BOARD OF EDUCATION OF BALTIMORE COUNTY OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL INTERNAL AUDIT OPERATIONS MANUAL

(1)

BOARDOFEDUCATIONOFBALTIMORECOUNTY OFFICE OF INTERNAL AUDIT -OPERATIONS MANUAL

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL

BOARD OF EDUCATION OF BALTIMORE COUNTY

INTERNAL AUDIT

OPERATIONS MANUAL

(2)

OFFICE OF INTERNAL AUDIT -OPERATIONS MANUAL

BACKGROUND

The Office of Internal Audit – Operations Manual was developed to be used as a guide and resource for the Office of Internal Audit staff. The manual contains information, standards, processes and procedures regarding:

• The audit profession;

• The relationship between the Office of Internal Audit, the Board of Education and Baltimore County Public Schools;

• Audit policies overview;

• The planning and performance of audits;

• Resources, staffing and development; and,

• General office procedures.

The Essentials: An Internal Audit Operations Manual, issued by the Institute of Internal Auditors, was used as a basis for the Office of Internal Audit’s Operations Manual. In addition, the existing office standards and procedures were incorporated into this Operations Manual.

The Institute of Internal Auditors Manual titled, Essentials: An Internal Audit Operations Manual, is an extensive compilation of resource material for internal auditors looking to improve their operations through creating or updating their own manual, policies, procedures, and practices. Essentials: An Internal Audit Operations Manual represents contemporary practices as employed by our profession. Additionally, the processes throughout the manual incorporate a quality assurance and improvement program that is designed to help add value and improve the organization’s operations.

This Operations Manual was adopted October 2012

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL

(3)

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL TOC-1

TABLE OF CONTENTS Glossary of Acronyms

Document Title ... Standard

SECTION A: Internal Audit Profession

A-1 The Institute of Internal Auditors ... 1200 A-2 The Professional Practices Framework ... 1200 A-3 The Definition of Internal Auditing ... 1000

A-4 The Institute of Internal Auditors Code of Ethics ... Code of Ethics A-5 The International Standards for the

Professional Practice of Internal Auditing ... All

SECTION B: BCPS, Internal Audit, and the Baltimore County Board of Education B-1 Relationships of Internal Audit to BOE and BCPS

B-2 Internal Audit organization chart B-3 Operations Protocol

B-4 Reporting Protocol

SECTION C: Internal Audit Policy and Overview

C-1 Management of Internal Controls ... 1000, 2100 C-2 Audit Policy ... 1000, 2100 C-3 Vision, Mission, and Value Statements ... 2100 C-4 Internal Audit Charter ... 1000

C-5 Objectivity ... 1120,

Code of Ethics

C-6 Due Professional Care ... 1220 C-7 Personal Conduct, Objectivity, and Confidentiality ... 1120 C-8 Reports for the Audit Committee ... 2020, 2060

SECTION D: Planning and Performance

D-1 Internal Audit Risk Assessment/Annual Audit Planning ... 2010 D-1-1 Risk Assessment Example ... 2010 D-1-2 Risk Assessment Form ... 2010 D-2 Audit Objectives and Planning ... 2000, 2200 D-2-1 Audit Objectives and Planning Form ... 2210 D-2-2 Audit File Record Form ... 2000 D-3 Preliminary Survey ... 2201, 2210,

2220, 2300

D-3-1 Preliminary Survey Techniques ... 2300 D-4 Flowcharting Documentation Standards ... 2300

D-5 Audit Program ... 2240 D-6 Marketing the Internal Audit Activity: An Internal

Audit Customer's Introduction to Internal Auditing ... 2000 D-7 Entrance Conference ... 2400 D-8 Evaluating Internal Controls ... 2300 D-8-1 Sampling Guidance

D-9 Attributes of a Well-developed Audit Finding ... 2410, 2420 D-9-1 Audit Finding Form ... 2410, 2420

(4)

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL TOC-2

Document Title ... Standard

D-10 Internal Audit Workpapers ... 2300

D-11 Internal Audit Workpaper Review Checklist ... 2340

D-11-1 Internal Audit Workpaper Review Checklist Form ... 2340

D-11-2 Technical Review Comments Form ... 2340

D-11-3 Supervisory Review Comments Form ... 2340

D-12 Security and Control of Workpapers ... 2340

D-13 Exit Conference ... 2400

D-14 Internal Audit Reports ... 1330, 2400 D-14-1 Internal Audit Report Status Monitor ... 2400

D-14-2 Auditor’s Opinion in an Audit Report D-15 Internal Audit Follow-up ... 2500

D-15-1 Internal Audit Follow-up Form ... 2500

D-16 Project Checklist and Audit Considerations ... 2300

D-17 Internal Audit Customer Survey Criteria 1300 D-17-1 Internal Audit Customer Survey Form 1300

