section 6 internal, operational, and compliance auditing
Click here to load reader
Post on 15-Jan-2016
Embed Size (px)
Section 6Internal, Operational, and Compliance Auditing
IntroductionInternal auditing, operational auditing, and compliance auditing:
Focus so far:
Internal AuditingLarge corporations
Institute of Internal Auditors (IIA)
Internal auditing defined:An independent appraisal activity established within an organization to examine and evaluate its activities as a service to the organizationObjective of internal auditors
Their work encompassesPurpose of Internal Auditing
Has evolved to meet the needs of
Role expanded as a result ofEvolution of Internal Auditing
Foreign Corrupt Practices Act of 1977
Current scope of internal auditing
Statement of Responsibilities of Internal AuditingOrganizations became larger and more complex
Review reliability and integrity
Review the systems established to ensure compliance
Review means of safeguarding assets
Appraising economy and efficiency
Reviewing operations and programs to ascertainInternal Auditing Scope
Cover five areas of auditing within an organization
Scope of work
Performance of audit work
Management of the internal auditing departmentProfessional Standards of Internal Auditing
Employees of the organization
Reporting to the proper level of management
Ideally should report to?
Conflicts of interestIndependence
Establish policies and procedures
Internal auditing department should collectively possess
Assignment of staffProfessional proficiency
Extends beyond accounting and financial controls
IIA Standards for scopeScope of work
Examining and evaluating information
Follow upPerformance of audit work
Guidance for the director
Assure:Audit work is performed in accordance with
The departments resources areManagement of the internal auditing department
Operational AuditingAlso called:
Comprehensive examination of an operating unit or complete organization
The focus is on:
Assurance of a units performance
Assurance about its plans
ReassuranceObjectives of Operational Audits
General Approach to Operational Audits
Must specify precisely
Policies and proceduresDefinition of Purpose
Study of documentation
Documentation by the auditorFamiliarization
Survey serves as a guidePreliminary Survey
Tailor-made program based upon
What does it contain?
Executing the program
On final completion of field work
Exit conferenceReport Findings
Operational Audit ReportSimon GreedVice President OperationsBaxter Corporation238 Queen StreetHamilton, Ontario, L9V-5R6Dear Mr. Greed:In September 200X we concluded an operational audit of the data processing operations.Objectives, Scope, and ApproachThe general objectives of this engagement, which were more specifically outlined in our letter dated June 30, 200X, we as follows:To document, analyze, and report on the status of current operations.To identify areas that require attention.To make recommendations for corrective action or improvements.Our operational audit encompassed the centralized data processing facilities and the on-site computer operations of the companys retailing division. Our evaluations included both the financial and operational condition of the units. Financial data consulted in the course of our analyses were not audited or reviewed by us, and, accordingly we do not express an opinion or any other form of assurance on them.
The operational audit involved interviews with management personnel and selected operations personnel in each of the units studied. We also evaluated selected documents, files, reports, systems, procedures, and policies as we considered appropriate. After analyzing the data, we developed recommendations for improvements. We then discussed our findings and recommendations with appropriate unit management personnel, and with you, prior to submitting this written report.Findings and RecommendationsAll significant findings are included in this report for your consideration. The recommendations in this report represent, in our judgment, those most likely to bring about improvements to the operations of the organization. The recommendations differ in such aspects as difficulty of implementation, urgency, visibility of benefits, required investment in facilities and equipment or additional personnel.. The varying nature of the recommendations, their implementation costs, and their potential impact on operations should be considered in reaching your decision on courses of action.
(Specific Findings and Recommendations)
Done by whom?
Compliance AuditingLaws and regulations
Testing and reporting on whether and organization has
Federal and provincial assistance usually provided to whom?
