Section 6 Internal, Operational, and Compliance Auditing Introduction • Focus so far: • Internal auditing, operational auditing, and compliance auditing: Internal Auditing • Large corporations • Institute of Internal Auditors (IIA) Purpose of Internal Auditing • Internal auditing defined: – An independent appraisal activity established within an organization to examine and evaluate its activities as a service to the organization • Objective of internal auditors • Their work encompasses Evolution of Internal Auditing • Has evolved to meet the needs of • Original demand • Role expanded as a result of • Organizations became larger and more complex • Foreign Corrupt Practices Act of 1977 • Current scope of internal auditing – Statement of Responsibilities of Internal Auditing Internal Auditing Scope • Review reliability and integrity • Review the systems established to ensure compliance • Review means of safeguarding assets • Appraising economy and efficiency • Reviewing operations and programs to ascertain Professional Standards of Internal Auditing • Cover five areas of auditing within an organization – Independence – Professional proficiency – Scope of work – Performance of audit work – Management of the internal auditing department Independence • Employees of the organization • Reporting to the proper level of management • Ideally should report to? • Conflicts of interest Professional proficiency • Establish policies and procedures • Internal auditing department should collectively possess • Assignment of staff Scope of work • Extends beyond accounting and financial controls • IIA Standards for scope Performance of audit work • Adequate planning • Examining and evaluating information • Communicating results • Follow up Management of the internal auditing department • Guidance for the director • Assure: – Audit work is performed in accordance with – The departments resources are Operational Auditing • Also called: • Comprehensive examination of an operating unit or complete organization • The focus is on: • Economy • Efficiency • Effectiveness Objectives of Operational Audits • Managements needs: – Assurance of a unit’s performance – Assurance about its plans – Objective information/Reporting – Weaknesses – Reassurance General Approach to Operational Audits Definition of Purpose Familiarization Preliminary Survey Program Development Field Work Report Findings Follow-Up Definition of Purpose • Broad statement • Must specify precisely • Policies and procedures Familiarization • Comprehensive knowledge • Study of documentation • Interviews • Documentation by the auditor Preliminary Survey • Preliminary conclusions • Survey serves as a guide Program Development • Tailor-made program based upon • What does it contain? • Personnel Field Work • Executing the program • Analysis • Deficiencies Report Findings • On final completion of field work • Will include • Exit conference Operational Audit Report Simon Greed Vice President – Operations Baxter Corporation 238 Queen Street Hamilton, Ontario, L9V-5R6 Dear Mr. Greed: In September 200X we concluded an operational audit of the data processing operations. Objectives, Scope, and Approach The general objectives of this engagement, which were more specifically outlined in our letter dated June 30, 200X, we as follows: To document, analyze, and report on the status of current operations. To identify areas that require attention. To make recommendations for corrective action or improvements. Our operational audit encompassed the centralized data processing facilities and the on-site computer operations of the company’s retailing division. Our evaluations included both the financial and operational condition of the units. Financial data consulted in the course of our analyses were not audited or reviewed by us, and, accordingly we do not express an opinion or any other form of assurance on them. The operational audit involved interviews with management personnel and selected operations personnel in each of the units studied. We also evaluated selected documents, files, reports, systems, procedures, and policies as we considered appropriate. After analyzing the data, we developed recommendations for improvements. We then discussed our findings and recommendations with appropriate unit management personnel, and with you, prior to submitting this written report. Findings and Recommendations All significant findings are included in this report for your consideration. The recommendations in this report represent, in our judgment, those most likely to bring about improvements to the operations of the organization. The recommendations differ in such aspects as difficulty of implementation, urgency, visibility of benefits, required investment in facilities and equipment or additional personnel.. The varying nature of the recommendations, their implementation costs, and their potential impact on operations should be considered in reaching your decision on courses of action. (Specific Findings and Recommendations) Follow-up • To ensure? • Done by whom? • Reexaminations Compliance Auditing • Laws and regulations • Testing and reporting on whether and organization has • Major impetus • Federal and provincial assistance usually provided to whom? • Thus tests of compliance do what? Objectives of Compliance Auditing • To determine if there have been violations of • To provide a basis for additional reports on compliance • Two categories 1. 