Audit Findings PERTEMUAN IXX Dr Rilla Gantino SE

Audit Findings PERTEMUAN IX-X Dr Rilla Gantino, SE. , AK. , MM MAKSI-FEB

KEMAMPUAN AKHIR YANG DIHARAPKAN - Mahasiswa mampu analisis dan memilah audit Findings

CONTOH AUDIT FINDINGS DARI TREASURY BOARD OF CANADA

TEMUAN AUDIT (Audit Finding) dan LAPORAN INTERNAL AUDIT TEMUAN AUDIT memberitahukan manajemen mengenai kelemahan pengendalian internal (jika dibiarkan dapat menimbulkan terjadinya kecurangan fraud & collusion- yang merugikan perusahaan) • • LAPORAN dari IAD: • Objective • Clear (jelas) Concise (singkat tapi padat) Constructive (membangun) • Timely (tepat waktu)

• MAJOR DEFICIENCY FINDINGS – Kelemahan SPI perusahaan yang mengakibatkan hambatan bagi organisasi untuk mencapai tujuan yang ditetapkan • MINOR DEFICIENCY FINDINGS – Kelemahan dalam SPI perusahaan, walaupun tidak menghambat tujuan perusahaan tapi bila tidak diperbaiki dapat merugikan perusahaan

KRITERIA DEFICIENCY FINDING YANG HARUS DILAPORKAN • Cukup significant • Didukung oleh fakta • Objective • Relevan dan masuk akal • Menurut Lawrence B. Sawyer (1996), Deficiency Finding adalah : suatu hal yang salah, atau yang akan menjadi salah (secara intrinsik tidak salah, tetapi memerlukan perbaikan)

o o PENGEMBANGAN TEMUAN AUDIT Hasil pemeriksaan internal auditor disimpulkan didokumentasikan dalam: List of Findings Kesimpulan berupa masalah/kelemahan yang ditemukan atau hal yang memerlukan perhatian manajemen: o Findings Positif tidak ada masalah yang ditemukan, atau menyebutkan kebaikan pengendalian intern yang perlu diterapkan dibagian lain o Findings Negatif memberitahukan kepada menajemen masalah yang ditemukan yang memerlukan tindakan perbaikan dari manajemen untuk mencegah kerugian

FINDING YANG BAIK • CRITERIA: Ukuran/standar yang diikuti (kondisi yang seharusnya ada) • STATEMENT of CONDITION: Kenyataan/kondisi yang terjadi di perusahaan • EFFECT: Akibat dari kenyataan yang terjadi di perusahaan (efek negatif berupa penyimpangan, efek positif berupa hasil yang lebih baik dari standar yang ditentukan) • CAUSE: Penyebab terjadinya kondisi tsb. di perusahaan dan bagaimana terjadinya

o o o PENGEMBANGAN REKOMENDASI dari TEMUAN Recommendation menjelaskan apa yang harus dilakukan untuk mengatasi kelemahan/masalah yang diuraikan dalam findings Kendala menyusun laporan : • Audit supervisor menyusun kembali konsep laporan yang telah dibuat oleh auditor in-charge, dengan gayanya sendiri • Auditor in-charge sengaja menyusun laporan seadanya (mengandalkan perbaikan dari audit supervisor dan audit manager) • Terlalu banyak waktu untuk menyusun laporan • Kualitas konsep laporan yang buruk Menurut Sawyer, 3 cara untuk memperbaiki report writing process : • Menentukan standar minimum yang dapat diterima • Komunikasikan standar tersebut kepada staf melalui training • Melakukan pengeditan oleh bagian independen atau perbandingan laporan dengan standar

PENGEMBANGAN REKOMENDASI dari TEMUAN • Rekomendasi yang efektif harus memenuhi prinsip: 1. Komprehensif 2. Spesifik 3. Disusun yang baik 4. Mudah dijalankan 5. Beralasan

HAL PENTING DALAM MENYUSUN REKOMENDASI YANG BAIK 1. Clear 2. Simply 3. Understandable & economical 4. Complete 5. Brief & concise 6. Coherent 7. Forceful 8. Variety

Common Audit Metrics Tool The CAMT is illustrated below and represents deliverables aimed at streamlining OCG’s oversight of internal audit. The three tools focus on capacity, Results-Based Audit Plans and individual Audit Engagements. The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes. Institute of Internal Auditors, Standard 2000 12

