard tickmarks. A working paper indicating the standard tickmarks should be placed in the front of each binder. See procedure number 240.51 for standard tickmarks to be used.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 2

240.51
DATE

STANDARD TICKMARKS

5/03/04

The following standard tickmarks are designated to provide uniformity within the Internal Audit Division. Unless otherwise stated on the audit working papers, the use of these standard tickmarks indicates certain, specific procedures have been applied.

Electronic F

Pencil \/\ FOOTED A column of figures has been footed by the auditor and agreed with the subtotal or total. FOOTED AND CROSS-FOOTED A horizontal series of figures has been cross-footed by the auditor and agreed with the subtotal or total at the end of the line. In the case of a subtotal or total at the end of the line that is also a subtotal or total for a column of figures, the use of the tickmark indicates the footing of the column has also been checked by the auditor. CONFIRMATION REQUESTED An audit confirmation was requested with an outside source. Whether the request was positive or negative should be indicated on the working paper. CONFIRMED WITHOUT EXCEPTION For positive confirmations, this tickmark indicates the reply to the confirmation request stated the data confirmed was in agreement with the outside source's records. For negative confirmations, this tickmark indicates a reply was not received and the data confirmed is considered in agreement with the outside source's records. CONFIRMED WITH EXCEPTION This tickmark indicates that a confirmation (either positive or negative) was requested with an outside source and the reply to the request stated the data confirmed was not in agreement with the outside source's records. TRACED When placed by an item or figure, this indicates tracing from/to the source/destination of the item or figure. Additional notation on the working paper of the description of the supporting documentation or data used may be appropriate.

Fx

\/\

Cx

||

||

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

2 of 2

240.51
DATE

STANDARD TICKMARKS, continued

5/03/04

VOUCHED This indicates the nature, propriety and amount of an item that has been ascertained by the examination or testing of outside supporting documentation or data. Additional notation on the working paper of the description of the supporting documentation or data used may be appropriate.

CCx

CCx CANCELED CHECK EXAMINED When placed by a figure representing an issued check, this indicates the check paid by the bank was examined by the auditor and compared with the related transaction for check number, account number, date, amount, payee, endorsement and authorized signature. Dx DEPOSIT SLIP EXAMINED When placed by a figure representing a deposit of funds with a depository institution, this indicates the auditor examined the deposit slip and compared with the related transaction for account number, date and amount. RECALCULATED, CALCULATION CHECKED When a figure has been derived by mathematical calculation, the auditor has re-performed the calculation and the results agree with the figure being checked. FIGURE AGREES WITH GENERAL LEDGER This indicates the figure was compared by the auditor and determined to agree with the applicable general ledger balance or amount.

Dx

Rc

Rc

G/L

G/L

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 2

240.60
DATE

BUDGET TO ACTUAL COMPARISON

5/03/04

For each audit conducted, a Budget to Actual Comparison is prepared. The budgetary portion represents the estimated hours by audit areas necessary to complete the audit. The budget is prepared during the initial planning phase of the audit. The general audit areas are determined by the in-charge auditor and audit manager and the number and description of such areas will vary with each audit. As time is incurred on the audit project, the detailed time sheet (see procedure number 220.20) is used to post the hours worked by an individual, by audit area, to the budget to actual comparison. On a periodic basis, the number of hours by audit area should be totaled to facilitate comparison to the applicable budgetary amounts. Also, the audit manager provides the in-charge auditor with the total hours incurred on the audit project as accumulated on the Cumulative History of Project Hours (see procedure number 220.35). The in-charge auditor should reconcile the total hours per the Cumulative History of Project hours to the totals on the budget to actual comparison and document in the working papers an explanation of all significant time variances (i.e. overages/underages).

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

2 of 2

240.60
DATE

BUDGET TO ACTUAL COMPARISON, continued

5/03/04

AUDIT NAME BUDGET TO ACTUAL COMPARISON AS OF

BUDGET ACTUAL (EST) DIFFERENCE

Date

Background Auditor & Planning

Review & Sup/ ICE

Wrap Up

Report

Other General T Procedures

T 1

T 2

T 3

T 4

T 5

TOTAL

ETC TOTAL

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

240.70
DATE

AUDIT FINDINGS

12/31/01

During all phases of the audit, potential audit findings can be encountered. At the time the potential finding is encountered, an Audit Finding Form should be prepared. Audit findings should be prepared as the audit progresses and not just during the reporting phase of the audit. All audit findings should be discussed with the auditee prior to developing the written report comment or corrective action plan. The purpose of the discussion is to determine: (1) the conditions noted are factually correct, (2) to apprise the auditee of the possible report finding, and (3) to obtain the auditee's input on corrective action. After discussion with the auditee, the audit finding may be summarized on a Corrective Action Plan form. This form should be sent to the auditee for providing a written response.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