D-18 Project Evaluation and Team Appraisals ... 1300, 2200, 2340 D-18-1 Project Evaluation and Team Appraisal Form ... 1300, 2200, 2340 D-19 Reporting on Other Than Audit Assignments... 2400

D-19-1 Reporting on Other Than Audit Assignments Form ... 2400

D-20 Internal Audit Data Backups ... 2300

D-21 Internal Auditor's Right to a Third Opinion ... 2300

D-22 Fraud/Irregularities/Investigations ... 1210.A2 D-23 Oversight of Contracted / Co-sourced Resources ... 1210,2030,2340 D-24 Coordination with External Auditors ... 2050

SECTION E: Resources, Staffing, and Development E-1-1 Chief Audit Executives ... 2000

E-1-2 Internal Audit Manager ... 1210, 2030 E-1-3 Auditor In-Charge ... 1210, 2030 E-1-4 Staff Internal Auditor ... 1210, 2030 E-1-5 Audit Intern ... 1210, 2030 E-2 Orientation Program ... 1200

E-2-1 New Employee Checklist ... 1200

E-3 Staff Rotation Policy ... 2030

E-4 Policy on Professional Certification, Organizations, and Meetings ... 1230

E-5 Evaluation/Performance Appraisals ... 2000

E-5-1 Performance Appraisal Report - Project ... 2000

SECTION F: General Office Administration F-1 Internal Audit Schedule and Assignments ... 2010

F-2 Working Conditions F-2-1 Leave Request Form F-3 Flextime F-3-1 Flextime Request Form F-4 Telework Agreement F-4-1 Telework Agreement Form F-5 Internal Audit Time Reports ... 2000 F-6 System Administrator

(5)

GLOSSARY OF ACRONYMS

AICPA – American Institute of Certified Public Accountants BCPS – Baltimore County Public Schools

BOE – Board of Education

CAATs – Computer Assisted Auditing Techniques CAE – Chief Audit Executives

CAFR – Comprehensive Annual Financial Report

CASE – Council of Administrative and Supervisory Employees CCSA – Certification in Control Self-Assessment

CFE – Certified Fraud Examiner CFO – Chief Financial Officer

CFSA – Certified Financial Services Auditor

CGAP – Certified Government Auditing Professional CIA – Certified Internal Auditor

COSO – Committee of Sponsoring Organizations CPA – Certified Public Accountant

EAMP – Employee Attendance Monitoring Program ERM – Enterprise Risk Management

ESPBC – Education Support Professionals of Baltimore County GAAP – Generally Accepted Accounting Principles

GAAS – Generally Accepted Auditing Standards GAO – Government Accountability Office

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL page i

(6)

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL page ii

GASB – Governmental Accounting Standards Board IIA – Institute of Internal Auditors

IPPF – International Professional Practices Framework IT – Information Technology

REF – Risk Evaluation Factor SAF – School Activity Funds TM – Timelog Manager

(7)

OFFICE OF INTERNAL AUDIT

OPERATIONS MANUAL

SECTION A

INTERNAL AUDIT PROFESSION

(8)

OFFICE OF INTERNAL AUDIT -OPERATIONS MANUAL A-1

THE INSTITUTE OF INTERNAL AUDITORS

The Institute of Internal Auditors (IIA), established in 1941, is a global professional association dedicated to the continuing professional development of the individual internal auditor and the internal audit profession. The IIA serves over 140,000 members in internal auditing, governance and internal control, IT, audit education, and security in more than 165 countries. The IIA stewards and promulgates the International Standards for the Professional Practice of Internal Auditing and is the profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator:

advocating its value, promoting best practice, and providing exceptional service to its members.

The IIA’s Mission

The mission of the IIA is to provide dynamic leadership for the global profession of internal auditing. Activities in support of this mission will include, but will not be limited to:

• Advocating and promoting the value that internal audit professionals add to their organizations;

• Providing comprehensive professional educational and development opportunities; standards and other professional practice guidance; and certification programs;

• Researching, disseminating, and promoting to practitioners and stakeholders knowledge concerning internal auditing and its appropriate role in control, risk management, and governance;

• Educating practitioners and other relevant audiences on best practices in internal auditing; and

• Bringing together internal auditors from all countries to share information and experiences.

Click here to link to a history of The IIA. This link will take you to The IIA’s Web site.

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL Page A-1.1

(9)

BOARDOFEDUCATIONOFBALTIMORECOUNTY

THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK The International Professional Practices Framework (IPPF), developed and maintained by The IIA, offers practitioners a full range of internal audit guidance. A new version of the framework, the International Professional Practices Framework (IPPF), was approved by The IIA's Board of Directors in July 2007.

