UNITAR e-learning Course on «Audit of Public Debt» Module 4: Audit of Public Debt Course Material written by Dr. Enrique Cosio-Pascal

(1)

Module 4:

Audit of Public Debt

(2)

_______________________________________________________________________________

www.unitar.org/pft i

Module 4 Contents

ABBREVIATIONS AND ACRONYMS ...1

1. BACKGROUND ...3

1.1. METHODOLOGICAL ASPECTS... 4

1.1.1 Basic Concepts: Internal Controls and Risk Assessment... 6

1.1.2. Why SAIs Examine Internal Controls?... 6

1.1.3. Components of Internal Control: the COSO Framework... 7

1.1.4. Control Environment ... 8

1.1.5. Risk Assessment... 11

1.1.6. Control Activities and Procedures ... 13

1.1.7. CBDMS and Communications ... 14

1.1.8. Monitoring of Controls... 27

1.1.9. Gathering Audit Evidence ... 27

1.1.10. Analysing Audit Evidence... 32

1.1.11. Formulating Audit Findings ... 33

1.2. AUDITING PUBLIC DEBT AND EXTERNAL INFORMATION... 36

1.2.1. What is Credit Rating?... 36

1.2.2. Pros and Cons of Credit Rating... 37

1.2.3. Concepts and Factors Considered for Credit Rating ... 40

1.2.4. Fitch... 40

1.2.5. Japan Credit Rating Agency (JCR) ... 42

1.2.6. Moody’s... 43

1.2.7. Standard & Poor’s (S & P)... 43

1.2.8. Credit Ratings and Rating Procedures... 43

1.2.9. The Rating Process ... 45

1.2.10. Multilateral Institutions ... 47

2. CONDUCTING AN AUDIT OF PUBLIC DEBT... 48

2.1. AUDITING THE PDMEXECUTIVE FUNCTIONS... 49

2.1.1. Gathering Audit Evidence on Executive Functions... 50

2.1.2. Methods for Gathering Evidence ... 51

2.2. AUDITING THE PDMOPERATIONAL FUNCTIONS... 51

2.2.1. Coordinating and Monitoring Functions ... 52

2.2.2. Back Office Functions: Recording and Operating/Monitoring ... 53

2.2.3. Middle Office Functions: Strategy and Risk Management ... 57

2.2.4. Front Office: Issuing, Negotiation and Domestic Markets ... 60

(3)

_______________________________________________________________________________

www.unitar.org/pft 1

Abbreviations and Acronyms

AGO: Accountant General’s Office

ALM: Asset Liability Management

AfDB: African Development Bank

AsDB: Asian Development Bank

CBDMS: Computer Based Debt Management System

CPI: Consumer Price Index

COSO: Committee of Sponsoring Organisations of the Treadway Commission

DCY: Abbreviation for domestic currency

DMO: Debt Management Office

DOD: Debt Outstanding and Disbursed, synonym of stock of debt in nominal value

DRS: World Bank Debtor Reporting System

DS: Debt Service, i.e. principal repayments and interest payments DSM: Debt Sustainability Model, shared by the World Bank

UNCTAD and the Common Wealth Secretariat

EBDM: Executive Board on Debt Management

EDMF: Effective Debt Management Functions

EUR: Euro, Eurocurrency of the 11 EU countries that joined the Euro GAO: US Government Accountability Office (previous Accounting

Office)

HIPC: Heavily Indebted Poor Countries

IADB: Inter-American Development Bank

IFIs: International Financial Institutions, i.e. IMF and World Bank IFMS: Integrated Financial Management System

IIP: International Investment Position, related to SDDS reporting INTOSAI: International Organisation of Superior Audit Institutions. IMF: International Monetary Fund

IT: Information Technology

JCR: Japan Credit Rating Agency

LIC: Low Income Country: World Bank Definition

MTDS: World Bank and IMF Medium-Term Debt Management

Strategy

NDF: Nordic Development Fund

NPISH: Non-profit institutions serving households subsector

OECD: Organisation for Economic Co-operation and Development.

