What Compliance Professionals Should Know about OIG Audits

OIG Standards Can Be Adopted for Internal Audits

Originally published in Journal of Health Care Compliance, May-June 2001

By Hank Vanderbeek,
Director of Healthcare Policy, IRP, Inc.

Professional and meaningful audits are an important part of a compliance program. An effective audit requires a solid understanding of the process and ingredients that make audits successful and should persuade the audited entity to correct deficiencies. This article discusses the steps necessary to conduct professional and meaningful audits that will stand up to scrutiny and motivate the user to action.

The Office of Inspector General is highly effective at conducting audits of federal programs. One factor the OIG uses to measure the success of its audits is how well the audited entity responds to the results of the audit. The OIG has learned that adhering to a common set of widely accepted standards has given the OIG and its audit reports credibility.

The bible for writing audit reports and developing audit findings is the Government Auditing Standards, or yellow book, issued by the comptroller general of the United States. These standards are often referred to as generally accepted government auditing standards (GAGAS). The lessons from ineffectual audits learned along the way became part and parcel of the yellow book. Consequently, every audit by every federal OIG has to be, by federal mandate, conducted in accordance with GAGAS.

Why Use the OIG Auditing Standards?

At this point you are probably asking yourself, what do government auditing standards have to do with me as a compliance professional in a nongovernmental organization? Good question! The answer is that the OIG has literally written the book on the how to conduct an audit. The yellow book contains battle-tested techniques that, if followed, will result in successful audits of any type and size of a program.

In addition to governmental applicability, the standards apply to audits of institutions of higher education and other nonprofit organizations that receive federal financial assistance, such as affiliated teaching hospitals. The yellow book also incorporates many American Institute of Certified Public Accounts' standards. In addition, the Institute of Internal Auditors and the American Evaluation Association have issued related standards. These are highly respected organizations that are always at the forefront in setting policy.

Accountability and Responsibility

Stockholders, employees, and other stakeholders want assurance that their employer is responsible and accountable, just as taxpayers want assurance that government is handling tax dollars properly and in accordance with applicable laws and regulations. The yellow book contains the auditing standards that can provide citizens and employees the accountability they demand of government and nongovernment employers.

Public and private officials are responsible for ensuring that goals and objectives are met, resources are safeguarded, laws are followed, and reliable information is maintained and fairly disclosed. Auditing is an essential part of public control and accountability. Therefore, it is vitally important that auditors and compliance professionals clearly understand and use the tools needed to assess performance and integrity of the accountable organization.

General Standards

The yellow book contains four general standards for conducting financial and nonfinancial audits. These standards are different and distinct from standards that relate to field work and preparing reports, which we will discuss later in this article. The standards apply to both governmental and nongovernmental organizations and are as follows:

•  Qualifications

Audits should be staffed with those who collectively have knowledge and skills necessary to conduct an audit. Outside consultants with requisite knowledge may need to be hired to complement audit staff. The OIG ensures that its staff receives a minimum number of hours of continuing education each year and maintains a record of training. Compliance professionals should also keep a record of their training.

•  Independence

Each auditor is responsible for maintaining independence so that opinions, conclusions, judgements, and recommendations will be viewed as impartial by third parties. This includes personal, external, and organizational impairments. A personal impairment might be a financial relationship, and an external impairment might be unreasonable restrictions on the time to complete an audit. To achieve organizational independence audit organizations and compliance professionals should report the results of their audits and be accountable to the head of the organization and should be located organizationally outside the staff or line function being audited. This helps to ensure that staff are free from political repercussion.

•  Due Professional Care

The OIG includes úaudit was conducted in accordance with generally accepted government auditing standardsî in audit reports. While it is not necessary that this statement be included in nongovernment audit reports, it is every auditor's responsibility to use sound professional judgment in determining standards that apply to audit work.

•  Quality Control

Every audit organization (e.g., the OIG and internal audit departments) should have an internal mechanism in place that reasonably assures that it has adopted and is following applicable audit standards, policies, and procedures and undergoes periodic external quality control reviews.

