The purpose, authority, and responsibility of the audit
activity must be formally defined in an audit by-law, consistent with the
Municipal Act, the Definition of Auditing, the Codes of Conduct, and the Standards. The Auditor General must
periodically review the audit by-law and present it to Council for approval.
Interpretation:
The audit by-law is a formal document that defines the audit activity's purpose,
authority, and responsibility. The audit by-law establishes the audit activity's
position within the City, including the nature of the Auditor General’s
functional reporting relationship with Council; authorizes access to records,
personnel, and physical properties relevant to the performance of engagements;
and defines the scope of audit activities. Final approval of the audit by-law
resides with Council.
1000.A1 – The nature of assurance services provided to the City must be defined
in the audit by-law. If assurances are to be provided to parties outside the
City, the nature of these assurances must also be defined in the audit by-law.
The mandatory nature of the Definition of Auditing, the Codes of Conduct, and
the Standards must be recognized in the audit by-law. The Auditor General should
discuss the Definition of Auditing, the Codes of Conduct, and the Standards with
Council.
The audit activity must be independent, and auditors
must be objective in performing their work.
Independence is the freedom from conditions that threaten the ability of the
audit activity to carry out audit responsibilities in an unbiased manner. To
achieve the degree of independence necessary to effectively carry out the
responsibilities of the audit activity, the Auditor General has direct and
unrestricted access to Council and City staff. Threats to independence must be
managed at the individual auditor, engagement, functional, and City levels.
Objectivity is an unbiased mental attitude that allows auditors to perform
engagements in such a manner that they believe in their work product and that no
quality compromises are made. Objectivity requires that auditors do not
subordinate their judgment on audit matters to others. Threats to objectivity
must be managed at the individual auditor, engagement, functional, and City
levels.
1110 – Organizational Independence
The Auditor General must report to a level within the
City that allows the audit activity to fulfill its responsibilities. The
Auditor General must confirm to Council, at least annually, the organizational
independence of the audit activity.
Interpretation:
Organizational independence is effectively achieved when the Auditor General
reports to Council. Examples of reporting to the Council involve Council:
· Approving the audit by-law;
· Approving the risk-based audit plan;
· Receiving communications from the Auditor General on the audit activity’s
performance relative to its plan and other matters;
· Approving decisions regarding the appointment and removal of the Auditor
General; and
· Making appropriate inquiries to the Auditor General to determine whether there
are inappropriate scope or resource limitations.
1110.A1 – The audit activity must be free from interference in determining the
scope of auditing, performing work, and communicating results.
1111 – Direct Interaction with Council
The Auditor General must communicate and interact directly with Council.
1120 – Individual Objectivity
Auditors must have an impartial, unbiased attitude and
avoid any conflict of interest.
Conflict of interest is a situation in which an auditor, who is
in a position of trust, has a competing professional or personal interest. Such
competing interests can make it difficult to fulfill his or her duties
impartially. A conflict of interest exists even if no unethical or improper act
results. A conflict of interest can create an appearance of impropriety that
can undermine confidence in the auditor, the audit activity, and the
profession. A conflict of interest could impair an individual's ability to
perform his or her duties and responsibilities objectively.
1130 – Impairment to Independence or Objectivity
If independence or objectivity is impaired in fact or
appearance, the details of the impairment must be disclosed to appropriate
parties. The nature of the disclosure
will depend upon the impairment.
Impairment to City
independence and individual objectivity may include, but is not limited to,
personal conflict of interest, scope limitations, restrictions on access to
records, personnel, and properties, and resource limitations, such as funding.
The determination of appropriate parties to which the details of an impairment
to independence or objectivity must be disclosed is dependent upon the
expectations of the audit activity’s and the Auditor General’s responsibilities
to Council as described in the audit by-law, as well as the nature of the
impairment.
1130.A1 – Auditors must refrain from assessing specific operations for which
they were previously responsible. Objectivity is presumed to be impaired if an
auditor provides assurance services for an activity for which the auditor had
responsibility within the previous year.
1130.A2 – Assurance engagements for functions over which the Auditor General has
responsibility must be overseen by a party outside the audit activity.
