Acquiring Knowledge of Business
The early stage of planning a performance audit requires that auditors develop a sound understanding of the nature, objectives, and activities of the organization or organizations that will be audited. This involves obtaining basic information on an organization’s mandate, organizational structure, accountability relationships, programs, resources, key risks, past performance, and so on. It also means gathering more detailed information on specific systems and practices in areas that auditors are particularly interested in, including oversight.
Since oversight is a subset of governance, it is usually beneficial for auditors who want to focus on oversight to first develop a good understanding of the full governance structure of an agency, a board or an authority. This includes obtaining information on the structure and operation of the board of directors (or governing council) and all its committees. Table 3 provides a list of questions that auditors can seek answers to early in the audit. The required information can often be found easily in legislation, bylaws, annual reports, or organization websites. Auditors can also ask management for any missing information. It should not be necessary at this point to interview board members to obtain the required information.
Table 3 – Questions About the Governance of an Agency, a Board or an Authority
|
- How many directors sit on the board?
- For how long can directors serve on the board?
- What is the process to appoint new directors?
- Do board members receive training or orientation on their roles and responsibilities?
- Is there a board charter?
- Are board and corporate policies (such as a code of conduct) documented?
- Is there a board profile or a skills matrix?
- How many committees does the board have? What are the respective roles of the board committees? How often do the various committees meet?
- Are board minutes publicly available? Are records of committee meetings kept on file?
- Are board self-assessments conducted regularly?
- Who does the board report to and what information does it provide?
- What performance expectations has the government specified for the organization? What key outcomes are expected? What would be the impact of not meeting expectations?
- In addition to the President or CEO, how many senior executive positions are there? What are their respective roles and responsibilities?
|
Once auditors have a good understanding of the basic governance structure of the agency, board or authority they have selected, they can move to the next step, which is gaining a better understanding of the organization’s oversight roles and responsibilities and how they are being discharged in practice. In other words, how are things supposed to be and how are they in reality? Figure 11 presents an overall oversight framework that auditors can refer to when they develop their knowledge of business questions.
Figure 11
Overall Oversight Framework
At this stage of the audit process, auditors can ask questions to get an overview of an organization’s oversight regime without having to conduct extensive research and file reviews. Auditors typically ask more detailed questions that would require in-depth review and testing of evidence in the audit’s examination phase.
Knowledge of business questions specific to oversight responsibilities can be divided in two broad categories: structures and systems (Table 4) and the results and effectiveness of the oversight regime (Table 5). While this distinction is practical and often easily made, it does not work in all situations; there are usually links between systems and results and, in some cases, it may be hard to say where systems stops and where results begin.
Conducting this preliminary audit work will help auditors to draw an overall picture of the oversight in the agency, board or authority they have selected. It will also help them determine what the most important oversight functions and activities are and why. Equipped with this information, auditors will be able to start considering where the audit could fall on the spectrum of audits of oversight.
Table 4 – Knowledge of Business: Questions on Oversight Structure and Systems
|
- What are the key oversight bodies? How many members do they include? Who are they accountable to? Has the government formally provided the oversight body with clear performance expectations and information on the key outcomes to be achieved?
- Do oversight bodies have clear mandates that set out their authority to conduct specific oversight functions? What are these oversight functions? How are they organized?
- What are the specific oversight roles and responsibilities of the members of oversight bodies?
- Are there independence requirements for oversight bodies and their members? Are the oversight functions organizationally independent of management? Are there processes in place to manage conflicts of interest and other threats to independence?
- Is there a board profile or similar document that makes explicit the skills, knowledge, and experience that board members should possess in order to exercise their oversight roles and responsibilities? How does the board ensure that its members collectively meet these skills, knowledge, and experience requirements? Does the board make use of independent subject matter experts to supplement any identified skills/experience gaps?
- What information do oversight bodies need to make informed decisions? Have those needs been documented and communicated to management? What systems has management put in place to help produce the required information?
- Has the oversight body established a system to monitor the performance of important oversight activities or functions?
- What resources are allocated to oversight bodies each year? Are there significant resource gaps?
|
Table 5 – Knowledge of Business: Questions on Results and Effectiveness
|
- Are the oversight bodies receiving the information they request from management? If yes, is this information of good quality?
- How do oversight bodies obtain assurance that their organization is in compliance with laws, regulations, bylaws, and the organization’s code of ethics? Is compliance monitored regularly?
- Has the oversight body (or governance body) adopted a risk management policy? Has the oversight body ensured that adequate risk management practices exist within the organization? Is the oversight body aware of the key risks facing the organization? Are risk profiles and risk mitigation strategies prepared by management regularly reviewed by the oversight body?
- Is there a process in place for the oversight body to monitor the implementation of recommendations of internal audits and evaluations? Are actions taken in response to the recommendations of internal audits and evaluations?
- Are the results of important oversight activities or functions measured? Is performance information available? Is performance data gathered, used, and reported?
- What performance information is reported by oversight bodies and functions to fulfill their accountability responsibilities? Is the information reported complete and transparent? That is, do the reports include sufficient information for readers to be able to understand key results and evaluate organizational performance?
- Does the board or council periodically evaluate its performance in discharging its oversight roles and responsibilities?
- How do the different oversight functions within the organization interact and collaborate?
|