In fulfilling the Internal Audit Plan for Bossier Parish Community College, the Compliance Officer shall prepare a formal report on the scope and results of each audit project performed. This report shall contain an opinion on the adequacy, effectiveness and efficiency of the system of control and the quality of ongoing operations; the degree of compliance with laws and regulations; or an explanation of why an opinion cannot be expressed. It is the OPINION statement within the audit report that communicates Internal Audit’s evaluation of the system of control, and not the specific exceptions detailed in the report. The specific exceptions that appear in the audit report can and do vary widely in terms of significance and exposure that exist in the absence of corrective action. Internal Audit evaluates these exceptions in light of their significance and exposure, weighed against compensating control strengths within a system, and uses the results to formulate and render an OPINION. Therefore, any exception or “weakness in the system of control” must be read within the context of the controlling opinion for the area, with the understanding that the findings are supportive evidence for the type of opinion rendered.
Prior to Writing Report
The auditor shall ensure that the workpapers have been completed, the exception summary prepared, and the review process completed prior to drafting the report.
Discussions with Management Prior To Audit Report Issuance
Exception Procedures during the Examination
As exceptions are noted during the examination, the auditor will bring them to the attention of the responsible auditee staff person. This is done to provide the auditee with an opportunity to clear the matter by explanation and/or providing additional documentation. If the auditee staff person is able to demonstrate that no exception exists, no mention of the matter need be made either at the audit exit conference or in the report. If the matter cannot be cleared during the audit fieldwork and an exception still exists, it will be discussed at the audit exit conference.
Audit Exit Conference
When the audit fieldwork is complete and before the final audit report is issued, the auditor will conduct an exit conference with the manager of the audited entity and any supervisors the manager elects to include in the conference. All exceptions noted during the examination will be discussed. If the auditee staff is able to demonstrate that no exception exists, no mention of the matter will be made in the final audit report. Those items not cleared or which continue to represent exceptions worthy of corrective action will be included as exceptions in the audit report. While relatively insignificant exceptions will be discussed with auditee management, they will not be included in the audit report. Finally, the auditee will be made aware of any portion(s) of the system audited on which the Compliance Officer will express, in the audit report, the opinion that the accounting and administrative procedures did not provide effective control.
Content of Audit Reports
The structure of the audit report will generally include the following elements:
- Cover page
- Cover letter addressed to the Chancellor
- Scope of Examination
- Summary of findings
- Findings and Recommendations
- Auditee’s Responses & Targeted Completion Dates
- Exit Conference
- Management Response
The following describe the purpose and content of each of the above listed elements of the report.
The page identifies the area audited and the date of audit report.
Cover letter addressed to the Chancellor
This will formally notify the Chancellor of completion of the audit work performed and the issuance of the audit report.
Scope of Examination
The “scope of examination” section of the report includes the nature and scope of the audit, the period covered, and a description of the major parts of the audit work. This section will also identify any limitations on the examination.
The “Opinion” section of the report represents the Compliance Officer’s professional judgment as to the overall adequacy of the systems of control within the area audited. The types of opinions rendered shall be as indicated on Exhibit A.
Summary of Findings
This section provides a listing of all of the findings discussed in detail later in the report. This informs the reader quickly as to the nature and scope of the findings dealt with in the report, without a detailed examination of the entire audit report. The section may also include findings disclosing areas with exceptionally good control.
Findings and Recommendations
The “Findings and Recommendations” section includes all major findings, disclosed by the examination procedures. The findings are the facts produced by the auditor’s fieldwork. These represent the foundation upon which the auditor’s opinion, as expressed in the “Opinion” section is based.
Auditee’s Responses and Targeted Completion Dates
The “Auditee Action” section should include management’s procedures and controls that will be implemented to correct audit finding and prevent future exceptions. Targeted Completion Date is the date management anticipates completion of all corrective action.
This section of the report summarizes the pertinent information regarding the Audit Exit Conference. It includes:
- The date the conference was held.
- The persons in attendance and their titles.
- A statement that a summary of the Findings and Recommendations was discussed.
- A statement as to whether general agreement was or was not reached with regard to the need for corrective action.
- The date by which the Division Manager or Department Head should submit a written response on the audit report to the Compliance Officer.
The “Management Response” section is simply a statement indicating that the Auditee Manager has reviewed the audit report and has entered the specific auditee corrective action taken or pending in the appropriate section (“Auditee Action”) of the findings included in the report. The appropriate Manager(s) should sign and date this section on the lines provided.
Audit Report Review And Distribution
After the Audit Exit Conference, the final audit report will be written and reviewed prior to issuance to the Auditee Manager. The “Exit Conference” section of the report contains the date on which the Manager’s written response to the report is due. This will generally be 10 business days after the issuance of the report by the Compliance Officer. When the manager’s response is received by Audit, it will then be sent to the Division Manager for review and signature. The Auditor will also track and follow-up as necessary on audit reports for timely responses and corrective action taken.
Audit Reports Follow-up Procedure
It is the policy of the Audit Department to require TARGETED COMPLETION DATES for all corrective action planned in the auditee report responses. A quarterly status report will include a report on achievement/non-achievement of these goals.
In order to ensure that auditee’s correct critical control weaknesses as promised in responses to audit reports; and in order to limit the college’s exposure as much as possible, the auditor will at the end of each quarter:
- Identify all reports received in the current quarter with outstanding findings, and regardless to Opinion (“Standard”, “Needs Improvement”, “Substandard”, or “NO OPINION”), plus any pending items from the previous quarter.
- Determine the extent of correction of the related findings by auditee management. Obtain satisfactory matter to support auditee actions and so document in audit files.
- If warranted, issue a status report to the Auditee, noting any deficiencies outstanding.
- Prepare a quarterly summary report to the Chancellor of the above results for each applicable report.
AUDIT OPINIONS – QUALITY RATINGS ON THE SYSTEMS OF INTERNAL CONTROL
- OUTSTANDING – The overall system of control meets all of the basic requirements. With perhaps a few exceptions that are relatively minor and infrequent in occurrence, the area is in compliance with sound operating procedures and internal controls. Some risk of loss or exposure may exist, but it is relatively low. In rare cases an asterisk (*) may be assigned to this rating when the systems of control go beyond all requirements, and the area’s compliance with policies and procedures of this system is at or near 100%.
- STANDARD – The systems of control meet most, if not all, of the basic requirements. However, there have been compliance breakdowns that represent departures from sound operating procedures and internal controls. As a result, risk of loss or exposure has been incurred, but this is still at an acceptable level.
- NEEDS IMPROVEMENT – One or both of the two following conditions is present:
- Some of the systems of control do not meet established standards and/or do not represent sound operating procedures.
- There have been a substantial number of compliance breakdowns.
As a result of one or both of the conditions mentioned above, risk of loss or exposure is relatively high. Corrective action should be stressed, as some improvement is needed.
- SUBSTANDARD – The established systems of control do not meet the minimum requirements in most or all cases. In addition, there have been numerous exceptions to sound operating procedures and internal controls. Risk of loss and exposure in internal fraud and/or theft is very high. Immediate corrective action is necessary.
- NO OPINION – The scope of the examination has been so severely limited by external factors that it was not possible to gather sufficient competent evidential matter on which to base an opinion. This rating should be an extreme rarity, but could occur if: (1) the auditee refused to submit financial or other records to be audited; (2) the records were in such poor condition that an audit was not possible; or (3) the records had been altered or destroyed.