245.00
DATE

CONTROL ASSESSMENT PROCESS

5/03/04

The control assessment process uses a high-level approach based on the tools in the Internal Control - Integrated Framework publication. The focus of these assessments is the five critical components necessary for good internal control, which are the control environment, risk assessment, control procedures, information/communication, and monitoring. Control assessment methodology involves interviewing personnel in the area being reviewed and examining relevant documentation. The process is detailed in the CA Program form. The process involves the following steps: 1. Planning The projects preliminary scope and objectives are defined and a pre-audit conference is conducted 2. Evaluation of control framework - Relevant points of focus are identified from the CA Control O&T form. Interviews of auditee personnel are conducted to identify control techniques that address the points of focus. Example interview questions are provided in the CA Interview Questions form. Control techniques that address each point of focus are identified through the interviews and documented on the CA Control O&T form. Control strengths and weaknesses are identified and documented on the form. An evaluation is made of each point of focus and of the overall internal control framework. The overall evaluation is documented on the Control Framework Evaluation form. 3. Report A report of the project results is drafted. 4. Review - The working papers and report are reviewed by the audit managers and Chief Internal Auditor. 5. Exit Conference - A draft report is provided to the auditee at least 24 hours prior to scheduled exit conference. The report is reviewed in the conference. 6. Response - After the auditee response is received, review the adequacy of the responses and incorporate the responses into the final report.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 2

250.05
DATE

AUDIT REPORT PROCESS

12/31/01

Step 1 Prepare draft report Prepare first draft of report. Consideration should be given to whether a full-length or condensed report s better suited for the report. Some factors to consider include: users of the report and their i level of familiarity with the audited area, sensitivity of report information, and significance of the audit findings. If a full-length report is selected, the Full-Length Audit Report form will be used. If a condensed report is selected, the Condensed Audit Report and Corrective Action Plan (CAP) forms will be used. Step 2 Obtain management review of draft report Obtain reviews by Audit Manager and Chief Internal Auditor. Include review comments in first draft. Provide copy of first draft to City Auditor for review. Include any changes recommended by City Auditor. Step 3 Schedule and conduct exit conference A copy of the first draft should be delivered to the auditee at least 24 hours in advance of exit conference. Hold exit conference with auditee and discuss preliminary draft. Who will participate in the exit conference depends on the nature of the report and on the interest or concern of management. The draft report may be reviewed with: * Management personnel directly responsible for audit area. * Management required to take action. * Management responsible for the area or condition needing corrective action - whether or not they personally would take action or would be affected by the action. At a minimum, the draft report should be reviewed with the individual responsible for the activity and, if appropriate, with his/her immediate superior. A copy of the draft report will be furnished to all personnel attending the exit conference. The report will be marked Preliminary Draft for Discussion Purposes Only. The draft should be reviewed to the extent necessary to: * Resolve conflicts. * Reach agreement on the facts. * Prevent incomplete or erroneous replies * Permit the auditee to see in advance the written report, which sometimes may appear different from the previous oral discussion of audit findings. The purpose of the review is to obtain agreement on the facts and to make sure management understands the key statements in the report. The report is the responsibility of the auditor, not the auditee; hence, the review process is designed to ensure a proper interpretation of what the auditor has written, not what the auditee would like to see written. If there is a disagreement concerning the facts stated in the report, the auditor should make an earnest effort to resolve such disagreements. If the differences cannot be reconciled, the report should clearly set forth the positions of both the auditor and the auditee.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

2 of 2

250.05
DATE

AUDIT REPORT PROCESS

12/31/01

At the close of the exit conference, the auditor should inform the auditee of the procedures followed for: issuing the final report, who will get copies of the final report, and agree on a written response completion date normally within ten working days. The auditor should provide the auditee a copy of the Internal Auditings Guidelines for Responding. Step 4 Prepare second draft Incorporate any changes resulting from the exit conference in a second draft for review by Audit Manager and Chief Internal Auditor. Step 5 Obtain and evaluate auditee response When a written response from management is received, the response is reviewed to determine that it addresses all recommendations in the report and includes all required elements. The individual responses should clearly indicate concurrence or nonconcurrence with the finding and recommendation presented and identify what corrective action, if applicable, is planned and an estimate of when such action will be completed. If the response expresses opposition with the findings or recommendations of the report, the auditor should evaluate the basis for the opposition. If the response is incomplete or includes an invalid reason for disagreement, a second response should be requested from the auditee. When the auditor and management cannot reach agreement on a valid response, the auditor may choose to state in the audit report under the caption Auditors' Comments the reasons for rejecting the response. Such reasons should be documented in the audit working papers. Responses are usually included in the report verbatim. If the response is extremely lengthy, the auditor should summarize the response of the auditee to each finding, including the corrective action to be taken, and include a copy of the full response as an attachment to the audit report. Step 6 Prepare final draft Incorporate departmental responses and other changes into report and prepare a final draft for review by Audit Manager, City Auditor, Chief Internal Auditor, and Auditee. Incorporate any changes from the review into the final report. Present report with the Draft Audit Report Control form for signature of Chief Internal Auditor and City Auditor. Prepare Distribution List form and provide to Chief Internal Auditor for approval. Step 7 Distribute and present report Distribute final report using Distribution List form. Present final report to the City Council or Council Sub-Committee and the Mayors Audit Advisory Committee as requested or required.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 2