Thus tests of compliance do what?Major impetus
To determine if there have been violations of
To provide a basis for additional reports on compliance
Two categoriesCompliance audit as part of a Financial Statement auditCompliance with specified authoritiesObjectives of Compliance Auditing
Governmental organizations are subject to a variety of laws and regulations
Receive funds from various sources
Provided if only certain requirements are metCompliance Audit as Part of a Financial Statement Audit
Discussing laws and regulations
Reviewing relevant grant and loan agreements
Reviewing minutesAuditors perform a number of procedures
Assessment of risk
Substantive tests of complianceWhen wording of laws subject to interpretation
Compliance with laws and regulations
Organizations internal controlTwo additional reports
The report should:Describe the scope of the auditTransactionsAuthoritiesGAAS
Contain the auditors opinionComplied with specified authoritiesReservationsReporting Compliance with Laws and Regulations
AUDITORS REPORTTo the Honourable Minister responsible for ABC Crown Corporation:We have audited the balance sheet of ABC Crown Corporation as at December 31, 200X, and the statements of income, retained earnings, and cash flows for the year then ended and have issued our report thereon dated February 28, 200Y.We conducted our audit in accordance with generally accepted auditing standards. Those standards require that we plan and perform an audit to obtain reasonable assurance whether the financial statements are free of material misstatement. Further, we have examined the transactions that came to our notice in the course of the above-mentioned audit of the financial statements of ABC Crown Corporation for the year ended December 31, 200X, to determine whether they were in accordance with Part XII of the Financial Administration Act, the regulations, the charter and bylaws of the corporation (and any directives given to the corporation pursuant to the act). Our examination of these transactions was made in accordance with generally accepted auditing standards, and accordingly included such tests and other procedures as we considered necessary in the circumstances. In our opinion, these transactions were, in all significant respects, in compliance with the authorities.Carney, Black and Heath, LLPChartered AccountantsToronto, CanadaFebruary 28, 200Y
Discovery of violations
Must consider the effect
Resulting misstatement, if uncorrectedMay be issued in conjunction with the auditors report on the F/S
May be included in the auditors report
May instead do the following:Illegal acts
How do auditors usually communicate problems with internal control?
Report on internal control differs
Also includes:Managements responsibility
Description of scopeReporting on Internal Control
REPORT ON INTERNAL CONTROLTo the Members of Council, Inhabitants,and Ratepayers of the Corporation of theCity of Rosebud, OntarioWe have audited the balance sheet of the Corporation of the City of Rosebud, Ontario as at June 30, 200X, and the statements of operations for the year then ended and have issued our report thereon dated August 15, 200X.We conducted our audit in accordance with generally accepted auditing standards. Those standards require that we plan and perform an audit to obtain reasonable assurance whether the financial statements are free of material misstatement. In planning and performing our audit of the financial statements of the Corporation of the City of Rosebud, Ontario, for the year ended June 30, 200X, we considered its internal control in order to determine our auditing procedures for the purposes of expressing our opinion on the financial statements and not to provide assurance on the internal control.The management of the Corporation of the City of Rosebud, Ontario, is responsible for establishing and maintaining internal control. In fulfilling this responsibility, estimates and judgments by management are required to assess the expected benefits and related costs of internal control policies and procedures. The objectives of internal control are to provide management with reasonable, but not absolute, assurance that assets are safeguarded against loss from unauthorized use or disposition, and that transactions are executed in accordance with managements authorization and recorded properly to permit the preparation of financial statements in accordance with generally accepted accounting principles. Because of inherent limitations in any internal control, errors, irregularities, or fraud may
nevertheless occur and not be detected. Also, projection of any evaluation of the internal control to future periods is subject to the risk that procedures may become inadequate because of changes in conditions or that the effectiveness of the design and operation of policies and procedures may deteriorate.For the purpose of this report, we have classified the significant internal control policies and procedures in the following categories: revenue/receipts, purchases/disbursements, and payroll.For all of the internal control categories listed above, we obtained an understanding of the design of relevant policies and procedures and whether they they have been placed in operation, and we assessed control risk.We noted certain significant deficiencies in the design or operation of the internal control, that in our judgment, could adversely affect the entitys ability to record, process, summarize, and report financial data consistent with assertions of management in the financial statements.Although temporary loans betweens funds are now being reconciled, they are not reconciled on a timely basis. We suggest that the accounting manager reconcile the funds loans monthly.The computer-prepared revenue, expenditure, and vouchers payable reports are not always reconciled to the general ledger accounts on a timely basis. We recommend that the chief accountant reconcile these reports monthly.A significant deficiency is a condition in which the design or operation of the specific internal control elements does not reduce to a relatively low level the risk that errors, irregularities, or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.
