《Internal Control Survey Guidelines.doc》由会员分享,可在线阅读,更多相关《Internal Control Survey Guidelines.doc(21页珍藏版)》请在三一文库上搜索。
1、Internal Control Survey Guidelines BACKGROUND Generally accepted government auditing standards require auditors to have a sufficient understanding of relevant internal controls to plan an audit and to determine what kinds of tests to do in the audit. The auditors should also have sufficient, compete
2、nt, relevant evidence to support the basis of their judgment about internal controls. Historically, auditors have been good at assessing internal controls related to control activities, because generally, there are source documents to which the auditor can refer to test or confirm the controls. For
3、example, if agencies are required to get a contract when their cumulative expenditures for similar commodities exceeds $15,000, the auditors can examine accounting records, vouchers and other supporting evidence to test to see whether the agency is adhering to this control. There is ample documentar
4、y evidence upon which the auditors can base their judgment about these controls. The challenge for auditors has been how to get sufficient, competent, relevant and useful evidence to support their decision about the soft controls that do not lend themselves to empirical evidence. This includes the c
5、ontrol environment and communication systems. There isnt any source documents routinely maintained that will tell the auditors about managements ethics, integrity, philosophy and operating style, or the competence of the people in the organization. But there is a valuable source with this informatio
6、n - organization staff. Agency staff is in a position to observe managements actions and inactions on a daily basis. The greater percent of staff involved in the evaluation process, the more valid your results. For example, if the auditor solicits information from everyone involved in the procuremen
7、t cycle, the auditor may have a sufficient basis on which to draw conclusions about the control environment. With the objective of getting evidence from agency staff, weve developed a survey based on current industry literature on control self assessment. Control self assessment is a process through
8、 which internal control effectiveness is examined and assessed to provide reasonable assurance that all business objectives will be met.1 The survey, when completed, may give the auditors sufficient, competent, relevant and useful evidence to draw a conclusion about the control environment. The surv
9、ey will also give the auditor preliminary indicators of how adequate the agencys risk assessment, control activities, information and communication systems, and monitoring processes are working. Auditors should do other tests and evaluations to draw conclusions about these four other components of i
10、nternal controls, as well as be constantly aware of other control environment evidence gained by the auditors interaction with organization management. A methodology encompassing self-assessment surveys and facilitated workshops is a useful and efficient approach for managers and auditors to collabo
11、rate in assessing and evaluating control procedures. In its purest form, control self assessment integrates business objectives and risks with control processes. Using control self assessment allows management and work teams, who are directly involved in a business unit, function, or process to part
12、icipate in a structured manner for the purpose of: Identifying risks and exposures; Assessing the control processes that mitigate or manage those risks; Developing action plans to reduce risks to acceptable levels; and Determining the likelihood of achieving the business objectives. The outcomes tha
13、t may be derived from self-assessment methodologies are: People in business units become trained and experienced in assessing risks and associating control processes with managing those risks and improving the chances of achieving business objectives. Informal, soft controls are more easily identifi
14、ed and evaluated. People are motivated to take ownership of the control processes in their units and corrective actions taken by the work teams are often more effective and timely. 1 Professional Practices Pamphlet 98-2, A Perspective on Control Self-Assessment (Altamonet Springs, Florida: The Insti
15、tute of Internal Auditors), 1998, CSA Definition Chapter. Auditors acquire more information about the control processes within the organization and can leverage that additional information in allocating their scarce resources so as to spend a greater effort in investigating and performing tests of b
16、usiness units or functions that have significant control weaknesses or high residual risks. Management s responsibility for the risk management and control processes of the organization is reinforced, and managers will be less tempted to abdicate those activities to specialists, such as internal aud
17、itors. The primary role of the audit activity will continue to include the validation of the evaluation process by performing tests and the expression of its professional judgment on the adequacy and effectiveness of the whole risk management and control systems.2 Notification Once the decision has
18、been made to do an internal control survey, the auditor-in-charge should notify the head of the agency that auditors are going to assess internal controls at the audited organization. When initiating the internal control survey, the auditor-in charge should describe in general terms how the staff au
19、ditors are going to assess controls. Key points to cover in the conversation include: Auditors are going to collect evidence on the five elements of internal controls, with particular emphasis on assessing the control environment. Agency management can obtain information about internal controls on t
20、he State Comptrollers web site in the document Standards for Internal Controls in New York State Government. Auditors will need an organization chart of all people involved in the agency program, function or activity under audit. Using this chart and other input from agency management as necessary,
21、the auditors will schedule meetings with all agency staff involved in program, function or activity under audit to get their input about internal controls. When scheduling the meetings with staff, the auditors will seek to ensure employees and their supervisors are not in the same meeting. Auditors
22、do this to ensure staff providing 2 Practice Advisory 2120.A1-2: Using Control Self-assessment for Assessing the Adequacy of Control Processes Interpretation of Standard 2120.A1 from the International Standards for the Professional Practice of Internal Auditing information dont feel intimidated by t
23、he presence of their supervisors, thus are free to openly respond to any inquiries. Once the survey is complete, the auditors will analyze the results and meet with agency management to discuss the preliminary results. After discussing results with agency management, the auditors will prepare a repo
24、rt. This report will go to the agency management after being reviewed and approved internally. The auditors should consider getting agency management to agree the survey statements are appropriate criteria for the auditors to evaluate the control environment and get indicators for the risk assessmen
25、t, control activities, information and communication systems and monitoring process. This will help management buy into the process and better accept the results when presented. Care should be taken in deciding which agency manager to approach for this. If the auditors have preliminary evidence that
