Question

Accounting: Public Sector Auditing

Judge Learned Hand, in discussing "degree of care" in connection with the standard by which a prudent person is to be held, said this: "The degree of care demanded of a person by an occasion is the result of three factors: the likelihood that his conduct will injure others, taken with the seriousness of the injury if it happens, and balanced against the interest which he must sacrifice to avoid the risk." Discuss how Judge Hand’s statement might be applied to the responsibilities of management in establishing an internal control system and to the role of a performance auditor in assessing the control system. Please answer in own words. (See paragraphs below to get an idea) Note: Internal control system is based on five components: control environment, risk assessment, control activities, information and communication, and monitoring.

The Control Environment

The control environment is the foundation for all the other components of internal control. It provides the underlying managerial discipline and structure for the other components to function effectively. It is the collective impact of the following broad underlying factors on the effectiveness of all other policies and procedures developed to achieve the entity’s objectives: the integrity and ethical values of the managers; the operating style and attitude of the managers; the organizational structure and methods of assigning authority and responsibility; the way in which managers exercise control; the competence and reliability of the people in the organization; the influence of legislative bodies and audit committees; and the influence of external entities, such as higher level governments and credit-rating agencies.

In its Standards for Internal Control in the Federal Government, the Government Accountability Office says: “Policy makers and program managers are continually seeking ways to improve accountability in achieving an entity’s mission. A key factor in improving accountability in achieving an entity’s mission is to implement an effective internal control system.” Internal control starts with the highest-ranking executive and extends through every managerial level. The governor, the mayor, the department heads, the division chiefs, and other managers create and sustain the control environment in an organization. They set the tone regarding the importance of internal controls. Managers who establish a good control environment send the message that internal controls are not only an integral part of operations, but also that they apply to everyone in the organization.

A performance auditor, therefore, should see whether goals and objectives have been established, and whether they are in accord with related laws and requirements set forth by higher level funding agencies.

As a performance auditor, you need to assess such factors as: whether the entity attempted to measure performance; whether the performance indicators appeared to be appropriate to the entity; whether the reporting system provided accurate and timely results, and whether management responded effectively and in a timely manner to the performance results.

As a performance auditor, you need to determine whether the policies, procedures and strategies adopted by management meet these criteria. To do this, you need to review the laws, regulations and literature pertaining to the program you are auditing. You also need to see how management has assessed the risks and what procedures they have used to become aware of “best practices.”

As a performance auditor, you need to determine the nature of the quantitative and qualitative work standards established by management. You also need to find out how the standards were established, and whether they are revised to take advantage of changing technology and experience.

When you do a performance audit, you are a part of the monitoring process done through separate evaluations. When an auditor evaluates internal controls as part of attesting to an entity’s financial statements, that auditor is also part of the monitoring process.

Role of the performance auditor: Where does the separate evaluation - the performance audit - fit into this picture? The performance auditor will assess such matters as: (a) whether the unit supervisors are doing what they are supposed to do (that is, reviewing the completed check lists, making spot visits, and sending out complaint reports in a timely manner); (b) whether managers get periodic reports showing numbers of completed inspections relative to plan and whether they act promptly in the event of lagging inspection performance; and (c) whether there are a sufficient number of supervisors to do the job.

Performance auditors also have a responsibility to report major problems promptly to the appropriate levels of management. As discussed in Chapter 5, performance auditors need to establish a line of continuous communication with top management at the opening audit conference. Formal procedures should also be established for reporting on actions taken by management to resolve the conditions noted in performance audit reports.

Auditors sometimes tend to over-emphasize the wrong control components under the premise that control activities (i.e., policies and procedures) are the most critical elements of an organization’s success. Policies and procedures are certainly important. An effective performance auditor, however, ensures not only that they exist, but also that they exist within the appropriate control environment and that they are followed by staff and not over-ridden by management.

