Audit Agenda - 2023-09-25
Financial Services Department
www.kitchener.ca

REPORT TO: Audit Committee
DATE OF MEETING: September 25, 2023
SUBMITTED BY: Katie Fischer, Director, Financial Reporting and ERP Solutions, 519-741-2200 ext. 4630
PREPARED BY: Greg Demacio, Manager, Financial Reporting and Analysis, 519-741-2200 ext. 7895
WARD(S) INVOLVED: All
DATE OF REPORT: September 15, 2023
REPORT NO.: FIN-2023-413
SUBJECT: External Audit Planning Report for Fiscal Year 2023

RECOMMENDATION:
That the Audit Planning Report for the year ended December 31, 2023 prepared by KPMG, attached as Attachment A to report FIN-2023-413 be approved.

REPORT HIGHLIGHTS:
- The purpose of this report is to approve the 2023 audit plan, auditors (KPMG).
- The approach being proposed is consistent with previous years.
- This report supports the delivery of core services.

BACKGROUND:
Item 4 (d) of the Audit Committee Terms of Reference states that one of the responsibilities of communication between the external auditor and the Audit Committee to ensure that both groups are kept up to date on changes in the organization, changes in the accounting/regulatory environment and their related risks. Committee twice annually. This is the first of those meetings for the 2023 fiscal year. A second meeting will be held once their audit is complete to present results and offer an opportunity for questions.

REPORT:
KPMG will present their Audit Planning Report. Please see attache Corporation of the City of Kitchener Audit Planning Report for the year ended December 31, 2023

STRATEGIC PLAN ALIGNMENT:
This report supports the delivery of core services.

*** This information is available in accessible formats upon request. *** Please call 519-741-2345 or TTY 1-866-969-9994 for assistance.

FINANCIAL IMPLICATIONS:
None.

COMMUNITY ENGAGEMENT:
INFORM council / committee meeting.
It will provide the public with information to assist them in understanding the scope of the external audit to take place in the sprin consolidated financial statements for the year ended December 31, 2023, will be the subject of this audit. The 2023 audited consolidated financial statements, once completed and approved, will be posted on the City website and notice will be provided to all residents through a widely distributed newspaper in accordance with Section 295 (1) of the Municipal Act, 2001.

PREVIOUS REPORTS/AUTHORITIES:
Municipal Act, 2001

APPROVED BY: Jonathan Lautenbach, Chief Financial Officer, Financial Services

ATTACHMENTS:
Attachment A - The Corporation of the City of Kitchener Audit Planning Report for the year ended December 31, 2023

The Corporation of the City of Kitchener
Audit Planning Report for the year ended December 31, 2023
Prepared as of September 6, 2023 for presentation to the Audit Committee on September 25, 2023
kpmg.ca/audit

KPMG contacts
Key contacts in connection with this engagement
- Matthew Betik, Lead Audit Engagement Partner, 519-747-8245, mbetik@kpmg.ca
- Courtney Cheal, Lead Senior Manager, 519-747-8884, ccheal@kpmg.ca

Table of contents
- Highlights
- Audit strategy
- Audit strategy - Group audit
- Risk assessment
- Key milestones and deliverables
- Appendices

The purpose of this report is to assist you, as a member of the Audit Committee, in your review of the plan for our audit of the financial statements. This report is intended solely for the information and use of Management, the Audit Committee, and the Board of Directors and should not be used for any other purpose or any other party.
KPMG shall have no responsibility or liability for loss or damages or claims, if any, to or by any third party as this report to the Audit Committee has not been prepared for, and is not intended for, and should not be used by, any third party or for any other purpose.

Audit highlights
(Legend: No matters to report; Matters to report see link for details)

Scope: Our audit of the consolidated The Corporation of the City of Kitchener and for the year, ended December 31, 2023, will be performed in accordance with Canadian generally accepted auditing standards.

Materiality: $12M

Audit strategy:
- Involvement of others
- Updates to our prior year audit plan

Risk assessment:
- Risk of management override of controls
- Other significant risks
- Presumed risk of fraudulent revenue recognition
- Other risks of material misstatement: Post employment benefits; Tangible capital assets; Obligatory reserve fund revenue and deferred revenue; Asset retirement obligation

Audit strategy - group audit:
- Total assets, Total revenue (% Total work performed)
- Involvement of other KPMG member firms
- Involvement of non-KPMG firms

Materiality

We initially determine materiality at a level at which we consider that misstatements could reasonably be expected to influence the economic decisions of users. Determining materiality is a matter of professional judgement, considering both quantitative and qualitative factors, and is affected by our perception of the common financial information needs of users of the financial statements as a group. We do not consider the possible effect of misstatements on specific individual users, whose needs may vary widely.

We reassess materiality throughout the audit and revise materiality if we become aware of information that would have caused us to determine a different materiality level initially.

