section 6 internal, operational, and compliance auditing

Click here to load reader

Post on 15-Jan-2016




4 download

Embed Size (px)


  • Section 6Internal, Operational, and Compliance Auditing

  • IntroductionInternal auditing, operational auditing, and compliance auditing:

    Focus so far:

  • Internal AuditingLarge corporations

    Institute of Internal Auditors (IIA)

  • Internal auditing defined:An independent appraisal activity established within an organization to examine and evaluate its activities as a service to the organizationObjective of internal auditors

    Their work encompassesPurpose of Internal Auditing

  • Has evolved to meet the needs of

    Original demand

    Role expanded as a result ofEvolution of Internal Auditing

  • Foreign Corrupt Practices Act of 1977

    Current scope of internal auditing

    Statement of Responsibilities of Internal AuditingOrganizations became larger and more complex

  • Review reliability and integrity

    Review the systems established to ensure compliance

    Review means of safeguarding assets

    Appraising economy and efficiency

    Reviewing operations and programs to ascertainInternal Auditing Scope

  • Cover five areas of auditing within an organization


    Professional proficiency

    Scope of work

    Performance of audit work

    Management of the internal auditing departmentProfessional Standards of Internal Auditing

  • Employees of the organization

    Reporting to the proper level of management

    Ideally should report to?

    Conflicts of interestIndependence

  • Establish policies and procedures

    Internal auditing department should collectively possess

    Assignment of staffProfessional proficiency

  • Extends beyond accounting and financial controls

    IIA Standards for scopeScope of work

  • Adequate planning

    Examining and evaluating information

    Communicating results

    Follow upPerformance of audit work

  • Guidance for the director

    Assure:Audit work is performed in accordance with

    The departments resources areManagement of the internal auditing department

  • Operational AuditingAlso called:

    Comprehensive examination of an operating unit or complete organization

    The focus is on:

  • Efficiency


  • Managements needs:

    Assurance of a units performance

    Assurance about its plans

    Objective information/Reporting


    ReassuranceObjectives of Operational Audits

  • General Approach to Operational Audits

  • Broad statement

    Must specify precisely

    Policies and proceduresDefinition of Purpose

  • Comprehensive knowledge

    Study of documentation


    Documentation by the auditorFamiliarization

  • Preliminary conclusions

    Survey serves as a guidePreliminary Survey

  • Tailor-made program based upon

    What does it contain?

    PersonnelProgram Development

  • Executing the program


    DeficienciesField Work

  • On final completion of field work

    Will include

    Exit conferenceReport Findings

  • Operational Audit ReportSimon GreedVice President OperationsBaxter Corporation238 Queen StreetHamilton, Ontario, L9V-5R6Dear Mr. Greed:In September 200X we concluded an operational audit of the data processing operations.Objectives, Scope, and ApproachThe general objectives of this engagement, which were more specifically outlined in our letter dated June 30, 200X, we as follows:To document, analyze, and report on the status of current operations.To identify areas that require attention.To make recommendations for corrective action or improvements.Our operational audit encompassed the centralized data processing facilities and the on-site computer operations of the companys retailing division. Our evaluations included both the financial and operational condition of the units. Financial data consulted in the course of our analyses were not audited or reviewed by us, and, accordingly we do not express an opinion or any other form of assurance on them.

  • The operational audit involved interviews with management personnel and selected operations personnel in each of the units studied. We also evaluated selected documents, files, reports, systems, procedures, and policies as we considered appropriate. After analyzing the data, we developed recommendations for improvements. We then discussed our findings and recommendations with appropriate unit management personnel, and with you, prior to submitting this written report.Findings and RecommendationsAll significant findings are included in this report for your consideration. The recommendations in this report represent, in our judgment, those most likely to bring about improvements to the operations of the organization. The recommendations differ in such aspects as difficulty of implementation, urgency, visibility of benefits, required investment in facilities and equipment or additional personnel.. The varying nature of the recommendations, their implementation costs, and their potential impact on operations should be considered in reaching your decision on courses of action.

    (Specific Findings and Recommendations)

  • To ensure?

    Done by whom?


  • Compliance AuditingLaws and regulations

    Testing and reporting on whether and organization has

  • Federal and provincial assistance usually provided to whom?

