《Internal Control Survey Guidelines.doc》由会员分享,可在线阅读,更多相关《Internal Control Survey Guidelines.doc(21页珍藏版)》请在三一办公上搜索。
1、Internal Control Survey GuidelinesBACKGROUNDGenerally accepted government auditing standards require auditors to have a sufficient understanding of relevant internal controls to plan an audit and to determine what kinds of tests to do in the audit. The auditors should also have sufficient, competent
2、, relevant evidence to support the basis of their judgment about internal controls.Historically, auditors have been good at assessing internal controls related to control activities, because generally, there are source documents to which the auditor can refer to test or confirm the controls. For exa
3、mple, if agencies are required to get a contract when their cumulative expenditures for similar commodities exceeds $15,000, the auditors can examine accounting records, vouchers and other supporting evidence to test to see whether the agency is adhering to this control. There is ample documentary e
4、vidence upon which the auditors can base their judgment about these controls.The challenge for auditors has been how to get sufficient, competent, relevant and useful evidence to support their decision about the soft controls that do not lend themselves to empirical evidence. This includes the contr
5、ol environment and communication systems. There isnt any source documents routinely maintained that will tell the auditors about managements ethics, integrity, philosophy and operating style, or the competence of the people in the organization. But there is a valuable source with this information -
6、organization staff.Agency staff is in a position to observe managements actions and inactions on a daily basis. The greater percent of staff involved in the evaluation process, the more valid your results. For example, if the auditor solicits information from everyone involved in the procurement cyc
7、le, the auditor may have a sufficient basis on which to draw conclusions about the control environment.With the objective of getting evidence from agency staff, weve developed a survey based on current industry literature on control self assessment. Control self assessment is a process through which
8、 internal control effectiveness is examined and assessed to provide reasonable assurance that all business objectives will be met. Professional Practices Pamphlet 98-2, A Perspective on Control Self-Assessment (Altamonet Springs, Florida: TheInstitute of Internal Auditors), 1998, CSA Definition Chap
9、ter. The survey, when completed, may give the auditors sufficient, competent, relevant and useful evidence to draw a conclusion about the control environment. The survey will also give the auditor preliminary indicators of how adequate the agencys risk assessment, control activities, information and
10、 communication systems, and monitoring processes are working. Auditors should do other tests and evaluations to draw conclusions about these four other components of internal controls, as well as be constantly aware of other control environment evidence gained by the auditors interaction with organi
11、zation management.A methodology encompassing self-assessment surveys and facilitated workshops is a useful and efficient approach for managers and auditors to collaborate in assessing and evaluating control procedures. In its purest form, control self assessment integrates business objectives and ri
12、sks with control processes. Using control self assessment allows management and work teams, who are directly involved in a business unit, function, or process to participate in a structured manner for the purpose of: Identifying risks and exposures; Assessing the control processes that mitigate or m
13、anage those risks; Developing action plans to reduce risks to acceptable levels; and Determining the likelihood of achieving the business objectives.The outcomes that may be derived from self-assessment methodologies are: People in business units become trained and experienced in assessing risks and
14、 associating control processes with managing those risks and improving the chances of achieving business objectives. Informal, soft controls are more easily identified and evaluated. People are motivated to take ownership of the control processes in their units and corrective actions taken by the wo
15、rk teams are often more effective and timely. Auditors acquire more information about the control processes within the organization and can leverage that additional information in allocating their scarce resources so as to spend a greater effort in investigating and performing tests of business unit
16、s or functions that have significant control weaknesses or high residual risks. Management s responsibility for the risk management and control processes of the organization is reinforced, and managers will be less tempted to abdicate those activities to specialists, such as internal auditors.The pr
17、imary role of the audit activity will continue to include the validation of the evaluation process by performing tests and the expression of its professional judgment on the adequacy and effectiveness of the whole risk management and control systems. Practice Advisory 2120.A1-2: Using Control Self-a
18、ssessment for Assessing the Adequacy of Control Processes Interpretation of Standard 2120.A1 from the International Standards for the Professional Practice of Internal AuditingNotificationOnce the decision has been made to do an internal control survey, the auditor-in-charge should notify the head o
19、f the agency that auditors are going to assess internal controls at the audited organization. When initiating the internal control survey, the auditor-in charge should describe in general terms how the staff auditors are going to assess controls. Key points to cover in the conversation include: Audi
20、tors are going to collect evidence on the five elements of internal controls, with particular emphasis on assessing the control environment. Agency management can obtain information about internal controls on the State Comptrollers web site in the document Standards for Internal Controls in New York
21、 State Government. Auditors will need an organization chart of all people involved in the agency program, function or activity under audit. Using this chart and other input from agency management as necessary, the auditors will schedule meetings with all agency staff involved in program, function or
22、 activity under audit to get their input about internal controls. When scheduling the meetings with staff, the auditors will seek to ensure employees and their supervisors are not in the same meeting. Auditors do this to ensure staff providing information dont feel intimidated by the presence of the
23、ir supervisors, thus are free to openly respond to any inquiries. Once the survey is complete, the auditors will analyze the results and meet with agency management to discuss the preliminary results. After discussing results with agency management, the auditors will prepare a report. This report wi
24、ll go to the agency management after being reviewed and approved internally.The auditors should consider getting agency management to agree the survey statements are appropriate criteria for the auditors to evaluate the control environment and get indicators for the risk assessment, control activiti
25、es, information and communication systems and monitoring process. This will help management buy into the process and better accept the results when presented. Care should be taken in deciding which agency manager to approach for this. If the auditors have preliminary evidence that particular manager