254.00
DATE

SPECIAL PROJECTS / CLIENT REQUESTED PROJECTS

5/03/04

A pool of hours is allocated in the audit plan to be available for special projects and client requests for projects. 254.05 Approval: Special projects are generated from within the Office of the City Auditor and may be directed by the City Auditor and/or Chief Internal Auditor. Other special projects suggested by Internal Audit Managers and Staff may be conducted upon approval by the City Auditor or the Chief Internal Auditor. Client requested projects are generated from outside the Office of the City Auditor by the City Council, Mayor, City employees, citizens or other interested parties. Client requested projects may be conducted upon approval by the City Auditor. Other duties and services the Council may require by ordinance or resolution shall be conducted according to the City Charter.

254.10 Request Procedures: Special projects may be initiated with or without a written request at the discretion of the City Auditor and/or Chief Internal Auditor. Client requests for projects should be submitted in writing for consideration by the City Auditor.

254.15 Engagement memos: Special projects may or may not require an engagement memo as determined by the City Auditor. All client requested projects shall require an engagement memo setting forth the nature of the project requested and the specific audit work to be performed in order to assure an adequate understanding between the requestor and Internal Auditing. The engagement memo shall be reviewed and approved by the requestor and City Auditor.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

2 of 2

254.00
DATE

SPECIAL PROJECTS / CLIENT REQUESTED PROJECTS, continued

5/03/04

254.20 Budget Hours: All special projects and client requested projects to be conducted with hours allocated in the pool specified in the audit plan shall require establishment of project budgeted hours and approval by the City Auditor and/or Chief Internal Auditor. Budgeted and actual hours applied to the project shall be documented in the project work papers.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 2

255.05
DATE

AUDIT FINDING / CORRECTIVE ACTION - MONITORING

5/03/04

Internal Auditing will perform an annual process to monitor and ensure that corrective actions resulting from audit recommendations have been implemented. A database of audit findings will be maintained to facilitate monitoring of corrective action. The purpose of the database is to provide a means of: Controlling, updating and reporting the proposed corrective actions to audit findings. Reporting the number, type and description of corrective actions taken. Reporting to management which finding recommendations have not been implemented and therefore remain a risk exposure. Identifying which audit findings require additional follow-up action by Internal Auditing based on risk exposure. Establishing a reporting system to obtain information concerning the current implementation status of proposed corrective actions from the responsible departmental heads. The database will contain the following information:
Audit number The format is FY-NN. The first two digits represent the fiscal year the project was conducted. The last two digits represent the sequential assigned project number used in the Internal Auditing time reporting system. Title assigned by Internal Auditing to the audit project Date the audit report was issued Name of the department where the audit was performed Name of the person who was the audit contact or other person who is most likely to know the status of corrective action. The number assigned to the finding in the audit report and/or audit workpapers Brief summary of the original audit finding Brief summary or the recommendation in the original audit finding Initially, the original response is entered. As updates are received on status of corrective action, new information is entered in this field Choose one of the following to indicate status of corrective action: 1 In-Process - Corrective Action is being implemented 2 Pending - Corrective action agreed to but no action taken yet 3 Completed per report response 4 Complete per status inquiry response 5 Complete per follow-up report response 6 Complete - verified by follow-up procedures 7 Recommendation declined - Corrective action will not be taken. 8 Will not be implemented due to changed conditions 9 Complete, will not be verified by Internal Audit Enter the date, in a YY/MM/DD format, when the corrective action was completed

Audit title Report date Department Contact person Audit finding number Finding Description Recommendation Response Status Code

Date of corrective action

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

2 of 2

255.05
DATE

AUDIT FINDING / CORRECTIVE ACTION - MONITORING

5/03/04

An annual project is scheduled for input of all findings issued during the previous fiscal year into the database and to follow-up on open findings with expired completion dates. A work program setting forth the steps to be completed for this annual project is maintained in the Report of Management Actions permanent electronic files. After updating the status, the Chief Internal Auditor will provide reports to elected officials and management. Such reports could include, but not be limited to, the following: Findings with completed corrective actions. Findings with corrective action in process and the status of such corrective action. Audit recommendations that will not be implemented. Findings with corrective action not completed.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 2

255.10
DATE

AUDIT FINDING / DATA BASE DEFINITIONS OF DATA FILES

5/03/04

AUDIT NUMBER The audit number is the numerical designation made by Internal Auditing to identify each audit project. The format is FY-NN. The first two digits (FY) represent the fiscal year the project was conducted. The last two digits (NN) represent the sequential assigned project number used in the Internal Auditing time reporting system.

