AASHTO Internal Audit Guide 2014 Edition

TABLE OF CONTENTS

CHAPTER 1 — INTRODUCTION
1.1 Overview ...... 1
1.2 Why a Guide? ...... 1
1.3 Auditing Standards ...... 2
1.4 Engagements ...... 2

CHAPTER 2 — AUDITING STANDARDS
2.1 GAGAS ...... 3
2.2 International Standards for the Professional Practice of Internal Auditing ...... 3
2.3 Comparison of IIA and GAGAS Standards ...... 4
2.4 References ...... 5

CHAPTER 3 — TYPES OF ENGAGEMENTS
3.1 Overview ...... 6
3.2 Types of Audits ...... 6
3.3 Attestation Engagements ...... 9
3.4 Non-Audit Services or Consulting Services ...... 10

CHAPTER 4 — AUDIT RISK ASSESSMENT AND AUDIT PLAN
4.1 Overview ...... 12
4.2 Identify Audit Universe or Auditable Units ...... 12
4.3 Benefits of Auditable Units ...... 12
4.4 Develop Permanent Files ...... 13
4.5 Risk Assessment ...... 14
4.6 Risk Assessment Criteria ...... 15
4.7 Consideration of Internal Controls ...... 16
4.8 Internal Control Weaknesses ...... 17
4.9 Analysis of Internal Audit Resources ...... 18
4.10 Developing the Audit Work Plan ...... 18

CHAPTER 5 — INTERNAL CONTROL
5.1 Overview ...... 20
5.2 COSO Categories ...... 20
5.3 Five Components of COSO ...... 21
5.4 COBIT ...... 23
5.5 Understanding an Auditee’s Internal Controls ...... 26
5.6 Documenting Internal Controls ...... 27
5.7 Internal Control over Financial Reporting ...... 28
5.8 Evaluation of Internal Controls ...... 28
5.9 Classifying Internal Control Weaknesses for Reporting ...... 29

CHAPTER 6 — USDOT AGENCIES AND DESCRIPTIONS
6.1 USDOT Agencies and Descriptions ...... 30
6.2 Office of the Secretary ...... 31
6.3 Federal Aviation Administration ...... 32
6.4 Federal Highway Administration ...... 33
6.5 Federal Motor Carrier Safety Administration ...... 36
6.6 Federal Railroad Administration ...... 36
6.7 Federal Transit Administration ...... 37
6.8 Maritime Administration ...... 39
6.9 National Highway Traffic Safety Administration ...... 39
6.10 Office of Inspector General ...... 41
6.11 Pipeline and Hazardous Materials Safety Administration ...... 41
6.12 Research and Innovative Technology Administration ...... 42
6.13 Saint Lawrence Seaway Development Corporation ...... 43
6.14 Surface Transportation Board ...... 43

CHAPTER 7 — STEWARDSHIP, OVERSIGHT, LAWS, AND REGULATIONS
7.1 Stewardship and Oversight Agreement between the FHWA and State Transportation Agencies ...... 45
7.2 Hierarchy ...... 46
7.3 Federal Requirements (2 CFR 200) ...... 47
7.4 Audit Requirements ...... 47
7.5 Catalog of Federal Domestic Assistance ...... 48
7.6 State Law ...... 48

CHAPTER 8 — INNOVATIVE FINANCING AND CONSTRUCTION DELIVERY METHODS
8.1 Grant Anticipation Revenue Vehicle (GARVEE) ...... 49
8.2 Transportation Infrastructure Finance and Innovation Act (TIFIA) ...... 49
8.3 Section 129 Loans (23 U.S.C. 129 (A)(7)) ...... 49
8.4 Tax Increment Financing (TIF) ...... 49
8.5 Private Activity Bonds (PABs) ...... 49
8.6 Public-Private Partnerships (P3s) ...... 50
8.7 Design-Build (DB) ...... 50
8.8 Construction Manager/General Contractor (CMGC) ...... 50

CHAPTER 9 — GENERAL AUDIT AND ATTESTATION PROGRAMS
9.1 Audit Program Purpose and Scope ...... 51
9.2 Phases ...... 51
9.3 Attestation Program Purpose and Scope ...... 53

GLOSSARY ...... 58

Chapter 1 – Introduction

1.1—OVERVIEW

This guide was developed by a task force of the American Association of State Highway and Transportation Officials (AASHTO) Audit Subcommittee with input from various federal partners. State Transportation Agencies (STAs) have the same overall mission, but are structured differently across the United States. Most STAs have internal auditors, external auditors, and inspectors general. Some audit groups are organized as standalone units and others are included as part of larger organizational components of the STA.

This guide focuses on the goals, functions, and services of internal audit groups within STAs. In addition, detailed practice aids are provided as a supplement to the guide.

The Institute of Internal Auditors (IIA) defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

1.2—WHY A GUIDE?

This guide is designed to strengthen stewardship and oversight functions performed by STA internal audit groups. An essential role of government is the stewardship and oversight of public expenditures.
As government transportation expenditures grow and budgets and staffing shrink, the stewardship and oversight process for transportation programs must be enhanced. The purpose of this internal audit guide is to provide a tool that can be used by STA internal auditors to perform audits of transportation processes and programs. This guide is intended to help auditors understand processes, terminology, policies, audit techniques, and sources for laws and regulations.

The guide’s objective is to identify the audit universe in a general sense and provide a reference guide for the following items:
• Internal controls
• Risk assessment
• Compliance with applicable laws and regulations
• Federal programs
• Innovative financing
• Effective use of resources

1.3—AUDITING STANDARDS

STA internal audit groups follow basically two sets of auditing standards: Generally Accepted Government Auditing Standards (GAGAS), issued by the Comptroller General of the United States, and the IIA standards for internal audit. We will discuss the different auditing standards in the next chapter. When necessary, internal auditors obtain additional guidance from standards issued by the American Institute of Certified Public Accountants (AICPA) and guidance from the IIA.

1.4—ENGAGEMENTS

Internal auditors perform a variety of engagements, ranging from attestation engagements consisting of reviews, examinations, and agreed-upon procedures, to performance audits. STA internal auditors may be responsible for:
• Reviewing STA internal controls to ensure they are adequately designed and are functioning properly
• Reviewing STA programs and processes to ensure they comply with applicable federal and state laws and regulations as well as STA policies and procedures
• Reviewing STA processes to ensure they operate effectively and efficiently
• Reviewing programs to ensure that management has adequately safeguarded STA assets and used taxpayer resources properly
• Reporting to the head of the STA or governing body and management, noting any weaknesses or areas of improvement

Chapter 2 – Auditing Standards

2.1—GAGAS

Generally Accepted Government Auditing Standards (GAGAS), produced by the Government Accountability Office (GAO), contain requirements and guidance for entities conducting government audits within the United States. Professional auditors must follow these standards when conducting financial audits of government and non-profit organizations receiving federal funds subject to the audit requirements in Subpart F of 2 CFR 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards. In the United States, use of GAGAS is also mandatory for federal inspectors general, many state and local government auditors and some internal auditors, as well as CPA firms when conducting single audits and other government audits. In addition, many auditors and audit organizations choose to voluntarily perform their work in accordance with GAGAS.

GAGAS contains requirements for financial audits, attestation engagements and performance audits. Many international government audit organizations use GAGAS as guidance when conducting financial and performance audits, even when there is no specific legal requirement to do so.
2.2—INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING

For internal auditors, there is another set of standards, the International Standards for the Professional Practice of Internal Auditing, produced by the IIA. Internal auditors throughout the world use these standards. Certified Internal Auditors are required to follow the IIA Standards, and anyone who wishes to state that their audits are conducted in accordance with the IIA Standards must follow them.

The IIA Standards are divided between Attribute and Performance Standards. Attribute Standards address the attributes of organizations and individuals who perform internal auditing. The Performance Standards describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured.

Some government organizations conduct their engagements in accordance with both the IIA Standards and GAGAS. The IIA Standards are often implemented along with the performance audit requirements of GAGAS (chapters 1-3, 6 and 7). While GAGAS is used for conducting government audits by both external and internal audit organizations, it contains some specific requirements and guidance related to internal auditors and internal audit organizations.

Each STA should determine which standards it follows and document that as part of its policies and procedures. Some STAs have laws that require them to follow one of the two standards, and some states require their agencies to follow both.

2.3—COMPARISON OF IIA AND GAGAS STANDARDS

GAGAS is commonly referred to as the “Yellow Book” and the IIA Standards are commonly referred to as the “Red Book.” The Institute of Internal Auditors (IIA) provides a comparison of the IIA and GAGAS Standards on the IIA’s website. The following is a list of some of the most notable differences between the standards:
• Each starts from a different definition of auditing and auditors. GAGAS emphasizes accountability; the IIA emphasizes governance, risk and controls to add value.
• The IIA requires an internal audit charter; GAGAS does not.
• GAGAS discourages non-audit consulting services, noting that they could compromise objectivity and independence; the IIA recognizes consulting as a service that internal auditors provide to their organizations and has established ‘consulting standards’. The IIA defines consulting services to include counsel, advice, facilitation and training but states that services must be provided without assuming any management responsibility for them.
• Under GAGAS, auditors must document consideration of independence; the IIA has no formal requirement to document independence. However, the IIA Standards require internal auditors to have independence and state that an auditor “must have an impartial, unbiased attitude and avoid any conflict of interest.” The Standards also require “organizational independence” and provide definitions of “independence” and “objectivity.”
• GAGAS requires external peer reviews every three years; the IIA requires external peer reviews every five years.
• GAGAS defines three types of assurance engagements: financial, attestation, and performance; the IIA discusses assurance services but focuses on the auditor’s work and governance, risk assessment and controls.
• The IIA requires the development of an audit universe and annual work plan; GAGAS has no such requirement.
• Under GAGAS, auditors write ‘findings’ when fraud, abuse, internal control weaknesses and noncompliance are found; the IIA requires auditors to “communicate engagement results and where appropriate, the communication must contain the internal auditor’s opinion and/or conclusions.” These results must include issues of fraud, abuse, internal control weaknesses, and noncompliance. Each issue noted must include the condition, criteria, cause and effect.
• GAGAS requires 80 hours of CPE every two years; the IIA Standards state, “Internal Auditors must enhance their knowledge, skills, and other competencies through continuing professional development”, but do not specify a required number of hours for noncertified members. However, Certified Internal Auditors are required to have a minimum of 40 hours of continuing education every year. Certified Government Auditing Professionals are required to have 25% of their hours in government related training.

2.4—REFERENCES

https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx
http://gao.gov/yellowbook/overview
The Institute of Internal Auditors, Supplemental Guidance: IIA International Standard for the Professional Practice of Internal Auditing / Government Accountability Office Government Audit Standards (GAGAS) / A Comparison, 2nd Edition
Leita Hart-Fanta, CPA, CGFM, CGAP, For the Orange, April 9, 2013

Chapter 3 – Types of Engagements

3.1—OVERVIEW

This chapter describes the different types of government audits, attestation engagements, and other non-audit services provided by internal audit organizations. This description is not intended to limit or require the types of services that may be conducted. In conducting the services described in this chapter, auditors should follow the applicable standards adopted by their STA.

3.2—TYPES OF AUDITS

Financial audits provide an independent assessment of whether an entity’s reported financial statements are presented fairly in all material respects in conformity with an acceptable financial framework.
Other objectives of financial audits, which provide for different levels of assurance and entail various scopes of work, may include:
• Providing an opinion for specified elements, accounts, or items of a financial statement
• Reviewing interim financial information
• Issuing letters for underwriters and certain other requesting parties
• Reporting on the processing of transactions by service organizations
• Auditing compliance with applicable requirements relating to governmental financial assistance

Financial audits for states, local governments, and non-profit organizations are generally performed through the Single Audit process by outside entities. In addition, many STAs have “external audit” groups that conduct financial-related audits of architectural and engineering firms to provide assurance that their indirect cost rates are developed in compliance with federal requirements.

Performance audits are objective and systematic examinations of evidence against specific criteria in order to provide an independent assessment of the control design and operating effectiveness of a program or processes implemented to meet agency objectives. Performance audits provide an objective analysis to assist management and those charged with governance and oversight in using the information to improve program performance and operations, reduce costs, facilitate decision making by parties with responsibility to oversee or initiate corrective action, and contribute to transparency and public accountability.

Performance audit objectives vary widely and include assessments of program effectiveness, economy, and efficiency; internal control; compliance; and prospective analyses (defined later). These overall objectives are not mutually exclusive. Consequently, a performance audit may have more than one objective. Program effectiveness and results audits are frequently interrelated with economy and efficiency audits. Audit objectives that focus on program effectiveness and results typically measure the extent to which a program is achieving its goals and objectives. Audit objectives that focus on economy and efficiency address the costs and resources used to achieve program results.

Examples of program effectiveness and results audits include assessing:
• The extent to which legislative, regulatory, or organizational goals and objectives are being achieved, with outcomes that support the objectives of the program
• The relative ability of alternative approaches to yield better program performance or eliminate factors that inhibit program effectiveness
• The relative cost and benefits or cost effectiveness of program performance
• Whether a program produces results or effects not intended by the objectives
• The extent to which programs duplicate, overlap, or conflict with other programs
• Whether the audited entity is following sound procurement practices
• The validity and reliability of performance measures concerning the program’s effectiveness and efficiency
• The reliability, validity, or relevance of financial information related to the performance of a program
• Whether the outcomes achieved the objectives of the program

Internal control audits are an assessment of one or more components of an organization’s system of internal control. They are designed to provide reasonable assurance of achieving effective and efficient operations, reliable financial and performance reporting, or compliance with applicable laws and regulations. Internal control objectives also may be relevant when determining the cause of unsatisfactory program performance. Internal controls include the plans, policies, methods, and procedures used to meet the organization’s mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations, and management’s system for measuring, reporting, and monitoring program performance.

Examples of audit objectives related to internal control include the extent to which a program provides reasonable assurance that:
• Organizational missions, goals, and objectives are achieved effectively and efficiently.
• Resources are used in compliance with laws, regulations, or other requirements.
• Resources are safeguarded against unauthorized acquisition, use, or disposition.
• Management information and public reports that are produced, such as performance measures, are complete, accurate, and consistent to support performance and decision-making.
• Security over computerized information systems will prevent or detect unauthorized access.
• Contingency planning for information systems provides essential back-up to prevent unwarranted disruption of activities and functions the systems support.

Compliance audits are assessments of compliance with criteria established by provisions of laws, regulations, contracts, grant agreements, internal policies, or other requirements that could affect the acquisition, protection, use, and disposition of the entity’s resources and the quantity, quality, timeliness, and cost of services the entity produces and delivers. Compliance requirements can be either financial or nonfinancial.

Information technology audits include the evaluation of internal controls related to the development, operation, maintenance, and management of the information technology environment, infrastructure, and data. Some of the areas addressed include:
• Governance of policy and process documentation
• Physical and logical security
• Application and infrastructure assets
• Monitoring
• Business continuity/disaster recovery
• System development review
IT audits are becoming increasingly important as record keeping and transmission of non-public personal information rely on automation. When an information system is significant to the audit objective, the audit should include an evaluation of the information technology controls to provide reasonable assurance that the information being processed and produced by the system is valid and reliable.

Follow-up audits are designed to test the status and evaluate the effectiveness of corrective actions taken on audit issues reported in prior released reports.

3.3—ATTESTATION ENGAGEMENTS

The subject matter for attestation engagements may take many forms, including historical or prospective performance or condition, physical characteristics, analyses, system processes and behavior. Attestation engagements may cover a broad range of financial or non-financial subjects and can be part of a performance review. Possible subjects of attestation engagements can include reporting on:
• An entity’s internal control over financial reporting
• An entity’s compliance with requirements of specified laws, regulations, rules, contracts or grants
• The effectiveness of an entity’s internal control over compliance with specified requirements, such as those governing the bidding for, accounting for, and reporting on grants and contracts
• Management’s discussion and analysis presentation
• Prospective financial statements or pro-forma financial information
• The reliability of performance measures
• Final contract cost
• Allowability and reasonableness of proposed contract amounts and specific procedures performed on a subject matter (agreed-upon procedures)

There are three types of attestation engagements:

1. Examination
Examinations consist of obtaining sufficient evidence to express an opinion on whether the subject matter is based upon or in conformity with the criteria in all material respects, or whether the assertion is presented or fairly stated, in all material respects, based upon the criteria. Examinations provide the highest level of assurance outside of an audit. Since assurance is provided in an examination, the risk of undetected material misstatement must be reduced to a tolerable amount.

2. Review
Reviews consist of performing sufficient testing to express a conclusion about whether any information came to the auditors’ attention that indicates the subject matter is not based upon or in conformity with the criteria in all material respects. The auditor may conclude the assertion is not presented, in all material respects, based upon the criteria. Reviews provide negative assurance. Negative assurance means that nothing came to the auditors’ attention that would lead them to believe the subject matter did not conform to the criteria.

3. Agreed-upon procedures
Agreed-upon procedures consist of performing specific procedures on a subject matter and issuing a report of findings based upon the agreed-upon procedures. The auditors do not express an opinion about the subject matter but issue a report of findings based upon the specific procedures performed on the subject matter.

3.4—NON-AUDIT SERVICES OR CONSULTING SERVICES

Internal audit organizations may provide non-audit services or consulting services. These types of services are generally performed at the discretion of the head of the audit organization, requested by management of a bureau/division within the STA, or for an oversight body or independent external organization. Designed and executed appropriately, these services generally do not impair the auditors’ independence.
These services may be considered advisory services provided by an Internal Audit group to the STA. They are services, other than specific audit work, that are provided and are intended to add value and improve the organization’s governance, risk management, and control processes. Consulting services include counsel, advice, facilitation, or training regarding issues such as internal control structure, compliance, governance and risk management.

Consulting may come in the form of informal or formal consulting services. Informal consulting services generally consist of meeting with STA management and staff to discuss issues and requirements and provide advice. Generally no formal documentation of these services is required. They might consist of discussing with management or staff where they can find information regarding certain requirements or explaining how the requirements are generally viewed by an auditor. They may include an explanation of or training on the types of internal controls or their use.

Formal consulting comes in the form of a special project and requires documentation to support the services. The extent of the documentation required to support the services will depend upon the scope of the project and the work performed. However, sufficient evidence must be obtained to support any conclusions that are made.

Other examples of non-audit/consulting services include the following:
• Gathering and providing information to a requesting party without providing an evaluation or verification of the information
• Providing advice on potential improvements of standards, methodologies, policies, procedures, and internal control
• Providing assistance and technical expertise to legislative bodies or developing questions for use at legislative hearings
• Advising an entity regarding its performance of internal control assessments
• Providing advice to management officials to help them identify good business practices
• Conducting OMB A-133 Desk Reviews

Audit organizations may also be asked to perform prospective analysis engagements. These engagements provide analysis or conclusions about information that is based upon assumptions about events that may occur in the future, along with possible actions that the entity may take in response to future events. Examples of prospective analysis engagements may include:
• Performing risk assessments to determine program or policy alternatives, including forecasting program outcomes under various assumptions
• Assessing the advantages and disadvantages of legislative proposals
• Analyzing views of stakeholders on policy proposals for decision-makers
• Identifying best practices for use in evaluating program or management system approaches, including financial and information management systems
• Producing a high-level summary that affects multiple programs or entities on issues studied or under study

Chapter 4 – Audit Risk Assessment and Audit Plan

4.1—OVERVIEW

This section describes general steps for developing an STA’s Audit Risk Assessment and Audit Plan. The audit plan is usually developed annually but should be considered a living document that will change and grow.
Most audit plans are works in progress, and schedules change to meet department needs. A new program, department realignment/reorganization, or unexpected occurrences may change management’s needs, shifting some engagements to higher priority status and inserting engagements of new programs. The audit plan should be based upon the risks of the organization. The internal audit manager should prioritize the internal audit work based upon the risks of the various areas of responsibility of the STA. 4.2—IDENTIFY AUDIT UNIVERSE OR AUDITABLE UNITS In order to determine appropriate audit coverage, the internal audit manager, with input from executive management, should identify the auditable units within the STA. This enables internal audit to link the Internal Audit Plan to the STA risks based upon the primary owner of the process. Any additional areas responsible for completion of that particular process should also be identified within the auditable units. This is a vital component of the risk assessment process and consists of dividing the entire STA into various control areas that cover all responsibilities and functions of the STA. The key to maintaining a good schedule of auditable units is to periodically verify that there have been no changes or additions to the auditable units. The auditable units should be updated to reflect any changes in structure, functions or responsibility on at least an annual basis. When responsibility changes occur, historic data should be retained to reflect the previous responsibilities and audit coverage that was given. Once identified, engagements performed and scheduled for each auditable unit can be tracked to ensure regular engagements are performed as necessary. This will also assist in developing the audit plan based upon length of time since last audit and ensure that all auditable units are considered in the audit plan. 
Some auditable units, however, may be low risk and not receive an engagement due to limited internal audit resources. The limited internal audit resources should be scheduled for the areas of the STA that pose the highest risk. Using the identified audit universe, prepare a matrix of engagements performed for each auditable unit. It is helpful to maintain at least three to five years of data to facilitate scheduling future engagements.

4.3—BENEFITS OF AUDITABLE UNITS

There are many benefits to developing the auditable units of the STA. These include, but are not necessarily limited to, the following:

- Provides the framework for monitoring the internal control structure of the STA by operational area and provides the foundation for the risk assessment process
- Allows Internal Audit to communicate with each division or office of the STA in a standardized manner to monitor the STA’s internal controls
- Provides a mechanism for confirming whether all processes have been captured
- Provides a means for monitoring historic audit coverage for all functions and activities of the STA
- Demonstrates compliance with the standards and laws that may govern the internal audit function
- Considered an Internal Audit best practice

4.4—DEVELOP PERMANENT FILES

A permanent file is a useful tool to assist with the audit process. It provides basic and historic information for Internal Audit in assessing auditable units. These files are generally created as part of the audit process, but may be created separately as time allows. This helps provide a starting point not only for the Internal Audit Plan risk assessment but also for audit-specific risk assessments. It is also a primary source of information for the internal auditor assigned to a particular audit. Permanent files must be updated as changes occur in order for them to be useful.
Suggested information for permanent files includes, but is not necessarily limited to, the following:

- Applicable statutes, rules, and regulations
- Policies and procedures, manuals, guidelines
- Prior audits (external, internal, federal) that relate to the area
- Internal control certifications
- List of information technology systems used
- Interview notes
- System narratives

4.5—RISK ASSESSMENT

Internal Audit should develop procedures to be followed each year in performing the STA’s internal audit risk assessment. Management input should be one of the factors considered. Internal Audit should consider holding meetings with various levels of management to gain a further understanding of the risks and controls of the auditable units. Internal auditors are the internal control and risk management experts in their agency. Audit planning should be used as an opportunity to educate and increase management’s understanding of the internal audit function and the risk assessment process, and to ensure that there is a common understanding of definitions. A risk assessment questionnaire could be provided to management to assist them in determining their sections’ risks and needs.
The risk assessment questionnaire might include the following:

- Any changes to the auditable units
- New programs or initiatives
- Rapid growth or significant increases in funding or expenditures
- Turnover of key management or key personnel
- Reviews or audits by a federal agency, e.g., FHWA, FTA, FRA, FAA, NHTSA, FMCSA, GAO
- Media exposure
- Law changes
- Administrative rule changes
- Information technology that was developed or had major modifications in the last year, or any that is currently in process or planned
- Any fraudulent activity, improper conduct, blatant disregard for procedures, or suspected or improper use of assets or state resources
- Any processes or programs they would like Internal Audit to review
- A ranking of what they consider to be the five most significant areas or processes for which they are responsible

Meetings should be scheduled with Executive Management and the Audit Committee, if applicable, to obtain their audit requests and the areas of concern they would like considered. Consider informal sources of audit requests, such as concerns noted in conversations and emails from STA staff members, anonymous tips, and auditor observations and concerns noted in other audits. Perform risk assessments on all the auditable units to determine priorities, taking into consideration any audit requests that are received. Each year, new audit requests may be added and a risk assessment conducted to prioritize and insert new requests into the ongoing list.

4.6—RISK ASSESSMENT CRITERIA

A formal risk assessment should be developed which includes the various criteria deemed significant to the STA. A risk assessment usually includes consideration of both the impact and the probability of occurrence for any given risk. Impact is somewhat conspicuous in the suggested criteria below; however, the probability of occurrence should also be kept in mind.
Suggested criteria may include, though are not limited to, the following:

- Revenues/expenditures
- Federal responsibilities/requirements
- Legal responsibilities/requirements
- Public impact or exposure
- Impact to the STA
- Management needs
- Date of last audit
- Prior experience with auditee
- Inherent risk factors (high activity, high volume, complexity of operations, dollar value of assets, etc.)
- Potential for fraud (improper conduct, suspected misuse, improper use of assets, blatant disregard for procedures)
- Strength of internal controls
- Reported problems on last audit, external audit, or U.S. Department of Transportation (USDOT) reviews
- Potential efficiency improvements
- New programs, initiatives, or activities
- Change in key personnel
- New IT systems or major changes to IT systems key to the department
- Estimated audit time

4.7—CONSIDERATION OF INTERNAL CONTROLS

To achieve the objectives of the agency, management must sometimes place assets at risk. It is management's responsibility to decide how much and what risk it is willing to accept to achieve the objectives of the agency. Management mitigates risks and ensures that management’s objectives are met through the use of internal controls. Identifying and assessing threats helps management recognize vulnerabilities in the internal control system. Based upon this information, management can provide appropriate controls to mitigate risk. The internal auditor should consider these areas during their meetings with management to assess which programs and functions pose the highest risk to the agency and should therefore receive internal audit coverage first.

Some common threats include the following:

- Management override - Controls are readily set aside at the option of management or personnel.
- Optional or incomplete controls - Controls that say “may,” or that give options without guidance for making decisions on how to proceed, are not effective.
  Clear direction regarding the choice should be made.
- Form over substance - Controls appear to be well designed but are ineffective or miss their intended mark.
- Conflicts of interest - Cause personnel to place their interest above that of the organization.
- Access to assets - Having improper or unauthorized access to assets can result in theft, misuse, or abuse.
- Inadequately trained or informed personnel - Personnel who don’t understand the reason or necessity for a particular control, or the desired result, may not properly execute the necessary steps.
- Inadequate separation of duties - Multiple control points are the responsibility of one person.

Chapter 5 discusses internal control in more detail.

4.8—INTERNAL CONTROL WEAKNESSES

Another key component of the risk assessment process is gaining an understanding of why internal control weaknesses occur. Understanding these weaknesses helps management monitor for appropriate and effective internal controls. Internal Audit should consider these factors and determine whether they exist as they walk through the risk assessment process with management.
Some common reasons internal control weaknesses occur may include the following:

- Poorly designed or implemented internal control processes (the process becomes routine due to familiarity and steps in the process are overlooked)
- Information concerning a law, rule, or procedure was not adequately communicated
- Employees not properly trained or instructed
- Personnel not knowledgeable of the importance of a step or process and its impact on another area
- Confusion over who is responsible (each area incorrectly thinks the other is handling the process)
- Time constraints
- Inadequate resources devoted to the process
- Employees unknowingly overlooked something
- Personnel are comfortable with the current process and resistant to change

4.9—ANALYSIS OF INTERNAL AUDIT RESOURCES

To determine the number of internal engagements to be scheduled, an analysis of available staff hours should be conducted. The internal audit manager should consider the following in determining the hours available:

- Total annual hours
- Holidays
- Annual leave
- Sick leave
- Training
- Miscellaneous administrative time

Other considerations might include:

- Additional annual leave for long-term employees
- Retirements/resignations
- Time required to replace employees who retire or resign
- Furlough days
- Extended use of leave (family and medical leave, military leave, disability, and sick leave)
- Other types of reviews, consulting, and non-audit services

4.10—DEVELOPING THE AUDIT WORK PLAN

Based on the risk assessment and the analysis of staff availability, an audit work plan should be developed. Remember to include any needs for audit follow-ups (e.g., 90–120 days). It may be helpful to develop two types of audit work plans. One type would give a narrative describing each engagement. The second type would be a scheduling tool to assign auditors to each selected engagement with time estimates across the twelve months.
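Sections 4.5 through 4.10 describe one procedure: score each auditable unit on impact and probability (adjusted for the date of the last audit and for audit requests), compute the staff hours actually available, and fill the work plan highest risk first with follow-up time reserved. The following Python script is an added example, not part of the guide; the scoring weights, the sample units and the capacity figures are assumptions chosen to illustrate the steps.

```python
"""Risk-ranked audit work plan, as an added example (not from the AASHTO guide).

Assumed scoring model (the guide lists criteria but prescribes no formula):
  risk = impact * probability (each scored 1-5)
       + 1 per full year since the last engagement, capped at 3
         (a unit never audited receives the cap)
       + 2 if management or the audit committee requested the engagement
Available hours follow 4.9: total annual hours less the listed deductions.
Engagements are scheduled highest risk first until hours run out, with
follow-up hours reserved for each scheduled engagement (4.10).
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class AuditableUnit:
    name: str
    impact: int                   # 1 (low) .. 5 (high) if the risk occurs
    probability: int              # 1 (remote) .. 5 (likely) to occur
    last_audit: Optional[date]    # None if the unit has never been audited
    estimated_hours: int          # staff hours for the engagement
    requested: bool = False       # audit request from management/committee


@dataclass
class StaffCapacity:
    """Hours available for engagements, following the 4.9 deductions."""
    total_annual_hours: int
    holidays: int = 0
    annual_leave: int = 0
    sick_leave: int = 0
    training: int = 0
    admin: int = 0
    other: int = 0   # furloughs, extended leave, non-audit services, etc.

    def available_hours(self) -> int:
        deductions = (self.holidays + self.annual_leave + self.sick_leave
                      + self.training + self.admin + self.other)
        return max(self.total_annual_hours - deductions, 0)


def risk_score(unit: AuditableUnit, as_of: date) -> int:
    """Impact x probability, adjusted for audit staleness and requests."""
    score = unit.impact * unit.probability
    if unit.last_audit is None:
        score += 3
    else:
        years_since = (as_of - unit.last_audit).days // 365
        score += min(years_since, 3)
    if unit.requested:
        score += 2
    return score


def rank_units(units: List[AuditableUnit], as_of: date) -> List[AuditableUnit]:
    """Highest risk first; ties broken by name so the order is stable."""
    return sorted(units, key=lambda u: (-risk_score(u, as_of), u.name))


def build_work_plan(units: List[AuditableUnit], capacity: StaffCapacity,
                    as_of: date, follow_up_hours: int = 8
                    ) -> Tuple[List[str], List[str], int]:
    """Greedy fill of the year: returns (scheduled, deferred, hours left).

    A unit that does not fit is deferred; lower-risk units that still fit
    are scheduled, so a low-risk unit may go without an engagement."""
    remaining = capacity.available_hours()
    scheduled: List[str] = []
    deferred: List[str] = []
    for unit in rank_units(units, as_of):
        needed = unit.estimated_hours + follow_up_hours
        if needed <= remaining:
            scheduled.append(unit.name)
            remaining -= needed
        else:
            deferred.append(unit.name)
    return scheduled, deferred, remaining


# Constructed sample data for a hypothetical STA; not taken from the guide.
AS_OF = date(2014, 7, 1)
SAMPLE_UNITS = [
    AuditableUnit("Construction payments", 5, 4, date(2011, 3, 1), 400),
    AuditableUnit("Fuel card program", 3, 3, None, 120, requested=True),
    AuditableUnit("Fleet maintenance", 2, 2, date(2013, 9, 1), 160),
    AuditableUnit("Federal-aid billing (FHWA)", 5, 3, date(2012, 6, 1), 300),
    AuditableUnit("Records management", 1, 2, date(2013, 1, 1), 80),
]
# One auditor at 2,080 hours a year, less the 4.9 deductions: 992 hours.
SAMPLE_CAPACITY = StaffCapacity(2080, holidays=88, annual_leave=120,
                                sick_leave=40, training=40, admin=200,
                                other=600)

if __name__ == "__main__":
    for u in rank_units(SAMPLE_UNITS, AS_OF):
        print(f"{risk_score(u, AS_OF):3d}  {u.name}")
    print(build_work_plan(SAMPLE_UNITS, SAMPLE_CAPACITY, AS_OF))
```

With the sample data the highest-risk units fill the year and the mid-ranked "Fleet maintenance" is deferred while the small low-risk engagement still fits, which is the trade-off section 4.2 warns about when resources are limited.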
Another consideration for scheduling engagements is the auditee’s schedule, which may include deadlines or busy seasons. These factors, as well as others specific to your STA, should be taken into account when scheduling.

It may also be helpful to prepare a two-year audit plan in order to assist with prioritizing engagements and resources. However, the second year of the internal audit plan is always reconsidered at the time the next year’s two-year plan is developed. This is due to changes in circumstances and risks that may occur over the one-year period since the plan was last developed.

Final meetings with the STA’s chief executive officer and the audit committee, if applicable, should be scheduled to obtain concurrence with and approval of the proposed audit work plan. Any scheduling concerns should be communicated at this time.

Chapter 5 – Internal Control

5.1—OVERVIEW

Internal control is a system implemented by an organization’s governing body and management that helps ensure key financial, operational, and regulatory objectives are achieved. Internal control is affected by an entity’s management and other personnel; it is not merely policy manuals and forms, but involves people at every level of an organization. Internal control is pervasive, impacting people, process, and technology. It can be expected to provide reasonable assurance, not absolute assurance, to an organization’s management. This guide adopts the internal control direction provided by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. In May 2013, COSO updated its Internal Control – Integrated Framework to take into account changes in the business environment and operations over the last 20 years.
5.2—COSO CATEGORIES

Internal control is broadly defined as a process, affected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three COSO categories:

1. Reporting - related to the internal and external financial and nonfinancial reporting to stakeholders, encompassing reliability, timeliness, transparency, or other elements as established by regulators, standard setters, or the entity’s policies
2. Compliance - adhering to those laws and regulations to which the entity is subject, where non-compliance could result in penalties, fines, or negative impacts to reputation
3. Operations - addresses an entity’s basic business objectives, including performance and goals and the safeguarding of resources

In assessing the design and operating effectiveness of internal controls under the COSO framework, management also considers the five components of internal control as depicted in the COSO “Cube.” If designed and operating effectively, controls within these five components in totality provide a framework for internal control. The 2013 framework incorporates 17 principles that support these five components. For effective internal control, the 2013 framework requires that each of the five components and the 17 relevant principles be present and functioning, and that the five components operate together in an integrated manner. “Present” means that the components and relevant principles exist in the design and implementation of the system of internal control. “Functioning” means that the components and relevant principles continue to exist in the conduct of the system of internal control.

5.3—FIVE COMPONENTS OF COSO

1. Control Environment

The control environment sets the tone of an organization, influencing the control consciousness of its people.
It is the set of standards, processes, and structures that provides the basis for carrying out internal control across the organization. It is the foundation for all other components of internal control, providing discipline and structure. The five principles relating to the control environment are:

1) The organization demonstrates a commitment to integrity and ethical values.
2) The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3) Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4) The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5) The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

2. Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. Risk assessment is the identification and analysis of relevant risks that could affect the achievement of the entity’s objectives, forming a basis for determining how the risks should be managed. The four principles relating to risk assessment are:

1) The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
2) The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
3) The organization considers the potential for fraud in assessing risks to the achievement of objectives.
4) The organization identifies and assesses changes that could significantly affect the system of internal control.

3. Control Activities

Control activities are the policies and procedures that help determine if management directives are carried out. They help facilitate the necessary actions required to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties. The three principles relating to control activities are:

1) The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
2) The organization selects and develops general control activities over technology to support the achievement of objectives.
3) The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action.

4. Information and Communication

Pertinent information must be identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities. Information systems produce reports, containing operational, financial, and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but with information about external reporting as well. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream.
There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and stakeholders. The three principles relating to information and communication are:

1) The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
2) The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
3) The organization communicates with external parties about matters affecting the functioning of internal control.

5. Monitoring Activities

Internal control systems need to be monitored, a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The 2013 Framework distinguishes between a management review control as a control activity and as a monitoring activity. A management review control that is a control activity responds to a specified risk and is designed to detect and correct errors. However, a management review control that is a monitoring activity would ask why the errors exist, and then assign the responsibility of fixing the process to the appropriate personnel. The two principles relating to monitoring activities are:

1) The organization selects, develops, and performs ongoing or separate evaluations to ascertain whether the components of internal control are present and functioning.
2) The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
The COSO 2013 Framework became effective December 15, 2014.

5.4—COBIT

While COSO is commonly accepted as the internal control framework for organizations, the Control Objectives for Information and related Technology (COBIT) is the accepted internal control framework for the information technology (IT) environment. COBIT was first released by the Information Systems Audit and Control Foundation (ISACF) in 1996 and has been updated to include current IT governance principles and emerging international, technical, professional, regulatory, and industry-specific standards. The resulting control objectives have been developed for application to organization-wide information systems. Now in Edition 4.1, COBIT is intended to meet the multiple needs of management by bridging the gaps between business risks, control needs, and technical issues.

The COBIT framework is based on the following principle: to provide the information that the organization requires to achieve its objectives, the organization needs to invest in, manage, and control IT resources using a structured set of processes to provide the services that deliver the required organization information.

The COBIT framework identifies 34 IT processes and has an approach to provide control over these processes. It provides a generally applicable and accepted standard for sound IT security and control practices to support management’s needs in determining and monitoring the appropriate level of IT controls for their organizations. The COBIT framework is structured in four principal domains. Each domain includes unique processes, which sum to the 34 IT processes discussed above. This structure serves as a process model for an enterprise to manage IT activities.

1. PLAN AND ORGANIZE (PO)

The Plan and Organize domain covers strategy and tactics and identifies how IT can best contribute to the achievement of the business objectives.
The realization of the strategic vision needs to be planned, communicated, and managed from different perspectives. A proper organization as well as technological infrastructure should be put in place. The Plan and Organize domain addresses the following processes:

PO1—Define a strategic IT plan
PO2—Define the information architecture
PO3—Determine technological direction
PO4—Define the IT processes, organizations, and relationships
PO5—Manage the IT investment
PO6—Communicate management aims and direction
PO7—Manage IT human resources
PO8—Manage quality
PO9—Assess and manage IT risks
PO10—Manage projects

2. ACQUIRE AND IMPLEMENT (AI)

To realize the IT strategy, IT solutions need to be identified, developed or acquired, and implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to ensure the solutions continue to meet business objectives. The Acquire and Implement domain addresses the following processes:

AI1—Identify automated solutions
AI2—Acquire and maintain application software
AI3—Acquire and maintain technology infrastructure
AI4—Enable operation and use
AI5—Procure IT resources
AI6—Manage changes
AI7—Install and accredit solutions and changes

3. DELIVER AND SUPPORT (DS)

The Deliver and Support domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities.
It addresses the following processes:

DS1—Define and manage service levels
DS2—Manage third-party services
DS3—Manage performance and capacity
DS4—Ensure continuous service
DS5—Ensure systems security
DS6—Identify and allocate costs
DS7—Educate and train users
DS8—Manage service desk and incidents
DS9—Manage the configuration
DS10—Manage problems
DS11—Manage data
DS12—Manage the physical environment
DS13—Manage operations

4. MONITOR AND EVALUATE (ME)

All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. The Monitor and Evaluate domain addresses performance management, monitoring of internal control, regulatory compliance, and governance. It addresses the following processes:

ME1—Monitor and evaluate IT performance
ME2—Monitor and evaluate internal control
ME3—Ensure compliance with external requirements
ME4—Provide IT governance

5.5—UNDERSTANDING AN AUDITEE’S INTERNAL CONTROLS

The auditor’s understanding of the client’s internal control is usually gained through the following procedures:

Prior experience with the entity - This can be a major source of audit efficiency in recurring audits. Because systems and controls usually don’t change frequently or significantly from year to year, information obtained by the auditor in previous audits of the entity can be updated and carried forward to the current year’s audit.

Inquiries of management, supervisory, and staff personnel within the entity - The auditor may inquire about the types of accounting documents used to process transactions and about control activities that have been placed in operation for authorizing, for example, a credit.

Observation of client activities and procedures - The auditor can observe client personnel in the process of preparing accounting records and documents and carrying out their assigned accounting and control functions.
Inspection of accounting documents and records - By inspecting actual, completed documents and records, the auditor can better understand their application to the entity’s internal control. The auditor may wish to obtain copies of sample documents used by the entity for inclusion in the permanent file.

Entity’s policy and system manuals - This includes both (1) policy manuals and documents, and (2) system manuals and documents, such as an accounting manual and an organization chart.

5.6—DOCUMENTING INTERNAL CONTROLS

The auditor documents their understanding of internal controls to:

- Provide evidence of the understanding of the design of significant processes.
- Identify key risks within the process.
- Identify controls that would prevent or detect errors from occurring within the process.
- Identify control gaps and process improvement opportunities.

This documentation may take several forms, such as:

Flowchart – A diagram that shows step-by-step progression through a procedure or system, especially using connecting lines and a set of conventional symbols. The purpose of flowcharting is to:

- Be a tool for analyzing processes.
- Break down processes into individual events and activities, usually by process or event owner.
- Identify interdependencies across the business.
- Link system and manual activities.
- Identify control gaps, segregation of duties, problems, and inefficiencies.

Narrative – A document that describes a process or transaction flow using words rather than a pictorial representation. The purpose of a narrative is to:

- Provide evidence of understanding of a process.
- Identify and document key risks, controls, and control gaps.
- Confirm understanding with the process owner.
- Provide knowledge that can be used in future years by other employees.

Walkthrough – A document that traces one representative transaction through a process from beginning to end.
The purpose of a walkthrough is to:

- Confirm understanding of the significant flow of transactions.
- Confirm understanding of the relevant controls.
- Confirm that relevant controls have been placed in operation.
- Confirm process documentation.

Internal Control Questionnaire – Designed to identify basic control issues and used as a guide for improving or implementing good business practices and complying with policies and procedures.

5.7—INTERNAL CONTROL OVER FINANCIAL REPORTING

Auditors must understand the concepts of internal control, specifically internal control over financial reporting. The AICPA’s Statement on Auditing Standards No. 115, as applicable, requires auditors to evaluate whether identified internal control deficiencies are significant deficiencies or material weaknesses as they relate to financial reporting reliability. In addition, the conclusion that significant internal control deficiencies or material internal control weaknesses exist should be communicated in writing to management and the entity’s governing body.

A sound system of internal control over financial reporting includes control design and operating effectiveness to provide reasonable assurance that the entity’s financial statements are fairly presented in accordance with generally accepted accounting principles. Internal controls over financial reporting are evaluated based upon the auditor’s risk assessment procedures to determine whether controls are designed adequately and operating effectively to provide reasonable assurance of financial reporting reliability. The entity’s ability to prevent and detect financial misstatement is evaluated and determines whether a significant deficiency or material weakness exists.

5.8—EVALUATION OF INTERNAL CONTROLS

Auditors can verify whether controls are implemented as designed through testing, reviews, observations, and analytical procedures.
Auditors can determine the validity and accuracy of transactions, determine compliance with applicable rules, laws, and procedures, and assess the adequacy of existing controls. Evaluation tools include:

- Testing by statistical sampling – focuses on sampling techniques that provide assurance based on a sampling risk that the auditor and stakeholders deem acceptable
- Testing by direct sampling – focuses more closely on specific transactions or certain types of transactions and can be used when the population under review is not homogeneous
- Reviews/interviews – used when the performance of a process does not lend itself to normal testing procedures
- Observation – looks at actual practices to see if appropriate controls are actually in place and working
- Analytical procedure – takes information as a whole and applies some set standard, analysis, or comparison

5.9—CLASSIFYING INTERNAL CONTROL WEAKNESSES FOR REPORTING

Upon determining that controls are inadequately designed or implemented, auditors shall communicate the weakness to management based upon the likelihood and magnitude of the concern. This communication may be verbal, written via an informal management letter, or reported formally, such as in the audit report. The matrix below can help auditors determine how or where to report the weakness to management.
Rows give the likelihood of misstatement or error; columns give the magnitude of misstatement (or error) that occurred or could occur. Each cell states the classification and how it is reported.

| Likelihood of misstatement or error | Inconsequential | More than inconsequential but less than material | Material |
| Remote | Not a significant deficiency or material weakness. Do not report. | Not a significant deficiency or material weakness. Report informally, verbally or via management letter. | Not a significant deficiency or material weakness. Report informally, verbally or via management letter. |
| More than remote | Not a significant deficiency or material weakness. Report informally, verbally or via management letter. | Significant deficiency. Report formally, via audit report. | Material weakness. Report formally, via audit report. |

Chapter 6 – USDOT Agencies and Descriptions

6.1—USDOT AGENCIES AND DESCRIPTIONS

The United States Department of Transportation (USDOT) is responsible for overseeing all federal transportation programs. The USDOT was established by an act of Congress, signed into law by President Lyndon B. Johnson on October 15, 1966. The Department's first official day of operation was April 1, 1967. The USDOT consists of the Office of the Secretary, an independent Office of Inspector General (OIG), and the following 11 individual Operating Administrations: the Federal Aviation Administration (FAA), the Federal Highway Administration (FHWA), the Federal Motor Carrier Safety Administration (FMCSA), the Federal Railroad Administration (FRA), the National Highway Traffic Safety Administration (NHTSA), the Federal Transit Administration (FTA), the Maritime Administration (MARAD), the Saint Lawrence Seaway Development Corporation (SLSDC), the Research and Innovative Technologies Administration (RITA), the Pipeline and Hazardous Materials Safety Administration (PHMSA), and the Surface Transportation Board (STB).
The Office of the Secretary, the OIG, and the 11 Administrations of USDOT are discussed in more detail on their website at: http://www.dot.gov/administrations

- Office of the Secretary of Transportation (OST)
- Federal Aviation Administration (FAA)
- Federal Highway Administration (FHWA)
- Federal Motor Carrier Safety Administration (FMCSA)
- Federal Railroad Administration (FRA)
- Federal Transit Administration (FTA)
- Maritime Administration (MARAD)
- National Highway Traffic Safety Administration (NHTSA)
- Office of Inspector General (OIG)
- Pipeline and Hazardous Materials Safety Administration (PHMSA)
- Research and Innovative Technology Administration (RITA)
- Saint Lawrence Seaway Development Corporation (SLSDC)
- Surface Transportation Board (STB)

The next several sections provide more information about the Office of the Secretary, Office of Inspector General and 11 Administrations of USDOT.

6.2—OFFICE OF THE SECRETARY
http://www.dot.gov/office-of-secretary

Leadership of USDOT is provided by the Secretary of Transportation through the Office of the Secretary. The Secretary of Transportation is the principal adviser to the President of the United States in all matters relating to federal transportation programs. The Secretary of Transportation is assisted in their responsibilities by a Deputy Secretary of Transportation. The Office of the Secretary is responsible for the formulation of national transportation policy and promotes intermodal transportation. Specifically, they are responsible for:

- Negotiating and implementing the international transportation agreements
- Ensuring the fitness of U.S. airlines and enforcing airline consumer protection regulations
- Coordinating an effective highway transportation system
- Ensuring motor carrier safety for the operation of commercial motor vehicles
- Promoting safe and environmentally sound rail transportation
- Promoting, developing, and maintaining an adequate water transportation system
- Reducing deaths, injuries and economic losses resulting from motor vehicle crashes
- Issuing regulations to prevent alcohol and illegal drug misuse in transportation systems
- Developing improved mass transportation systems for cities and communities nationwide
- Overseeing the safety of shipments of hazardous materials in the United States and the nation's energy that is transported by pipelines
- Identifying and facilitating solutions to the challenges and opportunities facing America's transportation system
- Operating and maintaining a safe, reliable, and efficient waterway for commercial and noncommercial vessels between the Great Lakes and the Atlantic Ocean
- Ensuring that competitive, efficient, and safe transportation services are provided to meet the needs of shippers, receivers, and consumers
- Preparation of transportation related legislation

These tasks are accomplished through the 11 USDOT operating administrations discussed below. Primary state interaction is through various grant programs; for specific information regarding the available programs and their significant compliance requirements, see the Catalog of Federal Domestic Assistance (CFDA) web site at: https://www.cfda.gov/

In addition, federal grant guidance has been combined and is now located at 2 CFR Part 200: "Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards."

6.3—FEDERAL AVIATION ADMINISTRATION
http://www.faa.gov/

The Federal Aviation Administration (FAA) oversees the safety of civil aviation.
The FAA sees as its main priority its mission of safety, which includes the issuance and enforcement of regulations and standards related to the manufacture, operation, certification and maintenance of aircraft. The agency is responsible for the rating and certification of airmen and for certification of airports serving air carriers. It also regulates a program to protect the security of civil aviation, and enforces regulations under the Hazardous Materials Transportation Act for shipments by air. Programs implemented by states for oversight of aeronautics are based upon these federal regulations.

The FAA operates a network of airport towers, air route traffic control centers, and flight service stations; develops air traffic rules; allocates the use of airspace; and provides for the security control of air traffic to meet national defense requirements. Other responsibilities include the construction or installation of visual and electronic aids to air navigation and promotion of aviation safety internationally. The FAA, which regulates and encourages the U.S. commercial space transportation industry, also licenses commercial space launch facilities and private sector launches.

Primary interaction of STAs pertains to the issuance of grants for the planning and development of public use airports through the Airport Improvement Program (AIP). In some states, these grants are passed through the STA, and in other states grants are issued directly to airports or airport authorities, depending upon that state's authority and laws.

To promote the development of a system of airports to meet the nation's needs, the federal government embarked upon a grants-in-aid program for units of state and local governments shortly after the end of World War II. The first program was the Federal-Aid Airport Program (FAAP), which was authorized by the Federal Airport Act of 1946.
In 1970, a more comprehensive program was established with the passage of the Airport and Airway Development Act of 1970. This Act provided grants for airport planning under the Planning Grant Program (PGP) and for airport development under the Airport Development Aid Program (ADAP). The current grant program, AIP, was established by the Airport and Airway Improvement Act of 1982 (Public Law 97-248). Since then, the AIP has been amended several times, most recently with the passage of the FAA Modernization and Reform Act of 2012. Funds obligated for the AIP are drawn from the Airport and Airway Trust Fund, which is supported by user fees, fuel taxes, and other similar revenue sources.

Grants through AIP are provided for improvements to public use airports. A public use airport is an airport that has been included in the National Plan of Integrated Airport Systems (NPIAS). The NPIAS, which is prepared and published every 2 years, identifies public-use airports that are important to public transportation and contribute to the needs of civil aviation, national defense, and the Postal Service.

A public-use airport is an airport open to the public that also meets one of the following criteria:

- Publicly owned
- Privately owned but designated by FAA as a reliever
- Privately owned but having scheduled service and at least 2,500 annual enplanements

Recipients of grants are referred to as "sponsors." The description of eligible grant activities is described in the authorizing legislation and relates to capital items serving to develop and improve the airport in areas of safety, capacity, and noise compatibility. In addition to these basic principles, a sponsor must be legally, financially, and otherwise able to carry out the assurances and obligations contained in the project application and grant agreement.
Eligible projects include those improvements related to enhancing airport safety, capacity, security, and environmental concerns. In general, sponsors can use AIP funds on most airfield capital improvements or repairs and in some specific situations, for terminals, hangars, and nonaviation development. Other eligible activities include any professional services that are necessary for eligible projects, such as planning, surveying, and design. Aviation demand at the airport must justify the projects, which must also meet Federal environmental and procurement requirements.

6.4—FEDERAL HIGHWAY ADMINISTRATION
http://www.fhwa.dot.gov/

The Federal Highway Administration (FHWA) coordinates highway transportation programs in cooperation with states and other partners to enhance the country's safety, economic vitality, quality of life, and the environment.

The first comprehensive federal highway program was signed into law by President Woodrow Wilson on July 11, 1916. This launched the partnership between the federal and state governments which became known as the Federal-aid Highway Program. It was endorsed by the American Association of State Highway Officials (AASHTO), which had been formed in December 1914 by the various state transportation officials in an effort to coordinate transportation. FHWA was created on October 15, 1966, and in 1967 the functions of the Bureau of Public Roads were transferred to FHWA. The Office of Road Inquiry, formed October 3, 1893, was the first predecessor to FHWA. The name of the Office of Road Inquiry was changed to the Office of Public Roads in 1918.

FHWA provides grants to states through the Federal-Aid Highway Program, which provides federal financial assistance to the states to construct and improve the National Highway System, urban and rural roads, and bridges.
Programs include:

- Highway Planning and Construction
- Highway Research and Development
- Highway Training and Education
- Recreation Trails Program
- Transportation Infrastructure Finance and Innovation Act (TIFIA)
- Fuel Tax Evasion – Intergovernmental Enforcement Effort
- Federal Lands Highway

Through its various programs, FHWA provides funds for general improvements and development of safe highways and roads. The main revenue source for these grants is the Federal Motor Fuel Tax. USDOT provides support to the state highway system by providing financial assistance for the construction, maintenance, and operation of the nation's 3.9 million-mile highway network, including the interstate highway system, primary highways, and secondary local roads. The program is administered by FHWA in cooperation with state and local governments. Local governments or local public agencies (LPAs) are the country's cities, towns, and other municipal forms of government that operate about 75% or 2.9 million miles of the nation's roadways.

The first major federal road program was established pursuant to the Federal Aid Road Act of 1916. Funding to state highway agencies was apportioned by a formula based upon land area, population and road miles. The Federal Aid Highway Act of 1956 provided for the development of the interstate highway system, which is now known as the Eisenhower Interstate System after President Eisenhower, who pushed for its enactment. President Eisenhower's support for the interstate system was based largely upon civilian needs to support economic development, improved highway safety, and congestion relief, as well as reduction of motor vehicle-related lawsuits. He also understood the military value of the interstate system, as well as its use in evacuations. It has made travel between the states more efficient, economical, safe, and timely.
That is why, since its inception, it has been considered a vital national interest.

Federal-aid highway program funds are provided to assist STAs in the planning and development of an integrated, interconnected transportation system important to interstate commerce and travel by constructing and rehabilitating the National Highway System (NHS), including the Eisenhower Interstate System; and for transportation improvements to many other public roads. Funds may be used for:

- Providing aid for the repair of Federal-aid highways following disasters
- Fostering safe highway design
- Replacing or rehabilitating deficient or obsolete bridges
- Environmental studies
- Engineering and design services
- Right-of-way acquisition and relocation assistance, and construction for capital improvement projects classified as new construction, reconstruction, restoration, rehabilitation, and resurfacing, or for functional, geometric, or safety reasons
- Planning; research, development, and technology transfer
- Intelligent transportation systems projects
- Roadside beautification
- Wetland and natural habitat mitigation
- Traffic management and control improvements
- Improvements necessary to accommodate other transportation modes
- Development and establishment of transportation management systems
- Billboard removal
- Construction of bicycle facilities and pedestrian walkways
- Fringe and corridor parking
- Car pool and van pool projects
- Transportation alternatives and enhancements such as scenic and historic highway improvements, and recreational trails
- Other special purposes regarding transportation

Funds generally cannot be used for routine highway operational activities, such as police patrols, mowing, snow plowing, or maintenance, unless it is preventative maintenance.
In addition, funds authorized for the National Highway Performance Program (NHPP), Surface Transportation Program (STP), Congestion Mitigation and Air Quality (CMAQ) Improvement Program, and some additional programs may be used for mass transportation improvements. CMAQ funds are limited to projects and programs in air quality, non-attainment, and maintenance areas for ozone, carbon monoxide, and small particulate matter that reduce transportation-related emissions, though provision is made for states without air quality issues. Eligibility criteria for the programs differ, so program guidance should be consulted.

Projects in urban areas of 50,000 or more population must be based on a transportation planning process carried out by a metropolitan planning organization (MPO) in cooperation with the state and transit operators, and the projects must be included in metropolitan transportation plans and improvement programs. Projects in non-metropolitan areas of a state must be consistent with a statewide transportation plan. Projects in both metropolitan and non-metropolitan areas must also be included in a fiscally constrained Statewide Transportation Improvement Program (STIP) developed as part of the required statewide transportation planning process. The FHWA and the Federal Transit Administration (FTA) must approve the STIP jointly. Program requirements and restrictions are contained in Title 23 United States Code. There are discretionary funds remaining from previous authorizations, which may remain available until expended.

6.5—FEDERAL MOTOR CARRIER SAFETY ADMINISTRATION
http://www.fmcsa.dot.gov/

The Federal Motor Carrier Safety Administration (FMCSA) was established within the Department of Transportation on January 1, 2000, pursuant to the Motor Carrier Safety Improvement Act of 1999, which was effective December 9, 1999.
The FMCSA's primary mission is to prevent commercial motor vehicle-related fatalities and injuries. To accomplish these activities, the Administration works with federal, state, and local agencies, the motor carrier industry, and labor safety interest groups. FMCSA activities contribute to:

- Ensuring safety in motor carrier operations through strong enforcement of safety regulations, targeting high-risk carriers and commercial motor vehicle drivers.
- Improving safety information systems and commercial motor vehicle technologies, strengthening commercial motor vehicle equipment and operating standards.
- Increasing safety awareness.

Funding for the activities of the various states for this program is provided through the National Motor Carrier Safety program grants, which include the following:

- Commercial Motor Carrier Inspections
- Performance and Registration Information Systems Management
- Commercial Driver's License Program Improvement Grant
- Border Enforcement Grants
- Safety Data Improvement Program
- Commercial Motor Vehicle Operator Training Grants
- Commercial Vehicle Information Systems and Network
- Commercial Driver's License Information System (CDLIS) Modernization Grant
- Motor Carrier Research and Technology Programs

6.6—FEDERAL RAILROAD ADMINISTRATION
http://www.fra.dot.gov/Page/P0001

The Federal Railroad Administration (FRA) promotes safe and environmentally sound rail transportation. With the responsibility of ensuring railroad safety throughout the nation, the FRA employs safety inspectors to monitor railroad compliance with federally mandated safety standards including track maintenance, inspection standards, and operating practices. The FRA conducts research and development tests to evaluate projects in support of its safety mission and to enhance the railroad system as a national transportation resource. Public education campaigns on highway-rail grade crossing safety and the danger of trespassing on rail property are also administered by FRA.
The FRA was created by the Department of Transportation Act of 1966. A series of bankruptcies and consolidations left the rail system in the hands of a few large operations by the 1980s. Almost all long-distance passenger traffic was shifted to Amtrak, which was formed during President Nixon's administration in 1971 when Congress passed the Rail Passenger Service Act of 1970. This legislation established the National Railroad Passenger Corporation to take over the intercity passenger rail service that had been operated by private railroads. Amtrak began service on May 1, 1971, serving 43 states with a total of 21 routes. This greatly relieved the railroads from the burden of supplying the less profitable passenger rail service.

FRA supports passenger and freight railroading through a variety of competitive grants, dedicated grant and loan programs to develop safety improvements, relieve congestion, and encourage the expansion and upgrade of passenger and freight rail infrastructure and services. FRA also provides training and technical assistance to grantees and stakeholders. The FRA provides grants primarily through states for the development of rail transportation through various programs including:

- Railroad safety
- Railroad research and development
- Railroad development
- National Railroad Passenger Corporation grants
- Railroad Rehabilitation and Improvement Financing Program
- Capital assistance to States – Intercity Passenger Rail Service
- Maglev Project Selection Program
- High-speed rail corridors and intercity passenger rail service capital assistance grants
- Rail line relocation and improvement and railroad safety technology grants

6.7—FEDERAL TRANSIT ADMINISTRATION
http://www.fta.dot.gov/

The Federal Transit Administration (FTA) assists development of improved mass transportation systems for cities and communities nationwide.
The responsibilities of the FTA were originally handled by the Department of Housing and Urban Development (HUD). President Lyndon Johnson transferred most of HUD's responsibility for mass transit to the USDOT, effective July 1, 1968.

Through its grant programs, delivered primarily through STAs, FTA helps plan, build, and operate transit systems with convenience, cost and accessibility in mind. While buses and rail vehicles are the most common type of public transportation, other kinds include commuter ferryboats, trolleys, inclined railways, subways, and people movers. In providing financial, technical, and planning assistance, the agency provides leadership and resources for safe and technologically advanced local transit systems while assisting in the development of local and regional traffic reduction.

Funds may be used for capital projects to finance the planning, acquisition, construction, cost-effective lease, improvement, and maintenance of equipment and facilities for use in transit for both urban and non-urban areas; and assist in development of transportation improvement programs, long-range transportation plans, and other technical studies in metropolitan areas. Activities include:

- Preparation of transportation plans including transportation improvement programs and management systems
- Studies related to transportation management
- Operations, capital requirements, and economic feasibility
- Evaluation of previously funded capital projects
- Other related activities in preparation for the construction, acquisition, or improved operation of transportation systems, facilities, and equipment

The FTA's research program seeks to deliver solutions that improve public transportation. Its primary goals are to increase transit ridership, improve safety and emergency preparedness, improve operating efficiencies, protect the environment, promote energy independence, and provide transit research leadership.
To accomplish this, FTA funds research on:

- Mobility management
- Transit operational efficiency
- Safety and emergency preparedness
- Transit capacity building
- Energy independence and environmental protection
- Infrastructure and equipment protection and innovation
- Strategic research program planning

Funds may be used to assist in the development of cost effective multimodal transportation improvement programs, which include the planning, engineering, and designing of federal transit projects, and other technical studies in a program for a unified and officially coordinated statewide transportation system.

The FTA maintains the National Transit Library (NTL), a repository of reports, documents, and data generated by professionals and others from around the country. The NTL is designed to facilitate document sharing among people interested in transit and transit related topics.

6.8—MARITIME ADMINISTRATION
http://www.marad.dot.gov/

The Maritime Administration (MARAD) promotes development and maintenance of an adequate, well-balanced United States merchant marine, sufficient to carry the nation's domestic waterborne commerce and a substantial portion of its waterborne foreign commerce, and capable of serving as a naval and military auxiliary in time of war or national emergency. MARAD also seeks to ensure that the United States enjoys adequate shipbuilding and repair service, efficient ports, effective intermodal water and land transportation systems, and reserve shipping capacity in time of national emergency.

President Harry S. Truman established MARAD in 1950 under his Reorganization Plan No. 21. However, MARAD traces its origins to the Shipping Act of 1916, which established the U.S. Shipping Board.

The Marine Highway Program does not develop or operate marine highway services. The private sector or state/local governments develop and operate marine highway services.
The program was designed to reduce landside congestion by integrating the commercially operated marine highway services into the nation's surface transportation system. Once integrated, these marine highway services connect seamlessly with all modes of transportation for freight and passengers, thus providing a convenient transportation alternative alongside congested landside transportation corridors. America's marine highways are navigable waterways that have been designated by the Secretary of Transportation and have demonstrated the ability to provide additional capacity to relieve congested landside routes serving freight and passenger movement. Each marine highway has a corridor designation that reflects the congested landside route it parallels. For example, M-95 stretches from Maine to Florida and is the designation for the shipping lane along the Atlantic Coast paralleling interstate highway I-95.

6.9—NATIONAL HIGHWAY TRAFFIC SAFETY ADMINISTRATION
http://www.nhtsa.gov/

The National Highway Traffic Safety Administration (NHTSA) is responsible for reducing deaths, injuries and economic losses resulting from motor vehicle crashes. NHTSA sets and enforces safety performance standards for motor vehicles and equipment, and through grants to state and local governments, enables them to conduct effective local highway safety programs.

In 1970, the Highway Safety Act authorized the establishment of NHTSA. Although the law added somewhat to USDOT's safety mission, the FHWA originally had handled most of the functions that NHTSA assumed. Besides establishing another operating administration and adding to the secretary's span of control and coordination workload, the Highway Safety Act separated highway administration into two parts:

1. Design, construction, and maintenance
2. Highway and automobile safety

Under the oversight of NHTSA, formula grant funds may be used for problems identified within the nine national priority program areas of:

1. Alcohol and other drug countermeasures
2. Police traffic services
3. Occupant protection
4. Traffic records
5. Emergency medical services
6. Motorcycle safety
7. Pedestrian/bicycle safety
8. Speed control
9. Roadway safety

Other program areas identified by a state as constituting a highway safety problem in that state may be eligible for federal funding if they encompass a major highway safety problem in that state and the state has identified effective countermeasures. One such example that has received federal funding is pupil transportation safety programs. The law provides that at least 40 percent of these federal funds apportioned to a state for any fiscal year will be expended by the political subdivisions of such state.

NHTSA is responsible for the following:

- Investigating safety defects in motor vehicles
- Setting and enforcing fuel economy standards
- Helping states and local communities reduce the threat of drunk drivers
- Promoting the use of safety belts, child safety seats and airbags
- Investigating odometer fraud
- Establishing and enforcing vehicle antitheft regulations
- Providing consumer information on motor vehicle safety topics
- Researching driver behavior and traffic safety to develop the most efficient and effective means of bringing about safety improvements
- Maintaining a toll-free Auto Safety Hotline, which furnishes consumers with a wide range of auto safety information. Callers also can help identify safety problems in motor vehicles, tires and automotive equipment such as child safety seats.
6.10—OFFICE OF INSPECTOR GENERAL
https://www.oig.dot.gov/

On October 12, 1978, the Inspector General (IG) Act established twelve federal Offices of Inspector General (OIG), including the Department of Transportation OIG. The Act passed the House of Representatives by a vote of 388 to 6 and was later approved by the Senate by unanimous consent. Two OIGs had previously been established, one in 1976 and another the following year. President Jimmy Carter signed the IG Act into law and described the new statutory IGs as "perhaps the most important new tools in the fight against fraud." The President charged the IGs to always remember that their ultimate responsibility is not to any individual but to the public interest.

The OIG is committed to fulfilling its statutory responsibilities and supporting members of Congress, the Secretary, senior department officials, and the public in achieving a safe, efficient, and effective transportation system. It builds on its long-standing record as a highly respected contributor to the department's mission. They are USDOT's sole in-house source for objective examination of its programs and their integrity. Their core values and audit and investigative expertise ensure they remain highly responsive to the needs of the Secretary, Congress, and the American people. Their mission is to protect USDOT programs from fraud, waste, abuse, and violations of law and promote effectiveness of the USDOT's programs. They accomplish this through audits and investigations. The OIG also consults with Congress about programs in progress and proposed new laws and regulations.

The Inspector General Act of 1978 gives the Office of Inspector General autonomy to do its work without interference. The Inspector General is chosen by the President; this choice is based not on political affiliation but rather on integrity and ability.
IG candidates can show accomplishment in several fields, including accounting, auditing, law, financial or management analysis, public administration or investigations. Inspector General appointees are subject to Senate confirmation. Only the President has the power to remove an inspector general and the reasons for doing so must be communicated to Congress. The Inspector General Act of 1978 prevents officials in the scrutinized agency from interfering with audits or investigations; it also requires the IG to keep the Secretary of Transportation and Congress informed of findings. However, much of OIG's most significant work is accomplished with the cooperation of the officials whose programs are being reviewed.

6.11—PIPELINE AND HAZARDOUS MATERIALS SAFETY ADMINISTRATION
http://www.phmsa.dot.gov/

The Pipeline and Hazardous Materials Safety Administration (PHMSA) oversees the safety of more than 800,000 daily shipments of hazardous materials in the United States and 64 percent of the nation's energy that is transported by pipelines. PHMSA is dedicated solely to safety by working toward the elimination of transportation-related deaths and injuries in hazardous materials and pipeline transportation, and by promoting transportation solutions that enhance communities and protect the natural environment.

PHMSA was created within the U.S. DOT under the Norman Y. Mineta Research and Special Programs Improvement Act of 2004. The purpose of the act was to provide the U.S. Department of Transportation with a more focused research organization and to establish a separate operating administration for pipeline safety and hazardous materials transportation safety operations.

PHMSA is authorized to reimburse a state agency for up to 80 percent of the agency's actual cost of carrying out its pipeline safety program, including the cost of personnel and equipment.
The actual amount of federal reimbursement depends upon the availability of appropriated funds and the state's pipeline safety program's performance. A state agency's program performance is based on PHMSA's annual Program Evaluation and Progress Report scoring of each state agency. The Program Evaluation includes an on-site review of the state's inspection, compliance, accident investigation, training, and excavation damage prevention records and activities. The Progress Report scoring gives consideration to the state's extent of safety authority over pipeline operators, inspector qualifications, inspection days accomplished, adoption of maximum civil penalty amounts, progress adopting amendments to federal regulations, adoption of one call requirements, and attendance at the National Association of Pipeline Safety Representatives meetings.

PHMSA also provides federal grant funding in support of preventing excavation damage to underground facilities, which is a leading cause of pipeline incidents. Programs include:

- State pipeline safety program base grants
- Technical assistance grants
- State damage prevention grants
- PHMSA pipeline safety program One Call Grant
- PHMSA pipeline safety research and development

6.12—RESEARCH AND INNOVATIVE TECHNOLOGY ADMINISTRATION
http://www.rita.dot.gov/

The Research & Innovative Technology Administration (RITA) is an agency whose mission is to identify and facilitate solutions to the challenges and opportunities facing America's transportation system. RITA's focus is to promote transportation research that will foster the use of innovative technology. RITA includes the Volpe National Transportation Systems Center, an organization dedicated to enhancing the effectiveness, efficiency, and responsiveness of other federal organizations with critical transportation-related functions and missions.
RITA was created in 2005 to advance transportation science, technology, and analysis, and to improve the coordination of transportation research within the Department and throughout the transportation community. With responsibility for research policy and technology sharing, the agency partners with national and international organizations and universities. RITA also includes the Bureau of Transportation Statistics, the Transportation Safety Institute, and the University Transportation Centers program.

RITA performs four basic functions:
1. Coordinates the USDOT's research and education programs
2. Shares advanced technologies with the transportation system
3. Offers transportation statistics and analysis for decision-making
4. Supports national efforts to improve education and training in transportation-related fields

6.13—SAINT LAWRENCE SEAWAY DEVELOPMENT CORPORATION
http://www.seaway.dot.gov/

The Saint Lawrence Seaway Development Corporation (SLSDC) operates and maintains a safe, reliable and efficient waterway for commercial and noncommercial vessels between the Great Lakes and the Atlantic Ocean. Saint Lawrence Seaway Development Corporation is a wholly owned government corporation created by statute May 13, 1954, to construct, operate, and maintain that part of the St. Lawrence Seaway between the Port of Montreal and Lake Erie, within the territorial limits of the United States. Trade development functions aim to enhance Great Lakes/St. Lawrence Seaway System utilization without respect to territorial or geographic limits. The SLSDC, in tandem with the Saint Lawrence Seaway Authority of Canada, oversees operations safety, vessel inspections, traffic control, and navigation aids on the Great Lakes and the Saint Lawrence Seaway.
SLSDC works to develop trade opportunities to benefit port communities, shippers and receivers, and related industries in the area to provide economic development of the Great Lakes Region. The mission of the Corporation is to serve the U.S. intermodal and international transportation system by improving the operation and maintenance of a safe, reliable, efficient, and environmentally responsible deep-draft waterway, in cooperation with its Canadian counterpart. The SLSDC also encourages the development of trade through the Great Lakes Seaway System, which contributes to the comprehensive economic and environmental development of the entire Great Lakes region.

6.14—SURFACE TRANSPORTATION BOARD
http://www.stb.dot.gov/stb/index.html

The Surface Transportation Board (STB) is an independent, bipartisan adjudicatory body organizationally housed within the USDOT. STB was created pursuant to the ICC Termination Act of 1995 and is the successor agency to the Interstate Commerce Commission. The STB is an economic regulatory agency that Congress has charged with resolving railroad rate and service disputes and reviewing proposed railroad mergers. Although it is administratively affiliated with USDOT, it is required to maintain its independence in its decisions. The agency has jurisdiction over railroad rate and service issues; rail restructuring transactions, such as mergers, line sales, line construction, and line abandonments; certain trucking companies; moving vans; non-contiguous ocean shipping rates; certain intercity passenger bus company structure, financial and operational matters; and rates and services of pipelines not regulated by the Federal Energy Regulatory Commission. It is responsible for the economic regulation of interstate surface transportation, primarily railroads, within the United States.
The STB's mission is to ensure that competitive, efficient, and safe transportation services are provided to meet the needs of shippers, receivers, and consumers. The Board is charged with promoting, where appropriate, substantive and procedural regulatory reform in the economic regulation of surface transportation, and with providing an efficient and effective forum for the resolution of disputes. The Board continues to strive to develop, through rulemakings and case disposition, new and better ways to analyze unique and complex problems, to reach fully justified decisions more quickly, to reduce the costs associated with regulatory oversight, and to encourage private-sector negotiations and resolutions to problems where appropriate.

Chapter 7 – Stewardship, Oversight, Laws, and Regulations

7.1—STEWARDSHIP AND OVERSIGHT AGREEMENT BETWEEN THE FEDERAL HIGHWAY ADMINISTRATION AND STATE TRANSPORTATION AGENCIES

The Secretary of the United States Department of Transportation (USDOT) has delegated to the Administrator of the Federal Highway Administration (FHWA) the responsibility of administering the Federal-aid highway program (FAHP) under Title 23 and other associated laws. In addition, Title 23 allows states to assume the Secretary's responsibilities in the design, construction, award, and inspection of certain federal-aid projects. Section 106 of Title 23, United States Code (USC), requires that the FHWA and STA enter into a stewardship and oversight agreement documenting the extent to which the STA assumes the responsibilities of the Secretary (and by delegation, FHWA) under Title 23, and where FHWA retains responsibilities.
The purpose of the Stewardship/Oversight (S&O) Agreement is to formalize the roles and responsibilities of the FHWA division offices and each STA to address how the FAHP will be administered in the STA, and to delineate a comprehensive FHWA and individual STA approach to FAHP stewardship and oversight. The most recent highway reauthorization act, the Moving Ahead for Progress in the 21st Century Act (MAP-21), was signed into law on July 6, 2012. While this legislation still allows states to assume the responsibilities previously delegated, MAP-21 further defines the requirements of stewardship and oversight responsibilities, including the need to have a stronger data-driven performance element, and a more formal application of risk management principles.

FHWA revised the guidance regarding S&O on March 28, 2014. The intent of the revisions was to provide a consistent approach to developing future agreements with STAs, and to clarify distinctions with FHWA's risk-based, data-driven stewardship and oversight framework. This revised guidance supersedes all previous guidance on this topic, and is available at:
http://www.fhwa.dot.gov/federalaid/stewardship/

Section 106 of Title 23, United States Code, requires the FHWA and each STA to enter into an agreement documenting the extent to which the state will assume specific responsibilities under Title 23. The S&O Agreement formalizes these assumed responsibilities to address how the FAHP will be administered in each state. Rather than specifying mandatory procedures, the guidance outlines the basic S&O concepts and approaches that FHWA division offices should follow. Section 1503 of MAP-21 contains changes to the requirements for oversight and approval of Federal-aid projects. Specifically, Section 106 eliminated the provision prohibiting states from assuming responsibilities for new construction and reconstruction projects on the Interstate System exceeding $1 million in cost.
In addition, MAP-21 prohibits STAs from assuming responsibility for projects determined by FHWA to be high risk. The S&O Agreement Guidance implements these changes.

A significant change in FHWA's project-level S&O of the FAHP is the transition from "full oversight" of projects to oversight activities primarily focused on areas of higher risk and opportunity. The FHWA's use of a risk-based approach for project S&O is intended to optimize the successful delivery of projects and to assure compliance with federal requirements. Risk-based project S&O has three main components:
1. Required project approval actions
2. Data-driven compliance assurance, i.e., the FHWA's national Compliance Assessment Program (CAP)
3. Risk-based S&O of Projects of Division Interest and Projects of Corporate Interest

This S&O Agreement Guidance also implements a process for conducting legal reviews of these agreements by the FHWA Office of Chief Counsel before they are signed by the STAs and FHWA division offices. Upon completion of the legal review, FHWA division administrators are authorized to execute and sign S&O Agreements with their respective STA. The Project Action Responsibility Matrix (an attachment to the guidance) is the cornerstone of the S&O Agreement for assumptions of project-level responsibilities. Deviations from this matrix must be consistent with specific responsibilities that 23 U.S.C. 106 allows the STAs to assume from the FHWA. The S&O Agreement may include S&O indicators as agreed to by the STAs and FHWA divisions to help in managing the FAHP. See Federal Rules for specific requirements regarding performance measures that are a requirement of MAP-21. These rules pertain to the Highway Safety Improvement Program (HSIP), statewide and metropolitan and non-metropolitan planning regulations, pavement, bridges, asset management, system performance, congestion, emissions, freight and public transportation.
7.2—HIERARCHY

There is a hierarchy of law that all STAs must understand and follow. The United States Code (U.S.C.) is the codification by subject matter of general and permanent laws of the United States as passed by Congress and is specific to each federal agency. The U.S.C. is further detailed in specific statutes like the Safe, Accountable, Flexible, Efficient Transportation Equity Act: A Legacy for Users (SAFETEA-LU) or the Moving Ahead for Progress in the 21st Century Act (MAP-21). The Code of Federal Regulations (CFR) consists of programmatic and administrative requirements created by individual federal agencies as an interpretation and clarification of the U.S.C. In addition to the U.S.C. and CFRs, individual federal agencies will also have guidance to further explain how to carry out statutes and federal regulations.

[Figure: hierarchy of law. FEDERAL LAW: US Code (49 and 23 USC); Code of Federal Regulations (49 and 23 CFR); Federal Agency Guidance. STATE LAW.]

The specific regulatory information pertaining to transportation programs is listed below.
- 49 United States Code, Transportation (49 U.S.C.)
- 23 United States Code, Highways (23 U.S.C.)

7.3—FEDERAL REQUIREMENTS (2 CFR 200)

(a) Administrative requirements. Subparts B through D of 2 CFR 200 set forth the uniform administrative requirements for grant and cooperative agreements, including the requirements for Federal awarding agency management of Federal grant programs before the Federal award has been made, and the requirements Federal awarding agencies may impose on non-Federal entities in the Federal award.

(b) Cost Principles. Subpart E—Cost Principles of 2 CFR 200 establishes principles for determining the allowable costs incurred by non-Federal entities under Federal awards. The principles are for the purpose of cost determination and are not intended to identify the circumstances or dictate the extent of Federal government participation in the financing of a particular program or project.
The principles are designed to provide that Federal awards bear their fair share of cost recognized under these principles except where restricted or prohibited by statute.

(c) Single Audit Requirements and Audit Follow-up. Subpart F—Audit Requirements of 2 CFR 200 is issued pursuant to the Single Audit Act Amendments of 1996 (31 U.S.C. 7501-7507). It sets forth standards for obtaining consistency and uniformity among Federal agencies for the audit of non-Federal entities expending Federal awards. These provisions also provide the policies and procedures for Federal awarding agencies and pass-through entities when using the results of these audits. The Compliance Supplement is contained in 2 CFR 200 Subpart F, Appendix XI.

The link for the electronic version of the Code of Federal Regulations is as follows:
http://www.ecfr.gov/cgibin/retrieveECFR?gp=1&SID=ab3a2671992eacd9725f23b8fce9ab6c&ty=HTML&h=L&r=SUBPART&n=2y1.1.2.2.1.6

7.4—AUDIT REQUIREMENTS

The Code of Federal Regulations, 2 CFR, sets forth standards for obtaining consistency and uniformity among federal agencies for the audit of states, local governments, and non-profit organizations expending federal awards. Currently, if an entity receives $500,000 or more in total federal funding during a fiscal year, the entity is required to obtain an audit of Federal expenditures from a qualified Certified Public Accountant (CPA). STAs are responsible for engaging their own A-133 audit and monitoring those entities to which they've passed federal funds. The STA project managers are responsible for monitoring any audit findings for resolution.

7.5—CATALOG OF FEDERAL DOMESTIC ASSISTANCE

The Catalog of Federal Domestic Assistance (CFDA) contains detailed program descriptions for federal assistance programs, including type of assistance offered, the agency offering the assistance, contact information, and eligibility criteria.
7.6—STATE LAW

Each state has its own set of laws passed by the state legislature. These codes of law provide the legal authority to a state agency or department (for example an STA) to plan, design, operate, construct and maintain public roads and other transportation modes. States may also pass legislation on special transportation initiatives, public-private partnerships, tolls, oversize vehicle permits, outdoor advertising, highway enhancement, and other transportation programs. Some state laws implement federal law and can generally be more restrictive than federal law, such as contractor prompt payment laws. STAs may be authorized to waive certain provisions of state law when inconsistent with federal requirements, such as congressional district balancing requirements. Other state laws exist for activities not federally mandated, such as contractor prequalification or audit requirements. State laws typically establish governance of STAs, state employee codes of conduct, and rules for various administrative operations within STAs. In addition to codes of law, some states have rules and regulations promulgated directly from the STA which provide further governance of transportation matters, such as outdoor advertising, contractor prequalification, design-build contracting, and grant programs.

Chapter 8 – Innovative Financing And Construction Delivery Methods

INNOVATIVE FINANCING

Innovative financing provides options during challenging economic times by offering alternatives to overcome the constraints of limited resources. Financial innovations can increase the ability of STAs to deliver transportation projects by accelerating construction, reducing costs, and providing the revenues required to deliver projects. We have briefly covered the more popular innovative financing methods below. For further information and a discussion of other innovative financing methods, visit the U.S.
Department of Transportation Federal Highway Administration (FHWA), Innovative Program Delivery website at: www.fhwa.dot.gov/ipd.

8.1—GRANT ANTICIPATION REVENUE VEHICLE (GARVEE)

GARVEE debt financing provides up-front capital for major highway projects. U.S. Code Title 23, Section 122 allows the use of future federal funds to repay the debt and related financing costs. This allows projects to be constructed sooner and at less cost due to inflation savings. The public realizes safety and economic benefits, and costs are spread over the useful life of the project.

8.2—TRANSPORTATION INFRASTRUCTURE FINANCE AND INNOVATION ACT (TIFIA)

The TIFIA program provides federal credit assistance through direct loans, loan guarantees, and standby lines of credit for surface transportation projects of national and regional significance. TIFIA credit assistance provides access to capital markets, flexible repayment schedules, and more favorable interest rates than private capital markets can offer.

8.3—SECTION 129 LOANS (23 U.S.C. 129 (A)(7))

An STA may fund loans to a public or private entity to construct a toll or non-toll project that has a dedicated revenue source up to an amount equal to the federal share of the project. Dedicated revenue sources may include tolls, excise taxes, sales taxes, motor vehicle use fees, tax on real property, and tax increment financing.

8.4—TAX INCREMENT FINANCING (TIF)

TIF is a mechanism allocating any increase in total property tax revenues toward public investment within a designated district. All or a portion of the increase can be dedicated to repay the debt incurred in building the transportation improvement.

8.5—PRIVATE ACTIVITY BONDS (PABs)

PABs are debt instruments that may be issued by STAs and used to construct projects with significant private involvement.
In an effort to increase private sector investment in transportation infrastructure, the federal government has provided access to these tax-exempt bonds. State projects receiving a PAB allocation must also receive assistance under U.S.C. Title 23 or Title 49. These bonds are limited to $15 billion and are allocated by the Secretary of Transportation to qualified projects.

8.6—PUBLIC-PRIVATE PARTNERSHIPS (P3s)

P3s are contractual agreements between a public agency and a private entity in which the private entity takes on more risk than traditional project agreements. The private entity may participate in design, finance, operations, and maintenance, increasing the level of risk accepted. P3s are actually a procurement option and not a revenue source. P3s may increase financing capacity and reduce costs; however, a revenue source still needs to be identified for the project. By using P3s, a private entity may operate a facility over a specified term in exchange for annual payments. The entity may receive the right to collect toll revenues from the project, or other similar arrangements may be identified.

INNOVATIVE CONSTRUCTION DELIVERY METHODS

Innovative construction delivery methods help to provide efficiency and a smooth, effective transition from design to construction. Two such methods are described below.

8.7—DESIGN-BUILD (DB)

DB is a project delivery method in which one entity assumes responsibility for the design and construction of a project under one contract. The DB team may be composed of a single firm, a consortium, or a joint venture. This method provides collaboration and coordination between the designer and the contractor, thus enabling early intervention to address project complexities, advance project delivery, reduce costs, and enhance quality. Coordination of design and construction processes results in time savings due to improved communication.
Typically a two-step selection process is used. The first step is qualifications-based selection using a Request for Qualifications (RFQ). Best-value is then determined based upon the shortlisted firms' technical expertise and price components using a Request for Proposals (RFP). Please refer to 23 CFR 636 for regulations covering DB.

8.8—CONSTRUCTION MANAGER/GENERAL CONTRACTOR (CMGC)

The CMGC project delivery method is divided into two contract phases:
1. During the design phase, the project owner hires a contractor who acts as a consultant to provide feedback to the design team, identify risks, provide cost projections, and refine the project schedule while design is being completed.
2. In phase two, the contractor and project owner negotiate the price of the construction contract. Once agreed upon, the construction phase begins.

The benefits of CMGC include reduced costs, schedule risk, and change orders, as well as improved design quality as the contractor's knowledge and experience are utilized up front. The CMGC process facilitates value engineering by allowing the contractor to provide cost estimates for all designs and alternatives during the design phase.

Chapter 9 - General Audit and Attestation Programs

The following audit programs are shells to help internal auditors develop their procedures when performing an engagement. Auditors can utilize available practice aids for particular areas in the fieldwork phase.

9.1—AUDIT PROGRAM PURPOSE AND SCOPE

This program has the following major objectives:
- Understanding the organization's operations
- Understanding the preliminary analytical procedures
- Identifying relevant risk factors
- Identifying significant compliance requirements
- Documenting the internal control assessment

9.2—PHASES

A. Preliminary Survey (Planning) Phase
01. Send an Engagement Letter to the stakeholder(s).
02. Hold team brainstorming meeting, including IT and Fraud employees when discussing IT issues and fraud, waste, and abuse.
03. Review previous (internal and external) State and Federal Audit and Review Reports. Document findings in those reports for appropriate follow-up. Identify reported weaknesses that have not been corrected.
04. Review background material to become familiar with the activities of the organization. Examples are:
    - Legislative rules
    - Administrative code
    - State policies and procedures
    - Entity rules and regulations
    - Entity manuals
    - Federal highway regulations
    - Traffic control regulations
    - Internal or external peer review reports
    - Industry standards
    - Industry best practices
    - Mission, vision, and goals
05. Obtain current organization chart.
06. Interview(s), surveys, and face-to-face meetings with organization personnel. Discuss the entity's activities, any changes in the policy and procedures, employee turn-over rate, and general internal controls environment (performance goals, tracking/exception reporting, known issues, etc.). Ask management if they are aware of any fraud, waste or abuse.
07. Obtain policies and procedures related to the major functions of the organization. Note any changes in rules, regulations, or laws since the last audit.
08. Prepare and send surveys or questionnaires to the entities' customers.
09. Gain an understanding of key business processes. Document systems through a process map (flow chart) and/or narrative.
10. Identify any potential control gaps and/or weaknesses, including opportunity cost of having too many controls.
11. Document your data analysis of the organization's operations, including the following:
    - Management and organization
    - Factors affecting the organization
    - Internal factors affecting the organization
    - Accounting policies and issues
    - Electronic data processing systems used in carrying out functions and activities
    - Strategic alignment
    - Control design
    - Identified themes
    - General and definable risk areas
    - Internal environment / fraud risks
    - Documentation reviewed
    - Control design evaluation assessment (see appendix C)
    - Risk assessment summary
    - In scope and out of scope areas
12. Validate the original objective(s) or refine your objective(s).
13. Present your scope to the CAE and receive approval to move forward.
14. Coordinate with General Counsel, depending on audit focus and potential for litigation.
15. Develop a program step for each area of your scope that has compliance requirements. Summarize the requirements for testing and evaluating controls over compliance.
16. Develop specific audit procedures and sampling plans for audit objectives (see individual practice aid for Items of Consideration). Get work program approved.
17. Schedule and hold an entrance conference with report owners or key stakeholders as appropriate.

B. Execution (Fieldwork) Phase
01. Complete audit tests and write up management comments / findings and observations identified during testing. Work papers should include, at a minimum, a purpose, source, scope, and conclusion. (Refer to applicable practice aid for specific objectives and steps.)
02. Hold weekly audit team status meetings to confirm project status and deliverables, and prepare for weekly status meetings with entity management.
03. Provide continuous communication (weekly status meetings) with entity management on any identified problems or best practices.
04. Work with the entity to discuss recommendations and obtain management action plans to address risks identified in the findings.
05. Review team progress at the midpoint of your fieldwork. Ensure that audit management is aware of potential findings and observations.
06. Prepare draft audit report, including findings, management responses/action plans and audit engagement opinion, as applicable.

C. Closing (Reporting) Phase
01. Hold an Opinion Meeting with audit management to receive approval of findings, management responses/action plans and audit engagement opinion, as applicable.
02. Ensure all work papers are reviewed and approved.
03. Hold exit conference with entity.
04. After the CAE approves the draft report, send the approved draft report to General Counsel and the audit report owners/stakeholders, as applicable.
05. After concurrence and/or resolution of the returned comments, issue final audit report.
06. Complete final working paper sign-offs.
07. Complete team performance evaluations, as related to engagement performance.
08. Track Management Action Plans and establish follow-up engagements to confirm remediation of risks.
09. Complete internal quality assessment of the audit working papers.

9.3—ATTESTATION PROGRAM PURPOSE AND SCOPE

The purpose of the following attestation program is to develop a general program for conducting attestation engagements. It covers steps applicable for all three types of attestations: examinations, reviews, and agreed-upon procedures. These engagements are of less scope than full audits. This program has the following major objectives:
- Determine the appropriate type of attestation and scope
- Understand the program or subject area under engagement
- Identify risk elements
- Identify significant compliance requirements
- Identify significant reporting requirements

Program steps are based on AICPA Statements on Standards for Attestation Engagements (SSAE) and Generally Accepted Government Auditing Standards (GAGAS) promulgated by the Government Accountability Office (GAO). This program may be used for examination, review or agreed-upon procedure attestation engagements, as stated above.
A. Preplan the Attest Engagement
1. Determine whether attest engagement will be an examination, review or agreed-upon procedure. (Refer to comparison chart of examination, review and agreed-upon procedure attestation engagements at the end of this program.)
2. In determining the assignment consider the following:
   - Does auditor have sufficient technical training & proficiency to perform engagement?
   - Does auditor have adequate knowledge of subject matter?
   - Are there criteria suitable & available to evaluate the subject matter?
   - Is auditor independent in both mind and appearance?
   - Is auditor able to exercise due professional care in planning & performing engagement and the preparation of report?

B. Plan the Attest Engagement
1. Maintain timesheet of hours spent on engagement
2. Adequately plan the attest engagement by considering the following:
   - Plan procedures to address the objectives of the attest engagement
   - Determine criteria which will be the basis of the engagement
   - Make initial judgments regarding risk and materiality of engagement (may be appropriate to use lower materiality levels because of public accountability of government agencies)
   - Consider likelihood of revising or adjusting the subject matter
   - Consider whether attest procedures should be modified or extended
   - Verify or adjust the nature of the attest engagement: examination, review or agreed-upon procedure
3. Notify appropriate management, in writing, of the intent and date to conduct an attest engagement of a program or activity (engagement letter/email). Letter should include:
   - Objective of the engagement
   - Management's responsibility
   - Auditor's responsibility
   - Limitations of the engagement (e.g. specific scope and expected deliverables)
4. Additional guidance for agreed-upon procedures (AUP):
   - Terms of the AUP should be understood by the auditor and ideally expressed in an engagement letter
   - Specific procedures on the subject matter must be agreed to by the auditor and the specified party making the request
   - The specified party is responsible for determining the sufficiency of the procedures
   - The criteria to be used for determining a conclusion must be agreed to by the auditor and specified party
   - There is agreement between auditor and specified party regarding materiality, if applicable
   - If the work of a specialist is used, the auditor and specified party should explicitly agree to that use
5. Plan for supervision of team members, if assigned
6. Review background information, such as applicable laws, policies and regulations, to become familiar with activities of the division or section. Consider the following:
   - Federal regulations
   - State laws, policies, procedures and rules
   - Administrative code
   - ITD department policies and rules
   - ITD manuals affecting subject area
   - Internal or external peer review reports
   - Industry standards & best practices
   - Mission, vision and goals
7. Obtain the organizational chart for the office and define positions, functions and identify vacancies
8. Determine if current desk manuals are available
9. Review prior internal audit report, program and work papers, if applicable, and note areas of audit interest
   - Document findings for appropriate follow up
   - Identify any reported weaknesses that haven't been corrected
   - Search for review/audit reports from external groups
10. If applicable, obtain printouts of the total revenue and expenditure transactions for the latest completed fiscal year
11. Conduct an interview with the division administrator, section manager or specified party for input on perceived risks to their program or activity. Discuss:
   - Programs and activities
   - Any changes in policies, procedures and organization
   - Employee turnover rate
   - General internal control environment
   - Performance goals, measures or tracking
   - Ask management if they are aware of any fraud, waste or abuse
   - Obtain policies and procedures related to program or activity under engagement
   - Consider whether an evaluation is indicated for any of the above items
12. Conduct an entrance conference with the Division Administrator, section manager or specified party. Discuss:
   - Objective(s) of engagement
   - Estimated length of engagement
   - Responsibilities of Management regarding the engagement
   - Responsibilities of the auditor regarding the engagement
13. Interview executive management and other stakeholders to determine areas of interest or concern
14. Identify programs and activities, flow chart processes and evaluate for risk
   - Evaluate for adequate internal controls
   - Note any gaps or weaknesses in controls
   - Identify risks to the program or activities
   - Verify risks with employees responsible and with management or resolve if additional mitigating information is provided
15. Prioritize risks as high, medium or low based on probability and impact
   - Consider the probability of each risk occurring
   - Consider the impact to the program or activity if it occurred
   - Identify the priority level for each risk (high, medium or low)
16. Meet with Audit Manager to verify or refine original objective(s) to focus efforts
   - Determine scope, and resource and time budget for assignment
   - Consider Government Accountability Office (GAO) Audit Standards
   - Consider AICPA Statements on Standards for Attestation Engagements (SSAE)

C. Fieldwork Phase
1. Obtain sufficient evidence (based on nature of attest engagement) to provide a reasonable basis for a conclusion
2. Evaluate:
   - inherent risk (inherent risk in the type of process or treatment of transactions)
   - control risk (risk that internal controls are not present and/or not operating adequately)
   - detection risk (risk that a material weakness or fraud, waste or abuse won't be detected)
   Strive to achieve a low level of audit risk for examination engagements. Strive to achieve a moderate level of audit risk for review engagements.
3. Add newly identified risks to list of risks already identified and prioritize as in step B.15
4. Design examination engagement to detect instances of fraud and noncompliance with laws, regulations, contracts and grant agreements that may have a material effect on the subject matter
   - Assess risk and possible effects of fraud and noncompliance with laws, etc.
   - Document risk factors and auditor's conclusion regarding those risks
   - If auditor becomes aware of abuse that could be material to subject matter, design procedures to assess the potential effect
   - Instances of fraud; noncompliance with laws, regulations, contracts or grant agreements; or abuse should be communicated to those charged with governance
   - If, while conducting procedures of a review or agreed-upon procedure engagement, instances of fraud, noncompliance with laws, regulations, contracts or grant agreements, or abuse come to the auditor's attention, those charged with governance should be informed
5. Obtain evidential matter for agreed-upon procedure to provide a reasonable basis for conclusions. Appropriate procedures may include:
   - Conduct specific procedures as established by specified user
   - Need not perform additional procedures outside the scope of engagement
   - Conduct sampling according to agreed-upon parameters
   - Inspect specified documents for evidence of certain transactions or detailed attributes
   - Confirm specific information with third parties
   - Compare documents, schedules or analyses with specified attributes
   - Perform specific procedures on work performed by others
   - Perform mathematical computations
6. Determine scope of testing for examinations & reviews; consider quality and quantity of evidential matter
   - Consider previous audit findings and recommendations in assessing risk and determining scope of testing
   - Conduct interviews and observations
   - Conduct site visits if appropriate
   - Obtain financial reports for inspection or testing
   - Document findings and observations
   - Document management comments
   - Determine whether internal controls are adequate; consider expanding testing if not
   - Include purpose, source, scope and conclusion in work papers
   - Document meetings to update Audit Manager on progress and status of attestation assignment
7. Provide periodic communication with administrator, section manager or specified party requesting attestation engagement and with management under audit, if different
8. Document periodic communication
9. Update administrator or manager on progress, any identified problems or suggested best practices

D.
1. Review or Agreed-Upon Procedures: Prepare draft report identifying results, conclusions and recommendations
2. Examinations: Prepare draft report identifying findings and recommendations.
Must develop elements of findings (criteria, condition, cause and effect) Reporting Phase Compliance with reporting standards Identify subject matter and character of engagement Conclusion relates to criteria used to evaluate subject matter Document the nature, timing, extent and results of the attest procedures and information obtained; quantify results if possible (experienced auditor test) In following GAGAS standards, include a statement that the attestation engagement was conducted in accordance with GAGAS If a review, GAGAS statement should include statement that a review engagement is substantially less in scope than an examination, the objective of which is to express an opinion on the subject matter, and accordingly, review reports express no such opinion If an agreed-upon procedure, GAGAS statement should include a statement that “auditors were not engaged to and did not conduct an examination or a review of the subject matter, the objective of which would be the expression of an opinion or limited assurance and that if the auditors had performed additional procedures, other matters might have come to their attention that would have been reported.” The agreed-upon procedure report is also required to state that the sufficiency of the procedures is solely the responsibility of the specified parties and must include a disclaimer of responsibility for the sufficiency of the procedures Agreed-upon procedure reports must be restricted to the specified party or parties Document any departures from GAGAS requirements and the impact on the engagement and conclusions Document any significant reservations, such as scope deficiencies and engagement reservations, and determine if a qualified conclusion or disclaimer should be reported Document instances of fraud and noncompliance with laws, regulations, contracts and agreements that have a material effect on the subject matter Document instances of abuse that have a material effect on the subject matter Document if 
separate reports are being issued for fraud, noncompliance or abuse Document significant deficiencies or material weaknesses in internal controls Document if confidential and sensitive information was omitted and reason for omission Determine whether to communicate internal control deficiencies not considered significant or material to those charged with governance Document meetings with team and Audit Manager to review and approve findings and/or conclusions, and recommendations Conduct preliminary close out meeting with managers and supervisors to listen and discuss the section’s input and concerns regarding findings and/or conclusions, and recommendations Hold close out meeting with division administrator, section manager, or specified party; chief officer; controller and any other executive/management stakeholders Request and review management’s responses and action plans; note whether a target date and responsible position is identified; or note audited entity did not provide comments AASHTO Internal Audit Guide 2014 Edition Chapter 9 Page 56 9 6. 7. 8. 9. E. 1. 2. 3. 4. Present final attestation report to Director/Secretary, obtain concurrence, signature and distribute (electronically and/or hardcopy) Distribute report to those charged with governance, the audited section’s management and other stakeholders as appropriate If subject matter involves material that is classified for security reasons or contains confidential or sensitive information, auditor should limit distribution Include statement if restricted distribution, “This report is intended solely for the information and use of __________________.” (e.g. 
agreed-upon procedures) Consider need to report findings or conclusions to outside agencies Finalize work paper documentation and obtain internal quality control assessment of attest work papers Retain documents according to department policy Administrative procedures are in place to maintain the confidentiality of attest documentation References AICPA AT Section 50 establishes the SSAE Hierarchy AICPA AT Section 101 provides guidance and practice aids for examinations and reviews Checklists for an examination and review report Sample examination and review reports AICPA AT Section 201 provides guidance and practice aids for agreed-upon procedures Checklist for an agreed-upon procedure report Sample agreed-upon procedure report GAGAS incorporates AICPA standards by reference AASHTO Internal Audit Guide 2014 Edition Chapter 9 Page 57 GLOSSARY Actual Costs — Amounts determined based on costs incurred and supported by source documentation, such as invoices, receipts, and cancelled checks. Actual costs are generally not determined based on forecasts or historical averages. Administrative Expenses — Costs that are not directly identified with any one item of work, but when taken as a whole, support or contribute to all activities of a firm. Agreement — An obligation between two parties that is less formal than a contract, which identifies the deliverable goods or services to be provided, under what conditions, and the method of reimbursement for such goods and services. An agreement may include both federal and state requirements that must be met by the S T A and entity. Agreements usually indicate start and finish dates, record retention requirements, and other pertinent information relative to the work to be performed. In the context of this guide, generally refers to intergovernmental obligations, such as grant agreements. 
Allocable — A cost is allocable to a government contract if the cost is incurred specifically for the contract; benefits both the contract and other work, and can be distributed to them in reasonable proportion to the benefits received; or is necessary to the overall operation of the business, although a direct relationship to any particular cost objective cannot be shown.

Allowable — A cost is an allowable charge to a government contract only if the cost is reasonable, allocable, compliant with GAAP, compliant with terms of the contract, and not prohibited by federal cost principles.

Analytical Procedure — An audit procedure whereby an auditor assesses information by comparing it to certain parameters or expectations selected by the auditor. It involves the auditor reasonably expecting a certain relationship among certain information and expecting those relationships to continue unless there are known conditions that should cause the relationship to not exist. The expected conditions should be developed by the auditor through the use of reliable sources to ensure an unbiased comparison. Some common analytical procedures include ratio analysis, trend analysis, comparison between periods, comparison to budgets and forecasts, external benchmarking, and internal benchmarking.

AASHTO — American Association of State Highway and Transportation Officials

AICPA — American Institute of Certified Public Accountants, the national professional organization of Certified Public Accountants

Audit Confirmation — An audit procedure whereby an auditor obtains direct written verification of the accuracy of information from a third party. Positive confirmation is obtained by asking the third party to respond by stating whether or not they believe the information is correct. Negative confirmation asks the third party to respond only if there is an issue. Positive confirmation is more reliable because, with negative confirmation, there is no certainty if the party does not respond that there is no issue.

Audit Inquiry — An audit procedure that involves asking questions of the auditee or other parties in order to obtain oral and written information. Evidence gathered through inquiry is considered indirect evidence, which is rarely considered sufficient by itself to support a finding. However, it is supportive documentation when corroborated through other means.

Audit Planning — An overall strategy developed for conduct and scope of the audit. The nature, extent, and timing of planning vary with size and complexity of the entity, experience with the entity, and knowledge of the business. In planning the audit, the auditor considers the entity's business and its industry, its accounting policies and procedures, the methods it uses to process accounting information, the planned assessed level of control risk, and the auditor's preliminary judgment about audit materiality.

Audit Risk — A combination of the risk that material errors exist and the risk that the errors will not be discovered by audit tests. Audit risk includes uncertainties because of sampling (sampling risk) and other factors (nonsampling risk).

Audit Trail — A record of transactions in an accounting system that provides verification of the activity of the system. A complete audit trail allows auditors to trace transactions in a client’s accounting records from original source documents into subsidiary ledgers through the general ledger and into basic financial statements and billings/invoices prepared and submitted by the entity.

Audit Universe — All potential audit activities within an organization; comprises all auditable units within an organization. These units can include a range of programs, activities, functions, structures, and initiatives, which collectively contribute to the achievement of the STA’s strategic objectives.

Auditable Units — Any organizational process or activity that can be audited. Internal auditors divide an organization into manageable auditable activities (auditable units) to define the audit universe, assess risk, and prioritize the use of audit resources.

Benford's Law — A mathematical law that applies to any population of numbers derived from other numbers (such as the dollar amount of a sale, found by multiplying the quantity sold times the unit price). It holds, for example, that 30% of the time the first non-zero digit of this derived number will be one, and it will be a nine only 4.6% of the time. Benford's law is used by auditors to identify unusual data patterns that may signal the presence of errors or fraud.

Change Order — Document required when work is added to or deleted from the original scope of work of a contract which alters the original contract amount and/or completion date.

Code of Federal Regulations (CFR) — The codification of the general and permanent rules published in the Federal Register by the executive departments and agencies of the federal government. The CFR is divided into 50 titles that represent broad areas subject to the federal regulation.

Contract Modification — A change to an existing contract for a change in scope or other factors which must be agreed to by all parties of the contract.

Control Environment — The attitude, awareness, and actions of the board, management, owners, and others about the importance of control. This includes integrity and ethical rules, commitment to competence, board or audit committee participation, organizational structure, assignment of authority and responsibility, and human resource policies and practices.

Cost Center — A grouping of incurred costs identified with a specific final cost objective.
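The Benford's Law entry above names a detection technique without showing the computation. The following is an added worked example, not from the AASHTO guide: it derives the expected first-digit shares (log10(1 + 1/d), which yields the 30% and 4.6% figures quoted), runs the first-digit test over a constructed Benford-conforming ledger, and flags a constructed set of amounts piled into one narrow band. The mean-absolute-deviation cutoff of 0.015 is an assumption taken from Nigrini's commonly cited first-digit thresholds.

```python
"""First-digit Benford test over constructed transaction amounts.

Added example; not part of the AASHTO guide. Expected shares are
log10(1 + 1/d). The nonconformity cutoff is an assumed threshold.
"""
import math
from collections import Counter

DIGITS = range(1, 10)

# Mean absolute deviation above this value is treated as nonconformity
# (assumption: Nigrini's first-digit conformity bands end at 0.015).
MAD_NONCONFORMITY = 0.015


def benford_expected():
    """Expected share of each leading digit 1..9 under Benford's Law."""
    return {d: math.log10(1 + 1 / d) for d in DIGITS}


def first_digit(amount):
    """Leading non-zero digit of an amount, or None for a zero amount.

    Scientific notation puts the leading non-zero digit first, which also
    handles amounts below 1 (0.0045 -> 4) and negatives (sign is dropped).
    """
    mantissa = f"{abs(amount):.15e}"
    digit = int(mantissa[0])
    return digit if digit else None


def benford_test(amounts, threshold=MAD_NONCONFORMITY):
    """Compare observed first-digit shares with Benford's expected shares.

    Returns the sample size, both distributions, the mean absolute
    deviation (MAD) across the nine digits and a nonconformity flag.
    """
    counts = Counter(d for d in map(first_digit, amounts) if d is not None)
    n = sum(counts.values())
    if n == 0:
        raise ValueError("no non-zero amounts to test")
    expected = benford_expected()
    observed = {d: counts[d] / n for d in DIGITS}
    mad = sum(abs(observed[d] - expected[d]) for d in DIGITS) / len(DIGITS)
    return {
        "n": n,
        "observed": observed,
        "expected": expected,
        "mad": mad,
        "nonconforming": mad > threshold,
    }


def largest_deviations(result, top=3):
    """Digits whose observed share departs most from expectation, largest first."""
    gaps = {d: result["observed"][d] - result["expected"][d] for d in DIGITS}
    return sorted(gaps.items(), key=lambda kv: abs(kv[1]), reverse=True)[:top]


def constructed_ledger(per_decade=1000, decades=4):
    """Constructed, Benford-conforming amounts: exponents evenly spaced over
    four decades ($1.00 to just under $10,000), rounded to cents."""
    return [round(10 ** (i / per_decade), 2)
            for i in range(per_decade * decades)]


def inject_clustered_amounts(amounts, count=1500, low=4500, width=500):
    """Constructed anomaly: append many amounts clustered in one narrow band
    (here $4,500 to $4,999), the kind of pile-up a first-digit test flags."""
    return amounts + [low + (i % width) for i in range(count)]


if __name__ == "__main__":
    cases = [("conforming", constructed_ledger()),
             ("clustered", inject_clustered_amounts(constructed_ledger()))]
    for label, ledger in cases:
        r = benford_test(ledger)
        print(f"{label}: n={r['n']} MAD={r['mad']:.4f} "
              f"nonconforming={r['nonconforming']}")
        for d, gap in largest_deviations(r):
            print(f"  digit {d}: observed {r['observed'][d]:.3f} "
                  f"expected {r['expected'][d]:.3f} ({gap:+.3f})")
```

A flagged digit is a signal to sample and vouch those transactions, not a finding by itself; small populations and amounts bounded by policy (fixed fees, capped reimbursements) legitimately depart from Benford's distribution.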
Cost Principles — Federal cost principles are intended to establish a uniform approach for determining costs and promoting effective program delivery, efficiency, and better relationships between grant recipients, subrecipients, and the federal government. The principles are promulgated to determine allowable costs, enforce compliance with federal grant requirements, and ensure that the federal government bears its fair share of costs except where restricted or otherwise prohibited by law.

Detection Risk — The risk audit procedures will lead to a conclusion that material error does not exist when, in fact, such error does exist.

DOT — A state Department of Transportation.

Direct Cost — Any cost that is identified specifically with a particular final cost objective. Direct costs are not limited to items that are incorporated in the end product as material or labor. Costs identified specifically with a contract are direct costs of that contract. All costs identified specifically with other final cost objectives of the contractor are direct costs of those cost objectives. Direct costs can include labor, materials, and reimbursable expenses incurred specifically for an agreement.

Engagement Letter — A letter that represents the understanding between the client and the CPA about the engagement. The letter identifies the financial statements and/or schedules and describes the nature of procedures to be performed. It includes the objectives of the procedures, an explanation that the financial information is the responsibility of the company's management, and a description of the form of auditor’s report.

Entrance Conference — A meeting between the auditor and the auditee during which the purpose and scope of the audit are discussed.

Exit Conference — A meeting between the auditor and the auditee held after completion of the audit that generally focuses on preliminary audit findings, which could change based on further audit testing, supervisory review, and additional information submitted by the auditee.

Federal Travel Regulation (FTR) — As contained in 41 CFR 300-304. The FTR implements policies for travel by federal civilian employees and others authorized to travel at the federal government’s expense.

Finding — Results from deficiencies in internal controls, fraud, illegal acts, violations of contract or grant provisions, and/or abuse. In accordance with GAGAS, when documenting a finding, the auditor should include the condition, criteria, cause, effect, and a recommendation for correction. Generally, auditors include management responses to reportable findings within the final audit report.

GAAP — Generally Accepted Accounting Principles – Widely accepted set of rules, conventions, standards, and procedures for reporting financial information, as established by the Financial Accounting Standards Board (FASB).

GAAS — Generally Accepted Auditing Standards – The ten auditing standards adopted by the membership of the AICPA. Auditing standards differ from audit procedures in that "procedures" relate to acts to be performed, whereas "standards" pertain to the quality of the performance of those acts and the objectives of the procedures.

GAGAS — Generally Accepted Government Auditing Standards – Also known as the “Yellow Book,” issued by the U.S. Government Accountability Office (GAO). GAGAS prescribe general procedures and professional standards that auditors must apply when performing government audits or attestation engagements.

General Administrative Expenses — Costs of operating a company that are incurred by, or allocated to, a business unit and are not directly linked to the company’s products or services.

Government Accountability Office — GAO — The audit, evaluation, and investigative arm of the United States Congress.

Indirect Cost — Any cost that is not directly identified with a single, final cost objective, but is identified with two or more final cost objectives or an intermediate cost objective. Recipients recover their indirect costs in their overhead rate.

Ineligible Cost — A cost that does not meet the terms of the agreement as well as federal and state statutes and regulations.

Inherent Risk — The risk that exists in an environment without the benefit of internal controls due to other factors such as the nature of transaction or activity. For example – complexity, frequent change, etc.

Inspection — An audit procedure that involves the auditor’s review of a document or record through physical examination to provide direct evidence of its content. This is a means of gathering direct evidence.

Internal Control — The plan of an entity and the methods and procedures adopted by management to ensure that the entity’s goals and objectives are met; that resources are used consistently with laws, regulations, and policies; that resources are safeguarded against waste, loss, and misuse; and that reliable data are obtained, maintained, and fairly disclosed in reports.

Narrative — A written description of an internal control system, procedure, or process.

Observation — An audit procedure that involves the auditor seeing or experiencing something first hand. It could include having the auditee walk through a process while the auditor observes and monitors the activities, procedures, and steps performed and observes security practices. Through the performance of this activity, the auditor is able to obtain direct evidence.

Overhead Expenses — All allowable general administrative expenses and fringe benefit costs not directly identified with a single final cost objective. Depending upon the size of the auditee, these costs may be separately identified on a schedule of overhead costs.

Overhead Rate — A rate computed by adding together all of an entity’s costs that cannot be associated with a single cost objective (e.g., general and administrative costs and fringe benefits costs), then dividing by a base value (usually direct labor cost). This rate is applied to direct labor, as incurred on projects, to allow an entity to recover the appropriate share of indirect costs allowable per the terms of the specific agreement.

Peer Review — A quality control program in which the audit documentation of one STA audit group is periodically (three years for GAGAS, five years for IIA) reviewed by independent partners of other STA groups to verify that it conforms to the standards of the profession.

Permanent Files — File containing information of continuing importance to engagements covering an auditable unit.

Project Authorization and Agreement — A contractual obligation of the federal government for payment of the federal share of project costs. The agreement will include a description of the project, the federal-aid project number, the work covered, total cost and amount of federal aid funds, the federal share of funds, signatures of state and federal officials, and any other provision set out by 23 U.S.C. 106 and/or 23 CFR.

Reasonable Cost — A cost is reasonable if, in its nature and amount, it does not exceed that which would be incurred by a prudent person in the conduct of competitive business.

Reconcile (reconciliation) — Efforts to prepare a schedule establishing agreement between separate sources of information, such as accounting records reconciled with the financial statements.

Reperformance — An audit procedure that involves the auditor redoing a certain activity or procedure to see if he or she arrives at the same results. The auditor’s reperformance of a particular control provides direct evidence to support whether a control is operating effectively.

Residual Risk — The risk that exists after consideration of the controls management has implemented to mitigate or transfer risk.

Resolution Process — The process used to resolve findings. It may involve negotiating a corrective action, reimbursing funds, and improving procedures.

Risk — The probability that an event or activity will occur that adversely impacts the achievement of an organization’s objectives.

Sample Size — The number of items selected when a sample is drawn from a population.

Sampling Error — The risk that the sample results will mislead the auditor, unless the auditor examines 100% of the population. The larger the sample, the less risk of sampling error and the greater the reliability of the results.

Sampling Risk — The possibility that conclusions drawn from the sample may not represent correct conclusions for the entire population.

Segregation of Duties — Assigning to different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets. Segregation of duties reduces the opportunities for one person to both perpetrate and conceal errors or fraud.

Single Audit — A rigorous, organization-wide audit or examination of an entity that expends $500,000 (currently) or more of federal assistance received for its operations. These are usually performed annually. The objective of a Single Audit is to provide assurance to the federal government as to the management and use of such funds by recipients such as states, cities, universities, and non-profit organizations. These audits are typically performed by an independent certified public accountant (CPA) and encompass both financial and compliance components.

Source Documentation — Documents that support the costs recorded in an entity’s records. Source documents can include timesheets, payroll registers, invoices, receipts, rental slips, cancelled checks, etc.

Test — An audit procedure whereby the auditor reviews certain transactions and processes or attributes against established criteria. The auditor then decides whether the audited entity complied with the criteria, which are established standards, practices, laws, regulations or requirements.

Tracing — An audit procedure that involves tracking information forward from one document to another subsequently prepared document or record. This test is performed as a means to test for the completeness of the document or record.

Unallowable Cost — An item of cost that is ineligible for cost reimbursement.

Verifying — The act of tracing a transaction from one document to the original support document.

Vouching — An audit procedure that involves tracking information from one document or record back into a previously prepared document or record or to some other reliable source. This procedure is performed in order to determine the validity of the information.

Walkthrough — Procedure whereby an auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records, using the same documents and information technology that company personnel use.