In general, the framework provides a structural blueprint of how a body of knowledge and guidance fit together. As a coherent system, it facilitates consistent development, interpretation, and application of concepts, methodologies, and techniques useful to the profession. The overall purpose of the IPPF is to organize internal audit guidance in a manner that is readily accessible on a timely basis. By encompassing current internal audit practice, the IPPF is intended to assist practitioners throughout the world in being responsive to the expanding market for high quality internal audit services.

The IPPF will take the following format:

Definition Statement of fundamental purpose, nature, and scope of internal auditing.

Code of Ethics

Statement of principles and expectations governing behavior of individuals and organizations in the conduct of internal auditing.

Description of minimum requirements for conduct. Describes behavioral expectations rather than specific activities.

International Standards for the Professional Practice of Internal Auditing

Provides guidance for the conduct of internal auditing at both the organizational and individual auditor levels.

Attribute Standards

Standards that address the characteristics of organizations and individuals performing internal audit services.

Performance Standards

Standards that describe the nature of internal audit services and provide quality criteria against which the performance of these services can be measured.

The Attribute and Performance Standards apply to all internal audit services. The Implementation Standards expand upon the Attribute and Performance Standards, providing guidance applicable in specific types of engagements. These standards ultimately may deal with industry-specific, regional, or specialty types of audit services.

Position IIA statements to assist a wide range of interested parties, including

(10)

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL Page A-2.2 Papers those not in the internal audit profession, in understanding

significant governance, risk or control issues and delineating the related roles and responsibilities of the internal audit profession.

Practice Advisories

Address approach, methodology and considerations, but not detailed processes and procedures. Concise and timely guidance to assist internal auditors in applying Code of Ethics and Standards and promoting good practices. Includes practices relating to:

international, country, or industry specific issues; specific types of engagements; and legal or regulatory issues.

Practice Guides

Detailed guidance for conducting internal audit activities. This includes detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, including examples of deliverables.

(11)

THE DEFINITION OF INTERNAL AUDITING Per the IIA, the definition of internal auditing is as follows:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

(12)

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL Page A-4.1 THE INSTITUTE OF INTERNAL AUDITORS

CODE OF ETHICS Introduction

The purpose of the IIA Code of Ethics is to promote an ethical culture in the profession of internal auditing. A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk management, control, and governance. The IIA’s Code of Ethics extends beyond the definition of internal auditing (see A-3) to include two essential components:

1. Principles that are relevant to the profession and practice of internal auditing;

2. Rules of conduct that describe behavior norms expected of internal auditors. These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors.

The IIA’s Code of Ethics, together with its International Professional Practices Framework and other relevant IIA pronouncements, provide guidance to internal auditors serving others. "Internal auditors" refers to IIA members, recipients of or candidates for IIA professional certifications, and those who provide internal audit services within the definition of internal auditing (see A-3).

Applicability and Enforcement

The IIA’s Code of Ethics applies to both individuals and entities that provide internal audit services.

For IIA members and recipients of or candidates for IIA professional certifications, breaches of The IIA’s Code of Ethics will be evaluated and administered according to The IIA’s Bylaws and Administrative Directives (can be accessed on www.theiia.org).

The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being unacceptable or discreditable, and, therefore, the member, certification holder, or candidate can be liable for disciplinary action.

Principles

Internal auditors are expected to apply and uphold the following principles:

Integrity

The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.

(13)

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL Page A-4.2 Objectivity

Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.

Confidentiality

Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

Competency

Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.

Rules of Conduct 1. Integrity

Internal auditors:

1.1 Shall perform their work with honesty, diligence, and responsibility.

1.2 Shall observe the law and make disclosures expected by the law and the profession.

1.3 Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.

1.4 Shall respect and contribute to the legitimate and ethical objectives of the organization.

2. Objectivity Internal auditors:

2.1 Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.

2.2 Shall not accept anything that may impair or be presumed to impair their professional judgment.

2.3 Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

(14)

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL Page A-4.3 3. Confidentiality

Internal auditors:

3.1 Shall be prudent in the use and protection of information acquired in the course of their duties.

3.2 Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

4. Competency Internal auditors:

4.1 Shall engage only in those services for which they have the necessary knowledge, skills, and experience.

4.2 Shall perform internal auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing.

4.3 Shall continually improve their proficiency and the effectiveness and quality of their services.

(15)

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL Page A-5.1 THE INTERNATIONAL STANDARDS FOR THE

PROFESSIONAL PRACTICE OF INTERNAL AUDITING

Throughout the world, internal audit activities are performed in diverse legal and cultural environments; within organizations that vary in purpose, size, and structure; and by persons within or outside the organization. These differences may affect the practice of internal auditing in each environment. However, compliance with the International Standards for the Professional Practice of Internal Auditing (Standards) is essential if the responsibilities of internal auditors are to be met.