    Thus tests of compliance do what?Major impetus

  • To determine if there have been violations of

    To provide a basis for additional reports on compliance

    Two categoriesCompliance audit as part of a Financial Statement auditCompliance with specified authoritiesObjectives of Compliance Auditing

  • Governmental organizations are subject to a variety of laws and regulations

    Receive funds from various sources

    Provided if only certain requirements are metCompliance Audit as Part of a Financial Statement Audit

  • Discussing laws and regulations

    Reviewing relevant grant and loan agreements

    Reviewing minutesAuditors perform a number of procedures

  • Written representations

    Assessment of risk

    Substantive tests of complianceWhen wording of laws subject to interpretation

  • Compliance with laws and regulations

    Organizations internal controlTwo additional reports

  • The report should:Describe the scope of the auditTransactionsAuthoritiesGAAS

    Contain the auditors opinionComplied with specified authoritiesReservationsReporting Compliance with Laws and Regulations

  • AUDITORS REPORTTo the Honourable Minister responsible for ABC Crown Corporation:We have audited the balance sheet of ABC Crown Corporation as at December 31, 200X, and the statements of income, retained earnings, and cash flows for the year then ended and have issued our report thereon dated February 28, 200Y.We conducted our audit in accordance with generally accepted auditing standards. Those standards require that we plan and perform an audit to obtain reasonable assurance whether the financial statements are free of material misstatement. Further, we have examined the transactions that came to our notice in the course of the above-mentioned audit of the financial statements of ABC Crown Corporation for the year ended December 31, 200X, to determine whether they were in accordance with Part XII of the Financial Administration Act, the regulations, the charter and bylaws of the corporation (and any directives given to the corporation pursuant to the act). Our examination of these transactions was made in accordance with generally accepted auditing standards, and accordingly included such tests and other procedures as we considered necessary in the circumstances. In our opinion, these transactions were, in all significant respects, in compliance with the authorities.Carney, Black and Heath, LLPChartered AccountantsToronto, CanadaFebruary 28, 200Y

  • Discovery of violations

    Must consider the effect

    Resulting misstatement, if uncorrectedMay be issued in conjunction with the auditors report on the F/S

  • May be included in the auditors report

    May instead do the following:Illegal acts

  • How do auditors usually communicate problems with internal control?

    Report on internal control differs

    Also includes:Managements responsibility

    Description of scopeReporting on Internal Control

  • REPORT ON INTERNAL CONTROLTo the Members of Council, Inhabitants,and Ratepayers of the Corporation of theCity of Rosebud, OntarioWe have audited the balance sheet of the Corporation of the City of Rosebud, Ontario as at June 30, 200X, and the statements of operations for the year then ended and have issued our report thereon dated August 15, 200X.We conducted our audit in accordance with generally accepted auditing standards. Those standards require that we plan and perform an audit to obtain reasonable assurance whether the financial statements are free of material misstatement. In planning and performing our audit of the financial statements of the Corporation of the City of Rosebud, Ontario, for the year ended June 30, 200X, we considered its internal control in order to determine our auditing procedures for the purposes of expressing our opinion on the financial statements and not to provide assurance on the internal control.The management of the Corporation of the City of Rosebud, Ontario, is responsible for establishing and maintaining internal control. In fulfilling this responsibility, estimates and judgments by management are required to assess the expected benefits and related costs of internal control policies and procedures. The objectives of internal control are to provide management with reasonable, but not absolute, assurance that assets are safeguarded against loss from unauthorized use or disposition, and that transactions are executed in accordance with managements authorization and recorded properly to permit the preparation of financial statements in accordance with generally accepted accounting principles. Because of inherent limitations in any internal control, errors, irregularities, or fraud may

  • nevertheless occur and not be detected. Also, projection of any evaluation of the internal control to future periods is subject to the risk that procedures may become inadequate because of changes in conditions or that the effectiveness of the design and operation of policies and procedures may deteriorate.For the purpose of this report, we have classified the significant internal control policies and procedures in the following categories: revenue/receipts, purchases/disbursements, and payroll.For all of the internal control categories listed above, we obtained an understanding of the design of relevant policies and procedures and whether they they have been placed in operation, and we assessed control risk.We noted certain significant deficiencies in the design or operation of the internal control, that in our judgment, could adversely affect the entitys ability to record, process, summarize, and report financial data consistent with assertions of management in the financial statements.Although temporary loans betweens funds are now being reconciled, they are not reconciled on a timely basis. We suggest that the accounting manager reconcile the funds loans monthly.The computer-prepared revenue, expenditure, and vouchers payable reports are not always reconciled to the general ledger accounts on a timely basis. We recommend that the chief accountant reconcile these reports monthly.A significant deficiency is a condition in which the design or operation of the specific internal control elements does not reduce to a relatively low level the risk that errors, irregularities, or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.

