Internal, Operational, and Compliance Auditing

1
Section 6

• Internal, Operational, and Compliance Auditing

2
Introduction

• Focus so far

• Internal auditing, operational auditing, and
  compliance auditing

3
Internal Auditing

• Large corporations
• Institute of Internal Auditors (IIA)

4
Purpose of Internal Auditing

• Internal auditing defined
• An independent appraisal activity established
  within an organization to examine and evaluate
  its activities as a service to the organization
• Objective of internal auditors
• Their work encompasses

5
Evolution of Internal Auditing

• Has evolved to meet the needs of
• Original demand
• Role expanded as a result of

6

• Organizations became larger and more complex

• Foreign Corrupt Practices Act of 1977
• Current scope of internal auditing
• Statement of Responsibilities of Internal Auditing

7
Internal Auditing Scope

• Review reliability and integrity
• Review the systems established to ensure
  compliance
• Review means of safeguarding assets
• Appraising economy and efficiency
• Reviewing operations and programs to ascertain

8
Professional Standards of Internal Auditing

• Cover five areas of auditing within an
  organization
• Independence
• Professional proficiency
• Scope of work
• Performance of audit work
• Management of the internal auditing department

9
Independence

• Employees of the organization
• Reporting to the proper level of management
• Ideally should report to?
• Conflicts of interest

10
Professional proficiency

• Establish policies and procedures
• Internal auditing department should collectively
  possess
• Assignment of staff

11
Scope of work

• Extends beyond accounting and financial controls
• IIA Standards for scope

12
Performance of audit work

• Adequate planning
• Examining and evaluating information
• Communicating results
• Follow up

13
Management of the internal auditing department

• Guidance for the director
• Assure
• Audit work is performed in accordance with
• The departments resources are

14
Operational Auditing

• Also called
• Comprehensive examination of an operating unit or
  complete organization
• The focus is on

15

• Economy

• Efficiency
• Effectiveness

16
Objectives of Operational Audits

• Managements needs
• Assurance of a units performance
• Assurance about its plans
• Objective information/Reporting
• Weaknesses
• Reassurance

17
General Approach to Operational Audits
18
Definition of Purpose

• Broad statement
• Must specify precisely
• Policies and procedures

19
Familiarization

• Comprehensive knowledge
• Study of documentation
• Interviews
• Documentation by the auditor

20
Preliminary Survey

• Preliminary conclusions
• Survey serves as a guide

21
Program Development

• Tailor-made program based upon
• What does it contain?
• Personnel

22
Field Work

• Executing the program
• Analysis
• Deficiencies

23
Report Findings

• On final completion of field work
• Will include
• Exit conference

24

• Operational Audit Report
• Simon Greed
• Vice President Operations
• Baxter Corporation
• 238 Queen Street
• Hamilton, Ontario, L9V-5R6
• Dear Mr. Greed
• In September 200X we concluded an operational
  audit of the data processing operations.
• Objectives, Scope, and Approach
• The general objectives of this engagement, which
  were more specifically outlined in our letter
  dated June 30, 200X, we as follows
• To document, analyze, and report on the status of
  current operations.
• To identify areas that require attention.
• To make recommendations for corrective action or
  improvements.
• Our operational audit encompassed the
  centralized data processing facilities and the
  on-site computer operations of the companys
  retailing division. Our evaluations included both
  the financial and operational condition of the
  units. Financial data consulted in the course of
  our analyses were not audited or reviewed by us,
  and, accordingly we do not express an opinion or
  any other form of assurance on them.

25
The operational audit involved interviews with
management personnel and selected operations
personnel in each of the units studied. We also
evaluated selected documents, files, reports,
systems, procedures, and policies as we
considered appropriate. After analyzing the data,
we developed recommendations for improvements. We
then discussed our findings and recommendations
with appropriate unit management personnel, and
with you, prior to submitting this written
report. Findings and Recommendations All
significant findings are included in this report
for your consideration. The recommendations in
this report represent, in our judgment, those
most likely to bring about improvements to the
operations of the organization. The
recommendations differ in such aspects as
difficulty of implementation, urgency, visibility
of benefits, required investment in facilities
and equipment or additional personnel.. The
varying nature of the recommendations, their
implementation costs, and their potential impact
on operations should be considered in reaching
your decision on courses of action. (Specific
Findings and Recommendations)
26
Follow-up

• To ensure?
• Done by whom?
• Reexaminations

27
Compliance Auditing

• Laws and regulations
• Testing and reporting on whether and organization
  has

28

• Major impetus

• Federal and provincial assistance usually
  provided to whom?
• Thus tests of compliance do what?