AUDIT TITLE Enter the audit title (summarized if necessary) assigned by Internal Auditing to the audit project.

REPORT DATE Enter the date the audit report was issued.

DEPARTMENT Enter the name of the department where audit was performed.

CONTACT PERSON Enter the name of the person in the auditee department who is most likely to know the current status of the audit finding. This will generally be the contact person designated by the department head for the original audit.

AUDIT FINDING NUMBER Enter the number assigned to the finding in the audit report.

FINDING DESCRIPTION The field should contain a brief summary of the original audit report findings.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

2 of 2

255.10
DATE

AUDIT FINDING/DATA BASE DEFINITIONS OF DATA FILES, continued

5/03/04

RECOMMENDATION The field should contain a brief summary of the recommendation contained in the original audit report.

RESPONSE Initially, the original response of the auditee should be summarized and entered in this field. When a status update is received, the new status is entered in this field.

STATUS CODE Enter the two-digit code, which indicates the current status of corrective action. Codes to be used are as follows: 1 2 3 4 5 6 7 8 9 In-Process - Corrective Action is being implemented Pending - Corrective action agreed to but no action taken yet Completed per report response Complete per status inquiry response Complete per follow-up report response Complete - verified by follow-up procedures Recommendation declined - Corrective action will not be taken. Will not be implemented due to changed conditions Complete, will not be verified by Internal Audit

DATE OF CORRECTIVE ACTION Enter the date, in a YY/MM/DD format, when the corrective action was completed.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

260.05
DATE

CONFLICT OF INTEREST

5/03/04

In all matters relating to audit work, the audit organization and the individual auditors should be free from personal and external impairments. Such independence is necessary so that opinions, conclusions, judgments, and recommendations will be impartial and will be viewed as impartial by knowledgeable third parties. It is essential not only that auditors are, in fact, independent and impartial, but also that knowledgeable third parties consider them so. There are circumstances in which auditors may not be impartial, or may not be perceived to be impartial. In order to assist auditors in identifying any personal impairments, an annual independence statement (see file reference at annual independence procedure 260.06) should be completed. Also, to assist audit team members with review of their independence as it relates to specific audit projects to which they are assigned, an independence statement should be completed and documented in the audit project work papers as a step in the general matters - planning section of the audit program.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

260.06
DATE

ANNUAL INDEPENDENCE STATEMENT

5/03/04

CONFLICT OF INTEREST STATEMENT To the best of my knowledge and belief, I have answered the following questions correctly:

YES
1. Do you have any official, professional, personal, or financial relationships that might cause you to limit the extent of any inquiry, to limit disclosure, or to weaken or slant audit findings in any way? 2. Do you have any preconceived ideas toward individuals, groups, organizations, or objectives of a particular program that could bias the audit? 3. Did you have any previous responsibility for decision making or managing an entity that would affect current operations of any entity or program being audited? 4. Did you previously perform any duties for the City of Tulsa involving the approval of invoices, payrolls, claims, or other proposed payments? 5. 6. Do you have a financial interest, direct or substantial indirect, in the City of Tulsa or in any of the related entities, funds or programs of the City of Tulsa except for compensation and benefits provided by City policy? Do you have a financial interest, direct or substantial indirect, in any related party transaction (vendor, customers, contractors, leases, or other financial transaction, etc.) with the City, elected officials, other members of the City governing body, or affiliated government units that are not part of the report entity? I acknowledge receipt of a copy and affirm adherence to the Institute of Internal Auditors Code of Ethics. (State "none" if there are no exceptions): Are you currently or have you previously maintained the official accounting records of a fund or program of the City of Tulsa?

NO

7.

8.

EXCEPTIONS

SIGNATURE: ______________________________________

DATE:

____

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

260.07
DATE

AUDIT PROJECT INDEPENDENCE STATEMENT

5/03/04

AUDIT PROJECT INDEPENDENCE STATEMENT

Audit Name

As of
To the best of my knowledge and belief, the following statements are true. 1. I have no official, professional, personal, or financial relationships that might cause me to limit the extent of any inquiry, to limit disclosure, or to weaken or slant audit findings in any way. I have no preconceived ideas toward individuals, groups, organizations, or objectives of a particular program that could bias the audit. I have no previous responsibility for decision-making or managing an entity that would affect current operations of any entity or program being audited. I have not performed any duties for the City of Tulsa within the last five (5) years that involved the approval of invoices, payrolls, claims, or other proposed payments related to this audit. At no time within the past five (5) years have I maintained the official accounting records of a fund or program of the City of Tulsa related to this audit. I have no financial interest, direct or substantial indirect, in the City of Tulsa or in any funds, programs, or related entities of the City of Tulsa, except for compensation and benefits provided by City policy.

