Keep That Opinion!

By: Andrew C. Lewis, CGFM, CPA

Andrew C. Lewis, CGFM, CPA, is a senior manager with KPMG LLP’s government audit practice in Washington, D.C., and is an adjunct professor at The George Washington University. Mr. Lewis has also been on the board of the Montgomery-Prince Georges’ County AGA chapter for the past nine years.

Since the inception of the statutory requirements for federal agencies to prepare financial statements and subject them to audit, the quest for an unqualified audit opinion has been at the forefront of federal agencies’ financial management agendas. With two exceptions (the U.S. Departments of Defense and Homeland Security), all agencies that are significant to the Financial Report of the United States Government have successfully obtained an audit opinion (either qualified or unqualified) at least once.

However, history has shown that without sustained attention to developing an effective financial management infrastructure and maintaining strong financial management, an agency can lose the ability to prepare reliable financial statements. Further, the oversight by the U.S. Office of Management and Budget (OMB), along with the very public nature of the President’s Management Agenda (PMA) and the associated PMA Scorecard, has helped to drive some agencies from the sidelines and on to the field.

It’s important to point out that this discussion is not just limited to members of the federal community. State and local government personnel encounter the same obstacles and triumphs faced by their peers in the federal community.

So, after all of the long days of meetings to discuss policies and procedures, after chasing paperwork and documentation far and wide, after the countless weekends in the office surrounded mostly by financial management personnel and auditors, and after responding to the auditors’ questions (and questions and questions), what else have you achieved along your agency’s quest for an unqualified opinion?

In summary I ask, what good is a clean opinion?

What are the best ways to keep that opinion?

What are those significant risks and issues that could threaten your agency’s opinion?

MONDAY: Marie Force, AGA Communications Director, on "Do You Trust Your Government?"

Federal Auditing a Half-Century Ago: Some Personal Recollections

By: Edward W. Stepnick, CPA

Edward W. Stepnick, CPA (retired), a member of AGA’s Washington, D.C. Chapter, served as the first assistant inspector general for auditing in two federal departments—the former Department of Health, Education, and Welfare, and the Department of Labor—and as an associate director in the U.S. General Accounting Office.

In 1949, the GAO established a comprehensive audit program to modernize its audits of executive branch agencies. Professional audits were to be conducted at agency sites of operations instead of examining vouchers on a centralized basis. In September 1952, with two years of small CPA firm experience in Chicago, newly married, and the proud possessor of an Illinois CPA certificate and a shiny new Plymouth, I became one of the many accountants recruited for the program. My 15 years at GAO were the best of my professional career. I have never regretted what some of my family and friends regarded as my foolish decision to go to Washington, D.C., and become a federal auditor. Why were they worried? I would be a GS-11 making almost $6,000 a year!

My first GAO assignments were at the Treasury Department, principally the Bureau of Engraving and Printing, Bureau of the Public Debt, and Office of the Treasurer of the United States. Because the Bureau of Engraving and Printing, which manufactures U.S. and Federal Reserve currency and U.S. postage stamps, operated as a revolving fund and was required by law to prepare auditable financial statements, this assignment was one of very few at that time involving financial statements and thus provided a good transition from private sector work. (Government-wide requirements for audited financial statements were not established until almost 40 years later.)

Initially, my major concern was not getting lost in a strange city where streets suddenly disappear only to reappear elsewhere. “Here is a streetcar token,” the GAO personnel officer said, “Take the G Street car west to 14th Street, go south to the end of the line, and ask the guard at the Annex door for Vince. He will be your supervisor.” (Vince became a lifelong friend.) Later, I had even more anxious moments when I was left alone during an inventory observation in a room with hundreds of millions of dollars of completed currency piled next to me. When I nervously informed Vince, he advised, “When you begin to think of this stuff as anything other than just paper, let me know and we will reassign you.” Then, a few years later after I became the auditor-in-charge, a Bureau employee managed to stuff a large bundle of $100 bills down a toilet and recover it at a drainage outlet by the Anacostia River. Luckily, another employee noted during the daily inventory control count that one currency package seemed to weigh too little, and the U.S. Secret Service was able to recover much of the money before it was spent and before anybody thought about blaming the auditors.

