2 2 1 Non-Audit Services
10 Pages
English

2 2 1 Non-Audit Services

-

Downloading requires you to have access to the YouScribe library
Learn all about the services we offer

Description

2.2.1 Non-Audit Services 1Office of the City AuditorPolicies and ProceduresNumber: 2.2.1 Title: Non-Audit ServicesOriginal Date: Revision Date: Approved by:10/11/201004/19/2005 03/09/2011 [Kenneth Mory]I. References:See Government Auditing Standards (also referred to as the GenerallyAccepted Government Auditing Standards, or GAGAS), July 2007 revision,Chapters 1, 2 and 3, in particular, sections 1.33-1.34, 3.02, 3.20-3.30,and A3.02-A3.03.Related OCA policies include OCA Policy 3.8.1, Selecting Special RequestProjects; OCA Policy 3.8.2, Conducting Special Request Projects, and thepolicies in Section 4 of the OCA Policy Manual which collectively addressprojects of the City Auditor’s Integrity Unit (CAIU).II. PolicyA. Prior to performing any non-audit service, OCA shall considerwhether the performing the non-audit service under considerationwould create a personal, external or organizational impairment, infact or appearance, and proceed accordingly. This willinclude the application of two overarching principles as follows:(GAGAS 3.22)1. Audit organizations must not provide non-audit services thatinvolve performing management functions or makingmanagement decisions, and2. Audit organizations must not audit their own work or providenon-audit services in situations where the non-audit servicesare the type that would create an independence impairment andare significant or material to the subject matter of audits.B. If OCA makes the determination ...