Plan and perform the audit
We initially determine materiality to provide a basis for:
- Determining the nature, timing and extent of risk assessment procedures;
- Identifying and assessing the risks of material misstatement; and
- Determining the nature, timing, and extent of further audit procedures.
We design our procedures to detect misstatements at a level less than materiality in individual accounts and disclosures, to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole.

Evaluate the effect of misstatements
We also use materiality to evaluate the effect of:
- Identified misstatements on our audit; and
- Uncorrected misstatements, if any, on the financial statements and in forming our opinion.

Initial materiality
Based on prior year actuals

Materiality: $12M (2022: $10M)
Benchmark: Total 2022 revenues (adjusted for non-recurring Kitchener Power Corp gain): $529M (2021: $482M)

% of Benchmark:
- Total 2021 revenues: 2.1%
- Total 2022 revenues: 2.3%

Other relevant metrics:
- Total 2022 expenses: $420M (2021: $377M)
- Total 2022 net assets: $412M (2021: $310M)

% of Other Relevant Metrics:
- Total net assets 2021: 3.2%
- Total net assets 2022: 2.9%
- Total expenses 2021: 2.6%
- Total expenses 2022: 2.9%

Group audit - Scoping

Type of work performed (share of total assets; share of total revenue):
- Total full-scope audits due to size (City of Kitchener): 85% of total assets; 97% of total revenue
- Tested through stand-alone audits (Enova Energy Corporation, Centre in the Square, Kitchener Public Library, Kitchener Downtown BIA, Belmont BIA, and Kitchener Generation Corporation): 15% of total assets; 3% of total revenue
- Total work performed on consolidated financial statements: 100% of total assets; 100% of total revenue

Audit Scope
Entities and scoping:
- Corporation of the City of Kitchener: Consolidated Audit
- City of Kitchener Gasworks Enterprise (special audit, not considered a component): Stand-alone Audit
- Kitchener Public Library: Stand-alone Audit
- The Centre in the Square Inc.: Stand-alone Audit
- Kitchener Downtown Improvement Area: Stand-alone Audit
- Belmont Improvement Area: Stand-alone Audit
- Enova Energy Corporation: Stand-alone Audit
- The Trust Funds of the Corporation of the City of Kitchener (special audit, not consolidated within the City of Kitchener financial statements): Stand-alone Audit

Risk assessment summary

Our planning begins with an assessment of risks of material misstatement in your financial statements. We draw upon our understanding of the Company and its environment (e.g. the industry, the wider components of its system of internal control, including our business process understanding.

(Table columns: Risk of fraud; Risk of error; PY risk rating)
- Management Override of Controls: Significant
- Post employment benefits: Elevated
- Tangible capital assets: Base
- Obligatory reserve funds and deferred revenue: Elevated
- Asset retirement obligations: Elevated

(Legend: SIGNIFICANT RISK; PRESUMED RISK OF MATERIAL MISSTATEMENT; OTHER RISK OF MATERIAL MISSTATEMENT)

Advanced technologies
- Our KPMG Clara Dynamic Risk Assessment tool gives us a more sophisticated, forward-looking and multi-dimensional approach to assessing audit risk.
- Our KPMG Clara Business Process Mining provides immediate visualization of how 100% of your transactions are processed to complement your process narratives & flow charts.
- KPMG Clara Account Analysis allows us to analyze the flow of transactions through your business to drive a more meaningful risk assessment.
- The Clara Asset Impairment Tool delivers advanced analysis of long-lived assets and goodwill impairment models (based on discounted cash flows) through the use of predictive analytics, enabling a more robust assumptions.

Significant risks

RISK OF FRAUD: Management Override of Controls (non-rebuttable significant risk of material misstatement)
Presumption of the risk of fraud resulting from management override of controls

Why is it significant?
Management is in a unique position to perpetrate fraud because of its ability to manipulate accounting records and prepare fraudulent financial statements by overriding controls that otherwise appear to be operating effectively. Although the level of risk of management override of controls will vary from entity to entity, the risk nevertheless is present in all entities.

Our planned response
As this presumed risk of material misstatement due to fraud is not rebuttable, our audit methodology incorporates the required procedures in professional standards to address this risk. These procedures include:
- testing of journal entries and other adjustments,
- performing a retrospective review of estimates
- evaluating the business rationale of significant unusual transactions.

Advanced technologies
Our KPMG Clara Journal Entry Analysis Tool assists in the performance of detailed journal entry testing based on engagement-specific risk identification and circumstances. Our tool provides auto-generated journal entry population statistics and focusses our audit effort on journal entries that are riskier in nature.
Other risks of material misstatement
(Table columns: Areas; Level of risk due to error; Our planned response)

Post-employment benefits
Level of risk due to error: Elevated
We are focusing on this area due to this being an estimate with significant judgment used by management and there is complexity of the accounting guidance.
Our planned response:
- Assess the reasonableness of assumptions used;
- Test the reasonableness of the underlying data, including employee populations; and
- We will also use the work of Mondelis Actuarial (actuarial consultant) in our audit of the accounts and disclosures