Introduction to Metrics • 42 Internal Audit Community Capacity Templates have been received and incorporated into this analysis (100% of population) • 40 Risk-Based Audit Plans have been analyzed • Over 160 internal audit reports have also been analyzed Simplified reporting • • Previous metrics 9 indicators with 70 measures Labour-intensive Included selected organizations only Could not use data for benchmarking: • • Did not use full-year data Lack of consistency in measures over time • • CAMT 5 indicators with 10 measures Reduced reporting burden Includes all organizations under IA Policy Enables departments to conduct internal benchmarking: • • Full-year data Consistent measures over time 13

Audit Techniques Utilized Just over two-thirds of audits used all three techniques: Document reviews; Interviews; and, Analytical procedures Technique Utilized Percentage* Document Reviews 97. 6% Interviews 96. 4% Analytical Procedures 72. 3% Questionnaires 3. 0% Vouching 2. 4% External Benchmarking 1. 8% Financial Statement Analysis 1. 8% Case Studies 1. 2% Internal Benchmarking 1. 2% HR and Payroll Analysis 1. 2% Other 1. 2% * More than one technique may have been used in the completion of individual audits n = 166 14

Average Elapsed Time to Complete an Audit as Reported by Departments On average, an audit takes one year to complete • Average time to audit was shortest in departments in the Social and Cultural Sector – average 311 days • Average time to audit was longest in departments in the Government Operations Sector – average 526 days • Average time to audit in International Affairs, Security and Justice Sector was 387 • Average time to audit in the economic sector was 345 days Duration of Stages in the Audit Cycle by Program Sector (days) ES n = 157 15

Summary of Findings by Risk Areas Distribution of findings based upon the IIA categorization of risk • Operational risks were the most predominate area of audit findings for all program sectors • Strategic business risks were the second highest area overall, although ranking of risks differed by program sector as Financial reporting risks ranked second within International Affairs, Security and Justice & Social and Cultural program sectors 16

Characteristics of Audit Findings Distribution of findings by level of government Distribution of findings by COSO control framework 1% 25% 7% 39% 28% 17

Audit Findings • Approximately 22. 6% of the findings are of minimal risk (green squares) • Approximately 62. 8% of the findings are of moderate risk (yellow squares) • Approximately 14. 6% of the findings are high risk (red squares) 18

Value-added Contributions Management Action Plans Implementation Status Recommendation Source Departmental internal audits Horizontal audits # % External assurance providers (OAG, PSC, etc) # % Prior year(s) recommendations 649 60. 4% 25 96. 2% 152 63. 3% 2014 -15 recommendations 425 39. 6% 1 2. 8% 88 36. 7% 1, 074 100. 0% 26 100. 0% 240 100. 0% Obsolete 13 n/a 6 n/a 1 n/a No/insignificant progress 41 3. 9% 0 0. 0% 8 3. 4% Planning stage 61 5. 8% 0 0. 0% 8 3. 4% Preparation for implementation 105 9. 9% 3 15. 0% 29 11. 7% Substantial implementation 179 16. 9% 3 15. 0% 31 13. 0% Full implementation 675 63. 6% 14 70. 0% 163 68. 2% 1, 074 100. 0% 26 100. 0% 240 100. 0% Recommendations by Year: Total Number of Recommendations by Status: Total Number of Recommendations * 2013 -14 figures were 65% full implementation and 35% not fully implemented. N = 42 reporting departments 19

Value-Added Contributions Risk Management Controls Governance Risk Management Fisheries and Oceans uses data analytics to support risk assessment in annual audit planning and individual audits. Financial and human resource raw data is used to assess risk and assist auditors’ understanding of business processes. “These exercises allow the Audit Directorate to provide timely advice to management as well as better meet their needs. ” Department of Finance audited acquisition cards, using third-party data (i. e. Bank of Montreal Online System) allowing specific tests to be performed resulting in mitigating risks facing the department’s internal controls Royal Canadian Mounted Police undertook several audits using technology to profile populations so that management oversight and monitoring is done more effectively and efficiently. “For example, in the cases of the Audit of Benefits and Allowances and the Audit of Inventory Management, IA assisted in the development of ACL scripts which continue to be used by the client for monitoring purposes. ” Controls Public Safety Canada provided management control framework training to all executives based on the results of internal audit findings. “Feedback from executives was excellent. ” The training is being followed up with planning advisory engagements to help branches design and implement management control frameworks. Canada Border Services Agency’s audit function worked with management to improve controls by mapping business processes, controls, and accountabilities. “This is a highly valued activity by management. ” 20

