Internal Controls Opinion Audit Approach Audit Opinion Standard
- Slides: 29
Internal Controls Opinion Audit Approach

Audit Opinion – Standard
- Standard format has been developed by SALGAG
- Auditing compliance with s 125, but restricted to specific components specified in s 129

ASAE 3100
- General audit concepts apply:
  - Reasonable assurance
  - Sufficient appropriate evidence
  - Materiality
  - Risk
  - Etc.
- Auditor must understand the "suitable criteria" against which to assess Council
  - E.g. Better Practice Model
  - Discuss with Council, refer to Internal Control Policy
  - If not Better Practice Model, consider appropriateness

ASAE 3100 – Common elements of a compliance framework
- Staff training and awareness programs
- Controls within key business processes
- Processes to identify and monitor implementation of mitigating actions required to ensure that compliance obligations are met
- A monitoring plan to test key controls on a periodic basis and report exceptions
- Procedures for identifying, assessing, rectifying and reporting compliance incidents and breaches
- Periodic sign off by management and/or external third party outsourced service providers as to compliance with obligations
- A compliance governance structure that establishes responsibility for the oversight of compliance control activities

The 5 key components of internal control
- Components of internal control should be present, functioning effectively, and working together.
  - Control Environment
  - Risk Assessment
  - Control Activities
  - Information and Communication
  - Monitoring Activities

Control Environment
- Weaknesses will contribute towards forming an opinion that multiple significant deficiencies in internal control exist
- Casts doubt over reliability of internal control activities, e.g. risk of controls being ignored / bypassed either deliberately or through lack of knowledge / human error

Control Environment Examples
- Demonstrated commitment to integrity and ethical values – "tone at the top" and throughout
- Responses to audit management letters
- Codes of conduct
- Mission and value statements
- Oversight in the development and performance of internal control – audit committee, internal audit
- Attitude to external and internal audit

Control Environment Examples
- Policies (e.g. fraud, whistleblowers, internal control)
- Existence and maturity of audit committee
- Training and awareness programs
- Penalties / consequences for breaches clearly defined and enforced
- Good staff selection, appointment and probation processes, aimed at attracting and retaining competent staff aligned to strategic objectives (e.g. preference for internal appointments)

Risk Assessment
- Must be documented
- Weaknesses contribute towards forming an opinion that Council has not given adequate attention to ensuring that internal controls are sufficient, and that multiple significant deficiencies in internal control are likely to exist as a result.
- Without a risk assessment, Council has no basis for prioritising controls or responses to control weaknesses

Risk Assessment Should Document
- Risk tolerance
- Risk identification – including fraud risks and involving input from a range of staff and managers across Council
- Risk analysis – consider probability of occurrence and severity
- Risk evaluation – which risks are to be treated and the priority for treatment
- Risk treatment
- Communication, monitoring and review

Control Activities
Failure of a control activity could either:
- Individually, result in a material weakness; or
- Result in a material weakness when considered in aggregate with other control weaknesses
Better Practice Model "Part 2" contains examples of control activities. These are not mandatory.

Core Controls
- Must consider implementing, document if not
- Acceptable reasons could be:
  - Alternative / compensating control
  - Cost / benefit
  - Not applicable / practical

Additional Controls
- Applicability dependent on risk profile, size, functions
- Prioritisation should depend on risk
- Can be important

Testing Control Effectiveness
- Risk based approach, sample basis
- High Risk Business Cycles, e.g.:
  - Procurement
  - Cash
  - Payroll
- High Risk Controls, e.g.:
  - EFT Security
  - Delegations
- Council's CSA may guide sample selection

Policies and Procedures
- Should have in place for key business processes
- Absence of policy / procedure decreases likelihood of control being exercised consistently, or in accordance with the intention of Council
- Should be authorised, reviewed regularly, sanctions for wrong-doing, supported by adequate training / communication

Information and Communication
- Weaknesses in the information and communication cycle will contribute towards forming an opinion that multiple significant deficiencies in internal control are more likely to exist
  - Training and awareness programs
  - External Communication (e.g. requirement for POs, no gifts, communication with bank re online security, required # of signatories, etc.)