PDM: Public Debt Management

PV: Present value

REER: Real Effective Exchange Rate SAI: Superior Audit Institution

SDDS: Special Data Dissemination Standard

SDR: Special Drawing Rights, unit of account of the IMF SNA: UN System of National Accounts, 1993

S & P: Standard & Poor’s

UN: United Nations

(4)

_______________________________________________________________________________

UNITAR: United Nations Institute on Training and Research USD: United States Dollar

(5)

_______________________________________________________________________________

1. Background

Recent events and the globalisation of capital markets have heightened the need for sound public debt management practices and prudential risk on managing public liabilities. It is clear that there is a need for protecting the governments’ budgetary exposures. SAIs can play an active role in protecting

the financial condition of governments by promoting the need for sound public debt strategies and risk management practices, data disclosure policies and effective supervisory-regulatory regime for the public sector financial management, so that the risks associated with future obligations and claims on the government’s budget, as well as possible contingent obligations arising from the private sector, can be minimised. SAIs should act within their legal authority when adopting these roles. More specifically, through performance audits of debt management practices, SAIs may:

• Play an active role in protecting the financial condition of governments by helping to ensure that sound and robust public debt practices are in place

• Encourage governments to produce better financial information and publish key debt information in order to analyse, assess their financial vulnerability and exposure

• Assess how well governments perform in the release of data disclosure

• Encourage their government to adhere to the international initiatives aimed at improving statistics disclosure and data requirements

• Encourage governments to ensure that regulators and

supervisors in the financial sector adopt practices that comply with international standards, since a more robust financial services sector will in turn reduce the vulnerability of the public debt to events affecting the private sector balance sheet

• Encourage governments to focus more on vulnerability

monitoring and give high priority to risk management

• Encourage data disclosure and promote the application of a proper regulatory and supervisory framework to be adopted for the financial services sector

(6)

_______________________________________________________________________________

1.1. Methodological Aspects

Auditing internal controls of public debt addresses the essential aspects to determine whether debt management is carried out in accordance with the best practices. SAIs should verify that:

• A recording and management system is implemented and that high quality control on data input and management allow for reliable reports based on the system’s information

• The government has an indebtedness strategy to get into debt and that it is translated into measurable benchmarks in order to evaluate the degree of success in implementing the strategy

• The strategy and the benchmarks should include, inter alia, debt structure in terms of currencies, maturities, rates and financial instruments

• Debt management includes risk assessment in order to

guarantee and support the adopted strategy based on prudent practices

According to the Public Debt Committee of INTOSAI1_{, a correct definition}

of debt should be taken as the basis for the audit. It is necessary for this definition to be accurate in order to avoid doubts on the usage of particular concepts, as it was proposed in Module 1, Section 1.2.1. However, each country may have slight different definitions for domestic purposes. Public debt may be covered by a broad, all-encompassing definition when looking at the contribution of the public sector to the economy. Alternatively, if the concern were one of accountability, the definition would be narrowed to debt issued by a government entity with appropriate authority and responsibility. Each SAI will need to exercise its own judgment on the appropriate entities and commitments to be included. Great attention has to be paid to this definition in case is different to the one utilised by international organisations. The definition should be

• Clear for the report to be easily understandable

• Consistent throughout time

• Suitable for analysis

• Comprehensive, in order to assure that particular concepts have been included

The definition of debt must make clear its main components so that its management, accountability and auditing are carried out on the same basis, creating the conditions for generating historical data. Furthermore, the definition must be in line with the terms and concepts usually used by IFIs so as to undertake international benchmarking exercises.

1

(7)

_______________________________________________________________________________

The most important element for carrying out a performance audit of public debt is that the conceptual framework includes a broad definition of debt that enables to undertake an assessment of management, vulnerability, sustainability, the actors’ competence and accountability. Conceptualisation of debt, in any case, must embrace total debt of central government, its organisations, its firms, public financial system, i.e. the monetary authority (central bank) and public development banks; the state and municipality governments, explicit contingent liabilities, and the potential existence of contingent liabilities.