Value-Added Contributions Governance Public Safety conducted an audit of values and ethics including control activities supporting values and ethics obligations, culture and leadership, formal practices and oversight. The audit supported the release of the results from the Public Service Employee Survey and informed a Departmental Transformation Task Force to respond to issues raised in the audit and launch a cultural transformation. The position of Manager of Values and Ethics was created within Human Resources to address audit recommendations Statistics Canada reviews audit recommendations and action plans at its departmental executive oversight committee. As a result, action plans designed to improve management practices in specific areas are implemented in areas beyond the scope of previously conducted audits. For example, recommendations pertaining to information management and maintaining the confidentiality of data have been implemented in areas where audits have not been previously conducted. Public Works and Government Services Canada performed a series of audits of third party service providers resulting in recommendations and management action plans that continue to add value to this day. Specifically, the audits noted deficiencies in the governance/oversight framework for the management of the particular third party service providers. Consequently, the Department developed and applied a revised governance/oversight framework to new third party service contracts. 21

Improving Program Management Insight Oversight Foresight Oversight Canadian Grain Commission's audit resulted in refunds to industry as user fees were incorrectly charged. This audit also resulted in management re-prioritizing system development projects in order to develop and implement an application upgrade required to improve controls and efficiency Public Health Agency and Health Canada audit of Interdepartmental Services Arrangements supported the successful implementation of shared services which is the most recent and innovative internal service delivery agreement for the delivery of corporate administrative services and certain other program functions. The agreement is unique in that it is the first time two federal organizations have both contributed resources to a single service arrangement designed to operate equally in support of both organizations. As a result, the agreement has generated approximately $24 million annually in reduced overhead costs. Insight Infrastructure Canada’s assessment of Internal Policy Administration contributed towards achieving Destination 2020 objectives – specifically as it related to streamlining processes, reducing red tape and eliminating policy instruments that are no longer required. Justice Canada’s audit of Talent Management led to the development of a talent road-map for the Justice Canada of tomorrow, focusing on building the skill sets for the future. The Deputy Minister included the talent management strategy as a commitment in his direct report performance agreements making a specific reference to this audit recommendation. 22

Improving Program Management Foresight Public Service Commission’s audit of information management led to increased organizational efficiencies by promoting standardized categorization through training and the introduction of an information classification scheme supporting Smarter Searches that yield faster retrieval of information and significant time savings contributing to a more productive environment Veterans Affairs assessed service standards and timeliness of case management services, developed a method to measure case management workload, and developed an optimal caseload model for case managers. Based on this exercise, the audit directorate was asked to conduct a Client Service Agent (CSA) Workload Assessment to analyze the accuracy of the existing workload measurement tool, determine if there were alternative approaches, and identify key challenges affecting CSAs that should be addressed Justice Canada assessed the Department’s current billing process, as well as proposed future controls for a new funding model. Proactive risk identification and recommendations pertaining to future control frameworks assisted in the development of a future costing program that aims to sustain strong relationships with client departments and alleviate budgetary risks Veterans Affairs' Audit and Evaluation Division (AED) conducted two management assists to support the department in determining resource requirements in area offices. Canada Border Services Agency audit directorate assisted in reducing external audit burden by conducting preparatory reviews and undertaking follow-up on management action plans related to Office of the Auditor General (OAG) audits. “This work added value to the organization in terms of alleviating audit burden on our largest branches. ” 23

Improving How We Work Increased efficiencies Natural Resources Canada’s audit function has focused extensively on collaboration within the audit community and with others. They have collaborated with OGDs to perform joint audits and to share audit tools. They have also worked closely with their evaluation colleagues at NRCan when developing departmental Risk Based Audit Plans and the Evaluation Plan in order to avoid duplication and reduce the burden on senior management. This has lead to collaboration on audits and evaluations of programs and the conduct of a joint project where a single report was produced to satisfy both audit and evaluation requirements. Treasury Board Secretariat's internal audit group developed an assurance map in relation to the Secretariat's newly defined 2015 -16 Program Alignment Architecture. Assurance coverage information was presented by assurance providers over time. The information helped senior management and the audit committee identify potential assurance gaps which were further analyzed as part of the risk-based audit planning exercise. Health Canada and Public Health Agency of Canada’s integration of internal audit services provided to Health Canada and to the Public Health Agency of Canada in 2012 reduced overhead costs, provided benefits of greater capacity for internal audit and DAC Secretariat Services, and improved professional opportunities for audit staff. Environment and Climate Change Canada’s Audit and Evaluation Branch initiated a joint-audit of staffing and classification in collaboration with the Public Service Commission. 24

