Internal Audit Guide
2014 Edition
TABLE OF CONTENTS
CHAPTER 1 — INTRODUCTION
1.1 Overview ... 1
1.2 Why a Guide? ... 1
1.3 Auditing Standards ... 2
1.4 Engagements ... 2
CHAPTER 2 — AUDITING STANDARDS
2.1 GAGAS ... 3
2.2 International Standards for the Professional Practice of Internal Auditing ... 3
2.3 Comparison of IIA and GAGAS Standards ... 4
2.4 References ... 5
CHAPTER 3 — TYPES OF ENGAGEMENTS
3.1 Overview ... 6
3.2 Types of Audits ... 6
3.3 Attestation Engagements ... 9
3.4 Non-Audit Services or Consulting Services ... 10
CHAPTER 4 — AUDIT RISK ASSESSMENT AND AUDIT PLAN
4.1 Overview ... 12
4.2 Identify Audit Universe or Auditable Units ... 12
4.3 Benefits of Auditable Units ... 12
4.4 Develop Permanent Files ... 13
4.5 Risk Assessment ... 14
4.6 Risk Assessment Criteria ... 15
4.7 Consideration of Internal Controls ... 16
4.8 Internal Control Weaknesses ... 17
4.9 Analysis of Internal Audit Resources ... 18
4.10 Developing the Audit Work Plan ... 18
CHAPTER 5 — INTERNAL CONTROL
5.1 Overview ... 20
5.2 COSO Categories ... 20
5.3 Five Components of COSO ... 21
5.4 COBIT ... 23
5.5 Understanding an Auditee’s Internal Controls ... 26
5.6 Documenting Internal Controls ... 27
5.7 Internal Control over Financial Reporting ... 28
5.8 Evaluation of Internal Controls ... 28
5.9 Classifying Internal Control Weaknesses for Reporting ... 29
CHAPTER 6 — USDOT AGENCIES AND DESCRIPTIONS
6.1 USDOT Agencies and Descriptions ... 30
6.2 Office of the Secretary ... 31
6.3 Federal Aviation Administration ... 32
6.4 Federal Highway Administration ... 33
6.5 Federal Motor Carrier Safety Administration ... 36
6.6 Federal Railroad Administration ... 36
6.7 Federal Transit Administration ... 37
6.8 Maritime Administration ... 39
6.9 National Highway Traffic Safety Administration ... 39
6.10 Office of Inspector General ... 41
6.11 Pipeline and Hazardous Materials Safety Administration ... 41
6.12 Research and Innovative Technology Administration ... 42
6.13 Saint Lawrence Seaway Development Corporation ... 43
6.14 Surface Transportation Board ... 43
CHAPTER 7 — STEWARDSHIP, OVERSIGHT, LAWS, AND REGULATIONS
7.1 Stewardship and Oversight Agreement between the FHWA and State Transportation Agencies ... 45
7.2 Hierarchy ... 46
7.3 Federal Requirements (2 CFR 200) ... 47
7.4 Audit Requirements ... 47
7.5 Catalog of Federal Domestic Assistance ... 48
7.6 State Law ... 48
CHAPTER 8 — INNOVATIVE FINANCING AND CONSTRUCTION DELIVERY METHODS
8.1 Grant Anticipation Revenue Vehicle (GARVEE) ... 49
8.2 Transportation Infrastructure Finance and Innovation Act (TIFIA) ... 49
8.3 Section 129 Loans (23 U.S.C. 129 (A)(7)) ... 49
8.4 Tax Increment Financing (TIF) ... 49
8.5 Private Activity Bonds (PABs) ... 49
8.6 Public-Private Partnerships (P3s) ... 50
8.7 Design-Build (DB) ... 50
8.8 Construction Manager/General Contractor (CMGC) ... 50
CHAPTER 9 — GENERAL AUDIT AND ATTESTATION PROGRAMS
9.1 Audit Program Purpose and Scope ... 51
9.2 Phases ... 51
9.3 Attestation Program Purpose and Scope ... 53
GLOSSARY ... 58
AASHTO Internal Audit Guide 2014 Edition Table of Contents
Chapter 1 – Introduction
1.1—OVERVIEW
This guide was developed by a task force of the American Association of State Highway and
Transportation Officials (AASHTO) Audit Subcommittee with input from various federal
partners. State Transportation Agencies (STAs) have the same overall mission, but are
structured differently across the United States. Most STAs have internal auditors, external
auditors, and inspectors general. Some audit groups are organized as standalone units and
others are included as part of larger organizational components of the STA. This guide focuses
on the goals, functions, and services of internal audit groups within STAs. In addition, detailed
practice aids are provided as a supplement to the guide.
The Institute of Internal Auditors (IIA) defines internal auditing as “an independent, objective
assurance and consulting activity designed to add value and improve an organization’s
operations. It helps an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk management, control,
and governance processes.”
1.2—WHY A GUIDE?
This guide is designed to strengthen stewardship and oversight functions performed by STA
internal audit groups. An essential role of government is the stewardship and oversight of
public expenditures. As government transportation expenditures grow and budgets and
staffing shrink, the stewardship and oversight process for transportation programs must be
enhanced. The purpose of this internal audit guide is to provide a tool that can be used by STA
internal auditors to perform audits of transportation processes and programs.
This guide is intended to help auditors understand processes, terminology, policies, audit
techniques, and sources for laws and regulations. The guide’s objective is to identify the audit
universe in a general sense and provide a reference guide for the following items:
• Internal Controls
• Risk Assessment
• Compliance with applicable laws and regulations
• Federal programs
• Innovative financing
• Effective use of resources
1.3—AUDITING STANDARDS
STA internal audit groups follow two main sets of auditing standards: Generally Accepted
Government Auditing Standards (GAGAS), issued by the Comptroller General of the United
States, and the IIA standards for internal audit. The different auditing standards are discussed
in the next chapter.
When necessary, internal auditors obtain additional guidance from standards issued by the
American Institute of Certified Public Accountants (AICPA) and guidance from the IIA.
1.4—ENGAGEMENTS
Internal auditors perform a variety of engagements, ranging from attestation engagements
consisting of reviews, examinations, and agreed-upon procedures, to performance audits.
STA internal auditors may be responsible for:
• Reviewing STA internal controls to ensure they are adequately designed and are functioning properly
• Reviewing STA programs and processes to ensure they comply with applicable federal and state laws and regulations as well as STA policies and procedures
• Reviewing STA processes to ensure they operate effectively and efficiently
• Reviewing programs to ensure that management has adequately safeguarded STA assets and used taxpayer resources properly
• Reporting to the head of the STA or governing body and management, noting any weaknesses or areas of improvement
Chapter 2 – Auditing Standards
2.1—GAGAS
Generally Accepted Government Auditing Standards (GAGAS), produced by the Government
Accountability Office (GAO), contain requirements and guidance for entities conducting
government audits within the United States. Professional auditors must follow these standards
when conducting financial audits of government and non-profit organizations receiving federal
funds subject to the audit requirements in Subpart F of 2 CFR 200 — Uniform Administrative
Requirements, Cost Principles, and Audit Requirements for Federal Awards.
In the United States, use of GAGAS is also mandatory for federal inspectors general, many state
and local government auditors and some internal auditors, as well as CPA firms when
conducting single audits and other government audits. In addition, many auditors and audit
organizations choose to voluntarily perform their work in accordance with GAGAS. GAGAS
contains requirements for financial audits, attestation engagements and performance audits.
Many international government audit organizations use GAGAS as guidance when conducting
financial and performance audits, even when there is no specific legal requirement to do so.
2.2—INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING
For internal auditors, there is another set of standards, the International Standards for the
Professional Practice of Internal Auditing, produced by the IIA. Internal auditors throughout the
world use these standards. Certified Internal Auditors are required to follow the IIA Standards,
and anyone who wishes to state their audits are conducted in accordance with IIA Standards
must follow the IIA Standards.
The IIA Standards are divided between Attribute and Performance Standards. Attribute
Standards address the attributes of organizations and individuals who perform internal
auditing. The Performance Standards describe the nature of internal auditing and provide
quality criteria against which the performance of these services can be measured.
Some government organizations conduct their engagements in accordance with both the IIA
Standards and GAGAS. The IIA Standards are often implemented along with the performance
audit requirements of GAGAS (chapters 1-3, 6 and 7). While GAGAS is used for conducting
government audits by both external and internal audit organizations, it contains some specific
requirements and guidance related to internal auditors and internal audit organizations.
Each STA should determine which standards they follow and document that as part of their
policies and procedures. Some STAs have laws that require they follow one of the two
standards and some states require their agencies to follow both.
2.3—COMPARISON OF IIA AND GAGAS STANDARDS
GAGAS is commonly referred to as “Yellow Book” and IIA Standards are commonly referred to
as “Red Book.” The Institute of Internal Auditors (IIA) provides a comparison of the IIA and
GAGAS Standards on IIA’s website.
The following is a list of some of the most notable differences between the standards:
• Each starts from a different definition of auditing and auditors.
• GAGAS emphasizes accountability; IIA emphasizes governance, risk and controls to add value.
• IIA requires an internal audit charter; GAGAS does not.
• GAGAS discourages non-audit consulting services, noting that they could compromise objectivity and independence; the IIA recognizes consulting as a service that internal auditors provide to their organizations and has established ‘consulting standards’. The IIA defines consulting services to include counsel, advice, facilitation and training, but states that these services must be provided without assuming any management responsibility for them.
• Under GAGAS, auditors must document consideration of independence; IIA has no formal requirement to document independence. However, the IIA Standards require internal auditors to have independence and state that an auditor “must have an impartial, unbiased attitude and avoid any conflict of interest.” The Standards also require “organizational independence” and provide definitions of “independence” and “objectivity.”
• GAGAS requires external peer reviews every three years; IIA requires external peer reviews every five years.
• GAGAS defines three types of assurance engagements: financial, attestation, and performance; IIA discusses assurance services but focuses on the auditor’s work and governance, risk assessment and controls.
• IIA requires the development of an audit universe and annual work plan; GAGAS has no such requirement.
• Under GAGAS, auditors write ‘findings’ when fraud, abuse, internal control weaknesses and noncompliance are found; IIA requires auditors to “communicate engagement results and where appropriate, the communication must contain the internal auditor’s opinion and/or conclusions.” These results must include issues of fraud, abuse, internal control weaknesses, and noncompliance. Each issue noted must include the condition, criteria, cause and effect.
• GAGAS requires 80 hours of CPE every two years; IIA Standards state, “Internal Auditors must enhance their knowledge, skills, and other competencies through continuing professional development,” but do not specify a required number of hours for non-certified members. However, Certified Internal Auditors are required to have a minimum of 40 hours of continuing education every year. Certified Government Auditing Professionals are required to have 25% of their hours in government-related training.
2.4—REFERENCES
https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx
http://gao.gov/yellowbook/overview
The Institute of Internal Auditors, Supplemental Guidance: IIA International Standards for the Professional Practice of Internal Auditing / Government Accountability Office Government Auditing Standards (GAGAS) / A Comparison, 2nd Edition
Leita Hart-Fanta, CPA, CGFM, CGAP, For the Orange, April 9, 2013
Chapter 3 – Types of Engagements
3.1—OVERVIEW
This chapter describes the different types of government audits, attestation engagements, and
other non-audit services provided by internal audit organizations. This description is not
intended to limit or require the types of services that may be conducted. In conducting the
services described in this chapter, auditors should follow the applicable standards adopted by
their STA.
3.2—TYPES OF AUDITS
Financial audits provide an independent assessment of whether an entity’s reported financial
statements are presented fairly in all material respects in conformity with an acceptable
financial framework. Other objectives of financial audits, which provide for different levels of
assurance and entail various scopes of work, may include:
• Providing an opinion for specified elements, accounts, or items of a financial statement
• Reviewing interim financial information
• Issuing letters for underwriters and certain other requesting parties
• Reporting on the processing of transactions by service organizations
• Auditing compliance with applicable requirements relating to governmental financial assistance
Financial audits for states, local governments, and non-profit organizations are generally
performed through the Single Audit process by outside entities. In addition, many STAs have
“external audit” groups that conduct financial-related audits of architectural and engineering
firms to provide assurance that their indirect cost rates are developed in compliance with
federal requirements.
Performance audits are objective and systematic examinations of evidence against specific
criteria in order to provide an independent assessment of the control design and operating
effectiveness of a program or processes implemented to meet agency objectives. Performance
audits provide an objective analysis to assist management and those charged with governance
and oversight in using the information to improve program performance and operations,
reduce costs, facilitate decision making by parties with responsibility to oversee or initiate
corrective action, and contribute to transparency and public accountability.
Performance audit objectives vary widely and include assessments of program effectiveness,
economy, and efficiency; internal control; compliance; and prospective analyses (defined later).
These overall objectives are not mutually exclusive. Consequently, a performance audit may
have more than one objective.
Program effectiveness and results audits are frequently interrelated with economy and
efficiency audits. Audit objectives that focus on program effectiveness and results typically
measure the extent to which a program is achieving its goals and objectives. Audit objectives
that focus on economy and efficiency address the costs and resources used to achieve program
results.
Examples of program effectiveness and results audits include assessing:
• The extent to which legislative, regulatory, or organizational goals and objectives are being achieved, with outcomes that support the objectives of the program
• The relative ability of alternative approaches to yield better program performance or eliminate factors that inhibit program effectiveness
• The relative cost and benefits or cost effectiveness of program performance
• Whether a program produces results or effects not intended by the objectives
• The extent to which programs duplicate, overlap, or conflict with other programs
• Whether the audited entity is following sound procurement practices
• The validity and reliability of performance measures concerning the program’s effectiveness and efficiency
• The reliability, validity, or relevance of financial information related to the performance of a program
• Whether the outcomes achieved the objectives of the program
Internal control audits are an assessment of one or more components of an organization’s
system of internal control. They are designed to provide reasonable assurance of achieving
effective and efficient operations, reliable financial and performance reporting, or compliance
with applicable laws and regulations. Internal control objectives also may be relevant when
determining the cause of unsatisfactory program performance. Internal controls include the
plans, policies, methods, and procedures used to meet the organization’s mission, goals, and
objectives. Internal controls include the processes and procedures for planning, organizing,
directing, and controlling program operations, and management’s system for measuring,
reporting, and monitoring program performance. Examples of audit objectives related to
internal control include the extent to which a program provides reasonable assurance that:
• Organizational missions, goals, and objectives are achieved effectively and efficiently.
• Resources are used in compliance with laws, regulations, or other requirements.
• Resources are safeguarded against unauthorized acquisition, use, or disposition.
• Management information and public reports that are produced, such as performance measures, are complete, accurate, and consistent to support performance and decision-making.
• Security over computerized information systems will prevent or detect unauthorized access.
• Contingency planning for information systems provides essential back-up to prevent unwarranted disruption of activities and functions the systems support.
Compliance audits are assessments of compliance with criteria established by provisions of
laws, regulations, contracts, grant agreements, internal policies, or other requirements that
could affect the acquisition, protection, use, and disposition of the entity’s resources and the
quantity, quality, timeliness, and cost of services the entity produces and delivers. Compliance
requirements can be either financial or nonfinancial.
Information technology audits include the evaluation of internal controls related to the
development, operation, maintenance, and management of the information technology
environment, infrastructure, and data. Some of the areas addressed include:
• Governance of policy and process documentation.
• Physical and logical security.
• Application and infrastructure assets.
• Monitoring.
• Business continuity/disaster recovery.
• System development review.
IT audits are becoming increasingly important as record keeping and transmission of non-public
personal information rely on automation.
When an information system is significant to the audit objective, the audit should include an
evaluation of the information technology controls to provide reasonable assurance that the
information being processed and produced by the system is valid and reliable.
Follow-up audits are designed to test the status and evaluate the effectiveness of corrective
actions taken on audit issues reported in prior released reports.
3.3—ATTESTATION ENGAGEMENTS
The subject matter for attestation engagements may take many forms, including historical or
prospective performance or condition, physical characteristics, analyses, system processes and
behavior. Attestation engagements may cover a broad range of financial or non-financial
subjects and can be part of a performance review. Possible subjects of attestation
engagements can include reporting on:
• An entity’s internal control over financial reporting
• An entity’s compliance with requirements of specified laws, regulations, rules, contracts or grants
• The effectiveness of an entity’s internal control over compliance with specified requirements, such as those governing the bidding for, accounting for, and reporting on grants and contracts
• Management’s discussion and analysis presentation
• Prospective financial statements or pro-forma financial information
• The reliability of performance measures
• Final contract cost
• Allowability and reasonableness of proposed contract amounts and specific procedures performed on a subject matter (agreed-upon procedures)
There are three types of attestation engagements:
1. Examination
Examinations consist of obtaining sufficient evidence to express an opinion on whether the
subject matter is based upon or in conformity with the criteria in all material respects or the
assertion is presented or fairly stated, in all material respects, based upon the criteria.
Examinations provide the highest level of assurance outside of an audit. Since assurance is
provided in an examination, the risk of undetected material misstatement must be reduced
to a tolerable amount.
2. Review
Reviews consist of performing sufficient testing to express a conclusion about whether any
information came to the auditors’ attention that indicates the subject matter is not based
upon or in conformity with the criteria in all material respects. The auditor may conclude
the assertion is not presented, in all material respects, based upon the criteria. Reviews
provide negative assurance. Negative assurance means that nothing came to the auditors’
attention that would lead them to believe the subject matter did not conform to the
criteria.
3. Agreed-upon procedures
Agreed-upon procedures consist of performing specific procedures on a subject matter and
issuing a report of findings based upon the agreed-upon procedures. The auditors do not
express an opinion about the subject matter but issue a report of findings based upon
specific procedures performed on the subject matter.
3.4—NON-AUDIT SERVICES OR CONSULTING SERVICES
Internal audit organizations may provide non-audit services or consulting services. These types
of services are generally performed at the discretion of the head of the audit organization,
requested by management of a bureau/division within the STA, or for an oversight body or
independent external organization. Designed and executed appropriately, these services
generally do not impair the auditors’ independence.
These services may be considered advisory services provided by an Internal Audit group to the
STA. They are services, other than specific audit work, that are provided and are intended to
add value and improve the organization’s governance, risk management, and control processes.
Consulting services include counsel, advice, facilitation, or training regarding issues such as
internal control structure, compliance, governance and risk management. Consulting may
come in the form of informal or formal consulting services.
• Informal consulting services generally consist of meeting with STA management and staff to discuss issues and requirements and provide advice. Generally no formal documentation of these services is required. They might consist of discussing with management or staff where they can find information regarding certain requirements or explaining how the requirements are generally viewed by an auditor. They may include an explanation or training on the types of internal controls or their use.
• Formal consulting comes in the form of a special project and requires documentation to support the services. The extent of the documentation required to support the services will depend upon the scope of the project and the work performed. However, sufficient evidence must be obtained to support any conclusions that are made.
Other examples of non-audit/consulting services include the following:
• Gathering and providing information to a requesting party without providing an evaluation or verification of the information
• Providing advice on potential improvements of standards, methodologies, policies, procedures, and internal control
• Providing assistance and technical expertise to legislative bodies or developing questions for use at legislative hearings
• Advising an entity regarding its performance of internal control assessments
• Providing advice to management officials to help them identify good business practices
• Conducting OMB A-133 Desk Reviews
Audit organizations may also be asked to perform prospective analysis engagements. These
engagements provide analysis or conclusions about information that is based upon
assumptions about events that may occur in the future, along with possible actions that the
entity may take in response to future events. Examples of prospective analysis engagements
may include:
• Performing risk assessments to determine program or policy alternatives, including forecasting program outcomes under various assumptions
• Assessing the advantages and disadvantages of legislative proposals
• Analyzing views of stakeholders on policy proposals for decision-makers
• Identifying best practices for use in evaluating program or management system approaches, including financial and information management systems
• Producing a high-level summary that affects multiple programs or entities on issues studied or under study
Chapter 4 – Audit Risk Assessment and Audit Plan
4.1—OVERVIEW
This section describes general steps for developing an STA’s Audit Risk Assessment and Audit
Plan. The audit plan is usually developed annually but should be considered a living document
that will change and grow. Most audit plans are works in progress, and schedules change to
meet department needs. A new program, department realignment/reorganization, or
unexpected occurrences may change management’s needs, shifting some engagements to
higher priority status and inserting engagements of new programs. The audit plan should be
based upon the risks of the organization. The internal audit manager should prioritize the
internal audit work based upon the risks of the various areas of responsibility of the STA.
4.2—IDENTIFY AUDIT UNIVERSE OR AUDITABLE UNITS
In order to determine appropriate audit coverage, the internal audit manager, with input from
executive management, should identify the auditable units within the STA. This enables
internal audit to link the Internal Audit Plan to the STA risks based upon the primary owner of
the process. Any additional areas responsible for completion of that particular process should
also be identified within the auditable units. This is a vital component of the risk assessment
process and consists of dividing the entire STA into various control areas that cover all
responsibilities and functions of the STA. The key to maintaining a good schedule of auditable
units is to periodically verify that there have been no changes or additions to the auditable
units. The auditable units should be updated to reflect any changes in structure, functions or
responsibility on at least an annual basis. When responsibility changes occur, historic data
should be retained to reflect the previous responsibilities and audit coverage that was given.
Once identified, engagements performed and scheduled for each auditable unit can be tracked
to ensure regular engagements are performed as necessary. This will also assist in developing
the audit plan based upon length of time since last audit and ensure that all auditable units are
considered in the audit plan. Some auditable units, however, may be low risk and not receive
an engagement due to limited internal audit resources. The limited internal audit resources
should be scheduled for areas of the STA which pose the highest risk.
Using the identified audit universe, prepare a matrix of engagements performed for each
auditable unit. It is helpful to maintain at least three to five years of data to facilitate
scheduling future engagements.
4.3—BENEFITS OF AUDITABLE UNITS
There are many benefits to developing the auditable units of the STA. These include, but are
not necessarily limited to, the following:
 Provides the framework for monitoring the internal control structure of the STA by
operational area and provides the foundation for the risk assessment process
 Allows Internal Audit to communicate with each division or office of the STA in a
standardized manner to monitor the STA’s internal controls
 Provides a mechanism for confirming whether all processes have been captured
 Provides a means for monitoring historic audit coverage for all functions and activities of
the STA
 Demonstrates compliance with the standards and laws that may govern the internal audit
function
 Considered an Internal Audit best practice
4.4—DEVELOP PERMANENT FILES
A permanent file is a useful tool to assist with the audit process. It provides basic and historic
information for Internal Audit in assessing auditable units. These files are generally created as
part of the audit process, but may be created separately as time allows. This helps provide a
starting point not only for the Internal Audit Plan Risk Assessment but also for audit specific risk
assessments. It is also a primary source of information for the internal auditor assigned to a
particular audit. Permanent files must be updated as changes occur in order for them to be
useful. Suggested information for permanent files includes, but is not necessarily limited to,
the following:
 Applicable statutes, rules, and regulations
 Policies and procedures, manuals, guidelines
 Prior Audits--external, internal, federal--that relate to the area
 Internal control certifications
 List of information technology systems used
 Interview notes
 System narratives
4.5—RISK ASSESSMENT
Internal Audit should develop procedures to be followed each year in performing the STA’s
internal audit risk assessment. Management input should be one of the factors considered.
Internal Audit should consider holding meetings with various levels of management to gain a
further understanding of the risks and controls of the auditable units. Internal auditors are the
internal control and risk management experts in their agency. Audit planning should be used as
an opportunity to educate and increase management’s understanding of the internal audit
function and the risk assessment process, and ensure that there is a common understanding of
definitions. A risk assessment questionnaire could be provided to management to assist them
in determining their sections’ risks and needs. The risk assessment questionnaire might include
the following:
 Any changes to the auditable units
 New programs or initiatives
 Rapid growth or significant increases in funding or expenditures
 Turnover of key management or key personnel
 Reviews or audits by a federal agency; e.g., FHWA, FTA, FRA, FAA, NHTSA, FMCSA, GAO
 Media exposure
 Law changes
 Administrative rule changes
 Information technology that was developed or had major modifications in the last year or
any that are currently in process or planned
 Any fraudulent activity, improper conduct, blatant disregard for procedures, suspected or
improper use of assets or state resources
 Any processes or programs they would like Internal Audit to review
 Rank what they consider to be the five most significant areas or processes for which they
are responsible
Meetings should be scheduled with Executive Management and the Audit Committee, if
applicable, to obtain their audit requests and areas of concern they would like considered.
Consider informal sources of audit requests, such as, concerns noted in conversations and
emails from STA staff members, anonymous tips, and auditor observations and concerns noted
in other audits. Perform risk assessments on all the auditable units to determine priorities
taking into consideration any audit requests that are received. Each year, new audit requests
may be added and a risk assessment conducted to prioritize and insert new requests into the
ongoing list.
4.6—RISK ASSESSMENT CRITERIA
A formal risk assessment should be developed which includes various criteria deemed
significant to the STA. A risk assessment usually includes consideration of both the impact and
the probability of occurrence for any given risk. The suggested criteria below speak mostly to
impact; the probability of occurrence should be weighed alongside each of them.
Suggested criteria may include, though are not limited to, the following:
 Revenues/expenditures
 Federal responsibilities/requirements
 Legal responsibilities/requirements
 Public impact or exposure
 Impact to the STA
 Management needs
 Date of last audit
 Prior experience with auditee
 Inherent risk factors (high activity, high volume, complexity of operations, dollar value of
assets, etc.)
 Potential for fraud (improper conduct, suspected misuse, improper use of assets, blatant
disregard for procedures)
 Strength of internal controls
 Reported problems on last audit, external audit, or U.S. Department of Transportation
(USDOT) reviews
 Potential efficiency improvements
 New programs, initiatives or activities
 Change in key personnel
 New IT systems or major changes to IT systems key to department
 Estimated audit time
4.7—CONSIDERATION OF INTERNAL CONTROLS
To achieve the objectives of the agency, management must sometimes place assets at risk. It is
management's responsibility to decide how much and what risk it is willing to accept to achieve
the objectives of the agency. Management mitigates risks and ensures that management’s
objectives are met through the use of internal controls.
Identifying and assessing threats helps management recognize vulnerabilities in the internal
control system. Based upon this information, management can provide appropriate controls to
mitigate risk. The internal auditor should consider these areas during their meeting with
management to assess which programs and functions pose the highest risk to the agency and
should therefore receive internal audit coverage first. Some common threats include the
following:
 Management override - Controls are readily set aside at the option of management or
personnel.
 Optional or incomplete controls - Controls that say “may” or those that give options without
guidance for making decisions on how to proceed are not effective. Clear direction
regarding the choice should be made.
 Form over substance - Controls appear to be well designed but are ineffective or miss their
intended mark.
 Conflicts of interest - Causes personnel to place their interest above that of the
organization.
 Access to assets - Having improper or unauthorized access to assets can result in theft,
misuse or abuse.
 Inadequately trained or informed personnel - Personnel who don’t understand the reason
or necessity for a particular control or the desired result may not properly execute the
necessary steps.
 Inadequate separation of duties – Multiple control points are the responsibility of one
person.
Chapter 5 discusses internal control in more detail.
4.8—INTERNAL CONTROL WEAKNESSES
Another key component of the risk assessment process is gaining an understanding of why
internal control weaknesses occur. Understanding these weaknesses helps management
monitor for appropriate and effective internal controls. Internal Audit should consider these
factors and determine whether they exist as they walk through the risk assessment process
with management. Some common reasons internal control weaknesses occur may include the
following:
 Poorly designed or implemented internal control processes--the process becomes routine
due to familiarity and steps in the process are overlooked
 Information concerning a law, rule or procedure was not adequately communicated
 Employees not properly trained or instructed
 Personnel not knowledgeable of the importance of a step or process and its impact on
another area
 Confusion over who is responsible (each area incorrectly thinks the other is handling the
process)
 Time constraints
 Inadequate resources devoted to the process
 Employees unknowingly overlooked something
 Personnel are comfortable with the current process and resistant to change
4.9—ANALYSIS OF INTERNAL AUDIT RESOURCES
To determine the number of internal engagements to be scheduled, an analysis of available
staff hours should be conducted. The internal audit manager should consider the following in
determining hours available:
 Total annual hours
 Holidays
 Annual leave
 Sick leave
 Training
 Miscellaneous administrative
Other considerations might include:
 Additional annual leave for long-term employees
 Retirements/resignations
 Time required to replace employees who retire or resign
 Furlough days
 Extended use of leave (family & medical leave, military leave, disability, and sick leave)
 Other types of reviews, consulting, and non-audit services
4.10—DEVELOPING THE AUDIT WORK PLAN
Based on the risk assessment and analysis of staff availability, an audit work plan should be
developed. Remember to include any needs for audit follow-ups (e.g. 90 – 120 days). It may be
helpful to develop two types of audit work plans. One type would give a narrative describing
the engagement. The second type would be a scheduling tool to assign auditors to each
selected engagement with time estimates across the twelve months. Another consideration for
scheduling engagements is the auditee’s schedule, which may include deadlines or busy
seasons. These factors as well as others specific to your STA should be taken into account when
scheduling.
It may also be helpful to prepare a two-year audit plan in order to assist with prioritizing
engagements and resources. The second year of the plan is always reconsidered when the next
year’s two-year plan is developed, because circumstances and risks will have changed over the
year since the plan was last prepared.
Final meetings with the STA’s chief executive officer and the audit committee, if applicable,
should be scheduled to obtain concurrence and approval of the proposed audit work plan. Any
scheduling concerns should be communicated at this time.
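The following is an added worked example, not part of the AASHTO guide, showing how the steps of sections 4.6, 4.9 and 4.10 fit together: each auditable unit is scored on impact and probability of occurrence, the score is aged by years since the last audit, net staff hours are computed from the deductions listed in 4.9, and the highest-risk engagements that fit the remaining hours are scheduled. The 1-to-5 scales, the 10%-per-year aging rule, the flat bonus for a management request, the 10% follow-up reserve, the default hour deductions and every auditable unit in the list are constructed assumptions for illustration only; an STA would substitute its own criteria and figures.

```python
"""Added example (not from the AASHTO guide): a risk-ranked audit work plan.

Follows the sequence of sections 4.6, 4.9 and 4.10: score each auditable
unit on impact and probability of occurrence, age the score by the time
since the last engagement, compute net staff hours available, then schedule
the highest-risk engagements that fit. The scoring scales, the aging rule,
the follow-up reserve and every unit below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class AuditableUnit:
    name: str
    impact: int             # 1 (low) to 5 (high): dollars, public exposure, federal/legal exposure
    probability: int        # 1 to 5: inherent risk, control strength, fraud potential, recent change
    years_since_audit: int  # 0 = audited this year, or a new program
    estimated_hours: int    # estimated audit time (last criterion in section 4.6)
    management_request: bool = False


def risk_score(unit: AuditableUnit) -> float:
    """Impact x probability, aged by time since the last audit.

    Assumed rule: +10% per year without coverage, capped at +50%, so a unit is not
    left off the plan indefinitely just because it scores low today. A management
    request adds a flat 2 points so requests surface without outranking a
    genuinely high-risk unit.
    """
    base = unit.impact * unit.probability
    aging = 1.0 + 0.10 * min(unit.years_since_audit, 5)
    bonus = 2 if unit.management_request else 0
    return round(base * aging + bonus, 2)


def available_hours(staff: int, annual_hours: int = 2080, holidays: int = 88,
                    annual_leave: int = 120, sick_leave: int = 80,
                    training: int = 40, admin: int = 100, other: int = 0) -> int:
    """Net engagement hours per section 4.9: total hours less non-audit time, per auditor.

    The default deductions are assumed figures; 'other' stands in for the second
    list in 4.9 (retirements, furloughs, extended leave, non-audit services).
    """
    per_auditor = annual_hours - (holidays + annual_leave + sick_leave + training + admin + other)
    return max(per_auditor, 0) * staff


def build_work_plan(units, hours_budget: int, followup_ratio: float = 0.10) -> dict:
    """Greedy plan: highest risk first, reserving a share of hours for audit follow-ups.

    A unit that does not fit the remaining hours is deferred (it stays in the
    universe and its aging factor raises it next year); smaller units further
    down the ranking may still be scheduled in the hours that remain.
    """
    reserve = int(hours_budget * followup_ratio)
    remaining = hours_budget - reserve
    ranked = sorted(units, key=lambda u: (-risk_score(u), -u.years_since_audit, u.name))
    scheduled, deferred = [], []
    for unit in ranked:
        if unit.estimated_hours <= remaining:
            scheduled.append(unit.name)
            remaining -= unit.estimated_hours
        else:
            deferred.append(unit.name)
    return {"scheduled": scheduled, "deferred": deferred,
            "followup_reserve": reserve, "unallocated": remaining}


# Constructed audit universe for illustration; names and figures are invented.
UNITS = [
    AuditableUnit("Consultant contract payments", impact=5, probability=4, years_since_audit=3, estimated_hours=600),
    AuditableUnit("Right-of-way acquisition", impact=4, probability=4, years_since_audit=1, estimated_hours=500,
                  management_request=True),
    AuditableUnit("Fleet fuel cards", impact=2, probability=4, years_since_audit=6, estimated_hours=300),
    AuditableUnit("New ERP module rollout", impact=4, probability=5, years_since_audit=0, estimated_hours=800),
    AuditableUnit("Records retention", impact=1, probability=2, years_since_audit=4, estimated_hours=120),
]

if __name__ == "__main__":
    budget = available_hours(staff=1)
    for u in sorted(UNITS, key=risk_score, reverse=True):
        print(f"{risk_score(u):5.1f}  {u.name}")
    print(build_work_plan(UNITS, budget))
```

With one auditor (1,652 net hours, 165 reserved for follow-ups) only the two highest-scoring units fit; the right-of-way request is deferred even though management asked for it, which is the trade-off the guide describes when limited resources go to the highest-risk areas first. Rerunning with two auditors schedules every unit, and the deferred list is what carries into next year's two-year plan.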
Chapter 5 – Internal Control
5.1—OVERVIEW
Internal control is a system implemented by an organization’s governing body and management
that helps ensure key financial, operational, and regulatory objectives are achieved. Internal
control is effected by an entity’s management and other personnel; it is not merely policy
manuals and forms, but involves people at every level of an organization. Internal control is
pervasive, impacting people, process, and technology. It can be expected to provide
reasonable assurance, not absolute assurance, to an organization’s management.
This review guide adopts the internal control direction provided by the Committee of
Sponsoring Organizations (COSO) of the Treadway Commission. In May 2013, COSO updated its
Internal Control – Integrated Framework to take into account changes in business environment
and operations over the last 20 years.
5.2—COSO CATEGORIES
Internal control is broadly defined as a process, effected by an entity’s board of directors,
management, and other personnel, designed to provide reasonable assurance regarding the
achievement of objectives in the following three COSO categories:
1. Reporting - related to the internal and external financial and nonfinancial reporting to
stakeholders, encompassing reliability, timeliness, transparency, or other elements as
established by regulators, standard setters, or the entity’s policies
2. Compliance - adhering to those laws and regulations to which the entity is subject, where
non-compliance could result in penalties, fines or negative impacts to reputation
3. Operations - addresses an entity’s basic business objectives, including performance and
goals and safeguarding of resources.
In assessing the design and operating effectiveness of internal controls under the COSO
framework, management also considers the five components of internal control as depicted in
the COSO “Cube”. If designed and operating effectively, controls within these five components
in totality provide a framework for internal control. The 2013 framework incorporates 17
principles that support these five components. For effective internal controls, the 2013
framework requires that each of the five components and 17 relevant principles be present and
functioning, and that the five components must operate together in an integrated manner.
“Present” means that the components and relevant principles exist in the design and
implementation of the system of internal control.
“Functioning” means that the components and relevant principles continue to exist in the
conduct of the system of internal control.
5.3—FIVE COMPONENTS OF COSO
1. Control Environment
The control environment sets the tone of an organization, influencing the control
consciousness of its people. It is the set of standards, processes, and structures that
provides the basis for carrying out internal control across the organization. It is the
foundation for all other components of internal control, providing discipline and structure.
The five principles relating to control environment are:
1) The organization demonstrates a commitment to integrity and ethical values.
2) The board of directors demonstrates independence from management and exercises
oversight of the development and performance of internal control.
3) Management establishes, with board oversight, structures, reporting lines, and
appropriate authorities and responsibilities in the pursuit of objectives.
4) The organization demonstrates a commitment to attract, develop, and retain
competent individuals in alignment with objectives.
5) The organization holds individuals accountable for their internal control responsibilities
in the pursuit of objectives.
2. Risk Assessment
Every entity faces a variety of risks from external and internal sources that must be
assessed. Risk assessment is the identification and analysis of relevant risks that could
affect the achievement of the entity’s objectives, forming a basis for determining how the
risks should be managed.
The four principles relating to risk assessment are:
1) The organization specifies objectives with sufficient clarity to enable the identification
and assessment of risks relating to objectives.
2) The organization identifies risks to the achievement of its objectives across the entity
and analyzes risks as a basis for determining how the risks should be managed.
3) The organization considers the potential for fraud in assessing risks to the achievement
of objectives.
4) The organization identifies and assesses changes that could significantly affect the
system of internal control.
3. Control Activities
Control activities are the policies and procedures that help ensure management directives
are carried out. They help facilitate the necessary actions required to address
risks to achievement of the entity’s objectives. Control activities occur throughout the
organization, at all levels and in all functions. They include a range of activities as diverse as
approvals, authorizations, verifications, reconciliations, reviews of operating performance,
security of assets, and segregation of duties.
The three principles relating to control activities are:
1) The organization selects and develops control activities that contribute to the mitigation
of risks to the achievement of objectives to acceptable levels.
2) The organization selects and develops general control activities over technology to
support the achievement of objectives.
3) The organization deploys control activities through policies that establish what is
expected and in procedures that put policies into action.
4. Information and Communication
Pertinent information must be identified, captured, and communicated in a form and
timeframe that enables people to carry out their responsibilities. Information systems
produce reports, containing operational, financial, and compliance-related information, that
make it possible to run and control the business. They deal not only with internally
generated data, but with information about external reporting as well. Effective
communication must also occur in a broader sense, flowing down, across, and up the
organization. All personnel must receive a clear message from top management that
control responsibilities must be taken seriously. They must understand their own role in
the internal control system, as well as how individual activities relate to the work of others.
They must have a means of communicating significant information upstream. There also
needs to be effective communication with external parties, such as customers, suppliers,
regulators and stakeholders.
The three principles relating to information and communication are:
1) The organization obtains or generates and uses relevant, quality information to support
the functioning of internal control.
2) The organization internally communicates information, including objectives and
responsibilities for internal control, necessary to support the functioning of internal
control.
3) The organization communicates with external parties about matters affecting the
functioning of internal control.
5. Monitoring Activities
Internal control systems need to be monitored (a process that assesses the quality of the
system’s performance over time). This is accomplished through ongoing monitoring
activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in
the course of operations. It includes regular management and supervisory activities, and
other actions personnel take in performing their duties. The 2013 Framework distinguishes
between a management review control as a control activity and a monitoring activity. A
management review control that is a control activity responds to a specified risk and is
designed to detect and correct errors. However, a management review control that is a
monitoring activity would ask why the errors exist, and then assign the responsibility of
fixing the process to the appropriate personnel.
The two principles relating to monitoring activities are:
1) The organization selects, develops, and performs ongoing or separate evaluation to
ascertain whether the components of internal control are present and functioning.
2) The organization evaluates and communicates internal control deficiencies in a timely
manner to those parties responsible for taking corrective action, including senior
management and the board of directors, as appropriate.
The COSO 2013 Framework became effective December 15, 2014.
5.4—COBIT
While COSO is commonly accepted as the internal control framework for organizations, the
Control Objectives for Information and related Technology (COBIT) is the accepted internal
control framework for the information technology (IT) environment. COBIT was first released by
the Information Systems Audit and Control Foundation (ISACF) in 1996 and has been updated
to include current IT governance principles and emerging international, technical, professional,
regulatory, and industry specific standards. The resulting control objectives have been
developed for application to organization-wide information systems. Now in Edition 4.1, COBIT
is intended to meet the multiple needs of management by bridging gaps between business
risks, control needs and technical issues.
The COBIT framework is based on the following principle:
To provide the information that the organization requires to achieve its objectives,
the organization needs to invest in and manage and control IT resources using a
structured set of processes to provide the services that deliver the required
organization information.
The COBIT framework identifies 34 IT processes and has an approach to provide control over
these processes. It provides a generally applicable and acceptable standard for sound IT
security and control practices to support management’s needs in determining and monitoring
the appropriate level of IT controls for their organizations.
The COBIT framework is structured in four principal domains. Each domain contains a unique set of
processes, which together make up the 34 IT processes noted above. This structure serves as a
process model for an enterprise to manage IT activities.
1. PLAN AND ORGANIZE (PO)
The Plan and Organize domain covers strategy and tactics and identifies how IT can best
contribute to the achievement of the business objectives. The realization of the strategic vision
needs to be planned, communicated, and managed from different perspectives. A proper
organization as well as technological infrastructure should be put in place. The Plan and
Organize domain addresses the following processes:
 PO1—Define a strategic IT plan
 PO2—Define the information architecture
 PO3—Determine technological direction
 PO4—Define the IT processes, organizations, and relationships
 PO5—Manage the IT investment
 PO6—Communicate management aims and direction
 PO7—Manage IT human resources
 PO8—Manage quality
 PO9—Assess and manage IT risks
 PO10—Manage projects
2. ACQUIRE AND IMPLEMENT (AI)
To realize the IT strategy, IT solutions need to be identified, developed or acquired, and
implemented and integrated into the business process. In addition, changes in
and maintenance of existing systems are covered by this domain to ensure the solutions
continue to meet business objectives. The Acquire and Implement domain addresses the
following processes:
 AI1—Identify automated solutions
 AI2—Acquire and maintain application software
 AI3—Acquire and maintain technology infrastructure
 AI4—Enable operation and use
 AI5—Procure IT resources
 AI6—Manage changes
 AI7—Install and accredit solutions and changes
3. DELIVER AND SUPPORT (DS)
The Deliver and Support domain is concerned with the actual delivery of required services,
which includes service delivery, management of security and continuity, service support for
users, and management of data and operational facilities. It addresses the following processes:
 DS1—Define and manage service levels
 DS2—Manage third-party services
 DS3—Manage performance and capacity
 DS4—Ensure continuous service
 DS5—Ensure systems security
 DS6—Identify and allocate costs
 DS7—Educate and train users
 DS8—Manage service desk and incidents
 DS9—Manage the configuration
 DS10—Manage problems
 DS11—Manage data
 DS12—Manage the physical environment
 DS13—Manage operations
4. MONITOR AND EVALUATE (ME)
All IT processes need to be regularly assessed over time for their quality and compliance with
control requirements. The Monitor and Evaluate domain addresses performance management,
monitoring of internal control, regulatory compliance and governance. It addresses the
following processes:
 ME1—Monitor and evaluate IT performance
 ME2—Monitor and evaluate internal control
 ME3—Ensure compliance with external requirements
 ME4—Provide IT governance
5.5—UNDERSTANDING AN AUDITEE’S INTERNAL CONTROLS
The auditor’s understanding of the client’s internal control is usually gained through the
following procedures:
 Prior experience with the entity
This can be a major source of audit efficiency in recurring audits. Because systems and
controls usually don’t change frequently or significantly from year to year, information
obtained by the auditor in previous audits of the entity can be updated and carried forward
to the current year’s audit.
 Inquiries of management, supervisory, and staff personnel within the entity
The auditor may inquire about the types of accounting documents used to process
transactions and about control activities that have been placed in operation for authorizing,
for example, a credit.
 Observation of client activities and procedures
The auditor can observe client personnel in the process of preparing accounting records and
documents and carrying out their assigned accounting and control functions.
 Inspection of accounting documents and records
By inspecting actual, completed documents and records, the auditor can better understand
their application to the entity’s internal control. The auditor may wish to obtain copies of
sample documents used by the entity for inclusion in the permanent file.
 Entity’s policy and system manuals
This includes both (1) policy manuals and documents, and (2) system manuals and
documents, such as an accounting manual and an organization chart.
5.6—DOCUMENTING INTERNAL CONTROLS
The auditor documents their understanding of internal controls to:
 Provide evidence of the understanding of the design of significant processes
 Identify key risks within the process.
 Identify controls that would prevent or detect errors from occurring within the process.
 Identify control gaps and process improvement opportunities.
This documentation may take several forms such as:
 Flowchart – A diagram that shows step-by-step progression through a procedure or system
especially using connecting lines and a set of conventional symbols. The purpose of
flowcharting is to:
 Be a tool for analyzing processes.
 Break down processes into individual events and activities, usually by process or event
owner.
 Identify interdependencies across the business.
 Link system and manual activities.
 Identify control gaps, segregation of duties, problems and inefficiencies.
 Narrative – A document that describes a process or transaction flow using words rather
than a pictorial representation. The purpose of a narrative is to:
 Provide evidence of understanding of a process.
 Identify and document key risks, controls and control gaps.
 Confirm understanding with the process owner.
 Provide knowledge that can be used in future years by other employees.
 Walkthrough – A document that traces one representative transaction through a process
from beginning to end. The purpose of a walkthrough is to:
 Confirm understanding of the significant flow of transactions.
 Confirm understanding of the relevant controls.
 Confirm that relevant controls have been placed in operation.
 Confirm process documentation.
 Internal Control Questionnaire – Designed to identify basic control issues and used as a
guide for improving or implementing good business practices and complying with policies
and procedures.
5.7—INTERNAL CONTROL OVER FINANCIAL REPORTING
Auditors must understand the concepts of internal control; specifically, internal control over
financial reporting. The AICPA’s Statement on Auditing Standards No. 115, as applicable,
requires auditors to evaluate whether identified internal control deficiencies are significant
deficiencies or material weaknesses, as they relate to financial reporting reliability. In addition,
the conclusion that significant internal control deficiencies or material internal control
weaknesses exist should be communicated in writing to management and the entity’s
governing body.
A sound system of internal control over financial reporting includes control design and
operating effectiveness to provide reasonable assurance that the entity’s financial statements
are fairly presented in accordance with generally accepted accounting principles.
Internal controls over financial reporting are evaluated based upon the auditor’s risk
assessment procedures to determine whether controls are designed adequately and operating
effectively to provide reasonable assurance of financial reporting reliability. The entity’s ability
to prevent and detect financial misstatement is evaluated and determines whether a significant
deficiency or material weakness exists.
5.8—EVALUATION OF INTERNAL CONTROLS
Auditors can verify if controls are implemented as designed through testing, reviews,
observations, and analytical procedures. Auditors can determine the validity and accuracy of
transactions, as well as determine compliance with applicable rules, laws and procedures, and
assess the adequacy of existing controls. Evaluation tools include:
 Testing by statistical sampling – focuses on sampling techniques that provide assurance
based on sampling risk that the auditor and stakeholders deem acceptable
 Testing by direct sampling – focuses more closely on specific transactions or certain types of
transactions and can be used when the population under review is not homogeneous
 Reviews/interviews – used when the performance of a process does not lend itself to
normal testing procedures
 Observation – looks at actual practices to see if appropriate controls are actually in place
and working
 Analytical procedure – takes information as a whole and applies some set standard, analysis
or comparison
5.9—CLASSIFYING INTERNAL CONTROL WEAKNESSES FOR REPORTING
Upon determining that controls are inadequately designed or implemented, auditors shall
communicate the weakness to management based upon the likelihood and magnitude of the
concern. This communication may be verbal, written via an informal management letter, or
reported formally, such as in the audit report. The matrix below can help auditors determine
how or where to report the weakness to management.
                        Magnitude of misstatement (or error) that occurred or could occur
Likelihood of           ------------------------------------------------------------------------------------------
misstatement or error   Inconsequential               More than inconsequential,    Material
                                                      but less than material
----------------------  ----------------------------  ----------------------------  ----------------------------
Remote                  Not a significant deficiency  Not a significant deficiency  Not a significant deficiency
                        or material weakness.         or material weakness.         or material weakness.
                        Do not report.                Do not report.                Do not report.

More than remote        Not a significant deficiency  Significant deficiency.       Material weakness.
                        or material weakness.         Report informally, verbally   Report formally, via
                        Report informally, verbally   or via management letter.     audit report.
                        or via management letter.
Chapter 6 – USDOT Agencies and Descriptions
6.1—USDOT AGENCIES AND DESCRIPTIONS
The United States Department of Transportation (USDOT) is responsible for overseeing all
federal transportation programs. The USDOT was established by an act of Congress, signed into
law by President Lyndon B. Johnson on October 15, 1966. The Department's first official day of
operation was April 1, 1967. The USDOT consists of the Office of the Secretary, an independent
Office of Inspector General (OIG), and the following 11 individual Operating Administrations:
the Federal Aviation Administration (FAA), the Federal Highway Administration (FHWA), the
Federal Motor Carrier Safety Administration (FMCSA), the Federal Railroad Administration
(FRA), the National Highway Traffic Safety Administration (NHTSA), the Federal Transit
Administration (FTA), the Maritime Administration (MARAD), the Saint Lawrence Seaway
Development Corporation (SLSDC), the Research and Innovative Technologies Administration
(RITA), the Pipeline and Hazardous Materials Safety Administration (PHMSA), and the Surface
Transportation Board (STB). The Office of the Secretary, the OIG, and the 11 Administrations of
USDOT are discussed in more detail on their website at:
http://www.dot.gov/administrations
[Organization chart: Office of the Secretary of Transportation (OST); Office of Inspector General (OIG); Federal Aviation Administration (FAA); Federal Highway Administration (FHWA); Federal Motor Carrier Safety Administration (FMCSA); Federal Railroad Administration (FRA); Federal Transit Administration (FTA); Maritime Administration (MARAD); National Highway Traffic Safety Administration (NHTSA); Pipeline and Hazardous Materials Safety Administration (PHMSA); Research and Innovative Technology Administration (RITA); Saint Lawrence Seaway Development Corporation (SLSDC); Surface Transportation Board (STB)]
The next several sections provide more information about the Office of the Secretary, Office of
Inspector General and 11 Administrations of USDOT.
6.2—OFFICE OF THE SECRETARY http://www.dot.gov/office-of-secretary
Leadership of USDOT is provided by the Secretary of Transportation through the Office of the
Secretary. The Secretary of Transportation is the principal adviser to the President of the
United States in all matters relating to federal transportation programs. The Secretary of
Transportation is assisted in their responsibilities by a Deputy Secretary of Transportation. The
Office of the Secretary is responsible for the formulation of national transportation policy and
promotes intermodal transportation. Specifically, they are responsible for:
• Negotiating and implementing international transportation agreements
• Ensuring the fitness of U.S. airlines and enforcing airline consumer protection regulations
• Coordinating an effective highway transportation system
• Ensuring motor carrier safety for the operation of commercial motor vehicles
• Promoting safe and environmentally sound rail transportation
• Promoting, developing, and maintaining an adequate water transportation system
• Reducing deaths, injuries and economic losses resulting from motor vehicle crashes
• Issuing regulations to prevent alcohol and illegal drug misuse in transportation systems
• Developing improved mass transportation systems for cities and communities nationwide
• Overseeing the safety of shipments of hazardous materials in the United States and of the nation's energy that is transported by pipelines
• Identifying and facilitating solutions to the challenges and opportunities facing America's transportation system
• Operating and maintaining a safe, reliable, and efficient waterway for commercial and noncommercial vessels between the Great Lakes and the Atlantic Ocean
• Ensuring that competitive, efficient, and safe transportation services are provided to meet the needs of shippers, receivers, and consumers
• Preparing transportation-related legislation
These tasks are accomplished through the 11 USDOT operating administrations discussed
below. Primary state interaction is through various grant programs; for specific information
regarding the available programs and their significant compliance requirements, see the
Catalog of Federal Domestic Assistance (CFDA) web site at:
https://www.cfda.gov/
In addition, federal grant guidance has been combined and is now located at 2 CFR Part 200:
“Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal
Awards.”
6.3—FEDERAL AVIATION ADMINISTRATION http://www.faa.gov/
The Federal Aviation Administration (FAA) oversees the safety of civil aviation. The FAA sees as
its main priority its mission of safety, which includes the issuance and enforcement of
regulations and standards related to the manufacture, operation, certification and maintenance
of aircraft. The agency is responsible for the rating and certification of airmen and for
certification of airports serving air carriers. It also regulates a program to protect the security
of civil aviation, and enforces regulations under the Hazardous Materials Transportation Act for
shipments by air. Programs implemented by states for oversight of aeronautics are based upon
these federal regulations.
The FAA operates a network of airport towers, air route traffic control centers, and flight
service stations; develops air traffic rules; allocates the use of airspace; and provides for the
security control of air traffic to meet national defense requirements. Other responsibilities
include the construction or installation of visual and electronic aids to air navigation and
promotion of aviation safety internationally. The FAA, which regulates and encourages the U.S.
commercial space transportation industry, also licenses commercial space launch facilities and
private sector launches.
Primary interaction of STAs pertains to the issuance of grants for the planning and development
of public use airports through the Airport Improvement Program (AIP). In some states, these
grants are passed through the STA, and in other states grants are issued directly to airports or
airport authorities, depending upon that state’s authority and laws. To promote the
development of a system of airports to meet the nation's needs, the federal government
embarked upon a grants-in-aid program for units of state and local governments shortly after
the end of World War II. The first program was the Federal-Aid Airport Program (FAAP), which
was authorized by the Federal Airport Act of 1946. In 1970, a more comprehensive program
was established with the passage of the Airport and Airway Development Act of 1970. This Act
provided grants for airport planning under the Planning Grant Program (PGP) and for airport
development under the Airport Development Aid Program (ADAP).
The current grant program, AIP, was established by the Airport and Airway Improvement Act of
1982 (Public Law 97-248). Since then, the AIP has been amended several times, most recently
with the passage of the FAA Modernization and Reform Act of 2012. Funds obligated for the
AIP are drawn from the Airport and Airway Trust fund, which is supported by user fees, fuel
taxes, and other similar revenue sources.
Grants through AIP are provided for improvements to public use airports. A public use airport
is an airport that has been included in the National Plan of Integrated Airport Systems (NPIAS).
The NPIAS, which is prepared and published every 2 years, identifies public-use airports that are
important to public transportation and contribute to the needs of civil aviation, national
defense, and the Postal Service.
A public-use airport is an airport open to the public that also meets one of the following
criteria:
• Publicly owned
• Privately owned but designated by FAA as a reliever
• Privately owned but having scheduled service and at least 2,500 annual enplanements
Recipients of grants are referred to as "sponsors." The description of eligible grant activities is
described in the authorizing legislation and relates to capital items serving to develop and
improve the airport in areas of safety, capacity, and noise compatibility. In addition to these
basic principles, a sponsor must be legally, financially, and otherwise able to carry out the
assurances and obligations contained in the project application and grant agreement. Eligible
projects include those improvements related to enhancing airport safety, capacity, security, and
environmental concerns. In general, sponsors can use AIP funds on most airfield capital
improvements or repairs and, in some specific situations, for terminals, hangars, and nonaviation
development. Other eligible activities include any professional services that are
necessary for eligible projects, such as planning, surveying, and design. Aviation demand at the
airport must justify the projects, which must also meet Federal environmental and
procurement requirements.
6.4—FEDERAL HIGHWAY ADMINISTRATION http://www.fhwa.dot.gov/
The Federal Highway Administration (FHWA) coordinates highway transportation programs in
cooperation with states and other partners to enhance the country's safety, economic vitality,
quality of life, and the environment. The first comprehensive federal highway program was
signed into law by President Woodrow Wilson on July 11, 1916. This launched the partnership
between the federal and state governments which became known as the Federal-aid Highway
Program. It was endorsed by the American Association of State Highway Officials (AASHTO),
which had been formed in December 1914 by the various state transportation officials in an
effort to coordinate transportation. FHWA was created on October 15, 1966, and in 1967 the
functions of the Bureau of Public Roads were transferred to FHWA. The Office of Road Inquiry,
formed on October 3, 1893, was the first predecessor of FHWA; its name was changed to the
Office of Public Roads in 1918.
FHWA provides grants to states through the Federal-Aid Highway Program, which provides
federal financial assistance to the states to construct and improve the National Highway
System, urban and rural roads, and bridges. Programs include:
• Highway Planning and Construction
• Highway Research and Development
• Highway Training and Education
• Recreational Trails Program
• Transportation Infrastructure Finance and Innovation Act (TIFIA)
• Fuel Tax Evasion – Intergovernmental Enforcement Effort
• Federal Lands Highway
Through its various programs, FHWA provides funds for general improvements and
development of safe highways and roads. The main revenue source for these grants is the
Federal Motor Fuel Tax. USDOT provides support to the state highway system by providing
financial assistance for the construction, maintenance, and operation of the nation’s 3.9
million-mile highway network, including the interstate highway system, primary highways, and
secondary local roads. The program is administered by FHWA in cooperation with state and
local governments. Local governments or local public agencies (LPAs) are the country’s cities,
towns, and other municipal forms of government that operate about 75%, or 2.9 million miles,
of the nation's roadways.
The first major federal road program was established pursuant to the Federal Aid Road Act of
1916. Funding to state highway agencies was apportioned by a formula based upon land area,
population and road miles. The Federal Aid Highway Act of 1956 provided for the development
of the interstate highway system, which is now known as the Eisenhower Interstate System
after President Eisenhower, who pushed for its enactment. President Eisenhower’s support for
the interstate system was based largely upon civilian needs to support economic development,
improved highway safety, and congestion relief, as well as reduction of motor vehicle-related
lawsuits. He also understood the military value of the interstate system, as well as its use in
evacuations. It has made travel between the states more efficient, economical, safe, and
timely. That is why, since its inception, it has been considered a vital national interest.
Federal-aid highway program funds are provided to assist STAs in the planning and
development of an integrated, interconnected transportation system important to interstate
commerce and travel by constructing and rehabilitating the National Highway System (NHS),
including the Eisenhower Interstate System; and for transportation improvements to many
other public roads. Funds may be used for:
• Providing aid for the repair of Federal-aid highways following disasters
• Fostering safe highway design
• Replacing or rehabilitating deficient or obsolete bridges
• Environmental studies
• Engineering and design services
• Right-of-way acquisition and relocation assistance, and construction for capital improvement projects classified as new construction
• Reconstruction
• Restoration
• Rehabilitation and resurfacing, or for functional, geometric, or safety reasons
• Planning; research, development, and technology transfer
• Intelligent transportation systems projects
• Roadside beautification
• Wetland and natural habitat mitigation
• Traffic management and control improvements
• Improvements necessary to accommodate other transportation modes
• Development and establishment of transportation management systems
• Billboard removal
• Construction of bicycle facilities and pedestrian walkways
• Fringe and corridor parking
• Car pool and van pool projects
• Transportation alternatives and enhancements, such as scenic and historic highway improvements and recreational trails
• Other special purposes regarding transportation
Funds generally cannot be used for routine highway operational activities, such as police
patrols, mowing, snow plowing, or maintenance, unless it is preventative maintenance. In
addition, funds authorized for the National Highway Performance Program (NHPP), Surface
Transportation Program (STP), Congestion Mitigation and Air Quality (CMAQ) Improvement
Program, and some additional programs may be used for mass transportation improvements.
CMAQ funds are limited to projects and programs in air quality, non-attainment, and
maintenance areas for ozone, carbon monoxide, and small particulate matter that reduce
transportation-related emissions, though provision is made for states without air quality issues.
Eligibility criteria for the programs differ, so program guidance should be consulted. Projects in
urban areas of 50,000 or more population must be based on a transportation planning process
carried out by a metropolitan planning organization (MPO) in cooperation with the state and
transit operators, and the projects must be included in metropolitan transportation plans and
improvement programs. Projects in non-metropolitan areas of a state must be consistent with
a statewide transportation plan. Projects in both metropolitan and non-metropolitan areas
must also be included in a fiscally constrained Statewide Transportation Improvement Program
(STIP) developed as part of the required statewide transportation planning process. The FHWA
and the Federal Transit Administration (FTA) must approve the STIP jointly. Program
requirements and restrictions are contained in Title 23 United States Code. There are
discretionary funds remaining from previous authorizations, which may remain available until
expended.
6.5—FEDERAL MOTOR CARRIER SAFETY ADMINISTRATION http://www.fmcsa.dot.gov/
The Federal Motor Carrier Safety Administration (FMCSA) was established within the
Department of Transportation on January 1, 2000, pursuant to the Motor Carrier Safety
Improvement Act of 1999, which was effective December 9, 1999. The FMCSA's primary
mission is to prevent commercial motor vehicle-related fatalities and injuries. To accomplish
these activities, the Administration works with federal, state, and local agencies, the motor
carrier industry, and labor safety interest groups. FMCSA activities contribute to:
• Ensuring safety in motor carrier operations through strong enforcement of safety regulations, targeting high-risk carriers and commercial motor vehicle drivers
• Improving safety information systems and commercial motor vehicle technologies, and strengthening commercial motor vehicle equipment and operating standards
• Increasing safety awareness
Funding for the activities of the various states for this program is provided through the National
Motor Carrier Safety program grants which include the following:
• Commercial Motor Carrier Inspections
• Performance and Registration Information Systems Management
• Commercial Driver's License Program Improvement Grant
• Border Enforcement Grants
• Safety Data Improvement Program
• Commercial Motor Vehicle Operator Training Grants
• Commercial Vehicle Information Systems and Networks
• Commercial Driver's License Information System (CDLIS) Modernization Grant
• Motor Carrier Research and Technology Programs
6.6—FEDERAL RAILROAD ADMINISTRATION http://www.fra.dot.gov/Page/P0001
The Federal Railroad Administration (FRA) promotes safe and environmentally sound rail
transportation. With the responsibility of ensuring railroad safety throughout the nation, the
FRA employs safety inspectors to monitor railroad compliance with federally mandated safety
standards including track maintenance, inspection standards, and operating practices. The FRA
conducts research and development tests to evaluate projects in support of its safety mission
and to enhance the railroad system as a national transportation resource. Public education
campaigns on highway-rail grade crossing safety and the danger of trespassing on rail property
are also administered by FRA.
The FRA was created by the Department of Transportation Act of 1966. A series of
bankruptcies and consolidations left the rail system in the hands of a few large operations by
the 1980s. Almost all long-distance passenger traffic was shifted to Amtrak, which was formed
during President Nixon's administration in 1971 when Congress passed the Rail Passenger
Service Act of 1970. This legislation established the National Railroad Passenger Corporation to
take over the intercity passenger rail service that had been operated by private railroads.
Amtrak began service on May 1, 1971, serving 43 states with a total of 21 routes. This greatly
relieved the railroads from the burden of supplying the less profitable passenger rail service.
FRA supports passenger and freight railroading through a variety of competitive grants,
dedicated grant and loan programs to develop safety improvements, relieve congestion, and
encourage the expansion and upgrade of passenger and freight rail infrastructure and services.
FRA also provides training and technical assistance to grantees and stakeholders. The FRA
provides grants primarily through states for the development of rail transportation through
various programs including:
• Railroad safety
• Railroad research and development
• Railroad development
• National Railroad Passenger Corporation grants
• Railroad Rehabilitation and Improvement Financing Program
• Capital Assistance to States – Intercity Passenger Rail Service
• Maglev Project Selection Program
• High-speed rail corridors and intercity passenger rail service capital assistance grants
• Rail line relocation and improvement and railroad safety technology grants
6.7—FEDERAL TRANSIT ADMINISTRATION http://www.fta.dot.gov/
The Federal Transit Administration (FTA) assists development of improved mass transportation
systems for cities and communities nationwide. The responsibilities of the FTA were originally
handled by the Department of Housing and Urban Development (HUD). President Lyndon
Johnson transferred most of HUD’s responsibility for mass transit to the USDOT, effective July 1,
1968. Through its grant programs, delivered primarily through STAs, FTA helps plan, build, and
operate transit systems with convenience, cost and accessibility in mind. While buses and rail
vehicles are the most common type of public transportation, other kinds include commuter
ferryboats, trolleys, inclined railways, subways, and people movers. In providing financial,
technical, and planning assistance, the agency provides leadership and resources for safe and
technologically advanced local transit systems while assisting in the development of local and
regional traffic reduction. Funds may be used for capital projects to finance the planning,
acquisition, construction, cost-effective lease, improvement, and maintenance of equipment
and facilities for use in transit for both urban and non-urban areas; and assist in development
of transportation improvement programs, long-range transportation plans, and other technical
studies in metropolitan areas.
Activities include:
• Preparation of transportation plans, including transportation improvement programs and management systems
• Studies related to transportation management
• Operations, capital requirements, and economic feasibility
• Evaluation of previously funded capital projects
• Other related activities in preparation for the construction, acquisition, or improved operation of transportation systems, facilities, and equipment
The FTA's research program seeks to deliver solutions that improve public transportation. Its
primary goals are to increase transit ridership, improve safety and emergency preparedness,
improve operating efficiencies, protect the environment, promote energy independence, and
provide transit research leadership. To accomplish this, FTA funds research on:
• Mobility management
• Transit operational efficiency
• Safety and emergency preparedness
• Transit capacity building
• Energy independence and environmental protection
• Infrastructure and equipment protection and innovation
• Strategic research program planning
Funds may be used to assist in the development of cost effective multimodal transportation
improvement programs, which include the planning, engineering, and designing of federal
transit projects, and other technical studies in a program for a unified and officially coordinated
statewide transportation system.
The FTA maintains the National Transit Library (NTL), a repository of reports, documents, and
data generated by professionals and others from around the country. The NTL is designed to
facilitate document sharing among people interested in transit and transit related topics.
6.8—MARITIME ADMINISTRATION http://www.marad.dot.gov/
The Maritime Administration (MARAD) promotes development and maintenance of an
adequate, well-balanced United States merchant marine, sufficient to carry the nation's
domestic waterborne commerce and a substantial portion of its waterborne foreign commerce,
and capable of serving as a naval and military auxiliary in time of war or national emergency.
MARAD also seeks to ensure that the United States enjoys adequate shipbuilding and repair
service, efficient ports, effective intermodal water and land transportation systems, and reserve
shipping capacity in time of national emergency. President Harry S. Truman established
MARAD in 1950 under his Reorganization Plan No. 21. However, MARAD traces its origins to
the Shipping Act of 1916, which established the U.S. Shipping Board.
The Marine Highway Program does not develop or operate marine highway services. The
private sector or state/local governments develop and operate marine highway services. The
program was designed to reduce landside congestion by integrating the commercially operated
marine highway services into the nation's surface transportation system. Once integrated,
these marine highway services connect seamlessly with all modes of transportation for freight
and passengers, thus providing a convenient transportation alternative alongside congested
landside transportation corridors. America’s marine highways are navigable waterways that
have been designated by the Secretary of Transportation and have demonstrated the ability to
provide additional capacity to relieve congested landside routes serving freight and passenger
movement. Each marine highway has a corridor designation that reflects the congested
landside route it parallels. For example, M-95 stretches from Maine to Florida and is the
designation for the shipping lane along the Atlantic Coast paralleling interstate highway I-95.
6.9—NATIONAL HIGHWAY TRAFFIC SAFETY ADMINISTRATION http://www.nhtsa.gov/
The National Highway Traffic Safety Administration (NHTSA) is responsible for reducing deaths,
injuries and economic losses resulting from motor vehicle crashes. NHTSA sets and enforces
safety performance standards for motor vehicles and equipment, and through grants to state
and local governments, enables them to conduct effective local highway safety programs. In
1970, the Highway Safety Act authorized the establishment of NHTSA. Although the law added
somewhat to USDOT’s safety mission, the FHWA originally had handled most of the functions
that NHTSA assumed. Besides establishing another operating administration and adding to the
secretary's span of control and coordination workload, the Highway Safety Act separated
highway administration into two parts:
1. Design, construction, and maintenance
2. Highway and automobile safety
Under the oversight of NHTSA, formula grant funds may be used for problems identified within
the nine national priority program areas of:
1. Alcohol and other drug countermeasures
2. Police traffic services
3. Occupant protection
4. Traffic records
5. Emergency medical services
6. Motorcycle safety
7. Pedestrian/bicycle safety
8. Speed control
9. Roadway safety
Other program areas identified by a state as constituting a highway safety problem in that state
may be eligible for federal funding if they encompass a major highway safety problem in that
state and the state has identified effective countermeasures. One such example that has
received federal funding is pupil transportation safety programs. The law provides that at least
40 percent of these federal funds apportioned to a state for any fiscal year will be expended by
the political subdivisions of such state.
NHTSA is responsible for the following:
• Investigating safety defects in motor vehicles
• Setting and enforcing fuel economy standards
• Helping states and local communities reduce the threat of drunk drivers
• Promoting the use of safety belts, child safety seats and airbags
• Investigating odometer fraud
• Establishing and enforcing vehicle antitheft regulations
• Providing consumer information on motor vehicle safety topics
• Researching driver behavior and traffic safety to develop the most efficient and effective means of bringing about safety improvements
• Maintaining a toll-free Auto Safety Hotline, which furnishes consumers with a wide range of auto safety information. Callers also can help identify safety problems in motor vehicles, tires and automotive equipment such as child safety seats.
6.10—OFFICE OF INSPECTOR GENERAL https://www.oig.dot.gov/
On October 12, 1978, the Inspector General (IG) Act established twelve federal Offices of
Inspector General (OIG), including the Department of Transportation OIG. The Act passed the
House of Representatives by a vote of 388 to 6 and was later approved by the Senate by
unanimous consent. Two OIGs had previously been established, one in 1976 and another the
following year.
President Jimmy Carter signed the IG Act into law and described the new statutory IGs as
“perhaps the most important new tools in the fight against fraud.” The President charged the
IGs to always remember that their ultimate responsibility is not to any individual but to the
public interest.
The OIG is committed to fulfilling its statutory responsibilities and supporting members of
Congress, the Secretary, senior department officials, and the public in achieving a safe,
efficient, and effective transportation system. It builds on its long-standing record as a highly
respected contributor to the department's mission. The OIG is USDOT's sole in-house source for
objective examination of its programs and their integrity. Its core values and audit and
investigative expertise ensure that it remains highly responsive to the needs of the Secretary,
Congress, and the American people. Its mission is to protect USDOT programs from fraud,
waste, abuse, and violations of law and to promote the effectiveness of USDOT's programs. It
accomplishes this through audits and investigations. The OIG also consults with Congress about
programs in progress and proposed new laws and regulations.
The Inspector General Act of 1978 gives the Office of Inspector General autonomy to do its
work without interference. The Inspector General is chosen by the President; this choice is
based not on political affiliation but rather on integrity and ability. IG candidates can show
accomplishment in several fields, including accounting, auditing, law, financial or management
analysis, public administration or investigations. Inspector General appointees are subject to
Senate confirmation. Only the President has the power to remove an inspector general and the
reasons for doing so must be communicated to Congress.
The Inspector General Act of 1978 prevents officials in the scrutinized agency from interfering
with audits or investigations; it also requires the IG to keep the Secretary of Transportation and
Congress informed of findings. However, much of OIG's most significant work is accomplished
with the cooperation of the officials whose programs are being reviewed.
6.11—PIPELINE AND HAZARDOUS MATERIALS SAFETY ADMINISTRATION
http://www.phmsa.dot.gov/
The Pipeline and Hazardous Materials Safety Administration (PHMSA) oversees the safety of
more than 800,000 daily shipments of hazardous materials in the United States and 64 percent
of the nation's energy that is transported by pipelines. PHMSA is dedicated solely to safety by
working toward the elimination of transportation-related deaths and injuries in hazardous
materials and pipeline transportation, and by promoting transportation solutions that enhance
communities and protect the natural environment. PHMSA was created within the U.S. DOT
under the Norman Y. Mineta Research and Special Programs Improvement Act of 2004. The
purpose of the act was to provide the U.S. Department of Transportation with a more focused
research organization and to establish a separate operating administration for pipeline safety
and hazardous materials transportation safety operations.
PHMSA is authorized to reimburse a state agency for up to 80 percent of the agency's actual
cost of carrying out its pipeline safety program, including the cost of personnel and equipment.
The actual amount of federal reimbursement depends upon the availability of appropriated
funds and the state's pipeline safety program's performance. A state agency's program
performance is based on PHMSA's annual Program Evaluation and Progress Report scoring of
each state agency.
The Program Evaluation includes an on-site review of the state’s inspection, compliance,
accident investigation, training, and excavation damage prevention records and activities. The
Progress Report scoring gives consideration to the state’s extent of safety authority over
pipeline operators, inspector qualifications, inspection days accomplished, adoption of
maximum civil penalty amounts, progress adopting amendments to federal regulations,
adoption of one call requirements, and attendance at the National Association of Pipeline
Safety Representative meetings. PHMSA also provides federal grant funding in support of
preventing excavation damage to underground facilities which is a leading cause of pipeline
incidents.
Programs include:
• State pipeline safety program base grants
• Technical assistance grants
• State damage prevention grants
• PHMSA pipeline safety program One Call Grant
• PHMSA pipeline safety research and development
6.12—RESEARCH AND INNOVATIVE TECHNOLOGY ADMINISTRATION http://www.rita.dot.gov/
The Research & Innovative Technology Administration (RITA) is an agency whose mission is to
identify and facilitate solutions to the challenges and opportunities facing America's
transportation system. RITA's focus is to promote transportation research that will foster the
use of innovative technology. RITA includes the Volpe National Transportation Systems Center,
an organization dedicated to enhancing the effectiveness, efficiency, and responsiveness of
other federal organizations with critical transportation-related functions and missions. RITA
was created in 2005 to advance transportation science, technology, and analysis, and to
improve the coordination of transportation research within the Department and throughout
the transportation community. With responsibility for research policy and technology sharing,
the agency partners with national and international organizations and universities. RITA also
includes the Bureau of Transportation Statistics, the Transportation Safety Institute, and the
University Transportation Centers program.
RITA performs four basic functions:
1. Coordinates the USDOT's research and education programs
2. Shares advanced technologies with the transportation system
3. Offers transportation statistics and analysis for decision-making
4. Supports national efforts to improve education and training in transportation-related fields
6.13—SAINT LAWRENCE SEAWAY DEVELOPMENT CORPORATION http://www.seaway.dot.gov/
The Saint Lawrence Seaway Development Corporation (SLSDC) operates and maintains a safe,
reliable and efficient waterway for commercial and noncommercial vessels between the Great
Lakes and the Atlantic Ocean. Saint Lawrence Seaway Development Corporation is a wholly
owned government corporation created by statute May 13, 1954, to construct, operate, and
maintain that part of the St. Lawrence Seaway between the Port of Montreal and Lake Erie,
within the territorial limits of the United States. Trade development functions aim to enhance
Great Lakes/St. Lawrence Seaway System utilization without respect to territorial or geographic
limits. The SLSDC, in tandem with the Saint Lawrence Seaway Authority of Canada, oversees
operations safety, vessel inspections, traffic control, and navigation aids on the Great Lakes and
the Saint Lawrence Seaway. SLSDC works to develop trade opportunities to benefit port
communities, shippers and receivers, and related industries in the area to provide economic
development of the Great Lakes Region.
The mission of the Corporation is to serve the U.S. intermodal and international transportation
system by improving the operation and maintenance of a safe, reliable, efficient, and
environmentally responsible deep-draft waterway, in cooperation with its Canadian
counterpart. The SLSDC also encourages the development of trade through the Great Lakes
Seaway System, which contributes to the comprehensive economic and environmental
development of the entire Great Lakes region.
6.14—SURFACE TRANSPORTATION BOARD http://www.stb.dot.gov/stb/index.html
The Surface Transportation Board (STB) is an independent, bipartisan adjudicatory body
organizationally housed within the USDOT. STB was created pursuant to the ICC Termination
Act of 1995 and is the successor agency to the Interstate Commerce Commission. The STB is an
economic regulatory agency that Congress has charged with resolving railroad rate and service
disputes and reviewing proposed railroad mergers. Although it is administratively affiliated
with USDOT, it is required to maintain its independence in its decisions. The agency has
jurisdiction over railroad rate and service issues; rail restructuring transactions, such as
mergers, lines sales, line construction, and line abandonments; certain trucking companies;
moving vans; non-contiguous ocean shipping rates; certain intercity passenger bus company
structure, financial and operational matters; and rates and services of pipelines not regulated
by the Federal Energy Regulatory Commission.
It is responsible for the economic regulation of interstate surface transportation, primarily
railroads, within the United States. The STB's mission is to ensure that competitive, efficient,
and safe transportation services are provided to meet the needs of shippers, receivers, and
consumers. The Board is charged with promoting, where appropriate, substantive and
procedural regulatory reform in the economic regulation of surface transportation, and with
providing an efficient and effective forum for the resolution of disputes.
The Board continues to strive to develop, through rulemakings and case disposition, new and
better ways to analyze unique and complex problems, to reach fully justified decisions more
quickly, to reduce the costs associated with regulatory oversight, and to encourage private-sector negotiations and resolutions to problems where appropriate.
Chapter 7 – Stewardship, Oversight, Laws, and Regulations
7.1—STEWARDSHIP AND OVERSIGHT AGREEMENT BETWEEN THE FEDERAL HIGHWAY
ADMINISTRATION AND STATE TRANSPORTATION AGENCIES
The Secretary of the United States Department of Transportation (USDOT) has delegated to the
Administrator of the Federal Highway Administration (FHWA) the responsibility of
administering the Federal-aid highway program (FAHP) under Title 23 and other associated
laws. In addition, Title 23 allows states to assume the Secretary’s responsibilities in the design,
construction, award, and inspection of certain federal-aid projects. Section 106 of Title 23,
United States Code (USC), requires that the FHWA and STA enter into a stewardship and
oversight agreement documenting the extent to which the STA assumes the responsibilities of
the Secretary (and by delegation, FHWA) under Title 23, and where FHWA retains
responsibilities. The purpose of the Stewardship/Oversight (S&O) Agreement is to formalize
the roles and responsibilities of the FHWA division offices and each STA to address how the
FAHP will be administered in the STA, and delineates a comprehensive FHWA and individual
STA approach to FAHP stewardship and oversight.
The most recent highway reauthorization act, the Moving Ahead for Progress in the 21st
Century Act (MAP-21), was signed into law on July 6, 2012. While this legislation still allows
states to assume the responsibilities previously delegated, MAP-21 further defines the
requirements of stewardship and oversight responsibilities, including the need to have a
stronger data-driven performance element, and a more formal application of risk management
principles.
FHWA revised the guidance regarding S&O on March 28, 2014. The intent of the revisions was
to provide a consistent approach to developing future agreements with STAs, and to clarify
distinctions with FHWA’s risk-based, data-driven stewardship and oversight framework. This
revised guidance supersedes all previous guidance on this topic, and is available at:
http://www.fhwa.dot.gov/federalaid/stewardship/
Section 106 of Title 23, United States Code, requires the FHWA and each STA to enter into an
agreement documenting the extent to which the state will assume specific responsibilities
under Title 23. The S&O Agreement formalizes these assumed responsibilities to address how
the FAHP will be administered in each state. Rather than specifying mandatory procedures, the
guidance outlines the basic S&O concepts and approaches that FHWA division offices should
follow.
Section 1503 of MAP-21 contains changes to the requirements for oversight and approval of
Federal-aid projects. Specifically, Section 106 eliminated the provision prohibiting states from
assuming responsibilities for new construction and reconstruction projects on the Interstate
System exceeding $1 million in cost. In addition, MAP-21 prohibits STAs from assuming
responsibility for projects determined by FHWA to be high risk. The S&O Agreement Guidance
implements these changes.
A significant change in FHWA’s project-level S&O of the FAHP is the transition from “full oversight” of projects to oversight activities primarily focused on areas of higher risk and
opportunity. The FHWA’s use of a risk-based approach for project S&O is intended to optimize
the successful delivery of projects and to assure compliance with federal requirements.
Risk-based project S&O has three main components:
1. Required project approval actions
2. Data-driven compliance assurance, i.e., the FHWA’s national Compliance Assessment
Program (CAP)
3. Risk-based S&O of Projects of Division Interest and Projects of Corporate Interest.
This S&O Agreement Guidance also implements a process for conducting legal reviews of
these agreements by the FHWA Office of Chief Counsel before they are signed by the STAs
and FHWA division offices. Upon completion of the legal review, FHWA division
administrators are authorized to execute and sign S&O Agreements with their respective
STA.
The Project Action Responsibility Matrix (an attachment to the guidance) is the cornerstone of
the S&O Agreement for assumptions of project-level responsibilities. Deviations from this
matrix must be consistent with specific responsibilities that 23 U.S.C. 106 allows the STAs to
assume from the FHWA.
The S&O Agreement may include S&O indicators as agreed to by the STAs and FHWA divisions
to help in managing the FAHP. See Federal Rules for specific requirements regarding
performance measures that are a requirement of MAP-21. These rules pertain to the Highway
Safety Improvement Program (HSIP), statewide and metropolitan and non-metropolitan
planning regulations, pavement, bridges, asset management, system performance, congestion,
emissions, freight and public transportation.
7.2—HIERARCHY
There is a hierarchy of law that all STAs must understand and follow. The United States Code
(U.S.C.) is the codification by subject matter of the general and permanent laws of the United
States as passed by Congress and is specific to each federal agency. The U.S.C. is further
detailed in specific statutes such as the Safe, Accountable, Flexible, Efficient Transportation Equity Act:
A Legacy for Users (SAFETEA-LU) or the Moving Ahead for Progress in the 21st Century Act (MAP-21). The Code of Federal Regulations (CFR) consists of programmatic and administrative requirements
created by individual federal agencies as an interpretation and clarification of the U.S.C. In addition
to the U.S.C. and CFR, individual federal agencies also issue guidance to further explain how to
carry out statutes and federal regulations.
Hierarchy of law (as shown in the guide’s figure):
1. Federal law: United States Code (49 and 23 U.S.C.)
2. Code of Federal Regulations (49 and 23 CFR)
3. Federal agency guidance
4. State law
The specific regulatory information pertaining to transportation programs is listed below.
• 49 United States Code, Transportation (49 U.S.C.)
• 23 United States Code, Highways (23 U.S.C.)
7.3—FEDERAL REQUIREMENTS (2 CFR 200)
(a) Administrative requirements. Subparts B through D of 2 CFR 200 set forth the uniform
administrative requirements for grant and cooperative agreements, including the requirements
for Federal awarding agency management of Federal grant programs before the Federal award
has been made, and the requirements Federal awarding agencies may impose on non-Federal
entities in the Federal award.
(b) Cost Principles. Subpart E—Cost Principles of 2 CFR 200 establishes principles for
determining the allowable costs incurred by non-Federal entities under Federal awards. The
principles are for the purpose of cost determination and are not intended to identify the
circumstances or dictate the extent of Federal government participation in the financing of a
particular program or project. The principles are designed to provide that Federal awards bear
their fair share of cost recognized under these principles except where restricted or prohibited
by statute.
(c) Single Audit Requirements and Audit Follow-up. Subpart F—Audit Requirements of 2 CFR
200 is issued pursuant to the Single Audit Act Amendments of 1996 (31 U.S.C. 7501-7507). It
sets forth standards for obtaining consistency and uniformity among Federal agencies for the
audit of non-Federal entities expending Federal awards. These provisions also provide the
policies and procedures for Federal awarding agencies and pass-through entities when using
the results of these audits. The Compliance Supplement is contained in 2 CFR 200 Subpart F,
Appendix XI. The electronic version of the Code of Federal Regulations is available at:
http://www.ecfr.gov/cgibin/retrieveECFR?gp=1&SID=ab3a2671992eacd9725f23b8fce9ab6c&ty=HTML&h=L&r=SUBPART&n=2y1.1.2.2.1.6
7.4—AUDIT REQUIREMENTS
The Code of Federal Regulations 2 CFR sets forth standards for obtaining consistency and
uniformity among federal agencies for the audit of states, local governments, and non-profit
organizations expending federal awards. Currently, if an entity receives $500,000 or more in
total federal funding during a fiscal year, the entity is required to obtain an audit of Federal
expenditures from a qualified Certified Public Accountant (CPA). STAs are responsible for
engaging their own A-133 audit and monitoring those entities to which they’ve passed federal
funds. The STA project managers are responsible for monitoring any audit findings for
resolution.
7.5—CATALOG OF FEDERAL DOMESTIC ASSISTANCE
The Catalog of Federal Domestic Assistance (CFDA) contains detailed program descriptions for
federal assistance programs, including type of assistance offered, the agency offering the
assistance, contact information, and eligibility criteria.
7.6—STATE LAW
Each state has its own set of laws passed by the state legislature. These codes of law provide
the legal authority to a state agency or department (for example an STA) to plan, design,
operate, construct and maintain public roads and other transportation modes. States may also
pass legislation on special transportation initiatives, public-private partnerships, tolls, oversize
vehicle permits, outdoor advertising, highway enhancement, and other transportation
programs.
Some state laws implement federal law and can generally be more restrictive than federal law,
such as contractor prompt payment laws. STAs may be authorized to waive certain provisions
of state law when inconsistent with federal requirements, such as congressional district
balancing requirements. Other state laws exist for activities not federally mandated, such as
contractor prequalification or audit requirements. State laws typically establish governance of
STAs, state employee codes of conduct, and rules for various administrative operations within
STAs.
In addition to codes of law, some states have rules and regulations promulgated directly from
the STA which provide further governance of transportation matters, such as outdoor
advertising, contractor prequalification, design-build contracting, and grant programs.
Chapter 8 – Innovative Financing and Construction Delivery Methods
INNOVATIVE FINANCING
Innovative financing provides options during challenging economic times by offering
alternatives to overcome the constraints of limited resources. Financial innovations can
increase the ability of STAs to deliver transportation projects by accelerating construction,
reducing costs, and providing the revenues required to deliver projects.
We have briefly covered the more popular innovative financing methods below. For further
information and a discussion of other innovative financing methods, visit the U.S. Department
of Transportation Federal Highway Administration (FHWA), Innovative Program Delivery
website at:
www.fhwa.dot.gov/ipd.
8.1—GRANT ANTICIPATION REVENUE VEHICLE (GARVEE)
GARVEE debt financing provides up-front capital for major highway projects. U.S. Code Title 23,
Section 122 allows the use of future federal funds to repay the debt and related financing costs.
This allows projects to be constructed sooner and at less cost due to inflation savings. The
public realizes safety and economic benefits, and costs are spread over the useful life of the
project.
8.2—TRANSPORTATION INFRASTRUCTURE FINANCE AND INNOVATION ACT (TIFIA)
The TIFIA program provides federal credit assistance through direct loans, loan guarantees, and
standby lines of credit for surface transportation projects of national and regional significance.
TIFIA credit assistance provides access to capital markets, flexible repayment schedules, and
more favorable interest rates than private capital markets can offer.
8.3—SECTION 129 LOANS (23 U.S.C. 129 (A)(7))
An STA may fund loans to a public or private entity to construct a toll or non-toll project that
has a dedicated revenue source up to an amount equal to the federal share of the project.
Dedicated revenue sources may include tolls, excise taxes, sales taxes, motor vehicle use fees,
tax on real property, and tax increment financing.
8.4—TAX INCREMENT FINANCING (TIF)
TIF is a mechanism allocating any increase in total property tax revenues toward public
investment within a designated district. All or a portion of the increase can be dedicated to
repay the debt incurred in building the transportation improvement.
8.5—PRIVATE ACTIVITY BONDS (PABs)
PABs are debt instruments that may be issued by STAs and used to construct projects with
significant private involvement. In an effort to increase private sector investment in
transportation infrastructure, the federal government has provided access to these tax-exempt
bonds. State projects receiving a PAB allocation must also receive assistance under U.S.C. Title
23 or Title 49. These bonds are limited to $15 billion and are allocated by the Secretary of
Transportation to qualified projects.
8.6—PUBLIC-PRIVATE PARTNERSHIPS (P3s)
P3s are contractual agreements between a public agency and a private entity in which the
private entity takes on more risk than traditional project agreements. The private entity may
participate in design, finance, operations, and maintenance, increasing the level of risk
accepted. P3s are actually a procurement option and not a revenue source. P3s may increase
financing capacity and reduce costs; however, a revenue source still needs to be identified for
the project. By using P3s, a private entity may operate a facility over a specified term in
exchange for annual payments. The entity may receive the right to collect toll revenues from
the project, or other similar arrangements may be identified.
INNOVATIVE CONSTRUCTION DELIVERY METHODS
Innovative construction delivery methods help to provide efficiency and a smooth, effective
transition from design to construction. Two such methods are described below.
8.7—DESIGN-BUILD (DB)
DB is a project delivery method in which one entity assumes responsibility for the design and
construction of a project under one contract. The DB team may be composed of a single firm, a
consortium, or a joint venture. This method provides collaboration and coordination between
the designer and the contractor, thus enabling early intervention to address project
complexities, advance project delivery, reduce costs, and enhance quality. Coordination of
design and construction processes results in time savings due to improved communication.
Typically a two-step selection process is used. The first step is qualifications-based selection
using a Request for Qualifications (RFQ). Best value is then determined based upon the short-listed firms’ technical expertise and price components using a Request for Proposals (RFP).
Please refer to 23 CFR 636 for regulations covering DB.
8.8—CONSTRUCTION MANAGER/GENERAL CONTRACTOR (CMGC)
The CMGC project delivery method is divided into two contract phases:
1. During the design phase, the project owner hires a contractor who acts as a consultant to
provide feedback to the design team, identify risks, provide cost projections, and refine the
project schedule while design is being completed.
2. In phase two, the contractor and project owner negotiate the price of the construction
contract. Once agreed upon, the construction phase begins. The benefits of CMGC include
reduced costs, schedule risk, and change orders, as well as improved design quality as the
contractor’s knowledge and experience are utilized up front. The CMGC process facilitates
value engineering by allowing the contractor to provide cost estimates for all designs and
alternatives during the design phase.
Chapter 9 - General Audit and Attestation Programs
The following audit programs are shells to help internal auditors develop their procedures
when performing an engagement. Auditors can utilize available practice aids for particular
areas in the fieldwork phase.
9.1—AUDIT PROGRAM PURPOSE AND SCOPE
This program has the following major objectives:
• Understanding the organization’s operations
• Understanding the preliminary analytical procedures
• Identifying relevant risk factors
• Identifying significant compliance requirements
• Documenting the internal control assessment
9.2—PHASES
A. Preliminary Survey (Planning) Phase
01. Send an Engagement Letter to the stakeholder(s).
02. Hold team brainstorming meeting, including IT and Fraud employees when discussing IT issues and fraud, waste, and abuse.
03. Review previous (internal and external) State and Federal Audit and Review Reports. Document findings in those reports for appropriate follow-up. Identify reported weaknesses that have not been corrected.
04. Review background material to become familiar with the activities of the organization. Examples are:
• Legislative rules
• Administrative code
• State policies and procedures
• Entity rules and regulations
• Entity manuals
• Federal highway regulations
• Traffic control regulations
• Internal or external peer review reports
• Industry standards
• Industry best practices
• Mission, vision, and goals
05. Obtain current organization chart.
06. Conduct interview(s), surveys, and face-to-face meetings with organization personnel. Discuss the entity’s activities, any changes in the policy and procedures, employee turn-over rate, and general internal controls environment (performance goals, tracking/exception reporting, known issues, etc.).
07. Ask management if they are aware of any fraud, waste or abuse.
08. Obtain policies and procedures related to the major functions of the organization. Note any changes in rules, regulations, or laws since the last audit.
09. Prepare and send surveys or questionnaires to the entity’s customers.
10. Gain an understanding of key business processes. Document systems through a process map (flow chart) and/or narrative. Identify any potential control gaps and/or weaknesses, including opportunity cost of having too many controls.
11. Document your data analysis of the organization’s operations, including the following:
• Management and organization
• Factors affecting the organization
• Internal factors affecting the organization
• Accounting policies and issues
• Electronic data processing systems used in carrying out functions and activities
• Strategic alignment
• Control design
• Identified themes
• General and definable risk areas
• Internal environment / fraud risks
• Documentation reviewed
• Control design evaluation assessment (see appendix C)
• Risk assessment summary
• In scope and out of scope areas
12. Validate the original objective(s) or refine your objective(s).
13. Present your scope to the CAE and receive approval to move forward. Coordinate with General Counsel, depending on audit focus and potential for litigation.
14. Develop a program step for each area of your scope that has compliance requirements. Summarize the requirements for testing and evaluating controls over compliance.
15. Develop specific audit procedures and sampling plans for audit objectives (see individual practice aid for Items of Consideration).
16. Get work program approved.
17. Schedule and hold an entrance conference with report owners or key stakeholders as appropriate.
B. Execution (Fieldwork) Phase
01. Complete audit tests and write up management comments / findings and observations identified during testing. Work papers should include, at a minimum, a purpose, source, scope, and conclusion. (Refer to applicable practice aid for specific objectives and steps.)
02. Hold weekly audit team status meetings to confirm project status and deliverables, and prepare for weekly status meetings with entity management.
03. Provide continuous communication (weekly status meetings) with entity management on any identified problems or best practices.
04. Work with the entity to discuss recommendations and obtain management action plans to address risks identified in the findings.
05. Review team progress at the midpoint of your fieldwork. Ensure that audit management is aware of potential findings and observations.
06. Prepare draft audit report, including findings, management responses/action plans and audit engagement opinion, as applicable.
C. Closing (Reporting) Phase
01. Hold an Opinion Meeting with audit management to receive approval of findings, management responses/action plans and audit engagement opinion, as applicable.
02. Ensure all work papers are reviewed and approved.
03. Hold exit conference with entity.
04. After the CAE approves the draft report, send the approved draft report to General Counsel and the audit report owners/stakeholders, as applicable.
05. After concurrence and/or resolution of the returned comments, issue final audit report.
06. Complete final working paper sign-offs.
07. Complete team performance evaluations, as related to engagement performance.
08. Track Management Action Plans and establish follow-up engagements to confirm remediation of risks.
09. Complete internal quality assessment of the audit working papers.
9.3—ATTESTATION PROGRAM PURPOSE AND SCOPE
The purpose of the following attestation program is to develop a general program for
conducting attestation engagements. It covers steps applicable for all three types of
attestations: examinations, reviews, and agreed-upon procedures. These engagements are
narrower in scope than full audits.
This program has the following major objectives:
• Determine the appropriate type of attestation and scope
• Understand the program or subject area under engagement
• Identify risk elements
• Identify significant compliance requirements
• Identify significant reporting requirements
Program steps are based on the AICPA Statements on Standards for Attestation Engagements (SSAE)
and Generally Accepted Government Auditing Standards (GAGAS) promulgated by the
Government Accountability Office (GAO). This program may be used for examination, review or
agreed-upon procedure attestation engagements, as stated above.
A. Preplan the Attest Engagement
1. Determine whether attest engagement will be an examination, review or agreed-upon procedure. (Refer to comparison chart of examination, review and agreed-upon procedure attestation engagements at the end of this program.)
2. In determining the assignment consider the following:
• Does auditor have sufficient technical training & proficiency to perform engagement?
• Does auditor have adequate knowledge of subject matter?
• Are there criteria suitable & available to evaluate the subject matter?
• Is auditor independent in both mind and appearance?
• Is auditor able to exercise due professional care in planning & performing engagement and the preparation of report?
B. Plan the Attest Engagement
1. Maintain timesheet of hours spent on engagement
2. Adequately plan the attest engagement by considering the following:
• Plan procedures to address the objectives of the attest engagement
• Determine criteria which will be the basis of the engagement
• Make initial judgments regarding risk and materiality of engagement (may be appropriate to use lower materiality levels because of public accountability of government agencies)
• Consider likelihood of revising or adjusting the subject matter
• Consider whether attest procedures should be modified or extended
• Verify or adjust the nature of the attest engagement: examination, review or agreed-upon procedure
3. Notify appropriate management, in writing, of the intent and date to conduct an attest engagement of a program or activity (engagement letter/email). Letter should include:
• Objective of the engagement
• Management’s responsibility
• Auditor’s responsibility
• Limitations of the engagement (e.g. specific scope and expected deliverables)
4. Additional guidance for agreed-upon procedures (AUP):
• Terms of the AUP should be understood by the auditor and ideally expressed in an engagement letter
• Specific procedures on the subject matter must be agreed to by the auditor and the specified party making the request
• The specified party is responsible for determining the sufficiency of the procedures
• The criteria to be used for determining a conclusion must be agreed to by the auditor and specified party
• There is agreement between auditor and specified party regarding materiality, if applicable
• If the work of a specialist is used, the auditor and specified party should explicitly agree to that use
5. Plan for supervision of team members, if assigned
6. Review background information, such as applicable laws, policies and regulations, to become familiar with activities of the division or section. Consider the following:
• Federal regulations
• State laws, policies, procedures and rules
• Administrative code
• ITD department policies and rules
• ITD manuals affecting subject area
• Internal or external peer review reports
• Industry standards & best practices
• Mission, vision and goals
7. Obtain the organizational chart for the office, define positions and functions, and identify vacancies
8. Determine if current desk manuals are available
9. Review prior internal audit report, program and work papers, if applicable, and note areas of audit interest
• Document findings for appropriate follow up
• Identify any reported weaknesses that haven’t been corrected
10. Search for review/audit reports from external groups
11. If applicable, obtain printouts of the total revenue and expenditure transactions for the latest completed fiscal year
12. Conduct an interview with the division administrator, section manager or specified party for input on perceived risks to their program or activity. Discuss:
• Programs and activities
• Any changes in policies, procedures and organization
• Employee turnover rate
• General internal control environment
• Performance goals, measures or tracking
• Ask management if they are aware of any fraud, waste or abuse
• Obtain policies and procedures related to program or activity under engagement
• Consider whether an evaluation is indicated for any of the above items
13. Conduct an entrance conference with the Division Administrator, section manager or specified party. Discuss:
• Objective(s) of engagement
• Estimated length of engagement
• Responsibilities of Management regarding the engagement
• Responsibilities of the auditor regarding the engagement
14. Interview executive management and other stakeholders to determine areas of interest or concern
15. Identify programs and activities, flow chart processes and evaluate for risk
• Evaluate for adequate internal controls
• Note any gaps or weaknesses in controls
• Identify risks to the program or activities
• Verify risks with employees responsible and with management or resolve if additional mitigating information is provided
Prioritize risks as high, medium or low based on probability and impact
 Consider the probability of each risk occurring
 Consider the impact to the program or activity if it occurred
 Identify the priority level for each risk (high, medium or low)
Meet with Audit Manager to verify or refine original objective(s) to focus efforts
 Determine scope, and resource and time budget for assignment
 Consider Government Accountability Office (GAO) Audit Standards
 Consider AICPA Statements on Standards for Attestation Engagements (SSAE)
Fieldwork Phase
Obtain sufficient evidence (based on nature of attest engagement) to provide a reasonable basis for a
conclusion
 Evaluate inherent risk (risk inherent in the type of process or treatment of transactions)
 Evaluate control risk (risk that internal controls are not present and/or not operating adequately)
 Evaluate detection risk (risk that a material weakness or fraud, waste or abuse won’t be detected)
 Strive to achieve a low level of audit risk for examination engagements
 Strive to achieve a moderate level of audit risk for review engagements
 Add newly identified risks to list of risks already identified and prioritize as in step B.15
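The three risks in the step above combine in the standard audit risk model, which the guide does not write out; this is an added note, with the model as stated in the AICPA auditing standards and the numeric values assumed for illustration only:

$$AR = IR \times CR \times DR \qquad\Longrightarrow\qquad DR = \frac{AR}{IR \times CR}$$

With an assumed inherent risk $IR = 0.8$ and control risk $CR = 0.5$, a low target audit risk of $AR = 0.05$ (examination) leaves an acceptable detection risk of only $DR = 0.05 / 0.40 = 0.125$, whereas a moderate target of $AR = 0.10$ (review) allows $DR = 0.10 / 0.40 = 0.25$. The lower the acceptable detection risk, the more extensive the substantive procedures must be, which is why the scope of testing is set separately for examinations and reviews.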
Design examination engagement to detect instances of fraud and noncompliance with laws, regulations,
contracts and grant agreements that may have a material effect on the subject matter
 Assess risk and possible effects of fraud and noncompliance with laws, etc.
 Document risk factors and auditor’s conclusion regarding those risks
 If auditor becomes aware of abuse that could be material to subject matter, design procedures to
assess the potential effect
 Instances of fraud; noncompliance with laws, regulations, contracts or grant agreements; or abuse
should be communicated to those charged with governance
If, while conducting procedures of a review or agreed-upon procedure engagement, instances of fraud,
noncompliance with laws, regulations, contracts or grant agreements, or abuse come to the auditor’s
attention, those charged with governance should be informed
Obtain evidential matter for agreed-upon procedure to provide a reasonable basis for conclusions.
Appropriate procedures may include:
 Conduct specific procedures as established by specified user
 Need not perform additional procedures outside the scope of engagement
 Conduct sampling according to agreed-upon parameters
 Inspect specified documents for evidence of certain transactions or detailed attributes
 Confirm specific information with third parties
 Compare documents, schedules or analyses with specified attributes
 Perform specific procedures on work performed by others
 Perform mathematical computations
Determine scope of testing for examinations & reviews; consider quality and quantity of evidential
matter
 Consider previous audit findings and recommendations in assessing risk and determining scope of
testing
 Conduct interviews and observations
 Conduct site visits if appropriate
 Obtain financial reports for inspection or testing
 Document findings and observations
 Document management comments
 Determine whether internal controls are adequate; consider expanding testing if not
 Include purpose, source, scope and conclusion in work papers
Document meetings to update Audit Manager on progress and status of attestation assignment
Provide periodic communication with administrator, section manager or specified party requesting
attestation engagement and with management under audit, if different
 Document periodic communication
 Update administrator or manager on progress, any identified problems or suggested best practices
Review or Agreed-Upon Procedures: Prepare draft report identifying results, conclusions and
recommendations
Examinations: Prepare draft report identifying findings and recommendations. Must develop elements
of findings (criteria, condition, cause and effect)
Reporting Phase
Compliance with reporting standards
 Identify subject matter and character of engagement
 Conclusion relates to criteria used to evaluate subject matter
 Document the nature, timing, extent and results of the attest procedures and information obtained;
quantify results if possible (experienced auditor test)
 In following GAGAS standards, include a statement that the attestation engagement was conducted
in accordance with GAGAS
   o If a review, GAGAS statement should include statement that a review engagement is
substantially less in scope than an examination, the objective of which is to express an opinion
on the subject matter, and accordingly, review reports express no such opinion
   o If an agreed-upon procedure, GAGAS statement should include a statement that “auditors were
not engaged to and did not conduct an examination or a review of the subject matter, the
objective of which would be the expression of an opinion or limited assurance and that if the
auditors had performed additional procedures, other matters might have come to their attention
that would have been reported.”
   o The agreed-upon procedure report is also required to state that the sufficiency of the
procedures is solely the responsibility of the specified parties and must include a disclaimer of
responsibility for the sufficiency of the procedures
   o Agreed-upon procedure reports must be restricted to the specified party or parties
 Document any departures from GAGAS requirements and the impact on the engagement and
conclusions
 Document any significant reservations, such as scope deficiencies and engagement reservations,
and determine if a qualified conclusion or disclaimer should be reported
 Document instances of fraud and noncompliance with laws, regulations, contracts and agreements
that have a material effect on the subject matter
 Document instances of abuse that have a material effect on the subject matter
 Document if separate reports are being issued for fraud, noncompliance or abuse
 Document significant deficiencies or material weaknesses in internal controls
 Document if confidential and sensitive information was omitted and reason for omission
 Determine whether to communicate internal control deficiencies not considered significant or
material to those charged with governance
Document meetings with team and Audit Manager to review and approve findings and/or conclusions,
and recommendations
Conduct preliminary close out meeting with managers and supervisors to listen and discuss the section’s
input and concerns regarding findings and/or conclusions, and recommendations
Hold close out meeting with division administrator, section manager, or specified party; chief officer;
controller and any other executive/management stakeholders
Request and review management’s responses and action plans; note whether a target date and
responsible position is identified; or note audited entity did not provide comments
Present final attestation report to Director/Secretary, obtain concurrence, signature and distribute
(electronically and/or hardcopy)
 Distribute report to those charged with governance, the audited section’s management and other
stakeholders as appropriate
 If subject matter involves material that is classified for security reasons or contains confidential or
sensitive information, auditor should limit distribution
 Include statement if restricted distribution, “This report is intended solely for the information and
use of __________________.” (e.g. agreed-upon procedures)
 Consider need to report findings or conclusions to outside agencies
Finalize work paper documentation and obtain internal quality control assessment of attest work papers
Retain documents according to department policy
Ensure administrative procedures are in place to maintain the confidentiality of attest documentation
References
AICPA AT Section 50 establishes the SSAE Hierarchy
AICPA AT Section 101 provides guidance and practice aids for examinations and reviews
 Checklists for an examination and review report
 Sample examination and review reports
AICPA AT Section 201 provides guidance and practice aids for agreed-upon procedures
 Checklist for an agreed-upon procedure report
 Sample agreed-upon procedure report
GAGAS incorporates AICPA standards by reference
GLOSSARY
Actual Costs — Amounts determined based on costs incurred and supported by source
documentation, such as invoices, receipts, and cancelled checks. Actual costs are generally not
determined based on forecasts or historical averages.
Administrative Expenses — Costs that are not directly identified with any one item of work,
but when taken as a whole, support or contribute to all activities of a firm.
Agreement — An obligation between two parties that is less formal than a contract, which
identifies the deliverable goods or services to be provided, under what conditions, and the
method of reimbursement for such goods and services. An agreement may include both
federal and state requirements that must be met by the STA and entity. Agreements
usually indicate start and finish dates, record retention requirements, and other pertinent
information relative to the work to be performed. In the context of this guide, generally refers
to intergovernmental obligations, such as grant agreements.
Allocable — A cost is allocable to a government contract if the cost is incurred specifically for
the contract; benefits both the contract and other work, and can be distributed to them in
reasonable proportion to the benefits received; or is necessary to the overall operation of the
business, although a direct relationship to any particular cost objective cannot be shown.
Allowable — A cost is an allowable charge to a government contract only if the cost is
reasonable, allocable, compliant with GAAP, compliant with terms of the contract, and not
prohibited by federal cost principles.
Analytical Procedure — An audit procedure whereby an auditor assesses information by
comparing it to certain parameters or expectations selected by the auditor. It involves the
auditor reasonably expecting a certain relationship among certain information and expecting
those relationships to continue unless there are known conditions that should cause the
relationship to not exist. The expected conditions should be developed by the auditor through
the use of reliable sources to ensure an unbiased comparison. Some common analytical
procedures include ratio analysis, trend analysis, comparison between periods, comparison to
budgets and forecasts, external benchmarking, and internal benchmarking.
AASHTO — American Association of State Highway and Transportation Officials
AICPA — American Institute of Certified Public Accountants, the national professional
organization of Certified Public Accountants
Audit Confirmation — An audit procedure whereby an auditor obtains direct written
verification of the accuracy of information from a third party. Positive confirmation is obtained
by asking the third party to respond by stating whether or not they believe the information
is correct. Negative confirmation asks the third party to respond only if there is an issue.
Positive confirmation is more reliable because, with negative confirmation, there is no
certainty if the party does not respond that there is no issue.
Audit Inquiry — An audit procedure that involves asking questions of the auditee or other
parties in order to obtain oral and written information. Evidence gathered through inquiry is
considered indirect evidence, which is rarely considered sufficient by itself to support a
finding. However, it is supportive documentation when corroborated through other means.
Audit Planning — An overall strategy developed for conduct and scope of the audit. The
nature, extent, and timing of planning vary with size and complexity of the entity, experience
with the entity, and knowledge of the business. In planning the audit, the auditor considers
the entity's business and its industry, its accounting policies and procedures, the methods it
uses to process accounting information, the planned assessed level of control risk, and the
auditor's preliminary judgment about audit materiality.
Audit Risk — A combination of the risk that material errors exist and the risk that the errors
will not be discovered by audit tests. Audit risk includes uncertainties because of sampling
(sampling risk) and other factors (nonsampling risk).
Audit Trail — A record of transactions in an accounting system that provides verification of the
activity of the system. A complete audit trail allows auditors to trace transactions in a
client’s accounting records from original source documents into subsidiary ledgers through the
general ledger and into basic financial statements and billings/invoices prepared and
submitted by the entity.
Audit Universe — All potential audit activities within an organization; comprises all auditable
units within an organization. These units can include a range of programs, activities, functions,
structures, and initiatives, which collectively contribute to the achievement of the STA’s
strategic objectives.
Auditable Units — Any organizational process or activity that can be audited. Internal auditors
divide an organization into manageable auditable activities (auditable units) to define the audit
universe, assess risk, and prioritize the use of audit resources.
Benford's Law — A mathematical law that applies to any population of numbers derived from
other numbers (such as the dollar amount of a sale, found by multiplying the quantity sold
times the unit price). It holds, for example, that 30% of the time the first non‐zero digit
of this derived number will be one, and it will be a nine only 4.6% of the time. Benford's law is
used by auditors to identify unusual data patterns that may signal the presence of errors or
fraud.
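As an added illustration of the screen this entry describes, written for this page rather than taken from the guide, the Python below runs a first-digit test over two constructed populations; the chi-square critical value and Nigrini's MAD cut-off are assumed decision thresholds.

```python
# Added example, not part of the AASHTO guide: a first-digit Benford's Law screen
# of the kind the glossary entry describes, run over constructed sample amounts.
import math
from collections import Counter
from decimal import Decimal, InvalidOperation

# Expected first-digit frequencies under Benford's Law: P(d) = log10(1 + 1/d).
# P(1) is about 0.301 and P(9) about 0.046, the 30% and 4.6% quoted above.
BENFORD_EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Decision thresholds (assumed for this example): the chi-square critical value
# at the 5% level with 8 degrees of freedom (nine digits minus one), and the
# mean absolute deviation above which Nigrini's first-digit test reports
# nonconformity.
CHI_SQUARE_CRITICAL_8DF_05 = 15.507
MAD_NONCONFORMITY = 0.015


def first_digit(value):
    """Return the first non-zero digit of a numeric value, or None if it has none."""
    try:
        amount = Decimal(str(value))
    except InvalidOperation:
        return None  # not a number at all (e.g. "n/a" in a spreadsheet export)
    if not amount.is_finite():
        return None
    # Decimal keeps the coefficient without leading zeros, so digits[0] is the
    # leading significant digit of the absolute value; a zero amount gives (0,).
    return amount.as_tuple().digits[0] or None


def benford_first_digit_test(values):
    """Compare the first-digit distribution of `values` with Benford's Law.

    Returns the sample size, observed proportion per digit, the mean absolute
    deviation (MAD) from the expected proportions, the chi-square statistic and
    a `conforms` flag. A False flag is a lead for follow-up testing of the
    population, not evidence of error or fraud by itself. Apply the test only
    to populations Benford's Law covers (derived amounts such as invoice totals),
    not to assigned numbers such as invoice IDs or amounts capped by policy.
    """
    counts = Counter(d for d in map(first_digit, values) if d is not None)
    n = sum(counts.values())
    if n == 0:
        raise ValueError("no non-zero numeric values to test")
    observed = {d: counts[d] / n for d in range(1, 10)}
    mad = sum(abs(observed[d] - BENFORD_EXPECTED[d]) for d in range(1, 10)) / 9
    chi_square = sum(
        (counts[d] - n * BENFORD_EXPECTED[d]) ** 2 / (n * BENFORD_EXPECTED[d])
        for d in range(1, 10)
    )
    return {
        "n": n,
        "observed": observed,
        "mad": mad,
        "chi_square": chi_square,
        "conforms": mad < MAD_NONCONFORMITY
        and chi_square <= CHI_SQUARE_CRITICAL_8DF_05,
    }


# Constructed sample populations (not real data). The first spreads 300 amounts
# evenly across one order of magnitude on a log scale, the shape that derived
# numbers such as quantity x unit price tend to have, so it should conform.
CONFORMING_AMOUNTS = [round(100 * 10 ** (i / 300), 2) for i in range(300)]

# The second is a fabricated population with eleven amounts per leading digit,
# i.e. first digits spread evenly over 1-9, which Benford's Law does not allow.
FABRICATED_AMOUNTS = [100 * d + 7 * k for d in range(1, 10) for k in range(1, 12)]


if __name__ == "__main__":
    samples = (("log-uniform", CONFORMING_AMOUNTS), ("fabricated", FABRICATED_AMOUNTS))
    for label, sample in samples:
        result = benford_first_digit_test(sample)
        print(f"{label}: n={result['n']} MAD={result['mad']:.4f} "
              f"chi2={result['chi_square']:.2f} conforms={result['conforms']}")
        for d in range(1, 10):
            print(f"  digit {d}: observed {result['observed'][d]:.3f} "
                  f"expected {BENFORD_EXPECTED[d]:.3f}")
```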
Change Order — Document required when work is added to or deleted from the original scope
of work of a contract which alters the original contract amount and/or completion date.
Code of Federal Regulations (CFR) — The codification of the general and permanent rules
published in the Federal Register by the executive departments and agencies of the federal
government. The CFR is divided into 50 titles that represent broad areas subject to the federal
regulation.
Contract Modification — A change to an existing contract for a change in scope or other
factors which must be agreed to by all parties of the contract.
Control Environment — The attitude, awareness, and actions of the board, management,
owners, and others about the importance of control. This includes integrity and ethical rules,
commitment to competence, board or audit committee participation, organizational structure,
assignment of authority and responsibility, and human resource policies and practices.
Cost Center — A grouping of incurred costs identified with a specific final cost objective.
Cost Principles — Federal cost principles are intended to establish a uniform approach for
determining costs and promoting effective program delivery, efficiency, and better
relationships between grant recipients, subrecipients, and the federal government. The
principles are promulgated to determine allowable costs, enforce compliance with federal
grant requirements, and ensure that the federal government bears its fair share of costs except
where restricted or otherwise prohibited by law.
Detection Risk — The risk audit procedures will lead to a conclusion that material error does
not exist when, in fact, such error does exist.
DOT — A state Department of Transportation.
Direct Cost — Any cost that is identified specifically with a particular final cost objective.
Direct costs are not limited to items that are incorporated in the end product as material or
labor. Costs identified specifically with a contract are direct costs of that contract. All costs
identified specifically with other final cost objectives of the contractor are direct costs of those
cost objectives. Direct costs can include labor, materials, and reimbursable expenses incurred
specifically for an agreement.
Engagement Letter — A letter that represents the understanding between the client and the
CPA about the engagement. The letter identifies the financial statements and/or schedules and
describes the nature of procedures to be performed. It includes the objectives of the
procedures, an explanation that the financial information is the responsibility of the company's
management, and a description of the form of auditor’s report.
Entrance Conference — A meeting between the auditor and the auditee during which the
purpose and scope of the audit are discussed.
Exit Conference — A meeting between the auditor and the auditee held after completion of
the audit that generally focuses on preliminary audit findings, which could change based on
further audit testing, supervisory review, and additional information submitted by the auditee.
Federal Travel Regulation (FTR) — As contained in 41 CFR 300-304. The FTR implements
policies for travel by federal civilian employees and others authorized to travel at the federal
government’s expense.
Finding — Results from deficiencies in internal controls, fraud, illegal acts, violations of
contract or grant provisions, and/or abuse. In accordance with GAGAS, when documenting a
finding, the auditor should include the condition, criteria, cause, effect, and a recommendation
for correction. Generally, auditors include management responses to reportable findings within
the final audit report.
GAAP — Generally Accepted Accounting Principles – Widely accepted set of rules,
conventions, standards, and procedures for reporting financial information, as established by
the Financial Accounting Standards Board (FASB).
GAAS — Generally Accepted Auditing Standards – The ten auditing standards adopted by the
membership of the AICPA. Auditing standards differ from audit procedures in that
"procedures" relate to acts to be performed, whereas "standards" pertain to the quality of
the performance of those acts and the objectives of the procedures.
GAGAS — Generally Accepted Government Auditing Standards – Also known as the “Yellow
Book,” issued by the U.S. Government Accountability Office (GAO). GAGAS prescribe general
procedures and professional standards that auditors must apply when performing government
audits or attestation engagements.
General Administrative Expenses — Costs of operating a company that are incurred by, or
allocated to, a business unit and are not directly linked to the company’s products or services.
Government Accountability Office — GAO — The audit, evaluation, and investigative arm of
the United States Congress.
Indirect Cost — Any cost that is not directly identified with a single, final cost objective, but is
identified with two or more final cost objectives or an intermediate cost objective. Recipients
recover their indirect costs in their overhead rate.
Ineligible Cost — A cost that does not meet the terms of the agreement as well as federal
and state statutes and regulations.
Inherent Risk — The risk that exists in an environment without the benefit of internal controls
due to other factors such as the nature of transaction or activity. For example – complexity,
frequent change, etc.
Inspection — An audit procedure that involves the auditor’s review of a document or record
through physical examination to provide direct evidence of its content. This is a means of
gathering direct evidence.
Internal Control — The plan of an entity and the methods and procedures adopted by
management to ensure that the entity’s goals and objectives are met; that resources are used
consistently with laws, regulations, and policies; that resources are safeguarded against waste,
loss, and misuse; and that reliable data are obtained, maintained, and fairly disclosed in reports.
Narrative — A written description of an internal control system, procedure, or process.
Observation — An audit procedure that involves the auditor seeing or experiencing something
first hand. It could include having the auditee walk through a process while the auditor
observes and monitors the activities, procedures, and steps performed and observes security
practices. Through the performance of this activity, the auditor is able to obtain direct
evidence.
Overhead Expenses — All allowable general administrative expenses and fringe benefit costs
not directly identified with a single final cost objective. Depending upon the size of the auditee,
these costs may be separately identified on a schedule of overhead costs.
Overhead Rate — A rate computed by adding together all of an entity’s costs that cannot
be associated with a single cost objective (e.g., general and administrative costs and fringe
benefits costs), then dividing by a base value (usually direct labor cost). This rate is applied to
direct labor, as incurred on projects, to allow an entity to recover the appropriate share of
indirect costs allowable per the terms of the specific agreement.
Peer Review — A quality control program in which the audit documentation of one STA audit
group is periodically (three years for GAGAS, five years for IIA) reviewed by independent
partners of other STA groups to verify that it conforms to the standards of the profession.
Permanent Files — File containing information of continuing importance to engagements
covering an auditable unit.
Project Authorization and Agreement — A contractual obligation of the federal government for
payment of the federal share of project costs. The agreement will include a description of the
project, the federal-aid project number, the work covered, total cost and amount of federal aid
funds, the federal share of funds, signatures of state and federal officials, and any other
provision set out by 23 U.S.C. 106 and/or 23 CFR.
Reasonable Cost — A cost is reasonable if, in its nature and amount, it does not exceed
that which would be incurred by a prudent person in the conduct of competitive business.
Reconcile (reconciliation) — Efforts to prepare a schedule establishing agreement between
separate sources of information, such as accounting records reconciled with the financial
statements.
Reperformance — An audit procedure that involves the auditor redoing a certain activity or
procedure to see if he or she arrives at the same results. The auditor’s reperformance of a
particular control provides direct evidence to support whether a control is operating effectively.
Residual Risk — The risk that exists after consideration of the controls management has
implemented to mitigate or transfer risk.
Resolution Process — The process used to resolve findings. It may involve negotiating a
corrective action, reimbursing funds, and improving procedures.
Risk — The probability that an event or activity will occur that adversely impacts the
achievement of an organization’s objectives.
Sample Size — The number of items selected when a sample is drawn from a population.
Sampling Error — The risk that the sample results will mislead the auditor, unless the auditor
examines 100% of the population. The larger the sample, the less risk of sampling error and
the greater the reliability of the results.
Sampling Risk — The possibility that conclusions drawn from the sample may not represent
correct conclusions for the entire population.
Segregation of Duties — Assigning to different people the responsibilities of authorizing
transactions, recording transactions, and maintaining custody of assets. Segregation of duties
reduces the opportunities for one person to both perpetrate and conceal errors or fraud.
Single Audit — A rigorous, organization-wide audit or examination of an entity that
expends $500,000 (currently) or more of federal assistance received for its operations. These
are usually performed annually. The objective of a Single Audit is to provide assurance to the
federal government as to the management and use of such funds by recipients such as states,
cities, universities, and non‐profit organizations. These audits are typically performed by an
independent certified public accountant (CPA) and encompass both financial and compliance
components.
Source Documentation — Documents that support the costs recorded in an entity’s records.
Source documents can include timesheets, payroll registers, invoices, receipts, rental slips,
cancelled checks, etc.
Test — An audit procedure whereby the auditor reviews certain transactions and processes or
attributes against established criteria. The auditor then decides whether the audited entity
complied with the criteria, which are established standards, practices, laws, regulations or
requirements.
Tracing — An audit procedure that involves tracking information forward from one document
to another subsequently prepared document or record. This test is performed as a means to
test for the completeness of the document or record.
Unallowable Cost — An item of cost that is ineligible for cost reimbursement.
Verifying — The act of tracing a transaction from one document to the original support
document.
Vouching — An audit procedure that involves tracking information from one document or
record back into a previously prepared document or record or to some other reliable source.
This procedure is performed in order to determine the validity of the information.
Walkthrough — Procedure whereby an auditor follows a transaction from origination through
the company's processes, including information systems, until it is reflected in the company's
financial records, using the same documents and information technology that company
personnel use.