Inspector General Institute Jacksonville, FL August 2021
Transcript of Inspector General Institute Jacksonville, FL August 2021
Inspector General Institute®
Jacksonville, FLAugust 2021
www.theclarusgroup.com
© Clarus Group 2021
Dan Ahern, CIG, CFE. CGFM, MCPPOClarus [email protected]
Pamela Bloomfield, CIG, MCPPOClarus [email protected]
781-878-6000www.theclarusgroup.com
© Clarus Group 2021
Know standards applicable to audits, inspections, evaluations, and reviews and their major similarities and differences
Understand challenges and opportunities related to supervision, oversight, and leadership of OIG functions
Understand essential elements of persuasive report findings and recommendations
© Clarus Group 2021
Review of standards Focus on three issues Doing what is important Doing it well Doing what is right
© Clarus Group 2021
IIA and GAO Shift over time from financial audits to
performance audits Standards
© Clarus Group 2021
Audits InspectionsGAO Yellow Book1972 PCIE Inspections 1993IIA Red Book 1978 AIG Green Book 2001
Issued by Comptroller General of the United States
Generally Accepted Government Auditing Standards (GAGAS)
July 2018 revision April 2021 Technical Updates including addition of
concept of equity Framework “for conducting high-quality
engagements with competence, integrity, objectivity, and independence” (1.06)
© Clarus Group 2021
Foundation and principles for use and application
General requirements Standards applicable to all audits Standards for financial audits Standards for attestation engagements and
reviews of financial statements Fieldwork standards for performance audits Reporting standards for performance audits
© Clarus Group 2021
The concept of accountability for use of public resources and government authority is key to our nation’s governing processes. Management and officials entrusted with public resources are responsible for carrying out public functions and providing service to the public effectively, efficiently, economically, ethically, and equitably within the context of the statutory boundaries of the specific government program. (1.02)
© Clarus Group 2021
The administration of a government program or activity is equitable when it consistently serves members of the public, distributes public services, and implements public policy in a manner that promotes fairness, justice, and equality. Auditing . . . may include assessing the equality of access to and provision of services; procedural fairness and equal treatment of
individuals in government programs and policies; causes of disparate outcomes; or distributional impacts of public policies,
programs, resources, and services.
© Clarus Group 2021
The professional standards and guidance contained in this document provide a framework for conducting high-quality engagements with competence, integrity, objectivity, and independence. . . . (1.06)
© Clarus Group 2021
Engagements conducted in accordance with GAGAS provide information used for oversight, accountability, transparency, and improvements of government programs and operations. GAGAS contains requirements and guidance to assist auditors in objectively obtaining and evaluating sufficient, appropriate evidence and reporting the results. . . . (1.07)
© Clarus Group 2021
Requirements Unconditional (must) Presumptively mandatory (should)
Application guidance (may, might, could) Applicability of other standards Statement of compliance in audit reports Unmodified Modified
© Clarus Group 2021
“. . . provide an independent assessment of whether an entity’s reported financial information (e.g., financial condition, results, and use of resources) is presented fairly, in all material respects, in accordance with recognized criteria. . . .” (1.17)
© Clarus Group 2021
Financial statement audits “provide financial statement users with an opinion by the auditor on whether an entity’s financial statements are presented fairly, in all material respects, in accordance with an applicable financial reporting framework.” (1.17a)
Other types of financial audits (1.17b)
© Clarus Group 2021
Attestation engagements can cover a broad range of financial or nonfinancial objectives about the subject matter or assertion depending on the users’ needs. In an attestation engagement, the subject matter or an assertion by a party other than the auditors is measured or evaluated in accordance with suitable criteria. (1.18)
© Clarus Group 2021
Examination Review Agreed-upon procedures
© Clarus Group 2021
“Performance audits provide objective analysis, findings, and conclusions to assist management and those charged with governance and oversight with, among other things, improving program performance and operations, reducing costs, facilitating decision making by parties responsible for overseeing or initiating corrective action, and contributing to public accountability.” (1.21)
© Clarus Group 2021
Objectives vary widely and include assessments of:Program effectiveness and results (often interrelated with economy and efficiency)
Internal controlComplianceProspective analysesOther
© Clarus Group 2021
Ethical principles The public interest Integrity Objectivity Proper use of government information, resources,
and positions Professional behavior
© Clarus Group 2021
In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity
Auditors and audit organizations should avoid situations that could lead reasonable and informed third parties to conclude that the auditors and audit organizations are not independent
© Clarus Group 2021
Independence comprises Independence of mind Independence of appearance
© Clarus Group 2021
Apply conceptual framework to