29
Objectives of Compliance Auditing

• To determine if there have been violations of
• To provide a basis for additional reports on
  compliance
• Two categories
• Compliance audit as part of a Financial Statement
  audit
• Compliance with specified authorities

30
Compliance Audit as Part of a Financial Statement
Audit

• Governmental organizations are subject to a
  variety of laws and regulations
• Receive funds from various sources
• Provided if only certain requirements are met

31

• Auditors perform a number of procedures

• Discussing laws and regulations
• Reviewing relevant grant and loan agreements
• Reviewing minutes

32

• When wording of laws subject to interpretation

• Written representations
• Assessment of risk
• Substantive tests of compliance

33

• Two additional reports

1. Compliance with laws and regulations
2. Organizations internal control

34
Reporting Compliance with Laws and Regulations

• The report should
• Describe the scope of the audit
• Transactions
• Authorities
• GAAS
• Contain the auditors opinion
• Complied with specified authorities
• Reservations

35
AUDITORS REPORT To the Honourable Minister
responsible for ABC Crown Corporation We have
audited the balance sheet of ABC Crown
Corporation as at December 31, 200X, and the
statements of income, retained earnings, and cash
flows for the year then ended and have issued our
report thereon dated February 28, 200Y. We
conducted our audit in accordance with generally
accepted auditing standards. Those standards
require that we plan and perform an audit to
obtain reasonable assurance whether the financial
statements are free of material misstatement.
Further, we have examined the transactions that
came to our notice in the course of the
above-mentioned audit of the financial statements
of ABC Crown Corporation for the year ended
December 31, 200X, to determine whether they were
in accordance with Part XII of the Financial
Administration Act, the regulations, the charter
and bylaws of the corporation (and any directives
given to the corporation pursuant to the act).
Our examination of these transactions was made in
accordance with generally accepted auditing
standards, and accordingly included such tests
and other procedures as we considered necessary
in the circumstances. In our opinion, these
transactions were, in all significant respects,
in compliance with the authorities. Carney, Black
and Heath, LLP Chartered Accountants Toronto,
Canada February 28, 200Y
36

• May be issued in conjunction with the auditors
  report on the F/S

• Discovery of violations
• Must consider the effect
• Resulting misstatement, if uncorrected

37

• Illegal acts

• May be included in the auditors report
• May instead do the following

38
Reporting on Internal Control

• How do auditors usually communicate problems with
  internal control?
• Report on internal control differs
• Also includes
• Managements responsibility
• Description of scope

39
REPORT ON INTERNAL CONTROL To the Members of
Council, Inhabitants, and Ratepayers of the
Corporation of the City of Rosebud, Ontario We
have audited the balance sheet of the Corporation
of the City of Rosebud, Ontario as at June 30,
200X, and the statements of operations for the
year then ended and have issued our report
thereon dated August 15, 200X. We conducted our
audit in accordance with generally accepted
auditing standards. Those standards require that
we plan and perform an audit to obtain reasonable
assurance whether the financial statements are
free of material misstatement. In planning and
performing our audit of the financial statements
of the Corporation of the City of Rosebud,
Ontario, for the year ended June 30, 200X, we
considered its internal control in order to
determine our auditing procedures for the
purposes of expressing our opinion on the
financial statements and not to provide assurance
on the internal control. The management of the
Corporation of the City of Rosebud, Ontario, is
responsible for establishing and maintaining
internal control. In fulfilling this
responsibility, estimates and judgments by
management are required to assess the expected
benefits and related costs of internal control
policies and procedures. The objectives of
internal control are to provide management with
reasonable, but not absolute, assurance that
assets are safeguarded against loss from
unauthorized use or disposition, and that
transactions are executed in accordance with
managements authorization and recorded properly
to permit the preparation of financial statements
in accordance with generally accepted accounting
principles. Because of inherent limitations in
any internal control, errors, irregularities, or
fraud may
40

• nevertheless occur and not be detected. Also,
  projection of any evaluation of the internal
  control to future periods is subject to the risk
  that procedures may become inadequate because of
  changes in conditions or that the effectiveness
  of the design and operation of policies and
  procedures may deteriorate.
• For the purpose of this report, we have
  classified the significant internal control
  policies and procedures in the following
  categories revenue/receipts, purchases/disburseme
  nts, and payroll.
• For all of the internal control categories listed
  above, we obtained an understanding of the design
  of relevant policies and procedures and whether
  they they have been placed in operation, and we
  assessed control risk.
• We noted certain significant deficiencies in the
  design or operation of the internal control, that
  in our judgment, could adversely affect the
  entitys ability to record, process, summarize,
  and report financial data consistent with
  assertions of management in the financial
  statements.
• Although temporary loans betweens funds are now
  being reconciled, they are not reconciled on a
  timely basis. We suggest that the accounting
  manager reconcile the funds loans monthly.
• The computer-prepared revenue, expenditure, and
  vouchers payable reports are not always
  reconciled to the general ledger accounts on a
  timely basis. We recommend that the chief
  accountant reconcile these reports monthly.
• A significant deficiency is a condition in which
  the design or operation of the specific internal
  control elements does not reduce to a relatively
  low level the risk that errors, irregularities,
  or fraud in amounts that would be material in
  relation to the financial statements being
  audited may occur and not be detected within a
  timely period by employees in the normal course
  of performing their assigned functions.