Succeeding assignments at Treasury were much different, consisting mostly of first-time surveys of large-scale public debt and treasury operations for the purpose of establishing specific audit objectives and preparing audit programs—documenting procedures, tracing the flow of transactions numbering in the millions, identifying internal control, and analyzing reports and forms. We felt like pioneers in the Wild West, exploring uncharted territory that had never before been subject to penetrating audit scrutiny. By today’s standards, records were primitive, with vast amounts of paper, punched cards but no computers, and hundreds of ledgers that were manually posted for each redeemed U.S. savings bond.

This work identified a major problem with the comprehensive audit approach: an audit of an entire agency at one time took too long and was very difficult to manage. The audits needed to be segmented with narrower, more focused objectives.

Some of the work was based on congressional requests with political overtones. For example, a Republican administration under President Eisenhower had come to power after 20 years of Democratic rule, and they wondered whether the gold was still in Ft. Knox. Our audit team was sent there to inspect the seals, which fortunately were still intact. Also, for a short time I was detailed to help a congressional committee chairman (who was a persistent critic of “big city” banks) identify shortcomings in the internal audit reports of the Federal Reserve banks.

Why do these early audit experiences still engender vivid, fond memories? Although my later audit work carried much heavier responsibilities, resulted in more significant findings and received greater recognition, I don’t remember it as well. Was it because the first audits were less disciplined, more creative and more fun? Or perhaps—to an octogenarian—it has something to do with happy days and youthful exuberance! A little like remembering your first kiss!

What do you remember about the early days of your government career and how have things changed since then?

TOMORROW: Martin Ives, CGFM, CPA, CIA, distinguished professor of public administration at New York University’s R. F. Wagner Graduate School of Public Administration, on “Monitoring Government-Wide Financial Condition Risk”

Forensic Auditing—A Window to Identifying and Combating Fraud, Waste and Abuse

By: Jeffrey C. Steinhoff, CGFM, CPA, CFE

Jeffrey C. Steinhoff, CGFM, CPA, CFE, a member of AGA's Washington, D.C. and Northern Virginia Chapters, retired earlier this year as the managing director, Financial Management and Assurance, U.S. Governmental Accounting Office. He is an AGA Past National President.

“The rapid expansion of our nation’s benefit plans and costs over recent years has been accompanied by a parallel growth in the potential for fraud, waste, and abuse. One of the best ways of addressing the challenge of fraud, waste, and abuse is through computer matching. ….. Regarded as effective management tools, matching techniques can be used to examine extremely large amounts of computerized data quickly and cheaply.” This sounds like something you would hear today at an AGA educational event. But these are the words of Jim Durnil, the then Assistant Inspector General for Audit at the Department of Veterans Affairs, in an article published 25 years ago in the spring 1983 issue of AGA’s Journal of Government Financial Management.

Our ability to computer match, or in modern terms “data mine”, has come a long way in 25 years as evidenced by the burgeoning forensic auditing field. Unfortunately, the use of these tools has typically been the purview of the auditor and not management .

This blog essay provides a snapshot of an article I wrote for the Summer 2008 issue of the AGA Journal of Government Financial Management. The article was written for management from the perspective of an auditor, who has seen first hand the power of forensic auditing. The techniques used by auditors are equally applicable to management, who should always be the first line of defense against fraud, waste and abuse. My hope is that this paradigm will shift so that management becomes the predominant user of forensic auditing.

The article highlights three case studies using recent Government Accountability Office (GAO) reports, which used forensic auditing to identify internal control weaknesses that were exploited, resulting in fraud, waste, and abuse. A common thread in all three case studies is that it was unfortunate an audit had to put a face on the problem. The information was readily available to agency management from information they either owned or could have had access to just as GAO had access. It was just a matter of mining the data and then analyzing the anomalies. In this way, management would have known whether it had a problem that needed attention, rather than being embarrassed by an audit report that received widespread national media attention.

The article explores what management can do to avail itself of the powers of forensic auditing techniques as a first-line of defense against fraud, waste and abuse.