The purpose of the Standards is to:

1. Delineate basic principles that represent the practice of internal auditing as it should be.

2. Provide a framework for performing and promoting a broad range of value-added internal audit activities.

3. Establish the basis for the measurement of internal audit performance.

4. Foster improved organizational processes and operations.

ATTRIBUTE STANDARDS

1000 – Purpose, Authority, and Responsibility

The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board.¹

1000.A1 – The nature of assurance services provided to the organization should be defined in the audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances should also be defined in the charter

1000.C1 – The nature of consulting services should be defined in the audit charter.

1100 – Independence and Objectivity

The internal audit activity should be independent, and internal auditors should be objective in performing their work.

1110 – Organizational Independence

1When used in these Standards, the term “board” is an organization's governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a non- profit organization, or any other designated body of the organization, including the audit committee, to whom the chief audit executive may functionally report.

(16)

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL Page A-5.2 The chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.

1110.A1 – The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results.

1120 – Individual Objectivity

Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.

1130 – Impairments to Independence or Objectivity

If independence or objectivity is impaired in fact or appearance, the details of the impairment should be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

1130.A1 – Internal auditors should refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an auditor provides assurance services for an activity for which the auditor had responsibility within the previous year.

1130.A2 – Assurance engagements for functions over which the chief audit executive has responsibility should be overseen by a party outside the internal audit activity.

1130.C1 – Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.

1130.C2 – If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure should be made to the engagement client prior to accepting the engagement.

1200 – Proficiency and Due Professional Care

Engagements should be performed with proficiency and due professional care.

1210 – Proficiency

Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

1210.A1 – The chief audit executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.

(17)

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL Page A-5.3 1210.A2 – The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

1210.A3 – Internal auditors should have knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

1210.C1 – The chief audit executive should decline the consulting engagement or obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1220 – Due Professional Care

Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

1220.A1 – The internal auditor should exercise due professional care by considering the:

• Extent of work needed to achieve the engagement's objectives.

• Relative complexity, materiality, or significance of matters to which assurance procedures are applied.

• Adequacy and effectiveness of risk management, control, and governance processes.

• Probability of significant errors, irregularities, or noncompliance.

• Cost of assurance in relation to potential benefits.

1220.A2 – In exercising due professional care the internal auditor should consider the use of computer-assisted audit tools and other data analysis techniques

1220.A3 - The internal auditor should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

1220.C1 – The internal auditor should exercise due professional care during a consulting engagement by considering the:

• Needs and expectations of clients, including the nature, timing, and communication of engagement results.

(18)

• Relative complexity and extent of work needed to achieve the engagement’s objectives.

• Cost of the consulting engagement in relation to potential benefits.

1230 – Continuing Professional Development

Internal auditors should enhance their knowledge, skills, and other competencies through continuing professional development.

1300 – Quality Assurance and Improvement Program

The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. This program includes periodic internal and external quality assessments and ongoing internal monitoring. Each part of the program should be designed to help the internal auditing activity add value and improve the organization's operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics.

1310 – Quality Program Assessments

The internal audit activity should adopt a process to monitor and assess the overall effectiveness of the quality program. The process should include both internal and external assessments.

1311 – Internal Assessments Internal assessments should include:

• Ongoing reviews of the performance of the internal audit activity;

and

• Periodic reviews performed through self-assessment or by other persons within the organization, with knowledge of internal auditing practices and the Standards.

1312 – External Assessments

External assessments should be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The potential need for more frequent external assessments as well as the qualifications and independence of the external reviewer or review team, including any potential conflict of interest, should be discussed by the CAE with the Board. Such discussions should also consider the size, complexity and industry of the organization in relation to the experience of the reviewer or review team.

1320 – Reporting on the Quality Program

The chief audit executive should communicate the results of external assessments to the board.

(19)

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL Page A-5.5 1330 – Use of “Conducted in Accordance with the Standards”

Internal auditors are encouraged to report that their activities are “conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.” However, internal auditors may use the statement only if assessments of the quality improvement program demonstrate that the internal audit activity is in compliance with the Standards.

1340 – Disclosure of Noncompliance

Although the internal audit activity should achieve full compliance with the Standards and internal auditors with the Code of Ethics, there may be instances in which full compliance is not achieved. When noncompliance impacts the overall scope or operation of the internal audit activity, disclosure should be made to senior management and the board.

PERFORMANCE STANDARDS

2000 – Managing the Internal Audit Activity

The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization.

2010 – Planning

The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals.

2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process.

2010.C1 – The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Those engagements that have been accepted should be included in the plan.

2020 – Communication and Approval

The chief audit executive should communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and to the board for review and approval. The chief audit executive should also communicate the impact of resource limitations.