26、 particular managers are contributing to a negative control environment, the auditors should consider getting agreement from other managers, preferably their superiors. Preparation Before preparing the mechanics of the survey, the auditors should prepare themselves. This begins with gaining expertis
27、e in internal controls. The auditor should study the State Comptrollers Standards for Internal Control in New York State Government. Often times in survey meetings, agency staff ask specific questions about their environment. The staff will describe whats going on in their office and look to the aud
28、itor to tell them whether its okay or not. In most cases, they want the auditor to confirm the practice theyre describing isnt okay. Its important for the auditor to handle the question effectively based on the definition and application of internal controls. The auditor should also be able to effec
29、tively facilitate a meeting. The auditor will lose credibility with the agency employees if they cant effectively manage the meeting. The auditor should review the organization charts to identify the lines of reporting and the upper and middle level managers (those who set the tone at the top). This
30、 will help the auditor tailor the control environment part of the survey. Also, the auditor should determine the grade levels of the employees to help determine how to schedule the employees for meetings. Remember, the auditor should separate supervisors and staff when scheduling these meetings. Tai
31、loring the Survey The survey should be tailored to the organization or program under review. Since the survey makes specific statements about managements ethics and integrity, the auditor should identify the manager(s) by name and title in the survey. This is to avoid confusion for the employees fil
32、ling out the survey. The survey is provided in appendix to these guidelines. Its important the statement ask about managers by name because many employees have multiple managers. Adding the managers names to the survey will help to avoid confusion. While rare, there may still be some confusion. This
33、 may still occur to some extent when the auditor identifies the managers by name and title (e.g., when there are purchasing and accounts payable staff in the same meeting, the survey will have two names in the statement about ethics - one for each chain of command). If the employee tells the auditor
34、 theyve reported to both managers in their career, instruct the employee to respond to the statement based on the manager in his/her direct chain of command. Then, invite the employee to add comments about other managers in the spaces following the section. To tailor the survey, insert the names and
35、 titles of the higher-level managers (those that set the tone at the top) into the survey comments that deal with ethics and integrity, and with compliance with laws, rules and regulations. The auditor may need to add additional statements to the survey to accommodate all the higher-level managers.
36、It is not necessary to tailor the comment about the employees immediate supervisor. The auditor should also consider whether to include a section in the survey to collect the employees name, grade and work unit name. This may facilitate the auditor being able to identify patterns and trends in the r
37、esponses and allow the auditor to follow up with the agency employee to get clarification on some issues. For example, if the data shows only the accounts payable employees indicate there is a fear of reprisal from their director, the auditor can tailor the recommendation to this particular unit. Al
38、so, if the employee writes their name on the survey, it allows the auditor to follow up with the employee to get more evidence to support what the employees is saying, or simply to more fully understand what the employee is trying to convey. There are two schools of thought on whether to gather this
39、 type of identifying information in the survey. One thought is that it facilitates getting more complete information and allows for more detailed analysis of results. The other thought is that the employees may be so afraid their managers are going to find out whom specifically said what, that the p
40、otential fear of reprisal will cause the employee to not fully disclose wrong-doing if it exists. The audit team should collectively decide whether to ask the employees for this identifying information. If the team decides the surveys should be anonymous, they can eliminate the identifying informati
41、on from the survey, or still collect the information but keep it confidential. Scheduling the Meetings As noted above, when meeting with the employees to do the survey, the auditor should ensure they are not in the same meetings with any of their supervisors. Remember - some of the comments ask the
42、employees to respond to statements about their supervisors. Having the supervisors present may intimidate the employee so much so that they wont give an honest or complete response. It isnt necessary to isolate the employees by functional group, but the auditor should separate the meetings by grade
43、level or reporting level. For example, the auditor can schedule employees from accounts payable, purchasing and receiving for the same meeting, but should try to ensure theyre at the same level in the organization (e.g., grade 14s together, supervisors together). Staff can be intimidated by managers
44、 who are not in their chain of command. Ideally, the auditor should try to schedule meetings in large, comfortable rooms to allow the employees to spread out if they want to so other employees cant look at their responses. Also, it is best to schedule meetings beginning with the lower grade employee
45、s first, and then work your way up the chain of command. This is to prevent supervisors from knowing the survey content before their staff and using this information to persuade how the staff will respond to the survey. After deciding which staff is going to attend the same meeting, the audit manage
46、r or auditor in charge should contact an appropriate manager at the agency to determine a day when the survey will take place. When speaking with the agency manager, remind him/her of the importance of this survey and ask that the manager find a day when the staff is likely to be present. Meeting wi
47、th Agency Staff Agency employees may very well be anxious when the auditor first arrives at the meeting. Several things may be the source of this anxiety: Auditors are generally unwelcome. Staff might not know why the auditor is meeting with them. The unknown can be frightening to some. Staff may kn
48、ow why youre meeting with them, but they might not understand internal controls and how this exercise will impact their day-to-day work at the agency. Staff may be concerned about potential retribution if agency managers find out what theyre telling you. For these and other reasons, its important fo
49、r the auditor to gain staff trust as soon as possible. Professionalism, internal controls expertise, appropriate dress and polished presentation and facilitation skills are key factors to help gain their trust. The meeting with staff involves four major areas: Internal Controls Understanding Survey Mechanics Survey Administration Staff Debriefing Internal Controls Understanding Its important for the auditor to learn the degree to which agency staff understands internal controls. This will help the auditor gauge the extent to which agency management communicated information ab