Auditing in Public and Private Sector


Upload: akinmulewo-ayodele

Post on 22-Oct-2014


TRANSCRIPT

Page 1: Auditing in Public and Private Sector

Module 1

Overview of Public Finance Management

Page 2: Auditing in Public and Private Sector

Public Finance Management (PFM) basically deals with all aspects of resource mobilization and expenditure management in government.

It is an essential part of the governance process. Public Finance Management includes the following:

- Resource mobilization
- Prioritization of programmes
- The budgetary process
- Efficient management of resources and exercising controls

Page 3: Auditing in Public and Private Sector

Financial Management Cycle

- Planning & Programming
- Budgeting
- Budget, Accounting & Control
- Audit & Review

Page 4: Auditing in Public and Private Sector

Generally, public finance management in developing countries is poor as a result of a lack of transparency and accountability, which results in a high level of corruption and wastage of public resources.

Page 5: Auditing in Public and Private Sector

Module 2

GLOBAL BEST PRACTICES IN PUBLIC FINANCIAL MANAGEMENT

Page 6: Auditing in Public and Private Sector

Outline

I. Framework
   a. Expenditure Management Cycle
   b. Three Objectives
   c. Five Principles

II. Good Practices
   a. Basic Institutions
   b. Core processes

III. Budget Execution – Objectives
   a. Core treasury functions
   b. Contingent liabilities
   c. Expenditure Control Approaches
      1. Central versus Delegated Control
      2. General Tensions
   d. Managing Well
   e. FMIS
   f. Essentials of Good Financial Management

Page 7: Auditing in Public and Private Sector

Expenditure Management Cycle

[Diagram: expenditure management cycle within the financial management system boundaries. Labels: planning system; medium term plans, e.g. three year rolling plans; annual budgets (development, recurrent and revenue); fund release procedure, e.g. warranting; accounting for revenue and expenditure; public expenditure review; institutions; reports and financial statements; audit system; project monitoring; project appraisal; resource allocation; liquidity management; expenditure control; monitoring & controlling; post event review; accountability; expenditure review.]

Source: Adapted from Integrated Financial Management. Michael Parry, International Management Consultants Limited. Training Workshop on Government Budgeting in Developing Countries. THE UNITED NATIONS. December 1997.

Page 8: Auditing in Public and Private Sector

Three Objectives of Public Expenditure Management Systems

- Macrofiscal discipline and stability
  - Avoid public finance crises
  - Support economic growth and stability
- Strategic allocation of resources
  - Match government policy with programs, objectives
- Technical efficiency
  - Getting the most from spending

Page 9: Auditing in Public and Private Sector

Basic principles of PEM

- Comprehensiveness: include all revenue and expenditure, all agencies
- Accuracy: record actual transactions and flows
- Annuality: cover a defined period of time (e.g. one year budget, multi-year forecasts)
- Authoritativeness: only spend as authorized by law
- Transparency: information on spending is public, timely, understandable

Page 10: Auditing in Public and Private Sector

What are Good Practices?

- Attaining and Maintaining Good Basic Institutions
  - Basic public finance institutions must work well for good policy and program outcomes
  - Too often countries reach for advanced OECD reforms, neglecting basic institutions
- Dedication to continuous system examination, learning and improvement
  - institutional development is long term

Page 11: Auditing in Public and Private Sector

What are the basic institutions?

[Diagram: basic institutions. Labels: laws; practices; organizations; accounting and record keeping; info. system; control environment; reporting; treasury; budget; cash mgmnt; debt mgmnt; internal audit; multi-year plan; comprehensive; external audit.]

Page 12: Auditing in Public and Private Sector

Core Processes

Ministry of Finance
- Budget Allocations
- Supplemental Budgets
- Virements
- In-year monitoring and correction

Treasury
- Warrants (cash allocations)
- Cash Flow Management (forecasting, planning, sequestration)
- debt management
- financial asset management
- accounting (policy, system management, chart of accounts)
- make payments
- collect revenues
- account management and reconciliation
- Central Bank relations

Spending Ministry / Spending Unit
- internal control
- program management
- spending (commitments)
- recording & reporting
- payment orders
- verification of receipt of goods/services
- program/cash plans
- asset management
- procurement, contracting
- payroll/personnel mngmnt

Financial Management is Everyone’s Responsibility, and Service Delivery is also MoF’s Responsibility

Page 13: Auditing in Public and Private Sector

Objectives of Budget Execution

- Manage Spending and Revenues to budget
- support choices of elected officials
- allow budget to be planning and steering tool
- promote macrofiscal discipline
- Reduce opportunities for corruption
- Enable program implementation (service delivery)
- Assure resources flow to programs
- allow budget to be aid to operational efficiency through spending unit advance planning, efficient administration
- enable program managers to achieve objective

Page 14: Auditing in Public and Private Sector

Core Treasury Functions

- Cash management (flow and stock)
- Financial asset management
- Debt management, servicing; Guarantee and contingent liability management
- Accounting (policy, chart of accounts, general ledger) and reporting
- Revenue collection, forecasting
- Account management (payment, collection, reconciliation)
- Central Bank relations

Page 15: Auditing in Public and Private Sector

Contingent liabilities

- Government acts as a guarantor of debt repayment in the event that the borrower cannot make repayment, or of payment under certain conditions
  - Loan, pension benefit, bank deposit, agricultural price
- Contingent debt must be managed with the same detail as direct debt.
- As with direct debt these contingent debts must be inventoried and monitored in a central location
- Active identification, monitoring, management of risk important

Page 16: Auditing in Public and Private Sector

Expenditure Control Approaches

External (to spending unit), Ex Ante (to commitment):
- Centralized commitment control (transaction approval)
- Allocations (commitment limits)
- Warrants (cash limits)
- Procurement rules
- Personnel/pay rules

External (to spending unit), Ex Post:
- Central internal audit, external audit
- Regular reporting
- Quarterly close-outs

Internal, Ex Ante (to commitment):
- Ministry or spending unit transaction approval
- Procedures to minimize risk (internal controls)

Internal, Ex Post:
- Ministry internal audit
- Performance Management

Page 17: Auditing in Public and Private Sector

Central control versus Managerial Flexibility

Tensions between needs of center to
- Control cash flow
- Control policy

And agency need to manage programs
- Larger, less detailed allocations
- Longer time horizon
- Greater transfer authority/flexible application of resources

Page 18: Auditing in Public and Private Sector

General Tensions

[Chart: financial management authority, from central control to delegation. Rows, each marked + and -: efficiency, economy; agent “accountability” for results; agent incentive for off-budget activity.]

Page 19: Auditing in Public and Private Sector

To manage well requires:

Monitoring/managing
- Cash balances
- Cash flow
  - Inflow, outflow
- Commitments
- Arrears
- Contingent liabilities
- New legislation/mandates
- Off-budget activity

Understanding future impact of current decisions

Page 20: Auditing in Public and Private Sector

Definitions

What is an FMIS?

Financial management system:
- Information system that tracks financial events and summarizes information
- supports adequate management reporting, policy decisions, fiduciary responsibilities, and preparation of auditable financial statements
- Should be designed with good relationships between software, hardware, personnel, procedures, controls and data

Generally, FMIS refers to automating financial operations

Page 21: Auditing in Public and Private Sector

What are core and non-core FMIS systems?

- Core systems: General ledger, accounts payable and receivable. May include financial reporting, fund management and cost management.
- Non-core systems: HR/payroll, budget formulation, revenue (tax & customs), procurement, inventory, property management, performance, management information

Page 22: Auditing in Public and Private Sector

What is “integrated” FMIS?

- Can refer to core and non-core integration
- But, generally, four characteristics*
  - Standard data classification for recording events
  - Common processes for similar transactions
  - Internal controls over data entry, transaction processing, and reporting applied consistently
  - Design that eliminates unnecessary duplication of transaction entry

*from Core Financial System Requirement. JFMIP-SR-02-01. Joint Financial Management Improvement Program. Washington, D.C., November 2001.

Page 23: Auditing in Public and Private Sector

What constitutes a good FMIS system?

Ability to*
- Collect accurate, timely, complete, reliable, consistent information
- Provide adequate management reporting
- Support government-wide and agency policy decisions
- Support budget preparation and execution
- Facilitate financial statement preparation
- Provide information for central agency budgeting, analysis and government-wide reporting
- Provide complete audit trail to facilitate audits

*from Core Financial System Requirement. JFMIP-SR-02-01. Joint Financial Management Improvement Program. Washington, D.C., November 2001.

Page 24: Auditing in Public and Private Sector

Essentials of Good Financial Execution

- Timely, accurate in-year reporting
- Internal controls, audit
- External audit
- Sufficient detail to identify sources of overspending
- Sufficiently regular reporting to allow timely management intervention
- Comprehensive system
- Accountability framework, control environment

Page 25: Auditing in Public and Private Sector

Criteria for Assessing Budget Execution System

Element: Aggregate Fiscal Discipline
Budget execution features:
- Commitment control system limits commitments to available resources, supporting avoidance of arrears during retrenchment.
- Treasury cash management further supports matching of expenditures to revenues.
- Treasury payment system and internal controls support proper payments.
- Accounting system and Financial Management Information System (FMIS) support comprehensive, timely and accurate information on spending and revenues for government and line ministry management.
- Fiscal and banking accounts regularly reconciled.
- Annual accounts closed in timely manner.
- Debt management assures sustainable debt policy, timely issuance of debt for cash flow management and reaching the spending target.
- Internal audit detects and corrects fraud, waste, and abuse; assures integrity of financial information.
- External audit assures fairness and accuracy of financial reporting, effectiveness of internal audit and control systems.

Element: Allocative Efficiency
Budget execution features:
- Commitment and Treasury controls execute the budget as approved.
- Formal, transparent procedures used to amend budget if necessary.
- Frequency of FMIS reporting allows management action to correct deviations from approved budget.

Element: Technical efficiency
Budget execution features:
- Budget execution (commitment and cash controls) limits critical expenditures, but supports flexible resource use at program level (e.g. across non-personnel economic classifications, with respect to seasonal spending patterns) for efficiency (controls are not excessively detailed to prevent management of program).
- FMIS supports program managers.
- Civil service system supports quality public staff, flexibility in reallocating staff resources, restructuring workforce.
- Procurement system supports competitive, efficient, timely contracting.
- Internal audit may identify options for improved economy and efficiency.

Source: Draft Federal Republic of Yugoslavia PEIR, May 2002

Page 26: Auditing in Public and Private Sector

Module 3

Financial Rules And Regulations In Nigeria (2009 Edition)

Page 27: Auditing in Public and Private Sector

Financial Rules and Regulations In Nigeria

Introduction

The Financial Regulations are a body of rules that provide guiding principles, methods and uniformity in the conduct, recording and control of financial transactions, events and position in government.

They are designed to achieve probity and accountability in government. They are made to guide and regulate the actions of executives in order to enable them to make decisions that are rational and non-personal.

Page 28: Auditing in Public and Private Sector

Financial Rules and Regulations In Nigeria, Cont’d.

Other sources of financial rules, regulations and authorities include:

- The Nigerian Constitution, 1999. Highlights key financial requirements like payment of revenues into the Federation Account and Consolidated Revenue Fund (CRF), the authorization of expenditure from the two accounts, the Audit of Public Accounts, the Revenue Allocation etc.
- Audit Ordinance Act, as amended.
- Financial (Control and Management) Act 1958, as amended.
- The annual Appropriation law, the Supplementary Appropriation law and the Allocation of Revenue Act 1981, amended.
- The Minister of Finance / Accountant-General of the Federation’s periodic circulars in accordance with either laws and policies
- Other Financial Circulars from the presidency, SGF and HOS.

Page 29: Auditing in Public and Private Sector

Financial Rules and Regulations In Nigeria, Cont’d.

The Need for FR

Financial Regulations are used to:

(i) Guide the day-to-day financial operations of Government ministries, extra-ministerial depts., agencies, parastatals and other arms of government (the Legislature and Judiciary).

(ii) Ensure an appropriate system of information flow from management to finance and account staff.

(iii) Provide common standard procedures and guides by which Auditors and Treasury inspectors can ascertain that ministries are able to control and maintain up-to-date records of financial transactions.

(iv) Promote fiscal accountability, management accountability and programme results accountability in government financial management and control.

Page 30: Auditing in Public and Private Sector

Financial Rules and Regulations In Nigeria, Cont’d.

Major Highlights

Accountability and Probity
- Both the AGF and the Accounting Officers (PS & CEOs) are enjoined by FR No. 101 to establish sound financial and accounting systems in government to ensure optimal utilization of scarce resources, strict compliance with FR to achieve government objectives.

Revenue Accounting
- All revenues must be paid into government coffers. They must be properly documented.

Rendition of monthly Accounts
- The nature of the Transcript Accounts. The contents and supporting documents required (sample demonstration).

Page 31: Auditing in Public and Private Sector

“Selected Provisions of the 2009 Revised Financial Regulations”

Introduction: The following essential provisions will be highlighted for in-depth discussion.

- Financial Authorities and Responsibilities of Public Officers.
- Revenue – Collection and Accounting.
- Authorities for Expenditure.
- Classification and Control of Expenditure.
- Payment Procedure
- Cash Management.
- Imprest
- Salary Administration
- Internal Audit

Page 32: Auditing in Public and Private Sector

“Selected Provisions of the 2009 Revised Financial Regulations” cont’d

- Board of Survey
- Government Vehicles
- Store Accounting and Custody
- Loss of Government Fund
- Stock Verification
- Public Procurement Contracts
- Offences and Sanction.
- Pension Scheme in the Public service.
- Financial guidelines for the operations of parastatals.

Page 33: Auditing in Public and Private Sector

“Selected Provisions of the 2009 Revised Financial Regulations” cont’d

Discuss in class the relevant provisions directly from the 2009 Revised Edition of Finance Regulation.

FCTA (Treasury Department) © 2010 JK Consulting Co. Ltd.

Page 34: Auditing in Public and Private Sector

Module 4

Financial Authorities and Responsibilities of Government Officials

Page 35: Auditing in Public and Private Sector

Financial Authorities and Responsibilities of Public Officers.

The following government officers have important financial responsibilities to perform as enshrined in the finance regulations.

(i) The Minister of Finance

(ii) The Accountant-General of the Federation

(iii) The Auditor-General for the Federation

(iv) The Accounting Officers (i.e. the Permanent Secretary and Head of Extra-Ministerial Departments and Agencies)

(v) The Treasury Accountants (i.e. the DFAs etc.)

(vi) The Treasury Inspectorate Staff

(vii) The Sub-Accounting Officers

(viii) The Revenue Collectors

(ix) The Imprest Holder

Page 36: Auditing in Public and Private Sector

Financial Authorities and Responsibilities of Public Officers, Cont’d

(1) The Minister of Finance: The functions include:

- Formulates fiscal policies of government.
- Harmonizes fiscal and monetary policies of government.
- Handles the formulation, preparation, execution and monitoring of budget of government.
- Issues financial warrant without which the Accountant-General cannot release funds to the ministries and extra-ministerial departments.
- Receives statutory financial statements of accounts from the Accountant-General of the Federation.
- Debt management of the country.

Page 37: Auditing in Public and Private Sector

Financial Authorities and Responsibilities of Public Officers, Cont’d

(2) The Accountant-General of the Federation: The functions include:

- Head of the accounting services and treasury.
- Serves as the Chief Accounting Officer of receipts and payments of the government of the federation.
- Supervises the accounts of the federal ministries and extra-ministerial departments.
- Collates, presents and publishes statutory financial statements of accounts required by the Federal Minister of Finance.
- Maintains and operates for government the following accounts:
  - the Consolidated Revenue Fund (CRF);
  - Development Fund;
  - Contingency Fund; and
  - other Public Funds.
  (the AGF provides cash-backing for the operations of government.)
- Manages federal government investments through the Ministry of Finance Incorporated (MOFI)
- Maintains and operates the federation account.
- Establishes and supervises the Federal Pay Offices in each state of the federation.

Page 38: Auditing in Public and Private Sector

Financial Authorities and Responsibilities of Public Officers, Cont’d

(3) The Accounting Officers: (Permanent Secretary of the respective ministries and Heads of Extra-ministerial departments) are entrusted with the financial stewardship of safeguarding the public funds. Functions include ensuring that:

- proper budgetary and accounting systems are established in the ministry or agency.
- there is proper internal control, accountability and transparency.
- management tools are put in place to avoid financial waste and fraud.
- all government revenues are collected and paid to CRF.
- monthly and periodical accounting returns and transcripts are rendered to OAGF.
- prudence, safety and proper maintenance of all government monies and assets under his custody.
- accurate and prompt collection of, and accounting for, all public monies received and expended.
- responsibility for answering all audit queries (from Auditor and PAC) pertaining to his/her ministry or office.

Page 39: Auditing in Public and Private Sector

Financial Authorities and Responsibilities of Public Officers, Cont’d

(4) Treasury Accountants (DFAs, etc): The functions include:

- Posted from the OAGF (Treasury) to all ministries.
- They are to enforce compliance with all the provisions of the FR.
- They are to assist the accounting officer to improve the quality of financial management and control in the public sector.

(5) Treasury Inspectorate Staff: They are from the Headquarters of the Office of the Accountant-General of the Federation. They carry out:

- Inspection of the books and records of accounts of ministries etc. to ensure compliance with FR.
- Investigation of reported cases of breach of financial regulation and fraud.
- Recommendation of appropriate disciplinary action against erring officers.

(6) Internal Auditors: The functions include:

- Carry out pre-payment audit of vouchers to ensure they comply with provisions of financial regulations.
- Enforce financial regulations

Page 40: Auditing in Public and Private Sector

Financial Authorities and Responsibilities of Public Officers, Cont’d

(7) The Auditor-General for the Federation: The functions include:

- Responsible for the audit and report on the public accounts of the federation.
- Serves as the external auditor for the Federal Government.
- Examines all accounts relating to public funds and property and ascertains whether, in his opinion:
  - the accounts have been properly kept;
  - all public monies are accounted for and essential records are maintained;
  - monies have been expended for the purpose for which they were appropriated and payment fully authorized.
- Ensures that essential records are maintained and rules and procedures applied are sufficient to safeguard and control government funds and property.
- Has free access to the books, accounts, documents, files and records relating to the accounts of all ministries, agencies and extra-ministerial departments.
- Submits reports to the National Assembly within 90 days of receipt of the AGF's financial statements.

Page 41: Auditing in Public and Private Sector

Financial Authorities and Responsibilities of Public Officers, Cont’d

(8) Sub-Accounting Officers: The officers include:

i. The Sub-Treasurer of the Federation
ii. The Federal Pay Officers
iii. The Police Pay Officer
iv. The Army Pay Officer
v. The Custom Area Pay Officer
vi. The Pension Pay Officer

The functions include:

- Ensures the disbursement of public money
- Reports to the Accountant-General of the Federation.

(9) Revenue Collectors and Imprest Holder:

The Revenue Collector:

- Is an officer, other than a Sub-Accounting Officer, entrusted with an official receipt, license or ticket booklet for the regular collection of some particular form of revenue.

The Imprest Holder:

- Is an officer, other than a Sub-Accounting Officer, entrusted with the disbursement of public money for which vouchers cannot be presented immediately to a Sub-Accounting Officer for payment.
- Keeps a petty cashbook.

Page 42: Auditing in Public and Private Sector

Module 5

THE ROLE OF AUDITING IN PUBLIC AND PRIVATE SECTOR GOVERNANCE

Page 43: Auditing in Public and Private Sector

Module 6

MODERN INTERNAL AUDITING

Page 44: Auditing in Public and Private Sector

Modern Internal Audit Practice

Introduction

Originally, internal auditing was an attestation to the accuracy of financial matters only;

In modern times, it adds services like examination and appraisal of controls, performance, risk and governance to the original role;

The modern internal auditor is no longer a client’s enemy, but pursues a cooperative, friendly and productive working relationship with clients.

Page 45: Auditing in Public and Private Sector

Definition, Scope and Purpose of Modern Internal Auditing

Internal auditing is a systematic, objective appraisal by internal auditors of the diverse operations and controls within an organization to determine whether:

- Financial and operating information is accurate and reliable;

- Risks to the enterprise (or organization) are identified and minimized;

- External regulations and acceptable internal policies and procedures are followed;

- Satisfactory operating criteria are met;

- Resources are used efficiently and economically; and

- The organization’s objectives are achieved.

All for the purpose of consulting with management and for assisting members of the organization in the effective discharge of their governance responsibilities.

Sources: IIA’s Internal Auditing Standard Board (1999)

Page 46: Auditing in Public and Private Sector

Types of Modern Internal Auditing Practice

Internal audit can be divided based on the audit techniques or objectives, as follows:

- System-based audit

- Performance audit or operational audit (otherwise called “value-for-money audit”)

- Financial or accounting audit

- Compliance audit

Page 47: Auditing in Public and Private Sector

Internal Audit in Government

As part of content, internal audit units are mandatorily established in government services.

Paragraph 2001 of the FR (Financial Regulations) provides that the accounting officer of a ministry or extra-ministerial department shall ensure that an internal audit is established to provide a complete and continuous audit of the accounts and records of revenue and expenditure, plants, allocated stores and unallocated stores where applicable.

Internal audit units exist in:

- All self-accounting ministries, agencies, offices and parastatals of government (MDAs).
- All federal pay offices in the states of the federation.
- Police Pay Offices.
- The Army Pay Offices.
- The legislative arm (the parliament)
- The judiciary

Page 48: Auditing in Public and Private Sector

Internal Auditor Vs External Auditor: Similarities and overlaps

(a) Internal auditor: Is an organization's employee, or can be an independent entity.
    External auditor: Is an independent contractor.

(b) Internal auditor: Serves the need of the organization, though functions must be managed by the organization.
    External auditor: Serves third parties who need reliable information.

(c) Internal auditor: Focuses on future events by evaluating controls designed to assure the accomplishment of entity goals and objectives.
    External auditor: Focuses on the accuracy and understanding of historical events as expressed in the financial statement.

(d) Internal auditor: Is directly concerned with prevention of fraud.
    External auditor: Is incidentally concerned with prevention and detection of fraud but directly concerned when the financial statements may be materially affected.

(e) Internal auditor: Is independent of the activities audited, but ready to respond to all elements of management.
    External auditor: Is independent of management and board of directors.

(f) Internal auditor: Reviews activities continually.
    External auditor: Reviews records supporting financial statements periodically.

Page 49: Auditing in Public and Private Sector

Internal Audit and Management

Page 50: Auditing in Public and Private Sector

Internal Audit and Management

Internal auditors must have open communication ties with top management to enable them to assist and support the management.

Internal auditors must keep the management aware of their concerns and duties, and discuss any misunderstandings or faulty expectations that management may have as to auditors' duties and responsibilities.

The relationship with management is interactive and they are the control specialists.

Page 51: Auditing in Public and Private Sector

Roles of Internal Audit in an Organization.

It supports effective and efficient discharge of the guiding and monitoring duties of the organization’s management by producing assurance services for its internal customers relating to governance, control and risk management processes.

Internal audit brings added value and promotes achievement of the set goals by giving improvement recommendations.

It is a management control tool which, through its operations, assists the entire organization by examining and evaluating the adequacy and efficiency of internal control and the quality of operations.

Page 52: Auditing in Public and Private Sector

Roles of Internal Audit in an Organization, cont’d

The internal audit verifies that the internal control system functions efficiently, economically and effectively in the following areas:

- Setting and achievement of objectives and results.
- Risk analysis and management.
- Quality and continuous improvement of operations.
- Organizational functions.
- Economical use of resources.
- Safeguarding of assets.
- Compliance with laws, regulations by the supervisory authorities.

Page 53: Auditing in Public and Private Sector

Human Aspect of Internal Auditing

- Principles of Management

Management deals with establishing objectives and seeing that they are met through the work of others. It is an art and a science that includes creativity and intuition as well as an understanding of formal theories, laws, principles and methodologies.

While financial auditing requires an understanding of management principles, internal auditing requires a more in-depth understanding of these management principles.

- Dealing with people

Auditors usually deal with figures, sometimes with management processes. Management-oriented internal auditors deal extensively with people.

- Employee and Management Fraud

Wrongdoing by deceit goes by many names. It has been called fraud, white collar crime, and embezzlement, among other things.

Fraud can therefore be described as a false representation or concealment of a material fact to induce someone to part with something of value. There are two types of fraud: (i) Employee fraud – fraud against company/office; (ii) Management fraud.

Page 54: Auditing in Public and Private Sector

INTERNAL CONTROL, AUDIT AND FRAUD PREVENTION

Module 7

Page 55: Auditing in Public and Private Sector

The importance of internal control

• In the UK, guidance on internal control is known as the Turnbull report:

• A company’s system of internal control is important for managing risks to the achievement of the company’s business objectives

• Internal control can achieve 3 things:

– Efficiency & effectiveness of operation

– Ensure the reliability of the company’s financial reporting to shareholders

– Ensure compliance with laws and other regulations

Page 56: Auditing in Public and Private Sector

The importance of internal control (Cont’d)

• Effective financial controls are important

– Ensure proper accounting records are maintained

• A company’s strategic objectives and conditions in its business environment are continually changing (strong system of internal control depends on ability of the company to identify the changing risks in its business environment)

Page 57: Auditing in Public and Private Sector

Internal Audit

• A systematic examination of the activities and status of an entity, based primarily on investigation and analysis of its systems, controls and records (CIMA)

Page 58: Auditing in Public and Private Sector

Types of audit

• Performance audit
• Best value audit (VFM audit)
• Compliance audit
• Post-completion audit
• Transactions audit
• Environmental audit
• Systems-based audit
• Management audit
• Risk-based audit
• Financial audit

Page 59: Auditing in Public and Private Sector

Internal audit

• An independent appraisal function established within an organisation to examine its activities… The objective… is to assist members of the organisation in the effective discharge of their responsibilities (CIMA)

Page 60: Auditing in Public and Private Sector

Scope of internal audit

• Effectiveness of control systems
• Integrity of processes and systems
• Compliance with policies and regulation
• Ensuring improvements are implemented
• Asset acquisition and security
• Corporate governance
• Information integrity

Page 61: Auditing in Public and Private Sector

Head of internal audit

• Should propose and implement audit plan

• Should be independent of the Chief Financial Officer

• Should report to Audit Committee

Page 62: Auditing in Public and Private Sector

Systems-based audit

• Identify system objectives
• Identify procedures
• Identify risk to achievement of objectives
• Identify ways to manage the risk
• Decide whether controls are adequate
• Test to see whether controls are effective
• Report findings
• Monitor implementation of recommendations

Page 63: Auditing in Public and Private Sector

Risk-based internal audit

• Provides assurance that:

– Risk management processes are operating as intended

– Risk management processes are of sound design

– Responses to risks are adequate

– Control framework is appropriate

Page 64: Auditing in Public and Private Sector

Risk maturity of the organisation

• Risk naive

• Risk aware

• Risk defined (Specific)

• Risk managed

• Risk enabled (allow)

Page 65: Auditing in Public and Private Sector

Audit plan

• Terms of reference

• System definition

• Risks

• Scope of work

• Milestones and resources

• Reporting and review

• Audit programme and techniques

• Staff allocated

Page 66: Auditing in Public and Private Sector

Analytic review

• Ratio analysis

• Benchmarking

• Flowcharting

• Testing

• Reconciliation

• Surveys/questionnaires

• Narratives

• Inspection

• Corroboration

Page 67: Auditing in Public and Private Sector

Internal control

• The whole system of internal controls, financial and otherwise, established in order to provide reasonable assurance of:

– Effective and efficient operation

– Internal financial control

– Compliance with laws and regulations

(CIMA)

Page 68: Auditing in Public and Private Sector

COSO model of internal control (Committee of Sponsoring Organisations, 1992)

• Control environment

• Risk assessment

• Control activities

• Monitoring

• Information and communication

Page 69: Auditing in Public and Private Sector

COSO

• Control environment

The control environment can be thought of as management’s attitude, actions and awareness of the need for internal controls.

If senior management do not care about internal controls and feel that it is not worthwhile introducing internal controls then the control system will be weak.

Management can try to summarise their commitment to controls in a number of ways:

Page 70: Auditing in Public and Private Sector

Risk assessment (COSO)

• Controllable risks – for these risks internal control procedures can be established

• Uncontrollable risks – for these risks the company may be able to minimise the risk in other ways outside the internal control environment (i.e. risks caused by the external environment, such as inflation)

Page 71: Auditing in Public and Private Sector

Control activities (COSO)

S P A M S O A P

• Segregation of duties

• Physical controls

• Authorisation and approval

• Management

• Supervision

• Organisation structure

• Arithmetic and accounting controls

• Personnel

Page 72: Auditing in Public and Private Sector

Classification of controls

• Financial controls

• Non-financial quantitative controls

• Non-financial qualitative controls

Page 73: Auditing in Public and Private Sector

Cash controls

• Payments

• Banking

• Bank accounts

• Transfers

• Authorisation

• Cash forecasting

• Signatories

Page 74: Auditing in Public and Private Sector

Debtor controls

• Invoice recording

• Receipt recording

• Bad and doubtful debts

• Credit checking

• Collection activity

• Credit notes

• Disputed amounts

• Verification of balances

Page 75: Auditing in Public and Private Sector

Inventory controls

• Physical count

• Storage and security

• Valuation

• Surplus and obsolete stock

• Receipts and issues procedures

• Stock in transit

Page 76: Auditing in Public and Private Sector

Investments and intangibles controls

• Acquisition and disposal

• Evidence of ownership

• Periodic review

• Accounting for income

• Valuation

• Amortisation

Page 77: Auditing in Public and Private Sector

Fixed asset controls

• Security

• Recording

• Depreciation

• Checking

• Acquisition and disposal

• Obsolescence

Page 78: Auditing in Public and Private Sector

Creditors

• Authorisation

• Invoice recording

• Payment authorisation

• Receipt of goods

• Reconciliations

• Invoice checking

• Investigation of disputed amounts

• Documentation

Page 79: Auditing in Public and Private Sector

Loans

• Recording

• Interest

• Authorisation

• Loan provisions

Page 80: Auditing in Public and Private Sector

Income and expenses

• Sales documentation

• Matching

• Cost recording

• Authorisation

Page 81: Auditing in Public and Private Sector

Payroll controls

• Recruitment

• Termination of employment

• New employee authorisation

• No ‘ghosts’

• Rates of pay

• Payroll reconciliation

• Time recording

• Deductions

• Leave, sickness and absenteeism

• Benefits

Page 82: Auditing in Public and Private Sector

What is fraud?

• Dishonestly obtaining an advantage, avoiding an obligation or causing a loss to another party, including crimes against:

– Customers/clients

– Employers

– Employees

– Financial institutions

– Government

– Major organisations

Page 83: Auditing in Public and Private Sector

Fraud prevention

• Dishonesty:

– Pre-employment checks

– Supervision

– Discipline

– Leadership

• Opportunity:

– Separation of duties

– Input controls

– Processing controls

– Output controls

– Physical security

• Motive:

– Employment conditions

– Dismissals

– Complaints procedure

Page 84: Auditing in Public and Private Sector

Warning signs

• Culture

• Poor internal controls

• Poor accounting management

• History of legal violations

• Strained relationship with auditors

• Lack of supervision

• Inadequate recruitment process

• Redundancies

• Dissatisfied employees

• Unusual staff behaviour

• Personal financial pressures

• Discrepancy between earnings and lifestyle

• Low salaries

• Unsocial hours

• Not taking leave

• Lack of job segregation

• Lack of asset identification

• Poor management reporting

• Alteration of documents

• Photocopies of documents

• Missing authorisations

• Poor physical security

• Poor IT access controls, etc.

Page 85: Auditing in Public and Private Sector

Fraud risk management strategy

• Fraud prevention

• Fraud identification

• Fraud response

Page 86: Auditing in Public and Private Sector

Prevention

• Anti-fraud culture

• Risk awareness

• Whistle blowing

• Sound internal controls

Page 87: Auditing in Public and Private Sector

Identification

• Perform regular checks

• Look for warning signals

• Whistleblowers

Page 88: Auditing in Public and Private Sector

Response (i)

• Disciplinary action

• Civil litigation

• Criminal prosecution

Page 89: Auditing in Public and Private Sector

Response (ii)

• Allocate responsibility to:

– Managers

– Finance director

– Personnel

– Audit committee

– Internal auditors

– External auditors

– Legal advisors

– Public relations department

– Police

– Insurers

Page 90: Auditing in Public and Private Sector

Computer fraud

• Control and testing of program changes

• Physical IT security

• Password controls

• Output controls

Page 91: Auditing in Public and Private Sector

Management fraud

• Distortion of results

• Capitalisation of expenses

• Under-provision

• Over-valuation of inventory

Page 92: Auditing in Public and Private Sector

CODE OF ETHICS FOR AUDITORS

Module 8

Page 93: Auditing in Public and Private Sector

Code of Ethics for Auditors

These are underlying principles and rules of conduct that are desirable of auditors. They are to guide the ethical conduct of auditors.

Principles

Auditors are expected to apply & uphold certain fundamental principles.

- Integrity: which establishes trust and provides the basis for reliance on their judgment.

- Objectivity.

- Confidentiality.

- Competency: must apply the knowledge, skills & experience needed.

Page 94: Auditing in Public and Private Sector

Code of Ethics for Auditors, Cont’d

Rules of Conduct

1. Integrity

Auditors:

(i) Shall perform their work with honesty and responsibility.

(ii) Shall observe the laws, rules and regulations expected of them.

(iii) Shall not knowingly be party to any illegal activity.

2. Objectivity

Auditors:

(i) Shall not participate in any activity or relationship that may impair their unbiased assessment.

(ii) Shall not accept anything that may impair or be presumed to impair their professional judgment.

(iii) Shall disclose all material facts known to them that, if not disclosed, may distort their reporting of operations under review.

Page 95: Auditing in Public and Private Sector

Code of Ethics for Auditors, Cont’d

Rules of Conduct, Cont’d

3. Confidentiality

Auditors:

(i) Shall be prudent in the use of information acquired in the course of their duties.

(ii) Shall not use information for any personal gain or in a manner detrimental to the interest or welfare of the organization.

4. Competency

Auditors:

(i) Shall engage only in those services for which they have the necessary knowledge, skills and experience.

(ii) Shall continually improve the proficiency, effectiveness and quality of their service.

(iii) Shall perform services in accordance with the standards of PPA (professional practice of auditing).

Page 96: Auditing in Public and Private Sector

COMPUTER ASSISTED AUDITING

Module 9

Page 97: Auditing in Public and Private Sector

PERFORMING AN IS AUDIT

What is auditing?

Auditing can be defined as a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.

Page 98: Auditing in Public and Private Sector

Classification of audits

• Financial audits

– The objective of this type of audit is to establish the integrity and reliability of the entity’s financial statements

– Will generally involve detailed substantive testing of transactions and balances

• Operational audits

– Designed to evaluate the internal control structure

– Examples include: audit of applications control or logical security systems

Page 99: Auditing in Public and Private Sector

Classification of audits

• Integrated audits: combination of both financial and operations audit with the objectives of:

– Safeguarding the assets of the company

– Efficiency and compliance of internal/applications controls

• Administrative audits

– This relates to operational efficiency and productivity within the organization

Page 100: Auditing in Public and Private Sector

Classification of audits

• Information systems audits – establish, within the information systems suite:

– Measures to safeguard the assets of the entity

– Maintaining data and system integrity

– Efficient utilization of information resources

• Specialized audits – commissioned and geared towards evaluating internal controls within and around certain specialized circumstances, e.g.:

– Outsourcing or

– Other third-party situations

Page 101: Auditing in Public and Private Sector

Classification of audits

• A forensic audit usually establishes evidence of irregularities or fraud for application by law enforcement agencies and the judiciary.

• It covers areas in:

– Corporate fraud investigation

– Cyber crimes – investigation may cover computer hard disks, switches, routers, hubs and other electronic devices

• Audit programs for the above listed systems audits are based on the objective and scope of the particular assignment.

Page 102: Auditing in Public and Private Sector

Classification of audits

General audit procedures are the basic steps in the performance of an audit and usually include:

• Obtaining and recording an understanding of the audit area/subject

• Risk assessment and general audit plan and schedule

• Detailed audit planning

• Preliminary review of audit area/subject

• Evaluating audit area/subject

• Compliance testing (often referred to as tests of controls)

• Substantive testing

• Reporting (communicating results)

• Follow-up

Page 103: Auditing in Public and Private Sector

Procedures for testing and evaluating systems controls

The auditor must understand the procedures for testing and evaluating IS controls, which may include the following:

• The use of generalized audit software to survey the contents of data files (including systems logs)

• The use of specialized software to assess the contents of operating system parameter files (or detect deficiencies in system parameter settings)

• Flow-charting techniques for documenting automated applications and business processes

• The use of audit reports available in operating systems

• Documentation review

• Observation

Page 104: Auditing in Public and Private Sector

Controls Classifications

• Corrective controls minimize the impact of a threat.

– Remedy problems discovered by detective controls

– Identify the cause of a problem

– Correct errors arising from a problem

– Modify the processing system(s) to minimize future occurrences of the problem

– Contingency planning

– Backup procedures

– Rerun procedures

Page 105: Auditing in Public and Private Sector

Audit Phases

• Audit phase – Identify the area to be audited.

• Audit Objective – Identify the purpose of the audit. For example, an objective might be to determine that program source code changes occur in a well-defined and controlled environment.

• Audit Scope – Identify the specific systems, function or unit of the organization to be included in the review. For example, in the previous program changes example, the scope statement might limit the review to a single application system or to a limited period of time.

• Pre-audit Planning

– Identify technical skills and resources needed.

– Identify the sources of information for test or review such as functional flowcharts, policies, standards, procedures and prior audit work papers.

– Identify locations or facilities to be audited.

• Audit procedures and steps for data gathering

– Identify and select the audit approach to verify and test the controls.

– Identify a list of individuals to interview.

– Identify and obtain departmental policies, standards and guidelines for review.

– Develop audit tools and methodology to test and verify control.

Page 106: Auditing in Public and Private Sector

Audit Phases contd.

• Procedures for evaluating the test or review results – Organization specific

• Procedures for communicating with management – Organization specific

• Audit report preparation

– Identify follow-up review procedures.

– Identify procedures to evaluate/test operational efficiency and effectiveness.

– Identify procedures to test controls.

– Review and evaluate the soundness of documents, policies and procedures.

Page 107: Auditing in Public and Private Sector

AUDIT METHODOLOGY

• A product of the audit process is an audit program that becomes a guide for documenting the various audit steps performed and the extent and types of evidential matter reviewed.

• It provides a trail of the process used to perform the audit as well as accountability of performance.

Page 108: Auditing in Public and Private Sector

AUDIT METHODOLOGY

• Although an audit program does not necessarily follow a specific set of steps, the IS auditor typically would follow sequential program steps to gain an understanding of the entity under audit, evaluate the control structure and test the controls.

Page 109: Auditing in Public and Private Sector

Audit objectives

• An audit objective refers to the specific goals of an audit. An audit may have several audit objectives.

• They often center on substantiating that internal controls exist to minimize business risks.

• They include assuring compliance with legal and regulatory requirements as well as the confidentiality, integrity, reliability and availability of information resources.

Page 110: Auditing in Public and Private Sector

Audit objectives

• In planning an IS audit, a key element is to translate basic audit objectives into specific IS audit objectives.

• One of the basic purposes of any IS audit is to identify control objectives and the related controls that address the objective.

• An auditor may alternatively assist in assessing the integrity of financial reporting data, which is referred to as substantive testing, through computer-assisted audit techniques (CAATs).

Page 111: Auditing in Public and Private Sector

Compliance vs. Substantive Testing

• Compliance testing is a procedure by which the IS auditor gathers evidence for the purpose of testing an organization's compliance with control procedures.

• Substantive testing is gathering evidence for evaluating the integrity of individual transactions, data or other information.

• A compliance test determines if controls are being applied in a manner that complies with management policies and procedures.

• It can be used to test the existence and effectiveness of a defined process, which may include a trail of documentary and/or automated evidence.

Page 112: Auditing in Public and Private Sector

Compliance vs. Substantive Testing

• A substantive test substantiates the integrity of actual processing.

• It provides evidence of the validity and integrity of the balances in the financial statements and the transactions that support these balances.

• Substantive tests can be used to test for monetary errors directly affecting financial statement balances.
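The two kinds of test described above, run over the same payment batch, as an added example that is not part of the original slides. The data is constructed, and the field names, approval limit and signatory list are assumptions.

```python
"""Compliance test and substantive test over one constructed payment batch."""
import csv
import io
from decimal import Decimal

# Constructed data; field names, limit and signatory list are assumptions.
PAYMENTS = """voucher,amount,prepared_by,approved_by
PV-101,48000.00,tunde,grace
PV-102,250000.00,tunde,tunde
PV-103,730000.00,amaka,
PV-104,15500.75,amaka,grace
PV-105,120000.00,tunde,kemi
"""
LEDGER_CONTROL_TOTAL = Decimal("1163000.75")  # balance posted to the ledger
APPROVAL_LIMIT = Decimal("100000")            # payments above this need approval
SIGNATORIES = {"grace", "bola"}               # authorised approvers


def load_payments(text):
    """Parse the batch and convert amounts to exact decimals."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["amount"] = Decimal(row["amount"])
    return rows


def compliance_test(rows):
    """Test of controls: were authorisation and segregation of duties applied?"""
    deviations = []
    for r in rows:
        approver = r["approved_by"]
        if r["amount"] > APPROVAL_LIMIT and not approver:
            deviations.append((r["voucher"], "missing authorisation"))
        elif approver and approver == r["prepared_by"]:
            deviations.append((r["voucher"], "preparer approved own voucher"))
        elif approver and approver not in SIGNATORIES:
            deviations.append((r["voucher"], "approver not a signatory"))
    return deviations


def substantive_test(rows, control_total=LEDGER_CONTROL_TOTAL):
    """Substantive test: re-add the transactions and compare with the ledger."""
    recomputed = sum((r["amount"] for r in rows), Decimal("0"))
    return recomputed, recomputed - control_total


if __name__ == "__main__":
    batch = load_payments(PAYMENTS)
    for voucher, reason in compliance_test(batch):
        print(f"control deviation  {voucher}: {reason}")
    total, difference = substantive_test(batch)
    print(f"recomputed total {total}, difference from ledger {difference}")
```

The compliance test reports how the controls were applied to each voucher; the substantive test reports a monetary difference between the transactions and the ledger balance, which the control deviations alone would not quantify.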

Page 113: Auditing in Public and Private Sector

Understand the Control Environment and Flow of Transactions

• Review the system to identify controls.

• Test compliance to determine whether controls are functioning.

• Evaluate the controls to determine the basis for reliance and the nature, scope and timing of substantive tests.

• Use two types of substantive tests to evaluate the validity of the data:

– Test balances and transactions

– Analytical review procedures

Page 114: Auditing in Public and Private Sector

Evidence

• Evidence is any information used by the IS auditor to determine whether the entity or data being audited follows the established audit criteria or objectives.

• It is a requirement that the auditor’s conclusion must be based on sufficient, relevant and competent evidence.

• It may include the IS auditor’s observations, notes taken from interviews, material extracted from correspondence and internal documentation, or the results of audit test procedures.

Page 115: Auditing in Public and Private Sector

Evidence

Determinants for evaluating the reliability of audit evidence include:

• Independence of the provider of the evidence.

• Qualifications of the individual providing the information/evidence.

• Objectivity of the evidence – objective evidence is more reliable than evidence that requires judgment or interpretation. E.g. a cash count.

• Timing of the evidence – e.g. evidence through EDI, DIP (document image processing), may not be retrievable after a specified period of time if changes to the files are not controlled or the files are not backed up.

Both the quality and quantity of the evidence must be assessed by the IS auditor.

Page 116: Auditing in Public and Private Sector

Techniques for gathering evidence

• Reviewing information systems organization structures

• Reviewing IS policies, procedures and standards

– Systems development initiating documents (e.g., feasibility study)

– Functional requirements and design specifications

– Test plans and reports

– Program and operations documents

– Program change logs and histories

Page 117: Auditing in Public and Private Sector

Techniques for gathering evidence

– User manuals

– Operations manuals

– Security-related documents (e.g., security plans, risk assessments)

– Quality assurance reports

• Interviewing appropriate personnel

• Observing processes and employee performance

Page 118: Auditing in Public and Private Sector

Computer-assisted audit techniques (CAATs)

• CAATs are tools used in gathering information from the processing environments.

• They enable the IS auditor to gather information independently when performing audits.

• They provide a means to gain access and analyze data for a predetermined audit objective and to report the audit findings with emphasis on the reliability of the records produced and maintained in the system.

• The reliability of the source of the information used provides reassurance on findings generated.

• They include:

– Generalized audit software

– Utility software

– Test data, etc.

Page 119: Auditing in Public and Private Sector

CAATs (contd)

• Generalized audit software (GAS) refers to standard software that has the capacity to directly read and access data from various database platforms, flat-file systems and ASCII formats.

• It supports the following functions:

– File access – reading of different record formats and file structures

– File reorganization – indexing, sorting, merging and linking with another file

– Data selection – global filtration conditions and selection criteria

– Statistical functions – sampling, stratification and frequency analysis

– Arithmetical functions – arithmetic operators and functions
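The GAS functions listed above, applied to the payroll controls named earlier (no ‘ghosts’, termination of employment), as an added example that is not part of the original slides. It uses only the Python standard library in place of a GAS product; the two flat files are constructed and their layouts and field names are assumptions.

```python
"""GAS-style payroll tests on constructed flat files (standard library only)."""
import csv
import io
import random
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed extracts; file layouts and field names are assumptions.
HR_MASTER = """emp_id,name,status,end_date
E001,A. Bello,active,
E002,C. Okoro,active,
E003,D. Musa,terminated,2014-03-31
E004,F. Ade,active,
"""
PAYROLL = """pay_date,emp_id,bank_account,net_pay
2014-04-25,E001,0011223344,185000.00
2014-04-25,E002,0055667788,92000.50
2014-04-25,E003,0099001122,140000.00
2014-04-25,E004,0055667788,61000.00
2014-04-25,E009,0077889900,250000.00
"""


def read_records(text):
    """File access: parse a delimited flat file into a list of records."""
    return list(csv.DictReader(io.StringIO(text)))


def link_payroll_to_hr(payroll, hr):
    """File linking and data selection: payments with no valid employee."""
    master = {row["emp_id"]: row for row in hr}
    exceptions = []
    for p in payroll:
        emp = master.get(p["emp_id"])
        if emp is None:
            exceptions.append((p["emp_id"], "not in HR master"))
        elif emp["end_date"] and (date.fromisoformat(p["pay_date"])
                                  > date.fromisoformat(emp["end_date"])):
            exceptions.append((p["emp_id"], "paid after termination"))
    return exceptions


def shared_bank_accounts(payroll):
    """Frequency analysis: accounts receiving pay for more than one employee."""
    by_account = defaultdict(set)
    for p in payroll:
        by_account[p["bank_account"]].add(p["emp_id"])
    return {a: sorted(ids) for a, ids in by_account.items() if len(ids) > 1}


def stratify(payroll, bounds=(100000, 200000)):
    """Stratification: record count and net-pay total per value band."""
    strata = defaultdict(lambda: [0, Decimal("0")])
    for p in payroll:
        amount = Decimal(p["net_pay"])
        band = sum(amount >= b for b in bounds)  # 0 is the lowest band
        strata[band][0] += 1
        strata[band][1] += amount
    return {band: tuple(v) for band, v in sorted(strata.items())}


def draw_sample(payroll, n, seed):
    """Sampling: seeded selection so the test can be re-performed."""
    return random.Random(seed).sample(payroll, n)


if __name__ == "__main__":
    hr, payroll = read_records(HR_MASTER), read_records(PAYROLL)
    print("Linking exceptions:", link_payroll_to_hr(payroll, hr))
    print("Shared accounts:", shared_bank_accounts(payroll))
    print("Strata:", stratify(payroll))
    print("Sample:", [p["emp_id"] for p in draw_sample(payroll, 2, seed=2014)])
```

Recording the seed in the working papers lets a reviewer re-draw the same sample from the same extract.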

Page 120: Auditing in Public and Private Sector

CAATs (contd)

• Utility software – the subset of software, such as database management system’s report generators, that provides evidence to the auditors about system control effectiveness.

• Test data – involves the auditors using a sample set of data to assess whether logic errors exist in a program and whether the program meets its objectives.

• Audit-expert system – will give direction and valuable information to all levels of auditors while carrying out the audit because the query-based system is built on the knowledge base of the senior auditors or managers.

Page 121: Auditing in Public and Private Sector

Tools and techniques for audit procedures

The foregoing can be used in performing various audit procedures:

• Test of details of transactions and balances

• Analytical review procedures

• Compliance tests of IS general controls

• Compliance tests of IS application controls

• Penetration and OS vulnerability assessment testing

The auditor should have a thorough understanding of CAATs and know where and when to apply them.

Page 122: Auditing in Public and Private Sector

CAATs Summary

CAATs offer the following advantages:

• Improved audit efficiency

• Reduced level of audit risk

• Greater independence from the auditee

• Broader and more consistent audit coverage

• Faster availability of information

• Greater flexibility of run times

• Improved exception identification

• Greater opportunity to quantify internal control weaknesses

• Enhanced sampling

• Cost savings over time

Page 123: Auditing in Public and Private Sector

CAATs summary

Issues to consider before developing CAATs are:

• Ease of use, both for existing audit staff and future staff

• Training requirements

• Complexity of coding and maintenance

• Flexibility of uses

• Installation requirements

• Processing efficiencies (esp. with a PC CAAT)

• Effort required to bring the source data into the CAATs for analysis

Page 124: Auditing in Public and Private Sector

Examples of documentation to be retained when developing CAATs

• Online reports detailing high-risk issues for review

• Commented program listing

• Flowcharts

• Sample reports

• Record and file layouts

• Field definitions

• Operating instructions

• Description of applicable source documents

Page 125: Auditing in Public and Private Sector

EVALUATION OF AUDIT STRENGTHS AND WEAKNESSES

• After developing an audit program and gathering audit evidence, the next step is an evaluation of the information gathered in order to develop an audit opinion.

• The IS auditor has to consider a series of strengths and weaknesses and then develop audit opinions and recommendations.

• The IS auditor is required to make judgments that are often gained from experience, rather than from reference materials.

Page 126: Auditing in Public and Private Sector

EVALUATION OF AUDIT STRENGTHS AND WEAKNESSES

• ISACA’s standard for IS auditing 030.020, Professional Care, is particularly important to the IS auditor in evaluating audit strengths and weaknesses.

• The IS auditor should assess the results of the evidence gathered for compliance with the control requirements or objectives established during the planning stage of the audit.

• Considerable judgment is required as controls are often unclear. In essence, controls should be in place to remove or minimize every perceived risk or threat to the entity being audited.

Page 127: Auditing in Public and Private Sector

EVALUATION OF AUDIT STRENGTHS AND WEAKNESSES

• As part of an IS review, the IS auditor may discover a variety of strong and weak controls.

• In some instances, one strong control may compensate for a weak control in another area. E.g. if the IS auditor finds weaknesses in a systems transaction error report, the IS auditor may find that a detailed manual balancing process over all transactions compensates for the weaknesses in the error report.

Page 128: Auditing in Public and Private Sector

EVALUATION OF AUDIT STRENGTHS AND WEAKNESSES

• The IS auditor should be aware of compensating controls in areas where controls have been identified as weak.

• A compensating control situation occurs when one stronger control supports a weaker one.

• Overlapping controls are two strong controls. E.g. a data center employs a card key system to control physical access and a guard inside the door requires employees to show their card key or badge. Either control might be adequate to restrict access and the two complement each other.

Page 129: Auditing in Public and Private Sector

EVALUATION OF AUDIT STRENGTHS AND WEAKNESSES

• A control objective will not be achieved by considering one control adequate. The IS auditor should perform a variety of testing procedures and evaluate how these relate to one another.

• An IS auditor should always review for compensating controls prior to reporting a control weakness.