2030 – Resource Management

The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

(20)

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL Page A-5.6 2040 – Policies and Procedures

The chief audit executive should establish policies and procedures to guide the internal audit activity.

2050 – Coordination

The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

2060 – Reporting to the Board and Senior Management

The chief audit executive should report periodically to the board and senior management on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management.

2100 – Nature of Work

The internal audit activity should evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.

2110 – Risk Management

The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.

2110.A1 – The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system.

2110.A2 – The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:

• Reliability and integrity of financial and operational information.

• Effectiveness and efficiency of operations.

• Safeguarding of assets.

• Compliance with laws, regulations, and contracts.

2110.C1 – During consulting engagements, internal auditors should address risk consistent with the engagement’s objectives and should be alert to the existence of other significant risks.

2110.C2 – Internal auditors should incorporate knowledge of risks gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

(21)

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL Page A-5.7 2120 – Control

The internal audit activity should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. This should include:

• Reliability and integrity of financial and operational information.

• Effectiveness and efficiency of operations.

• Safeguarding of assets.

• Compliance with laws, regulations, and contracts.

2120.A2 – Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.

2120.A3 – Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.

2120.A4 – Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria.

2120.C1 – During consulting engagements, internal auditors should address controls consistent with the engagement’s objectives and be alert to the existence of any significant control weaknesses.

2120.C2 – Internal auditors should incorporate knowledge of controls gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

2130 – Governance

The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

• Promoting appropriate ethics and values within the organization.

(22)

• Ensuring effective organizational performance management and accountability.

• Effectively communicating risk and control information to appropriate areas of the organization.

• Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.

2130.A1 – The internal audit activity should evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs and activities.

2130.C1 – Consulting engagement objectives should be consistent with the overall values and goals of the organization.

2200 – Engagement Planning

Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing and resource allocations.

2201 – Planning Considerations

In planning the engagement, internal auditors should consider:

• The objectives of the activity being reviewed and the means by which the activity controls its performance.

• The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.

• The adequacy and effectiveness of the activity’s risk management and control systems compared to a relevant control framework or model.

• The opportunities for making significant improvements to the activity’s risk management and control systems.

2201.A1 - When planning an engagement for parties outside the organization, internal auditors should establish a written understanding with them about objectives, scope, respective responsibilities and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records.

2201.C1 – Internal auditors should establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding should be documented.

2210 – Engagement Objectives

(23)

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL Page A-5.9 Objectives should be established for each engagement.

2210.A1 – Internal auditors should conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives should reflect the results of the risk assessment.

2210.A2 – The internal auditor should consider the probability of significant errors, irregularities, noncompliance, and other exposures when developing the engagement objectives.

2210.C1 – Consulting engagement objectives should address risks, controls, and governance processes to the extent agreed upon with the client.

2220 – Engagement Scope

The established scope should be sufficient to satisfy the objectives of the engagement.

2220.A1 – The scope of the engagement should include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.

2220.A2 - If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.

2220.C1 – In performing consulting engagements, internal auditors should ensure that the scope of the engagement is sufficient to address the agreed- upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations should be discussed with the client to determine whether to continue with the engagement.

2230 – Engagement Resource Allocation

Internal auditors should determine appropriate resources to achieve engagement objectives. Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.

2240 – Engagement Work Program

Internal auditors should develop work programs that achieve the engagement objectives. These work programs should be recorded.

(24)

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL Page A-5.10 2240.A1 – Work programs should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement.

The work program should be approved prior to the commencement of work, and any adjustments approved promptly.

2240.C1 – Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement.

2300 – Performing the Engagement

Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.

2310 – Identifying Information

Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives.

2320 – Analysis and Evaluation

Internal auditors should base conclusions and engagement results on appropriate analyses and evaluations.

2330 – Recording Information

Internal auditors should record relevant information to support the conclusions and engagement results.

2330.A1 – The chief audit executive should control access to engagement records. The chief audit executive should obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.

2330.A2 – The chief audit executive should develop retention requirements for engagement records. These retention requirements should be consistent with the organization’s guidelines and any pertinent regulatory or other requirements.

2330.C1 – The chief audit executive should develop policies governing the custody and retention of engagement records, as well as their release to internal and external parties. These policies should be consistent with the organization’s guidelines and any pertinent regulatory or other requirements.

2340 – Engagement Supervision

Engagements should be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.

(25)

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL Page A-5.11 2400 – Communicating Results

Internal auditors should communicate the engagement results.

2410 – Criteria for Communicating

Communications should include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans.

2410.A1 – Final communication of engagement results should, where appropriate, contain the internal auditor's overall opinion and or conclusions.

2410.A2 – Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications.

2410.C1 – Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client.

