Section 6
Internal, Operational, and
Compliance Auditing
Introduction
• Focus so far:
• Internal auditing, operational auditing, and
compliance auditing:

Internal Auditing
• Large corporations
• Institute of Internal Auditors (IIA)
Purpose of Internal Auditing
•
Internal auditing defined:
–
An independent appraisal activity established within
an organization to examine and evaluate its activities
as a service to the organization
•
Objective of internal auditors
•
Their work encompasses
Evolution of Internal Auditing
•
Has evolved to meet the needs of
•
Original demand
•
Role expanded as a result of
•
Organizations became larger and more
complex
•
Foreign Corrupt Practices Act of 1977
•
Current scope of internal auditing
–
Statement of Responsibilities of Internal Auditing
Internal Auditing Scope
•
Review reliability and integrity
•
Review the systems established to ensure compliance
•
Review means of safeguarding assets
•
Appraising economy and efficiency
•
Reviewing operations and programs to ascertain
Professional Standards of Internal Auditing
•
Cover five areas of auditing within an
organization
–
Independence
–
Professional proficiency
–
Scope of work
–
Performance of audit work
–
Management of the internal auditing department
Independence
•
Employees of the organization
•
Reporting to the proper level of management
•
Ideally should report to?
•
Conflicts of interest
Professional proficiency
•
Establish policies and procedures
•
Internal auditing department should collectively
possess
•
Assignment of staff
Scope of work
•
Extends beyond accounting and financial controls
•
IIA Standards for scope
Performance of audit work
•
Adequate planning
•
Examining and evaluating information
•
Communicating results
•
Follow up
Management of the internal auditing department
•
Guidance for the director
•
Assure:
–
Audit work is performed in accordance with
–
The departments resources are
Operational Auditing
• Also called:
• Comprehensive examination of an operating unit
or complete organization
• The focus is on:
• Economy
• Efficiency
• Effectiveness
Objectives of Operational Audits
•
Managements needs:
–
Assurance of a unit’s performance
–
Assurance about its plans
–
Objective information/Reporting
–
Weaknesses
–
Reassurance
General Approach to Operational Audits
Definition of
Purpose
Familiarization
Preliminary
Survey
Program
Development
Field Work
Report
Findings
Follow-Up
Definition of Purpose
•
Broad statement
•
Must specify precisely
•
Policies and procedures
Familiarization
•
Comprehensive knowledge
•
Study of documentation
•
Interviews
•
Documentation by the auditor
Preliminary Survey
•
Preliminary conclusions
•
Survey serves as a guide
Program Development
•
Tailor-made program based upon
•
What does it contain?
•
Personnel
Field Work
•
Executing the program
•
Analysis
•
Deficiencies
Report Findings
•
On final completion of field work
•
Will include
•
Exit conference
Operational Audit Report
Simon Greed
Vice President – Operations
Baxter Corporation
238 Queen Street
Hamilton, Ontario, L9V-5R6
Dear Mr. Greed:
In September 200X we concluded an operational audit of the data processing
operations.
Objectives, Scope, and Approach
The general objectives of this engagement, which were more specifically outlined in
our letter dated June 30, 200X, we as follows:
To document, analyze, and report on the status of current operations.
To identify areas that require attention.
To make recommendations for corrective action or improvements.
Our operational audit encompassed the centralized data processing facilities and the
on-site computer operations of the company’s retailing division. Our evaluations included
both the financial and operational condition of the units. Financial data consulted in the
course of our analyses were not audited or reviewed by us, and, accordingly we do not
express an opinion or any other form of assurance on them.
The operational audit involved interviews with management personnel and selected
operations personnel in each of the units studied. We also evaluated selected documents,
files, reports, systems, procedures, and policies as we considered appropriate. After
analyzing the data, we developed recommendations for improvements. We then discussed
our findings and recommendations with appropriate unit management personnel, and with
you, prior to submitting this written report.
Findings and Recommendations
All significant findings are included in this report for your consideration. The
recommendations in this report represent, in our judgment, those most likely to bring about
improvements to the operations of the organization. The recommendations differ in such
aspects as difficulty of implementation, urgency, visibility of benefits, required investment
in facilities and equipment or additional personnel.. The varying nature of the
recommendations, their implementation costs, and their potential impact on operations
should be considered in reaching your decision on courses of action.
(Specific Findings and Recommendations)
Follow-up
•
To ensure?
•
Done by whom?
•
Reexaminations
Compliance Auditing
• Laws and regulations
• Testing and reporting on whether and
organization has
• Major impetus
• Federal and provincial assistance
usually provided to whom?
• Thus tests of compliance do what?
Objectives of Compliance Auditing
•
To determine if there have been violations of
•
To provide a basis for additional reports on
compliance
•
Two categories
1.
2.