Communicating with the Entity Audited

Regardless of audit type § financial, performance, or a combination § one of the most important and often underestimated steps is communicating with the client. Clients can be the audit committee or anyone else who, in auditors' judgement, will be impacted and have oversight over an audit.

This communication should start with planning the audit. Planning includes a consideration of materiality and determining nature, timing, and extent of auditing procedures and in evaluating results of those procedures. Professional judgement should be used in determining form and content of communication, and the record should reflect the who, what, when, and where of the communication.

Communicating with appropriate officials early on reduces the risk that the needs or expectations of requestors and affected party may be misrepresented or misconstrued. It also vastly improves the chance of a successful audit by reducing or eliminating surprises.

Fraud and Illegal Acts

The yellow book has a straightforward way of explaining the difference between fraud and error. For example, an act that resulted in a material misstatement in a financial statement that is intentional is fraud.

Auditors and compliance professionals should be aware of the types of fraud that could surface in the subject matter undergoing an audit. The planning stage should include steps that will provide reasonable assurance of detecting fraud. Designing audits to readily identify incidents indicative of fraud or illegal acts has become increasingly important over the last several years. Federal auditors are required to be aware of characteristics of and types of fraud and potential effect on financial statements. They should proceed with caution not to interfere with potential future investigations and legal proceedings. The importance of this standard is recognized by both the AICPA and GAGAS and cannot be emphasized enough.

Know the Control Environment

A vital objective of all organizations is safeguarding assets and compliance with laws and regulations. Organizations establish control systems to meet this objective. A system of controls is often referred to as a control environment. A healthy and well-designed control environment will help to ensure that assets are safeguarded against waste, loss, misuse, and illegal acts. Financial controls should be designed to prevent and detect unauthorized transactions and unauthorized access to assets.

It is incumbent upon an auditor during the planning stage to gain a solid understanding of an organization's control environment and controls specific to high-risk subjects under review. In gaining an understanding of a system of controls related to processing computer data, an auditor would, as a minimum, consider the:

• extent computer-processed data can materially affect audited financial statements or management information systems;
• complexity of computer operations; and
• organizational structure of computer processing activities.

Compliance professionals relying on information from internal audit departments or outside audit reports should be aware of and assure themselves that a sufficient understanding of the pertinent controls audited was obtained. The yellow book requires that this understanding be well documented in audit working papers.

Anatomy of an Audit Finding

Audit reports contain audit findings.Audit findings usually contain five elements. They are condition, criteria, cause, effect, and recommendation. Let's discuss them:

1. Condition
   This is a situation that exists. For example, a large sum of money has been misappropriated.
2. Cause
   What happened that allowed a condition. To continue our example: One person opened mail, recorded checks, made deposits, and reconciled bank accounts. In other words, this condition would not exist had there been adequate separation of duties for handling cash receipts in accounts receivable.
3. Criteria
   This is a rule, standard, or measuring stick that guides performance. There cannot be a condition without criteria. Criteria has been violated, needs to be established or strengthened to prevent a condition from reoccurring. To continue our example: Generally accepted accounting principles regarding the separation of financial duties were not followed, and there was no organizational policy that addressed cash receipt handling.
4. Effect
   The yellow book describes effect as úthe extent to which negative or positive changes in actual physical, social, or economic conditions can be identified and attributed to program operations.î An audit objective may be to confirm a positive or determine existence or extent of a negative. Effect is often used to demonstrate the need for corrective action. The author has been involved in OIG audits involving theft of $25 from a nursing home patients' personal fund and waste and mismanagement of millions of dollars. To continue our example: Based on an exhaustive review of cancelled checks it was determined that $3,000 was misappropriated over a three-month period.
5. Recommendation
   A recommendation can prevent a condition from reoccurring if it is directed at what caused a problem. It should be action oriented, specific, addressed to the person with authority to act, feasible, practical, and cost-effective. To continue our example: The CFO should write and implement a policy that addresses separation of duties for handling cash receipts in accounts receivable.