Answer 1

CONTROL ACTIVITIES

Consistent with the scope of mordern performance auditing this book defines an entitys control activities to encompass the broad range of both operating type or safeguarding types of activities. As noted in the GAO internal control standards, control activities are the "policies, procedures, techniques and mechanisms that enforce managements directives." They are also the actions taken to detect and prevent the identified risks. To encompass the concepts established in the Canadian Criteria of Control, we consider the control activities also to cover the process by which goals and objectives are established, startegies and action plans and the criteria against which they are measured and the way in which the human capital has been managed.

Operating startegies and control cover a broad spectrum of managerial activities, such as developing program goals and objectives, reporting system to measure the achievement of the objectives and strategies to give reasonable assurance that the objectives have been achieved effectively and efficiently and the qualitative and the quantitative standards have been maintained by the employees.

Safeguarding controls help management is a prevent or detect in a timely manner the unauthorised acquisition use or disposition of entities resources. They cover search techniques as requiring authorisation and approvals documenting transactions events and decisions securing assets from loss due to pilferage and other factors and separating related functions. Control activities are essential to efficient and effective operations and to accountability of resources and trusted to manager. Control activities vary from agency to agency full stop variances and mission goals and objectives as well as differences and risk that eat agency faces will affect the nature and extent of controls put in place. Weak operating controls can result in lack of direction and failure to achieve the agency its missions. Weak safeguarding controls can lead to a failure to prevent auto detection of fraud and other improper activities in a timely manner. Some safeguarding controls such as requiring documentation in support of certain events and requiring supervisory approval help to prevent losses through inefficiency.  As you read this discussion of controls remember that the cost of each type of control needs to be measured against anticipated benefit in determining the extent of its application to a particular set of circumstances. Also the needs to be taken that the controls are not intrusive as the staple employees initiative.

Managing Human Capital General: With GAO internal control standard point out that the affair entities workforce is essential to achieving results and in an important part of internal control training and reforming a workforce that has the skills needed to achieve the organisations goals developing appropriate performance standards having training programs that developing the skills needed to meet the changing needs providing staff with incentives imposes effective performance obtaining employee feedback and ensuring effective supervision. Some of these elements have been discussed in the ensuing paragraphs:

Developing quantitative and qualitative standards of employee performance:
Qualitative work standards generally referred to the nature of work that employees are required to do. Qualitative standards of intake the form of work programs or inspection. Expressed in procedures manual and in checklist. Quantitative standards might take the form of anticipated client performance such as level of student achievement.

Quantitative and Qualitative standards need to be set with care. They should not be set in a manner that decreases initiative, can they be so loose as to be meaningless. They cannot remain static. Managers to remain alert to the potential for greater efficiency and effectiveness as a result of changing technology and better methods based on experience within the jurisdiction and in other jurisdictions.

As performance auditor, you need to determine the nature of the quantitative and qualitative work standards established by the management. You also need to find out how the standards were established, whether they are advised to take advantage of changing technology and experience.

You also need to be aware of the Literature pertaining to the program your auditing and the standards adopted by other jurisdictions.Contact with state, or International professional associations applicable to the program your auditing is often helpful. Goal is to become as knowledgeable as you can about the activity being audited.

Supervising to ensure that employees made performance standards: Procedures manual and checklist are just one element of a control system.

Without supervision there is no Assurance that employees are adhering to the established qualitative and quantitative work standards. Supervision is needed for all activities, particularly important for activities such as inspection and maintenance, place away from Agencies officers. Effective supervision gives top management reasonable Assurance that staff employees are not cutting corners regarding work quality knowing them to goof of or be absent without authorization. Lack of effective supervision increases the risk that poor quality work will come to management attention the hard way as a result of accidents, report of bribery, find complain, other incidents that reflect poorly on entire government.

There are qualitative and quantitative aspects to supervisory performance, just as there are in staff performance. Some programs, laws or higher level oversight Agencies main established ratios of numbers of supervisors to staff. generally however agency manager is responsible for establishing the span of supervisory control. The extent of top management commitment effective control environment, discussed earlier in this chapter, to the quality of an agency supervision. Performance auditing, you open find the close relationship between the quality of the first line of supervision and efficient staff performance.