Tangible capital assets
Level of risk due to error: Base
We are focusing on this area due to the significance of the account balances and there is a risk of error in inappropriately recognizing costs as either capital or operating.
Our planned response:
- Discuss capitalization policies and their application with management;
- Test a sample of capital additions to ensure existence and accuracy of additions; and
- Test items recorded as repairs and maintenance or other similar accounts to ensure completeness of capital additions

Obligatory reserve fund revenue and deferred revenue
Level of risk due to error: Elevated
We are focusing on this area due to revenue recognized from development charge reserve fund is subject to judgment as capital projects must be growth related in nature
Our planned response:
- Perform substantive testing over amounts being recognized as revenue by ensuring the projects which the development charges are allocated to are appropriate and the related expenditure has incurred; and
- Perform substantive testing over the collections of development charges recorded in the deferred revenue account

Asset retirement obligations
Level of risk due to error: Elevated
We are focusing on this area due to the new accounting standards as well as the estimation uncertainty within the obligation.
Our planned response:
- appropriate and in compliance with Public Sector Accounting Standards;
- Test a sample of obligations to ensure the accuracy and existence of the obligation is appropriate;
- Test a sample of assets that have no obligation attached to them to ensure the completeness of the overall obligation; and
- Review journal entries to record initial obligation as at transition date

Key milestones and deliverables

July-Sept 2023: Planning & Risk Assessment
- Debrief prior year with management
- Kick-off with management
- Planning and initial risk assessment procedures, including:
  - Involvement of others
  - Identification and assessment of risks of misstatements and planned audit response for certain processes
- Inquire of the Audit Committee, management and others within the Company about risks of material misstatement
- Complete group audit scoping

Oct - Dec 2023: Interim work
- Obtain and update an understanding of the Company and its environment internal control, other than the control activities component
- Perform process walkthroughs for applicable business processes
- Identify process risk points for applicable business processes
- Evaluate D&I of controls for business processes (control activity component)
- Perform interim substantive audit procedures
- Perform site visits
- Provide update on audit progress

March - June 2024: Final Fieldwork & Reporting
- Complete year-end data extraction and processing activities
- Perform remaining substantive audit procedures
- Evaluate results of audit procedures, including control deficiencies and audit misstatements identified
- Review financial statement disclosures
- Present audit results to the Audit Committee and perform required communications
- Issue audit report on financial statements
- Closing meeting with management
- Filing date: Issue audit reports on financial statements

Appendices
- Required communications
- New auditing standards
- Continuous evolution
- Use of technology
- Changes in accounting standards
- Audit quality
- Insights

Appendix: Engagement letter

Appendix: Other required communications

CPAB communication protocol
The reports available through the following links were published by the Canadian Public Accountability Board to inform Audit Committees and other stakeholders about the results of quality inspections conducted over the past year:
- CPAB Audit Quality Insights Report: 2021 Annual Inspections Results
- CPAB Audit Quality Insights Report: 2022 Interim Inspections Results
- CPAB Audit Quality Insights Report: 2022 Annual Inspections Results

KPMG Clara: A better audit experience

Streamlined client experience
And deeper insights into your business, translating to a better audit experience.

Secure
A secure client portal provides centralized, efficient coordination with your audit team.