2420 – Quality of Communications

Communications should be accurate, objective, clear, concise, constructive, complete, and timely.

2421 – Errors and Omissions

If a final communication contains a significant error or omission, the chief audit executive should communicate corrected information to all individuals who received the original communication.

2430 – Engagement Disclosure of Noncompliance with the Standards

When noncompliance with the Standards impacts a specific engagement, communication of the results should disclose the:

• Standard(s) with which full compliance was not achieved,

• Reason(s) for noncompliance, and

• Impact of noncompliance on the engagement.

2440 – Disseminating Results

The chief audit executive should disseminate results to the appropriate parties.

2440.A1 – The chief audit executive is responsible for communicating the final results to parties who can ensure that the results are given due consideration.

2440.A2 - If not otherwise mandated by legal, statutory or regulatory requirements, prior to releasing results to parties outside the organization, the chief audit executive should:

(26)

• Assess the potential risk to the organization.

• Consult with senior management and/or legal counsel as appropriate.

• Control dissemination by restricting the use of the results.

2440.C1 – The chief audit executive is responsible for communicating the final results of consulting engagements to clients.

2440.C2 – During consulting engagements, risk management, control, and governance issues may be identified. Whenever these issues are significant to the organization, they should be communicated to senior management and the board.

2500 – Monitoring Progress

The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.

2500.A1 – The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

2500.C1 – The internal audit activity should monitor the disposition of results of consulting engagements to the extent agreed upon with the client.

2600 – Management’s Acceptance of Risks

When the chief audit executive believes that senior management has accepted a level of residual risk that is unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.

Note: This document reflects the Standards at date of publication. Visit The IIA’s Web site for updated information.

(27)

OFFICE OF INTERNAL AUDIT

OPERATIONS MANUAL

SECTION B

BCPS, INTERNAL AUDIT, AND THE BALTIMORE COUNTY

BOARD OF EDUCATION

(28)

OFFICE OF INTERNAL AUDIT -OPERATIONS MANUAL B-1

INTERNAL AUDIT RELATIONSHIPS BOARD OF EDUCATION OF BALTIMORE COUNTY:

The Office of Internal Audit reports directly to the Board of Education of Baltimore County. Currently, the office staff consists of:

• The Chief Auditor

• The Assistant Chief Auditor

• Two Auditor IVs

• Four Auditor IIIs

• One Auditor II

• One Administrative Assistant

See the current organization chart of the Office of Internal Audit on B-2

As stated in BOE Policy 8400, “The Board of Education of Baltimore County (Board) has established the Office of Internal Audit (Internal Audit) as an independent and consultant office that reports directly to the Board. The office is independent of the school system and is administratively subject to the President of the Board.”

Each year, the Office of Internal Audit submits its work plan to the Board Audit

Committee for its approval. This plan outlines the activities for the coming year. These activities include:

• Assisting with audits that are required in order to receive funding from Federal and State sources.

• Completing audits that are requested by the Board.

• Completing investigations of fraud and impropriety.

• Conducting audits of School Activity Funds.

• Conducting audits of procurement activity.

• Providing client assistance to schools and offices that includes research of current laws, regulations, and best practices, as well as analysis of relevant data.

BALTIMORE COUNTY PUBLIC SCHOOLS:

The Office of Internal Audit also works closely with the Superintendent and all of the BCPS system to provide the school system with information and recommendations to improve the achievement for all students, maintain a safe and orderly learning

environment in every school, and to use resources effectively and efficiently.

The Office of Internal Audit is here to serve the people who serve the children. We are a part of TEAM BCPS!

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL Page B-1.1

(29)

INTERNAL AUDIT ORGANIZATION CHART

Board of Education President

Assistant Chief Auditor Administrative

Assistant II

Auditor III

Auditor IV

Auditor III

Board Audit Committee Chairperson

Auditor III Auditor III

OFFICE OF INTERNAL AUDIT ORGANIZATION CHART

Auditor II Chief Auditor

Auditor IV

(30)

OPERATIONS PROTOCOL

Internal Audit follows Board Policy #8400. This policy establishes the Office of Internal Audit as an independent and consultant office that reports directly to the Board. This policy also includes the responsibilities and authority of the Office of Internal Audit.

The Chief Audit Executives have the responsibility to:

1. Submit a formal work plan to the Board Audit Committee for its approval. Included in the work plan are goals and strategies, the operating budget, available staff

resource hours, and the annual requirements for the upcoming fiscal year.

2. Develop a three year plan that is approved and include in the work plan.

3. Obtain approval of the work plan from the Board Audit Committee.

4. Obtain approval from the Board President and/or the Chairperson of the Board Audit Committee for any significant additions, deletions, and/or changes to the approved work plan.