1. Identify threats to independence2. Evaluate significance of threats3. Apply safeguards to eliminate or reduce
threats to an acceptable level
If no safeguards are available, independence would be considered impaired
© Clarus Group 2021
Threats Self-interest Self-review Bias Familiarity Undue influence Management participation Structural
© Clarus Group 2021
An auditor should decline to perform an audit or terminate an audit in process if threats are so significant that they cannot be eliminated or reduced to an acceptable level
In such instances, independence is impaired
© Clarus Group 2021
External auditor independence Internal auditor independence Internal auditors who work under the
direction of the audited entity’s management are considered independent for the purposes of reporting internally under certain criteria
Internal auditors who perform audits of external parties such as contractors are considered independent where no impairments exist
© Clarus Group 2021
Nonaudit services may create threats to auditor independence
Considerations Ability of management to oversee services Assumption of management
responsibilities
© Clarus Group 2021
Reasonable care – acting diligently in accordance with professional standards and ethical principles
Professional skepticism –a questioning mind, awareness of conditions that may indicate possible misstatement owing due to error or fraud, and a critical assessment of evidence. . . . it includes a mindset in which auditors assume that management is neither dishonest nor of unquestionably honest
© Clarus Group 2021
Staff assigned to audit must individually and collectively possess competence for required tasks
Organizations should have process to recruit, hire, continuously develop, assign, and evaluate competent staff so that the workforce has the essential knowledge, skills, and abilities necessary to conduct the engagement
© Clarus Group 2021
Auditors who plan, direct, perform engagement procedures for, or report on an engagement should complete at least 80 hours of CPE in every two-year period. 24 hours in subject matter directly related to the
government environment, government auditing, or the specific or unique environment in which the audited entity operates
56 hours in subject matter that directly enhance auditors’ professional expertise to conduct engagements
© Clarus Group 2021
Auditors who spend at least 20 percent of their time on GAGAS audits should complete at least 80 hours of CPE in every two-year period
The audit organization should maintain documentation of each auditor’s CPE
© Clarus Group 2021
Quality control system designed to provide reasonable assurance that the organization and personnel comply with professional standards and legal and regulatory standards
Audit organizations not already subject to a peer review requirement should obtain an external peer review at least once every three years
© Clarus Group 2021
Planning the audit Conducting the engagement Supervising staff Obtaining sufficient, appropriate evidence Preparing audit documentation
© Clarus Group 2021
Form of the report Report contents Report issuance Report distribution
© Clarus Group 2021
Institute of Internal Auditors International Standards for the Practice of Internal Auditing
Association of Inspectors General Quality Standards for Inspections, Evaluations, and Reviews
Council of the Inspectors General on Integrity and Efficiency (CIGIE) Quality Standards for Inspection and Evaluation
Evaluation standards
© Clarus Group 2021
Mandatory Guidance Definition of Internal Auditing Code of Ethics (January 2009) Standards (January 2017)
Recommended Guidance Implementation Guidance (Practice
Advisories) Supplemental Guidance (Practice Guides)
© Clarus Group 2021
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
The Institute of Internal AuditorsProfessional Practices Framework
© Clarus Group 2021
“Assurance services involve the internal auditor’s objective assessment of evidence to provide opinions or conclusions regarding an entity, operation, function, process, system, or other subject matters. The nature and scope of an assurance engagement are determined by the internal auditor. . . .”
The Institute of Internal AuditorsProfessional Practices Framework
© Clarus Group 2021
“Consulting services are advisory in nature and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. . . . When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility.”
The Institute of Internal AuditorsProfessional Practices Framework
© Clarus Group 2021
Attribute Standards Performance Standards
© Clarus Group 2021
Characteristics of organizations and individuals performing internal auditing 1000 Purpose, Authority, and Responsibility 1100 Independence and Objectivity 1200 Proficiency and Due Professional Care 1300 Quality Assurance and Improvement
Program
© Clarus Group 2021
Describe the nature of internal auditing and provide quality criteria against which performance can be measured 2000 Managing the Internal Audit Activity 2100 Nature of Work 2200 Engagement Planning 2300 Performing the Engagement 2400 Communicating Results 2500 Monitoring Progress 2600 Communicating the Acceptance of Risks
© Clarus Group 2021
General Standards Staff qualifications Independence Due professional
care
© Clarus Group 2021
Qualitative Standards Quality control Planning Data collection and
analysis Evidence Timeliness Fraud and other illegal
acts Reporting Confidentiality Follow-up
General StandardStaff Qualifications
Individuals assigned to conduct inspection, evaluation, and review activities should collectively possess the knowledge, skills, and experience required for the work.