2.

3.

4.

5.

6.

TITLE CITY AUDITOR CHIEF INTERNAL AUDITOR AUDIT MANAGER AUDITOR IN-CHARGE STAFF AUDITOR ASSISTANT STAFF AUDITOR

SIGNATURE

DATE

Auditors should disclose, in writing, any exception(s) to these statements. Written exceptions should be filed as supplements following this page.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 2

260.10
DATE

PROFESSIONAL DEVELOPMENT

5/03/04

Continued professional development is necessary to refine and maintain employee skills, introduce progressive auditing and analytical techniques, and prepare individuals for greater levels of responsibility. Such development can be accomplished by on-the-job training and by attending formal training programs. Auditors should complete continuing education as follows: At least 20 hours should be completed each fiscal year. A total of 80 hours should be completed every two fiscal years. At least 24 of the 80 hours should be in subjects directly related to the government environment and to government auditing.

Each auditor is responsible for planning appropriate continuing education to meet these objectives. Such planning should be coordinated with the manager in charge of tracking CPE planning. The continuing education can be in the areas of auditing, accounting, data processing, management, or other related fields that enable the individual to increase the skills necessary to perform the duties specified as an internal auditor. Training may be done by Internal Auditing or be provided by recognized external organizations such as AICPA, Oklahoma Society of CPAs, Institute of Internal Auditors, colleges or universities or private training companies. Proof of completion of continuing education should be furnished to the Assistant Staff Auditor. Such proof may take the form of certificates of completion, transcripts, letters of confirmation, etc. To monitor the training received by the various internal auditors, the "Training Summary" (Form IA-267) will be used. The training summary will be maintained by the Assistant Staff Auditor for Internal Auditing and will be updated as necessary but no less than quarterly. Authorized time off will be provided to auditors who are taking an examination, which will result in professional certification. Registration fees or travel expenses will not be reimbursed.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

2 of 2

260.10
DATE

PROFESSIONAL DEVELOPMENT, continued

5/03/04

INTERNAL AUDITING TRAINING SUMMARY ACCUMULATED CONTINUING EDUCATION

NAME / TITLE / CERTIFICATIONS / PAGE #

AS OF 00/00/00
DATE 00/00/00 DESCRIPTION Name of Conference or Course 0000/0000 Fiscal Year Total LOCATION SPONSOR 00 00 HOURS

City, State Organization

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

260.15
DATE

PERSONNEL FEEDBACK / EVALUATION

5/03/04

The audit manager and in-charge auditor are responsible for the evaluation of staff personnel assigned to an audit project. The evaluation includes preparation of the applicable written evaluation form for a staff auditor or in-charge auditor and discussion of the completed form with the auditor being evaluated. The written evaluation should be prepared for projects on which the assigned auditor works more than 80 hours. The parameters for using the performance evaluation / feedback forms are as follows: 1. The evaluator may use either the standardized forms or any other format preferred. Normally, there will be only one in-charge auditor designated for an audit project. The evaluation form is to be completed by the in-charge auditor on all other staff assigned to the project. The audit manager will complete an evaluation on the in-charge auditor. The completed form should be discussed with the individual being evaluated. The evaluation should be signed by both the person being evaluated and the evaluator and then given to the audit manager of the project for review and signature. Copies of the evaluation may be provided to the person being evaluated. The evaluator should not retain copies. Additional comment pages may be attached by either the person being evaluated or by the evaluator. The Chief Internal Auditor will maintain the original copy of the evaluation. Copies of the evaluation will not be forwarded to the individual's personnel file. The forms are not intended to supersede the Performance Planning and Review Record form. The intent of the form is to provide timely feedback for improvement of performance.

2.

3. 4.

5.

6.

7.

8.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 2

260.16
DATE

STAFF AUDITOR PERSONNEL FEEDBACK / EVALUATION FORM

5/03/04

CITY OF TULSA INTERNAL AUDITING PROJECT FEEDBACK/EVALUATION FORM STAFF AUDITOR

NAME OF PERSON EVALUATED: ___________________________________________________ AUDIT TITLE: ____________________________________________________________________ DUTIES ON AUDIT: ________________________________________________________________

Above Average Planning

Competent

Needs Improvement

Not Rated

1. Obtains an understanding of the procedures and problems of the auditee. 2. Remains alert for improvements in planning documentation, audit programs, and budget.

Technical Competence

1. Demonstrates knowledge of auditing standards. 2. Prepares workpapers with procedures performed, nature, scope, and results of examination clearly and concisely stated. 3. Demonstrates basic documentation skills, including indexing, referencing, organization, and neatness. 4. Develops audit findings clearly presenting relevant facts, practical solutions, and discussions with the auditee.