If you consider the following nine steps, you can be on your way to using forensic auditing on an ongoing, proactive basis, in a cost-effective manner as part of routine internal controls. These nine steps tie directly to what is needed to meet the objectives of OMB Circular A-123, Management’s Responsibility for Internal Control, so certain steps, or portions of steps, will hopefully have already been accomplished by management.

Now let’s quickly look at the nine steps to establish a viable, ongoing forensic auditing program. The article provides a richer discussion of the nine steps.

Step 1: Take Stock of Your Risks

Step 2: Determine How Your Risks Can be Exploited

Step 3: Determine What Information Is Available to Test for Fraud, Waste, and Abuse

Step 4: Develop Forensic Testing Protocols

Step 5: Perform Data Mining

Step 6: Analyze the Results of Data Mining

Step 7: Use the Results of Data Mining

Step 8: Sharing Experiences and Best Practices

Step 9: Do It All Over Again

Question for the bloggers: Should management take the initiative and seize the opportunity that technology provides today to establish a forensic auditing program or should we continue to view these powerful tools as largely the purview of the auditor?

TOMORROW: Michael Jacobson, Director of Performance Management, King County, WA, on "AGA's Certificate of Excellence for Performance Reporting Process: An Insider's Advice"

Questions on posting comments or wish to subscribe to the feed that sends blogs right to your e-mail? Find instructions here. Want to be our guest on the Blog? Contact Marie Force, AGA communications director, at mforce@cox.net.

Compliance with IIA and GAO Peer Review Standards

By: Sam M. McCall, CGFM, CPA, CIA, CGAP

AGA Past National President Sam M. McCall, CGFM, CPA, CIA, CGAP, a member of AGA’s Tallahassee Chapter, is the city auditor, City of Tallahassee, FL.

In reviewing the Institute of Internal Auditors (IIA) and U.S. Government Accountability Office (GAO) standards for audit organizations, I find it interesting, and inconsistent, that the GAO standards allow an audit organization to state compliance with GAO standards when the organization starts fieldwork on its first audit; whereas, the IIA does not allow the compliance statement until an external peer review has been completed.

In Standard 1330 of the International Standards for the Professional Practice of Internal Auditing, Red Book, internal auditors are encouraged to report that their activities are “conducted in accordance with The International Standards for the Professional Practice of Internal Auditing”; whereas, the Yellow Book in paragraphs 1.11 and 8.30, states that auditors should refer to compliance with GAGAS in the auditor’s report. The Yellow Book is more prescriptive in referencing audit standards followed.

In Standard 1330 of the Red Book, internal auditors can use the statement that the International Standards for the Professional Practice of Internal Auditing were followed only if assessments of the quality improvement program demonstrate compliance with the Standards. Further, Practice Advisory 1330-1 states that initial use of the compliance phrase is not appropriate until an external review performed within the past five years, has demonstrated the activity is in compliance with the Standards and Code of Conduct.

By comparison, the Yellow Book, in paragraph 3.53f allows the compliance statement to be made when starting the first audit under GAGAS with the understanding that an internal quality control process is in place, is being monitored, and supports the statement. Also, paragraph 3.55 (and the related footnote number 40) supports this understanding by stating that an external review requirement is effective within three years from the date an organization begins field work on its first assignment in accordance with GAGAS.

It would seem to me that the IIA should review and reconsider Standard 1330 and Practice Advisory 1330-1 to allow internal audit organizations to make the compliance statement when supported by an effective system of internal quality control and when beginning field work on the first audit under the IIA Standards. This would be allowed if any organization intends to comply with the external quality assessment review requirements.

I am wondering if other internal auditors are even aware of this more restrictive requirement of the IIA. Also, do they believe the IIA compliance statement should be allowed for internal auditors (1) when the organizations feels its internal quality control system is in place and starting fieldwork on their first audit or (2) only after an external quality control review has been performed and verifies that the organization is complying with IIA Standards?

TOMORROW: Wednesday: Steven Berkowitz, Independent Consultant in Federal Accounting, Budget, and Risk Management, on "Accounting for Human Capital"

Questions on posting comments or wish to subscribe to the feed that sends blogs right to your e-mail? Find instructions here. Want to be our guest on the Blog? Contact Marie Force, AGA communications director, at mforce@cox.net.