Contingent liabilities are obligations that arise from particular discrete events that may or may not occur. They can be explicit or implicit. A key aspect of such liabilities, which distinguishes them from current financial liabilities and debt, is that one or more conditions or events must be fulfilled before a liability materialises. Implicit contingencies may be recognised when the cost of not assuming them is believed to be unacceptably high in political or economic terms.

A broad debt definition of public debt does not imply that SAIs must audit every practices of public debt management in the same audit. Sometimes it is advisable to prioritise, the specific practices that may cause problem. Each SAI, according to its material and human resources and legal framework might define a strategy to deal with, at different periods and systematically, the different areas involved in debt management. It is advisable that audits deal with specific issues, but that the analysis is made with an adequate focus and high quality, in order to fulfil its goal of offering substantive recommendations and promoting better debt-management practices.

At the beginning of an audit of public debt, SAIs must decide which components of internal controls to examine and the depth of analysis of each component. The audit’s depth will depend on the SAI’s legal mandate, previous audit work carried out and what resources are available to perform the audit. Some SAIs may have a restricted legal mandate to audit sovereign debt. Other SAIs may have a broader mandate to review public debt issues, but lack technical expertise required to review complex public debt transactions that have significant linkages to fiscal and monetary operations. Therefore, a broad legal mandate and a comprehensive capacity building programme on PDM for SAIs is essential for performing an efficient public debt audit.

(8)

_______________________________________________________________________________

1.1.1 Basic Concepts: Internal Controls and Risk Assessment

SAIs can define the scope of debt audits by using the five components of a system of internal control:

• Control Environment

• Risk Assessment

• Control Activities

• Information and Communication

• Monitoring

Each component can be viewed as a starting point that represents a potential audit area. Each component leads to areas whose audit may vary in scope and technical complexity.

Control Environment leads auditors to examine sovereign debt management’s attitude, awareness, and actions concerning controls. This component may be implemented by SAIs having a clear mandate to audit effectiveness of debt management. The other four internal control areas are more closely related to traditional audits of internal controls. For example, risk assessment would lead auditors to identify what events and circumstances affect the ability of debt management to record, process, and report debt information2_.

International auditing standards require the auditor to obtain an understanding of the entity's environment, including its internal control environment, that is sufficient to assess the risks of material misstatement of the financial statements whether due to fraud or error, and sufficient to design and perform further audit procedures to address these risks. This section will discuss about internal controls that are applied in the public debt and how the auditor can examine them.

1.1.2. Why SAIs Examine Internal Controls?

The public debt portfolio is often the largest financial portfolio in the country and can have a far-reaching impact on financial stability. Therefore, effective public debt management is essential.

Supreme Audit Institutions (SAIs) examine internal controls on public debt management in order to encourage the proper reporting and sound management of public debt. The increase in the volatility of global financial markets, the emergence of complex debt instruments and

2

For instance see the Committee of Sponsoring Organizations (COSO) of the Treadway Commission that published in 1992 an exhaustive study of internal controls in the United States entitled Internal Control - Integrated Framework. Following COSO’s report, similar reports were issued in (1) Canada by the Controls Committee (COCO), (2) the United Kingdom, (3) the United States by the General Accounting Office (GAO), and (3) internationally by the International Federation of Accountants (IFAC).

(9)

_______________________________________________________________________________

practices, the possibility of lack of consistency in valuation of debt instruments and lack of transparency in reporting debt by public entities may pose formidable challenges for SAIs. These complicating factors affect the debt service and call into question the proper criteria for the assessment of debt operations and debt sustainability.

At the same time, legislative bodies have become increasingly aware of the interrelationships that exist between debt, fiscal policy, and economic policy. These situations make audits of debt management operations have become more challenging; internal controls have become more inclusive.

1.1.3. Components of Internal Control: the COSO Framework

Within the COSO Framework3_{, internal controls are currently defined as}

the set of procedures and tools that help managers achieve operational, financial, and compliance objectives. These are viewed as a continuous process, affected by an entity’s management, designed to provide reasonable assurance that the objectives of the entity are being achieved in the following categories:

• Operations are effective and efficient

• Financial, budget, and programme assessment reports are relevant and reliable

• Responsible officials comply with applicable laws and regulations The evaluation of internal controls of public debt management might not provide absolute assurance, but they for sure increase the likelihood of achieving operational, financial, and compliance objectives with respect to debt management.