Monitoring Activities
- Controls may be designed effectively, but not operating effectively, i.e. frequently ignored / bypassed either deliberately or through lack of knowledge / human error.
- Without Monitoring, on what basis is CEO certifying compliance with s 125?
- No particular monitoring methodology specified in the Better Practice Model.

Control Self Assessment
- Control Self Assessment ("Control Track") is the leading practice
- 2 Approaches:
  1) Desktop review
  2) Testing
- If CSA is performed properly and honestly, and is supported by appropriate work papers and independent review, it may be used by auditors to guide testing

Control Self Assessment
- If a Council identifies a control failure in a timely manner via CSA, and implements an appropriate action plan to correct the failure, the auditor can take this into consideration when forming an opinion as to whether a control failure represents a material weakness.

Material weakness in internal control
- A deficiency, or combination of deficiencies, such that there is a reasonable possibility that a material non-compliance with law will not be prevented, detected, or corrected on a timely basis (consider likelihood vs. magnitude); or
- Multiple significant deficiencies which, considered collectively, result in a determination that a material weakness exists.
A significant deficiency = a deficiency, or combination of deficiencies less severe than a material weakness, yet are important enough to warrant the attention of Council.

Materiality
- Per ASAE 3100:
- Considered in the context of quantitative and qualitative factors:
  - relative magnitude of instances of detected or suspected non compliance
  - the nature and extent of the effect of these factors on the evaluation of compliance with the requirements as measured by the suitable criteria
  - the interests of the intended users.
- Professional Judgment

Materiality
- Consider importance of control, e.g.:
- Policies
  - Key Control = policy exists and is approved
  - Secondary controls = reviewed regularly, sanctions for wrong-doing, supported by adequate training / communication
- Reconciliations
  - Key Control = key accounts reconciled
  - Secondary Control = other accounts reconciled

Materiality
- Consider other factors:
  - Length of control failure
  - Existence of compensating controls
  - Type of control that has failed (e.g. detective, corrective, preventative, directive)
  - Has failure been identified by Council?
  - Action plans in place to address – timely, appropriate
  - The risk being managed by the control

Examples – Individually Material Controls
- Bank reconciliations too infrequent, not supported by appropriate independent review, not integrated with system (e.g. on spreadsheets only)
- Weak online banking / EFT security (e.g. excessive access, excessive dollar value limits, password sharing)
- Inadequate physical security over cash collections (e.g. not in locked safe, excessive staff access)
- Lack of significant contracts

Examples – Individually Material Controls
- Lack of segregation of duties without compensating controls (e.g. detective controls, IT controls) – segregate recording, authorising, approving transactions and handling the related asset.
- Lack of documented delegations
- Lack of authorisation for transactions
- Lack of security over blank cheques, inc. presigning blank cheques, access to blank cheques

Examples – Combination of weaknesses = material weakness
- Weak General Ledger access restrictions (without these, internal controls can be overridden, segregation of duties may be unachievable)
  - General Journal entry controls
  - Master-file access (e.g. rates, payroll, vendor)
- General ledger / sub ledger reconciliations not performed
- Inadequate budget monitoring process
- Insufficient insurance (public liability, plant and equipment)
- Policies lacking and/or not reviewed

Examples – Combination of weaknesses = material weakness
- Lack of management review
  - Fortnightly payroll reports, inc. bona-fide (current vs standard pay)
  - EFT payment reports
  - Master file changes reports
  - Budget vs actual expenditure
  - Rate rebates
  - Aged debtors
  - Leave balances (AL, LSL)
  - Job costing / works order report

Examples – Combination of weaknesses = material weakness
- Lack of documented key procedures – written step-by-step, screenshots, process maps
- Excessive manual processes without sufficient checking (e.g. manual termination payment / leave calculations, manual reconciliations)
- Lack of appropriate off-site backup of data, program and documentation.
- Lack of registers (contracts, grants, elected member expenses, etc.)