Sufficient, Competent, and Relevant Evidence

Another aspect of the audit process is evidence, or burden of proof. Evidence obtained to support audit findings should be well-developed, sound, and convincing. Granted, evidence can be an intimidating experience for nonlegal professionals. However, the OIG uses the guideline roughly set forth in the yellow book for developing evidence for audit findings. The yellow book says that in order to afford a reasonable basis for auditors' findings and conclusions, evidence should be sufficient, competent, and relevant.

Evidence may be physical, documentary, testimonial, and analytical. Examples include photographs, charts, letters, contracts, invoices, interviews, questionnaires, computations, comparisons, et cetera. The OIG works closely with the audited entity during the evidence-gathering process and takes considerable pains to ensure that evidence is sufficient, competent, and relevant. The OIG usually enlists attorney opinion when necessary.

The author has been handed altered documents, documents prepared after the fact, and unsupportable testimony on many occasions. The key is to not accept evidence on its face. OIG auditors have a great deal of experience with developing evidence for audit findings. Federal OIG audits usually do not fail because of poorly developed evidence.

However, the burden of proof is much different in those instances where fraud is suspected. At this point, an auditor or compliance professional should turn the case over to an appropriate law enforcement agency who then would take responsibility for developing evidence. OIG auditors receive a great deal of training on rules of evidence. Compliance professionals may want to seek training on rules of evidence pertaining to audits and how and when to refer a case of suspected fraud.

An Auditor's Work Is Well Documented

A record of an auditor's work should be retained in the form of working papers. The yellow book is very specific about format and content of working papers. They should contain:

• objectives, scope, and methodology;
• support for conclusions and judgments;
• description of transactions and records examined; and
• evidence of supervisory review of work performed.

An experienced professional having no previous connection with an audit should be able to trace conclusions back to evidence used to support a conclusion and come to the same conclusion as the author of the report. Additionally, working papers should stand-alone. That is, a person reviewing working papers, and this includes a compliance professional, should come to the same conclusions as in the audit report without having to consult with the report writer for clarification. This is a stringent standard, but one that has served the OIG well over the years.

Another important use for working papers is to allow auditors, and compliance professionals, to avoid duplicate efforts. Audits performed in accordance with the yellow book standards have a high level of credibility. This is important when considering if an auditor's work should be redone.

Writing Reports

Absolutely no one wants to read long and awkward sentences, long paragraphs, or overly detailed reports. The author's aim is to write a complete, accurate, objective, convincing, clear, and concise article. The OIG spends a great deal of time and effort in accomplishing this task in writing audit reports. However, these characteristics are universal in communications that are meant to motivate to action.

The OIG recognizes considerable judgement exists in deciding the content of reports. Intended report users ultimately guide content. Where a one-page report is sufficient for an organizational head, a very detailed account of audit scope, objectives, methodology, and audit findings are sufficient for an entity head. The key is to strive for completeness, but not at the expense of conciseness. The OIG has made tremendous strides in its report writing over the years. With practice, so will compliance professionals and others who are new to report writing.

A Late Report Is of Little Value

To be of maximum use, reports should be timely. A studiously prepared report is of little use if it is delivered to action officials late. Important issues should be brought to the attention of appropriate officials as they are uncovered. This allows for corrective action before a report is completed. OIG auditors make use of written and oral interim reporting before preparing the final report. Unforeseen problems or flaws in audit plans also have a better chance of surfacing with the practicing of interim reporting.

Conclusion

This article discussed steps necessary to conduct professional and meaningful audits that will stand up to scrutiny and motivate users to action. We also pointed out that OIG audits are effective, by and large, because they are conducted in accordance with a rigorous set of standards. It is important to remember that federal auditing standards provide credibility only through objective acquisition and evaluation of information obtained and reported on. More importantly, the professional conducting the review, monitoring function, or audit, whether a compliance professional, auditor, coder, attorney, or researcher can benefit from knowing about and understanding the standards that OIG uses to conduct audits.

Acrobat

If your browser has the Adobe Acrobat Reader 3.0 plug-in (or higher),
you may view this article in Acrobat format.

If your browser does not already have the Acrobat Reader plug-in,
you may download it from the Adobe website.

<< back to Articles