How To Conduct An Audit As Told By GIFs
One of the key functions of Massachusetts Office of State Auditor Suzanne M. Bump’s office is producing audits with the goal of promoting accountability, innovation, and transparency to improve public trust in government. While each audit is unique, and takes a distinct path toward completion, we’re taking you behind the scenes to show you, through gifs, how an audit goes from an idea to a tool to make government work better.
1. Identify Auditee and Topic
The first step to conducting an audit is identifying an auditee and potential audit topics. To do this, the Massachusetts Office of the State Auditor (OSA) staff considers a combination of factors such as the OSA’s statutory audit requirements, the complexity of an entity’s activities, any complaints or allegations against the entity, the significance of any findings identified during prior audits of the entity and in some instances, audits performed by other government organizations. In many cases we also use data analytics to assess the risk for waste, fraud or abuse. Further, we typically meet with organizations and stakeholders across the Commonwealth that work with state agencies and programs to understand what is and isn’t working so that our audits can help address the most pressing problems. The goal is to identify audits that target the highest risk areas in state government, while ensuring we meet our legislative requirements.
2. Conduct Preliminary Planning
OSA staff then conduct a high level review of the audited entity and its activities. During this phase, our team of auditors develop specific preliminary audit objectives and identify potential areas for review.
3. Send a letter to the auditee notifying them of the upcoming audit
The OSA then sends the auditee an engagement letter informing them that they have been selected for audit. The letter, which is also copied to the applicable oversight entity, includes information about the OSA’s authority to conduct the audit and when the audit team would like to begin the audit. This letter includes such things as a description of the initial scope of the audit, a list of records that the audit team would like available upon its arrival, and other logistical information.
4. Hold initial meeting with auditee
Before beginning their formal work, the audit team meets with officials from the audited agency. During this meeting they will discuss, among other things, the preliminary scope and objectives of the audit, the audit process, the protocol the audit team would like to follow to obtain necessary documents and information, and the procedures the OSA will follow if fraud or potential fraud is detected.
5. Begin Audit Planning Field Work
This is the initial phase of audit field work where the audit team gathers additional information on-site about the auditee’s activities. During this phase, auditors seek to gain an understanding of the auditee’s programs, internal controls, information system controls, provisions of relevant laws, regulations, contracts and grant agreements, previous audits, and ongoing investigations. The data analytics performed early on is particularly helpful in this stage because it helps auditors narrow down areas and programs they want to review.
6. Start General Field Work and Testing
Our audit team then begins collecting and analyzing information that will help them meet their audit objectives. This can include collection of physical evidence from examination of property, events, and people. It also includes examinations of documentary evidence, such as letters, contracts, accounting records, and invoices. In addition, the collection of information can include interviews, focus groups, public forums, and questionnaires. During this phase, auditors also inspect records and files to analyze, check, verify and confirm that the information obtained during the planning phase is correct.
7. Host Informal Exit Conference
After completion of field work, auditors meet with the auditee management for a preliminary discussion about potential audit findings and recommendations, as well as a discussion of next steps in the audit process.
8. Prepare and Review Audit Report
At this time, audit staff will draft the audit report. Audit reports include an overview of the agency, the time period being audited, the specific questions to be answered, the methodology used to answer the questions, analysis of findings during field work, relevant statutory and regulatory requirements, and recommendations for addressing issues identified in the audit. The draft goes through a series of reviews and edits to ensure that conclusions are fully supported by data, and are logical and consistent.
9. Receive Auditee Responses to Findings
If the audit identifies problems at an audited entity, the entity is given the opportunity to review the findings, and draft a written response. This response can include such things as reasons for noncompliance with relevant rules and regulations, information on steps they have taken or plan to take to correct problems, and reasons they dispute the findings if they don’t agree with the audits conclusions. The audit team considers the auditee’s comments in drafting the final audit report and may draft a formal reply to the auditee’s comments, which is then included in the report.
10. Hold Formal Exit Conference
In most cases when problems have been identified at an auditee, the audit team will hold a formal exit conference with auditee management. During this meeting, the audit team goes over the audit findings, reviews the auditee’s response with agency officials, and talks about next steps.
11. Release Final Audit
After the final audit report has been drafted, checked, and re-checked, it is released to the audited entity, officials charged with primary oversight of that entity, the public, government officials, and other stakeholders. Oversight officials could include a board of directors or an Executive Office. Government officials include the Governor’s office, relevant Executive Offices, legislative leadership, relevant legislative committees, the Comptroller’s office, and state and local officials that represent the area served by the audited entity. Stakeholders who receive copies of the audit often include relevant organizations with an interest in the audit topic, such as advocacy groups, business organizations, professional organizations, labor unions and public policy organizations.
12. Conduct Six-month Follow-up Survey
Six months after an audit is issued, the OSA sends a survey to the auditee to see what actions, if any, the auditee has taken to address the OSA’s findings. Since 2011, auditees report implementing 95% of recommendations from the Massachusetts Office of the State Auditor.
13. Return 3 Years Later to Conduct Another Audit
The OSA is statutorily required to audit most state agencies at least every three years. So three years after the audit is released, our office is back to do it all over again.