Intelligent workflow
An intelligent workflow guides audit teams through the audit.
Increased precision Advanced data analytics and automation facilitate a risk-based audit approach, increasing precision and reducing your burden. 16 HighlightsAudit strategyAudit strategy Group auditRisk assessmentKey milestones and deliverablesAppendices Appendix: Audit quality: How do we deliver audit quality? Qualityessentially means doing the right thing and remains our highest priority. Our Global Quality Framework outlines how we deliver quality and how every partner and staff member contributes to its delivery. Perform qualityengagementsits at the core along with our commitment to continually monitor and remediate to fulfil on our quality drivers. Ourquality value drivers are the cornerstones to our approach underpinned by the supporting drivers and give clear direction to encourage the right behaviours in delivering audit quality. KPMG 2022 Audit Quality and Transparency Report audits are executed consistently, in line with the requirements and intent of applicable professional standardswithin a strong system of quality management; and all of our related activities are undertaken in an environment of the utmost level of objectivity, independence, ethics andintegrity. 17 HighlightsAudit strategyAudit strategy Group auditRisk assessmentKey milestones and deliverablesAppendices Appendix: Audit quality -Indicators (AQIs) The objective of these measures is to provide more in-depth information about factors that influence audit quality within an audit process. Below are the AQIs that we have agreed withmanagement are relevant for the audit. We would like to obtain agreement of the Audit Committee that these are the relevantAQIs. We will communicate the status of the below AQIs on an annualbasis. 
Technology in the audit Team compositionEngagement hours Experience of the team Hours spent by level and phase Implementation of Technology in the Audit of the audit Role number of years experience in the Increase in use of technology in the audit industry, number of years on this year over year Number and percentage of hours incurred by engagement Partner by significant risk Number and percentage of hours incurred by Senior Managers and Managers by significant risk Number and percentage of hours incurred by audit staff and seniors by significant risk Timing of prepared by Quality reviews Number and percentage of hours incurred by client (PBC) items professionals with specialized skills by significant risk Timeliness of PBC items Results of internal and external reviews Number of timely and overdue items received Number and nature of findings specific to the by the audit team. audit engagement Nothing to reportSome matters to reportSpecific matters to report 18 HighlightsAudit strategyAudit strategy Group auditRisk assessmentKey milestones and deliverablesAppendices For more information on newly effective and upcoming changes to auditing standards Appendix: Newly effective and upcoming -see Current Developments changes to auditing standards Effective for periods beginning on or after December 15, 2022 ISA/CAS 220ISQM1/CSQM1ISQM2/CSQM2 (Revised) Quality Quality management for Engagement quality management for an firms that perform audits or reviews audit of financial reviews of financial statementsstatements or other assurance or related services engagements Effective for periods beginning on or after December 15, 2023 ISA 600/CAS 600 Revised special considerations Audits of group financial statements 19 HighlightsAudit strategyAudit strategy Group auditRisk assessmentKey milestones and deliverablesAppendices Appendix : Changes in accounting standards StandardSummary and implications Asset retirement The new standard PS 3280 Asset retirement obligationsis effective 
for fiscal years beginning on or after April 1, 2022. obligations The new standard addresses the recognition, measurement, presentation and disclosure of legal obligations associated with retirement of tangible capital assets. Retirement costs will be recognized as an integral cost of owning and operating tangible capital assets. re costs of any legal obligations to dedto the historical cost of the asset and amortized over its useful life if the asset is in productive use. As a result of the new standard, the public sector entity will: Consider how the additional liability will impact net debt, as a new liability will be recognized with no corresponding increasein a financial asset; Carefully review legal agreements, senior government directives and legislation in relation to all controlled TCA to determine if any legal obligations exist with respect to asset retirements; Begin considering the potential effects on the organization as soon as possible to coordinate with resources outside the financedepartment to identify ARO and obtain information to estimate the value of potential ARO to avoid unexpected issues. Financial The new standards PS 3450 Financial instruments, PS 2601 Foreign currency translation, PS 1201 Financial statement presentationand PS 3041 instruments and Portfolio investmentsare effective for fiscal years beginning on or after April 1, 2022. foreign currency Equity instruments quoted in an active market and free-standing derivatives are to be carried at fair value. All other financialinstruments, including bonds, translation ecognition of the financial instrument and is irrevocable. Hedge accounting is not permitted. A new statement, the Statement of Remeasurement Gains and Losses, will be included in the financial statements. Unrealized gainsand losses incurred on fair value accounted financial instruments will be presented in this statement. Realized gains and losses will continue tobepresented in the statement of operations. 
PS 3450 Financial instruments was amended subsequent to its initial release to include various federal government narrow-scope amendments. 20 HighlightsAudit strategyAudit strategy Group auditRisk assessmentKey milestones and deliverablesAppendices Appendix : Changes in accounting standards (continued) StandardSummary and implications RevenueThe new standard PS 3400 Revenueis effective for fiscal years beginning on or after April 1, 2023. The new standard establishes a single framework to categorize revenue to enhance the consistency of revenue recognition and its measurement. The standard notes that in the case of revenue arising from an exchange transaction, a public sector entity must ensure the recognition of revenue aligns with the satisfaction of related performance obligations. The standard notes that unilateral revenue arises when no performance obligations are present, and recognition occurs when thereis authority to record the revenue and an event has happened that gives the public sector entity the right to the revenue. Purchased The new Public Sector Guideline 8 Purchased intangiblesis effective for fiscal years beginning on or after April 1, 2023 with earlier adoption permitted. Intangibles The guideline allows public sector entities to recognize intangibles purchased through an exchange transaction. The definition of an asset, the general recognition criteria and GAAP hierarchy are used to account for purchased intangibles. Narrow scope amendments were made to PS 1000 Financial statement conceptsto remove the prohibition to recognize purchased intangibles and to PS 1201 Financial statement presentation to remove the requirement to disclose purchased intangibles not recognized. The guideline can be applied retroactively or prospectively. Public Private The new standard PS 3160 Public private partnershipsis effective for fiscal years beginning on or after April 1, 2023. 