5. Obtain approval from the Board President and/or the Chairperson of the Board Audit Committee prior to addressing Board member requests.

6. Submit the current year office accomplishments and a summary of the Budget-to- Actual hours by work plan category to the Board Audit Committee annually.

(31)

REPORTING PROTOCOL

Internal Audit follows Board Policy #8400. This policy establishes the Office of Internal Audit as an independent and consultant office that reports directly to the Board. Internal Audit is independent of the Baltimore County School system and is administratively subject to the President of the Board. This policy also includes the responsibilities and authority of the Office of Internal Audit.

The Chief Audit Executives have the responsibility to:

1. Notify the Board President and the Chairperson of the Board Audit Committee of any events that will have a significant impact on the Baltimore County Public Schools.

2. Notify the Board President and the Chairperson of the Board Audit Committee when access to any BCPS functions, records, property and personnel is restricted.

3. Notify the Board President, the Chairperson of the Board Audit Committee, the Superintendent, and relevant parties of audit results or investigations that indicate waste, abuse, or fraud.

4. Report monthly to the Board Audit Committee. In addition, periodic meetings with the Board President, the Chairperson of the Board’s Audit Committee, and the Chief Audit Executives are held to provide an opportunity to discuss the results of the reports issued between such meetings and any matters that are considered critical and/or confidential.

5. Distribute reports to the Board via the President of the Board and the Chairperson of the Board Audit Committee.

(32)

OFFICE OF INTERNAL AUDIT

OPERATIONS MANUAL

SECTION C

INTERNAL AUDIT

POLICY AND OVERVIEW

(33)

OFFICE OF INTERNAL AUDIT -OPERATIONS MANUAL C-1

RESPONSIBILITIES FOR INTERNAL CONTROLS Management Responsibilities:

Management is charged with the responsibility of implementing internal controls in a manner that:

Safeguards the organization’s resources;

• Ensures the accuracy and reliability of data, information, and reporting;

• Ensures compliance with applicable laws and regulations;

• Promotes efficient and effective operations; and,

• Contributes to attainment of the organization’s objectives.

Internal controls are an integral part of managing operations. As such, they are the responsibility of management at all levels of the organization to:

• Identify and evaluate the exposures related to the conduct of its operations;

• Specify and establish the policies, operating standards, procedures, systems, and other disciplines to be used to limit the risks associated with the exposures identified;

• Establish practical internal control processes that require and encourage employees to perform their tasks in a manner that achieves a positive control result; and,

• Maintain the adequacy and effectiveness of the internal control processes that have been established.

Internal Audit Responsibilities:

The role of the internal audit department is to assist management to attain organizational goals by providing an independent, objective, assurance and consulting activity designed to add value and improve an organization’s operations through independently reviewing and evaluating the effectiveness of risk management, controls, governance and operations and by providing objective analyses and constructive recommendations for improvement.

Management retains full control over the implementation of these recommendations.

The internal audit activity of the organization is responsible for periodically evaluating the processes of internal control operations throughout the organization. That responsibility is carried out in three distinct steps:

1. Ascertaining that the design of the internal controls, as they have been established and represented by management, is adequately designed in relation to the related risk;

2. Determining, through compliance testing and other procedures, that the process is, in fact, operating as intended in an effective and efficient manner; and,

3. Reporting the results of audit work performed and offering recommendations for improving the internal control process.

The frequency and scope of auditing the internal control process is determined by the chief audit executive and as approved by the Board of Education of Baltimore County.

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL Page C-1.1

(34)

INTERNAL AUDIT POLICY

Auditing activities play an essential and useful role in the conduct of successful operations. These activities serve to examine and evaluate financial, administrative, and operational activities of the organization, supplying management personnel at all levels with information to assist in their control of the assets and operations and their attainment of objectives for which they are responsible. This policy applies to auditing's relationship with the organization and sets forth the guidelines upon which these activities will be carried.

The Baltimore County Public Schools Policy 8400, Internal Board Operations – Office of Internal Audit, provides internal audit with its authority over the organization:

I. General

A. The Board of Education of Baltimore County (Board) has established the Office of Internal Audit (Internal Audit) as an independent and consultant office that reports directly to the Board. The office is independent of the school system and is administratively subject to the President of the Board.

B. Internal Audit shall assist the Board in the discharge of its responsibilities;

complete audits of Baltimore County Public Schools (BCPS); and furnish the Board and BCPS with analyses, recommendations, counsel, and information concerning the activities audited or reviewed. Internal Audit will also facilitate any audit processes and assist any external auditors to the degree necessary and appropriate.

C. Internal Audit is authorized to have unrestricted access to all BCPS functions, records, property, and personnel.

D. Internal Audit standards and responsibilities shall be included in its charter and annual work plan.

II. Chief Auditor and Assistant Chief Auditor

A. The Board President will forward to the Board, at the recommendation of the Audit Committee, the appointment, replacement, and/or dismissal of the Chief Auditor and Assistant Chief Auditor.