Subjects

Informations

Published by
Reads 20
Language English

2.2.1 Non-Audit Services 1
Office of the City Auditor
Policies and Procedures
Number: 2.2.1 Title: Non-Audit Services
Original Date: Revision Date: Approved by:
10/11/2010
04/19/2005 03/09/2011 [Kenneth Mory]
I. References:
See Government Auditing Standards (also referred to as the Generally
Accepted Government Auditing Standards, or GAGAS), July 2007 revision,
Chapters 1, 2 and 3, in particular, sections 1.33-1.34, 3.02, 3.20-3.30,
and A3.02-A3.03.
Related OCA policies include OCA Policy 3.8.1, Selecting Special Request
Projects; OCA Policy 3.8.2, Conducting Special Request Projects, and the
policies in Section 4 of the OCA Policy Manual which collectively address
projects of the City Auditor’s Integrity Unit (CAIU).
II. Policy
A. Prior to performing any non-audit service, OCA shall consider
whether the performing the non-audit service under consideration
would create a personal, external or organizational impairment, in
fact or appearance, and proceed accordingly. This will
include the application of two overarching principles as follows:
(GAGAS 3.22)
1. Audit organizations must not provide non-audit services that
involve performing management functions or making
management decisions, and
2. Audit organizations must not audit their own work or provide
non-audit services in situations where the non-audit services
are the type that would create an independence impairment and
are significant or material to the subject matter of audits.
B. If OCA makes the determination that the non-audit service violates
one or both of the overarching principles, then OCA shall decline to
perform the work.
C. If OCA determines that neither overarching principle is violated,
then OCA shall further evaluate the non-audit service under
consideration and shall document the results as appropriate.2 Section 2 Service Plan
D. As described in OCA Policy 1.3, Professional Standards, non-audit
projects undertaken by OCA shall be conducted in accordance with
the GAGAS general standards at a minimum.
III. Purpose
To establish independence guidelines and other requirements for non-
audit services in order to comply with the standards stated in the United
States Government Accountability Office’s Government Auditing
Standards.
IV. Definitions
A. Non-audit services – Professional services provided by auditors or
audit-investigators other than audit services. Examples include
special request projects from City Council members, integrity
investigations, fraud detection projects, control review projects, risk
assessments that do not fully comply with GAGAS, and management
assistance projects. Non-audit services generally fall into three
categories:
1. Services that do not impair independence – generally
referred to as technical advisory services – These are services
in which auditors provide technical advice based on their
technical knowledge and expertise. These services do not
impair auditor independence, unless the extent or nature of the
advice results in the auditors making management decisions or
performing management functions. These services may be
performed without implementing supplemental safeguards.
Examples include:
a. participating in committees or task forces as an expert in a
purely advisory, non-voting capacity;
b. providing tools and methodologies for use by management,
such as guidance on best practices, benchmarking studies,
and internal control assessment methodologies;
c. providing targeted and limited technical advice to assist
management in implementing audit recommendations or
internal controls;
d. providing assistance and technical expertise to legislative
bodies;
e. developing and administering surveys and reporting the
results as an independent third party;
f. providing audit, investigative, and oversight-related services
which could be performed as an audit of the audit
organization chose to do so, such as:
i. performing investigations of alleged fraud, contract
violations, or abuse;
ii. review-level work such as sales tax
reviews to determine whether all taxes due have been
received;
iii. performing follow-up on audit recommendations;
g. See GAGAS 3.26-3.27 and A3.02-A3.03 for other examples.2.2.1 Non-Audit Services 3
2. Services that do not impair independence if supplemental
safeguards are implemented – These are services that may
impair independence unless safeguards are taken to maintain
independence. Examples include
a. providing human resources services to assist management in
its evaluation of potential candidates; and
b. providing advisory services on information technology limited
to services such as advising on system design, system
installation, and system security.
c. See GAGAS 3.28 for other examples.
3. Services that impair independence – These are services that
directly support the entity’s operations and impair the audit
organization’s ability to meet either or both of the overarching
independence principles. Supplemental safeguards will not
overcome independence impairments, and these services shall
be avoided. Examples include
a. maintaining or preparing the audited entity’s basic
accounting records;
b. designing, developing, installing, or operating information
systems that are material or significant to the subject matter
of audits; or
c. developing an entity’s policies, procedures, and internal
controls.
d. See GAGAS 3.29 for other examples.
B. Supplemental safeguards – Steps which must be taken to protect
against impairment in fact or appearance when performing certain
non-audit services other than technical advisory services. Even for
technical advisory services, auditors may elect to apply the
supplemental safeguards, if there is a risk of the appearance of
independence impairment. See specific requirements under
Procedures step B.2.
C. Non-audit project checklist – Internally-generated form containing
selected compliance-related requirements to be completed for each
non-audit project to demonstrate compliance with OCA policies and
procedures, the OCA Quality Control System, and with GAGAS, as
appropriate.4 Section 2 Service Plan
V. Procedures
A. When the City Auditor is considering a non-audit service or project,