Partnerships The standard includes new requirements for the recognition, measurement and classification of infrastructure procured througha public private partnership. The standard notes that recognition of infrastructure by the public sector entity would occur when it controls the purpose and use of the infrastructure, when it controls access and the price, if any, charged for use, and it controls any significant interest accumulated in the infrastructure when the public private partnership ends. The public sector entity recognizes a liability when it needs to pay cash or non-cash consideration to the private sector partner for the infrastructure. The infrastructure would be valued at cost, which represents fair value at the date of recognition with a liability of the same amount if one exists. Cost would be measured in reference to the public private partnership process and agreement, or by discounting the expected cash flows by a discount rate that reflects the time value of money and risks specific to the project. The standard can be applied retroactively or prospectively. 21 HighlightsAudit strategyAudit strategy Group auditRisk assessmentKey milestones and deliverablesAppendices Appendix : Changes in accounting standards (continued) StandardSummary and implications Concepts The revised conceptual framework is effective for fiscal years beginning on or after April 1, 2026 with earlier adoption permitted. Underlying The framework provides the core concepts and objectives underlying Canadian public sector accounting standards. Financial The ten chapter conceptual framework defines and elaborates on the characteristics of public sector entities and their financialreporting objectives. Performance Additional information is provided about financial statement objectives, qualitative characteristics and elements. General recognition and measurement criteria, and presentation concepts are introduced. 
Financial Statement The proposed section PS 1202 Financial statement presentationwill replace the current section PS 1201 Financial statement presentation.PS 1202 PresentationFinancial statement presentationwill apply to fiscal years beginning on or after April 1, 2026 to coincide with the adoption of the revised conceptual framework. Early adoption will be permitted. The proposed section includes the following: Relocation of the net debt indicator to its own statement called the statement of net financial assets/liabilities, with the calculation of net debt refined to ensure its original meaning is retained. Separating liabilities into financial liabilities and non-financial liabilities. Restructuring the statement of financial position to present total assets followed by total liabilities. Changes to common terminology used in the financial statements, including re-naming accumulated surplus (deficit) to net assets (liabilities). Removal of the statement of remeasurement gains (losses) with the information instead included on a new statement called the statement of changes in net assets (liabilities). This new statement would present the changes in each component of net assets (liabilities), including a new component called A new provision whereby an entity can use an amended budget in certain circumstances. The Public Sector Accounting Board is currently deliberating on feedback received on exposure drafts related to the reportingmodel. 22 HighlightsAudit strategyAudit strategy Group auditRisk assessmentKey milestones and deliverablesAppendices Appendix : Changes in accounting standards (continued) StandardSummary and implications Employee benefitsThe Public Sector Accounting Board has initiated a review of sections PS 3250 Retirement benefits and PS 3255 Post-employment benefits, compensated absences and termination benefits. 
The intention is to use principles from International Public Sector Accounting Standard 39 Employee benefits as a starting point to develop the Canadian standard. Given the complexity of issues involved and potential implications of any changes that may arise from the review of the existingguidance, the new standards will be implemented in a multi-release strategy. The first standard will provide foundational guidance. Subsequent standards will provide additional guidance on current and emerging issues. The proposed section PS 3251 Employee benefitswill replace the current sections PS 3250 Retirement benefitsand PS 3255 Post-employment benefits, compensated absences and termination benefits. It will apply to fiscal years beginning on or after April 1, 2026. Early adoption will be permitted and guidance applied retroactively. This proposed section would result in public sector entities recognizing the impact of revaluations of the net defined benefit liability (asset) immediately on the statement of financial position. Organizations would also assess the funding status of their post-employment benefit plans to determine the appropriate rate for discounting post-employment benefit obligations. The Public Sector Accounting Board is in the process of evaluating comments received from stakeholders on the exposure draft. 23 HighlightsAudit strategyAudit strategy Group auditRisk assessmentKey milestones and deliverablesAppendices Appendix: Insights to enhance your business Learn more We have the unique opportunity as your auditors to perform a deeper dive to better understand your business processes that are relevant to financial reporting. How it works Lean in Audit Typical process and how it's Lean in Audit-winning StandardAudit audited methodology that offers a new way of looking at processes and engaging people within your finance function and organization through the audit. 
By incorporating Lean process analysis techniques TM Applying a Lean lens to Lean inAudit into our audit procedures, we can enhance our perform walkthroughs and understanding of your business processes that are improve Audit quality while relevant to financial reporting and provide you with identifying opportunities to new and pragmatic insights to improve your minimize risks and redundant processes and controls. steps Clients like you have seen immediate benefits such Make the process more as improved quality, reduced rework, shorter How Lean in Audit streamlined and efficient for all processing times and increased employee engagement. helps improve We look forward to working with you to incorporate businesses this approach in your audit. processes Value: whatcustomers Redundant:non-essential Necessary: required want(maximize) activities(remove) activities(minimize) Key controlstested Processcontrols 24 HighlightsAudit strategyAudit strategy Group auditRisk assessmentKey milestones and deliverablesAppendices Appendix: Audit and assurance insights Our latest thinking on the issues that matter most to Audit Committees, board of directors and management. KPMG Audit & Assurance InsightsAccelerate 2023 The key issues driving the audit committee Curated research and insights for audit agenda in 2023. committees and boards. Momentum A quarterly newsletter with the latest thought-leadership Board Leadership Centre from KPMG's subject matter leaders across Canada Leading insights to help board members and valuable audit resources for clients. maximize boardroom opportunities KPMG Climate Change Financial Reporting Resource Centre Our climate change resource center provides insights to help you identify the potential financial statement impacts to your business. Audit Committee Guide Canadian Edition A practical guide providing insight into current challenges and leading practices shaping audit committee effectiveness in Canada. 
25 HighlightsAudit strategyAudit strategy Group auditRisk assessmentKey milestones and deliverablesAppendices Appendix: Continuous evolution Our investment: $5BResponsive delivery modelResult: A better experience We are in the midst of a five-year Tailored to you to drive impactful Enhanced quality, reduced disruption, investment to develop our people, outcomes around the quality and increased focus on areas of higher risk, digital capabilities, and advanced effectiveness of our audits.and deeper insights into your business. technology. Methodology and Approach StandardizationEnhanced audit quality Increased efficiency Automation Data and techCenter forNext-gen enablementAudit Solutionsauditor Exceptional experiences Centralization Quality Management System 26 kpmg.ca © 2023 KPMG LLP, an Ontario limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved. The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global www.kitchener.ca REPORT TO: Audit Committee DATE OF MEETING: September 25, 2023 SUBMITTED BY: Corina Tasker, Internal Auditor, 519-71-2200 ext. 7361 PREPARED BY: Corina Tasker, Internal Auditor, 519-71-2200 ext. 7361 WARD(S) INVOLVED: All DATE OF REPORT: August 30, 2023 REPORT NO.: CAO-2023-385 SUBJECT: 3rd Quarter 2023 Audit Status Report RECOMMENDATION: For information. REPORT HIGHLIGHTS: The purpose of this report is to provide information regarding recent audits. There is one audit included in this report: Accounting and Payroll controls audit. Results of the audit were positive, with no fraud detected. However, opportunities for improvement have been identified. There are no financial implications. advance of the council / committee meeting. This report supports the delivery of core services. 
EXECUTIVE SUMMARY:

The following report provides a summary of the Internal Audit assurance and consulting services completed during the period of July to September 2023. The table below shows the audits contained in this report.

Division / Topic: Accounting and Payroll
Scope: Controls audit

Consulting work is in progress on the following reviews:
- External billable work orders process review
- Training Documentation - process review

The results of the Accounting and Payroll audit show that no fraudulent transactions were found during this audit. Recommendations for improvement relate to the following areas:
- Transaction backup was missing in some cases. Staff should be reminded of their responsibility to substantiate all entries.
- One major control weakness was identified in payroll processes which will be addressed by staff.
- One major deficiency was noted in the ability to reconcile the Revenue debit/credit card entries, which will be addressed by staff as they work to find the root cause of the reconciliation issue.

Recommendations aim to strengthen controls and minimize the opportunity for theft.

BACKGROUND:

The overarching goal of internal audit is . This includes, but is not limited to, protecting the long-term health of the organization, its financial and physical assets, its reputation, its ability to perform critical services and the safety and well-being of employees and citizens.

Internal Audit provides assurance and consulting services in accordance with the International Standards for the Professional Practice of Internal Auditing (Standards), IIA 2012. These services are independent, objective activity designed to add value and improve an or systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Assurance services provide an objective assessment of evidence to provide an independent opinion or conclusions regarding an entity, operation, function, process, system, or other subject matter.

Consulting services are advisory in nature and are generally performed at the specific request of an engagement client. When performing consulting services, the internal auditor should maintain objectivity and not assume management responsibility.

Audit topics are selected independently by the Internal Auditor and approved by Audit Committee on an annual basis. Audit results are brought back to Audit Committee in reports such as this on a quarterly basis as completed.

REPORT:

Accounting and Payroll Controls Audit
Completed: August 30, 2023

Background:
A comprehensive audit of the Accounting and Payroll sections was completed in 2016. A follow-up audit was conducted in 2019. Part of the audit focused on controls within the financial processes. Audit of just the financial controls was then added to the list of recurring assurance audits. This audit was planned for 2021 but due to a variety of factors including workload, staff vacancies, and system upgrades it was postponed until 2023.

Audit Objective:
The overall goal of this review is to document and test various financial controls to ensure assets are adequately protected from fraud, theft, or error.
Scope:
The following areas are within scope for this review:
- SAP Concur controls and reports
- Field orders and parked invoices
- Journal entries
- Duplicate payments
- Payroll ghost employees, retroactive adjustments, off-cycle payments, salary changes
- Bank reconciliations
- Emerging risk areas, if any

The following areas are out of scope for this audit:
- Employee expenses (mileage, parking, VISA, petty cash, non-trade payables)
- Execution of any of the recommendations

Methodology:
The following activities were undertaken to complete this review:
- Review of past audit findings and recommendations
- Staff interviews to document current processes and controls and to identify any emerging risks
- Testing of the in-scope areas
- Testing of emerging risk areas, if any

Findings and Recommendations:

SAP Concur Controls

A new software system called SAP Concur has been implemented since the last Accounting audit. It is used for employee expenses, including both out of pocket and corporate VISA expenses, and it replaces the previous paper-based processes.

The system has many built-in controls to ensure valid business expenses with appropriate support. If the claim fails any of the control checks it will be automatically flagged and returned to the user for correction.