Compliance audit as part of a Financial Statement audit
Compliance with specified authorities
Compliance Audit as Part of a Financial Statement
Audit
•
Governmental organizations are subject to a variety
of laws and regulations
•
Receive funds from various sources
•
Provided if only certain requirements are met
•
Auditors perform a number of procedures
•
Discussing laws and regulations
•
Reviewing relevant grant and loan agreements
•
Reviewing minutes
•
When wording of laws subject to interpretation
•
Written representations
•
Assessment of risk
•
Substantive tests of compliance
•
Two additional reports
1. Compliance with laws and regulations
1. Organizations internal control
Reporting Compliance with Laws and Regulations
•
The report should:
1. Describe the scope of the audit
a. Transactions
b. Authorities
c. GAAS
2. Contain the auditors opinion
a. Complied with specified authorities
b. Reservations
AUDITORS’ REPORT
To the Honourable Minister responsible for ABC Crown Corporation:
We have audited the balance sheet of ABC Crown Corporation as at December 31, 200X, and
the statements of income, retained earnings, and cash flows for the year then ended and have
issued our report thereon dated February 28, 200Y.
We conducted our audit in accordance with generally accepted auditing standards. Those
standards require that we plan and perform an audit to obtain reasonable assurance whether the
financial statements are free of material misstatement.
Further, we have examined the transactions that came to our notice in the course of the abovementioned audit of the financial statements of ABC Crown Corporation for the year ended
December 31, 200X, to determine whether they were in accordance with Part XII of the
Financial Administration Act, the regulations, the charter and bylaws of the corporation (and any
directives given to the corporation pursuant to the act). Our examination of these transactions
was made in accordance with generally accepted auditing standards, and accordingly included
such tests and other procedures as we considered necessary in the circumstances. In our opinion,
these transactions were, in all significant respects, in compliance with the authorities.
Carney, Black and Heath, LLP
Chartered Accountants
Toronto, Canada
February 28, 200Y
•
May be issued in conjunction with the auditor’s
report on the F/S
•
Discovery of violations
•
Must consider the effect
•
Resulting misstatement, if uncorrected
•
Illegal acts
•
May be included in the auditor’s report
•
May instead do the following:
Reporting on Internal Control
•
How do auditors usually communicate problems
with internal control?
•
Report on internal control differs
•
Also includes:
1.
Managements responsibility
2.
Description of scope
REPORT ON INTERNAL CONTROL
To the Members of Council, Inhabitants,
and Ratepayers of the Corporation of the
City of Rosebud, Ontario
We have audited the balance sheet of the Corporation of the City of Rosebud, Ontario as at June 30,
200X, and the statements of operations for the year then ended and have issued our report thereon
dated August 15, 200X.
We conducted our audit in accordance with generally accepted auditing standards. Those standards
require that we plan and perform an audit to obtain reasonable assurance whether the financial
statements are free of material misstatement.
In planning and performing our audit of the financial statements of the Corporation of the City of
Rosebud, Ontario, for the year ended June 30, 200X, we considered its internal control in order to
determine our auditing procedures for the purposes of expressing our opinion on the financial
statements and not to provide assurance on the internal control.
The management of the Corporation of the City of Rosebud, Ontario, is responsible for establishing
and maintaining internal control. In fulfilling this responsibility, estimates and judgments by
management are required to assess the expected benefits and related costs of internal control policies
and procedures. The objectives of internal control are to provide management with reasonable, but not
absolute, assurance that assets are safeguarded against loss from unauthorized use or disposition, and
that transactions are executed in accordance with management’s authorization and recorded properly
to permit the preparation of financial statements in accordance with generally accepted accounting
principles. Because of inherent limitations in any internal control, errors, irregularities, or fraud may
nevertheless occur and not be detected. Also, projection of any evaluation of the internal control to
future periods is subject to the risk that procedures may become inadequate because of changes in
conditions or that the effectiveness of the design and operation of policies and procedures may
deteriorate.
For the purpose of this report, we have classified the significant internal control policies and
procedures in the following categories: revenue/receipts, purchases/disbursements, and payroll.
For all of the internal control categories listed above, we obtained an understanding of the design of
relevant policies and procedures and whether they they have been placed in operation, and we
assessed control risk.
We noted certain significant deficiencies in the design or operation of the internal control, that in our
judgment, could adversely affect the entity’s ability to record, process, summarize, and report
financial data consistent with assertions of management in the financial statements.
1.
Although temporary loans betweens funds are now being reconciled, they are not
reconciled on a timely basis. We suggest that the accounting manager reconcile the
funds’ loans monthly.
2.
The computer-prepared revenue, expenditure, and vouchers payable reports are not
always reconciled to the general ledger accounts on a timely basis. We recommend that
the chief accountant reconcile these reports monthly.
A significant deficiency is a condition in which the design or operation of the specific internal
control elements does not reduce to a relatively low level the risk that errors, irregularities, or fraud
in amounts that would be material in relation to the financial statements being audited may occur and
not be detected within a timely period by employees in the normal course of performing their
assigned functions.
We also noted other matters involving the internal control and its operation that we have reported to
the management of the Corporation of the City of Rosebud, Ontario, in a separate letter dated August
15, 200X.