B. The Board President, or at the direction of the President, the Chairman of the Board’s Audit Committee, shall be responsible for evaluating each year, the job performance of the Chief Auditor.

Adopted: 01/10/06 Revised: 12/7/10

4/17/12

(35)

VISION, MISSION, AND VALUE STATEMENTS Vision

The Office of Internal Audit will be Baltimore County Public Schools most valued resource for the support of financial, operational, and control activities.

Mission

The Office of Internal Audit’s mission is to support the Board of Education of Baltimore County and the Baltimore County Public Schools in achieving system wide goals and objectives.

Values

The Office of Internal Audit is committed to certain values in carrying out its mission:

Providing excellent service to the Board of Education of Baltimore County and the Baltimore County Public Schools is our primary focus.

• Performing our examinations in accordance with applicable standards established by the Government Accounting Office (GAO), the Institute of Internal Auditors (IIA), and the American Institute of Certified Public Accountants (AICPA).

• Maintaining our independence, objectivity and confidentiality in the performance of our work.

• Adhering to the highest degree of fairness, integrity and ethical conduct.

• Characterizing our relationships with the Board of Education of Baltimore County and the Baltimore County Public Schools community with respect, helpfulness, openness, and loyalty.

• Maintaining our professionalism as internal auditors through continuance of our education and training.

(36)

INTERNAL AUDIT CHARTER INTRODUCTION

The International Standards for the Professional Practice of Internal Auditing (Standard) Attribute Standards 1000 – Purpose, Authority, and Responsibility, states “The Internal Audit Charter is a formal document that defines the internal audit activity’s purpose, authority, and responsibility. It establishes the internal audit activity’s position within the organization; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the Internal Audit Charter resides with the Board.”

PURPOSE

The purpose of internal auditing is to add value and improve an organization’s

operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

AUTHORITY

Board Policy #8400 establishes the authority of the Office of Internal Audit within Baltimore County Public Schools (BCPS).

RESPONSIBILITIES

The Chief Auditor and the Assistant Chief Auditor of Internal Audit are authorized by the Board to direct a broad, comprehensive program of internal auditing within BCPS. To accomplish these activities, the Chief Auditor and the Assistant Chief Auditor and

members of the audit staff are authorized to have unrestricted access to all BCPS records, personnel, and physical properties.

The Chief Auditor and the Assistant Chief Auditor are responsible for:

1. Establishing standards and procedures for the auditing activity and directing its technical and administrative activities;

2. Developing, coordinating, directing, and executing a comprehensive audit program for the evaluation of the management controls provided over all activities;

3. Evaluating the effectiveness of all levels of management in their stewardship of BCPS resources and their compliance with established policies and procedures;

4. Recommending improvement of management controls designed to safeguard resources, promote growth, and ensure compliance with government laws and regulations;

5. Reviewing procedures and records for their adequacy to accomplish intended

objectives, and appraising policies and plans relating to the activity or function under audit or review;

6. Authorizing the publication of reports on the results of audit examinations, including recommendations for improvement;

7. Appraising the adequacy of the action taken by management to correct reported deficient conditions; accepting adequate corrective action; continuing reviews with

(37)

OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL Page C-4.2 appropriate management personnel on action the Chief Auditor and the Assistant Chief Auditor consider inadequate until there has been a satisfactory resolution of the matter,

8. Conducting special examinations at the request of the Board and BCPS management, including the reviews of representations made by persons outside the BCPS system.

9. Making post-installation evaluations of major data processing systems to determine whether these systems meet their intended purposes and objectives;

10. Submitting an annual Work Plan to the Board President and the Audit Committee for review and approval;

11. Reporting monthly to the Audit Committee on whether:

a. Appropriate action has been taken on significant audit findings;

b. Audit activities have been directed toward the highest exposures to risk and toward increasing the efficiency, economy and effectiveness of operations;

c. Internal and external audits are coordinated, so as to avoid duplications;

d. Internal audit plans are adequate;

e. There is any unwarranted restriction on the staffing and authority of the internal auditing department or on the access by internal auditors to all activities, records, property, and personnel of the BCPS system;

12. Reporting on a regular basis to the Board to discuss any matters that Internal Audit or the Audit Committee considers critical and/or confidential, and

13. Reviewing the internal audit charter and presenting it to the Audit Committee for approval.

References:

• The Institute of Internal Auditors. The Professional Practices Framework, .2009

“International Standards for the Professional Practice of Internal Auditing, (Standards) 1000, 1100, 2000, and 2130.

Approved: 04/21/06 Revised: 02/26/07

10/12/10