Internal control, as it is stated above, consists of the following five components:

• Control environment

• Risk assessment

• Control activities and procedures

• CBDMS and communication

• Monitoring of controls

The above components of internal control are applicable to audits in general. The division of internal control into the five components provides a useful framework for auditors to consider how different aspects of an entity's internal control may affect the audit. However, it does not

3 See Web Site http://www.coso.org/. COSO is recognised the world over for providing guidance on critical aspects of organisational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting.

(10)

_______________________________________________________________________________

necessarily reflect how an entity considers and implements internal controls. Accordingly, auditors may use different terminology or conceptual frameworks to describe various aspects of internal control, and their effect on the audit other than those described above, provided all of the requirements of internal control are met.

1.1.4. Control Environment

The control environment is the foundation of internal controls by virtue of its influence on the conduct of public debt personnel. Senior debt management is responsible for establishing and nurturing a control environment that promotes ethical values, human resource policies that support PDM objectives, an organisational structure with clear lines of responsibility and communication, and computer-based information systems that incorporate adequate security controls.

Senior debt management is also responsible for achieving public debt objectives within the limits of its authority, ensuring that staffs are conscious of the benefits of an adequate control environment, as well as monitoring external factors that affect the government’s ability and willingness to service its debt. The control environment will cover the following items:

Laws, Rules and Regulations

As explained in Section 2.1 of Module 1, the legal framework should clearly set out the authority to borrow—domestically and externally—as well as undertake debt-related transactions such as public securities buybacks or any kind of swaps, issue loan guarantees and on-lent foreign resources on behalf of

the central government. The Parliament—because its constitutional power to approve central government tax and spending measures—is the authority that approves borrowing on behalf of the central government. The first level of delegation of the borrowing power therefore comes from Parliament down to the executive branch—for example to the Minister of Finance—, this delegation is found in a legislation dealing with public indebtedness, which normally is a Law on Public Debt, the Budget System Law or a Fiscal Responsibility Act, which together with the annual fiscal year Budget Law gives the primary legislation framework for public indebtedness. The delegation of the borrowing power is in most cases restricted by a statement for which purposes the executive can borrow, for instance, to finance the budget deficit, to refinance maturing loans or by a limit on the annual net borrowing or the total outstanding debt.

Another common constraint is that the Parliament retains the power to ratify certain loan agreements, particularly loans that are external debt. This ratification procedure should be limited preferably to international agreements concluded between sovereign governments or agreements between a sovereign government and another subject of international law,

(11)

_______________________________________________________________________________

such as the IFIs or regional development banks. In any case, it is of paramount importance that the ratification would be dealt with as a financing package, and not on a loan-by-loan basis, leaving the financial technicalities to the ultimate body receiving the delegation for borrowing, e.g. the DMO. For practical reasons it is common that the executive delegates the borrowing power to an implementing body, like a directorate at the Ministry of Finance or Central Bank or a designated DMO that contracts or issue debt on behalf of the central government.

How the operational delegation is implemented would be normally found in a set of rules and regulations, such as executive orders, decrees, ordinances, function manuals and so forth. It is important that the line of delegation is clear, both for internal control and for due diligence purposes. It has to be borne in mind that creditors require a legally binding and enforceable contract, through the legally authorised body, with the central government in its capacity as the borrower.

What is stated above for borrowing, also applies to the issue of loan guarantees and to on-lending foreign resources domestically. Loan guarantees and on-lending of foreign resources normally cannot be undertaken by the executive without approval by Parliament. In the rare cases when these guarantees constitutionally can be issued by the executive without any delegation from Parliament, it would be sufficient to check that the issuing entity is properly authorised through the rules and regulations.

The rules and regulations define how debt managers work with their counterparts in other government units, including the Budget Department and the Central Bank, and the extent of SAI’s authority on debt matters. SAIs should review their countries’ legal framework and actual debt procedures to gain an understanding of the environment in which debt managers operate and determine the scope of their audit. Some laws may prohibit the use of public borrowing to finance recurring expenditures and other laws may impose an overall public debt ceiling that can only be changed by the legislature4_.

