2019 Internal Audit Guide


AASHTO Internal Audit Guide 2019 Edition Table of Contents

TABLE OF CONTENTS

CHAPTER 1 — INTRODUCTION

1.1 Overview ........ 1
1.2 Why a Guide? ........ 1
1.3 Auditing Standards ........ 2
1.4 Engagements ........ 2

CHAPTER 2 — AUDITING STANDARDS

2.1 Generally Accepted Government Auditing Standards (GAGAS) ........ 3
2.2 International Standards for the Professional Practice of Internal Auditing (IIA) ........ 3
2.3 Comparison of IIA and GAGAS Standards ........ 5
2.4 References ........ 6

CHAPTER 3 — TYPES OF ENGAGEMENTS

3.1 Overview ........ 7
3.2 Types of Audits ........ 7
3.3 Attestation Engagements ........ 10
3.4 Non-Audit Services or Consulting Services ........ 11

CHAPTER 4 — AUDIT RISK ASSESSMENT AND AUDIT PLAN

4.1 Overview ........ 13
4.2 Identify Audit Universe or Auditable Units ........ 13
4.3 Benefits of Auditable Units ........ 13
4.4 Develop Permanent Files ........ 14
4.5 Risk Assessment ........ 15
4.6 Risk Assessment Criteria ........ 16
4.7 Consideration of Internal Controls ........ 17
4.8 Internal Control Weaknesses ........ 18
4.9 Analysis of Internal Audit Resources ........ 19
4.10 Developing the Audit Work Plan ........ 19

CHAPTER 5 — INTERNAL CONTROL

5.1 Overview ........ 21
5.2 COSO Categories ........ 21
5.3 Five Components of COSO ........ 22
5.4 COBIT ........ 25
5.5 Understanding an Auditee’s Internal Controls ........ 27
5.6 Documenting Internal Controls ........ 28
5.7 Internal Control over Financial Reporting ........ 29
5.8 Evaluation of Internal Controls ........ 29
5.9 Classifying Internal Control Weaknesses for Reporting ........ 30


CHAPTER 6 — USDOT AGENCIES AND DESCRIPTIONS

6.1 USDOT Agencies and Descriptions ........ 31
6.2 Office of the Secretary ........ 32
6.3 Federal Aviation Administration ........ 33
6.4 Federal Highway Administration ........ 34
6.5 Federal Motor Carrier Safety Administration ........ 37
6.6 Federal Railroad Administration ........ 37
6.7 Federal Transit Administration ........ 38
6.8 Maritime Administration ........ 40
6.9 National Highway Traffic Safety Administration ........ 40
6.10 Office of Inspector General ........ 42
6.11 Pipeline and Hazardous Materials Safety Administration ........ 42
6.12 Research and Innovative Technology Administration ........ 43
6.13 Saint Lawrence Seaway Development Corporation ........ 44
6.14 Surface Transportation Board ........ 44

CHAPTER 7 – STEWARDSHIP, OVERSIGHT, LAWS, AND REGULATIONS

7.1 Stewardship and Oversight Agreement between the FHWA and State Transportation Agencies ........ 46
7.2 Hierarchy ........ 47
7.3 Federal Requirements (2 CFR 200) ........ 48
7.4 Audit Requirements ........ 48
7.5 Catalog of Federal Domestic Assistance ........ 49
7.6 State Law ........ 49

CHAPTER 8 — INNOVATIVE FINANCING AND CONSTRUCTION DELIVERY METHODS

8.1 Grant Anticipation Revenue Vehicle (GARVEE) ........ 50
8.2 Transportation Infrastructure Finance and Innovation Act (TIFIA) ........ 50
8.3 Section 129 Loans (23 U.S.C. 129 (A)(7)) ........ 50
8.4 Tax Increment Financing (TIF) ........ 50
8.5 Private Activity Bonds (PABs) ........ 51
8.6 Public-Private Partnerships (P3s) ........ 51
8.7 Design-Build (DB) ........ 51
8.8 Construction Manager/General Contractor (CMGC) ........ 51

CHAPTER 9 – GENERAL AUDIT AND ATTESTATION PROGRAMS

9.1 Audit Program Purpose and Scope ........ 53
9.2 Phases ........ 53
9.3 Attestation Program Purpose and Scope ........ 55

GLOSSARY ..................................................................................................................................... 60


Chapter 1 – Introduction

1.1—OVERVIEW

This guide was developed by the Internal Audit Guide Subcommittee of the American Association of State Highway and Transportation Officials (AASHTO) Committee on Internal and External Audit with input from various federal partners.

State Transportation Agencies (STAs) have the same overall mission but are structured differently across the United States. Most STAs have internal auditors, external auditors, and inspectors general. Some audit groups are organized as standalone units and others are included as part of larger organizational components of the STA.

This guide focuses on the goals, functions, and services of an internal audit function within STAs. In addition, detailed practice aids are provided as a supplement to the guide. The Practice Aids provide overviews of the program area or activity and suggested audit objectives and steps for engagements related to various programs, activities, and responsibilities of an STA.

The Institute of Internal Auditors (IIA) defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

1.2—WHY A GUIDE?

This guide is designed to strengthen the stewardship and oversight functions performed by the STA internal audit function. An essential role of government is the stewardship and oversight of public expenditures. As government transportation expenditures grow and budgets and staffing shrink, the stewardship and oversight process for transportation programs must be enhanced. The purpose of this internal audit guide is to provide a tool that STA internal auditors can use to perform audits of transportation processes and programs.

This guide is intended to help auditors understand processes, terminology, policies, audit techniques, and sources for laws and regulations. The guide’s objective is to identify the audit universe in a general sense and provide a reference guide for the following items:

Internal Controls

Risk Assessment

Compliance with applicable laws and regulations

Federal programs

Effective use of resources


1.3—AUDITING STANDARDS

STA internal audit functions normally follow one of two commonly used sets of auditing standards: Generally Accepted Government Auditing Standards (GAGAS), issued by the Comptroller General of the United States, and The Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing (Standards). We will discuss the different auditing standards in the next chapter.

When necessary, internal auditors obtain additional guidance from standards issued by the American Institute of Certified Public Accountants (AICPA), the Enterprise Risk Management and Internal Control Frameworks from the Committee of Sponsoring Organizations of the Treadway Commission (COSO), guidance from the IIA, and other sources necessary for regulatory compliance requirements.

1.4—ENGAGEMENTS

Internal auditors perform a variety of assurance and consulting engagements. STA internal auditors may be responsible for:

Reviewing STA internal controls to ensure they are adequately designed and are functioning as intended.

Reviewing STA programs to ensure compliance with applicable federal and state laws and regulations, as well as STA policies and procedures.

Reviewing STA policies, procedures, and processes to ensure operational effectiveness and efficiency.

Reviewing programs to ensure that management has adequately safeguarded STA assets and ensured the proper use of taxpayer resources.

Reporting areas of risk, weaknesses, and/or improvement to the head of the STA or governing body and management.


Chapter 2 – Auditing Standards

2.1—GENERALLY ACCEPTED GOVERNMENT AUDITING STANDARDS (GAGAS)

Generally Accepted Government Auditing Standards (GAGAS), produced by the Government Accountability Office (GAO), contain requirements and guidance for entities conducting government audits and attestation engagements within the United States. Professional auditors must follow these standards when conducting financial audits or attestation engagements of government and non-profit organizations receiving federal funds subject to the audit requirements in Subpart F of 2 CFR 200 — Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards.

The use of GAGAS is also mandatory for federal inspectors general, many state and local government auditors, and some internal auditors, as well as CPA firms conducting single audits and other government audits. In addition, many auditors and audit organizations choose to voluntarily perform their work in accordance with GAGAS. GAGAS contains requirements for financial audits, attestation engagements and reviews of financial statements, and performance audits. Many international government audit organizations use GAGAS as guidance when conducting financial and performance audits, even when there is no specific legal requirement to do so.

2.2—INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (IIA)

The International Standards for the Professional Practice of Internal Auditing, produced by the IIA, is a globally recognized set of internal auditing standards used by internal audit functions throughout the world. The IIA states that the purpose of the Standards is to:

1. Guide adherence with mandatory elements of the International Professional Practices Framework.

2. Provide a framework for performing and promoting a broad range of value-added internal auditing services.

3. Establish the basis for evaluation of internal audit performance.

4. Foster improved organization processes and operations.

The Standards are a set of principles-based, mandatory requirements consisting of:

Statements of core requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance that are internationally applicable at organizational and individual levels.

Interpretations clarifying terms or concepts within the Standards.


The Standards, together with the Code of Ethics, encompass all mandatory elements of the International Professional Practices Framework; therefore, conformance with the Code of Ethics and the Standards demonstrates conformance with all mandatory elements of the International Professional Practices Framework (IPPF).

The Standards comprise two main categories: Attribute and Performance Standards. Attribute Standards address the attributes of organizations and individuals performing internal auditing. Performance Standards describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured. Attribute and Performance Standards apply to all internal audit services. Implementation Standards expand upon the Attribute and Performance Standards by providing the requirements applicable to assurance or consulting services.

Assurance services involve the internal auditor’s objective assessment of evidence to provide opinions or conclusions regarding an entity, operation, function, process, system, or other subject matter. The nature and scope of an assurance engagement are determined by the internal auditor. Generally, three parties are participants in assurance services: (1) the person or group directly involved with the entity, operation, function, process, system, or other subject matter — the process owner, (2) the person or group making the assessment — the internal auditor, and (3) the person or group using the assessment — the user.

Consulting services are advisory in nature and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice — the internal auditor, and (2) the person or group seeking and receiving the advice — the engagement client. When performing consulting services, the internal auditor should maintain objectivity and not assume management responsibility.

The Standards apply to individual internal auditors and the internal audit activity. All internal auditors are accountable for conforming with the standards related to individual objectivity, proficiency, and due professional care, and with the standards relevant to the performance of their job responsibilities. Chief audit executives are additionally accountable for the internal audit activity’s overall conformance with the Standards. If internal auditors or the internal audit activity are prohibited by law or regulation from conforming with certain parts of the Standards, conformance with all other parts of the Standards and appropriate disclosures are needed. If the Standards are used in conjunction with requirements issued by other authoritative bodies, internal audit communications may also cite the use of those other requirements, as appropriate. In such a case, if the internal audit activity indicates conformance with the Standards and inconsistencies exist between the Standards and the other requirements, internal auditors and the internal audit activity must conform with the Standards and may conform with the other requirements if those requirements are more restrictive.

Some government organizations conduct their engagements in accordance with both the IIA Standards and GAGAS. The IIA Standards are often implemented along with the performance audit requirements of GAGAS (chapters 1-3, 6, and 7). While GAGAS is used for conducting government audits by both external and internal audit organizations, it contains some specific requirements and guidance related to internal auditors and internal audit organizations. Each STA should determine which standards it follows and document that choice as part of its policies and procedures. Some STAs have laws that require them to follow one of the two standards, and some states require their agencies to follow both.

2.3—COMPARISON OF IIA AND GAGAS STANDARDS

GAGAS is commonly referred to as the “Yellow Book” and the IIA Standards are commonly referred to as the “Red Book.” The Institute of Internal Auditors (IIA) supplies a comparison of the IIA and GAGAS Standards on the IIA’s website:

https://na.theiia.org/standards-guidance/Public%20Documents/IIA%20International%20Standards%20and%20Government%20Audit%20Standards%20(GAGAS)%20-%20A%20Comparison,%202nd%20Edition.pdf

The following is a list of some of the most notable differences between the standards:

Each starts from a different definition of auditing and auditors.

GAGAS emphasizes accountability; IIA emphasizes governance, risk, and controls to add value.

IIA requires an internal audit charter; GAGAS does not.

GAGAS focuses on audit risk when planning an engagement, while IIA focuses on the organizational and process risks when planning an engagement.

Under GAGAS, an auditor must document his or her consideration of independence; the IIA Standards require internal auditors to have independence and state that an auditor “must have an impartial, unbiased attitude and avoid any conflict of interest.” The Standards also require “organizational independence” and provide definitions of “independence” and “objectivity.”

GAGAS requires external peer reviews every three years; IIA requires external peer reviews every five years.

GAGAS defines fieldwork and reporting standards for three types of engagements: financial audits; attestations and reviews of financial statements; and performance audits. IIA discusses assurance services and focuses on the auditor’s work and on governance, risk assessment, and controls.

IIA requires the development of an audit universe and an annual risk-based internal audit work plan, with approval of the plan by a governing body; GAGAS has no such requirement.

The concept of fraud is widely discussed in GAGAS. IIA requires auditors to perform work with due professional care by considering the probability of significant errors, fraud, or noncompliance. GAGAS has specific requirements for reporting fraud, waste, or abuse. Under GAGAS, auditors write ‘findings’ when fraud, abuse, internal control weaknesses and noncompliance are found; IIA requires auditors to “communicate engagement results and where appropriate, the communication must contain the internal auditor’s opinion and/or conclusions.” These results must include issues of fraud, abuse, internal control weaknesses, and noncompliance. Both standards require findings to include the condition, criteria, cause and effect, as well as a recommendation for each finding.

GAGAS requires 80 hours of certain types of CPE every two years; the IIA Standards state, “Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development,” but do not specify a required number of hours for non-certified members. However, Certified Internal Auditors are required to have a minimum of 40 hours of continuing education every year. Certified Government Auditing Professionals are required to have 25% of their hours in government-related training.

2.4—REFERENCES

https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx

http://gao.gov/yellowbook/overview

The Institute of Internal Auditors, Supplemental Guidance: IIA International Standards for the Professional Practice of Internal Auditing / Government Accountability Office Government Audit Standards (GAGAS): A Comparison, 2nd Edition

Leita Hart-Fanta, CPA, CGFM, CGAP, For the Orange, April 9, 2013


Chapter 3 – Types of Engagements

3.1—OVERVIEW

This chapter describes the different types of government audits, attestation engagements, and other non-audit services provided by internal audit organizations. This description is not intended to limit or require the types of services that may be conducted. In conducting the services described in this chapter, auditors should follow the applicable standards adopted by their STA.

3.2—TYPES OF AUDITS

Financial audits provide an independent assessment of whether an entity’s reported financial statements are presented fairly in all material respects in conformity with an acceptable financial framework. Other objectives of financial audits, which provide for different levels of assurance and entail various scopes of work, may include:

Providing an opinion for specified elements, accounts, or items of a financial statement

Reviewing interim financial information

Issuing letters for underwriters and certain other requesting parties

Reporting on the processing of transactions by service organizations

Auditing compliance with applicable requirements relating to governmental financial assistance

Financial audits for states, local governments, and non-profit organizations are generally performed through the Single Audit process by outside entities. In addition, many STAs have “external audit” groups that conduct financial and compliance audits of architectural and engineering firms to provide assurance that their indirect cost rates are developed in compliance with federal requirements.

Performance audits are objective and systematic examinations of evidence against specific criteria to provide an independent assessment of the control design and operating effectiveness of a program or processes implemented to meet agency objectives. Performance audits provide an objective analysis to assist management and those charged with governance and oversight in using the information to improve program performance and operations, reduce costs, facilitate decision making by parties with responsibility to oversee or initiate corrective action, and contribute to transparency and public accountability.


Performance audit objectives vary widely and include assessments of program effectiveness, economy, and efficiency; internal control; compliance; and prospective analyses (defined later). These overall objectives are not mutually exclusive. Consequently, a performance audit may have more than one objective.

Program effectiveness and results audits are frequently interrelated with economy and efficiency audits. Audit objectives that focus on program effectiveness and results typically measure the extent to which a program is achieving its goals and objectives. Audit objectives that focus on economy and efficiency address the costs and resources used to achieve program results. Examples of program effectiveness and results audits include assessing:

The extent to which legislative, regulatory, or organizational goals and objectives are being achieved, with outcomes that support the objectives of the program

The relative ability of alternative approaches to yield better program performance or eliminate factors that inhibit program effectiveness

The relative cost and benefits or cost effectiveness of program performance

Whether a program produces results or effects not intended by the objectives

The extent to which programs duplicate, overlap, or conflict with other programs

Whether the audited entity is following sound procurement practices

The validity and reliability of performance measures concerning the program’s effectiveness and efficiency

The reliability, validity, or relevance of financial information related to the performance of a program

Whether the outcomes achieved the objectives of the program

Internal control audits relate to an assessment of one or more aspects of an entity’s system of internal control. They are designed to provide reasonable assurance of achieving effective and efficient operations, reliability of reporting for internal and external use, or compliance with provisions of applicable laws and regulations. Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of the entity will be achieved. Internal controls consist of the plans, policies, methods, and procedures used to fulfill the organization’s mission, strategic plan, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations, and management’s system for measuring, reporting, and monitoring program performance.

Examples of audit objectives related to internal control include the extent to which a program provides reasonable assurance that:

Organizational missions, goals, and objectives are achieved effectively and efficiently.

Resources are used in compliance with laws, regulations, or other requirements.

Resources are safeguarded against unauthorized acquisition, use, or disposition.

Management information and public reports that are produced, such as performance measures, are complete, accurate, and consistent to support performance and decision-making.

Security over computerized information systems will prevent or detect unauthorized access.

Contingency planning for information systems provides essential back-up to prevent unwarranted disruption of activities and functions the systems support.

Compliance audits relate to assessments of compliance with criteria established by provisions of laws, regulations, contracts, grant agreements, internal policies, or other requirements that could affect the acquisition, protection, use, and disposition of the entity’s resources and the quantity, quality, timeliness, and cost of services the entity produces and delivers. Compliance requirements can be either financial or nonfinancial.

Information technology audits include the evaluation of internal controls related to the development, operation, maintenance, and management of the information technology environment, infrastructure, and data. Some of the areas addressed include:

Governance of policy and process documentation.

Physical and logical security.

Application and infrastructure assets.

Monitoring.

Business continuity/disaster recovery.

System development review.

IT audits are becoming increasingly important as record keeping and transmission of non-public personal information rely on automation.


When an information system is significant to the audit objective, the audit should include an evaluation of the information technology controls to provide reasonable assurance that the information being processed and produced by the system is valid and reliable.

Follow-up audits are designed to test the status and evaluate the effectiveness of corrective actions taken on audit issues reported in prior released reports.

3.3—ATTESTATION ENGAGEMENTS AND REVIEWS OF FINANCIAL STATEMENTS

The subject matter for attestation engagements may take many forms, including historical or prospective performance or condition, physical characteristics, analyses, system processes, and behavior. Attestation engagements may cover a broad range of financial or non-financial subjects and can be part of a performance review. Possible subjects of attestation engagements can include reporting on:

An entity’s internal control over financial reporting

An entity’s compliance with requirements of specified laws, regulations, rules, contracts or grants

The effectiveness of an entity’s internal control over compliance with specified requirements, such as those governing the bidding for, accounting for, and reporting on grants and contracts

Management’s discussion and analysis presentation

Prospective financial statements or pro-forma financial information

The reliability of performance measures

Final contract cost

Allowability and reasonableness of proposed contract amounts, and specific procedures performed on a subject matter (agreed-upon procedures)

There are three types of attestation engagements:

1. Examination

Examinations consist of obtaining sufficient evidence to express an opinion on whether the subject matter is based upon or in conformity with the criteria in all material respects, or whether the assertion is presented or fairly stated, in all material respects, based upon the criteria. Examinations provide the highest level of assurance outside of an audit. Since assurance is provided in an examination, the risk of undetected material misstatement must be reduced to a tolerable amount.


2. Review

Reviews consist of performing sufficient testing to express a conclusion about whether any information came to the auditors’ attention that indicates the subject matter is not based upon or in conformity with the criteria in all material respects. The auditor may conclude the assertion is not presented, in all material respects, based upon the criteria. Reviews provide negative assurance. Negative assurance means that nothing came to the auditors’ attention that would lead them to believe the subject matter did not conform to the criteria.

3. Agreed-upon procedures

Agreed-upon procedures consist of performing specific procedures on a subject matter and issuing a report of findings based upon the agreed-upon procedures. The auditors do not express an opinion about the subject matter but issue a report of findings based upon specific procedures performed on the subject matter.

3.4—NON-AUDIT SERVICES OR CONSULTING SERVICES

Internal audit organizations may provide non-audit services or consulting services. These types of services are generally performed at the discretion of the head of the audit organization, requested by management of a bureau/division within the STA, or for an oversight body or independent external organization. Designed and executed appropriately, these services generally do not impair the auditors’ independence. These services may be considered advisory services provided by an Internal Audit group to the STA. They are services, other than specific audit work, that are provided and are intended to add value and improve the organization’s governance, risk management, and control processes. Consulting services include counsel, advice, facilitation, or training regarding issues such as internal control structure, compliance, governance and risk management.

Consulting may come in the form of informal or formal consulting services. Informal consulting services generally consist of meeting with STA management and staff to discuss issues and requirements and provide advice. Generally, no formal documentation of these services is required. They might consist of discussing with management or staff where they can find information regarding certain requirements or explaining how the requirements are generally viewed by an auditor. They may include an explanation or training on the types of internal controls or their use.

Formal consulting comes in the form of a special project and requires documentation to support the services. The extent of the documentation required to support the services will depend upon the scope of the project and the work performed. However, sufficient evidence must be obtained to support any conclusions that are made.


Other examples of non-audit/consulting services include the following:

- Gathering and providing information to a requesting party without providing an evaluation or verification of the information
- Providing advice on potential improvements of standards, methodologies, policies, procedures, and internal control
- Providing assistance and technical expertise to legislative bodies or developing questions for use at legislative hearings
- Advising an entity regarding its performance of internal control assessments
- Providing advice to management officials to help them identify good business practices
- Conducting single audit desk reviews in accordance with 2 CFR 200

Audit organizations may also be asked to perform prospective analysis engagements. These engagements provide analysis or conclusions about information that is based upon assumptions about events that may occur in the future, along with possible actions that the entity may take in response to future events. Examples of prospective analysis engagements may include:

- Performing risk assessments to determine program or policy alternatives, including forecasting program outcomes under various assumptions
- Assessing the advantages and disadvantages of legislative proposals
- Analyzing views of stakeholders on policy proposals for decision-makers
- Identifying best practices for use in evaluating program or management system approaches, including financial and information management systems
- Producing a high-level summary that affects multiple programs or entities on issues studied or under study


Chapter 4 – Audit Risk Assessment and Audit Plan

4.1—OVERVIEW

This section describes general steps for developing an STA’s Audit Risk Assessment and Audit Plan. The audit plan is usually developed annually but should be considered a living document that will change and grow. Most audit plans are works in progress, and schedules change to meet department needs. A new program, department realignment/reorganization, or unexpected occurrences may change management’s needs, shifting some engagements to higher priority status and inserting engagements of new programs.

The audit plan should be based upon the risks of the organization. Internal audit management should prioritize the internal audit work based upon the risks of the various areas of responsibility of the STA.

4.2—IDENTIFY AUDIT UNIVERSE OR AUDITABLE UNITS

In order to determine appropriate audit coverage, internal audit management, with input from executive management, should identify the auditable units within the STA. This enables internal audit to link the Internal Audit Plan to the STA risks based upon the primary owner of the process. Any additional areas responsible for completion of that process should also be identified within the auditable units. This is a vital component of the risk assessment process and consists of dividing the entire STA into various control areas that cover all responsibilities and functions of the STA.

The key to maintaining a good schedule of auditable units is to periodically verify that there have been no changes or additions to the auditable units. The auditable units should be updated to reflect any changes in structure, functions or responsibility on at least an annual basis. When responsibility changes occur, historic data should be retained to reflect the previous responsibilities and audit coverage that was given.

Once identified, engagements performed and scheduled for each auditable unit can be tracked to ensure regular engagements are performed as necessary. This will also assist in developing the audit plan based upon length of time since last audit and ensure that all auditable units are considered in the audit plan. Some auditable units, however, may be low risk and not receive an engagement due to limited internal audit resources. The limited internal audit resources should be scheduled for areas of the STA which pose the highest risk.

Using the identified audit universe, prepare a matrix of engagements performed for each auditable unit. It is helpful to maintain at least three to five years of data to facilitate scheduling future engagements.

4.3—BENEFITS OF AUDITABLE UNITS

There are many benefits to developing the auditable units of the STA. These include, but are not necessarily limited to, the following:


- Provides the framework for monitoring the internal control structure of the STA by operational area and provides the foundation for the risk assessment process
- Allows Internal Audit to communicate with each division or office of the STA in a standardized manner to monitor the STA’s internal controls
- Provides a mechanism for confirming whether all processes have been captured
- Provides a means for monitoring historic audit coverage for all functions and activities of the STA
- Demonstrates compliance with the standards and laws that may govern the internal audit function
- Is considered an Internal Audit best practice

4.4—DEVELOP PERMANENT FILES

A permanent file is a useful tool to assist with the audit process. It provides basic and historic information for Internal Audit in assessing auditable units. These files are generally created as part of the audit process but may be created separately as time allows. This helps provide a starting point not only for the Internal Audit Plan Risk Assessment but also for audit specific risk assessments. It is also a primary source of information for the internal auditor assigned to a particular audit. Permanent files must be updated as changes occur for them to be useful. Suggested information for permanent files includes, but is not necessarily limited to, the following:

- Applicable statutes, rules, and regulations
- Policies and procedures, manuals, guidelines
- Prior audits (external, internal, federal) that relate to the area
- Internal control certifications
- List of information technology systems used
- Interview notes
- System narratives


4.5—RISK ASSESSMENT

Internal Audit should develop procedures to be followed each year in performing the STA’s internal audit risk assessment. Management input should be one of the factors considered. Internal Audit should consider holding meetings with various levels of management to gain a further understanding of the risks and controls of the auditable units. Internal auditors are the internal control and risk management experts in their agency. Audit planning should be used as an opportunity to educate and increase management’s understanding of the internal audit function and the risk assessment process, and to ensure that there is a common understanding of definitions. A risk assessment questionnaire could be provided to management to assist them in determining their sections’ risks and needs. The risk assessment questionnaire might include the following:

- Any changes to the auditable units
- New programs or initiatives
- Rapid growth or significant increases in funding or expenditures
- Turnover of key management or key personnel
- Reviews or audits by a federal agency (e.g., FHWA, FTA, FRA, FAA, NHTSA, FMCSA, GAO)
- Media exposure
- Law changes
- Administrative rule changes
- Information technology that was developed or had major modifications in the last year, or any that is currently in process or planned
- Any fraudulent activity, improper conduct, blatant disregard for procedures, or suspected or improper use of assets or state resources
- Any processes or programs they would like Internal Audit to review
- A ranking of what they consider to be the five most significant areas or processes for which they are responsible


Meetings should be scheduled with Executive Management and the Audit Committee, if applicable, to obtain their audit requests and areas of concern they would like considered. Consider informal sources of audit requests, such as concerns noted in conversations and emails from STA staff members, anonymous tips, and auditor observations and concerns noted in other audits. Perform risk assessments on all the auditable units to determine priorities taking into consideration any audit requests that are received. Each year, new audit requests may be added, and a risk assessment conducted to prioritize and insert new requests into the ongoing list.

4.6—RISK ASSESSMENT CRITERIA

A formal risk assessment should be developed which includes various criteria deemed significant to the STA. A risk assessment usually includes consideration of both the impact and the probability of occurrence for any given risk. Impact is fairly evident in the suggested criteria below; the probability of occurrence, however, should also be kept in mind for each of them. Suggested criteria may include, though are not limited to, the following:

- Revenues/expenditures
- Federal responsibilities/requirements
- Legal responsibilities/requirements
- Public impact or exposure
- Impact to the STA
- Management needs
- Date of last audit
- Prior experience with auditee
- Inherent risk factors (high activity, high volume, complexity of operations, dollar value of assets, etc.)
- Potential for fraud (improper conduct, suspected misuse, improper use of assets, blatant disregard for procedures)
- Strength of internal controls
- Reported problems on last audit, external audit, or U.S. Department of Transportation (USDOT) reviews
- Potential efficiency improvements
- New programs, initiatives or activities
- Change in key personnel
- New IT systems or major changes to IT systems key to the department
- Estimated audit time

4.7—CONSIDERATION OF INTERNAL CONTROLS

To achieve the objectives of the agency, management must sometimes place assets at risk. It is management's responsibility to decide how much and what risk it is willing to accept to achieve the objectives of the agency. Management mitigates risks and ensures that management’s objectives are met through the use of internal controls. Identifying and assessing threats helps management recognize vulnerabilities in the internal control system. Based upon this information, management can provide appropriate controls to mitigate risk. The internal auditor should consider these areas during their meeting with management to assess which programs and functions pose the highest risk to the agency and should therefore receive internal audit coverage first. Some common threats include the following:

- Management override - Controls are readily set aside at the option of management or personnel.
- Optional or incomplete controls - Controls that say “may” or those that give options without guidance for making decisions on how to proceed are not effective. Clear direction regarding the choice should be made.
- Form over substance - Controls appear to be well designed but are ineffective or miss their intended mark.
- Conflicts of interest - Cause personnel to place their interest above that of the organization.
- Access to assets - Having improper or unauthorized access to assets can result in theft, misuse or abuse.
- Inadequately trained or uninformed personnel - Personnel who don’t understand the reason or necessity for a particular control or the desired result may not properly execute the necessary steps.
- Inadequate separation of duties - Multiple control points are the responsibility of one person.

Chapter 5 discusses internal control in more detail.

4.8—INTERNAL CONTROL WEAKNESSES

Another key component of the risk assessment process is gaining an understanding of why internal control weaknesses occur. Understanding these weaknesses helps management monitor for appropriate and effective internal controls. Internal Audit should consider these factors and determine whether they exist as they walk through the risk assessment process with management. Some common reasons internal control weaknesses occur may include the following:

- Poorly designed or implemented internal control processes (the process becomes routine due to familiarity and steps in the process are overlooked)
- Information concerning a law, rule or procedure was not adequately communicated
- Employees not properly trained or instructed
- Personnel not knowledgeable of the importance of a step or process and its impact on another area
- Confusion over who is responsible (each area incorrectly thinks the other is handling the process)
- Time constraints
- Inadequate resources devoted to the process
- Employees unknowingly overlooked something
- Personnel are comfortable with the current process and resistant to change


4.9—ANALYSIS OF INTERNAL AUDIT RESOURCES

To determine the number of internal engagements to be scheduled, an analysis of available staff hours should be conducted. Internal audit management should consider the following in determining hours available:

- Total annual hours
- Holidays
- Annual leave
- Sick leave
- Training
- Miscellaneous administrative

Other considerations might include:

- Additional annual leave for long-term employees
- Retirements/resignations
- Time required to replace employees who retire or resign
- Furlough days
- Extended use of leave (family & medical leave, military leave, disability, and sick leave)
- Other types of reviews, consulting, and non-audit services

4.10—DEVELOPING THE AUDIT WORK PLAN

Based on the risk assessment and analysis of staff availability, an audit work plan should be developed. Remember to include any needs for audit follow-ups (e.g. 90 – 120 days). It may be helpful to develop two types of audit work plans. One type would give a narrative describing the engagement. The second type would be a scheduling tool to assign auditors to each selected engagement with time estimates across the twelve months. Another consideration for scheduling engagements is the auditee’s schedule, which may include deadlines or busy seasons. These factors as well as others specific to your STA should be considered when scheduling.

It may also be helpful to prepare a two-year audit plan to assist with prioritizing engagements and resources. However, the second year of the internal audit plan is always given reconsideration at the time of the development of the next year’s two-year plan. This is due to changes in circumstances and risks that may occur over the one-year period since the plan was last developed.

Final meetings with the STA’s chief executive officer and the audit committee, if applicable, should be scheduled to obtain concurrence and approval of the proposed audit work plan. Any scheduling concerns should be communicated at this time.
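The ranking, staffing and scheduling steps of Sections 4.6, 4.9 and 4.10 can be carried through in a short script. The following Python example is added here as an illustration and is not part of the AASHTO guide or any STA's tooling; the criterion weights, the per-auditor hour deductions, and the sample auditable units (their names, scores and hour estimates) are all constructed assumptions. It scores each unit as impact × probability, raises the probability for flagged factors from the criteria list (a new IT system, a change in key personnel, prior reported problems), adds a bonus for time since the last audit, derives available staff hours by the Section 4.9 subtraction, and then fills the plan in descending risk order while reserving hours for follow-ups, reporting the units that did not fit so they stay on next year's schedule.

```python
"""Prioritize auditable units by risk and fit them into available audit hours.

Added illustration for Sections 4.6, 4.9 and 4.10 of the guide. The weights,
the staffing deductions and the sample units below are constructed
assumptions, not figures from the guide or from any STA.
"""
from dataclasses import dataclass, field


@dataclass
class AuditableUnit:
    name: str
    impact: int             # 1 (low) .. 5 (high): consequence if the risk materializes
    probability: int        # 1 (low) .. 5 (high): likelihood of occurrence
    years_since_audit: int  # "date of last audit" criterion
    estimated_hours: int    # "estimated audit time" criterion
    flags: set = field(default_factory=set)  # e.g. {"new_it_system", "prior_findings"}


# Constructed weights: each flagged factor from the Section 4.6 criteria list
# raises the probability side of the score by one point.
PROBABILITY_FLAGS = {"new_it_system": 1, "key_personnel_change": 1, "prior_findings": 1}


def risk_score(unit: AuditableUnit) -> int:
    """Impact x probability, with probability raised by flagged factors (capped
    at 5) plus a coverage bonus for units not audited recently (capped at 5)."""
    prob = min(5, unit.probability + sum(PROBABILITY_FLAGS.get(f, 0) for f in unit.flags))
    coverage_bonus = min(unit.years_since_audit, 5)
    return unit.impact * prob + coverage_bonus


def available_hours(auditors: int, total_annual: int = 2080, holidays: int = 88,
                    annual_leave: int = 120, sick_leave: int = 40,
                    training: int = 40, admin: int = 80) -> int:
    """Section 4.9 arithmetic: engagement hours for the whole staff after the
    listed deductions (defaults are constructed per-auditor figures)."""
    per_auditor = total_annual - holidays - annual_leave - sick_leave - training - admin
    return auditors * per_auditor


def build_plan(units, hours_budget: int, followup_reserve: int = 0) -> dict:
    """Greedy plan: take units in descending risk order while hours remain.
    Units that do not fit are listed as deferred so they are still considered
    next year (Section 4.2: every auditable unit stays on the schedule)."""
    ranked = sorted(units, key=lambda u: (-risk_score(u), u.name))
    remaining = hours_budget - followup_reserve  # Section 4.10: keep follow-up time
    scheduled, deferred = [], []
    for u in ranked:
        if u.estimated_hours <= remaining:
            scheduled.append(u.name)
            remaining -= u.estimated_hours
        else:
            deferred.append(u.name)
    return {"scheduled": scheduled, "deferred": deferred, "unused_hours": remaining}


# Constructed sample audit universe; names and figures are illustrative only.
SAMPLE_UNITS = [
    AuditableUnit("Construction contract payments", 5, 3, 2, 600, {"prior_findings"}),
    AuditableUnit("Driver records system", 4, 2, 4, 400, {"new_it_system"}),
    AuditableUnit("Fleet fuel cards", 3, 3, 1, 250),
    AuditableUnit("Federal-aid grant reporting", 5, 2, 0, 500, {"key_personnel_change"}),
    AuditableUnit("Print shop", 1, 1, 6, 150),
]

if __name__ == "__main__":
    budget = available_hours(auditors=1)          # 1712 hours for one auditor
    plan = build_plan(SAMPLE_UNITS, budget, followup_reserve=200)
    for u in sorted(SAMPLE_UNITS, key=lambda u: -risk_score(u)):
        print(f"{risk_score(u):3d}  {u.estimated_hours:4d}h  {u.name}")
    print(plan)
```

With one auditor the two lowest-ranked units are deferred for lack of hours; the deferred list is what carries into the second year of a two-year plan, where Section 4.10 says it must be reconsidered rather than assumed.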


Chapter 5 – Internal Control

5.1—OVERVIEW

Internal control is a system implemented by an organization’s governing body and management that helps ensure key financial, operational, and regulatory objectives are achieved. Internal control is affected by an entity’s management and other personnel; it is not merely policy manuals and forms but involves people at every level of an organization. Internal control is pervasive, impacting people, process, and technology. It can be expected to provide reasonable assurance, not absolute assurance, to an organization’s management.

Some STAs have implemented an Enterprise Risk Management (ERM) program or a similar second line of defense program. ERM is defined by the Committee of Sponsoring Organizations (COSO) as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." STA internal audit functions often work with STA ERM functions to ensure key internal controls are in place to mitigate identified risks. An STA’s internal audit function should be aware of this framework if an ERM function has implemented it.

This review guide adopts the internal control direction provided by COSO. In May 2013, COSO updated its Internal Control – Integrated Framework to take into account changes in business environment and operations over the last 20 years. In 2017, COSO updated its Enterprise Risk Management — Integrated Framework. It addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. The updated document, Enterprise Risk Management — Integrating with Strategy and Performance, highlights the importance of considering risk in both the strategy-setting process and in driving performance.

5.2—COSO CATEGORIES

Internal control is broadly defined as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three COSO categories:

1. Reporting - related to the internal and external financial and nonfinancial reporting to stakeholders, encompassing reliability, timeliness, transparency, or other elements as established by regulators, standard setters, or the entity’s policies

2. Compliance - adhering to those laws and regulations to which the entity is subject, where non-compliance could result in penalties, fines or negative impacts to reputation

3. Operations - addresses an entity’s basic business objectives, including performance, goals and the safeguarding of resources.

In assessing the design and operating effectiveness of internal controls under the COSO framework, management also considers the five components of internal control as depicted in the COSO “Cube”. If designed and operating effectively, controls within these five components in totality provide a framework for internal control. The 2013 framework incorporates 17 principles that support these five components. For effective internal controls, the 2013 framework requires that each of the five components and 17 relevant principles be present and functioning, and that the five components must operate together in an integrated manner.

“Present” means that the components and relevant principles exist in the design and implementation of the system of internal control.

“Functioning” means that the components and relevant principles continue to exist in the conduct of the system of internal control.

5.3—FIVE COMPONENTS OF COSO

1. Control Environment

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the set of standards, processes, and structures that provides the basis for carrying out internal control across the organization. It is the foundation for all other components of internal control, providing discipline and structure.

The five principles relating to control environment are:

1) The organization demonstrates a commitment to integrity and ethical values.

2) The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

3) Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

4) The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

5) The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

2. Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. Risk assessment is the identification and analysis of relevant risks that could affect the achievement of the entity’s objectives, forming a basis for determining how the risks should be managed.

The four principles relating to risk assessment are:

1) The organization specifies objectives with enough clarity to enable the identification and assessment of risks relating to objectives.

2) The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

3) The organization considers the potential for fraud in assessing risks to the achievement of objectives.

4) The organization identifies and assesses changes that could significantly affect the system of internal control.

3. Control Activities

Control activities are the policies and procedures that help determine if management directives are carried out. They help facilitate the necessary actions required to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

The three principles relating to control activities are:

1) The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

2) The organization selects and develops general control activities over technology to support the achievement of objectives.

3) The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action.


4. Information and Communication

Pertinent information must be identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities. Information systems produce reports, containing operational, financial, and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but with information about external reporting as well. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and stakeholders.

The three principles relating to information and communication are:

1) The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

2) The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

3) The organization communicates with external parties about matters affecting the functioning of internal control.

5. Monitoring Activities

Internal control systems need to be monitored (a process that assesses the quality of the system’s performance over time). This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The 2013 Framework distinguishes between a management review control as a control activity and a monitoring activity. A management review control that is a control activity responds to a specified risk and is designed to detect and correct errors. However, a management review control that is a monitoring activity would ask why the errors exist, and then assign the responsibility of fixing the process to the appropriate personnel.

The two principles relating to monitoring activities are:

1) The organization selects, develops, and performs ongoing or separate evaluation to ascertain whether the components of internal control are present and functioning.

2) The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.


The COSO 2013 Framework became effective December 15, 2014. For internal auditors seeking governmental criteria for internal control findings, testing or review, the GAO’s Standards for Internal Control in the Federal Government, known as the “Green Book,” sets standards for an effective internal control system for Federal agencies. Green Book contains similarities to COSO and is sometimes adopted by an STA. Regardless of whether Green Book is officially adopted by an STA, the concepts contained therein can be helpful to auditors and government entities.

5.4—COBIT

While COSO is commonly accepted as the internal control framework for organizations, the Control Objectives for Information and related Technology (COBIT) is the accepted internal control framework for the information technology (IT) environment. COBIT was first released by the Information Systems Audit and Control Foundation (ISACF) in 1996 and has been updated to include current IT governance principles and emerging international, technical, professional, regulatory, and industry-specific standards. The resulting control objectives have been developed for application to organization-wide information systems. Now in Edition 4.1, COBIT is intended to meet the multiple needs of management by bridging gaps between business risks, control needs, and technical issues.

The COBIT framework is based on the following principle:

To provide the information that the organization requires to achieve its objectives, the organization needs to invest in and manage and control IT resources using a structured set of processes to provide the services that deliver the required organization information.

The COBIT framework identifies 34 IT processes and defines an approach to providing control over these processes. It provides a generally applicable and accepted standard for sound IT security and control practices to support management’s needs in determining and monitoring the appropriate level of IT controls for their organizations.

The COBIT framework is structured in four principal domains. Each domain includes unique processes which together make up the 34 IT processes discussed above. This structure serves as a process model for an enterprise to manage IT activities.

1. PLAN AND ORGANIZE (PO)

The Plan and Organize domain covers strategy and tactics and identifies how IT can best contribute to the achievement of the business objectives. The realization of the strategic vision needs to be planned, communicated, and managed for different perspectives. A proper organization as well as technological infrastructure should be put in place. The Plan and Organize domain addresses the following processes:

PO1—Define a strategic IT plan


PO2—Define the information architecture

PO3—Determine technological direction

PO4—Define the IT processes, organizations, and relationships

PO5—Manage the IT investment

PO6—Communicate management aims and direction

PO7—Manage IT human resources

PO8—Manage quality

PO9—Assess and manage IT risks

PO10—Manage projects

2. ACQUIRE AND IMPLEMENT (AI)

To realize the IT strategy, IT solutions need to be identified, developed or acquired, and implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to ensure the solutions continue to meet business objectives. The Acquire and Implement domain addresses the following processes:

AI1—Identify automated solutions

AI2—Acquire and maintain application software

AI3—Acquire and maintain technology infrastructure

AI4—Enable operation and use

AI5—Procure IT resources

AI6—Manage changes

AI7—Install and accredit solutions and changes

3. DELIVER AND SUPPORT (DS)

The Deliver and Support domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities. It addresses the following processes:

DS1—Define and manage service levels

DS2—Manage third-party services

DS3—Manage performance and capacity


DS4—Ensure continuous service

DS5—Ensure systems security

DS6—Identify and allocate costs

DS7—Educate and train users

DS8—Manage service desk and incidents

DS9—Manage the configuration

DS10—Manage problems

DS11—Manage data

DS12—Manage the physical environment

DS13—Manage operations

4. MONITOR AND EVALUATE (ME)

All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. The Monitor and Evaluate domain addresses performance management, monitoring of internal control, regulatory compliance, and governance. It addresses the following processes:

ME1—Monitor and evaluate IT performance

ME2—Monitor and evaluate internal control

ME3—Ensure compliance with external requirements

ME4—Provide IT governance

5.5—UNDERSTANDING AN AUDITEE’S INTERNAL CONTROLS

The auditor’s understanding of the client’s internal control is usually gained through the following procedures:

Prior experience with the entity

This can be a major source of audit efficiency in recurring audits. Because systems and controls usually don’t change frequently or significantly from year to year, information obtained by the auditor in previous audits of the entity can be updated and carried forward to the current year’s audit.

Inquiries of management, supervisory, and staff personnel within the entity


The auditor may inquire about the types of accounting documents used to process transactions and about control activities that have been placed in operation for authorizing, for example, a credit.

Observation of client activities and procedures

The auditor can observe client personnel in the process of preparing accounting records and documents and carrying out their assigned accounting and control functions.

Inspection of accounting documents and records

By inspecting actual, completed documents and records, the auditor can better understand their application to the entity’s internal control. The auditor may wish to obtain copies of sample documents used by the entity for inclusion in the permanent file.

Entity’s policy and system manuals

This includes both (1) policy manuals and documents, and (2) system manuals and documents, such as an accounting manual and an organization chart.

5.6—DOCUMENTING INTERNAL CONTROLS

The auditor documents their understanding of internal controls to:

Provide evidence of the understanding of the design of significant processes.

Identify key risks within the process.

Identify controls that would prevent or detect errors from occurring within the process.

Identify control gaps and process improvement opportunities.

This documentation may take several forms such as:

Flowchart – A diagram that shows step-by-step progression through a procedure or system, especially using connecting lines and a set of conventional symbols. The purpose of flowcharting is to:

Be a tool for analyzing processes.

Break down processes into individual events and activities, usually by process or event owner.

Identify interdependencies across the business.

Link system and manual activities.

Identify control gaps, segregation of duties problems, and inefficiencies.

Narrative – A document that describes a process or transaction flow using words rather than a pictorial representation. The purpose of a narrative is to:

Provide evidence of understanding of a process.

Identify and document key risks, controls, and control gaps.

Confirm understanding with the process owner.

Provide knowledge that can be used in future years by other employees.

Walkthrough – A document that traces one representative transaction through a process from beginning to end. The purpose of a walkthrough is to:

Confirm understanding of the significant flow of transactions.

Confirm understanding of the relevant controls.

Confirm that relevant controls have been placed in operation.

Confirm process documentation.

Internal Control Questionnaire – Designed to identify basic control issues and used as a guide for improving or implementing good business practices and complying with policies and procedures.

5.7—INTERNAL CONTROL OVER FINANCIAL REPORTING

Auditors must understand the concepts of internal control; specifically, internal control over financial reporting. The AICPA’s Statement on Auditing Standards No. 115, as applicable, requires auditors to evaluate whether identified internal control deficiencies are significant deficiencies or material weaknesses, as they relate to financial reporting reliability. In addition, the conclusion that significant internal control deficiencies or material internal control weaknesses exist should be communicated in writing to management and the entity’s governing body.

A sound system of internal control over financial reporting includes control design and operating effectiveness to provide reasonable assurance that the entity’s financial statements are fairly presented in accordance with generally accepted accounting principles.

Internal controls over financial reporting are evaluated based upon the auditor’s risk assessment procedures to determine whether controls are designed adequately and operating effectively to provide reasonable assurance of financial reporting reliability. The entity’s ability to prevent and detect financial misstatement is evaluated and determines whether a significant deficiency or material weakness exists.

5.8—EVALUATION OF INTERNAL CONTROLS

Auditors can verify if controls are implemented as designed through testing, reviews, observations, and analytical procedures. Auditors can determine the validity and accuracy of transactions, as well as determine compliance with applicable rules, laws and procedures, and assess the adequacy of existing controls. Evaluation tools include:

Testing by statistical sampling – focuses on sampling techniques that provide assurance based on sampling risk that the auditor and stakeholders deem acceptable

Testing by direct sampling – focuses more closely on specific transactions or certain types of transactions and can be used when the population under review is not homogeneous


Reviews/interviews – used when the performance of a process does not lend itself to normal testing procedures

Observation – looks at actual practices to see if appropriate controls are in place and working

Analytical procedure – takes information as a whole and applies some set standard, analysis or comparison

5.9—CLASSIFYING INTERNAL CONTROL WEAKNESSES FOR REPORTING

Upon determining that controls are inadequately designed or implemented, auditors shall communicate the weakness to management based upon the likelihood and magnitude of the concern. This communication may be verbal, written via an informal management letter, or reported formally, such as in the audit report. The matrix below can help auditors determine how or where to report the weakness to management.

Rows: Likelihood of Misstatement or Error. Columns: Magnitude of Misstatement (or Error) that Occurred or Could Occur.

Likelihood | Inconsequential | More than Inconsequential but Less than Material | Material
Remote | Not a significant deficiency or material weakness. Do not report. | Not a significant deficiency or material weakness. Report informally, verbally or via management letter. | Not a significant deficiency or material weakness. Report informally, verbally or via management letter.
More than remote | Not a significant deficiency or material weakness. Report informally, verbally or via management letter. | Significant deficiency. Report formally, via audit report. | Material weakness. Report formally, via audit report.


Chapter 6 – USDOT Agencies and Descriptions

6.1—USDOT AGENCIES AND DESCRIPTIONS

The United States Department of Transportation (USDOT) is responsible for overseeing all federal transportation programs. The USDOT was established by an act of Congress, signed into law by President Lyndon B. Johnson on October 15, 1966. The Department's first official day of operation was April 1, 1967. The USDOT consists of the Office of the Secretary, an independent Office of Inspector General (OIG), and the following 11 individual Operating Administrations: the Federal Aviation Administration (FAA), the Federal Highway Administration (FHWA), the Federal Motor Carrier Safety Administration (FMCSA), the Federal Railroad Administration (FRA), the National Highway Traffic Safety Administration (NHTSA), the Federal Transit Administration (FTA), the Maritime Administration (MARAD), the Saint Lawrence Seaway Development Corporation (SLSDC), the Research and Innovative Technologies Administration (RITA), the Pipeline and Hazardous Materials Safety Administration (PHMSA), and the Surface Transportation Board (STB). The Office of the Secretary, the OIG, and the 11 Administrations of USDOT are discussed in more detail on their website at:

http://www.dot.gov/administrations

Office of the Secretary of Transportation (OST)

Federal Aviation Administration (FAA)

Federal Highway Administration (FHWA)

Federal Motor Carrier Safety Administration (FMCSA)

Federal Railroad Administration (FRA)

Federal Transit Administration (FTA)

Maritime Administration (MARAD)

National Highway Traffic Safety Administration (NHTSA)

Office of Inspector General (OIG)

Pipeline and Hazardous Materials Safety Administration (PHMSA)

Research and Innovative Technology Administration (RITA)

Saint Lawrence Seaway Development Corporation (SLSDC)

Surface Transportation Board (STB)

The next several sections provide more information about the Office of the Secretary, Office of Inspector General and 11 Administrations of USDOT.

6.2—OFFICE OF THE SECRETARY http://www.dot.gov/office-of-secretary

Leadership of USDOT is provided by the Secretary of Transportation through the Office of the Secretary. The Secretary of Transportation is the principal adviser to the President of the United States in all matters relating to federal transportation programs. The Secretary of Transportation is assisted in these responsibilities by a Deputy Secretary of Transportation. The Office of the Secretary is responsible for the formulation of national transportation policy and promotes intermodal transportation. Specifically, the Office is responsible for:

Negotiating and implementing the international transportation agreements

Ensuring the fitness of U.S. airlines and enforcing airline consumer protection regulations

Coordinating an effective highway transportation system

Ensuring motor carrier safety for the operation of commercial motor vehicles

Promoting safe, and environmentally sound rail transportation

Promoting, developing, and maintaining an adequate water transportation system

Reducing deaths, injuries, and economic losses resulting from motor vehicle crashes

Issuing regulations to prevent alcohol and illegal drug misuse in transportation systems

Developing improved mass transportation systems for cities and communities nationwide

Overseeing the safety of shipments of hazardous materials in the United States and the nation's energy that is transported by pipelines

Identifying and facilitating solutions to the challenges and opportunities facing America’s transportation system

Operating and maintaining a safe, reliable, and efficient waterway for commercial and noncommercial vessels between the Great Lakes and the Atlantic Ocean

Ensuring that competitive, efficient, and safe transportation services are provided to meet the needs of shippers, receivers, consumers

Preparing transportation-related legislation

These tasks are accomplished through the 11 USDOT operating administrations discussed below. Primary state interaction is through various grant programs; for specific information regarding the available programs and their significant compliance requirements, see the Catalog of Federal Domestic Assistance (CFDA) web site at:

http://beta.SAM.gov

In addition, federal grant guidance has been combined and is now located at 2 CFR Part 200: “Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards.”

6.3—FEDERAL AVIATION ADMINISTRATION http://www.faa.gov/

The Federal Aviation Administration (FAA) oversees the safety of civil aviation. The FAA’s main priority is its safety mission, which includes the issuance and enforcement of regulations and standards related to the manufacture, operation, certification, and maintenance of aircraft. The agency is responsible for the rating and certification of airmen and for certification of airports serving air carriers. It also regulates a program to protect the security of civil aviation and enforces regulations under the Hazardous Materials Transportation Act for shipments by air. Programs implemented by STAs for oversight of aeronautics are based upon these federal regulations. The FAA operates a network of airport towers, air route traffic control centers, and flight service stations; develops air traffic rules; allocates the use of airspace; and provides for the security control of air traffic to meet national defense requirements. Other responsibilities include the construction or installation of visual and electronic aids to air navigation and promotion of aviation safety internationally. The FAA, which regulates and encourages the U.S. commercial space transportation industry, also licenses commercial space launch facilities and private sector launches.

Primary interaction of STAs pertains to the issuance of grants for the planning and development of public use airports through the Airport Improvement Program (AIP). In some states, these grants are passed through the STA, and in other states grants are issued directly to airports or airport authorities, depending upon that state’s authority and laws.

To promote the development of a system of airports to meet the nation's needs, the federal government embarked upon a grants-in-aid program for units of state and local governments shortly after the end of World War II. The first program was the Federal-Aid Airport Program (FAAP), which was authorized by the Federal Airport Act of 1946. In 1970, a more comprehensive program was established with the passage of the Airport and Airway Development Act of 1970. This Act provided grants for airport planning under the Planning Grant Program (PGP) and for airport development under the Airport Development Aid Program (ADAP). The current grant program, AIP, was established by the Airport and Airway Improvement Act of 1982 (Public Law 97-248). Since then, the AIP has been amended several times, most recently with the passage of the FAA Modernization and Reform Act of 2012. Funds obligated for the AIP are drawn from the Airport and Airway Trust Fund, which is supported by user fees, fuel taxes, and other similar revenue sources.

Grants through AIP are provided for improvements to public use airports. A public use airport is an airport that has been included in the National Plan of Integrated Airport Systems (NPIAS). The NPIAS, which is prepared and published every 2 years, identifies public-use airports that are important to public transportation and contribute to the needs of civil aviation, national defense, and the Postal Service.

A public-use airport is an airport open to the public that also meets one of the following criteria:

Publicly owned

Privately owned but designated by FAA as a reliever

Privately owned but having scheduled service and at least 2,500 annual enplanements

Recipients of grants are referred to as "sponsors." Eligible grant activities are described in the authorizing legislation and relate to capital items serving to develop and improve the airport in areas of safety, capacity, and noise compatibility. In addition to these basic principles, a sponsor must be legally, financially, and otherwise able to carry out the assurances and obligations contained in the project application and grant agreement. Eligible projects include those improvements related to enhancing airport safety, capacity, security, and environmental concerns. In general, sponsors can use AIP funds on most airfield capital improvements or repairs and, in some specific situations, for terminals, hangars, and non-aviation development. Other eligible activities include any professional services that are necessary for eligible projects, such as planning, surveying, and design. Aviation demand at the airport must justify the projects, which must also meet Federal environmental and procurement requirements.

6.4—FEDERAL HIGHWAY ADMINISTRATION http://www.fhwa.dot.gov/

The Federal Highway Administration (FHWA) coordinates highway transportation programs in cooperation with states and other partners to enhance the country's safety, economic vitality, quality of life, and the environment. The first comprehensive federal highway program was signed into law by President Woodrow Wilson on July 11, 1916. This launched the partnership between the federal and state governments which became known as the Federal-aid Highway Program. It was endorsed by the American Association of State Highway Officials (AASHTO), which had been formed in December 1914, by the various state transportation officials in an effort to coordinate transportation. FHWA was created on October 15, 1966, and in 1967 the functions of the Bureau of Public Roads were transferred to FHWA. The Office of Road Inquiry was the first predecessor to FHWA formed October 3, 1893. The name of the Office of Road Inquiry was changed to the Office of Public Roads in 1918.

FHWA provides grants to states through the Federal-Aid Highway Program, which provides federal financial assistance to the states to construct and improve the National Highway System, urban and rural roads, and bridges. Programs include:

Highway Planning and Construction

Highway Research and Development

Highway Training and Education

Recreation Trails Program

Transportation Infrastructure Finance and Innovation Act (TIFIA)

Fuel Tax Evasion – Intergovernmental Enforcement Effort

Federal Lands Highway

Through its various programs, FHWA provides funds for general improvements and development of safe highways and roads. The main revenue source for these grants is the Federal Motor Fuel Tax. USDOT provides support to the state highway system by providing financial assistance for the construction, maintenance, and operation of the nation’s 3.9 million-mile highway network, including the interstate highway system, primary highways, and secondary local roads. The program is administered by FHWA in cooperation with state and local governments. Local governments or local public agencies (LPAs) are the country’s cities, towns, and other municipal forms of government that operate about 75%, or 2.9 million miles, of the nation’s roadways.

The first major federal road program was established pursuant to the Federal Aid Road Act of 1916. Funding to state highway agencies was apportioned by a formula based upon land area, population, and road miles. The Federal Aid Highway Act of 1956 provided for the development of the interstate highway system, which is now known as the Eisenhower Interstate System after President Eisenhower, who pushed for its enactment. President Eisenhower’s support for the interstate system was based largely upon civilian needs to support economic development, improved highway safety, and congestion relief, as well as reduction of motor vehicle-related lawsuits. He also understood the military value of the interstate system, as well as its use in evacuations. It has made travel between the states more efficient, economical, safe, and timely. That is why, since its inception, it has been considered a vital national interest.
Federal-aid highway program funds are provided to assist STAs in the planning and development of an integrated, interconnected transportation system important to interstate commerce and travel by constructing and rehabilitating the National Highway System (NHS), including the Eisenhower Interstate System; and for transportation improvements to many other public roads. Funds may be used for:

Providing aid for the repair of Federal-aid highways following disasters

Fostering safe highway design

Replacing or rehabilitating deficient or obsolete bridges

Environmental studies

Engineering and design services

Right-of-way acquisition and relocation assistance, and construction for capital improvement projects classified as new construction

Reconstruction

Restoration

Rehabilitation and resurfacing, or for functional, geometric, or safety reasons

Planning; research, development, and technology transfer

Intelligent transportation systems projects


Roadside beautification

Wetland and natural habitat mitigation

Traffic management and control improvements

Improvements necessary to accommodate other transportation modes

Development and establishment of transportation management systems

Billboard removal

Construction of bicycle facilities and pedestrian walkways

Fringe and corridor parking

Car pool and van pool projects

Transportation alternatives and enhancements such as scenic and historic highway improvements and recreational trails

Other special purposes regarding transportation

Funds generally cannot be used for routine highway operational activities, such as police patrols, mowing, snow plowing, or maintenance, unless it is preventive maintenance. In addition, funds authorized for the National Highway Performance Program (NHPP), Surface Transportation Program (STP), Congestion Mitigation and Air Quality (CMAQ) Improvement Program, and some additional programs may be used for mass transportation improvements. CMAQ funds are limited to projects and programs in air quality non-attainment and maintenance areas for ozone, carbon monoxide, and small particulate matter that reduce transportation-related emissions, though provision is made for states without air quality issues. Eligibility criteria for the programs differ, so program guidance should be consulted. Projects in urban areas of 50,000 or more population must be based on a transportation planning process carried out by a metropolitan planning organization (MPO) in cooperation with the state and transit operators, and the projects must be included in metropolitan transportation plans and improvement programs. Projects in non-metropolitan areas of a state must be consistent with a statewide transportation plan. Projects in both metropolitan and non-metropolitan areas must also be included in a fiscally constrained Statewide Transportation Improvement Program (STIP) developed as part of the required statewide transportation planning process. The FHWA and the Federal Transit Administration (FTA) must approve the STIP jointly. Program requirements and restrictions are contained in Title 23 of the United States Code. There are discretionary funds remaining from previous authorizations, which may remain available until expended.

6.5—FEDERAL MOTOR CARRIER SAFETY ADMINISTRATION http://www.fmcsa.dot.gov/

The Federal Motor Carrier Safety Administration (FMCSA) was established within the Department of Transportation on January 1, 2000, pursuant to the Motor Carrier Safety Improvement Act of 1999, which was effective December 9, 1999. The FMCSA's primary mission is to prevent commercial motor vehicle-related fatalities and injuries. To accomplish this mission, the Administration works with federal, state, and local agencies, the motor carrier industry, and labor safety interest groups. FMCSA activities contribute to:

Ensuring safety in motor carrier operations through strong enforcement of safety regulations, targeting high-risk carriers and commercial motor vehicle drivers.

Improving safety information systems and commercial motor vehicle technologies, strengthening commercial motor vehicle equipment and operating standards.

Increasing safety awareness.

Funding for the activities of the various states for this program is provided through the National Motor Carrier Safety program grants which include the following:

Commercial Motor Carrier Inspections

Performance and Registration Information Systems Management

Commercial Driver’s License Program Improvement Grant

Border Enforcement Grants

Safety Data Improvement Program

Commercial Motor Vehicle Operator Training Grants

Commercial Vehicle Information Systems and Network

Commercial Driver’s License Information System (CDLIS) Modernization Grant

Motor Carrier Research and Technology Programs

6.6—FEDERAL RAILROAD ADMINISTRATION http://www.fra.dot.gov/Page/P0001

The Federal Railroad Administration (FRA) promotes safe and environmentally sound rail transportation. With the responsibility of ensuring railroad safety throughout the nation, the FRA employs safety inspectors to monitor railroad compliance with federally mandated safety standards including track maintenance, inspection standards, and operating practices. The FRA conducts research and development tests to evaluate projects in support of its safety mission and to enhance the railroad system as a national transportation resource. Public education campaigns on highway-rail grade crossing safety and the danger of trespassing on rail property are also administered by FRA.

The FRA was created by the Department of Transportation Act of 1966. A series of bankruptcies and consolidations left the rail system in the hands of a few large operations by the 1980s. Almost all long-distance passenger traffic was shifted to Amtrak, which was formed during President Nixon’s administration in 1971 when Congress passed the Rail Passenger Service Act of 1970. This legislation established the National Railroad Passenger Corporation to take over the intercity passenger rail service that had been operated by private railroads. Amtrak began service on May 1, 1971, serving 43 states with a total of 21 routes. This greatly relieved the railroads from the burden of supplying the less profitable passenger rail service.

FRA supports passenger and freight railroading through a variety of competitive grants and dedicated grant and loan programs to develop safety improvements, relieve congestion, and encourage the expansion and upgrade of passenger and freight rail infrastructure and services. FRA also provides training and technical assistance to grantees and stakeholders. The FRA provides grants primarily through states for the development of rail transportation through various programs including:

Railroad safety

Railroad research and development

Railroad development

National Railroad Passenger Corporation grants

Railroad Rehabilitation and Improvement Financing Program

Capital assistance to States-Intercity Passenger Rail Service

Maglev Project Selection Program

High-speed rail corridors and intercity passenger rail service capital assistance grants

Rail line relocation and improvement and railroad safety technology grants

6.7—FEDERAL TRANSIT ADMINISTRATION http://www.fta.dot.gov/

The Federal Transit Administration (FTA) assists development of improved mass transportation systems for cities and communities nationwide. The responsibilities of the FTA were originally handled by the Department of Housing and Urban Development (HUD). President Lyndon Johnson transferred most of HUD's responsibility for mass transit to the USDOT, effective July 1, 1968. Through its grant programs, delivered primarily through STAs, FTA helps plan, build, and operate transit systems with convenience, cost, and accessibility in mind. While buses and rail vehicles are the most common types of public transportation, other kinds include commuter ferryboats, trolleys, inclined railways, subways, and people movers. In providing financial, technical, and planning assistance, the agency provides leadership and resources for safe and technologically advanced local transit systems while assisting in the development of local and regional traffic reduction. Funds may be used for capital projects to finance the planning, acquisition, construction, cost-effective lease, improvement, and maintenance of equipment and facilities for use in transit for both urban and non-urban areas, and to assist in the development of transportation improvement programs, long-range transportation plans, and other technical studies in metropolitan areas. Activities include:

Preparation of transportation plans including transportation improvement programs and management systems

Studies related to transportation management

Operations, capital requirements, and economic feasibility

Evaluation of previously funded capital projects

Other related activities in preparation for the construction, acquisition, or improved operation of transportation systems, facilities, and equipment

The FTA's research program seeks to deliver solutions that improve public transportation. Its primary goals are to increase transit ridership, improve safety and emergency preparedness, improve operating efficiencies, protect the environment, promote energy independence, and provide transit research leadership. To accomplish this, FTA funds research on:

Mobility management

Transit operational efficiency

Safety and emergency preparedness

Transit capacity building

Energy independence and environmental protection

Infrastructure and equipment protection and innovation

Strategic research program planning

Funds may be used to assist in the development of cost-effective multimodal transportation improvement programs, which include the planning, engineering, and designing of federal transit projects, and other technical studies in a program for a unified and officially coordinated statewide transportation system. The FTA maintains the National Transit Library (NTL), a repository of reports, documents, and data generated by professionals and others from around the country. The NTL is designed to facilitate document sharing among people interested in transit and transit-related topics.

6.8—MARITIME ADMINISTRATION http://www.marad.dot.gov/

The Maritime Administration (MARAD) promotes development and maintenance of an adequate, well-balanced United States merchant marine, sufficient to carry the nation's domestic waterborne commerce and a substantial portion of its waterborne foreign commerce, and capable of serving as a naval and military auxiliary in time of war or national emergency. MARAD also seeks to ensure that the United States enjoys adequate shipbuilding and repair service, efficient ports, effective intermodal water and land transportation systems, and reserve shipping capacity in time of national emergency. President Harry S. Truman established MARAD in 1950 under his Reorganization Plan No. 21. However, MARAD traces its origins to the Shipping Act of 1916, which established the U.S. Shipping Board.

The Marine Highway Program does not develop or operate marine highway services. The private sector or state/local governments develop and operate marine highway services. The program was designed to reduce landside congestion by integrating the commercially operated marine highway services into the nation's surface transportation system. Once integrated, these marine highway services connect seamlessly with all modes of transportation for freight and passengers, thus providing a convenient transportation alternative alongside congested landside transportation corridors. America's marine highways are navigable waterways that have been designated by the Secretary of Transportation and have demonstrated the ability to provide additional capacity to relieve congested landside routes serving freight and passenger movement. Each marine highway has a corridor designation that reflects the congested landside route it parallels. For example, M-95 stretches from Maine to Florida and is the designation for the shipping lane along the Atlantic Coast paralleling interstate highway I-95.

6.9—NATIONAL HIGHWAY TRAFFIC SAFETY ADMINISTRATION http://www.nhtsa.gov/

The National Highway Traffic Safety Administration (NHTSA) is responsible for reducing deaths, injuries and economic losses resulting from motor vehicle crashes. NHTSA sets and enforces safety performance standards for motor vehicles and equipment, and through grants to state and local governments, enables them to conduct effective local highway safety programs. In 1970, the Highway Safety Act authorized the establishment of NHTSA. Although the law added somewhat to USDOT’s safety mission, the FHWA originally had handled most of the functions that NHTSA assumed. Besides establishing another operating administration and adding to the secretary's span of control and coordination workload, the Highway Safety Act separated highway administration into two parts:

1. Design, construction, and maintenance

2. Highway and automobile safety

Under the oversight of NHTSA, formula grant funds may be used for problems identified within the nine national priority program areas of:

1. Alcohol and other drug countermeasures

2. Police traffic services

3. Occupant protection

4. Traffic records

5. Emergency medical services

6. Motorcycle safety

7. Pedestrian/bicycle safety

8. Speed control

9. Roadway safety

Other program areas identified by a state as constituting a highway safety problem in that state may be eligible for federal funding if they encompass a major highway safety problem in that state and the state has identified effective countermeasures. One such example that has received federal funding is pupil transportation safety programs. The law provides that at least 40 percent of these federal funds apportioned to a state for any fiscal year will be expended by the political subdivisions of such state. NHTSA is responsible for the following:

Investigating safety defects in motor vehicles

Setting and enforcing fuel economy standards

Helping states and local communities reduce the threat of drunk drivers

Promoting the use of safety belts, child safety seats and airbags

Investigating odometer fraud

Establishing and enforcing vehicle antitheft regulations

Providing consumer information on motor vehicle safety topics

Researching driver behavior and traffic safety to develop the most efficient and effective means of bringing about safety improvements

Maintaining a toll-free Auto Safety Hotline, which furnishes consumers with a wide range of auto safety information. Callers also can help identify safety problems in motor vehicles, tires and automotive equipment such as child safety seats.

6.10—OFFICE OF INSPECTOR GENERAL https://www.ignet.gov/sites

On October 12, 1978, the Inspector General (IG) Act established twelve federal Offices of Inspector General (OIG), including the Department of Transportation OIG. The Act passed the House of Representatives by a vote of 388 to 6 and was later approved by the Senate by unanimous consent. Two OIGs had previously been established, one in 1976 and another the following year. President Jimmy Carter signed the IG Act into law and described the new statutory IGs as "perhaps the most important new tools in the fight against fraud." The President charged the IGs to always remember that their ultimate responsibility is not to any individual but to the public interest. The OIG is committed to fulfilling its statutory responsibilities and supporting members of Congress, the Secretary, senior department officials, and the public in achieving a safe, efficient, and effective transportation system. It builds on its long-standing record as a highly respected contributor to the department's mission. The OIG is USDOT's sole in-house source for objective examination of its programs and their integrity. Its core values and audit and investigative expertise ensure it remains highly responsive to the needs of the Secretary, Congress, and the American people. Its mission is to protect USDOT programs from fraud, waste, abuse, and violations of law and to promote the effectiveness of USDOT's programs. It accomplishes this through audits and investigations. The OIG also consults with Congress about programs in progress and proposed new laws and regulations.

The Inspector General Act of 1978 gives the Office of Inspector General autonomy to do its work without interference. The Inspector General is chosen by the President; this choice is based not on political affiliation but rather on integrity and ability. IG candidates can show accomplishment in several fields, including accounting, auditing, law, financial or management analysis, public administration or investigations. Inspector General appointees are subject to Senate confirmation. Only the President has the power to remove an inspector general and the reasons for doing so must be communicated to Congress.

The Inspector General Act of 1978 prevents officials in the scrutinized agency from interfering with audits or investigations; it also requires the IG to keep the Secretary of Transportation and Congress informed of findings. However, much of OIG's most significant work is accomplished with the cooperation of the officials whose programs are being reviewed.

6.11—PIPELINE AND HAZARDOUS MATERIALS SAFETY ADMINISTRATION http://www.phmsa.dot.gov/

The Pipeline and Hazardous Materials Safety Administration (PHMSA) oversees the safety of more than 800,000 daily shipments of hazardous materials in the United States and 64 percent of the nation's energy that is transported by pipelines. PHMSA is dedicated solely to safety by working toward the elimination of transportation-related deaths and injuries in hazardous materials and pipeline transportation, and by promoting transportation solutions that enhance communities and protect the natural environment. PHMSA was created within the USDOT under the Norman Y. Mineta Research and Special Programs Improvement Act of 2004. The purpose of the act was to provide the U.S. Department of Transportation with a more focused research organization and to establish a separate operating administration for pipeline safety and hazardous materials transportation safety operations.

PHMSA is authorized to reimburse a state agency for up to 80 percent of the agency's actual cost of carrying out its pipeline safety program, including the cost of personnel and equipment. The actual amount of federal reimbursement depends upon the availability of appropriated funds and the state's pipeline safety program's performance. A state agency's program performance is based on PHMSA's annual Program Evaluation and Progress Report scoring of each state agency. The Program Evaluation includes an on-site review of the state's inspection, compliance, accident investigation, training, and excavation damage prevention records and activities. The Progress Report scoring gives consideration to the state's extent of safety authority over pipeline operators, inspector qualifications, inspection days accomplished, adoption of maximum civil penalty amounts, progress adopting amendments to federal regulations, adoption of one-call requirements, and attendance at the National Association of Pipeline Safety Representatives meetings. PHMSA also provides federal grant funding in support of preventing excavation damage to underground facilities, which is a leading cause of pipeline incidents. Programs include:

State pipeline safety program base grants

Technical assistance grants

State damage prevention grants

PHMSA pipeline safety program One Call Grant

PHMSA pipeline safety research and development

6.12—RESEARCH AND INNOVATIVE TECHNOLOGY ADMINISTRATION http://www.rita.dot.gov/

The Research & Innovative Technology Administration (RITA) is an agency whose mission is to identify and facilitate solutions to the challenges and opportunities facing America's transportation system. RITA's focus is to promote transportation research that will foster the use of innovative technology. RITA includes the Volpe National Transportation Systems Center, an organization dedicated to enhancing the effectiveness, efficiency, and responsiveness of other federal organizations with critical transportation-related functions and missions. RITA was created in 2005 to advance transportation science, technology, and analysis, and to improve the coordination of transportation research within the Department and throughout the transportation community. With responsibility for research policy and technology sharing, the agency partners with national and international organizations and universities. RITA also includes the Bureau of Transportation Statistics, the Transportation Safety Institute, and the University Transportation Centers program. RITA performs four basic functions:

1. Coordinates the USDOT's research and education programs

2. Shares advanced technologies with the transportation system

3. Offers transportation statistics and analysis for decision-making

4. Supports national efforts to improve education and training in transportation-related fields

6.13—SAINT LAWRENCE SEAWAY DEVELOPMENT CORPORATION http://www.seaway.dot.gov/

The Saint Lawrence Seaway Development Corporation (SLSDC) operates and maintains a safe, reliable and efficient waterway for commercial and noncommercial vessels between the Great Lakes and the Atlantic Ocean. The SLSDC is a wholly owned government corporation created by statute May 13, 1954, to construct, operate, and maintain that part of the St. Lawrence Seaway between the Port of Montreal and Lake Erie, within the territorial limits of the United States. Trade development functions aim to enhance Great Lakes/St. Lawrence Seaway System utilization without respect to territorial or geographic limits. The SLSDC, in tandem with the Saint Lawrence Seaway Authority of Canada, oversees operations safety, vessel inspections, traffic control, and navigation aids on the Great Lakes and the Saint Lawrence Seaway. SLSDC works to develop trade opportunities to benefit port communities, shippers and receivers, and related industries in the area to provide economic development of the Great Lakes Region.

The mission of the Corporation is to serve the U.S. intermodal and international transportation system by improving the operation and maintenance of a safe, reliable, efficient, and environmentally responsible deep-draft waterway, in cooperation with its Canadian counterpart. The SLSDC also encourages the development of trade through the Great Lakes Seaway System, which contributes to the comprehensive economic and environmental development of the entire Great Lakes region.

6.14—SURFACE TRANSPORTATION BOARD http://www.stb.dot.gov/stb/index.html

The Surface Transportation Board (STB) is an independent, bipartisan adjudicatory body organizationally housed within the USDOT. STB was created pursuant to the ICC Termination Act of 1995 and is the successor agency to the Interstate Commerce Commission. The STB is an economic regulatory agency that Congress has charged with resolving railroad rate and service disputes and reviewing proposed railroad mergers. Although it is administratively affiliated with USDOT, it is required to maintain its independence in its decisions. The agency has jurisdiction over railroad rate and service issues; rail restructuring transactions, such as mergers, line sales, line construction, and line abandonments; certain trucking companies; moving vans; non-contiguous ocean shipping rates; certain intercity passenger bus company structure, financial and operational matters; and rates and services of pipelines not regulated by the Federal Energy Regulatory Commission.

It is responsible for the economic regulation of interstate surface transportation, primarily railroads, within the United States. The STB's mission is to ensure that competitive, efficient, and safe transportation services are provided to meet the needs of shippers, receivers, and consumers. The Board is charged with promoting, where appropriate, substantive and procedural regulatory reform in the economic regulation of surface transportation, and with providing an efficient and effective forum for the resolution of disputes.

The Board continues to strive to develop, through rulemakings and case disposition, new and better ways to analyze unique and complex problems, to reach fully justified decisions more quickly, to reduce the costs associated with regulatory oversight, and to encourage private-sector negotiations and resolutions to problems where appropriate.

Chapter 7 – Stewardship, Oversight, Laws, and Regulations

7.1—STEWARDSHIP AND OVERSIGHT AGREEMENT BETWEEN THE FEDERAL HIGHWAY ADMINISTRATION AND STATE TRANSPORTATION AGENCIES

The Secretary of the United States Department of Transportation (USDOT) has delegated to the Administrator of the Federal Highway Administration (FHWA) the responsibility of administering the Federal-aid highway program (FAHP) under Title 23 and other associated laws. In addition, Title 23 allows states to assume the Secretary's responsibilities in the design, construction, award, and inspection of certain federal-aid projects. Section 106 of Title 23, United States Code (USC), requires that the FHWA and STA enter into a stewardship and oversight agreement documenting the extent to which the STA assumes the responsibilities of the Secretary (and by delegation, FHWA) under Title 23, and where FHWA retains responsibilities. The purpose of the Stewardship/Oversight (S&O) Agreement is to formalize the roles and responsibilities of the FHWA division offices and each STA, to address how the FAHP will be administered in the STA, and to delineate a comprehensive FHWA and individual STA approach to FAHP stewardship and oversight.

The Moving Ahead for Progress in the 21st Century Act (MAP-21) was signed into law on July 6, 2012. While this legislation still allowed states to assume the responsibilities previously delegated, MAP-21 further defined the requirements of stewardship and oversight responsibilities, including the need to have a stronger data-driven performance element and a more formal application of risk management principles.

FHWA revised the guidance regarding S&O on March 28, 2014. The intent of the revisions was to provide a consistent approach to developing future agreements with STAs, and to clarify distinctions with FHWA’s risk-based, data-driven stewardship and oversight framework. This revised guidance supersedes all previous guidance on this topic, and is available at:

https://www.fhwa.dot.gov/federalaid/stewardship/150504podi.pdf

Section 106 of Title 23, United States Code, requires the FHWA and each STA to enter into an agreement documenting the extent to which the state will assume specific responsibilities under Title 23. The S&O Agreement formalizes these assumed responsibilities to address how the FAHP will be administered in each state. Rather than specifying mandatory procedures, the guidance outlines the basic S&O concepts and approaches that FHWA division offices should follow.

Section 1503 of MAP-21 contains changes to the requirements for oversight and approval of Federal-aid projects. Specifically, Section 106 eliminated the provision prohibiting states from assuming responsibilities for new construction and reconstruction projects on the Interstate System exceeding $1 million in cost. In addition, MAP-21 prohibits STAs from assuming responsibility for projects determined by FHWA to be high risk. The S&O Agreement Guidance implements these changes.

A significant change in FHWA's project-level S&O of the FAHP is the transition from "full oversight" of projects to oversight activities primarily focused on areas of higher risk and opportunity. The FHWA's use of a risk-based approach for project S&O is intended to optimize the successful delivery of projects and to assure compliance with federal requirements.

Risk-based project S&O has three main components:

1. Required project approval actions

2. Data-driven compliance assurance, i.e., the FHWA’s national Compliance Assessment Program (CAP)

3. Risk-based S&O of Projects of Division Interest and Projects of Corporate Interest

This S&O Agreement Guidance also implements a process for conducting legal reviews of these agreements by the FHWA Office of Chief Counsel before they are signed by the STAs and FHWA division offices. Upon completion of the legal review, FHWA division administrators are authorized to execute and sign S&O Agreements with their respective STA.

The Project Action Responsibility Matrix (an attachment to the guidance) is the cornerstone of the S&O Agreement for assumptions of project-level responsibilities. Deviations from this matrix must be consistent with specific responsibilities that 23 U.S.C. 106 allows the STAs to assume from the FHWA. The S&O Agreement may include S&O indicators as agreed to by the STAs and FHWA divisions to help in managing the FAHP. See Federal Rules for specific requirements regarding performance measures that are a requirement of MAP-21. These rules pertain to the Highway Safety Improvement Program (HSIP), statewide and metropolitan and non-metropolitan planning regulations, pavement, bridges, asset management, system performance, congestion, emissions, freight, and public transportation.

7.2—HIERARCHY

There is a hierarchy of law that all STAs must understand and follow. The United States Code (U.S.C.) is the codification by subject matter of the general and permanent laws of the United States as passed by Congress and is specific to each federal agency. The U.S.C. is further detailed in specific statutes such as the Safe, Accountable, Flexible, Efficient Transportation Equity Act: A Legacy for Users (SAFETEA-LU) or the Moving Ahead for Progress in the 21st Century Act (MAP-21). The Code of Federal Regulations (CFR) contains the programmatic and administrative requirements created by individual federal agencies as an interpretation and clarification of the U.S.C. In addition to the U.S.C. and CFR, individual federal agencies also issue guidance to further explain how to carry out statutes and federal regulations.

The specific regulatory information pertaining to transportation programs is listed below.

49 United States Code, Transportation (49 U.S.C.)

23 United States Code, Highways (23 U.S.C.)

7.3—FEDERAL REQUIREMENTS (2 CFR 200)

(a) Administrative requirements. Subparts B through D of 2 CFR 200 set forth the uniform administrative requirements for grant and cooperative agreements, including the requirements for Federal awarding agency management of Federal grant programs before the Federal award has been made, and the requirements Federal awarding agencies may impose on non-Federal entities in the Federal award.

(b) Cost Principles. Subpart E—Cost Principles of 2 CFR 200 establishes principles for determining the allowable costs incurred by non-Federal entities under Federal awards. The principles are for the purpose of cost determination and are not intended to identify the circumstances or dictate the extent of Federal government participation in the financing of a particular program or project. The principles are designed to provide that Federal awards bear their fair share of cost recognized under these principles except where restricted or prohibited by statute.

(c) Single Audit Requirements and Audit Follow-up. Subpart F—Audit Requirements of 2 CFR 200 is issued pursuant to the Single Audit Act Amendments of 1996 (31 U.S.C. 7501-7507). It sets forth standards for obtaining consistency and uniformity among Federal agencies for the audit of non-Federal entities expending Federal awards. These provisions also provide the policies and procedures for Federal awarding agencies and pass-through entities when using the results of these audits. The Compliance Supplement is contained in 2 CFR 200 Subpart F, Appendix XI. The link for the electronic version of the Code of Federal Regulations is as follows:

http://www.ecfr.gov/cgi-bin/retrieveECFR?gp=1&SID=ab3a2671992eacd9725f23b8fce9ab6c&ty=HTML&h=L&r=SUBPART&n=2y1.1.2.2.1.6

7.4—AUDIT REQUIREMENTS

The Code of Federal Regulations 2 CFR 200 sets forth standards for obtaining consistency and uniformity among federal agencies for the audit of states, local governments, and non-profit organizations expending federal awards. Currently, if an entity receives $750,000 or more in total federal funding during a fiscal year, the entity is required to obtain an audit of federal expenditures from a qualified Certified Public Accountant (CPA). STAs are responsible for monitoring those entities to which they have passed federal funds. STA staff are responsible for monitoring any audit findings for resolution. The area and staff assigned this responsibility vary by STA.

Figure (diagram of the hierarchy of law from the original page): FEDERAL LAW: US Code, 49 and 23 USC; Code of Federal Regulations 49 and 23 CFR; Federal Agency Guidance. STATE LAW.

7.5—CATALOG OF FEDERAL DOMESTIC ASSISTANCE

The Catalog of Federal Domestic Assistance (CFDA) contains detailed program descriptions for federal assistance programs, including type of assistance offered, the agency offering the assistance, contact information, and eligibility criteria.

7.6—STATE LAW

Each state has its own set of laws passed by the state legislature. These codes of law provide the legal authority to a state agency or department (for example an STA) to plan, design, operate, construct and maintain public roads and other transportation modes. States may also pass legislation on special transportation initiatives, public-private partnerships, tolls, oversize vehicle permits, outdoor advertising, highway enhancement, and other transportation programs. Some state laws implement federal law and can generally be more restrictive than federal law, such as contractor prompt payment laws. STAs may be authorized to waive certain provisions of state law when inconsistent with federal requirements, such as congressional district balancing requirements. Other state laws exist for activities not federally mandated, such as contractor prequalification or audit requirements. State laws typically establish governance of STAs, state employee codes of conduct, and rules for various administrative operations within STAs. In addition to codes of law, some states have rules and regulations promulgated directly from the STA which provide further governance of transportation matters, such as outdoor advertising, contractor prequalification, design-build contracting, and grant programs.

Chapter 8 – Transportation Innovative Financing and Construction Delivery Methods

INNOVATIVE FINANCING

Innovative financing provides options during challenging economic times by offering alternatives to overcome the constraints of limited resources. Financial innovations can increase the ability of STAs to deliver transportation projects by accelerating construction, reducing costs, and providing the revenues required to deliver projects.

We have briefly covered the more popular innovative financing methods below to provide internal auditors with a basic awareness of these methods utilized by STAs to meet the transportation needs of their states. Any of the methods that are utilized by an STA may be included as part of an internal audit to ensure compliance with the applicable requirements. For further information and a discussion of other innovative financing methods, visit the U.S. Department of Transportation Federal Highway Administration (FHWA), Innovative Program Delivery website at:

www.fhwa.dot.gov/ipd.

8.1—GRANT ANTICIPATION REVENUE VEHICLE (GARVEE)

GARVEE debt financing provides up-front capital for major highway projects. U.S. Code Title 23, Section 122 allows the use of future federal funds to repay the debt and related financing costs. This allows projects to be constructed sooner and at less cost due to inflation savings. The public realizes safety and economic benefits and costs are spread over the useful life of the project.

8.2—TRANSPORTATION INFRASTRUCTURE FINANCE AND INNOVATION ACT (TIFIA)

The TIFIA program provides federal credit assistance through direct loans, loan guarantees, and standby lines of credit for surface transportation projects of national and regional significance. TIFIA credit assistance provides access to capital markets, flexible repayment schedules, and more favorable interest rates than private capital markets can offer.

8.3—SECTION 129 LOANS (23 U.S.C. 129(a)(7))

An STA may fund loans to a public or private entity to construct a toll or non-toll project that has a dedicated revenue source up to an amount equal to the federal share of the project. Dedicated revenue sources may include tolls, excise taxes, sales taxes, motor vehicle use fees, tax on real property, and tax increment financing.

8.4—TAX INCREMENT FINANCING (TIF)

TIF is a mechanism allocating any increase in total property tax revenues toward public investment within a designated district. All or a portion of the increase can be dedicated to repaying the debt incurred in building the transportation improvement.

8.5—PRIVATE ACTIVITY BONDS (PABs)

PABs are debt instruments that may be issued by STAs and used to construct projects with significant private involvement. To increase private sector investment in transportation infrastructure, the federal government has provided access to these tax-exempt bonds. State projects receiving a PAB allocation must also receive assistance under U.S.C. Title 23 or Title 49. These bonds are limited to $15 billion and are allocated by the Secretary of Transportation to qualified projects.

8.6—PUBLIC-PRIVATE PARTNERSHIPS (P3s)

P3s are contractual agreements between a public agency and a private entity in which the private entity takes on more risk than under traditional project agreements. The private entity may participate in design, finance, operations, and maintenance, increasing the level of risk accepted. P3s are actually a procurement option and not a revenue source. P3s may increase financing capacity and reduce costs; however, a revenue source still needs to be identified for the project. Under a P3, a private entity may operate a facility over a specified term in exchange for annual payments. The entity may receive the right to collect toll revenues from the project, or other similar arrangements may be identified.

INNOVATIVE CONSTRUCTION DELIVERY METHODS

Innovative construction delivery methods help to provide efficiency and a smooth, effective transition from design to construction. Two such methods are described below.

8.7—DESIGN-BUILD (DB)

DB is a project delivery method in which one entity assumes responsibility for the design and construction of a project under one contract. The DB team may be composed of a single firm, a consortium, or a joint venture. This method provides collaboration and coordination between the designer and the contractor, thus enabling early intervention to address project complexities, advance project delivery, reduce costs, and enhance quality. Coordination of the design and construction processes results in time savings due to improved communication. Typically, a two-step selection process is used. The first step is a qualifications-based selection using a Request for Qualifications (RFQ). Best value is then determined based upon the short-listed firms’ technical expertise and price components using a Request for Proposals (RFP). Please refer to 23 CFR 636 for the regulations covering DB.

8.8—CONSTRUCTION MANAGER/GENERAL CONTRACTOR (CMGC)

The CMGC project delivery method is divided into two contract phases:

1. During the design phase, the project owner hires a contractor who acts as a consultant to provide feedback to the design team, identify risks, provide cost projections, and refine the project schedule while design is being completed.

2. In phase two, the contractor and project owner negotiate the price of the construction contract. Once agreed upon, the construction phase begins. The benefits of CMGC include reduced costs, schedule risk, and change orders, as well as improved design quality, as the contractor’s knowledge and experience are utilized up front. The CMGC process facilitates value engineering by allowing the contractor to provide cost estimates for all designs and alternatives during the design phase.

Chapter 9 – General Audit Programs

The following audit program is a shell to help internal auditors develop their procedures when performing an engagement. Audit programs need to be tailored to the auditing standards and the engagement type being performed, since requirements differ by type of engagement. Auditors can also use practice aids to assist in developing specific audit steps. For program- or activity-specific suggested audit objectives and steps, see the separate Practice Aids available on the AASHTO Internal/External Audit website, listed under the Internal Audit section. Each Practice Aid provides background information to help the internal auditor gain a general understanding of the area, along with suggested audit objectives and steps that an auditor might cover during an audit.

9.1—AUDIT PROGRAM PURPOSE AND SCOPE

This program has the following major objectives:

Understanding the organizations’ operations

Understanding the preliminary analytical procedures

Identifying relevant risk factors

Identifying significant compliance requirements

Documenting the internal control assessment

9.2—PHASES

A. Preliminary Survey (Planning) Phase

01. Send an Engagement Letter to the stakeholder(s).

02. Hold a team brainstorming meeting, including IT and Fraud employees when discussing IT issues and fraud, waste, and abuse.

03. Conflict of Interest or Objectivity Impairment for Auditors.

04. Review previous (internal and external) State and Federal Audit and Review Reports. Document findings in those reports for appropriate follow-up. Identify reported weaknesses that have not been corrected.

05. Review background material to become familiar with the activities of the organization. Examples are:
    • Legislative rules
    • Administrative code
    • State policies and procedures
    • Entity rules and regulations
    • Entity manuals
    • Federal highway regulations
    • Traffic control regulations
    • Internal or external peer review reports
    • Industry standards
    • Industry best practices
    • Mission, vision, and goals

06. Obtain current organization chart.

07. Conflicts of Interest reported to the organization by process owners and staff of areas under audit.

08. Interview(s), surveys, and face-to-face meetings with organization personnel. Discuss the entity’s activities, any changes in the policies and procedures, employee turnover rate, and general internal controls environment (performance goals, tracking/exception reporting, known issues, etc.).

09. Ask management if they are aware of any fraud, waste, or abuse.

10. Obtain policies and procedures related to the major functions of the organization. Note any changes in rules, regulations, or laws since the last audit.

11. Prepare and send surveys or questionnaires to the entity’s customers.

12. Gain an understanding of key business processes. Document systems through a process map (flow chart) and/or narrative. Identify any potential control gaps and/or weaknesses, including the opportunity cost of having too many controls.

13. Document your data analysis of the organization’s operations, including the following:
    • Management and organization
    • Factors affecting the organization
    • Internal factors affecting the organization
    • Accounting policies and issues
    • Electronic data processing systems used in carrying out functions and activities
    • Strategic alignment
    • Control design
    • Identified themes
    • General and definable risk areas
    • Internal environment / fraud risks
    • Documentation reviewed
    • Control design evaluation assessment (see appendix C)
    • Risk assessment summary
    • In scope and out of scope areas

14. Validate the original objective(s) or refine your objective(s).

15. Present your scope to the CAE and receive approval to move forward. Coordinate with General Counsel, depending on audit focus and potential for litigation.

16. Develop a program step for each area of your scope that has compliance requirements. Summarize the requirements for testing and evaluating controls over compliance.

17. Develop specific audit procedures and sampling plans for audit objectives (see the individual practice aid for Items of Consideration).

18. Get the work program approved.

19. Schedule and hold an entrance conference with report owners or key stakeholders as appropriate.

B. Execution (Fieldwork) Phase

01. Complete audit tests and write up management comments / findings and observations identified during testing. Work papers should include, at a minimum, a purpose, source, procedures performed/results, and conclusion. (Refer to applicable practice aid for specific objectives and steps.)

02. Hold weekly audit team status meetings to confirm project status and deliverables and prepare for weekly status meetings with entity management.

03. Provide continuous communication (weekly status meetings) with entity management on any issues encountered, along with audit observations and possible recommendations.

04. Work with entity management to address risks identified in the findings. To assist with this process, the audit team may issue Potential Audit Findings to management for their review of potential issues in advance of the issuance of the Draft Report.

05. Prepare draft audit report, including findings, management responses/action plans, and audit engagement opinion, as applicable.

C. Closing (Reporting) Phase

01. Ensure all work papers are reviewed and approved. Prepare a draft audit report and have audit management review.

02. Hold exit conference with entity to discuss draft audit report. Revise as necessary and have audit management perform a final review.

03. After audit management approves the draft report, send the approved draft report to General Counsel (if policy requires) and the audit report owners/stakeholders, as applicable.

04. After concurrence and/or resolution of the returned comments, issue the final audit report.

05. Complete final working paper sign-offs.

06. Complete team performance evaluations, as related to engagement performance.

07. Track Management Action Plans and establish follow-up engagements to confirm remediation of risks.

08. Complete internal quality assessment of the audit working papers.

9.3—ATTESTATION PROGRAM PURPOSE AND SCOPE

The purpose of the following attestation program is to develop a general program for conducting GAGAS attestation engagements. It covers steps applicable to all three types of attestations: examinations, reviews, and agreed-upon procedures. These engagements are narrower in scope than full audits. This program has the following major objectives:

Determine the appropriate type of attestation and scope

Understand the program or subject area under engagement

Identify risk elements

Identify significant compliance requirements

Identify significant reporting requirements

Program steps are based on the AICPA Statements on Standards for Attestation Engagements (SSAE) and the Generally Accepted Government Auditing Standards (GAGAS) promulgated by the Government Accountability Office (GAO). This program may be used for examination, review, or agreed-upon procedure attestation engagements, as stated above.

A. Preplan the Attest Engagement

1. Determine whether the attest engagement will be an examination, review, or agreed-upon procedure. (Refer to the comparison chart of examination, review, and agreed-upon procedure attestation engagements at the end of this program.)

2. In determining the assignment, consider the following:
    • Does the auditor have sufficient technical training and proficiency to perform the engagement?
    • Does the auditor have adequate knowledge of the subject matter?
    • Are there criteria suitable and available to evaluate the subject matter?
    • Is the auditor independent in both mind and appearance?
    • Is the auditor able to exercise due professional care in planning and performing the engagement and in the preparation of the report?

B. Plan the Attest Engagement

1. Maintain a timesheet of hours spent on the engagement.

2. Adequately plan the attest engagement by considering the following:
    • Plan procedures to address the objectives of the attest engagement
    • Determine the criteria that will be the basis of the engagement
    • Make initial judgments regarding the risk and materiality of the engagement (it may be appropriate to use lower materiality levels because of the public accountability of government agencies)
    • Consider the likelihood of revising or adjusting the subject matter
    • Consider whether attest procedures should be modified or extended
    • Verify or adjust the nature of the attest engagement: examination, review, or agreed-upon procedure

3. Notify appropriate management, in writing, of the intent and date to conduct an attest engagement of a program or activity (engagement letter/email). The letter should include:
    • Objective of the engagement
    • Management’s responsibility
    • Auditor’s responsibility
    • Limitations of the engagement (e.g., specific scope and expected deliverables)

4. Additional guidance for agreed-upon procedures (AUP):
    • Terms of the AUP should be understood by the auditor and ideally expressed in an engagement letter
    • Specific procedures on the subject matter must be agreed to by the auditor and the specified party making the request
    • The specified party is responsible for determining the sufficiency of the procedures
    • The criteria to be used for determining a conclusion must be agreed to by the auditor and the specified party
    • There is agreement between the auditor and the specified party regarding materiality, if applicable
    • If the work of a specialist is used, the auditor and the specified party should explicitly agree to that use

5. Plan for supervision of team members, if assigned.

6. Review background information, such as applicable laws, policies, and regulations, to become familiar with the activities of the division or section. Consider the following:
    • Federal regulations
    • State laws, policies, procedures, and rules
    • Administrative code
    • ITD department policies and rules
    • ITD manuals affecting the subject area
    • Internal or external peer review reports
    • Industry standards and best practices
    • Mission, vision, and goals

7. Obtain the organizational chart for the office; define positions and functions and identify vacancies.

8. Determine if current desk manuals are available.

9. Review the prior internal audit report, program, and work papers, if applicable, and note areas of audit interest:
    • Document findings for appropriate follow-up
    • Identify any reported weaknesses that haven’t been corrected

10. Search for review/audit reports from external groups.

11. If applicable, obtain printouts of the total revenue and expenditure transactions for the latest completed fiscal year.

12. Conduct an interview with the division administrator, section manager, or specified party for input on perceived risks to their program or activity. Discuss:
    • Programs and activities
    • Any changes in policies, procedures, and organization
    • Employee turnover rate
    • General internal control environment
    • Performance goals, measures, or tracking
    • Ask management if they are aware of any fraud, waste, or abuse
    • Obtain policies and procedures related to the program or activity under engagement
    • Consider whether an evaluation is indicated for any of the above items

13. Conduct an entrance conference with the Division Administrator, section manager, or specified party. Discuss:
    • Objective(s) of the engagement
    • Estimated length of the engagement
    • Responsibilities of management regarding the engagement
    • Responsibilities of the auditor regarding the engagement

14. Interview executive management and other stakeholders to determine areas of interest or concern.

15. Identify programs and activities, flow chart processes, and evaluate for risk:
    • Evaluate for adequate internal controls
    • Note any gaps or weaknesses in controls
    • Identify risks to the program or activities
    • Verify risks with the employees responsible and with management, or resolve them if additional mitigating information is provided
    • Prioritize risks as high, medium, or low based on probability and impact:
        – Consider the probability of each risk occurring
        – Consider the impact to the program or activity if it occurred
        – Identify the priority level for each risk (high, medium, or low)

16. Meet with the Audit Manager to verify or refine the original objective(s) to focus efforts:
    • Determine scope, and resource and time budget for the assignment
    • Consider Government Accountability Office (GAO) Audit Standards
    • Consider AICPA Statements on Standards for Attestation Engagements (SSAE)

C. Fieldwork Phase

1. Obtain sufficient evidence (based on the nature of the attest engagement) to provide a reasonable basis for a conclusion:
    • Evaluate inherent risk (risk inherent in the type of process or treatment of transactions), control risk (risk that internal controls are not present and/or not operating adequately), and detection risk (risk that a material weakness or fraud, waste, or abuse won’t be detected)
    • Strive to achieve a low level of audit risk for examination engagements
    • Strive to achieve a moderate level of audit risk for review engagements
    • Add newly identified risks to the list of risks already identified and prioritize as in step B.15

2. Design the examination engagement to detect instances of fraud and noncompliance with laws, regulations, contracts, and grant agreements that may have a material effect on the subject matter:
    • Assess the risk and possible effects of fraud and noncompliance with laws, etc.
    • Document risk factors and the auditor’s conclusion regarding those risks
    • If the auditor becomes aware of abuse that could be material to the subject matter, design procedures to assess the potential effect
    • Instances of fraud; noncompliance with laws, regulations, contracts, or grant agreements; or abuse should be communicated to those charged with governance

3. If, while conducting procedures of a review or agreed-upon procedure engagement, instances of fraud, noncompliance with laws, regulations, contracts, or grant agreements, or abuse come to the auditor’s attention, those charged with governance should be informed.

4. Obtain evidential matter for the agreed-upon procedure to provide a reasonable basis for conclusions. Appropriate procedures may include:
    • Conduct specific procedures as established by the specified user
    • Need not perform additional procedures outside the scope of the engagement
    • Conduct sampling according to agreed-upon parameters
    • Inspect specified documents for evidence of certain transactions or detailed attributes
    • Confirm specific information with third parties
    • Compare documents, schedules, or analyses with specified attributes
    • Perform specific procedures on work performed by others
    • Perform mathematical computations

5. Determine the scope of testing for examinations and reviews; consider the quality and quantity of evidential matter:
    • Consider previous audit findings and recommendations in assessing risk and determining the scope of testing
    • Conduct interviews and observations
    • Conduct site visits if appropriate
    • Obtain financial reports for inspection or testing
    • Document findings and observations
    • Document management comments
    • Determine whether internal controls are adequate; consider expanding testing if not
    • Include purpose, source, scope, and conclusion in work papers

6. Document meetings to update the Audit Manager on the progress and status of the attestation assignment.

7. Provide periodic communication with the administrator, section manager, or specified party requesting the attestation engagement, and with the management under audit, if different:
    • Document periodic communication
    • Update the administrator or manager on progress, any identified problems, or suggested best practices

8. Review or Agreed-Upon Procedures: Prepare a draft report identifying results, conclusions, and recommendations.

9. Examinations: Prepare a draft report identifying findings and recommendations. The elements of findings (criteria, condition, cause, and effect) must be developed.

D. Reporting Phase

1. Compliance with reporting standards:
    • Identify the subject matter and character of the engagement
    • The conclusion relates to the criteria used to evaluate the subject matter
    • Document the nature, timing, extent, and results of the attest procedures and information obtained; quantify results if possible (experienced auditor test)
    • In following GAGAS standards, include a statement that the attestation engagement was conducted in accordance with GAGAS
    • If a review, the GAGAS statement should include a statement that a review engagement is substantially less in scope than an examination, the objective of which is to express an opinion on the subject matter, and accordingly, review reports express no such opinion
    • If an agreed-upon procedure, the GAGAS statement should include a statement that “auditors were not engaged to and did not conduct an examination or a review of the subject matter, the objective of which would be the expression of an opinion or limited assurance and that if the auditors had performed additional procedures, other matters might have come to their attention that would have been reported.”
    • The agreed-upon procedure report is also required to state that the sufficiency of the procedures is solely the responsibility of the specified parties and must include a disclaimer of responsibility for the sufficiency of the procedures
    • Agreed-upon procedure reports must be restricted to the specified party or parties
    • Document any departures from GAGAS requirements and the impact on the engagement and conclusions
    • Document any significant reservations, such as scope deficiencies and engagement reservations, and determine if a qualified conclusion or disclaimer should be reported
    • Document instances of fraud and noncompliance with laws, regulations, contracts, and agreements that have a material effect on the subject matter
    • Document instances of abuse that have a material effect on the subject matter
    • Document if separate reports are being issued for fraud, noncompliance, or abuse
    • Document significant deficiencies or material weaknesses in internal controls
    • Document if confidential and sensitive information was omitted and the reason for omission
    • Determine whether to communicate internal control deficiencies not considered significant or material to those charged with governance

2. Document meetings with the team and Audit Manager to review and approve findings and/or conclusions, and recommendations.

3. Conduct a preliminary close-out meeting with managers and supervisors to listen to and discuss the section’s input and concerns regarding findings and/or conclusions, and recommendations.

4. Hold a close-out meeting with the division administrator, section manager, or specified party; chief officer; controller; and any other executive/management stakeholders.

5. Request and review management’s responses and action plans; note whether a target date and responsible position is identified, or note that the audited entity did not provide comments.

6. Present the final attestation report to the Director/Secretary, obtain concurrence and signature, and distribute (electronically and/or hardcopy):
    • Distribute the report to those charged with governance, the audited section’s management, and other stakeholders as appropriate
    • If the subject matter involves material that is classified for security reasons or contains confidential or sensitive information, the auditor should limit distribution
    • If distribution is restricted, include the statement “This report is intended solely for the information and use of __________________.” (e.g., agreed-upon procedures)
    • Consider the need to report findings or conclusions to outside agencies

7. Finalize work paper documentation and obtain an internal quality control assessment of the attest work papers.

8. Retain documents according to department policy.

9. Administrative procedures are in place to maintain the confidentiality of attest documentation.

E. References

1. AICPA AT-C Section 105 establishes the concepts common to all attestation engagements.

2. AICPA AT-C Section 205 provides guidance, practice aids, and sample reports for examinations.

3. AICPA AT-C Section 215 provides guidance, practice aids, and sample reports for agreed-upon procedures.

4. GAGAS incorporates AICPA standards by reference.

GLOSSARY

Actual Costs — Amounts determined based on costs incurred and supported by source documentation, such as invoices, receipts, and cancelled checks. Actual costs are generally not determined based on forecasts or historical averages.

Administrative Expenses — Costs that are not directly identified with any one item of work, but when taken, support or contribute to all activities of a firm.

Agreement — An obligation between two parties that is less formal than a contract, which identifies the deliverable goods or services to be provided, under what conditions, and the method of reimbursement for such goods and services. An agreement may include both federal and state requirements that must be met by the STA and entity. Agreements usually indicate start and finish dates, record retention requirements, and other pertinent information relative to the work to be performed. In the context of this guide, generally refers to intergovernmental obligations, such as grant agreements.

Allocable — A cost is allocable to a government contract if the cost is incurred specifically for the contract; benefits both the contract and other work and can be distributed to them in reasonable proportion to the benefits received; or is necessary to the overall operation of the business, although a direct relationship to any particular cost objective cannot be shown.

Allowable — A cost is an allowable charge to a government contract only if the cost is reasonable, allocable, compliant with GAAP, compliant with terms of the contract, and not prohibited by federal cost principles.

Analytical Procedure — An audit procedure whereby an auditor assesses information by comparing it to certain parameters or expectations selected by the auditor. It involves the auditor reasonably expecting a certain relationship among certain information and expecting those relationships to continue unless there are known conditions that should cause the relationship to not exist. The expected conditions should be developed by the auditor using reliable sources to ensure an unbiased comparison. Some common analytical procedures include ratio analysis, trend analysis, comparison between periods, comparison to budgets and forecasts, external benchmarking, and internal benchmarking.

AASHTO — American Association of State Highway and Transportation Officials

AICPA — American Institute of Certified Public Accountants, the national professional organization of Certified Public Accountants

Audit Confirmation — An audit procedure whereby an auditor obtains direct written verification of the accuracy of information from a third party. Positive confirmation is obtained by asking the third party to respond by stating whether or not they believe the information is correct. Negative confirmation asks the third party to respond only if there is an issue. Positive confirmation is more reliable because, with negative confirmation, there is no certainty if the party does not respond that there is no issue.

Audit Inquiry — An audit procedure that involves asking questions of the auditee or other parties to obtain oral and written information. Evidence gathered through inquiry is considered indirect evidence, which is rarely considered sufficient by itself to support a finding. However, it is supportive documentation when corroborated through other means.

Audit Planning — An overall strategy developed for conduct and scope of the audit. The nature, extent, and timing of planning vary with size and complexity of the entity, experience with the entity, and knowledge of the business. In planning the audit, the auditor considers the entity's business and its industry, its accounting policies and procedures, the methods it uses to process accounting information, the planned assessed level of control risk, and the auditor's preliminary judgment about audit materiality.

Audit Risk — A combination of the risk that material errors exist and the risk that the errors will not be discovered by audit tests. Audit risk includes uncertainties because of sampling (sampling risk) and other factors (nonsampling risk).

Audit Trail — A record of transactions in an accounting system that provides verification of the activity of the system. A complete audit trail allows auditors to trace transactions in a client’s accounting records from original source documents into subsidiary ledgers through the general ledger and into basic financial statements and billings/invoices prepared and submitted by the entity.

Audit Universe — All potential audit activities within an organization; comprises all auditable units within an organization. These units can include a range of programs, activities, functions, structures, and initiatives, which collectively contribute to the achievement of the STA’s strategic objectives.

Auditable Units — Any organizational process or activity that can be audited. Internal auditors divide an organization into manageable auditable activities (auditable units) to define the audit universe, assess risk, and prioritize the use of audit resources.

Benford's Law — A mathematical law that applies to any population of numbers derived from other numbers (such as the dollar amount of a sale, found by multiplying the quantity sold times the unit price). It holds, for example, that 30% of the time the first non-zero digit of this derived number will be one, and it will be a nine only 4.6% of the time. Benford's law is used by auditors to identify unusual data patterns that may signal the presence of errors or fraud.
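To show how the Benford's Law screen in the entry above is actually run, here is an added Python example (not code from the AASHTO guide). It derives the expected leading-digit frequencies, compares them with the observed first digits of two constructed payment populations, and grades the deviation; the conformity cutoffs are Nigrini's commonly cited first-digit MAD thresholds, and the $5,000 approval threshold in the planted anomaly is assumed for illustration.

```python
"""First-digit Benford's Law screen over a population of payment amounts.

Added example, not from the AASHTO guide. Both populations below are
constructed: one that follows Benford's Law and one in which many payments
cluster just under a hypothetical $5,000 approval threshold.
"""
import math
from collections import Counter
from typing import Dict, Iterable, List

DIGITS = range(1, 10)


def benford_expected() -> Dict[int, float]:
    """Expected share of each leading digit d under Benford's Law: log10(1 + 1/d).

    This yields about 30.1% for a leading 1 and 4.6% for a leading 9, the
    figures quoted in the glossary entry.
    """
    return {d: math.log10(1 + 1 / d) for d in DIGITS}


def first_digit(amount: float) -> int:
    """First non-zero digit of an amount; sign is ignored, cents are considered."""
    for ch in f"{abs(amount):.2f}":
        if ch in "123456789":
            return int(ch)
    raise ValueError(f"amount {amount!r} has no significant digit")


def observed_shares(amounts: Iterable[float]) -> Dict[int, float]:
    """Observed share of each leading digit; zero amounts are skipped."""
    digits = [first_digit(a) for a in amounts if round(a, 2) != 0]
    counts = Counter(digits)
    return {d: counts[d] / len(digits) for d in DIGITS}


def mean_absolute_deviation(observed: Dict[int, float],
                            expected: Dict[int, float]) -> float:
    """Average over the nine digits of |observed share - expected share|."""
    return sum(abs(observed[d] - expected[d]) for d in DIGITS) / len(DIGITS)


def conformity(mad: float) -> str:
    """Map the MAD to Nigrini's commonly cited first-digit cutoffs."""
    if mad < 0.006:
        return "close conformity"
    if mad < 0.012:
        return "acceptable conformity"
    if mad < 0.015:
        return "marginal conformity"
    return "nonconformity"


def benford_screen(amounts: List[float]) -> dict:
    """Screen a population and report the digit most over-represented.

    The verdict says whether the population as a whole looks natural; the
    over-represented digit tells the auditor where to start pulling samples
    (amounts trimmed to sit just under an approval limit all share a digit).
    """
    expected = benford_expected()
    observed = observed_shares(amounts)
    mad = mean_absolute_deviation(observed, expected)
    excess = {d: observed[d] - expected[d] for d in DIGITS}
    top = max(DIGITS, key=lambda d: excess[d])
    return {
        "n": len(amounts),
        "mad": mad,
        "verdict": conformity(mad),
        "top_digit": top,
        "top_excess": excess[top],
        "observed": observed,
        "expected": expected,
    }


# Constructed population that follows Benford's Law: 150 amounts growing
# geometrically by a factor of 10**(1/50), i.e. 50 amounts per decade across
# three decades ($100 to just under $100,000).
CLEAN_AMOUNTS = [100 * 10 ** (k / 50) for k in range(150)]

# Constructed population with a planted anomaly: the same amounts plus 100
# payments of $4,900 to $4,999, the pattern left when invoices are kept just
# under a hypothetical $5,000 approval threshold (assumed for illustration).
SUSPICIOUS_AMOUNTS = CLEAN_AMOUNTS + [4900.0 + i for i in range(100)]


if __name__ == "__main__":
    for label, data in (("clean", CLEAN_AMOUNTS), ("suspicious", SUSPICIOUS_AMOUNTS)):
        r = benford_screen(data)
        print(f"{label}: n={r['n']} MAD={r['mad']:.4f} -> {r['verdict']}; "
              f"digit {r['top_digit']} over-represented by {r['top_excess']:+.3f}")
```

The screen only flags where to sample; a high MAD or a single over-represented digit is a lead for the auditor's detailed testing, not a finding on its own.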

AASHTO Internal Audit Guide 2019 Edition Glossary Page 62

Change Order — Document required when work is added to or deleted from the original scope of work of a contract, which alters the original contract amount and/or completion date.

Code of Federal Regulations (CFR) — The codification of the general and permanent rules published in the Federal Register by the executive departments and agencies of the federal government. The CFR is divided into 50 titles that represent broad areas subject to federal regulation.

Contract Modification — A change to an existing contract for a change in scope or other factors, which must be agreed to by all parties to the contract.

Control Environment — The attitude, awareness, and actions of the board, management, owners, and others about the importance of control. This includes integrity and ethical rules, commitment to competence, board or audit committee participation, organizational structure, assignment of authority and responsibility, and human resource policies and practices.

Cost Center — A grouping of incurred costs identified with a specific final cost objective.

Cost Principles — Federal cost principles are intended to establish a uniform approach for determining costs and promoting effective program delivery, efficiency, and better relationships between grant recipients, subrecipients, and the federal government. The principles are promulgated to determine allowable costs, enforce compliance with federal grant requirements, and ensure that the federal government bears its fair share of costs except where restricted or otherwise prohibited by law.

Detection Risk — The risk that audit procedures will lead to a conclusion that material error does not exist when, in fact, such error does exist.

DOT — A state Department of Transportation.

Direct Cost — Any cost that is identified specifically with a particular final cost objective. Direct costs are not limited to items that are incorporated in the end product as material or labor. Costs identified specifically with a contract are direct costs of that contract. All costs identified specifically with other final cost objectives of the contractor are direct costs of those cost objectives. Direct costs can include labor, materials, and reimbursable expenses incurred specifically for an agreement.

Engagement Letter — A letter that represents the understanding between the client and the CPA about the engagement. The letter identifies the financial statements and/or schedules and describes the nature of the procedures to be performed. It includes the objectives of the procedures, an explanation that the financial information is the responsibility of the company's management, and a description of the form of the auditor's report.

Entrance Conference — A meeting between the auditor and the auditee during which the purpose and scope of the audit are discussed.

Exit Conference — A meeting between the auditor and the auditee held after completion of the audit that generally focuses on preliminary audit findings, which could change based on further audit testing, supervisory review, and additional information submitted by the auditee.

Federal Travel Regulation (FTR) — As contained in 41 CFR 300-304. The FTR implements policies for travel by federal civilian employees and others authorized to travel at the federal government's expense.

Finding — Results from deficiencies in internal controls, fraud, illegal acts, violations of contract or grant provisions, and/or abuse. In accordance with GAGAS, when documenting a finding, the auditor should include the condition, criteria, cause, effect, and a recommendation for correction. Generally, auditors include management responses to reportable findings within the final audit report.

GAAP — Generally Accepted Accounting Principles – A widely accepted set of rules, conventions, standards, and procedures for reporting financial information, as established by the Financial Accounting Standards Board (FASB).

GAAS — Generally Accepted Auditing Standards – The ten auditing standards adopted by the membership of the AICPA. Auditing standards differ from audit procedures in that "procedures" relate to acts to be performed, whereas "standards" pertain to the quality of the performance of those acts and the objectives of the procedures.

GAGAS — Generally Accepted Government Auditing Standards – Also known as the "Yellow Book," issued by the U.S. Government Accountability Office (GAO). GAGAS prescribe general procedures and professional standards that auditors must apply when performing government audits or attestation engagements.

General Administrative Expenses — Costs of operating a company that are incurred by, or allocated to, a business unit and are not directly linked to the company's products or services.

Government Accountability Office (GAO) — The audit, evaluation, and investigative arm of the United States Congress.

Indirect Cost — Any cost that is not directly identified with a single, final cost objective, but is identified with two or more final cost objectives or an intermediate cost objective. Recipients recover their indirect costs in their overhead rate.

Ineligible Cost — A cost that does not meet the terms of the agreement as well as federal and state statutes and regulations.

Inherent Risk — The risk that exists in an environment without the benefit of internal controls, due to other factors such as the nature of the transaction or activity (for example, complexity or frequent change).

Inspection — An audit procedure that involves the auditor's review of a document or record through physical examination to provide direct evidence of its content. This is a means of gathering direct evidence.

Internal Control — The plan of an entity and the methods and procedures adopted by management to ensure that the entity's goals and objectives are met; that resources are used consistently with laws, regulations, and policies; that resources are safeguarded against waste, loss, and misuse; and that reliable data are obtained, maintained, and fairly disclosed in reports.

Narrative — A written description of an internal control system, procedure, or process.

Observation — An audit procedure that involves the auditor seeing or experiencing something firsthand. It could include having the auditee walk through a process while the auditor observes and monitors the activities, procedures, and steps performed and observes security practices. Through the performance of this activity, the auditor can obtain direct evidence.

Overhead Expenses — All allowable general administrative expenses and fringe benefit costs not directly identified with a single final cost objective. Depending upon the size of the auditee, these costs may be separately identified on a schedule of overhead costs.

Overhead Rate — A rate computed by adding together all of an entity's costs that cannot be associated with a single cost objective (e.g., general and administrative costs and fringe benefit costs), then dividing by a base value (usually direct labor cost). This rate is applied to direct labor, as incurred on projects, to allow an entity to recover the appropriate share of indirect costs allowable per the terms of the specific agreement.

Peer Review — A quality control program in which the audit documentation of one STA audit group is periodically (every three years for GAGAS, every five years for IIA) reviewed by independent partners of other STA groups to verify that it conforms to the standards of the profession.

Permanent Files — Files containing information of continuing importance to engagements covering an auditable unit.

Project Authorization and Agreement — A contractual obligation of the federal government for payment of the federal share of project costs. The agreement will include a description of the project, the federal-aid project number, the work covered, the total cost and amount of federal-aid funds, the federal share of funds, signatures of state and federal officials, and any other provision set out by 23 U.S.C. 106 and/or 23 CFR.

Reasonable Cost — A cost is reasonable if, in its nature and amount, it does not exceed that which would be incurred by a prudent person in the conduct of competitive business.

Reconcile (Reconciliation) — Efforts to prepare a schedule establishing agreement between separate sources of information, such as accounting records reconciled with the financial statements.

Reperformance — An audit procedure that involves the auditor redoing a certain activity or procedure to see if he or she arrives at the same results. The auditor's reperformance of a particular control provides direct evidence to support whether a control is operating effectively.

Residual Risk — The risk that exists after consideration of the controls management has implemented to mitigate or transfer risk.

Resolution Process — The process used to resolve findings. It may involve negotiating a corrective action, reimbursing funds, and improving procedures.

Risk — The probability that an event or activity will occur that adversely impacts the achievement of an organization's objectives.

Sample Size — The number of items selected when a sample is drawn from a population.

Sampling Error — The risk that the sample results will mislead the auditor, which exists unless the auditor examines 100% of the population. The larger the sample, the less risk of sampling error and the greater the reliability of the results.

Sampling Risk — The possibility that conclusions drawn from the sample may not represent correct conclusions for the entire population.

Segregation of Duties — Assigning to different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets. Segregation of duties reduces the opportunities for one person to both perpetrate and conceal errors or fraud.

Single Audit — A rigorous, organization-wide audit or examination of an entity that expends $750,000 (currently) or more of federal assistance received for its operations. These are usually performed annually. The objective of a Single Audit is to provide assurance to the federal government as to the management and use of such funds by recipients such as states, cities, universities, and non-profit organizations. These audits are typically performed by an independent certified public accountant (CPA) and encompass both financial and compliance components.

Source Documentation — Documents that support the costs recorded in an entity's records. Source documents can include timesheets, payroll registers, invoices, receipts, rental slips, cancelled checks, etc.
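The Segregation of Duties entry names three responsibilities that should never sit with one person: authorizing, recording, and custody. In practice an auditor tests this against the access actually granted in the accounting system rather than against the org chart. The following is an added example, not from the AASHTO guide: it maps system roles to the duty each grants, then reports every user who holds an incompatible pair, including the case where a single role bundles two duties. The role names and user assignments are constructed.

```python
"""Segregation-of-duties (SoD) check over system role assignments.

Added example, not from the AASHTO guide. ROLE_DUTIES and the user
assignments are constructed for illustration.
"""
from itertools import combinations
from typing import Dict, Iterable, List, Set, Tuple

# The three responsibilities the glossary says must be held by different people.
AUTHORIZE, RECORD, CUSTODY = "authorize", "record", "custody"

# Constructed mapping from each application role to the duty it grants.
# "ap_admin" is deliberately a role that bundles two duties, so anyone
# holding it alone already violates segregation.
ROLE_DUTIES: Dict[str, Set[str]] = {
    "ap_approver": {AUTHORIZE},
    "gl_clerk": {RECORD},
    "treasury_user": {CUSTODY},
    "ap_admin": {AUTHORIZE, RECORD},
    "report_viewer": set(),  # read-only, grants no incompatible duty
}

# Any two of the three duties in one pair of hands is a conflict.
CONFLICTING_PAIRS: Set[Tuple[str, str]] = set(
    combinations(sorted([AUTHORIZE, RECORD, CUSTODY]), 2)
)


def duties_for(roles: Iterable[str]) -> Set[str]:
    """Union of the duties granted by a user's roles. Unknown role names
    grant nothing, so they surface as 'no duty' rather than as a crash."""
    return set().union(*(ROLE_DUTIES.get(r, set()) for r in roles))


def find_sod_conflicts(assignments: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Return user -> sorted list of conflicting duty pairs, for users with at least one."""
    conflicts = {}
    for user, roles in assignments.items():
        held = duties_for(roles)
        pairs = sorted(p for p in CONFLICTING_PAIRS if set(p) <= held)
        if pairs:
            conflicts[user] = pairs
    return conflicts


# Constructed role assignments, as an access-review extract would list them.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"ap_approver"},                             # authorizes only
    "bob": {"gl_clerk", "report_viewer"},                 # records only
    "carol": {"ap_approver", "gl_clerk"},                 # authorizes and records
    "dave": {"ap_admin"},                                 # one role, two duties
    "erin": {"ap_approver", "gl_clerk", "treasury_user"}, # all three duties
}


if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(ASSIGNMENTS).items():
        print(f"{user}: holds incompatible duties {pairs}")
```

Reading the output as an auditor would: alice and bob are clean, carol and dave each combine authorizing with recording (dave through a single over-broad role, which points at the role design rather than at a provisioning mistake), and erin could initiate a payment, record it, and move the cash. A conflict is a condition to report, not proof of wrongdoing; the recommendation is to split the roles or document a compensating control such as independent review of the transactions that user posts.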

Test — An audit procedure whereby the auditor reviews certain transactions and processes or attributes against established criteria. The auditor then decides whether the audited entity complied with the criteria, which are established standards, practices, laws, regulations, or requirements.

Tracing — An audit procedure that involves tracking information forward from one document to another subsequently prepared document or record. This test is performed as a means to test for the completeness of the document or record.

Unallowable Cost — An item of cost that is ineligible for cost reimbursement.

Verifying — The act of tracing a transaction from one document to the original support document.

Vouching — An audit procedure that involves tracking information from one document or record back into a previously prepared document or record or to some other reliable source. This procedure is performed to determine the validity of the information.

Walkthrough — Procedure whereby an auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records, using the same documents and information technology that company personnel use.
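Tracing and Vouching differ only in direction, and that direction decides which assertion the test supports: tracing source documents forward into the ledger tests completeness (nothing left out), while vouching ledger entries back to source documents tests validity (nothing posted without support). The following is an added example, not from the AASHTO guide, that runs both directions over a constructed set of invoices and general-ledger postings and lists the exceptions each direction finds; the document identifiers and amounts are constructed.

```python
"""Tracing (source -> ledger, completeness) and vouching (ledger -> source,
validity) over a constructed set of invoices and ledger postings.

Added example, not from the AASHTO guide. All identifiers and amounts are
constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

AMOUNT_TOLERANCE = 0.005  # half a cent; anything beyond this is a mismatch


@dataclass(frozen=True)
class SourceDocument:
    doc_id: str      # e.g. vendor invoice number
    amount: float


@dataclass(frozen=True)
class LedgerEntry:
    entry_id: str
    source_ref: Optional[str]  # the source document this posting cites, if any
    amount: float


def trace_forward(source_docs: List[SourceDocument],
                  ledger: List[LedgerEntry]) -> List[Tuple[str, str]]:
    """Tracing: start from each source document and look for the posting that
    records it. Exceptions are completeness failures, keyed by document id."""
    by_ref = {e.source_ref: e for e in ledger if e.source_ref}
    exceptions = []
    for doc in source_docs:
        entry = by_ref.get(doc.doc_id)
        if entry is None:
            exceptions.append((doc.doc_id, "not recorded in ledger"))
        elif abs(entry.amount - doc.amount) > AMOUNT_TOLERANCE:
            exceptions.append((doc.doc_id,
                               f"amount mismatch: source {doc.amount:.2f}, ledger {entry.amount:.2f}"))
    return exceptions


def vouch_backward(ledger: List[LedgerEntry],
                   source_docs: List[SourceDocument]) -> List[Tuple[str, str]]:
    """Vouching: start from each ledger entry and look for the source document
    that supports it. Exceptions are validity failures, keyed by entry id.
    A source document cited by more than one posting is also reported, since
    tracing alone would never notice a duplicate."""
    docs = {d.doc_id: d for d in source_docs}
    ref_counts = Counter(e.source_ref for e in ledger if e.source_ref)
    exceptions = []
    for entry in ledger:
        if not entry.source_ref or entry.source_ref not in docs:
            exceptions.append((entry.entry_id, "no supporting source document"))
        elif abs(entry.amount - docs[entry.source_ref].amount) > AMOUNT_TOLERANCE:
            exceptions.append((entry.entry_id,
                               f"amount mismatch: ledger {entry.amount:.2f}, "
                               f"source {docs[entry.source_ref].amount:.2f}"))
        elif ref_counts[entry.source_ref] > 1:
            exceptions.append((entry.entry_id,
                               f"{entry.source_ref} cited by {ref_counts[entry.source_ref]} postings"))
    return exceptions


# Constructed vendor invoices (source documents).
SOURCE_DOCS = [
    SourceDocument("INV-1001", 250.00),
    SourceDocument("INV-1002", 1200.00),
    SourceDocument("INV-1003", 75.50),
    SourceDocument("INV-1004", 430.00),   # never posted
]

# Constructed general-ledger postings.
LEDGER = [
    LedgerEntry("GL-1", "INV-1001", 250.00),
    LedgerEntry("GL-2", "INV-1002", 1200.00),
    LedgerEntry("GL-3", "INV-1003", 57.50),   # transposed digits
    LedgerEntry("GL-4", None, 999.00),        # posted with no support
    LedgerEntry("GL-5", "INV-1002", 1200.00), # duplicate posting of INV-1002
]


if __name__ == "__main__":
    print("Tracing (completeness):", trace_forward(SOURCE_DOCS, LEDGER))
    print("Vouching (validity):   ", vouch_backward(LEDGER, SOURCE_DOCS))
```

The two runs deliberately disagree about what is wrong: tracing finds the unrecorded invoice INV-1004 but can say nothing about GL-4, because no source document leads to it; vouching finds the unsupported GL-4 and the duplicate but would never notice INV-1004, because no ledger entry leads there. The transposition in GL-3 is caught from both sides. That asymmetry is why an audit program that tests for both completeness and validity has to run the procedure in both directions.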