We also noted other matters involving the internal control and its operation that we have reported to the management of the Corporation of the City of Rosebud, Ontario, in a separate letter dated August 15, 200X.This report is intended for the information of the audit committee, management, and [specify legislative or regulatory body]. This restriction is not intended to limit the distribution of this report, which is a matter of public record.Carney, Black and Heath, LLPChartered AccountantsToronto, CanadaAugust 15, 200X
Authorities refers to
May examine and report on a portion of the entity
May be asked to report on:
Follow GAAS and PS section 5300Compliance Audit with Specified Authorities
Concerned with significant effect on specific programs
Compliance audit as part of F/S audit concerned with
Must be considered on a program-by-program basisDesigning Compliance procedures for the Programs
Assess risk of significant noncompliance
Then assess control risk
Perform review of internal control
Test the internal controls
Design substantive procedures to test each program for complianceThus for the specific program:
Consider the frequency of noncompliance
A questioned cost
Evaluation of a questioned costEvaluating the Results of Compliance for Programs
The report should:
Describe the scope:Identify entity or portion.Specify authorities.GAASAuditors opinion:On compliance.Reservations.Reporting on Compliance on Specific Programs
AUDITORS REPORTTo the Honourable Minister responsible for Entity Inc.:
We have made an examination to determine whether Entity Inc. complied with provisions of Part IV of the Government Agencies Act during the year ended March 31, 200X. Our examination was made in accordance with generally accepted auditing standards, and accordingly included such tests and other procedures we considered necessary in the circumstances.In our opinion, Entity Inc. has complied in all significant respects with the provisions of Part IV of the Government Agencies Act during the year ended March 31, 200X.
Carney, Black and Heath, LLPChartered AccountantsToronto, CanadaMay 12, 200X
Auditors report provides?
Thus auditor must:Obtain an understanding of
Perform tests of
No opinion on internal controlReporting on Internal Controls Relevant to the Programs
Question 25-15:Explain why the Auditor General of Canada performs comprehensive audits rather than simply performing financial audits of various government departments.
Question 25-17:What does the term accountability mean in the context of comprehensive auditing?
Question 25-18:Why are criteria so important that they are mentioned specifically in Public Sector Accounting Recommendation 5400? What does the term criteria mean in this context? Provide an example of a criterion that might be used by an auditor in auditing the passenger service of Via Rail.
Problem 25-24:Lajod Ltd. has an internal audit department consisting of a manager and three staff auditors. The manager of internal audit reports to the corporate controller. Copies of audit reports are routinely sent to the audit committee of the board of directors as well as the corporate controller and the individual responsible for the area or activity being audited.The manager of internal audit is aware that the external auditors have relied on the internal audit function to a substantial degree in the past. However, in recent months, the external auditors have suggested that there may be a problem related to objectivity of the internal audit function. This objectivity problem may result in more extensive testing and analysis by the external auditors.The external auditors are concerned about the amount of nonaudit work performed by the internal audit department. The percentage of nonaudit work performed by the internal auditors in recent years has increased to about 25 percent of their total hours worked. A sample of five recent non audit activities areas follows:
One of the internal auditors assisted in the preparation of policy statements on internal control. These statements included such things as policies regarding sensitive payments and standards of internal controls.The bank statements of the corporation are reconciled each month as a regular assignment for one of the internal auditors. The corporate controller believes that this strengthens internal controls because the internal auditor is not involved in the receipt and disbursement of cash.The internal auditors are asked to review the budget data in every area each year for relevance and reasonableness before the budget is approved. In addition, an internal auditor examines the variances each month, along with the associated explanations. These variance analyses are prepared by the corporate controllers staff after consultation with the individuals involved.
One of the internal auditors has recently been involved in the design, installation, and initial operation of a new computer system. The auditor was primarily concerned with the deign and implementation of internal accounting controls and the computer application controls for the new system. The auditor also conducted the testing of the controls during the test runs.The internal auditors are frequently asked to make accounting entries for complex transactions before the transactions are recorded. The employees in the accounting department are not adequately trained to handle such transactions. In addition, this serves as a means of maintaining internal control over complex transactions.
The manager of internal audits has always made an effort to remain independent of the corporate controller's office and believes that the internal auditors are objective and independent in their audit and nonaudit activities.
Required:Define objectivity as it relates to the internal audit function.For each of the five situations outlined, explain whether the objectivity of Lajod Ltd.s internal audit department has been materially impaired. Consider each situation independently.The manager of internal audit reports to the corporate controller.Does this reporting relationship result in a problem of objectivity? Explain your answer.Would your answer to any of the five situations in requirement (b) above have changed if the manager of internal audit reported to the audit committee of the board of directors? Explain your answer.