41
We also noted other matters involving the
internal control and its operation that we have
reported to the management of the Corporation of
the City of Rosebud, Ontario, in a separate
letter dated August 15, 200X. This report is
intended for the information of the audit
committee, management, and specify legislative
or regulatory body. This restriction is not
intended to limit the distribution of this
report, which is a matter of public
record. Carney, Black and Heath, LLP Chartered
Accountants Toronto, Canada August 15, 200X
42
Compliance Audit with Specified Authorities

• Authorities refers to
• May examine and report on a portion of the entity
• May be asked to report on
• Follow GAAS and PS section 5300

43
Designing Compliance procedures for the Programs

• Concerned with significant effect on specific
  programs
• Compliance audit as part of F/S audit concerned
  with
• Must be considered on a program-by-program basis

44

• Thus for the specific program

1. Assess risk of significant noncompliance
2. Then assess control risk
3. Perform review of internal control
4. Test the internal controls
5. Design substantive procedures to test each
   program for compliance

45
Evaluating the Results of Compliance for Programs

• Consider the frequency of noncompliance
• A questioned cost
• Evaluation of a questioned cost

46
Reporting on Compliance on Specific Programs

• The report should
• Describe the scope
• Identify entity or portion.
• Specify authorities.
• GAAS
• Auditors opinion
• On compliance.
• Reservations.

47
AUDITORS REPORT To the Honourable Minister
responsible for Entity Inc. We have made an
examination to determine whether Entity Inc.
complied with provisions of Part IV of the
Government Agencies Act during the year ended
March 31, 200X. Our examination was made in
accordance with generally accepted auditing
standards, and accordingly included such tests
and other procedures we considered necessary in
the circumstances. In our opinion, Entity Inc.
has complied in all significant respects with the
provisions of Part IV of the Government Agencies
Act during the year ended March 31,
200X. Carney, Black and Heath, LLP Chartered
Accountants Toronto, Canada May 12, 200X
48
Reporting on Internal Controls Relevant to the
Programs

• Auditors report provides?
• Thus auditor must
• Obtain an understanding of
• Perform tests of
• No opinion on internal control

49
Question 25-15 Explain why the Auditor General
of Canada performs comprehensive audits rather
than simply performing financial audits of
various government departments. Question
25-17 What does the term accountability mean
in the context of comprehensive auditing?
50
Question 25-18 Why are criteria so important
that they are mentioned specifically in Public
Sector Accounting Recommendation 5400? What does
the term criteria mean in this context? Provide
an example of a criterion that might be used by
an auditor in auditing the passenger service of
Via Rail.
51
Problem 25-24 Lajod Ltd. has an internal audit
department consisting of a manager and three
staff auditors. The manager of internal audit
reports to the corporate controller. Copies of
audit reports are routinely sent to the audit
committee of the board of directors as well as
the corporate controller and the individual
responsible for the area or activity being
audited. The manager of internal audit is aware
that the external auditors have relied on the
internal audit function to a substantial degree
in the past. However, in recent months, the
external auditors have suggested that there may
be a problem related to objectivity of the
internal audit function. This objectivity problem
may result in more extensive testing and analysis
by the external auditors. The external auditors
are concerned about the amount of nonaudit work
performed by the internal audit department. The
percentage of nonaudit work performed by the
internal auditors in recent years has increased
to about 25 percent of their total hours worked.
A sample of five recent non audit activities
areas follows
52

1. One of the internal auditors assisted in the
   preparation of policy statements on internal
   control. These statements included such things as
   policies regarding sensitive payments and
   standards of internal controls.
2. The bank statements of the corporation are
   reconciled each month as a regular assignment for
   one of the internal auditors. The corporate
   controller believes that this strengthens
   internal controls because the internal auditor is
   not involved in the receipt and disbursement of
   cash.
3. The internal auditors are asked to review the
   budget data in every area each year for relevance
   and reasonableness before the budget is approved.
   In addition, an internal auditor examines the
   variances each month, along with the associated
   explanations. These variance analyses are
   prepared by the corporate controllers staff
   after consultation with the individuals involved.

53

1. One of the internal auditors has recently been
   involved in the design, installation, and initial
   operation of a new computer system. The auditor
   was primarily concerned with the deign and
   implementation of internal accounting controls
   and the computer application controls for the new
   system. The auditor also conducted the testing of
   the controls during the test runs.
2. The internal auditors are frequently asked to
   make accounting entries for complex transactions
   before the transactions are recorded. The
   employees in the accounting department are not
   adequately trained to handle such transactions.
   In addition, this serves as a means of
   maintaining internal control over complex
   transactions.

The manager of internal audits has always made an
effort to remain independent of the corporate
controller's office and believes that the
internal auditors are objective and independent
in their audit and nonaudit activities.
54

• Required
• Define objectivity as it relates to the
  internal audit function.
• For each of the five situations outlined, explain
  whether the objectivity of Lajod Ltd.s internal
  audit department has been materially impaired.
  Consider each situation independently.
• The manager of internal audit reports to the
  corporate controller.
• Does this reporting relationship result in a
  problem of objectivity? Explain your answer.
• Would your answer to any of the five situations
  in requirement (b) above have changed if the
  manager of internal audit reported to the audit
  committee of the board of directors? Explain your
  answer.