This report is intended for the information of the audit committee, management, and [specify
legislative or regulatory body]. This restriction is not intended to limit the distribution of this report,
which is a matter of public record.
Carney, Black and Heath, LLP
Chartered Accountants
Toronto, Canada
August 15, 200X
Compliance Audit with Specified Authorities
•
Authorities refers to
•
May examine and report on a portion of the entity
•
May be asked to report on:
•
Follow GAAS and PS section 5300
Designing Compliance procedures for the Programs
•
Concerned with significant effect on specific
programs
•
Compliance audit as part of F/S audit concerned
with
•
Must be considered on a program-by-program
basis
•
Thus for the specific program:
1. Assess risk of significant noncompliance
1. Then assess control risk
1. Perform review of internal control
1. Test the internal controls
1. Design substantive procedures to test each
program for compliance
Evaluating the Results of Compliance for Programs
•
Consider the frequency of noncompliance
•
A questioned cost
•
Evaluation of a questioned cost
Reporting on Compliance on Specific Programs
•
The report should:
1. Describe the scope:
a. Identify entity or portion.
b. Specify authorities.
c. GAAS
2. Auditors opinion:
a. On compliance.
b. Reservations.
AUDITOR’S REPORT
To the Honourable Minister responsible for Entity Inc.:
We have made an examination to determine whether Entity Inc. complied with provisions of Part IV
of the Government Agencies Act during the year ended March 31, 200X. Our examination was made
in accordance with generally accepted auditing standards, and accordingly included such tests and
other procedures we considered necessary in the circumstances.
In our opinion, Entity Inc. has complied in all significant respects with the provisions of Part IV of the
Government Agencies Act during the year ended March 31, 200X.
Carney, Black and Heath, LLP
Chartered Accountants
Toronto, Canada
May 12, 200X
Reporting on Internal Controls Relevant to the
Programs
•
Auditors report provides?
•
Thus auditor must:
1. Obtain an understanding of
2. Perform tests of
•
No opinion on internal control
Question 25-15:
Explain why the Auditor General of Canada performs comprehensive
audits rather than simply performing financial audits of various
government departments.
Question 25-17:
What does the term “accountability” mean in the context of
comprehensive auditing?
Question 25-18:
Why are criteria so important that they are mentioned specifically in
Public Sector Accounting Recommendation 5400? What does the term
“criteria” mean in this context? Provide an example of a criterion that
might be used by an auditor in auditing the passenger service of Via Rail.
Problem 25-24:
Lajod Ltd. has an internal audit department
consisting of a manager and three staff auditors. The manager of internal
audit reports to the corporate controller. Copies of audit reports are
routinely sent to the audit committee of the board of directors as well as
the corporate controller and the individual responsible for the area or
activity being audited.
The manager of internal audit is aware that the external auditors have
relied on the internal audit function to a substantial degree in the past.
However, in recent months, the external auditors have suggested that there
may be a problem related to objectivity of the internal audit function. This
objectivity problem may result in more extensive testing and analysis by
the external auditors.
The external auditors are concerned about the amount of nonaudit work
performed by the internal audit department. The percentage of nonaudit
work performed by the internal auditors in recent years has increased to
about 25 percent of their total hours worked. A sample of five recent non
audit activities areas follows:
1. One of the internal auditors assisted in the preparation of policy
statements on internal control. These statements included such things
as policies regarding sensitive payments and standards of internal
controls.
2. The bank statements of the corporation are reconciled each month as a
regular assignment for one of the internal auditors. The corporate
controller believes that this strengthens internal controls because the
internal auditor is not involved in the receipt and disbursement of
cash.
3. The internal auditors are asked to review the budget data in every area
each year for relevance and reasonableness before the budget is
approved. In addition, an internal auditor examines the variances each
month, along with the associated explanations. These variance
analyses are prepared by the corporate controller’s staff after
consultation with the individuals involved.
4. One of the internal auditors has recently been involved in the design,
installation, and initial operation of a new computer system. The
auditor was primarily concerned with the deign and implementation of
internal accounting controls and the computer application controls for
the new system. The auditor also conducted the testing of the controls
during the test runs.
5. The internal auditors are frequently asked to make accounting entries
for complex transactions before the transactions are recorded. The
employees in the accounting department are not adequately trained to
handle such transactions. In addition, this serves as a means of
maintaining internal control over complex transactions.
The manager of internal audits has always made an effort to remain
independent of the corporate controller's office and believes that the
internal auditors are objective and independent in their audit and nonaudit
activities.
Required:
a.
Define “objectivity” as it relates to the internal audit function.
b.
For each of the five situations outlined, explain whether the
objectivity of Lajod Ltd.’s internal audit department has been
materially impaired. Consider each situation independently.
c.
The manager of internal audit reports to the corporate controller.
i.
Does this reporting relationship result in a problem of objectivity?
Explain your answer.
ii. Would your answer to any of the five situations in requirement
(b) above have changed if the manager of internal audit reported
to the audit committee of the board of directors? Explain your
answer.