1200 – Proficiency and Due Professional Care
Engagements must be performed with proficiency and due
professional care.
1210 – Proficiency
Auditors must possess the knowledge, skills, and other
competencies needed to perform their individual responsibilities. The audit
activity collectively must possess or obtain the knowledge, skills, and other competencies
needed to perform its responsibilities.
Interpretation:
Knowledge, skills, and other competencies is a
collective term that refers to the professional proficiency required of
auditors to effectively carry out their professional responsibilities. Auditors are encouraged to demonstrate their
proficiency by obtaining appropriate professional certifications and
qualifications offered by appropriate professional organizations.
1210.A1 – The Auditor General must obtain competent advice and assistance if the
auditors lack the knowledge, skills, or other competencies needed to perform all
or part of the engagement.
1210.A2 – Auditors must have sufficient knowledge to evaluate the risk of fraud
and the manner in which it is managed by the City, but are not expected to have
the expertise of a person whose primary responsibility is detecting and
investigating fraud.
1210.A3 – Auditors must have sufficient knowledge of key information
technology risks and controls and available technology-based audit techniques
to perform their assigned work. However, not all auditors are expected to have
the expertise of an auditor whose primary responsibility is information
technology auditing.
1220 – Due Professional Care
Auditors must apply the care and skill expected of a
reasonably prudent and competent auditor. Due professional care does not imply
infallibility.
1220.A1 – Auditors must exercise due professional care by considering the:
· Extent of work needed to achieve the engagement’s objectives;
· Relative complexity, materiality, or significance of matters to which
assurance procedures are applied;
· Adequacy and effectiveness of governance, risk management, and control
processes;
· Probability of significant errors, fraud, or noncompliance; and
· Cost of assurance in relation to potential benefits.
1220.A2 – In exercising due professional care auditors must consider the use of
technology-based audit and other data analysis techniques.
1220.A3 – Auditors must be alert to the significant risks that might affect
objectives, operations, or resources. However, assurance procedures alone, even
when performed with due professional care, do not guarantee that all significant
risks will be identified.
1230 – Continuing Professional Development
Auditors must enhance their knowledge, skills, and other competencies through
continuing professional development.
1300 – Quality Assurance and Improvement Program
The Auditor General must develop and maintain a
quality assurance and improvement program that covers all aspects of the audit
activity.
Interpretation:
A quality assurance and improvement program is
designed to enable an evaluation of the audit activity’s conformance with the
Definition of Auditing and the Standards and an evaluation of whether auditors
apply the Codes of Conduct. The program also assesses the efficiency and effectiveness of
the audit activity and identifies opportunities for improvement.
1310 – Requirements of the Quality Assurance and Improvement Program
The quality assurance and improvement program must
include both internal and external assessments.
1311 – Internal Assessments
Internal assessments must include:
· Ongoing monitoring of the performance of the audit activity; and
· Periodic reviews performed through self-assessment.
Interpretation:
Ongoing monitoring is an integral part of the day-to-day supervision,
review, and measurement of the audit activity. Ongoing monitoring is
incorporated into the routine policies and practices used to manage the audit
activity and uses processes, tools, and information considered necessary to
evaluate conformance with the Definition of Auditing, the Codes of Conduct, and
the Standards.
Periodic reviews are assessments conducted to evaluate conformance with the
Definition of Auditing, the Codes of Conduct, and the Standards.
Sufficient knowledge of audit practices requires at least an understanding of
all elements of the International Professional Practices Framework.
1312 – External Assessments
External assessments must be conducted at least once every five years by a
qualified, independent reviewer or review team from outside the City. The
Auditor General must discuss with Council:
· The need for more frequent external assessments; and
· The qualifications and independence of the external reviewer or review team,
including any potential conflict of interest.
Interpretation:
A qualified reviewer or review team demonstrates competence in two areas: the
professional practice of auditing and the external assessment process.
Competence can be demonstrated through a mixture of experience and theoretical
learning. Experience gained in organizations and/or cities of similar size,
complexity, sector or industry, and technical issues is more valuable than less
relevant experience. In the case of a review team, not all members of the team
need to have all the competencies; it is the team as a whole that is qualified.