26、s are contributing to a negative control environment, the auditors should consider getting agreement from other managers, preferably their superiors.PreparationBefore preparing the mechanics of the survey, the auditors should prepare themselves. This begins with gaining expertise in internal control
27、s.The auditor should study the State Comptrollers Standards for Internal Control in New York State Government. Often times in survey meetings, agency staff ask specific questions about their environment. The staff will describe whats going on in their office and look to the auditor to tell them whet
28、her its okay or not. In most cases, they want the auditor to confirm the practice theyre describing isnt okay. Its important for the auditor to handle the question effectively based on the definition and application of internal controls.The auditor should also be able to effectively facilitate a mee
29、ting. The auditor will lose credibility with the agency employees if they cant effectively manage the meeting. The auditor should review the organization charts to identify the lines of reporting and the upper and middle level managers (those who set the tone at the top). This will help the auditor
30、tailor the control environment part of the survey. Also, the auditor should determine the grade levels of the employees to help determine how to schedule the employees for meetings. Remember, the auditor should separate supervisors and staff when scheduling these meetings.Tailoring the SurveyThe sur
31、vey should be tailored to the organization or program under review. Since the survey makes specific statements about managements ethics and integrity, the auditor should identify the manager(s) by name and title in the survey. This is to avoid confusion for the employees filling out the survey. The
32、survey is provided in appendix to these guidelines.Its important the statement ask about managers by name because many employees have multiple managers. Adding the managers names to the survey will help to avoid confusion.While rare, there may still be some confusion. This may still occur to some ex
33、tent when the auditor identifies the managers by name and title (e.g., when there are purchasing and accounts payable staff in the same meeting, the survey will have two names in the statement about ethics - one for each chain of command). If the employee tells the auditor theyve reported to both ma
34、nagers in their career, instruct the employee to respond to the statement based on the manager in his/her direct chain of command. Then, invite the employee to add comments about other managers in the spaces following the section. To tailor the survey, insert the names and titles of the higher-level
35、 managers (those that set the tone at the top) into the survey comments that deal with ethics and integrity, and with compliance with laws, rules and regulations. The auditor may need to add additional statements to the survey to accommodate all the higher-level managers. It is not necessary to tail
36、or the comment about the employees immediate supervisor.The auditor should also consider whether to include a section in the survey to collect the employees name, grade and work unit name. This may facilitate the auditor being able to identify patterns and trends in the responses and allow the audit
37、or to follow up with the agency employee to get clarification on some issues.For example, if the data shows only the accounts payable employees indicate there is a fear of reprisal from their director, the auditor can tailor the recommendation to this particular unit. Also, if the employee writes th
38、eir name on the survey, it allows the auditor to follow up with the employee to get more evidence to support what the employees is saying, or simply to more fully understand what the employee is trying to convey.There are two schools of thought on whether to gather this type of identifying informati
39、on in the survey. One thought is that it facilitates getting more complete information and allows for more detailed analysis of results. The other thought is that the employees may be so afraid their managers are going to find out whom specifically said what, that the potential fear of reprisal will
40、 cause the employee to not fully disclose wrong-doing if it exists.The audit team should collectively decide whether to ask the employees for this identifying information.If the team decides the surveys should be anonymous, they can eliminate the identifying information from the survey, or still col
41、lect the information but keep it confidential.Scheduling the MeetingsAs noted above, when meeting with the employees to do the survey, the auditor should ensure they are not in the same meetings with any of their supervisors. Remember - some of the comments ask the employees to respond to statements
42、 about their supervisors. Having the supervisors present may intimidate the employee so much so that they wont give an honest or complete response.It isnt necessary to isolate the employees by functional group, but the auditor should separate the meetings by grade level or reporting level. For examp
43、le, the auditor can schedule employees from accounts payable, purchasing and receiving for the same meeting, but should try to ensure theyre at the same level in the organization (e.g., grade 14s together, supervisors together). Staff can be intimidated by managers who are not in their chain of comm
44、and. Ideally, the auditor should try to schedule meetings in large, comfortable rooms to allow the employees to spread out if they want to so other employees cant look at their responses. Also, it is best to schedule meetings beginning with the lower grade employees first, and then work your way up
45、the chain of command. This is to prevent supervisors from knowing the survey content before their staff and using this information to persuade how the staff will respond to the survey.After deciding which staff is going to attend the same meeting, the audit manager or auditor in charge should contac
46、t an appropriate manager at the agency to determine a day when the survey will take place. When speaking with the agency manager, remind him/her of the importance of this survey and ask that the manager find a day when the staff is likely to be present.Meeting with Agency StaffAgency employees may v
47、ery well be anxious when the auditor first arrives at the meeting. Several things may be the source of this anxiety: Auditors are generally unwelcome. Staff might not know why the auditor is meeting with them. The unknown can be frightening to some. Staff may know why youre meeting with them, but th
48、ey might not understand internal controls and how this exercise will impact their day-to-day work at the agency. Staff may be concerned about potential retribution if agency managers find out what theyre telling you.For these and other reasons, its important for the auditor to gain staff trust as so
49、on as possible. Professionalism, internal controls expertise, appropriate dress and polished presentation and facilitation skills are key factors to help gain their trust.The meeting with staff involves four major areas: Internal Controls Understanding Survey Mechanics Survey Administration Staff DebriefingInternal Controls UnderstandingIts important for the auditor to learn the degree to which agency staff underst
