Standard format has been developed by SALGAG Auditing compliance with s125, but restricted to specific components specified in s129
General audit concepts apply: ◦ Reasonable assurance ◦ Sufficient appropriate evidence ◦ Materiality ◦ Risk ◦ Etc. Auditor must understanding “suitable criteria” against which to assess Council ◦ E.g. Better Practice Model ◦ Discuss with Council, refer to Internal Control Policy ◦ If not Better Practice Model, consider appropriateness
Staff training and awareness programs Controls within key business processes Processes to identify and monitor implementation of mitigating actions required to ensure that compliance obligations are met A monitoring plan to test key controls on a periodic basis and report exceptions Procedures for identifying, assessing, rectifying and reporting compliance incidents and breaches Periodic sign off by management and/or external third party outsourced service providers as to compliance with obligations A compliance governance structure that establishes responsibility for the oversight of compliance control activities
Components of internal control should be present, functioning effectively, and working together. ◦ Control Environment ◦ Risk Assessment ◦ Control Activities ◦ Information and Communication ◦ Monitoring Activities
Weaknesses will contribute towards forming an opinion that multiple significant deficiencies in internal control exist Casts doubt over reliability of internal control activities e.g. risk of controls being ignored / bypassed either deliberately or though lack of knowledge / human error
Demonstrated commitment to integrity and ethical values – “tone at the top” and throughout Responses to audit management letters Codes of conduct Mission and value statements Oversight in the development and performance of internal control –audit committee, internal audit Attitude to external and internal audit
Policies (e.g. fraud, whistleblowers, internal control) Existence and maturity of audit committee Training and awareness programs Penalties / consequences for breaches clearly defined and enforced Good staff selection, appointment and probation processes, aimed at attracting and retaining competent staff aligned to strategic objectives (e.g. preference for internal appointments)
Must be documented Weaknesses contribute towards forming an opinion that Council has not given adequate attention to ensuring that internal controls are sufficient, and that multiple significant deficiencies in internal control are likely to exist as a result. Without a risk assessment, Council has no basis for prioritising controls or responses to control weaknesses
Risk tolerance Risk identification – including fraud risks and involving input from a range of staff and managers across Council Risk analysis - consider probability of occurrence and severity Risk evaluation - which risks are to be treated and the priority for treatment Risk treatment Communication, monitoring and review
Failure of a Control activity could either: Individually, result in a material weakness; or Result in a material weakness when considered in aggregate with other control weaknesses Better Practice Model “Part 2” contains examples of control activities. These are not mandatory.
Must consider implementing, document if not Acceptable reasons could be: ◦ Alternative / compensating control ◦ Cost / benefit ◦ Not applicable / practical
Applicability dependent on risk profile, size, functions Prioritisation should depend on risk Can be important
Risk Based approach, sample basis High Risk Business Cycles e.g.: ◦ Procurement ◦ Cash ◦ Payroll High Risk Controls e.g.: ◦ EFT Security ◦ Delegations Councils CSA may guide sample selection
Should have in place for key business processes Absence of policy / procedure decreases likelihood of control being exercised consistently, or in accordance with the intention of Council Should be authorised, reviewed regularly, sanctions for wrong-doing, supported by adequate training / communication
Weaknesses in the information and communication cycle will contribute towards forming an opinion that multiple significant deficiencies in internal control are more likely to exist ◦ Training and awareness programs ◦ External Communication (e.g. requirement for POs, no gifts, communication with bank re online security, required # of signatories, etc)
Controls may be designed effectively, but not operating effectively i.e. frequently ignored / bypassed either deliberately or though lack of knowledge / human error. Without Monitoring, on what basis is CEO certifying compliance with s125? No particular monitoring methodology specified in the Better Practice Model.
Control Self Assessment (“Control Track”) is the leading practice 2 Approaches: 1) Desktop review 2) Testing If CSA is performed properly and honestly, and is supported by appropriate work papers and independent review, it may be used by auditors to guide testing
If a Council identifies a control failure in a timely manner via CSA, and implements an appropriate action plan to correct the failure, the auditor can take this into consideration when forming an opinion as to whether a control failure represents a material weakness.
A deficiency, or combination of deficiencies, such that there is a reasonable possibility that a material non-compliance with law will not be prevented, detected, or corrected on a timely basis. (consider likelihood vs. magnitude); or Multiple significant deficiencies which, considered collectively, result in a determination that a material weakness exists. A significant deficiency = a deficiency, or combination of deficiencies less severe than a material weakness, yet are important enough to warrant the attention of Council.
Per ASAE 3100: Considered in the context of quantitative and qualitative factors: ◦ relative magnitude of instances of detected or suspected non compliance ◦ the nature and extent of the effect of these factors on the evaluation of compliance with the requirements as measured by the suitable criteria ◦ the interests of the intended users. Professional Judgment
Consider importance of control, e.g.: Policies ◦ Key Control = policy exists and is approved ◦ Secondary controls = reviewed regularly, sanctions for wrong-doing, supported by adequate training / communication Reconciliations ◦ Key Control = key accounts reconciled ◦ Secondary Control = other accounts reconciled
Consider other factors: ◦ Length of control failure ◦ Existence of compensating controls ◦ Type of control that has failed (e.g. detective, corrective, preventative, directive) ◦ Has failure been identified by Council? ◦ Action plans in place to address – timely, appropriate ◦ The risk being managed by the control
Bank reconciliations too infrequent, not supported by appropriate independent review, not integrated with system (e.g. on spreadsheets only) Weak online banking / EFT security (e.g. excessive access, excessive dollar value limits, password sharing) Inadequate physical security over cash collections (e.g. not in locked safe, excessive staff access) Lack of significant contracts
Lack of segregation of duties without compensating controls (e.g. detective controls, IT controls) – segregate recording, authorising, approving transactions and handling the related asset. Lack of documented delegations Lack of authorisation for transactions Lack of security over blank cheques, inc. pre- signing blank cheques, access to blank cheques
Weak General Ledger access restrictions – (without these, internal controls can be overridden, segregation of duties may be unachievable) ◦ General Journal entry controls ◦ Master-file access (e.g. rates, payroll, vendor) General ledger / sub ledger reconciliations not performed Inadequate budget monitoring process Insufficient insurance (public liability, plant and equipment) Policies lacking and/or not reviewed
Lack of management review ◦ Fortnightly payroll reports, inc. bona-fide (current vs standard pay) ◦ EFT payment reports ◦ Master file changes reports ◦ Budget vs actual expenditure ◦ Rate rebates ◦ Aged debtors ◦ Leave balances (AL, LSL) ◦ Job costing / works order report
Lack of documented key procedures – written step-by-step, screenshots, process maps Excessive manual processes without sufficient checking (e.g. manual termination payment / leave calculations, manual reconciliations) Lack of appropriate off-site backup of data, program and documentation. Lack of registers (contracts, grants, elected member expenses, etc.)