The Auditor General uses professional judgment when assessing whether a reviewer
or review team demonstrates sufficient competence to be qualified.
An independent reviewer or review team means not having either a real or an
apparent conflict of interest and not being a part of, or under the control of,
the City to which the audit activity belongs.
1320 – Reporting on the Quality Assurance and Improvement Program
The Auditor General must communicate the results of
the quality assurance and improvement program to Council.
Interpretation:
The form, content, and frequency of communicating the results of the quality
assurance and improvement program is established through discussions with
Council and considers the responsibilities of the audit activity and Auditor
General as contained in the audit by-law. To demonstrate conformance with the
Definition of Auditing, the Codes of Conduct, and the Standards, the results of
external and periodic internal assessments are communicated upon completion of
such assessments and the results of ongoing monitoring are communicated at least
annually. The results include the reviewer’s or review team’s assessment with
respect to the degree of conformance.
1321 – Use of “Conforms with the Standards for the Professional Practice of Auditing”
The Auditor General may state that the audit
activity conforms with the Standards for the Professional Practice of
Auditing only if the results of the quality assurance and improvement
program support this statement.
Interpretation:
The audit activity conforms with the Standards when it achieves the outcomes
described in the Definition of Auditing, Codes of Conduct and Standards.
The results of the quality assurance and improvement program include the results
of both internal and external assessments. All audit activities will have the
results of internal assessments. Audit activities in existence for at least five
years will also have the results of external assessments.
1322 – Disclosure of Nonconformance
When nonconformance with the Definition of Auditing, the Codes of Conduct, or
the Standards impacts the overall scope or operation of the audit activity, the
Auditor General must disclose the nonconformance and the impact to Council.
Performance Standards
2000 – Managing the Audit Activity
The Auditor General must effectively manage the
audit activity to ensure it adds value to the City.
Interpretation:
The audit activity is effectively managed when:
The audit activity adds value to the City (and its stakeholders such as City
Boards and City controlled corporations) when it provides objective and relevant
assurance, and contributes to the effectiveness and efficiency of governance,
risk management, and control processes.
2010 – Planning
The Auditor General must establish risk-based plans
to determine the priorities of the audit activity, consistent with the City’s
goals.
Interpretation:
The Auditor General is responsible for developing a risk-based plan. The Auditor
General takes into account the City’s risk management framework, including using
risk appetite levels set by management for the different activities or parts of
the City. If a framework does not exist, the Auditor General uses his/her own
judgment of risks after consultation with Council and senior City staff.
2010.A1 – The audit activity’s plan of engagements must be based on a documented
risk assessment, undertaken at least annually. The input of Council must be
considered in this process.
2010.A2 – The Auditor General must identify and consider the expectations of
Council, and other stakeholders such as City Boards and City controlled
corporations for audit opinions and other conclusions.
2020 – Communication and Approval
The Auditor General must communicate the audit
activity’s plans and resource requirements, including significant interim
changes, to Council for review and approval and to senior City staff for
information. The Auditor General must also communicate the impact of resource
limitations.
2030 – Resource Management
The Auditor General must ensure that audit
resources are appropriate, sufficient, and effectively deployed to achieve the
approved plan.
Interpretation:
Appropriate refers to the mix of knowledge, skills, and other competencies
needed to perform the plan. Sufficient refers to the quantity of resources
needed to accomplish the plan. Resources are effectively deployed when they are
used in a way that optimizes the achievement of the approved plan.
2040 – Policies and Procedures
The Auditor General must establish policies and
procedures to guide the audit activity.
Interpretation:
The form and content of policies and procedures are dependent upon the size and
structure of the audit activity and the complexity of its work.
2050 – Coordination
The Auditor General should share information with the external auditors to
ensure proper coverage and minimize duplication of efforts.
2060 – Reporting to the Council
The Auditor General must report periodically to
Council on the audit activity’s purpose, authority, responsibility, and
performance relative to its plan. Reporting must also include significant risk
exposures and control issues, including fraud risks, governance issues, and
other matters needed or requested by Council.
Interpretation:
The frequency and content of reporting are determined in discussion with Council
and depend on the importance of the information to be communicated and the
urgency of the related actions to be taken by senior management or Council.