Time Management

1. Demonstrates the ability to meet time budget. Actual results on the assigned areas: 2. Monitors own progress, keeps in-charge advised of progress and potential problems.
Communication

1. Demonstrates effective written communication. 2. Demonstrates effective oral communication, ability to sell ideas. 3. Listens to others and notes important information.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

2 of 2

260.16
DATE

STAFF AUDITOR PERSONNEL FEEDBACK/EVAL. FORM, continued

5/03/04

Personal Attributes

1. Maintains an effective interpersonal relationship with auditees, staff, and supervisors. 2. Accepts responsibility, shows initiative, self-motivation, and constructive attitude. 3. Maintains a professional bearing and appearance, independence from auditees. 4. Can be relied upon to meet requests from others, goals set for self.

Additional Comments:

SIGNATURE: PREPARED BY: REVIEWED BY:

______________________________________ ______________________________________ ______________________________________

DATE: DATE: DATE:

____________________ ____________________ ____________________

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 2

260.17
DATE

IN-CHARGE AUDITOR PERSONNEL FEEDBACK/EVAL. FORM

5/03/04

CITY OF TULSA INTERNAL AUDITING PROJECT FEEDBACK/EVALUATION FORM IN-CHARGE AUDITOR

NAME OF PERSON EVALUATED: _________________________________________________________________________________________ AUDIT TITLE: ___________________________________________________________________________________________________________ DUTIES ON AUDIT: ______________________________________________________________________________________________________

Above Average Planning

Competent

Needs Improvement

Not Rated

1. Obtains an understanding of the procedures and problems of the auditee. 2. Prepares effective and efficient audit programs and budgets. 3. Coordinates planning completion with staff availability. 4. Effectively coordinates planned audit procedures with auditee.

Technical Competence

1. Demonstrates knowledge of auditing standards. 2. Prepares workpapers with procedures performed, nature, scope, and results of examination clearly and concisely stated. 3. Develops audit findings clearly presenting relevant facts, practical solutions, and discussions with the auditee. 4. Monitors progress of the audit, keeps manager advised of progress and potential problems. Conducts team meetings periodically. 5. Exhibits the ability to prepare the audit report, knowledge of the reporting process. 6. Effectively wraps up the audit, including agreeing the workpapers to the report, ensuring workpapers receive all levels of review and all review comments are cleared. 7. Demonstrates the ability to meet time budgets. Actual results for the project:

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

2 of 2

260.17
DATE

IN-CHARGE AUDITOR PERSONNEL FEEDBACK/EVAL. FORM, continued

5/03/04

Above Average Supervision

Competent

Needs Improvement

Not Rated

1. Reviews workpapers on a timely basis. 2. Delegates responsibility for effective project completion to foster staff development. 3. Utilizes staff to maximize productivity. 4. Prepares thorough personnel evaluations on a timely basis, discusses performance with the individual evaluated.
Communication

1. Demonstrates effective written communication. 2. Demonstrates effective oral communication, ability to sell ideas. Conducts effective pre-audit and exit meetings. 3. Listens to others and notes important information.
Personal Attributes

1. Maintains an effective interpersonal relationship with auditees, staff, and supervisors. 2. Accepts responsibility, shows initiative, self-motivation, and constructive attitude. 3. Maintains a professional bearing and appearance, independence from auditees. 4. Can be relied upon to meet requests from others, goals set for self.

Additional Comments:

SIGNATURE: PREPARED BY: REVIEWED BY:

______________________________________ ______________________________________ ______________________________________

DATE: DATE: DATE:

____________________ ____________________ ____________________

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

260.20
DATE

STAFF SCHEDULING

5/03.04

The Chief Internal Auditor is responsible for assigning the various audit projects to the audit managers and for determining when and which audit projects in the audit plan will be started. Such assignments will be based on the professional judgment of the Chief Internal Auditor after considering the audit area, audit complexity, previous experience, existing work loads, and anticipated audit report due dates. The audit scheduler is responsible for making and controlling all staff assignments. Audit managers are responsible for informing the audit scheduler of staff requirements for the audits for which they have management responsibility. The assignments are based on staff qualifications, experience and availability and upon the needs and complexity of the audit project. One auditor will be designated as the in-charge auditor for each audit project. The in-charge auditor, in conjunction with the audit manager, is responsible for the planning, implementing, controlling, and reporting functions of the assigned audit. Additional audit staff members will be assigned to the audit team based on the specific audit staffing requirements and the time budget for the audit. Scheduling of audit staff members for projects will follow development of the detailed audit program unless approved by the Internal Audit Manager assigned for the project. The in-charge auditor shall be responsible for the direct supervision of staff auditors assigned to the project. The audit manager is responsible for the direct supervision of the in-charge auditor assigned. Supervision will include involvement in all phases of the audit project, including planning, implementing, controlling, and reporting. The audit scheduler will maintain a written schedule and provide, on a periodic basis, both audit staff and audit management with copies of the schedule. Any conflicts in the schedule should be brought to the attention of the audit scheduler for a resolution mutually agreeable to all involved parties. If the conflict is a result of conflicting priorities which cannot be readily resolved, the Chief Internal Auditor will be consulted and will make a determination of overall priorities and scheduling requirements.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 3