the City Auditor shall assign an Assistant City Auditor (ACA) to
evaluate and initiate the engagement.
B. The ACA, with input from the AIC, shall review GAGAS and
determine whether the non-audit service is one which can be
performed without compromising independence by violating either or
both of the overarching principles described above. The AIC shall
document the consideration of performing the non-audit service for
each non-audit service performed, using the Consideration of Non-
Audit Services form (Attachment A), and document the rationale for
the determinations made.
1. If the work would violate one or both of the overarching
principles, then OCA shall decline to perform the work.
2. If the work may impair independence unless safeguards are
taken to maintain independence, the ACA/AIC and OCA
management shall implement supplemental as
follows:
a. The AIC will establish and document an understanding
with management that includes the:
i. Objectives,
ii. Scope of work,
iii. Product or deliverable(s) of the service, and
iv. Management’s responsibility for the subject matter,
outcomes and decision-making associated with the
service. This understanding will be included with the
engagement letter (see the “Management Agreement”
form provided in Attachment B). Note that for advisory
services on information technology, management should
also specifically acknowledge responsibility for the
design, installation, and internal control over the
entity’s system and not rely on the auditors’ work as the
primary basis for determining (1) whether to implement
a new system, (2) the adequacy of the new system
design, (3) the adequacy of major design changes to an
existing system, and (4) the adequacy of the system to
comply with regulatory or other requirements.
b. OCA management will not reduce the scope and extent of
future audit work below the level that would be appropriate
if an unrelated party performed the non-audit work; and
c. OCA management will preclude staff who provide the non-
audit service from planning, conducting, or reviewing audit
work in the subject matter of the non-audit service for at
least two calendar years from the completion of the non-
audit service.2.2.1 Non-Audit Services 5
C. The AIC is responsible for developing a project plan containing the
objectives, applicable standards, description of the work that will be
done, the budgeted hours, and the estimated completion date.
D. The ACA, in consultation with the DCA, is responsible for approving
the project plan, for ensuring that the project and project
documentation meet relevant Government Auditing Standards and
internal OCA standards, and for making this documentation
available to any peer review.
E. The AIC is responsible for tracking the hours of the project to ensure
that it does not exceed the budgeted hours without proper
notification being made.
F. The AIC is responsible for documenting the engagement as required
by this policy and ensuring that documentation meets Governing
Auditing Standards and internal OCA standards for quality.
Working papers for the non-audit service shall include, at a
minimum, the following documentation:
1. Documentation in the work papers which demonstrates
verification of independence of staff assigned to the project, if
applicable. Verification will include a review of the “Annual
Independence Statement prepared by each assigned staff
member, updated as necessary, and review of the “Memorandum
to Document Staff Competence and Independence”, updated as
necessary. (NOTE: Independence may not be applicable for
certain management assistance projects which are performed
under a agreement, as described in B.2. above.)
2. The Consideration of Non-Audit Services form, with supporting
documentation of the rationale for the determination made;
3. The project plan;
4. A copy of the final output, or if no output is issued, a
concluding memo describing the project/service;
5. Workpapers supporting the final output; and
6. A completed Non-audit project checklist (see Attachment C).
Note: This requirement does not apply to CAIU projects.
G. The AIC and ACA are responsible for ensuring that reports or final
outputs for non-audit services do not state that the non-audit
services were conducted in accordance with GAGAS. Auditors
should communicate, as appropriate, with requestors and those
charged with governance to clarify that the scope of work performed
does not constitute an audit under GAGAS. (See GAGAS 1.33) The
AIC and ACA are responsible for obtaining DCA review and input on
any reports or final outputs and CA approval before issuance.
H. The AIC and ACA are also responsible for ensuring that all other
applicable policies are followed, including CAIU policies contained in6 Section 2 Service Plan
section 4 of the OCA Policy Manual and Special Request policies
found in section 3 of the OCA Policy Manual.2.2.1 Non-Audit Services 7
[Project #] [Project Name]
CONSIDERATION OF NON-AUDIT SERVICES (Attachment A to Policy 2.2.1)
For Non-Audit Projects:
I have considered the proposed non-audit services with regard to the overarching
principles listed below:
(1) Audit organizations should not provide non-audit services that involve
performing management functions or making management decisions, and
(2) Audit organizations should not audit their own work or provide non-audit
services in situations where the non-audit services are significant or
material to the subject matter of audits.
It is my determination that the performance of this non-audit service:
□ Violates the overarching principles.
□ Does not violate the overarching principles.
It is my determination that the non-audit service:
□ Is an activity which can be performed without compromising independence and
does not require that supplemental safeguards be used. Appropriate
standards will be followed.
□ Is an activity which can be performed without compromising independence, if
supplemental safeguards are used.
□ I have followed the additional safeguards required by the standards and
documented an agreement with management regarding OCA’s and
management’s roles in the non-audit service.