2100 – Nature of Work
The audit activity must evaluate and
contribute to the improvement of governance, risk management, and control
processes using a systematic and disciplined approach.
2110 – Governance
The audit activity must assess and make appropriate
recommendations for improving the governance process in its accomplishment of
the following objectives:
· Promoting appropriate ethics and values within the City;
· Ensuring effective organizational performance management and accountability;
and
· Communicating risk and control information to appropriate areas of the City.
2110.A1 – The audit activity must evaluate
the design, implementation, and effectiveness of the City’s ethics-related
objectives, programs, and activities.
2110.A2 – The audit activity
must assess whether the information technology governance of the City supports
the City’s strategies and objectives.
2120 – Risk Management
The audit activity must evaluate the effectiveness
and contribute to the improvement of risk management processes.
Interpretation:
Determining whether risk management processes are effective is a judgment
resulting from the auditor’s assessment that:
· City objectives support and align with the City’s mission;
· Significant risks are identified and assessed;
· Appropriate risk responses are selected that align risks with the City’s risk
appetite; and
· Relevant risk information is captured and communicated in a timely manner
across the City, enabling staff, management, and Council to carry out their
responsibilities.
The audit activity may gather the information to support this assessment during
multiple engagements. The results of these engagements, when viewed together,
provide an understanding of the City’s risk management processes and their
effectiveness.
Risk management processes are monitored through ongoing management activities,
separate evaluations, or both.
2120.A1 – The audit activity must evaluate
risk exposures relating to the City’s governance, operations, and information
systems regarding the:
· Reliability and integrity of financial and operational information;
· Effectiveness and efficiency of operations and programs;
· Safeguarding of assets; and
· Compliance with laws, regulations, policies, procedures, and contracts.
2120.A2 – The audit activity
must evaluate the potential for the occurrence of fraud and how the City
manages fraud risk.
2130 – Control
The audit activity must assist the City in
maintaining effective controls by evaluating their effectiveness and efficiency
and by promoting continuous improvement.
2130.A1 – The audit activity must evaluate
the adequacy and effectiveness of controls in responding to risks within the
City’s governance, operations, and information systems regarding the:
· Reliability and integrity of financial and operational information;
· Effectiveness and efficiency of operations and programs;
· Safeguarding of assets; and
· Compliance with laws, regulations, policies, procedures, and contracts.
2200 – Engagement Planning
Auditors must develop and document a plan for each engagement, including the
engagement’s objectives, scope, timing, and resource allocations.
2201 – Planning Considerations
In planning the engagement, auditors must consider:
· The objectives of the activity being reviewed and the means by which the
activity controls its performance;
· The significant risks to the activity, its objectives, resources, and
operations and the means by which the potential impact of risk is kept to an
acceptable level;
· The adequacy and effectiveness of the activity’s risk management and control
processes compared to a relevant control framework or model; and
· The opportunities for making significant improvements to the activity’s risk
management and control processes.
2201.A1 – When planning an engagement for
parties (i.e., City Boards and City controlled corporations) outside the City,
auditors must establish a written understanding with them about objectives,
scope, respective responsibilities, and other expectations, including
restrictions on distribution of the results of the engagement and access to
engagement records.
2210 – Engagement Objectives
Objectives must be established for each engagement.
2210.A1 – Auditors must conduct a preliminary
assessment of the risks relevant to the activity under review. Engagement
objectives must reflect the results of this assessment.
2210.A2 – Auditors must consider the
probability of significant errors, fraud, noncompliance, and other exposures
when developing the engagement objectives.
2210.A3 – Adequate criteria are needed to evaluate controls. Auditors must
ascertain the extent to which management has established adequate criteria to
determine whether objectives and goals have been accomplished. If adequate,
auditors must use such criteria in their evaluation. If inadequate, auditors
must work with management to develop appropriate evaluation criteria.
2220 – Engagement Scope
The established scope must be sufficient to satisfy the objectives of the
engagement.
2220.A1 – The scope of the engagement must
include consideration of relevant systems, records, personnel, and physical
properties, including those under the control of third parties.