Supervisors should be checking the business reason and receipts for each expense to ensure they are valid business expenses, since they are ultimately accountable for all expenses charged to their budget. However, in order to review the receipts, they must drill down into the expense item or hover over it to see the detail.

Following the management approval, any claims with the following types of transactions will be routed to the Accounting Clerk for a further audit before releasing for payment or posting:
- Out of pocket transactions
- Conferences
- Mileage
- Parking
- Council expenses

All other claims will flow directly for posting.
SAP Concur has several reports which can be run on the claim data for analysis purposes but which are not currently being utilized.

Overall, the SAP Concur system provides another layer of protection against expense fraud compared to the previous paper process. The automated controls will catch most of the ineligible expenses, check for missing receipts, and ensure there is a business purpose for each expense. In addition, the higher risk expenses are still being checked manually by the Accounting Clerk who is very thorough. The risk of ineligible expenses getting reimbursed is small.

legitimate and approved expenses for the division. This includes reviewing all receipt detail within Concur to verify the items are being used for the job vs. being taken home by staff for personal use.

Accounting staff are recommended to utilize the SAP Concur reports on a quarterly basis to ensure adequate management oversight and compliance, and to detect any fraud. They are also recommended to periodically remind approvers to review all receipts when approving expense claims.

Purchases <$3000

The previous audit noted that purchases <$3000 have a greater risk of fraud. Specifically, parked invoices and field orders do not have approval paths (management oversight) within SAP nor are audited by Accounting. It was recommended that parked invoices be eliminated and that an approval path be added to SAP for field orders. However, neither recommendation has been implemented yet.

SAP Concur Invoice (automation of Accounts Payable invoicing) is planned to be implemented in 2025. The project will likely see all invoices, regardless of amount, being routed in the system for approvals and will replace parked invoices and field orders. This will work similarly to the existing employee expenses as noted above in the SAP Concur Controls section, with an approval path and automated controls.
Journal Entries

Journal entries (JEs) are accounting entries made to the general ledger to move amounts from one account to another. They are made by staff in Financial Operations (Accounting), Financial Planning & Asset Management, Financial Reporting & ERP Solutions and Revenue.

A random sample of 50 journal entries was tested to determine if they had management approval and sufficient supporting documents to explain the purpose of the entry. 14 of 50 (28%) had insufficient supporting documents where the Auditor was unable to determine the purpose of the entries and 1 entry did not have management approval.

When asked about the entries without sufficient backup, management indicated for most of the entries that they were either small dollars and they did not request backup, or that they were routine entries that they were familiar with.

While the entries should be able to stand on their own and be understood by any auditor (internal or external) who reviews them, the main purpose of the backup is to provide control over changes to the ledger through management approvals, not to satisfy the Auditor. Therefore, as long as the approver is comfortable with the entry, then the quality of the backup will not be questioned.

Duplicate Payments

Duplicate payments to vendors can occur if an employee purchases something on their corporate VISA but the vendor also sends an invoice, which may or may not show the VISA payment. The invoice can then get sent to accounts payable and paid in error. Sometimes the vendor is truthful and will return or reverse the duplicate payment, but not always.

A three-month sample of all VISA transactions and vendor cheque payments from the same period were matched on vendor name and amount to determine if there were any duplicate payments. One duplicate was found, but the vendor had already reversed the VISA transaction.
Payroll Controls

One important payroll control is to segregate duties to ensure that no staff has the ability to set up a new employee in the system, change rates of pay, change bank account information, and remove staff from the system.

A report run from PeopleSoft shows that there were multiple people in Human Resources, Technology Innovation & Services, Payroll, Financial Planning and Fire that have access to edit job codes, grade, step, and salary as well as setting up or removing employees in the system. Further investigation into access levels revealed that 10 employees with access to edit payroll data only require view access. Edit access was removed from these staff.

None of these staff, however, have made any unauthorized payroll transactions with their edit access. All pay rate changes will appear on the daily audit report, and if someone other than the Benefits team tries to make a rate change, Payroll staff would detect it.

One control weakness was noted related to pay rate changes, which is not described here for security of assets reasons. Recommendations to address have been provided to the relevant staff.

Payroll controls testing was done by reviewing random samples of retro-active payments, off-cycle payments (outside of regular pay periods), and sick leave payments to see whether there was sufficient backup and correct calculations to support the payments. 12 of 62 entries (19%) did not have sufficient backup. In some of these cases the backup existed but was not stored in the shared folder, making it difficult to find.

Recommendations focus on the Payroll Supervisor ensuring that staff are attaching sufficient backup for every payout and storing the backup in a shared location.

Bank Reconciliations

balances and the SAP records to ensure there are no irregularities, to detect potential fraud, and ensure any differences are explainable. The process involves manual or automatic matching, investigating and adjusting transactions.
In 2022, due to staff shortages, the account reconciliations were several months behind. As a result, a single case of theft of cash went undetected for some time. The employee had properly entered the deposit into the deposit slip system which posted to SAP. However, they never deposited the funds in the bank account. If the account reconciliation was up to date this could have been caught sooner. A full investigation was launched to determine the extent of the theft and appropriate remedial actions were taken.