2. Compliance audit as part of a Financial Statement audit Compliance with specified authorities Compliance Audit as Part of a Financial Statement Audit • Governmental organizations are subject to a variety of laws and regulations • Receive funds from various sources • Provided if only certain requirements are met • Auditors perform a number of procedures • Discussing laws and regulations • Reviewing relevant grant and loan agreements • Reviewing minutes • When wording of laws subject to interpretation • Written representations • Assessment of risk • Substantive tests of compliance • Two additional reports 1. Compliance with laws and regulations 1. Organizations internal control Reporting Compliance with Laws and Regulations • The report should: 1. Describe the scope of the audit a. Transactions b. Authorities c. GAAS 2. Contain the auditors opinion a. Complied with specified authorities b. Reservations AUDITORS’ REPORT To the Honourable Minister responsible for ABC Crown Corporation: We have audited the balance sheet of ABC Crown Corporation as at December 31, 200X, and the statements of income, retained earnings, and cash flows for the year then ended and have issued our report thereon dated February 28, 200Y. We conducted our audit in accordance with generally accepted auditing standards. Those standards require that we plan and perform an audit to obtain reasonable assurance whether the financial statements are free of material misstatement. Further, we have examined the transactions that came to our notice in the course of the abovementioned audit of the financial statements of ABC Crown Corporation for the year ended December 31, 200X, to determine whether they were in accordance with Part XII of the Financial Administration Act, the regulations, the charter and bylaws of the corporation (and any directives given to the corporation pursuant to the act). Our examination of these transactions was made in accordance with generally accepted auditing standards, and accordingly included such tests and other procedures as we considered necessary in the circumstances. In our opinion, these transactions were, in all significant respects, in compliance with the authorities. Carney, Black and Heath, LLP Chartered Accountants Toronto, Canada February 28, 200Y • May be issued in conjunction with the auditor’s report on the F/S • Discovery of violations • Must consider the effect • Resulting misstatement, if uncorrected • Illegal acts • May be included in the auditor’s report • May instead do the following: Reporting on Internal Control • How do auditors usually communicate problems with internal control? • Report on internal control differs • Also includes: 1. Managements responsibility 2. Description of scope REPORT ON INTERNAL CONTROL To the Members of Council, Inhabitants, and Ratepayers of the Corporation of the City of Rosebud, Ontario We have audited the balance sheet of the Corporation of the City of Rosebud, Ontario as at June 30, 200X, and the statements of operations for the year then ended and have issued our report thereon dated August 15, 200X. We conducted our audit in accordance with generally accepted auditing standards. Those standards require that we plan and perform an audit to obtain reasonable assurance whether the financial statements are free of material misstatement. In planning and performing our audit of the financial statements of the Corporation of the City of Rosebud, Ontario, for the year ended June 30, 200X, we considered its internal control in order to determine our auditing procedures for the purposes of expressing our opinion on the financial statements and not to provide assurance on the internal control. The management of the Corporation of the City of Rosebud, Ontario, is responsible for establishing and maintaining internal control. In fulfilling this responsibility, estimates and judgments by management are required to assess the expected benefits and related costs of internal control policies and procedures. The objectives of internal control are to provide management with reasonable, but not absolute, assurance that assets are safeguarded against loss from unauthorized use or disposition, and that transactions are executed in accordance with management’s authorization and recorded properly to permit the preparation of financial statements in accordance with generally accepted accounting principles. Because of inherent limitations in any internal control, errors, irregularities, or fraud may nevertheless occur and not be detected. Also, projection of any evaluation of the internal control to future periods is subject to the risk that procedures may become inadequate because of changes in conditions or that the effectiveness of the design and operation of policies and procedures may deteriorate. For the purpose of this report, we have classified the significant internal control policies and procedures in the following categories: revenue/receipts, purchases/disbursements, and payroll. For all of the internal control categories listed above, we obtained an understanding of the design of relevant policies and procedures and whether they they have been placed in operation, and we assessed control risk. We noted certain significant deficiencies in the design or operation of the internal control, that in our judgment, could adversely affect the entity’s ability to record, process, summarize, and report financial data consistent with assertions of management in the financial statements. 1. Although temporary loans betweens funds are now being reconciled, they are not reconciled on a timely basis. We suggest that the accounting manager reconcile the funds’ loans monthly. 2. The computer-prepared revenue, expenditure, and vouchers payable reports are not always reconciled to the general ledger accounts on a timely basis. We recommend that the chief accountant reconcile these reports monthly. A significant deficiency is a condition in which the design or operation of the specific internal control elements does not reduce to a relatively low level the risk that errors, irregularities, or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. We also noted other matters involving the internal control and its operation that we have reported to the management of the Corporation of the City of Rosebud, Ontario, in a separate letter dated August 15, 200X. This report is intended for the information of the audit committee, management, and [specify legislative or regulatory body]. This restriction is not intended to limit the distribution of this report, which is a matter of public