2230 – Engagement Resource Allocation
Auditors must determine appropriate and sufficient
resources to achieve engagement objectives based on an evaluation of the nature
and complexity of each engagement, time constraints, and available resources.
2240 – Engagement Work Program
Auditors must develop and document work
programs that achieve the engagement objectives.
2240.A1 – Work programs must include the
procedures for identifying, analyzing, evaluating, and documenting information
during the engagement. The work program must be approved prior to its
implementation, and any adjustments approved promptly.
2300 – Performing the Engagement
Auditors must identify, analyze, evaluate, and document sufficient information
to achieve the engagement’s objectives.
2310 – Identifying Information
Auditors must identify sufficient, reliable, relevant, and useful information to
achieve the engagement’s objectives.
Interpretation:
Sufficient information is factual, adequate, and convincing so that a prudent,
informed person would reach the same conclusions as the auditor. Reliable
information is the best attainable information through the use of appropriate
engagement techniques. Relevant information supports engagement observations and
recommendations and is consistent with the objectives for the engagement. Useful
information helps the City meet its goals.
2320 – Analysis and Evaluation
Auditors must base conclusions and engagement results on appropriate analyses
and evaluations.
2330 – Documenting Information
Auditors must document relevant information to support the conclusions and
engagement results.
2330.A1 – The Auditor General must control
access to engagement records. The Auditor General must obtain the approval of
the City Solicitor prior to releasing such records to external parties, as
appropriate and based on the provisions of the Municipal Act.
2330.A2 – The Auditor General must develop
retention requirements for engagement records, regardless of the medium in
which each record is stored. These retention requirements must be consistent
with the City’s guidelines and any pertinent regulatory or other requirements.
2340 – Engagement Supervision
Engagements must be properly supervised to ensure objectives are achieved,
quality is assured, and staff is developed.
Interpretation:
The extent of supervision required will depend on
the proficiency and experience of auditors and the complexity of the
engagement. The Auditor General has overall responsibility for supervising the
engagement, whether performed by or for the audit activity, but may designate
appropriately experienced members of the audit activity to perform the review.
Appropriate evidence of supervision is documented and retained.
2400 – Communicating Results
Auditors must communicate the results of engagements.
2410 – Criteria for Communicating
Communications must include the engagement’s
objectives and scope as well as applicable conclusions, recommendations, and
action plans.
2410.A1 – Final communication of engagement results must, where appropriate,
contain the auditors’ opinion and/or conclusions. When issued, an opinion or
conclusion must take account of the expectations of Council, and other
stakeholders such as City Boards and City controlled corporations and must be
supported by sufficient, reliable, relevant, and useful information.
Interpretation:
Opinions at the engagement level
may be ratings, conclusions, or other descriptions of the results. Such an
engagement may be in relation to controls around a specific process, risk, or
business unit. The formulation of such opinions requires consideration of the
engagement results and their significance.
2410.A2 – Auditors are encouraged to
acknowledge satisfactory performance in engagement communications.
2410.A3 – When releasing engagement results to
parties outside the City, the communication must include limitations on
distribution and use of the results.
2420 – Quality of Communications
Communications must be accurate, objective, clear, concise, constructive,
complete, and timely.
Interpretation:
Accurate communications are free from errors and distortions and are faithful to
the underlying facts. Objective communications are fair, impartial, and unbiased
and are the result of a fair-minded and balanced assessment of all relevant
facts and circumstances. Clear communications are easily understood and logical,
avoiding unnecessary technical language and providing all significant and
relevant information. Concise communications are to the point and avoid
unnecessary elaboration, superfluous detail, redundancy, and wordiness.
Constructive communications are helpful to the engagement client and the City
and lead to improvements where needed. Complete communications lack nothing that
is essential to the target audience and include all significant and relevant
information and observations to support recommendations and conclusions. Timely
communications are opportune and expedient, depending on the significance of the
issue, allowing management to take appropriate corrective action.
2421 – Errors and Omissions
If a final communication contains a significant
error or omission, the Auditor General must communicate corrected information
to all parties who received the original communication.
2430 – Use of “Conducted in Conformance with the Standards for the Professional Practice of Auditing”
Auditors may report that their engagements are “conducted in conformance with
the Standards for the Professional Practice of Auditing”, only if the results of
the quality assurance and improvement program support the statement.