Control activities for computer information system: Be referred earlier to the importance of controls regarding computer system. Computerized information systems are the primary means by which most organisations control operations. Control activities are just as important for computerized systems as they are for manual system. there are two Generally Accepted group of controls general control and application controls

General controls include security planning and management security application software development and change control, software control, aggregation of duties, agency planning for service interruption. Application control helps ensure all transactions processed by a software application are complete,authorized and valid.

Access security controls are intended to protect the network from inappropriate access by hackers and others. Security control activities include changes of dial-up numbers, all users allowing access only to information they need, when changes of passwords and deactivation of passwords used by former employees, software and Hardware Firewall that restrict access.

Information and Communication:
the fourth component internal control, in ocean and communication is the lifeblood of most organisations. This component fills many needs:

Managers need to convey the organisations goals, objectives, policies and procedures to staff and staff needs to convey operating problems and success to managers.

Managers need operating information to see if they if they are meeting their goals and objectives and they need financial information to see if actual performance is within budget. new para operating units need to co-ordinate cities with each other. Management must constantly assess client needs and demonstrate accountability both to the legislature and the citizen.

Communication must flow up, down , across, and in and out of an organisation. Information must be useful, timely, accurate and complete. The information and communication systems in an organisation must work together to be successful in today's environment.

Today managing information is a discipline receiving increasing management attention in view of amount of documents and other objects being sent and received for different business processes, need for efficient administration is important. Actually this also applies to the environment of the users themselves, able to find their way around the electronic office quickly and effortlessly. This also applies, how, group of users who must have joint access to maintain information within the context of a specific project.

Software packages today feature multilevel folder management systems that support both the requirements of individual users and user group

Private folders can be used to store information that is used only for relevant user or selected person

Public folders can be used to communicate important information as well as to collect information ideas and expertise within an organisation. Public folders can also be used to administer project specific documentation minutes of meeting or planning documentation. in this folders is only used for certain departments project groups or individual users.

Communication: Effective communication is needed to convey numerous matters as management goal and objectives and procedures, specific performance targets, values and Expectations regarding dealing with the citizens. Without effective communication information is useless. This information relates to both the operational policies and procedures of the organisation as well as information regarding the actual operational performance of the organisation. Management must help the flow of information-upward, downward, across the organisation and in and out of the organisation.
Communication across the organisation is necessary to ensure that the information available to one unit is shared with the other affected units to co-ordinate activities.

Auditors should ask the following questions when assessing communicate systems.
Are employed duties and control responsibilities communicated properly?

Are these established channels for people to communicate suspected improperties? Paragraph is management receptive to employees actions on way to enhance productivity, or other improvements?

Is there adequate communication flow in the organisation?

Is the information communicated completely timely and sufficiently to enable people to discharge the responsibilities?

Are there open an effective channels of communication with customers suppliers and other external sources?

Monitoring:

Separate evaluations of the control system: Evaluations of the control system are needed because the ongoing agency- managerial and supervisory activities are not sufficient to provide assurances to all those who are concerned with the governmental Agencies activities. The stream of accountability runs upward from the unit managers to agency chiefs, to the CEO, Leader and ultimately to the citizen. Individuals and groups in this accountability chain need assurances that control system are in place and working.
Separate evaluations of control system might occur at any point in the accountability chain. Hey baby made by agency internal auditors, external financial auditors, does appointed by bleacher or elected by the citizen many larger Agencies have in house internal audit staff or obtained separate internal control evaluation under contract within outside entity.

Finding the right controls: Auditors sometimes tend to over emphasize the wrong control components under the premise that control activities are most critical elements of an organisation success. Policies and procedures are certainly important. Performance auditor, however ensures not only that they exist, so that the exist within the appropriate control environment and that they are followed by staff and not overridden by management. In conclusion, auditors are to be successful in finding the real cause of problems and covered in an organisation, it is tiff to address all of the control components identified in causes internal control- the greatest Framework auditors must understand the entities control environment and the information and communication systems. Is components are harder to assist than the others, just as critical in determining the entity success or failure.