Auditing in the 21st Century

By: Lealan Miller, CGFM

Lealan Miller, CGFM, a member of AGA’s Idaho Centennial Chapter, is a partner with Eide Bailly LLP, and a member of AGA’s National Executive Committee.

The challenges and opportunities associated with auditing in the 21st Century have continued to evolve since I initially heard this topic presented by our current AGA National President, Rick Fair, CGFM, at the San Diego Professional Development Conference (PDC) in 2006. Subsequent to attending this conference, I have had several opportunities to speak on this same topic, and have been amazed at how much has changed since 2006!

As a result of the changes in our industry, I believe it is valuable to discuss ways in which we can continue to embrace the challenges and opportunities of auditing in the 21st Century, which auditors and their clients are faced with regularly, including:

• Doing more with less, • Effective usage of both internal and external resources, • Creating the integrated auditor, • Adapting to new organizational environments, • “Tuning In” on an organization’s strategic relationships, • Auditing in a highly automated environment, • Effective usage of automation to audit, • Addressing management concern with the cost and other effects of fraud, • Finding new tools to meet the audit challenge, • Meeting the challenges created by the new economy, and • Generational differences (Baby Boomers, Generation X, and Generation Y).

Since there is not enough time to address all of the above items, I would like to focus primarily on the following three items from the list above:

Doing More With Less

Although the number of qualified accounting students graduating from college has increased over the years, the overall demand for these professionals has also continued to increase. This results in an overall shortage of candidates to fill the current staff accountant positions. This differential will continue to increase as Baby Boomers begin to retire from the work force, leaving the rest of us to do the same amount of work.

Creating the Integrated Auditor

Technology continues to drastically change the environment in which we operate as auditing professionals. As a result, more is expected from less; auditors are expected to become integrated to be more efficient. The use of the Internet for research, computer networking in the field, to use the paperless audit process, and to take advantage of the use of the BlackBerry and Palm Pilots in communicating are but a few items that serve in shaping an “integrated” auditor.

In addition to integrating through technology, auditors need to understand the available resources that will assist them throughout the various aspects of auditing. No longer can the auditor “do it all.” IT audits, fraud and forensic audits, management consulting, and business valuation are just a few areas of expertise that are sometimes required to complete an audit. Successful auditors will understand the importance of accessing this expertise whether through employees of the same organization or outsourced from another.

Addressing Management Concern with the Cost and Other Effects of Fraud

Auditing Standards and those within the audit profession have been “preaching to the public” regarding those auditing procedures that are not necessarily designed to detect fraud in an organization. Even though this concept is often accepted within the profession, and the perception by the public is that the auditors should be not only identify but eliminate fraud. How often do we hear of instances of fraud, and subsequently the public outcry is usually “where were the auditors?” Since the Enrons, World Coms, the Delphias and the passage of Sarbanes Oxley, the auditing standards continue to evolve requiring the auditors to do more than document procedures performed to identify material misstatements as a result of fraud, but are now required to document the consideration of fraud risk, discussions with management regarding fraud, identification of specific fraud risk areas, and document how fraud risk was adequately addressed throughout the audit.

Overall, auditors focus on reducing fraud risk by recommending to management proper internal controls over the financial reporting accounting system. Working to mitigate the risk of fraud actually helps to minimize the costs associated with fraud if the instance were to be publicized.

In making recommendations to management regarding the implementation of internal controls, auditors should be aware of the associated costs. Too many controls may reduce the risk but in turn slow down the process, which becomes costly to management. It is a fine line having the right controls to reduce the risk of fraud but not at the expense of an organization’s overall operations.

Auditing in the 21st Century may have its share of challenges. However, I firmly believe that it also presents many exciting opportunities, and at another time those can be discussed in greater detail.

What new challenges have you encountered in your recent audit engagements? How has technology changed the scope of your work?

TOMORROW: Dave Bennett, CGFM, CPA, Deputy Mayor and Finance Director, Blount County, TN, and AGA National Treasurer on “Openness Drives Accountability”

Questions on posting comments or wish to subscribe to the feed that sends blogs right to your e-mail? Find instructions here. Want to be our guest on the Blog? Contact Marie Force, AGA communications director, at mforce@cox.net.