The legal framework may also impose audit limitations for SAIs. In some countries SAIs might not have legal authority to perform a complete audit. For example, SAIs might not have legal authority to examine debt data of major government controlled enterprises that issue loans guaranteed by the central government. In addition to a review of the laws and regulations, SAIs need to verify that laws and written procedures are followed in practice. Auditors should have the ability to observe actual debt operations, communicate with the DMO’s staff and have access to their reports.

4

In countries that have advanced PDM techniques, this ceiling is fixed on net flows, as the net flow will determine the variation of indebtedness from one period to the other. See Module 1, Section 1.3.

(12)

_______________________________________________________________________________

As part of a debt audit, some SAIs may be able to examine how public debt estimates are programmed into the budget as a use and source of budget expenditures (debt service) and resources (disbursements in cash, on-lent and direct loans by the government debt service). In these audits, SAIs should be able to assess the DMO’s ability to provide budget officials reliable debt service requirements over the next fiscal year.

Budget documents can also be viewed as the blueprint for new debt issuance over the next budget cycle, as they define cash resources required to carry out the government’s investment and operating programmes. SAIs would also examine how public borrowing is used to fund temporary cash operating deficits, which requires close communication between cash and DMO’s staff, in case the DMO is not in charge of this function. A key element of a strong cash management system that directly affects public debt operations is the capacity to develop cash-flow projections based on expected receipts and disbursements. This forecasting capacity depends on the government’s budget execution and the ability to promptly collect cash and consolidate cash balances in a single treasury account. Failure to match the timing of cash inflows and disbursements may lead to unnecessary amounts of public debt and excessive amounts of idle cash.

Integrity and Ethical Values

The effectiveness of internal controls cannot rise above the integrity and ethical values of the individuals who create, manage, and monitor them. The integrity and ethical values of senior public debt officials are essential to maintaining effective internal controls because senior management can override internal controls

Human Resource Policies

The increasingly complex nature of public debt operations, which may involve multiple currencies, variable interest rates, debt restructuring, currency and interest rates swaps, as well as calling for an understanding

of sophisticated financial markets, demands increasingly skilled staff to manage public debt instruments. Senior staffs at the DMO are responsible for obtaining the competence levels necessary to achieve public debt objectives and assigning employees with the appropriate skills to each task.

A policy decision has to be made at a very high level for hiring and retaining skilled personnel. This may involve salary policies, but also career and training perspectives, as well as advantage in kind or in special facilities for taking mortgages or loans for buying vehicles. Important policies for retaining personnel are training programmes and recycling sessions for the DMO officials, which eventually could involve travelling

(13)

_______________________________________________________________________________

abroad. This is part of the Resourcing Function that was dealt with in Section 2.1.1 of Module 1.

Organisational structure

Most DMOs have several operational units with different management functions and reporting responsibilities5_{. Public debt managers have two}

basic levels for assuming functions, which are a high-level function that involves monitoring debt operations as well as coordinating with the government’s bodies fiscal and monetary policies; and operational functions that involve contracting and issuing debt, managing public debt risk and cost, as well as specific debt operations and transactions and reporting on public indebtedness. This was dealt with extensively in Section 2.2 of Module 1.

Computer-Based Debt Management Systems (CBDMS)

The CBDMS has major implications for audits of sovereign debt operations. Auditors must have sufficient computer expertise to perform tests of the internal controls built into computer systems, which are commonly classified into general and application controls. This internal control is so important for a DMO that the detail on the internal controls of the CBDMS is as discussed in Section 1.1.7 in this module.

External Factors

External factors that may affect the government’s ability and willingness to service its debt should not be ignored by SAIs, even in audits of limited scope restricted to a debt management unit.

External sources of information can help SAIs to verify information provided by debt management staff. The ability to assess external factors and have access to debt information from third parties strengthens SAIs’ capacity to evaluate the likelihood of an efficient PDM. The discussion of the international agencies concerns in the PDM audit is discussed in Section 1.2 in this module.