2431 – Engagement Disclosure of Nonconformance
When nonconformance with the Definition of Auditing, the Codes of Conduct or the
Standards impacts a specific engagement, communication of the results must
disclose the:
· Principle or rule of conduct of the Codes of Conduct or Standard(s) with which
full conformance was not achieved;
· Reason(s) for nonconformance; and
· Impact of nonconformance on the engagement and the communicated engagement
results.
2440 – Disseminating Results
The Auditor General must communicate results to the appropriate parties.
Interpretation:
The Auditor General or designee reviews and approves the final engagement
communication before issuance and decides to whom and how it will be
disseminated.
2440.A1 – The Auditor General is responsible
for communicating the final results to Council who can ensure that the results
are given due consideration.
2440.A2 – If not otherwise mandated by legal,
statutory, or regulatory requirements, prior to releasing results to parties
outside the City the Auditor General must:
· Assess the potential risk to the City;
· Consult with City Solicitor as appropriate; and
· Control dissemination by restricting the use of the results.
2450 – Overall Opinions
When an overall opinion is issued, it must take into account the expectations of
Council and must be supported by sufficient, reliable, relevant, and useful
information.
Interpretation:
The communication will identify:
· The scope, including the time period to which the opinion pertains;
· Scope limitations;
· Consideration of all related projects including the reliance on other
assurance providers;
· The risk or control framework or other criteria used as a basis for the
overall opinion; and
· The overall opinion, judgment, or conclusion reached.
The reasons for an unfavorable overall opinion must be stated.
2500 – Monitoring Progress
The Auditor General must establish and maintain a
system to monitor the disposition of results communicated to management.
2500.A1 – The Auditor General must establish a follow-up process to monitor and
ensure that management actions have been effectively implemented or that senior
management and/or Council has accepted the risk of not taking action.
2600 – Resolution of Senior Management’s Acceptance of Risks
When the Auditor General believes that senior
management has accepted a level of residual risk that may be unacceptable to
the organization, the Auditor General must discuss the matter with the City
Manager. If the decision regarding residual risk is not resolved, the Auditor
General must report the matter to the Audit Sub-Committee for resolution.
Glossary
Add Value
The audit activity adds value to the City (and its stakeholders such as City
Boards and City controlled corporations) when it provides objective and relevant
assurance, and contributes to the effectiveness and efficiency of governance,
risk management, and control processes.
Adequate Control
Present if management has planned and organized (designed) in a manner that
provides reasonable assurance that the City’s risks have been managed
effectively and that the City’s goals and objectives will be achieved
efficiently and economically.
Assurance Services
An objective examination of evidence for the purpose of providing an independent
assessment on governance, risk management, and control processes for the City.
Examples may include financial, performance, compliance, system security, and
due diligence engagements.
Auditing
Assisting City Council in holding itself and
its administrators accountable for the quality of stewardship over public funds
and for the achievement of value for money in municipal operations.
Auditor General
Auditor General describes a person in a senior position responsible for
effectively managing the audit activity in accordance with the by-law and the
Definition of Auditing, the Codes of Conduct, and the Standards. The Auditor
General or others reporting to the Auditor General will have appropriate
professional certifications and qualifications. The Auditor General reports to
City Council.
Council (City Council)
The City of Ottawa’s elected governing body.
By-law
The audit by-law is a formal document that defines
the audit activity’s purpose, authority, and responsibility. The audit by-law
establishes the audit activity’s position within the City; authorizes access to
records, personnel, and physical properties relevant to the performance of
engagements; and defines the scope of audit activities.
Codes of Conduct
The Codes of Conduct include that of the City of Ottawa as well as those of the
applicable professional associations relating to accounting and/or auditing
designations. The Codes of Conduct apply to both parties and entities that
provide audit services. The purpose of the Codes of Conduct is to promote an
ethical culture in the global profession of auditing.
Compliance
Adherence to policies, plans, procedures, laws, regulations, contracts, or other
requirements.
Conflict of Interest
Any relationship that is, or appears to be, not in the best interest of the
City. A conflict of interest would prejudice an individual’s ability to perform
his or her duties and responsibilities objectively.
