
Public Finance Management (PFM) basically deals with all aspects of resource mobilization and expenditure management in government. It is an essential part of the governance process. Public Finance Management includes the following:
- Resource mobilization
- Prioritization of programmes
- The budgetary process
- Efficient management of resources and exercising controls

Financial Management Cycle


- Audit & Review
- Planning & Programming
- Budget, Accounting & Control
- Budgeting

Generally, public finance management in developing countries is poor as a result of a lack of transparency and accountability, which results in a high level of corruption and wastage of public resources.

Outline
I. Framework
  - Expenditure Management Cycle
  - Three Objectives
  - Five Principles

II. Good Practices
  - Basic Institutions
  - Core processes

III. Budget Execution
  - Objectives
  - Core treasury functions
  - Contingent liabilities
  - Expenditure Control Approaches
    1. Central versus Delegated Control
    2. General Tensions
  - Managing Well
  - FMIS
  - Essentials of Good Financial Management

Expenditure Management Cycle


[Diagram of the expenditure management cycle. Labels recovered from the figure:]
- Financial management system boundaries
- Project appraisal
- Medium term plans, e.g. three year rolling plans
- Resource allocation
- Annual budgets
- Development, recurrent and revenue
- Planning system
- Expenditure review
- Public expenditure review
- Institutions
- Fund release procedure, e.g. warranting
- Accountability
- Audit system
- Accounting for revenue and expenditure
- Reports and financial statements

Source: Adapted from Integrated Financial Management. Michael Parry, International Management Consultants Limited. Training Workshop on Government Budgeting in Developing Countries. THE UNITED NATIONS. December 1997.

Three Objectives of Public Expenditure Management Systems


- Macrofiscal discipline and stability
  - Avoid public finance crises
  - Support economic growth and stability
- Strategic allocation of resources
  - Match government policy with programs, objectives
- Technical efficiency
  - Getting the most from spending

Basic principles of PEM


Comprehensiveness
include all revenue and expenditure, all agencies

Accuracy
record actual transactions and flows

Annuality
cover a defined period of time (e.g. one year budget, multi-year forecasts)

Authoritativeness
only spend as authorized by law

Transparency
information on spending is public, timely, understandable

What are Good Practices?


- Attaining and maintaining good basic institutions
  - Basic public finance institutions must work well for good policy and program outcomes
  - Too often countries reach for advanced OECD reforms, neglecting basic institutions
- Dedication to continuous system examination, learning and improvement
  - Institutional development is long term

What are the basic institutions?


[Diagram of the basic institutions. Labels recovered from the figure:]
- Info. System
- Cash Mgmnt
- Debt Mgmnt
- Multi-year Plan
- Internal Audit
- Comprehensive Reporting
- Practices
- Organizations
- Laws
- Control Environment
- Accounting and Record Keeping
- External Audit

Core Processes
Ministry of Finance
- Budget Allocations
- Supplemental Budgets
- Virements
- In-year monitoring and correction

Treasury
- Warrants (cash allocations)
- Cash Flow Management (forecasting, planning, sequestration)
- debt management
- financial asset management
- accounting (policy, system management, chart of accounts)
- make payments
- collect revenues
- account management and reconciliation
- Central Bank relations

Spending Ministry / Spending Unit
- asset management
- procurement, contracting
- payroll/personnel mngmnt
- internal control
- program management
- spending (commitments)
- recording & reporting
- payment orders
- verification of receipt of goods/services
- program/cash plans

Financial Management is Everyone's Responsibility, and Service Delivery is also MoF's Responsibility

Objectives of Budget Execution


- Manage spending and revenues to budget
  - support choices of elected officials
  - allow budget to be planning and steering tool
  - promote macrofiscal discipline
- Reduce opportunities for corruption
- Enable program implementation (service delivery)
  - assure resources flow to programs
  - allow budget to be aid to operational efficiency through spending unit advance planning, efficient administration
  - enable program managers to achieve objective

Core Treasury Functions


- Cash management (flow and stock)
- Financial asset management
- Debt management, servicing; guarantee and contingent liability management
- Accounting (policy, chart of accounts, general ledger) and reporting
- Revenue collection, forecasting
- Account management (payment, collection, reconciliation)
- Central Bank relations

Contingent liabilities
- Government acts as a guarantor of debt repayment in the event that the borrower cannot make repayment, or of payment under certain conditions
  - Loan, pension benefit, bank deposit, agricultural price
- Contingent debt must be managed with the same detail as direct debt. As with direct debt, these contingent debts must be inventoried and monitored in a central location.
- Active identification, monitoring, management of risk important

Expenditure Control Approaches


External (to spending unit)
- Ex ante (to commitment)
  - Centralized commitment control (transaction approval)
  - Allocations (commitment limits)
  - Warrants (cash limits)
  - Procurement rules
  - Personnel/pay rules
- Ex post
  - Central internal audit, external audit
  - Regular reporting
  - Quarterly close-outs

Internal
- Ex ante (to commitment)
  - Ministry or spending unit transaction approval
  - Procedures to minimize risk (internal controls)
- Ex post
  - Ministry internal audit
  - Performance management

Central control versus Managerial Flexibility


Tensions between needs of center to
- Control cash flow
- Control policy

And agency need to manage programs
- Larger, less detailed allocations
- Longer time horizon
- Greater transfer authority/flexible application of resources

General Tensions
[Diagram. Labels recovered from the figure: Financial Management authority; Central control; Delegation; Agent accountability for results; Agent incentive for off-budget activity; Efficiency, economy. Three links in the figure are marked "+".]

To manage well requires:


- Monitoring/managing
  - Cash balances
  - Cash flow (inflow, outflow)
  - Commitments
  - Arrears
  - Contingent liabilities
  - New legislation/mandates
  - Off-budget activity
- Understanding future impact of current decisions

Definitions

What is an FMIS?
Financial management system:
- Information system that tracks financial events and summarizes information
- Supports adequate management reporting, policy decisions, fiduciary responsibilities, and preparation of auditable financial statements
- Should be designed with good relationships between software, hardware, personnel, procedures, controls and data

Generally, FMIS refers to automating financial operations

Definitions

What are core and non-core FMIS systems?


- Core systems: General ledger, accounts payable and receivable. May include financial reporting, fund management and cost management.
- Non-core systems: HR/payroll, budget formulation, revenue (tax & customs), procurement, inventory, property management, performance, management information

Definitions

What is integrated FMIS?


- Can refer to core and non-core integration
- But, generally, four characteristics*
  - Standard data classification for recording events
  - Common processes for similar transactions
  - Internal controls over data entry, transaction processing, and reporting applied consistently
  - Design that eliminates unnecessary duplication of transaction entry

*from Core Financial System Requirement. JFMIP-SR-02-01. Joint Financial Management Improvement Program. Washington, D.C., November 2001.

What constitutes a good FMIS system?


Ability to*
- Collect accurate, timely, complete, reliable, consistent information
- Provide adequate management reporting
- Support government-wide and agency policy decisions
- Support budget preparation and execution
- Facilitate financial statement preparation
- Provide information for central agency budgeting, analysis and government-wide reporting
- Provide complete audit trail to facilitate audits

*from Core Financial System Requirement. JFMIP-SR-02-01. Joint Financial Management Improvement Program. Washington, D.C., November 2001.

Essentials of Good Financial Execution


- Timely, accurate in-year reporting
- Internal controls, audit
- External audit
- Sufficient detail to identify sources of overspending
- Sufficiently regular reporting to allow timely management intervention
- Comprehensive system
- Accountability framework, control environment

Criteria for Assessing Budget Execution System


Element / Budget Execution Features

Aggregate Fiscal Discipline
- Commitment control system limits commitments to available resources, supporting avoidance of arrears during retrenchment.
- Treasury cash management further supports matching of expenditures to revenues.
- Treasury payment system and internal controls support proper payments.
- Accounting system and Financial Management Information System (FMIS) support comprehensive, timely and accurate information on spending and revenues for government and line ministry management.
- Fiscal and banking accounts regularly reconciled. Annual accounts closed in timely manner.
- Debt management assures sustainable debt policy, timely issuance of debt for cash flow management and reaching the spending target.
- Internal audit detects and corrects fraud, waste, and abuse; assures integrity of financial information.
- External audit assures fairness and accuracy of financial reporting, effectiveness of internal audit and control systems.

Allocative Efficiency
- Commitment and Treasury controls execute the budget as approved.
- Formal, transparent procedures used to amend budget if necessary.
- Frequency of FMIS reporting allows management action to correct deviations from approved budget.

Technical Efficiency
- Budget execution (commitment and cash controls) limits critical expenditures, but supports flexible resource use at program level (e.g. across non-personnel economic classifications, with respect to seasonal spending patterns) for efficiency (controls are not excessively detailed to prevent management of program).
- FMIS supports program managers.
- Civil service system supports quality public staff, flexibility in reallocating staff resources, restructuring workforce.
- Procurement system supports competitive, efficient, timely contracting.
- Internal audit may identify options for improved economy and efficiency.

Source: Draft Federal Republic of Yugoslavia PEIR, May 2002

Financial Rules And Regulations In Nigeria (2009 Edition)


Financial Rules and Regulations In Nigeria.


Introduction

The Financial Regulations are a body of rules that provide guiding principles, methods and uniformity in the conduct, recording and controlling of financial transactions, events and position in government. They are designed to achieve probity and accountability in government. They are made to guide and regulate actions of executives in order to enable them to make decisions that are rational and non-personal.

Financial Rules and Regulations In Nigeria, Contd.


Other sources of financial Rules, Regulations and Authorities include:
- The Nigerian Constitution, 1999. Highlights key financial requirements like payment of revenues into the Federation Account and Consolidated Revenue Fund (CRF), the authorization of expenditure from the two accounts, the Audit of Public Accounts, the Revenue Allocation etc.
- Audit Ordinance Act, as amended.
- Financial (Control and Management) Act 1958, as amended.
- The annual Appropriation law, the Supplementary Appropriation law and the Allocation of Revenue Act 1981, amended.
- The Minister of Finance / Accountant-General of the Federation's periodic circulars in accordance with either laws and policies
- Other Financial Circulars from the presidency, SGF and HOS.

Financial Rules and Regulations In Nigeria, Contd.


The Needs for FR. Financial Regulations are used to:
(i) Guide the day-to-day financial operations of Government ministries, extra-ministerial depts., agencies, parastatals and other arms of government (the Legislature and Judiciary).
(ii) Ensure appropriate system of information flow from management to finance and account staff.
(iii) Provide common standard procedures and guides by which Auditors and Treasury inspectors can ascertain that ministries are able to control and maintain up-to-date records of financial transactions.
(iv) Promote fiscal accountability, management accountability and programme results accountability in government financial management and control.

Financial Rules and Regulations In Nigeria, Contd.


Major Highlights
- Accountability and Probity: Both the AGF and the Accounting Officers (PS & CEOs) are enjoined by FR No. 101 to establish sound financial and accounting systems in government to ensure optimal utilization of scarce resources, strict compliance with FR to achieve government objectives.
- Revenue Accounting: All revenues must be paid into government coffers. They must be properly documented.
- Rendition of monthly Accounts: The nature of the Transcript Accounts. The contents and supporting documents required (sample demonstration).

Selected Provisions of the 2009 Revised Financial Regulations


Introduction: The following essential provisions will be highlighted for in-depth discussion.
- Financial Authorities and Responsibilities of Public Officers
- Revenue Collection and Accounting
- Authorities for Expenditure
- Classification and Control of Expenditure
- Payment Procedure
- Cash Management
- Imprest
- Salary Administration
- Internal Audit

Selected Provisions of the 2009 Revised Financial Regulations contd


- Board of Survey
- Government Vehicles
- Store Accounting and Custody
- Loss of Government Fund
- Stock Verification
- Public Procurement Contracts
- Offences and Sanction
- Pension Scheme in the Public service
- Financial guidelines for the operations of parastatals

Discuss in class the relevant provisions directly from the 2009 Revised Edition of Finance Regulation.

FCT A(Treasury Department) @ 2010

JK Consulting

Financial Authorities and Responsibilities of Government Officials


Financial Authorities and Responsibilities of Public Officers.


The following government officers have important financial responsibilities to perform as enshrined in the finance regulations.

(i) The Minister of Finance
(ii) The Accountant-General of the Federation
(iii) The Auditor-General for the Federation
(iv) The Accounting Officers (i.e. the Permanent Secretary and Head of Extra-Ministerial Departments and Agencies)
(v) The Treasury Accountants (i.e. the DFAs etc.)
(vi) The Treasury Inspectorate Staff
(vii) The Sub-Accounting Officers
(viii) The Revenue Collectors
(ix) The Imprest Holder

Financial Authorities and Responsibilities of Public Officers, Contd


(1) The Minister of Finance: The functions include:
- Formulates fiscal policies of government.
- Harmonizes fiscal and monetary policies of government.
- Handles the formulation, preparation, execution and monitoring of budget of government.
- Issues financial warrant without which the Accountant-General cannot release funds to the ministries and extra-ministerial departments.
- Receives statutory financial statements of accounts from the Accountant-General of the Federation.
- Debt management of the country.

Financial Authorities and Responsibilities of Public Officers, Contd


(2) The Accountant-General of the Federation: The functions include:
- Head of the accounting services and treasury.
- Serves as the Chief Accounting Officer of receipts and payments of the government of the federation.
- Supervises the accounts of the federal ministries and extra-ministerial departments.
- Collates, presents and publishes statutory financial statements of accounts required by the Federal Minister of Finance.
- Maintains and operates for government the following accounts: the Consolidated Revenue Fund (CRF); Development Fund; Contingency Fund; and other Public Funds (the AGF provides cash-backing for the operations of government).
- Manages federal government investments through the Ministry of Finance Incorporated (MOFI).
- Maintains and operates the federation account.
- Establishes and supervises the Federal Pay Offices in each state of the federation.

Financial Authorities and Responsibilities of Public Officers, Contd


(3) The Accounting Officers (Permanent Secretary of the respective ministries and Heads of Extra-ministerial departments) are entrusted with the financial stewardship of safeguarding the public funds. Functions include ensuring that:
- proper budgetary and accounting systems are established in the ministry or agency.
- there is proper internal control, accountability and transparency.
- management tools are put in place to avoid financial waste and fraud.
- all government revenues are collected and paid to CRF.
- monthly and periodical accounting returns and transcripts are rendered to OAGF.
- prudence, safety and proper maintenance of all government monies and assets under his custody.
- accurate and prompt collection of, and accounting for, all public monies received and expended.
- responsibility for answering all audit queries (from Auditor and PAC) pertaining to his/her ministry or office.

(4) Treasury Accountants (DFAs, etc.): The functions include:
- Posted from the OAGF (Treasury) to all ministries.
- They are to enforce compliance with all the provisions of the FR.
- They are to assist the accounting officer to improve the quality of financial management and control in the public sector.

(5) Treasury Inspectorate Staff: They are from the Headquarters of the Office of the Accountant-General of the Federation. They carry out:
- Inspection of the books and records of accounts of ministries etc. to ensure compliance with FR.
- Investigation of reported cases of breach of financial regulation and fraud.
- Recommendation of appropriate disciplinary action against erring officers.

(6) Internal Auditors: The functions include:
- Carry out pre-payment audit of vouchers to ensure they comply with provisions of financial regulations.
- Enforce financial regulations

Financial Authorities and Responsibilities of Public Officers, Contd


(7) The Auditor-General for the Federation: The functions include:
- Responsible for the audit and report on the public accounts of the federation.
- Serves as the external auditor for the Federal Government.
- Examines all accounts relating to public funds and property to ascertain whether, in his opinion:
  - The accounts have been properly kept;
  - All public monies are accounted for;
  - Essential records are maintained;
  - Monies have been expended for the purpose for which they were appropriated and payment fully authorized.
- Ensures that essential records are maintained and rules and procedures applied are sufficient to safeguard and control government funds and property.
- Has free access to the books, accounts, documents, files and records relating to the accounts of all ministries, agencies and extra-ministerial departments.
- Submits reports to the National Assembly within 90 days of receipt of the AGF's financial statements.

(8) Sub-Accounting Officers: The officers include:
i. The Sub-Treasurer of the Federation
ii. The Federal Pay Officers
iii. The Police Pay Officer
iv. The Army Pay Officer
v. The Custom Area Pay Officer
vi. The Pension Pay Officer

The functions include:
- Ensures the disbursement of public money
- Reports to the Accountant-General of the Federation.

(9) Revenue Collectors and Imprest Holder:
- The Revenue Collector: is an officer, other than a Sub-Accounting Officer, entrusted with an official receipt, license or ticket booklet for the regular collection of some particular form of revenue.
- The Imprest Holder: is an officer, other than a Sub-Accounting Officer, entrusted with the disbursement of public money for which vouchers cannot be presented immediately to a Sub-Accounting Officer for payment. Keeps a petty cashbook.

Modern Internal Audit Practice

Introduction
Originally, internal auditing was an attestation to the accuracy of financial matters only. In modern times, it adds services like examination and appraisal of controls, performance, risk and governance to the original role. The modern internal auditor is no longer a client's enemy, but pursues a cooperative, friendly and productive working relationship with clients.

Definition, Scope and Purpose of Modern Internal Auditing


Internal auditing is a systematic, objective appraisal by internal auditors of the diverse operations and controls within an organization to determine whether:
- Financial and operating information is accurate and reliable;
- Risks to the enterprise (or org.) are identified and minimized;
- External regulations and acceptable internal policies and procedures are followed;
- Satisfactory operating criteria are met;
- Resources are used efficiently and economically; and
- The organization's objectives are achieved.

All for the purpose of consulting with mgt. and for assisting members of the org. in the effective discharge of their governance responsibilities.
Source: IIA's Internal Auditing Standards Board (1999)

Types of Modern Internal Auditing Practice

Internal audit can be divided based on the audit techniques or objectives, as follows:
- System based audit
- Performance audit or operational audit (otherwise called value-for-money audit)
- Financial or accounting audit
- Compliance audit

Internal Audit in Government

As part of content, internal audit units are mandatorily established in government services. Paragraph 2001 of the FR (Financial Regulations) provides that the accounting officer of a ministry or extra-ministerial department shall ensure that an internal audit unit is established to provide a complete and continuous audit of the accounts and records of revenue and expenditure, plants, allocated stores and unallocated stores where applicable. Internal audit units exist in:
- All self-accounting ministries, agencies, offices and parastatals of government (MDAs).
- All federal pay offices in the states of the federation.
- Police Pay Offices.
- The Army Pay Offices.
- The legislative arm (the parliament)
- The judiciary

Internal Auditor Vs External Auditor


Similarities and overlaps

Internal auditor
(a) Is an organization employee, or can be an independent entity.
(b) Serves the needs of the organization, though the function must be managed by the organization.
(c) Focuses on future events by evaluating controls designed to assure the accomplishment of entity goals and objectives.
(d) Is directly concerned with prevention of fraud.
(e) Is independent of the activities audited, but ready to respond to all elements of management.
(f) Reviews activities continually.

External auditor
(a) Is an independent contractor.
(b) Serves third parties who need reliable information.
(c) Focuses on the accuracy and understandability of historical events as expressed in the financial statements.
(d) Is incidentally concerned with prevention and detection of fraud, but directly concerned when the financial statements may be materially affected.
(e) Is independent of management and board of directors.
(f) Reviews records supporting financial statements periodically.

Internal Audit and Management

Internal auditors must have open communication ties with top management to enable them to assist and support the management.
Internal auditors must keep the management aware of their concerns and duties, and discuss any misunderstanding or faulty expectations that management may have as to the auditors' duties and responsibilities. The relationship with management is interactive, and they are the specialists in controls.

Roles of Internal Audit in an Organization.


- It supports effective and efficient discharge of the guiding and monitoring duties of the organization's management by producing assurance services for its internal customers relating to governance, control and risk management processes.
- Internal audit brings added value and promotes achievement of the set goals by giving improvement recommendations.
- It is a management control tool which, through its operations, assists the entire organization by examining and evaluating the adequacy and efficiency of internal control and quality of operations.

Roles of Internal Audit in an Organization, contd


The internal audit verifies that the internal control system functions efficiently, economically and effectively in the following areas:
- Setting and achievement of objectives and results.
- Risk analysis and management.
- Quality and continuous improvement of operations.
- Organizational functions.
- Economical use of resources.
- Safeguarding of assets.
- Compliance with laws, regulations by the supervisory authorities.

Human Aspect of Internal Auditing


Principles of Management
- Management deals with establishing objectives and seeing that they are met through the work of others.
- An art and a science: includes creativity and intuition as well as an understanding of formal theories, laws, principles and methodologies.
- While financial auditing requires an understanding of management principles, internal auditing requires a more in-depth understanding of these management principles.

Dealing with people
- Auditors usually deal with figures, sometimes with management processes.
- Management-oriented internal auditors deal extensively with people.

Employee and Management Fraud
- Wrongdoing by deceit goes by many names. It has been called fraud, white collar crime, and embezzlement, among other things.
- Fraud can therefore be described as a false representation or concealment of a material fact to induce someone to part with something of value.
- There are two types of fraud:
  (i) Employee fraud: fraud against company/office
  (ii) Management fraud.

The importance of internal control


In the UK, guidance on internal control is known as the Turnbull report: a company's system of internal control is important for managing risks to the achievement of the company's business objectives.

Internal control can achieve 3 things:
- Efficiency and effectiveness of operation
- Ensure the reliability of the company's financial reporting to shareholders
- Ensure compliance with laws and other regulations

The importance of internal control (Contd)


- Effective financial controls are important
  - Ensure proper accounting records are maintained
- A company's strategic objectives and conditions in its business environment are continually changing (a strong system of internal control depends on the ability of the company to identify the changing risks in its business environment)

Internal Audit
A systematic examination of the activities and status of an entity, based primarily on investigation and analysis of its systems, controls and records (CIMA)

Types of audit
- Financial audit
- Compliance audit
- Performance audit
- Best value audit (VFM audit)
- Post-completion audit
- Environmental audit
- Transactions audit
- Systems-based audit
- Risk-based audit
- Management audit

Internal audit

An independent appraisal function established within an organisation to examine its activities. The objective is to assist members of the organisation in the effective discharge of their responsibilities (CIMA)

Scope of internal audit


- Effectiveness of control systems
- Compliance with policies and regulation
- Asset acquisition and security
- Information integrity
- Integrity of processes and systems
- Ensuring improvements are implemented
- Corporate governance

Head of internal audit


- Should propose and implement audit plan
- Should be independent of the Chief Financial Officer
- Should report to Audit Committee

Systems-based audit

- Identify system objectives
- Identify procedures
- Identify risk to achievement of objectives
- Identify ways to manage the risk
- Decide whether controls are adequate
- Test to see whether controls are effective
- Report findings
- Monitor implementation of recommendations

Risk-based internal audit


Provides assurance that:
- Risk management processes are operating as intended
- Risk management processes are of sound design
- Responses to risks are adequate
- Control framework is appropriate

Risk maturity of the organisation


- Risk naive
- Risk aware
- Risk defined (Specific)
- Risk managed
- Risk enabled (allow)

Audit plan
- Terms of reference
- System definition
- Risks
- Scope of work
- Milestones and resources
- Reporting and review
- Audit programme and techniques
- Staff allocated

Analytic review
- Ratio analysis
- Benchmarking
- Inspection
- Corroboration
- Surveys/questionnaires
- Narratives
- Flowcharting
- Testing
- Reconciliation

Internal control
The whole system of internal controls, financial and otherwise, established in order to provide reasonable assurance of:
- Effective and efficient operation
- Internal financial control
- Compliance with laws and regulations
(CIMA)

COSO model of internal control


(Committee of Sponsoring Organisations, 1992)
- Control environment
- Risk assessment
- Control activities
- Monitoring
- Information and communication

COSO
Control environment
The control environment can be thought of as management's attitude, actions and awareness of the need for internal controls. If senior management does not care about internal controls and feels that it is not worthwhile introducing internal controls, then the control system will be weak. Management can try to summarise their commitment to controls in a number of ways:

Risk assessment (COSO)


- Controllable risks: for these risks, internal control procedures can be established
- Uncontrollable risks: for these risks, the company may be able to minimise the risk in other ways outside the internal control environment (i.e. risks caused by the external environment, such as inflation)

Control activities (COSO )


SPAMSOAP
- S: Segregation of duties
- P: Physical controls
- A: Authorisation and approval
- M: Management
- S: Supervision
- O: Organisation structure
- A: Arithmetic and accounting controls
- P: Personnel

Classification of controls
Financial controls

Non-financial quantitative controls

Non-financial qualitative controls

Cash controls
Banking

Payments

Bank accounts

Transfers
Authorisation

Signatories

Cash forecasting

Debtor controls
Invoice recording

Collection activity

Receipt recording

Credit notes

Bad and doubtful debts

Disputed amounts

Credit checking

Verification of balances

Inventory controls
Physical count

Storage and security

Valuation

Surplus and obsolete stock

Receipts and issues procedures

Stock in transit

Investments and intangibles controls


Evidence of ownership

Acquisition and disposal

Periodic review

Accounting for income

Valuation

Amortisation

Fixed asset controls


Recording

Security

Checking

Depreciation

Acquisition and disposal

Obsolescence

Creditors
Authorisation

Invoice recording

Payment authorisation

Receipt of goods

Invoice checking

Reconciliations

Investigation of disputed amounts

Documentation

Loans
Recording

Interest

Authorisation

Loan provisions

Income and expenses


Sales documentation

Matching

Cost recording

Authorisation

Payroll controls
Recruitment
New employee authorisation
Rates of pay
Time recording
Leave, sickness and absenteeism
Termination of employment
No ghosts
Payroll reconciliation
Deductions
Benefits

What is fraud?
Dishonestly obtaining an advantage, avoiding an obligation or causing a loss to another party, including crimes against:
- Customers/clients
- Employers
- Employees
- Financial institutions
- Government
- Major organisations

Fraud prevention
Dishonesty:
- Pre-employment checks
- Supervision
- Discipline
- Leadership

Opportunity:
- Separation of duties
- Input controls
- Processing controls
- Output controls
- Physical security

Motive:
- Employment conditions
- Dismissals
- Complaints procedure

Warning signs

- Culture
- Poor internal controls
- Poor accounting management
- History of legal violations
- Strained relationship with auditors
- Lack of supervision
- Inadequate recruitment process
- Redundancies
- Dissatisfied employees
- Unusual staff behaviour
- Personal financial pressures
- Discrepancy between earnings and lifestyle
- Low salaries
- Unsocial hours
- Not taking leave
- Lack of job segregation
- Lack of asset identification
- Poor management reporting
- Alteration of documents
- Photocopies of documents
- Missing authorisations
- Poor physical security
- Poor IT access controls
- etc.

Fraud risk management strategy
- Fraud prevention
- Fraud identification
- Fraud response

Prevention
- Anti-fraud culture
- Risk awareness
- Whistle blowing
- Sound internal controls

Identification
- Perform regular checks
- Look for warning signals
- Whistleblowers

Response (i)
- Disciplinary action
- Civil litigation
- Criminal prosecution

Response (ii)
Allocate responsibility to:
- Managers
- Finance director
- Personnel
- Audit committee
- Internal auditors
- External auditors
- Legal advisors
- Public relations department
- Police
- Insurers

Computer fraud
- Control and testing of program changes
- Physical IT security
- Password controls
- Output controls

Management fraud
- Distortion of results
- Capitalisation of expenses
- Under-provision
- Over-valuation of inventory

Code of Ethics for Auditors
These are underlying principles and rules of conduct that are desirable of auditors. They are to guide the ethical conduct of auditors.

Principles
Auditors are expected to apply and uphold certain fundamental principles:
- Integrity: establishes trust and provides the basis for reliance on their judgment.
- Objectivity.
- Confidentiality.
- Competency: must apply the knowledge, skills and experience needed.

Rules of Conduct
1. Integrity. Auditors:
   (i) Shall perform their work with honesty and responsibility.
   (ii) Shall observe the laws, rules and regulations expected of them.
   (iii) Shall not knowingly be party to any illegal activity.
2. Objectivity. Auditors:
   (i) Shall not participate in any activity or relationship that may impair their unbiased assessment.
   (ii) Shall not accept anything that may impair or be presumed to impair their professional judgment.
   (iii) Shall disclose all material facts known to them that, if not disclosed, may distort their reporting of operations under review.
3. Confidentiality. Auditors:
   (i) Shall be prudent in the use of information acquired in the course of their duties.
   (ii) Shall not use information for any personal gain or in a manner detrimental to the interest or welfare of the organization.
4. Competency. Auditors:
   (i) Shall engage only in those services for which they have the necessary knowledge, skills and experience.
   (ii) Shall continually improve the proficiency, effectiveness and quality of their service.
   (iii) Shall perform services in accordance with the standards of PPA (professional practice of auditing).

PERFORMING AN IS AUDIT
What is auditing?
Auditing can be defined as a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.

Classification of audits
- Financial audits: The objective of this type of audit is to establish the integrity and reliability of the entity's financial statements. It will generally involve detailed substantive testing of transactions and balances.
- Operational audits: Designed to evaluate the internal control structure. Examples include an audit of applications control or logical security systems.
- Integrated audits: A combination of both financial and operational audits, with the objectives of:
  - Safeguarding the assets of the company
  - Efficiency and compliance of internal/applications controls
- Administrative audits: These relate to operational efficiency and productivity within the organization.
- Information systems audits: These establish, within the information systems suite:
  - Measures to safeguard the assets of the entity
  - Maintaining data and system integrity
  - Efficient utilization of information resources
- Specialized audits: Commissioned and geared towards evaluating internal controls within and around certain specialized circumstances, e.g. outsourcing or other third-party situations.
- Forensic audits: These usually establish evidence of irregularities or fraud for application by law enforcement agencies and the judiciary. They cover areas in:
  - Corporate fraud investigation
  - Cyber crimes investigation, which may cover computer hard disks, switches, routers, hubs and other electronic devices

Audit programs for the above listed systems audits are based on the objective and scope of the particular assignment.

General audit procedures are the basic steps in the performance of an audit and usually include:
- Obtaining and recording an understanding of the audit area/subject
- Risk assessment and general audit plan and schedule
- Detailed audit planning
- Preliminary review of audit area/subject
- Evaluating audit area/subject
- Compliance testing (often referred to as tests of controls)
- Substantive testing
- Reporting (communicating results)
- Follow up

Procedures for testing and evaluating systems controls
The auditor must understand the procedures for testing and evaluating IS controls, which may include the following:
- The use of generalized audit software to survey the contents of data files (including systems logs)
- The use of specialized software to assess the contents of operating systems parameter files (or detect deficiencies in system parameter settings)
- Flow-charting techniques for documenting automated applications and business processes
- The use of audit reports available in operating systems
- Documentation review
- Observation

Controls Classifications
Corrective controls minimize the impact of a threat:
- Remedy problems discovered by detective controls
- Identify the cause of a problem
- Correct errors arising from a problem
- Modify the processing system(s) to minimize future occurrences of the problem
- Contingency planning
- Backup procedures
- Rerun procedures

Audit Phases
Audit phase, followed by the steps in that phase:
- Identify the area to be audited.
- Audit Objective: Identify the purpose of the audit. For example, an objective might be to determine that program source code changes occur in a well-defined and controlled environment.
- Audit Scope: Identify the specific systems, function or unit of the organization to be included in the review. For example, in the previous program changes example, the scope statement might limit the review to a single application system or to a limited period of time.
- Pre-audit Planning: Identify technical skills and resources needed. Identify the sources of information for test or review such as functional flowcharts, policies, standards, procedures and prior audit work papers. Identify locations or facilities to be audited.
- Audit procedures and steps for data gathering: Identify and select the audit approach to verify and test the controls. Identify a list of individuals to interview. Identify and obtain departmental policies, standards and guidelines for review. Develop audit tools and methodology to test and verify control.
- Procedures for evaluating the test or review results: Organization specific.
- Procedures for communicating with management: Organization specific.
- Audit report preparation: Identify follow-up review procedures. Identify procedures to evaluate/test operational efficiency and effectiveness. Identify procedures to test controls. Review and evaluate the soundness of documents, policies and procedures.

AUDIT METHODOLOGY
A product of the audit process is an audit program that becomes a guide for documenting the various audit steps performed and the extent and types of evidential matter reviewed. It provides a trail of the process used to perform the audit as well as accountability of performance.

Although an audit program does not necessarily follow a specific set of steps, the IS auditor typically would follow sequential program steps to:
- gain an understanding of the entity under audit,
- evaluate the control structure and
- test the controls.

Audit objectives
An audit objective refers to the specific goals of an audit. An audit may have several audit objectives. They often center on substantiating that internal controls exist to minimize business risks. They include assuring compliance with legal and regulatory requirements as well as the confidentiality, integrity, reliability and availability of information resources.

In planning an IS audit, a key element is to translate basic audit objectives into specific IS audit objectives. One of the basic purposes of any IS audit is to identify control objectives and the related controls that address the objective. An Auditor may alternatively assist in assessing the integrity of financial reporting data which is referred to as substantive testing, through computer assisted audit techniques (CAATs).

Compliance VS. Substantive Testing
Compliance testing is a procedure by which the IS auditor gathers evidence for the purpose of testing an organization's compliance with control procedures. Substantive testing is gathering evidence for evaluating the integrity of individual transactions, data or other information.

A compliance test determines if controls are being applied in a manner that complies with management policies and procedures. It can be used to test the existence and effectiveness of a defined process, which may include a trail of documentary and/or automated evidence.

A substantive test substantiates the integrity of actual processing. It provides evidence of the validity and integrity of the balances in the financial statements and the transactions that support these balances. Substantive tests can be used to test for monetary errors directly affecting financial statement balances.

Understand the Control Environment and Flow of Transactions
1. Review the system to identify controls.
2. Test compliance to determine whether controls are functioning.
3. Evaluate the controls to determine the basis for reliance and the nature, scope and timing of substantive tests.
4. Use two types of substantive tests to evaluate the validity of the data:
   - Test balances and transactions
   - Analytical review procedures
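
The compliance-testing step above, worked through as an added example (not part of the original slides) for the program-change objective mentioned under Audit Phases. The change log is constructed sample data; the field names and the 5% tolerable deviation rate are assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample: a program change log exported from a change-management tool.
CHANGE_LOG = """change_id,developer,approver,approved_at,deployed_at,test_evidence
CHG-001,alice,bob,2024-03-01T10:00,2024-03-02T09:00,yes
CHG-002,carol,carol,2024-03-03T11:00,2024-03-03T15:00,yes
CHG-003,dave,,,2024-03-05T08:30,no
CHG-004,alice,erin,2024-03-08T16:00,2024-03-07T12:00,yes
CHG-005,bob,erin,2024-03-09T09:00,2024-03-10T09:00,yes
CHG-006,carol,bob,2024-03-11T13:00,2024-03-12T10:00,no
"""


def check_change(row):
    """Return the control deviations found in one change record."""
    deviations = []
    if not row["approver"]:
        deviations.append("no approval recorded")
    elif row["approver"] == row["developer"]:
        # Separation of duties: the author must not authorise the change.
        deviations.append("developer approved own change")
    if row["approved_at"]:
        approved = datetime.fromisoformat(row["approved_at"])
        deployed = datetime.fromisoformat(row["deployed_at"])
        if approved > deployed:
            deviations.append("approved after deployment")
    if row["test_evidence"] != "yes":
        deviations.append("no test evidence")
    return deviations


def compliance_test(log_text, tolerable_rate=0.05):
    """Test every change against the control and decide on reliance.

    tolerable_rate is an assumed threshold; the audit plan sets the real one.
    """
    rows = list(csv.DictReader(io.StringIO(log_text)))
    exceptions = {}
    for row in rows:
        found = check_change(row)
        if found:
            exceptions[row["change_id"]] = found
    rate = len(exceptions) / len(rows)
    return {
        "tested": len(rows),
        "exceptions": exceptions,
        "deviation_rate": rate,
        # A failed control means more extensive substantive testing.
        "rely_on_control": rate <= tolerable_rate,
    }


if __name__ == "__main__":
    result = compliance_test(CHANGE_LOG)
    for change_id, found in result["exceptions"].items():
        print(change_id, "; ".join(found))
    print("rely on control:", result["rely_on_control"])
```

The exception list is the documentary trail for the working papers, and the reliance decision feeds the nature, scope and timing of the substantive tests in step 4.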


Evidence
Evidence is any information used by the IS auditor to determine whether the entity or data being audited follows the established audit criteria or objectives. It is a requirement that the auditor's conclusion must be based on sufficient, relevant and competent evidence. It may include the IS auditor's observations, notes taken from interviews, material extracted from correspondence and internal documentation, or the results of audit test procedures.

Determinants for evaluating the reliability of audit evidence include:
- Independence of the provider of the evidence.
- Qualifications of the individual providing the information/evidence.
- Objectivity of the evidence: objective evidence is more reliable than evidence that requires judgment or interpretation, e.g. a cash count.
- Timing of the evidence: e.g. evidence through EDI or DIP (document image processing) may not be retrievable after a specified period of time if changes to the files are not controlled or the files are not backed up.

Both the quality and quantity of the evidence must be assessed by the IS auditor.

Techniques for gathering evidence
- Reviewing information systems organization structures
- Reviewing IS policies, procedures and standards
- Systems development initiating documents (e.g., feasibility study)
- Functional requirements and design specifications
- Test plans and reports
- Program and operations documents
- Program change logs and histories
- User manuals
- Operations manuals
- Security related documents (e.g., security plans, risk assessments)
- Quality assurance reports
- Interviewing appropriate personnel
- Observing processes and employee performance

Computer assisted audit techniques (CAATs)
CAATs are tools used in gathering information from the processing environments. They enable the IS auditor to gather information independently when performing audits. They provide a means to gain access and analyze data for a predetermined audit objective and to report the audit findings with emphasis on the reliability of the records produced and maintained in the system. The reliability of the source of the information used provides reassurance on findings generated. They include:
- Generalized audit software
- Utility software
- Test data, etc.

Generalized audit software (GAS) refers to standard software that has the capacity to directly read and access data from various database platforms, flat-file systems and ASCII formats. It supports the following functions:
- File access: reading of different record formats and file structures
- File reorganization: indexing, sorting, merging and linking with another file
- Data selection: global filtration conditions and selection criteria
- Statistical functions: sampling, stratification and frequency analysis
- Arithmetical functions: arithmetic operators and functions
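
The GAS functions listed above, applied to the "No ghosts" payroll control as an added example (not part of the original slides and not any vendor's product). Both files are constructed sample data; the field names, value bands and function names are assumptions.

```python
import csv
import io
import random
from collections import Counter

# Constructed sample files: HR master and one payroll run.
HR_MASTER = """emp_id,name,status
E001,A. Mensah,active
E002,B. Okoro,active
E003,C. Diallo,terminated
E004,D. Banda,active
"""
PAYROLL = """emp_id,bank_account,net_pay
E001,1001,1200.00
E002,1002,4800.00
E003,1003,950.00
E005,1001,15000.00
E004,1004,2100.00
"""


def read_file(text):
    """File access: parse a delimited export into records."""
    return list(csv.DictReader(io.StringIO(text)))


def link(payroll, master):
    """File reorganization: link each payment to its HR master record."""
    index = {m["emp_id"]: m for m in master}
    return [dict(p, hr=index.get(p["emp_id"])) for p in payroll]


def select_exceptions(linked):
    """Data selection: payments with no active employee behind them."""
    return [r["emp_id"] for r in linked
            if r["hr"] is None or r["hr"]["status"] != "active"]


def shared_accounts(payroll):
    """Frequency analysis: bank accounts paid more than once in the run."""
    counts = Counter(p["bank_account"] for p in payroll)
    return {acct: n for acct, n in counts.items() if n > 1}


def stratify(payroll, bounds=(1000, 5000)):
    """Stratification and arithmetic: count and total net pay per band."""
    strata = {}
    for p in payroll:
        amount = float(p["net_pay"])
        band = sum(amount >= b for b in bounds)  # 0 is the lowest band
        n, total = strata.get(band, (0, 0.0))
        strata[band] = (n + 1, total + amount)
    return strata


def sample(payroll, k, seed):
    """Sampling: seeded random selection, so the draw can be re-performed."""
    return [p["emp_id"] for p in random.Random(seed).sample(payroll, k)]
```

Recording the seed in the working papers lets a reviewer reproduce the same sample from the same extract.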

- Utility software: the subset of software, such as database management systems report generators, that provides evidence to the auditors about system control effectiveness.
- Test data: involve the auditors using a sample set of data to assess whether logic errors exist in a program and whether the program meets its objectives.
- Audit-expert system: will give direction and valuable information to all levels of auditors while carrying out the audit because the query-based system is built on the knowledge base of the senior auditors or managers.

Tools and techniques for audit procedures
The foregoing can be used in performing various audit procedures:
- Test of details of transactions and balances
- Analytical review procedures
- Compliance tests of IS general controls
- Compliance tests of IS application controls
- Penetration and OS vulnerability assessment testing

The auditor should have a thorough understanding of CAATs and know where and when to apply them.

CAATs Summary
CAATs offer the following advantages:
- Improved audit efficiency
- Reduced level of audit risk
- Greater independence from the auditee
- Broader and more consistent audit coverage
- Faster availability of information
- Greater flexibility of run times
- Improved exception identification
- Greater opportunity to quantify internal control weaknesses
- Enhanced sampling
- Cost savings over time

Issues to consider before developing CAATs are:
- Ease of use, both for existing audit staff and future staff
- Training requirements
- Complexity of coding and maintenance
- Flexibility of uses
- Installation requirements
- Processing efficiencies (esp. with a PC CAAT)
- Effort required to bring the source data into the CAATs for analysis

Examples of documentation to be retained when developing CAATs
- Online reports detailing high-risk issues for review
- Commented program listing
- Flowcharts
- Sample reports
- Record and file layouts
- Field definitions
- Operating instructions
- Description of applicable source documents

EVALUATION OF AUDIT STRENGTHS AND WEAKNESSES

After developing an audit program and gathering audit evidence, the next step is an evaluation of the information gathered in order to develop an audit opinion. The IS auditor has to consider a series of strengths and weaknesses and then develop audit opinions and recommendations. The IS auditor is required to make judgments that are often gained from experience, rather than from reference materials.

ISACA's standard for IS auditing 030.020, Professional Care, is particularly important to the IS auditor in evaluating audit strengths and weaknesses. The IS auditor should assess the results of the evidence gathered for compliance with the control requirements or objectives established during the planning stage of the audit. Considerable judgment is required as controls are often unclear. In essence, controls should be in place to remove or minimize every perceived risk or threat to the entity being audited.

As part of an IS review, the IS auditor may discover a variety of strong and weak controls. In some instances, one strong control may compensate for a weak control in another area. E.g. if the IS auditor finds weaknesses in a system's transaction error report, the IS auditor may find that a detailed manual balancing process over all transactions compensates for the weaknesses in the error report.

The IS auditor should be aware of compensating controls in areas where controls have been identified as weak. A compensating control situation occurs when one stronger control supports a weaker one. Overlapping controls are two strong controls. E.g. a data center employs a card key system to control physical access and a guard inside the door requires employees to show their card key or badge. Either control might be adequate to restrict access and the two complement each other.

A control objective will not be achieved by considering one control adequate. The IS auditor should perform a variety of testing procedures and evaluate how these relate to one another. An IS auditor should always review for compensating controls prior to reporting a control weakness.