© Clarus Group 2021
General StandardIndependence
The Inspector General and OIG staff involved in performing or supervising any assignment should be free from personal or external impairments to independence and should constantly maintain an independent attitude and appearance.
© Clarus Group 2021
General StandardDue Professional Care
Due professional care should be used in conducting inspections, evaluations, and reviews and in preparing accompanying reports.
© Clarus Group 2021
Qualitative StandardQuality Control
To ensure quality and expedite the progress of an inspection, evaluation, or review, proper supervision will be exercised from the start of such work to completion of the final report.
© Clarus Group 2021
Qualitative StandardPlanning
Inspection, evaluation, and review work is to be adequately planned.
© Clarus Group 2021
Qualitative StandardData Collection and Analysis
Information and data obtained about the organization, program, activity, or function being examined should be consistent with the inspection, evaluation, or review objectives, carefully documented and organized, and lead to a reasonable basis for conclusions.
© Clarus Group 2021
Qualitative StandardEvidence
Sufficient, competent, and relevant evidence is to be obtained to afford a reasonable basis for inspection, evaluation, and review findings and conclusions.
© Clarus Group 2021
Qualitative StandardEvidence
Sufficient - there is enough evidence to support the report’s findings
Relevant - evidence has logical, sensible relationships to those findings
Competent - evidence is consistent with fact (valid)
© Clarus Group 2021
Qualitative StandardTimeliness
Inspections, evaluations, and reviews should be conducted in a timely manner.
© Clarus Group 2021
Qualitative StandardFraud and Other Illegal Acts
OIG staff . . . [should] be alert for indications of illegal activity . . . . If . . . staff become aware of illegal acts, or indications of such acts, they should promptly present such information to their supervisors for review and possible referral to the appropriate investigative office.
© Clarus Group 2021
Qualitative StandardReporting
Inspections, evaluations, or reviews should result in a timely written report to appropriate officials. All reports should present factual data accurately, fairly, and objectively, and present findings, conclusions and recommendations in a persuasive manner.
© Clarus Group 2021
Qualitative StandardConfidentiality
The OIG should establish and follow procedures for safeguarding the identity of confidential sources and for protecting privileged and confidential information.
© Clarus Group 2021
Qualitative StandardFollow-Up
Appropriate follow-up should be performed to ensure that any recommendations are adequately considered and properly addressed.
© Clarus Group 2021
Fundamental objectives of OIGs Promote accountability, transparency,
good government, high performance Prevent and detect fraud, waste, and
abuse Add value Best done by identifying what is important
and pursuing it
© Clarus Group 2021
Leadership challenges Standards and best practices Pitfalls and lessons learned
© Clarus Group 2021
Fulfill OIG mission Improve government operations Boost public confidence in government
© Clarus Group 2021
Report may be inaccurate or incomplete Report may be biased or unclear Report may be untimely or otherwise
ineffective
© Clarus Group 2021
How high are the stakes? Immediate repercussions Longer-term consequences
© Clarus Group 2021
Planning the audit Conducting the engagement Supervising staff Obtaining sufficient, appropriate evidence Preparing audit documentation
© Clarus Group 2021
Framework for applying the fieldwork standards: Evidence Significance Audit risk
© Clarus Group 2021
Sufficient, appropriate evidence provides a reasonable basis for findings and conclusions that are valid, accurate, appropriate, and complete
© Clarus Group 2021
Significance is the relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors
© Clarus Group 2021
Findings, conclusions, and recommendations may be improper or incomplete
Process may fail to detect a mistake, inconsistency, significant error, or fraud
© Clarus Group 2021
Factors affecting audit risk include: Time frames Complexity Sensitivity Dollars at stake Adequacy of program systems and
procedures Access to records
© Clarus Group 2021
Assess significance Assess audit risk Conduct preliminary research Applicable laws and regulations Contracts Program purpose or mission Previous audits or reviews Relevant literature
© Clarus Group 2021
Government Auditing Standards require a written audit plan documenting key decisions regarding: Objectives Scope Methodology (reflects criteria)
AIG Standards require written work plan Similar list to GAS “Manner in which the work will be
conducted”
© Clarus Group 2021
Work plan detail may depend on OIG familiarity with and access to program or subject matter reviewed
Obtaining relevant documents before interviewing participants can expedite review and provide essential context
Tensions Timeliness and thoroughness Procedural efficiency and issue
complexity
© Clarus Group 2021
Objectives, scope, and methodology may require adjustment in response to unforeseen conditions or developments