1.1.5. Risk Assessment

Risk assessment is the process of identifying circumstances and events that can prevent senior management from meeting debt objectives and measuring the probability of their occurrence. Operational risks arise in the normal course of managing debt transactions. Fraud risks arise from intentional misdeeds committed to gain personal benefit. The responsibility for identifying risks and developing plans to manage those lies with the DMO’s senior management. A risk plan would describe procedures to minimise damages caused by the risks. In the course of an audit of internal controls

5

(14)

_______________________________________________________________________________

of debt, SAIs would examine the risk plan and compare the actual performance of debt managers against the risk plan.

Operational Risks

Operational risks usually arise in the areas that provide support and regular services to the DMO. SAIs would recognise the following operations risks when they examine the organisational structure of the public debt management unit.

Lack of Segregation of Functions

An independent administrative office must independently process public debt transactions, confirmed, valued, and reviewed, and monitored6_.

Inadequate Staff Expertise

Supervisors must have the proper expertise to avoid becoming a “rubber stamp” to the debt traders. Support staff is usually the first line of defence to uncover errors and irregularities that may occur in processing debt transactions.

Product risk

New debt contracts can be too complex or poorly understood. This could lead to the inability of the support area to process, value, and control new loans.

CBDMS and Technology Risks

These risks exist when staffs fail to stay up to date in technological developments associated with new information systems or adopt computerised information systems without a proper regular training for staffs to keep abreast with latest technical developments. This will be dealt with more in detail in section 1.1.7.

Procedural Risks

These risks exist when the debt management functions do not have written procedures, the work flow is not structured in a predictable and well-designed manner or there is a high rotation of personnel, with proper training policies maintained. These written procedures become more important the more complex PDM becomes.

Disaster Recovery Risks

These risks exist when the DMO has not planned for alternative sites, computer resources, communications, resources, trading facilities, and other support services in the case of a disaster. This will be dealt with more in detail in Section 1.17.

Documentation Risks 6

(15)

_______________________________________________________________________________

These risks exist when debt transactions do not have well-designed agreements that are legally authorised, properly executed and supported by appropriate confirmation in a timely manner. The back office must maintain master agreements and supporting documentation of debt contracts, debt issues, disbursements and debt service. The back office should have a scan service for all these relevant documents in order to have a back up copy in case of fire, flood or other catastrophe. The scanned files are then stocked on electronic support and follow other electronic files security measures.

Valuation Risks

These risks exist when the support staff cannot perform, at least on a yearly basis, a conciliation of figures with creditors, external and domestic, as well as with domestic beneficiaries of on-lent loans, direct loans and guarantees.

1.1.6. Control Activities and Procedures

Control activities and procedures are policies and procedures that help ensure that the government’s directives are carried out and actions are taken to achieve the government’s debt objectives. Establishing an effective link between debt objectives and control activities is a critical component of internal controls. The objectives of control procedures are top achieve the sovereign debt objectives that include:

Maintaining a Trade-off between Cost and Risk

Assuming liquidity can be achieved, a major objective is to find a balance between cost and risk, taking into account the risks associated with lowest cost. Because interest rates generally are higher for bonds with longer yields to maturity, lowest cost can generally be obtained by issuing instruments with shorter terms to maturity. But with that comes increased risk. The shorter the duration of a debt portfolio, the more susceptible it is to fluctuations in interest rates7_.

Developing Effective Domestic Capital Markets

Developing domestic capital markets allow the government to issue debt in domestic currency, eliminating exchange rate risk. However, the government should ensuring that trading rules are fair and transparent, which is fundamental to encouraging both domestic issuers—private and public—and investors—domestic and external—to use this market8_.

7

See Module 3, Part 1 and Section 2.2.3. 8

(16)

_______________________________________________________________________________

1.1.7. CBDMS and Communications

An essential prerequisite for the success of a computerised debt management information system is the existence of well-supported information flow procedures for manual debt-recording system9_{, based on}

sound legal and administrative arrangements that allow accurate loan and debt instruments data recording. If these conditions are not met, computerising the loan book is unlikely to add any value.