Improving How We Work Improving capacity National Defence: established a formal Internship Program with a local university, in order to provide commerce students with internal audit experience throughout their studies, and eventually bridge successful graduates into junior auditor positions. They also launched an extensive internal audit manual posted on GC Connex to provide auditors a platform to provide feedback and comments on the use of the manual, as well as to disseminate changes made to it 25

CONTOH PROGRESS REPORT OF AUDIT FINDINGS REPUBLIC OF SOUTH AFRICA

AUDIT OF PREDERMINED OF OBJECTIVE • Management has put measures in place to align the yearly targets in the Quarterly Status Report Template to those in the approved Annual Performance Plan • The completed QSRM template is compared with the original information sent to management to prevent unauthorized changes. • Task teams reporting template has been circulated to all Chairpersons of task teams to report on monthly progress and on completion of projects. • Management will ensure that there is consistency in all QSRM reports and to make use of the QSRM data to compile the Annual Report. • SRSA discussed the Do. RA indicators with provincial officials and standardized indicators across all provinces. This will ensure that interpretation of indicators and measurements is the same in all provinces. SRSA 27

AUDIT OF PREDERMINED OF OBJECTIVE. CONT. • Management provides reasons for variances for the set performance targets and includes corrective action plans as well as progress made in their reports. • The Quarterly Status Reports template addresses all the delivery areas within the department. • Changes to the APP and Quarterly targets are documented and approved. Evidence of approval kept in the relevant file • Evidence and supporting documents for performance reported kept in a file for audit purposes. • The Accounting Officer has establish a task team that focuses on the Conditional Grant requirements • Records to be kept for all required submissions by provinces and non-compliant provinces identified. • Withholding of funds from provinces that do not comply SRSA 28

AUDIT OF CONTROLS IN FINANCE AND SUPPLY CHAIN MANAGEMENT UNIT • The accounting officer reviews and approve relevant policies • Finance date stamps the invoices when receiving them, and capture date of receipt when processing payments. • Keep record of communication with National Treasury in verifying bank details. • The Supply Chain officials keeps copies of quotations for evidence. • All officials oriented about the new delegations. • Prices are benchmarked by various quotations received. • Tax clearance certificate required before processing of orders. SRSA 29

AUDIT OF CONTROLS IN FINANCE AND SUPPLY CHAIN MANAGEMENT UNIT. cont • Copy of invoices are certified before processing payments. • All deviations from supply chain procedures are recorded and approved as required by the policies. • SRSA to establish a new supplier data-base. • The data-base to be regularly updated when necessary • Conduct physical asset verification and identify redundant assets to be removed from the register. • Record all movements of assets in the prescribed forms and update the asset register accordingly. • All supporting documents attached to all claims, and payment requisitions before authorizing payments SRSA 30

AUDIT OF CONTROLS IN HUMAN RESOURCES MANAGEMENT UNIT • Filling of vacancies in Finance and SCM is in progress to provide the required capacity. • Leave management incorporated in the Performance Agreements of all SMS members to manage it in their specific units. • Reports of non-compliance by to be submitted to top management. • Set and comply with target dates for performance assessments and moderation of results. • Review of a special allowances against an approved list. • Circular on declaration of interest and the relevant send to all staff for completion and return to SCM & HRM. • Procedures are in place to recruit competent staff to fill key positions, and to restructuring is completed • The accounting officer reviews and approve relevant policies. SRSA 31

AUDIT OF CONTROLS IN THE TRANSVERSAL SYSTEMS (BAS/LOGIS/PERSAL) • Management amended the DRP and submit to MANCO for approval and signed off by the DG • Documentation of monitoring of passwords, user logon violations and user access to applications done on continuous basis. SRSA 32

AUDIT OF CONTROLS IN THE MONITORING OF PUBLIC ENTITIES AND FEDERATIONS • Monitoring of public entities’ is being improved to ensure compliance with all legal requirements • SRSA has deployed its own internal audit team to assist Boxing SA • DG has held a mentoring session with CEO of Boxing SA for BSA to come up with a new Business Model SRSA 33