Chapter 5

Planning the Audit Engagement

A. Purpose for Planning the Engagement

Engagement planning is performed to provide a means for developing an understanding of the business objectives of the auditee, the methods used to achieve those objectives, the risks associated with those methods, and the controls implemented by management to mitigate those risks and provide assurance of achieving the desired objectives. The understanding developed of the auditee allows the auditor to identify significant audit objectives and to prepare an audit program that tests significant controls and operations. The audit planning process should consider the needs of potential report users, significance of the programs to be audited, the potential for fraud, abuse or significant violations of legal and regulatory requirement, results of prior audits and the availability of data that could be used as audit evidence. B. Determination of Preliminary Audit Objectives and Assignment of Staff

The Internal Auditor and Audit Manager will establish preliminary audit objectives based on the annual audit plan and any other information available prior to assigning appropriate staff to the engagement. The preliminary objectives will be discussed with the Lead Auditor prior to commencing the engagement and will form the basis for the audit planning effort. C. Preliminary Planning

Preliminary engagement planning begins shortly before the entrance conference with the auditee and continues through a review with audit management at which proposed audit objectives are determined. The primary focus of this phase of planning is completion of the Risk Matrix presented in Chapter 3. The Risk Matrix supports the identification of various business objectives with their associated methods, risks and controls which are necessary to finalize audit objectives. Prior to the entrance conference the auditor should review the annual budget, semi-annual reports and prior audits relative to the auditee to get a general idea of the nature of the operations of the auditee. Most of the effort in preliminary planning will be on interviewing appropriate officials to complete the Risk Matrix. The interview should solicit input from each official as to as many elements of the Risk Matrix as the official can address. They should tell us what their objectives are, how they accomplish them and what risks and controls they have identified and implemented. We may need to direct them in this by guiding the interview. The officials should identify to us what policies, procedures, rules and

Chapter 5 - Page 1 of 5

regulations are applicable to them. This helps us determine criteria for evaluating auditee performance. At this point in planning we are attempting to establish that there are criteria in place without studying those criteria. The auditor will also develop background information relative to the purpose, size and complexity of the auditee for inclusion in the audit report. This should require little, if any, documentation other than that described above. The preliminary planning process ends with a conference with audit management to go over the completed Risk Matrix and audit objectives proposed by the auditor. During this conference we will discuss the information gathered and presented in the Risk Matrix, evaluate the proposed audit objectives, and consider how, if at all, fraud, waste and abuse may be possible relative to the proposed audit objectives. The result of the conference is approval of audit objectives and authorization to continue to the detailed planning phase of the engagement. The planning conference should occur no later than the 4th or 5th day of in-field work. The Lead Auditor should request a planning conference as soon as preliminary planning has been completed but not later than the 5th day of in-field work. Documentation required for the planning conference consists of interview notes and the completed Risk Matrix. Subsequent to the planning conference the auditor will prepare and submit a planning memo containing a background narrative, a summary of the discussion of fraud, waste and abuse, and the agreed upon audit objectives. The planning memo should be submitted along with the audit program. This documentation will remain with the audit work papers and will provide evidence of planning as required by the GAS. D. Detailed Audit Planning

After approval of the audit objectives resulting from the preliminary planning process, the Lead Auditor will develop additional information regarding the specific objectives identifying and evaluating relevant criteria such as policies, procedures, contracts and regulations; identifying potentially auditable records for availability, nature and volume; and finally determining specific audit procedures to be used to gather and evaluate evidence. The audit program is based on the specific audit objectives approved at the planning conference. The audit program establishes the work to be done to achieve the stated audit objectives. Field work on the audit will not begin until the audit program has been approved by audit management. The approved program may be modified if conditions warrant subject to approval by audit management. The audit program will contain the following material: Audit Objectives Audit Scope Audit Methodology (including a sampling plan if some type of audit sampling is proposed)

Chapter 5 - Page 2 of 5

Detailed audit plan Audit Time budget Milestone dates for completion of key elements of the audit program and preparation of the discussion draft