□ Is an activity which cannot be performed without compromising independence,
even if supplemental safeguards are used.
With regard to this non-audit service:
□ OCA has declined to perform the work.
□ OCA has accepted the engagement.
I have documented OCA’s rationale for these determinations in WP # _____________.
Auditor-In-Charge: _____________________________________ Date: ___________
Assistant City Auditor: __________________________________ Date: ___________
Prepared: Reviewed: Index: Axxx8 Section 2 Service Plan
[Project #] [Project Name]
MANAGEMENT AGREEMENT (Attachment B to Policy 2.2.1)
Purpose: To document an understanding with management of OCA’s independence and
management’s responsibilities with respect to non-audit services in compliance with
Government Auditing Standards. The management of the entity listed in this agreement is
responsible for the subject matter of the engagement as well as the substantive outcomes of
the work performed under this agreement, and, therefore, has a responsibility to be in a
position, in fact and appearance, to make an informed judgment on the results of the non-audit
service.
Department: __________________________________________________________
Project: __________________________________________________________
Time Frame: __________________________________________________________
Objectives: __________________________________________________________
__________________________________________________________
Scope: __________________________________________________________
__________________________________________________________
Deliverables: __________________________________________________________
__________________________________________________________
OCA staff assigned: ___________________________________________________
Management staff: ___________________________________________________
(Designee responsible for overseeing the non-audit service)
Management will:
Establish and monitor the performance of the non-audit service to ensure that it
meets management’s objectives.
Make any decisions that involve management functions related to the non-audit
service and accept full responsibility for such decisions.
Evaluate the adequacy of the services performed and any findings that result.
Management Representative: ____________________________ Date: ___________
OCA Representative: ___________________________________ Date: ___________
Prepared: Reviewed: Index: Axxx2.2.1 Non-Audit Services 9
NON-AUDIT SERVICES PROJECT CHECKLIST (Attachment C to Policy 2.2.1)
Purpose: To document compliance with OCA policies and GAGAS for Non-Audit Projects
AVAILABLE AT G:\SHARED RESOURCES\Audit Project Templates\Templates
Note: Judgment should be exercised in determining the applicable requirements and schedule for the items
below, based on the nature of the non-audit service being provided. Not all items will be required for all
projects. The ACA will determine and approve applicable requirements.
Page 1 of 2
COMPLETED# PHASE REQUIRED ITEM WP COMMENTS ON
(Yes/No)INDEX EXCEPTIONS
1 General Table of Contents (TOC) for each binder (refer To be updated asA100,
to templates) the audit progressesetc
2 General CD with Electronic Workpapers
3 General Listing of all binders with brief description of A101
contents
4 General Consideration of Non-Audit Services (See A104
Policy 2.2.1 Attachment A)
5 General Independence statement (See Policy 3.1.2) A105
6 General Management Agreement, if needed, as A106
determined by step 4 (See Policy 2.2.1
Attachment B)
FIELDWORK
7 Fieldwork Notification(s) of non-audit A108
(entrance/engagement letter), as appropriate
8 Fieldwork Conduct and document Entrance conference(s)
, as appropriate
9 Fieldwork Develop Project Plan that includes:
(a) the objectives,
(b) applicable standards,
(c) description of the work to be done,
(d) the budgeted hours, and
(e) the estimated completion date.
10 Fieldwork Documented substantive review of Project Plan
by ACA and DCA
11 Fieldwork Perform and document completion of tasks
related to the project plan
12 Fieldwork Develop summaries as needed - from interviews
or document reviews, to explain a spreadsheet,
or as a first step to report outline or draft
13 Fieldwork Review and cross reference results of the
project to supporting documents
14 Fieldwork Cross-reference project plan to supporting
documents
15 Fieldwork Communicate with OCA management and the
Auditee management as needed, following no
surprises policy of communicating concerns10 Section 2 Service Plan
Page 2 of 2
COMPLETED# PHASE REQUIRED ITEM WP COMMENTS ON
(Yes/No)INDEX EXCEPTIONS
REPORTING
16 Reporting If appropriate, develop and get
approval of an outline for the final
output or report.
17 Reporting Prepare written product or report.
The report should include, as
appropriate:
(a) O,S, and M;
(b) Results of the Project Work;
(d) Qualifying statement that the
engagement is not an audit;
(e) Views and plans of responsible
officials, if applicable.
18 Reporting Document ACA, DCA, and CA review
of draft report or product
19 Reporting Line Edit review for conformance to
Style Manual and general readability
20 Reporting Provide Draft output to Management
prior to AFC, as appropriate.
21 Reporting Cross-reference the report or product,
review and clear review comments and
changes and submit to ACA before
AFC.
22 Reporting Provide Report Manuscript or output to
Admin staff before AFC, if applicable
23 Reporting As appropriate, document a Report
distribution list, and distribute
report/output accordingly.
24 Reporting If errors are discovered in published
report or product, issue corrections as
needed per Policy 3.5.6
CLOSEOUT
25 Closeout Send Project Output Reporting Form A107
(available in templates) to OCA Admin
for posting to PAS database
26 Closeout Time accounting final project report
27 Closeout Binders reviewed and signed off
28 Closeout Performance appraisals administered
29 Closeout Request project folder be made "read
only"
30 Closeout Request to close TAS code
AIC INITIALS AND DATE:
I have reviewed to ensure that checklist is complete and exceptions noted are appropriate & approved.
ACA INITIALS AND DATE:

)