A review of the May reconciliations shows that they are now up to date again; however, there were still several outstanding items as of May to be investigated and cleared.

The only significant reconciliation issue is related to the debit / credit card account. There are always timing differences between when the point-of-sale system posts to the ledger and when transactions show up in the bank account. Normally a report would be run to itemize the difference and allow the account to balance. However, since the Revenue Remittance Clerk role has been vacant the account has not balanced. Accounting staff are working on trying to investigate the root cause of the difference and may require changes to the process by the Revenue team.

Emerging Risks

1. Over time there has been a growing list of sub-systems implemented across the organization to accept payments, which are expected to flow to the general ledger and the bank. There has been a lack of consistency in types of payments accepted by various divisions and Accounting has not always been involved when new software solutions are being explored. Accounting would like more input into new systems to ensure seamless integration with SAP and minimize staff time related to work-arounds. The end goal is to make sure that system data flowing from sub-systems happens efficiently and in a format that can be automatically matched within SAP to the bank account line items.
It is recommended that Accounting be included in the Technology Solution Assessment vetting process whenever the solution involves payments to the City.

2. The City currently does not have any payment policies which has caused inconsistent practices across divisions. Creating such policies is beyond the scope of this review, however it is agreed that this is required and has thus been noted as a recommendation. Examples of payment policies include standard payment types, whether credit card fees will be charged to the customer, how refunds will be issued, and which point-of-sale software solutions are permitted.

Conclusion

No fraudulent transactions were found during this audit.
- Transaction backup was missing in some cases. Staff should be reminded of their responsibility to substantiate all entries.
- One major control weakness was identified in payroll processes which will be addressed by staff.
- One major deficiency was noted in the ability to reconcile the Revenue debit / credit card entries, which will be addressed by staff as they work to find the root cause of the reconciliation issue.

Recommendations aim to strengthen controls and minimize the opportunity for theft. This audit will continue to be part of the rotating list of standard controls and compliance audits.

STRATEGIC PLAN ALIGNMENT:
This report supports the delivery of core services.

FINANCIAL IMPLICATIONS:
Capital Budget: The recommendation has no impact on the Capital Budget.
Operating Budget: The recommendation has no impact on the Operating Budget.

COMMUNITY ENGAGEMENT:
INFORM the agenda in advance of the council / committee meeting.
PREVIOUS REPORTS/AUTHORITIES:
CAO-2022-494 2023 Internal Audit Work Plan

APPROVED BY: Dan Chapman, CAO

ATTACHMENTS: None

CAO-2023-385 3RD QUARTER AUDIT STATUS REPORT

Summary
- Completed: Accounting & Payroll controls audit
- In progress: External billable work orders process review; Training documentation review

ACCOUNTING & PAYROLL

Audit Objective
- Objectives: To document and test Accounting and Payroll financial controls to ensure assets are protected from fraud, theft or error.

Scope
- SAP Concur controls and reports
- Field orders and parked invoices
- Journal entries
- Duplicate payments
- Payroll
- Bank reconciliations
- Emerging risks

Methodology
- Review of past audit recommendations
- Staff interviews to document processes
- Testing

SAP Concur Controls & Reports
- SAP Concur replaced paper employee expenses
- Built-in controls
- Risk of reimbursing ineligible expenses is small
- Utilize SAP Concur reports to ensure management oversight and compliance
- Remind approvers to review receipt detail

Field Orders & Parked Invoices
- Greater risk of fraud
- No management approval path
- Will be replaced with SAP Concur Invoice in 2025
- Utilizes approval path and SAP Concur controls

Journal Entries
- Accounting entries to move amounts from one account to another within general ledger
- 28% of random sample did not have sufficient backup
- Management indicated entries were routine and / or small dollars
- Reminder to approvers to review / require backup

Duplicate Payments
- May occur if goods or services purchased on Corporate VISA and vendor sends an invoice, which gets paid in error
- Testing found no duplicate payments to recover

Payroll Controls
- Segregation of duties is important
- Access levels more than required
- Control weakness related to pay rate changes
- Recommendations to address provided to staff
- Testing of retro, off-cycle, sick leave payments
- 19% did not have sufficient backup
- Reminder to require backup for all entries

Bank Reconciliations
- Reconciliation between bank accounts and general ledger (SAP)
- Reconciliations are up to date
- Issue with debit / credit card account
- Staff are working to determine root cause

Emerging Risks
- Lack of Accounting involvement in system solutions
- Include in Technology Solution Assessment
- Lack of consistency in payment types & policies
- Create treasury policies

Conclusion
- No fraud or theft found
- Transaction backup missing in some cases
- Payroll control weakness
- Deficiency in ability to reconcile debit/credit card account
- Recommendations aim to strengthen controls and minimize opportunity for theft