  • We also noted other matters involving the internal control and its operation that we have reported to the management of the Corporation of the City of Rosebud, Ontario, in a separate letter dated August 15, 200X.This report is intended for the information of the audit committee, management, and [specify legislative or regulatory body]. This restriction is not intended to limit the distribution of this report, which is a matter of public record.Carney, Black and Heath, LLPChartered AccountantsToronto, CanadaAugust 15, 200X

  • Authorities refers to

    May examine and report on a portion of the entity

    May be asked to report on:

    Follow GAAS and PS section 5300Compliance Audit with Specified Authorities

  • Concerned with significant effect on specific programs

    Compliance audit as part of F/S audit concerned with

    Must be considered on a program-by-program basisDesigning Compliance procedures for the Programs

  • Assess risk of significant noncompliance

    Then assess control risk

    Perform review of internal control

    Test the internal controls

    Design substantive procedures to test each program for complianceThus for the specific program:

  • Consider the frequency of noncompliance

    A questioned cost

    Evaluation of a questioned costEvaluating the Results of Compliance for Programs

  • The report should:

    Describe the scope:Identify entity or portion.Specify authorities.GAASAuditors opinion:On compliance.Reservations.Reporting on Compliance on Specific Programs

  • AUDITORS REPORTTo the Honourable Minister responsible for Entity Inc.:

    We have made an examination to determine whether Entity Inc. complied with provisions of Part IV of the Government Agencies Act during the year ended March 31, 200X. Our examination was made in accordance with generally accepted auditing standards, and accordingly included such tests and other procedures we considered necessary in the circumstances.In our opinion, Entity Inc. has complied in all significant respects with the provisions of Part IV of the Government Agencies Act during the year ended March 31, 200X.

    Carney, Black and Heath, LLPChartered AccountantsToronto, CanadaMay 12, 200X

  • Auditors report provides?

    Thus auditor must:Obtain an understanding of

    Perform tests of

    No opinion on internal controlReporting on Internal Controls Relevant to the Programs

  • Question 25-15:Explain why the Auditor General of Canada performs comprehensive audits rather than simply performing financial audits of various government departments.

    Question 25-17:What does the term accountability mean in the context of comprehensive auditing?

  • Question 25-18:Why are criteria so important that they are mentioned specifically in Public Sector Accounting Recommendation 5400? What does the term criteria mean in this context? Provide an example of a criterion that might be used by an auditor in auditing the passenger service of Via Rail.

  • Problem 25-24:Lajod Ltd. has an internal audit department consisting of a manager and three staff auditors. The manager of internal audit reports to the corporate controller. Copies of audit reports are routinely sent to the audit committee of the board of directors as well as the corporate controller and the individual responsible for the area or activity being audited.The manager of internal audit is aware that the external auditors have relied on the internal audit function to a substantial degree in the past. However, in recent months, the external auditors have suggested that there may be a problem related to objectivity of the internal audit function. This objectivity problem may result in more extensive testing and analysis by the external auditors.The external auditors are concerned about the amount of nonaudit work performed by the internal audit department. The percentage of nonaudit work performed by the internal auditors in recent years has increased to about 25 percent of their total hours worked. A sample of five recent non audit activities areas follows:

  • One of the internal auditors assisted in the preparation of policy statements on internal control. These statements included such things as policies regarding sensitive payments and standards of internal controls.The bank statements of the corporation are reconciled each month as a regular assignment for one of the internal auditors. The corporate controller believes that this strengthens internal controls because the internal auditor is not involved in the receipt and disbursement of cash.The internal auditors are asked to review the budget data in every area each year for relevance and reasonableness before the budget is approved. In addition, an internal auditor examines the variances each month, along with the associated explanations. These variance analyses are prepared by the corporate controllers staff after consultation with the individuals involved.

  • One of the internal auditors has recently been involved in the design, installation, and initial operation of a new computer system. The auditor was primarily concerned with the deign and implementation of internal accounting controls and the computer application controls for the new system. The auditor also conducted the testing of the controls during the test runs.The internal auditors are frequently asked to make accounting entries for complex transactions before the transactions are recorded. The employees in the accounting department are not adequately trained to handle such transactions. In addition, this serves as a means of maintaining internal control over complex transactions.

    The manager of internal audits has always made an effort to remain independent of the corporate controller's office and believes that the internal auditors are objective and independent in their audit and nonaudit activities.

  • Required:Define objectivity as it relates to the internal audit function.For each of the five situations outlined, explain whether the objectivity of Lajod Ltd.s internal audit department has been materially impaired. Consider each situation independently.The manager of internal audit reports to the corporate controller.Does this reporting relationship result in a problem of objectivity? Explain your answer.Would your answer to any of the five situations in requirement (b) above have changed if the manager of internal audit reported to the audit committee of the board of directors? Explain your answer.