400-1195 Legislative Auditor's Policy Regarding Confidentiality of Audit/Engagement DocumentationAllegations: Allegations relative to local government agencies and quasi-public organizations (local auditees) come to the Louisiana Legislative Auditor (LLA) from several sources; by mail, email, phone, and through the Legislative Auditor Fraud Hotline.
Allegations are either handled in-house by LLA staff, or are sent by email to the certified public accountants (CPAs) who perform the audit and review/attestation engagements for local auditees.
The email sent to the CPA includes the allegation and instructions on what the CPA needs to do to address the allegation; and the type of response LLA requires with respect to the allegation. The type of response required depends on whether LLA considers the allegation to be high risk or low risk.
For both high risk and low risk allegations, the email will ask the CPA to reply to the email stating that the CPA will, during the planning and performance of the engagement, in accordance with AU-C 240, Government Auditing Standards, and the Louisiana Governmental Audit Guide (for audit engagements):
- Review the information in order to identify risks that may result in a material misstatement due to fraud
- Assess the identified risks after taking into account an evaluation of the entity’s programs and controls
- Respond to the results of the assessment, and
- Document their consideration of the information as it relates to risks that may result in a material misstatement due to fraud.
The CPA may send a response with the above affirmation immediately after receiving the email.
CPAs performing review/attestation engagements are asked to send a similar response stating that, during the planning and performance of the engagement, in accordance with Government Auditing Standards and the Louisiana Governmental Audit Guide they will:
- Review the information in order to determine whether it indicates conditions that may result in a material misstatement of the financial statements due to fraud, and
- Document their consideration of the information
An email with a high risk allegation attached also asks the CPA to notify the Engagement Manager by email if the CPA finds the allegation does not have merit or does not indicate a deficiency in internal control. Because of the nature of a high risk allegation, this notification is mandatory. LLA will not issue the report if the report does not include a finding related to the allegation, or the Engagement Manager has not received the CPA's notification that the allegation did not have merit.
Allegation emails include the telephone number of the Director of Investigative Audit in the event the CPA would like to discuss fraud-related matters or becomes aware of other illegal acts or violations of law.
In order to protect the confidentiality of personal identifying information, the CPA is instructed to delete any attachments when responding to the email. It is especially important to maintain confidentiality regarding the name of the person who made the allegation, if this information is included in the email that was sent to the CPA.
Misappropriation notices: Misappropriation notices are notifications sent to LLA by local auditees to notify LLA that there has been a misappropriation of the public funds or assets within the agency, as required by the audit law (Louisiana Revised Statute (R.S.) 24:523). Misappropriation notices are forwarded to the CPAs performing the related engagements, in a manner similar to allegations. The CPA is not required to respond to a misappropriation notice, but as stated in the email, is expected to include any misappropriation that is $1,000 or greater in a finding in the related report. See Special Reporting – Fraud and Misappropriations.
Other information: Other information regarding specific engagements is sent to CPAs, including requests to review bond millage rates, notification of ongoing LLA investigations, and completed LLA investigative audit reports. The related emails notify the CPA how the information is to be treated for the purposes of the engagement.
Confidentiality of information sent to CPAs by LLA: Allegations, misappropriation notices, LLA workpapers and audit documentation, and other information that is sent to the CPA by LLA (except for reports that have been issued by LLA) is considered by law (R.S. 24:513 I. and 44:4 (6)) to be confidential information.
A CPA firm must contact and obtain the express permission of LLA prior to giving access to this information to anyone outside of their firm. LLA will permit access to this information only upon receipt of a valid confidentiality agreement or a subpoena.
In accordance with state law and professional standards, the CPA may share audit/engagement documentation, without prior approval of LLA, with the successor auditor; or any committee, individual, or organization of the Louisiana Board of Certified Public accountants authorized to perform quality assurance engagement reviews.
For additional information, see Legislative Auditor's Policy Regarding Confidentiality of Audit/Engagement Documentation.
Questions:
- How does a CPA address an allegation with a local auditee if it is considered to be confidential information?
- I received a subpoena for a local auditee engagement’s workpapers. How should I proceed?
- Does LLA send allegations to CPAs who are performing compilation engagements?
- I received a low-risk allegation from LLA regarding a local auditee. The allegation is very vague, and I don’t think it has merit. How should I address it?