Planning is a continuous process throughout the audit, inspection, evaluation, or review
© Clarus Group 2021
Understand nature of the program to be audited and user needs
Determine and document whether internal control is significant to the audit objectives
Assess the risk of fraud
© Clarus Group 2021
Government Auditing Standards require that: Staff and specialists assigned to the audit
possess adequate collective professional competence
Audit supervisors provide sufficient guidance and direction, stay informed about significant problems encountered, and provide effective on-the-job training
© Clarus Group 2021
AIG Standards require supervisory reviews to determine that: Evidence is adequate to support findings,
recommendations, and conclusions Review objectives are met Work plans are followed unless deviation
is justified and authorized
© Clarus Group 2021
Inappropriate interview conduct can affect Quality and quantity of evidence collected Interviewees’ perception of OIG
objectivity
© Clarus Group 2021
Examples of problematic conduct Overly aggressive or snide tone Skeptical or hostile body language Lack of note-taking Cutting off interviewee responses Filling allotted time with irrelevant chat Offering unwarranted reassurance Asking leading questions Affirmation through responses or head
nodding
© Clarus Group 2021
Appropriate interview conduct is neither hostile nor excessively friendly
Professional distance is essential Silence can be an effective interview tool
© Clarus Group 2021
Clarify expectations regarding interview conduct
Assign inexperienced reviewers to observe interviews conducted by senior reviewers
Provide guidance regarding requests to go “off the record”
Create a culture that encourages full staff debate and information disclosure
© Clarus Group 2021
Types of Evidence Physical (direct inspection or
observation) Documentary (existing information) Testimonial (obtained through
interviews, focus groups, questionnaires) Triangulation: obtaining evidence from a
variety of sources
© Clarus Group 2021
Sufficient: Measure of quantity Is there enough evidence to persuade a
knowledgeable person that the findings are reasonable?
Appropriate: Measure of quality Relevance Validity Reliability
© Clarus Group 2021
The greater the risk, the greater the quantity and quality of evidence required
Stronger evidence may allow less evidence to be used
A large volume of evidence does not compensate for lack of relevance, validity, or reliability
© Clarus Group 2021
Deficiencies in internal control, noncompliance, or fraud
Waste: The act of using or expending resources carelessly, extravagantly, or to no purpose◦ Relates primarily to mismanagement,
inappropriate actions, and inadequate oversight Abuse: Behavior that is deficient or
improper◦ Includes misuse of authority or position for
personal financial interests or those of a family member or business associate
© Clarus Group 2021
1. Criteria: The required or desired state or expectation with respect to program or operation
2. Condition: The existing situation3. Cause: The factors responsible for the
difference between the condition and the criteria
4. Effect or potential effect: The outcome or consequence resulting from the difference between the condition and the criteria
© Clarus Group 2021
The elements needed for a finding are related to the objectives of the audit
Some audits will not require development of elements such as cause or effect
© Clarus Group 2021
Government Auditing Standards require auditors to prepare audit documentation related to planning, conducting, and reporting
Audit documentation should be sufficiently detailed to enable an experienced auditor with no previous connection to the audit to understand the audit contents
© Clarus Group 2021
Accurate Objective Complete Convincing Clear Concise Timely
© Clarus Group 2021
Inspections, evaluations, or reviews should result in a timely written report to appropriate officials
All reports should present factual data accurately, fairly, and objectively, and present findings, conclusions, and recommendations in a persuasive manner
© Clarus Group 2021
Missing or deficient organizational structure Opinions presented as evidence Interview notes presented as findings Unsubstantiated leaps of logic Inappropriate tone Loaded words Incorrect grammar
© Clarus Group 2021
Research on complexity and courage in government executive decision-making identified two types of difficult decisions: Decisions that require complex analysis Decisions for which the difficulty is not
determining the right thing to do but having the courage actually to do it
© Clarus Group 2021
Decisions that require complex analysis: Seek more and more diverse sources of
input and information Avoid rushing to judgment
© Clarus Group 2021
Decisions for which the difficulty is not determining the right thing to do but having the courage actually to do it: Rely on personal values Limit deliberations to a small group of
trusted, supportive advisors In the end, trust your gut
© Clarus Group 2021
OIGs sometimes face internal or external impediments to doing what is right
Principles and standards – including those relating to independence, objectivity, and ethics – can help guide IGs
© Clarus Group 2021
Integrity Commitment Leadership
© Clarus Group 2021