What is the difference between internal and external auditors?
External auditors:
- Objectives are set primarily by statute (Section 218.39, Florida Statutes and the Rules of the Auditor General) and their primary client, the City Commission
- Primary mission is to provide an independent opinion on the organization's financial statements, annually
- Materiality threshold is driven mainly by extent of financial impact
Internal auditors:
- Objectives determined by professional standards, risk analysis, and clients
- Clients are management and the City Commission
- Concerned with all aspects of the organization, both financial and non-financial, and prevention of fraud; focus is on:
  - Whether organizational goals and objectives are met
  - Effectiveness and efficiency of operations
  - Reliability and integrity of financial and operational information
  - Safeguarding of assets
  - Compliance with laws, regulations, and contracts
- Materiality threshold is driven by non-financial and financial exposure to the organization (ethics, publicity, etc.)
At what point does an audit report become public record?
Section 119.0713(2), Florida Statutes, states:
The audit report of an internal auditor prepared for or on behalf of a unit of local government becomes a public record when the audit becomes final. As used in this subsection, the term “unit of local government” means a county, municipality, special district, local agency, authority, consolidated city-county government, or any other local governmental body or public body corporate or politic authorized or created by general or special law. An audit becomes final when the audit report is presented to the unit of local government. Audit work papers and notes related to such audit report are confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution until the audit is completed and the audit report becomes final.
At the City of Sarasota, upon completion of audit fieldwork, auditors prepare a draft report for management. Management is then permitted 30 days to respond to the report. Once responses are returned to auditors, they are integrated into the report and the report is finalized and distributed to the City Commission and management in its final form. It is at this distribution point that the audit becomes final and is considered public record.
How can Departments prepare for an audit?
Departments should view audits as a learning experience and an opportunity to enhance their operations. The internal auditors are in place to act as consultants by providing independent assessments of a variety of functional areas. These assessments can benefit both staff and management, as departments may not have the resources or time to review all departmental areas or to perform testing as in-depth as that provided by Internal Audit.
To best prepare for an audit, department directors should:
- Notify staff of the upcoming audit and request full cooperation,
- Advise staff to provide the auditors with full access to records and be available to answer questions, and
- Assign a key department contact person (and a back-up person) for the audit.
Internal Audit staff will work with staff and management to accommodate the department or staff’s peak work periods to ensure minimal disruption to key City business.
How are audits selected?
Areas are selected for audit based on their respective levels of risk, which are determined as part of the City’s annual Risk Assessment. Any department, division, business process, or other area may be selected for an audit. Some factors used to identify high-risk areas are:
- Complexity of the department, volume of transactions, etc.
- Financial exposure
- Significant changes within the department/division
- Time since last audit, results of previous audits
- Suspicion of current or past fraud/theft, ethics violations, or conflicts of interest
Audits may also be scheduled based on requests received from management, Charter Officials, and/or City Commissioners. Requests are evaluated by staff and, if they represent areas of significant risk, are included in the audit schedule.
Follow-up audits are also routinely scheduled to determine whether recent audit recommendations have been sufficiently implemented.
What happens during an audit?
The typical audit includes the following phases:
Phase 1: Planning
This phase is performed in advance of the on-site work and usually does not require substantial departmental involvement. Audit staff reviews any past audit work, information on the area selected for audit, and statistical or financial information. Auditors also prepare the audit program, which lays out a roadmap for how and when the audit will be conducted.
Phase 2: Audit Entrance Meeting/Preliminary Audit Survey
A formal audit entrance meeting is held to introduce the audit team and discuss the upcoming audit work and audit process. During this meeting, management can request any additional areas that they would like to see reviewed as part of the audit. Timeframes for audit steps, objectives, and logistics (facilities, availability of personnel, primary contacts, etc.) are established at this time.
Auditors gather information and enhance their understanding of key business processes by conducting interviews, observing departmental procedures, performing process walkthroughs, and flowcharting processes. The results of the work done during this phase determine the amount of additional testing to be performed.
Phase 3: Fieldwork and Testing
Fieldwork may include testing transactions, procedures, administrative or managerial functions, automated systems or technology used, and various other areas specific to each department/business process audited. This is the longest phase of the audit and normally takes up about fifty percent of the audit time budget.
If the auditors find anything during testing that may be included in a report, it is analyzed and discussed with staff/management of the area under review. This ensures that all information necessary to understand the item is obtained and that inaccurate conclusions are avoided.
Phase 4: Reporting
Upon conclusion of the fieldwork, internal auditors prepare a draft report for the department director to review and respond to. Responses should be brief and limited to the observations. All responses must include the following:
- Concur or Do not concur: Departments should indicate “Concur” if they agree with the audit observation that there is an area that needs to be corrected, or “Do not concur” if they do not agree that any correction is necessary and provide further explanation. “Do not concur” responses are extremely rare, as the parties normally strive to reach consensus during the fieldwork phase.
- Action to be taken: This must state specifically how the observation will be addressed.
- Estimated Completion Date: This answer must contain a month, day and year that the observation is expected to be addressed. It is management’s best estimate of completion date at the audit report date and may be changed on later updates.
Once audit responses are reviewed, approved and incorporated into the report, the final audit report is distributed to management and the City Commission. Final reports are public records and are posted on the Internal Audit web page.
Phase 5: Follow-up
Depending on the nature of the audit or the audit findings, a follow-up audit or other limited review may be scheduled at a future date.
Who gets audited?
All City departments/divisions and business processes under the supervision of each of the three Charter Officials are eligible to be audited. Outside entities and vendors may also be audited in conjunction with City business.