260.30
DATE

SAFETY AND HEALTH

5/03/04

FIRE ALARM It is the City policy that employees will evacuate the building when the building fire alarm (siren) is sounded and assemble in the designated area for a personnel head-count. The department warden will take the office sign-out log when exiting the building to help account for all personnel during the headcount. Personnel should use the stairways to exit the building, preferably through the basement parking area. Do not use the elevators for a fire evacuation. The designated assembly area is east of the building in the Doubletree parking lot. This area will provide access to the parking garage for shelter from bad weather, protection from the burning building and any falling debris, and keep personnel clear of approaching fire-fighting equipment and other emergency vehicles. Personnel should remain in the area and not attempt to reenter the building until the department warden has issued an official clearance. Two fire extinguishers are located on the third floor--on the north wall outside of the Suite 300 front doors and at the east end of the hallway to the left of the south stairwell door. There are no fire hoses in the Center Office Building. Note: CPR mask, goggles, and rubber gloves are included in a safety pack kept inside the fire extinguisher cabinet located outside of Suite 300.

NATURAL DISASTER WARNING The designated area for department assembly in case of an approaching storm, tornado, or flood warning will be the third floor hallway preferably by the rest rooms. This area will provide maximum protection by concrete blocks, solid doors and away from flying glass from windows and doors. When there is warning of approaching bad weather from a radio broadcast or the Civil Defense siren, it is City policy that employees will assemble in this designated area for a personnel head-count. Employees will remain in this area until an all clear is received from a designated department warden.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

2 of 3

260.30
DATE

SAFETY AND HEALTH

5/03/04

BOMB THREAT CALLER City Safety and Health Manual, Section 310.61 Emergency Action Policy states Exit the facility immediately and call 911 from another location to report a bomb threat. Internal Audit employees should exit the building and meet in the designated fire alarm area for a personnel head-count; 911 call can be placed at the Doubletree Hotel. The current policy for alerting other occupants to evacuate the building will be to activate the fire alarm as we exit.

EXTERNAL AIR CONTAMINATION If there is a threat of contaminated outside air, employees should remain in the building until it has been determined by civil authorities that the outside air is safe. The building ventilation system has built-in safeguards that prevent the circulation of air if chemical or other contamination is detected. Personnel should rely on the department warden for updates on the air contamination and when it is safe to leave the building.

FIRST AID KIT The Internal Audit Department shall provide and maintain a first aid kit that can be used by employees for immediate, temporary attention to medical emergencies and for self-administered treatment of minor cuts and abrasions. It shall be the responsibility of the departments appointed Hazard Communication Coordinator to semiannually check the first aid kit inventory to restock depleted and obsolete items. These periodic inventory checks should be documented on a sign-off card located inside of the first aid kit metal case. General First Aid Information is located in the City Safety and Health Manual Section 111.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

3 of 3

260.30
DATE

SAFETY AND HEALTH

5/03/04

CPR (Cardiopulmonary Resuscitation) Call 911 for emergency medical service before beginning CPR. CPR For an Adult instructions are located in Section 111.31 of the City Safety and Health Manual. CPR mask, eye goggles, and rubber gloves are included in a safety pack kept inside the fire extinguisher cabinet located outside of Suite 300. CPR instruction classes are offered through the Safety/Health Section, Personnel Department.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

270.05
DATE

GENERAL OFFICE SECURITY

5/03/04

Working papers and other internal audit files should be protected from unauthorized access. All staff will be provided with the applicable keys to the offices used by Internal Auditing. An access code should be arranged through the Internal Auditing Assistant Staff Auditor to be used for access to the building during off-hours. All file cabinets and outer office doors should be locked at the end of the working day. Each auditor has a responsibility to ensure that all working papers are secure at the end of the day. In addition, if an auditor must leave working papers in an area where there are no other auditors to guard them, the auditor should cover or lock up the working papers to deter unauthorized access to the working papers.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

270.10
DATE

NEWS MEDIA

5/03/04

Within Internal Auditing, the City Auditor, Chief Internal Auditor or designee is the single point of contact with members of the news media. All inquiries from the press should be referred to the City Auditor, Chief Internal Auditor or designee.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 1

270.15
DATE

FRAUD, ABUSE AND ILLEGAL ACTS

5/03/04

If an auditor is notified of or determines during the performance of an audit that a situation or transaction involves possible fraud, abuse or illegal acts, the auditor should notify the Chief Internal Auditor. Internal Auditing will review the matter to determine the validity and extent of the possible fraud, abuse or illegal act. After obtaining the necessary background information, the Chief Internal Auditor after consultation, if appropriate, with the City Auditor, will determine if the matter should be referred to the Legal Department or other authorities for appropriate investigation.