record. Carney, Black and Heath, LLP Chartered Accountants Toronto, Canada August 15, 200X Compliance Audit with Specified Authorities • Authorities refers to • May examine and report on a portion of the entity • May be asked to report on: • Follow GAAS and PS section 5300 Designing Compliance procedures for the Programs • Concerned with significant effect on specific programs • Compliance audit as part of F/S audit concerned with • Must be considered on a program-by-program basis • Thus for the specific program: 1. Assess risk of significant noncompliance 1. Then assess control risk 1. Perform review of internal control 1. Test the internal controls 1. Design substantive procedures to test each program for compliance Evaluating the Results of Compliance for Programs • Consider the frequency of noncompliance • A questioned cost • Evaluation of a questioned cost Reporting on Compliance on Specific Programs • The report should: 1. Describe the scope: a. Identify entity or portion. b. Specify authorities. c. GAAS 2. Auditors opinion: a. On compliance. b. Reservations. AUDITOR’S REPORT To the Honourable Minister responsible for Entity Inc.: We have made an examination to determine whether Entity Inc. complied with provisions of Part IV of the Government Agencies Act during the year ended March 31, 200X. Our examination was made in accordance with generally accepted auditing standards, and accordingly included such tests and other procedures we considered necessary in the circumstances. In our opinion, Entity Inc. has complied in all significant respects with the provisions of Part IV of the Government Agencies Act during the year ended March 31, 200X. Carney, Black and Heath, LLP Chartered Accountants Toronto, Canada May 12, 200X Reporting on Internal Controls Relevant to the Programs • Auditors report provides? • Thus auditor must: 1. Obtain an understanding of 2. Perform tests of • No opinion on internal control Question 25-15: Explain why the Auditor General of Canada performs comprehensive audits rather than simply performing financial audits of various government departments. Question 25-17: What does the term “accountability” mean in the context of comprehensive auditing? Question 25-18: Why are criteria so important that they are mentioned specifically in Public Sector Accounting Recommendation 5400? What does the term “criteria” mean in this context? Provide an example of a criterion that might be used by an auditor in auditing the passenger service of Via Rail. Problem 25-24: Lajod Ltd. has an internal audit department consisting of a manager and three staff auditors. The manager of internal audit reports to the corporate controller. Copies of audit reports are routinely sent to the audit committee of the board of directors as well as the corporate controller and the individual responsible for the area or activity being audited. The manager of internal audit is aware that the external auditors have relied on the internal audit function to a substantial degree in the past. However, in recent months, the external auditors have suggested that there may be a problem related to objectivity of the internal audit function. This objectivity problem may result in more extensive testing and analysis by the external auditors. The external auditors are concerned about the amount of nonaudit work performed by the internal audit department. The percentage of nonaudit work performed by the internal auditors in recent years has increased to about 25 percent of their total hours worked. A sample of five recent non audit activities areas follows: 1. One of the internal auditors assisted in the preparation of policy statements on internal control. These statements included such things as policies regarding sensitive payments and standards of internal controls. 2. The bank statements of the corporation are reconciled each month as a regular assignment for one of the internal auditors. The corporate controller believes that this strengthens internal controls because the internal auditor is not involved in the receipt and disbursement of cash. 3. The internal auditors are asked to review the budget data in every area each year for relevance and reasonableness before the budget is approved. In addition, an internal auditor examines the variances each month, along with the associated explanations. These variance analyses are prepared by the corporate controller’s staff after consultation with the individuals involved. 4. One of the internal auditors has recently been involved in the design, installation, and initial operation of a new computer system. The auditor was primarily concerned with the deign and implementation of internal accounting controls and the computer application controls for the new system. The auditor also conducted the testing of the controls during the test runs. 5. The internal auditors are frequently asked to make accounting entries for complex transactions before the transactions are recorded. The employees in the accounting department are not adequately trained to handle such transactions. In addition, this serves as a means of maintaining internal control over complex transactions. The manager of internal audits has always made an effort to remain independent of the corporate controller's office and believes that the internal auditors are objective and independent in their audit and nonaudit activities. Required: a. Define “objectivity” as it relates to the internal audit function. b. For each of the five situations outlined, explain whether the objectivity of Lajod Ltd.’s internal audit department has been materially impaired. Consider each situation independently. c. The manager of internal audit reports to the corporate controller. i. Does this reporting relationship result in a problem of objectivity? Explain your answer. ii. Would your answer to any of the five situations in requirement (b) above have changed if the manager of internal audit reported to the audit committee of the board of directors? Explain your answer.