Control
Any action taken by management, Council, and other
parties to manage risk and increase the likelihood that established objectives
and goals will be achieved. Management plans, organizes, and directs the
performance of sufficient actions to provide reasonable assurance that
objectives and goals will be achieved.
Control Environment
The attitude and actions of Council and
management regarding the importance of control within the City. The
control environment provides the discipline and structure for the achievement
of the primary objectives of the system of internal control. The control
environment includes the following elements:
· Integrity and ethical values.
· Management’s philosophy and operating style.
· Organizational structure.
· Assignment of authority and responsibility.
· Human resource policies and practices.
· Competence of personnel.
Control Processes
The policies, procedures, and activities
that are part of a control framework, designed to ensure that risks are
contained within the risk tolerances established by the risk management
process.
Engagement
A specific audit assignment, task, or review
activity, such as an audit, control self-assessment review, fraud examination,
or consultancy. An engagement may include multiple tasks or activities designed
to accomplish a specific set of related objectives.
Engagement Objectives
Broad statements developed by auditors that define
intended engagement accomplishments.
Engagement Work Program
A document that lists the procedures to be followed
during an engagement, designed to achieve the engagement plan.
External Service Provider
A person or firm outside of the City that
has special knowledge, skill, and experience in a particular discipline.
Fraud
Any illegal act characterized by deceit,
concealment, or violation of trust. These acts are not dependent upon the
threat of violence or physical force. Frauds are perpetrated by parties and
organizations to obtain money, property, or services; to avoid payment or loss
of services; or to secure personal or business advantage.
Governance
The combination of processes and structures
implemented by Council to inform, direct, manage, and monitor the activities of
the City toward the achievement of its objectives.
Impairment
Impairment to organizational independence and
individual objectivity may include personal conflict of interest, scope
limitations, restrictions on access to records, personnel, and properties, and
resource limitations (funding).
Independence
The freedom from conditions that
threaten the ability of the audit activity to carry out audit responsibilities in an
unbiased manner.
Information Technology Controls
Controls that
support business management and governance as well as provide general and
technical controls over information technology infrastructures such as
applications, information, infrastructure, and people.
Information Technology Governance
Consists of the
leadership, organizational structures, and processes that ensure that the
enterprise’s information technology supports the organization’s strategies and
objectives.
International Professional Practices Framework
The conceptual framework that organizes the
authoritative guidance promulgated by The IIA. Authoritative
Guidance is comprised of two categories – (1) mandatory and (2) strongly
recommended.
Municipal Act
Municipal Act, 2001, S.O. 2001, CHAPTER 25.
Must
The Standards use the word “must” to specify
an unconditional requirement.
Objectivity
An unbiased mental attitude that allows auditors to
perform engagements in such a manner that they
believe in their work product and that no quality compromises are made.
Objectivity requires that auditors do not subordinate their judgment on audit
matters to others.
Residual Risk
The risk remaining after management takes action to
reduce the impact and likelihood of an adverse event, including control
activities in responding to a risk.
Risk
The possibility of an event occurring that will
have an impact on the achievement of objectives. Risk is measured in terms of
impact and likelihood.
Risk Appetite
The level of risk
that the City is willing to accept.
Risk Management
A process to identify, assess,
manage and control potential events or situations to provide reasonable
assurance regarding the achievement of the City’s objectives.
Should
The Standards use the word “should” where
conformance is expected unless, when applying professional judgment,
circumstances justify deviation.
Significance
The relative importance
of a matter within the context in which it is being considered, including
quantitative and qualitative factors, such as magnitude, nature, effect,
relevance, and impact. Professional judgment assists auditors when evaluating
the significance of matters within the context of the relevant objectives.
Standard
A professional pronouncement promulgated by the
Internal Audit Standards Board that delineates the requirements for performing
a broad range of internal audit activities, and for evaluating internal audit
performance. Standards were modified and
approved by Council.
Technology-based Audit Techniques
Any automated audit tool, such as generalized audit
software, test data generators, computerized audit programs, specialized audit
utilities, and computer-assisted audit techniques (CAATs).