Each audit program will be unique in that each audit will have different objectives and will be conducted in a different environment. Every audit program is similar in that each audit is focused on gathering evidence to satisfy audit objectives and providing information to develop audit findings and an audit report. Audit Objectives are specific statements about some aspect of a particular subject. The audit objectives must be clearly stated, specific, capable of being evaluated by the available audit evidence, sufficient to render an audit opinion and likely to result in a useful audit report. For example: The overall audit objective will be: Did the Criminal Justice Commission (CJC) administer the LLEBG grant in accordance with County regulations and Federal grant requirements? Specifically, did the CJC ensure that: Projects proposed to the BCC for funding met eligibility requirements? Revisions to project funding were approved by appropriate authority as required in County-wide procedures? Selected expenditures of LLEBG funds were allowable, allocable, and reasonable as provided in Office of Management and Budget Circular A-87? Federal reporting requirements were complied with? Project purposes were achieved? Audit Scope refers to the limits established for the audit such as: a particular period of time; a specific process, system or organizational unit; whether the audit is financial, attestation or performance; or other statements conveying an understanding of what was examined and what was not. For example: Scope statement - AThe scope of our audit will be all construction contracts awarded during fiscal year 2007. Audit Methodology refers to the data gathering and analytical methods the auditor plans to use. There should be a clear relationship between the audit methodology used and the audit objectives supporting the appropriateness of the selected methodology. For example: To test the reasonableness of M/WBE statistics used in reporting, we will take statistical samples of data reported to OSBA by Contract Development and Control (CDC) and the Procurement Department. The statistical sample will be based on an expected error rate of 2% with a 4% deviation rate for a population of approximately 5,000 items.

Chapter 5 - Page 3 of 5

We will also review all adjustments made to this reported data by OSBA to determine their appropriateness and accuracy. To evaluate OSBAs compliance effort, we will review a judgmentally selected sample of 20 project files maintained by OSBA (out of a total of 200 project files) and test for completeness in compliance with departmental PPMs. We will also review a judgmentally selected sample of 20 inspection reports prepared by OSBA on field visits to contractor sites to determine the quality control procedures performed.

The Detailed Audit Plan identifies the audit objectives and sub-objectives and the steps needed to gather and evaluate audit evidence to support conclusions on the audit objectives. Each step of the audit plan is to be initialed and dated by the auditor who completes the work. The detailed audit plan is prepared by the Lead Auditor following approval of the proposed audit objectives at the planning conference. The audit plan is specific to each engagement and is written to address the established audit objectives. The audit plan may be revised during the engagement should circumstances warrant subject to approval by audit management. If a revision to the audit plan is approved a revision to the audit time budget will also be considered and approved by audit management if necessary. The auditor is expected to perform only audit work included in the approved audit program. Any deviation from the approved audit program must be approved by audit management. The Audit Time Budget establishes the beginning estimate of the amount of work necessary to satisfy the audit objectives. Formulation of a reasonable time budget requires an understanding of the audit objectives, knowledge of the types of data available, and an understanding of the methods and techniques that can be used to gather and analyze audit evidence. The auditor Lead Auditor of the engagement is responsible for preparing the time budget which must be approved by audit management. The time budget may be modified during the course of the engagement when circumstances warrant with approval of audit management. Audit milestone dates establish an expectation of when key aspects of the engagement will be completed. These dates are established giving consideration to the audit time budget and expected staff and auditee availabilities. The auditor Lead Auditor of the engagement is responsible for preparing the milestone dates which must be approved by audit management. The milestone dates may be modified during the course of the engagement when circumstances warrant with approval of audit management.

Chapter 5 - Page 4 of 5

Engagement Planning Audit Program

1. Meet with audit management to discuss preliminary focus and concept for engagement. 2. Conduct preliminary research to develop introductory familiarization with auditee. 3. Hold entrance conference with auditee. 4. Conduct interviews with auditee personnel to develop understanding of their operating environment including: goals and objectives; methods and risks; and controls being used. 5. Document the understanding from step 4 above by completing the Risk Matrix. 6. Meet with audit management to review results from steps 4 and 5, and determine specific audit objectives for the engagement. 7. Conduct additional interviews with auditee personnel and review specific documentation relative to controls and performance to support development of a specific audit program to answer the specific audit objectives. 8. Document results of step 6 and 7 in a Planning Memo and an Audit Program for the engagement. 9. Meet with audit management to gain approval of final audit program and planning memo.

Chapter 5 - Page 5 of 5