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

1 of 2

270.20
DATE

ELECTRONIC FILE FORMS INDEX

ALPHABETICAL SUBJECT INDEX Electronic Workpapers Audit Finding Form Budget vs. Actual Condensed Report Template Control Objectives & Techniques Corrective Action Plan (CAP) Detailed Program Form Draft Audit Report Control Engagement Risk Analysis Full-length Report Template General Matters Program Independence Statement Lead Memo Form Report Distribution List Summary of Internal Control Workpaper Approval Form Workpaper Index Control Assessment Papers Agenda Preassess Mtg CA Budget & Due Dates CA Budget vs. Actual CA Control O&T CA Index CA Interview Questions CA Job Start Letter CA Program CA Report Template CA Scope & Objectives CA Workpaper Approval Form Control Framework Evaluation Practice Aids AIC Project Eval Annual Risk Assessment Procedures Conflict of Interest Statement COSO Template Detailed Time Sheet Estimate to Complete Exit Conference Agenda FAX FOCUS form General Matters Co-sourced Guidelines for Responding Interoffice Memo Form Interview Guide Asst Stf Auditor Interview Guide entry lv Interview Guide Sr Interview Guide staff

5/03/04

File Location . . . ./S/AuditFindingForm.doc . . . ./S/BudgetvsActual.xls . . . ./S/CondensedReportTemplate.doc . . . ./S/ControlObjectivesandTechniques.doc . . . ./S/CorrectiveActionPlanCAP.doc . . . ./S/DetailedProgramForm.doc . . . ./S/DraftAuditReportControl.doc . . . ./S/EngagementRiskAnalysis.xls . . . ./S/Full-LengthreportTemplate.doc . . . ./S/GeneralMattersProgram.doc . . . ./S/IndependenceStatement.doc . . . ./S/LeadMemoForm.doc . . . ./S/ReportDistributionList.doc . . . ./S/SummaryofInternalControl.doc . . . ./S/WorkpaperApprovalForm.doc . . . ./S/WorkpaperIndex.xls File Location . . . ./SCA/Agenda-PreassessMtg.doc . . . ./SCA/CABudgetandDueDates.xls . . . ./SCA/CABudgetvsActual.xls . . . ./SCA/CAControlOandT.doc . . . ./SCA/CAIndex.xls . . . ./SCA/CAInterviewQuestions.doc . . . ./SCA/CAJobStartLetter.doc . . . ./SCA/CAProgram.doc . . . ./SCA/CAReportTemplate.doc . . . ./SCA/CAScopeandObjectives.doc . . . ./SCA/CAWorkpaperApprovalForm.doc . . . ./SCA/ControlFrameWorkEvaluation.doc File Location . . . ./PA/AICPrrojectEval.doc . . . ./PA/AnnualRiskAssessmentProcedures.doc . . . ./PA/ConflictofInterestStatement.xls . . . ./PA/COSOTemplate.doc . . . ./PA/DetailedTimeSheet.xls . . . ./PA/EstimatetoComplete.xls . . . ./PA/ExitConferenceAgenda.doc . . . ./PA/FAX.doc . . . ./PA/ZFOCUSfrm.doc . . . ./PA/GeneralMattersCoSourced.doc . . . ./PA/GuidelinesforResponding.doc . . . ./PA/InterOfficeMemoForm.doc . . . ./PA/InterviewGuide-AsstStfAuditor.doc . . . ./PA/InterviewGuide-entrylvl.doc . . . ./PA/InterviewGuide-Sr.doc . . . ./PA/InterviewGuide-Staff.doc

PAGE

POLICY NO.

PROCEDURES
SUBJECT:

2 of 2

270.20
DATE

ELECTRONIC FILE FORMS INDEX (cont.) Practice Aids (cont.)

Job Start Letter Form Last Chance Memo Lead Memo Procedure List of 17 COSO Factors Pre-audit Meeting Agenda Report Cover Review Notes Form Sampling Documentation Form Staff Project Evaluation Time Report Training Summary Form IA-267

5/03/04

File Location
. . . ./PA/JobStartLetterForm.doc . . . ./PA/LastChanceMemo.doc . . . ./PA/LeadMemoProcedure.doc . . . ./PA/Listof17COSOFactors.doc . . . ./PA/Pre-auditMeetingAgenda.doc . . . ./PA/ReportCover.doc . . . ./PA/ReviewNotesForm.xls . . . ./PA/SamplingDocumentationForm.doc . . . ./PA/StfProjectEval.doc . . . ./PA/TimeReport.xls . . . ./PA/TrainingSummaryIA-267.doc