Therefore, the importance of dealing with such issues, as well as that of cleaning the existing loan data and replacing missing data before introducing a computerised debt recording system cannot be overemphasised.

Assuming that these pre-conditions have been satisfied, the key element needed by countries just starting out is a system that can record the government’s debt on both by individual instrument and original currency of the liability, allowing then for producing reports on consolidated portfolio or sub-portfolio basis on the desired reporting currency (USD, domestic currency, SDR, etc.). Centralising the database is critical so that the government can produce a single public debt figure, it is very embarrassing, for instance, if the Central Bank gives a different public external debt figure than that published by the Ministry of Finances. This means centralising the DMO back office functions.

The functionalities required by a CBDMS were summarised in Tables 2.3.1 and 2.3.2 in Module 1, respectively on information to be recorded for each instrument, and the operational requirements of a CBDMS. SAIs should verify that the CBDMS in place satisfies the exhaustive list of data and requirements given in these two tables.

In most countries, the Central Bank acts as the financial agent of the government, and all government receipts and payments flow through the government’s single account at the Central Bank. Normally, the Central Bank is the paying agent for external public debt; therefore, it will require complete information on payment obligations and an agreement with the debt manager on payment instructions and procedures. In many countries, the same CBDMS is shared by the DMO and the Central Bank, each one with its own rights and privileges as users, making easier to share the latest updated information and facilitating verification procedures. The DMO has to monitor the operational suspense account—put at their disposal by the Treasury for domestic debt service—balances regularly and ask for replenishment with the necessary anticipation in order not to fall short of resources for debt service10_.

9

Maintaining the debt data on Excel spreadsheets or other similar product should not be considered as a proper CBDMS. Note that here CBDMS is understood as the back office database and information management system, there are no included here in this conception of CBDMS simulation tools, like those described in Module 3, Section 2.2.

10

(17)

_______________________________________________________________________________

The CBDMS were deal with in Section 2.3.1 of Module 1, in the present Module the emphasis is put more on the auditor’s requirements on controls in order to audit such a system. The reason for putting more emphasis on this matter is that the CBDMS is of vital importance for the efficiency or a DMO. In this section we explore the application of general controls to the DMO’s CBDMS.

CBDMS General Controls

General controls provide the framework of overall controls for IT functions, i.e., they are like a foundation on which specific application controls are built upon. General controls relate to all parts of an IT system and must, therefore, be evaluated early in the audit. The relationship between the application controls and the general controls is such that general controls are needed to support the functioning of application controls, and both are needed to ensure complete and accurate information processing. In fact, the course of the assessment of IT environment mainly covers the general controls, since the IT environment is largely influenced by the structure of the general controls of the system. The various categories of general controls include:

• Organisation and management controls

• Segregation of duties

• Operational controls

• Physical controls (access & environmental)

• Logical access controls

• Programme change controls

• Business continuity planning

Importance of General Controls

Auditors usually evaluate the effectiveness of general controls before evaluating application controls. If general controls are ineffective there may be potential for inaccurate data processing in each computer-based application and the information generated by the system may not be reliable. In conducting the audit in any IT environment, the auditor has to first assess whether the general controls exist and are functioning properly.

The Organisation and Management Controls

The organisation and management control is concerned about the existence of policies, standards and procedures as a basis for planning, organising, and staffing of an Information Technology (IT) system.

(18)

_______________________________________________________________________________

¾ To ensure sound human resource policies and

management practices.

¾ Adequate segregation of duties between the information processing environment and the other organizational functions as well as within the IT system

¾ Methods to assess effectiveness and efficiency of

operations

Organisation and management controls ensure appropriate procedures and policies in the following areas:

¾ IT organisational structure

¾ IT strategy

¾ Personnel and training policies

¾ Documentation and document retention policies

¾ Outsourcing policies

¾ Internal audit involvement

¾ IT security policies

¾ Legal and regulatory compliance

Segregation of Duties

The purpose of having segregation of duties is to ensure that no one person has complete control over transaction throughout its initiation, authorisation, recording, processing and reporting. The following techniques are used to provide reasonable assurance in this regard:

¾ User identification codes /IDs

¾ Passwords

¾ Supervisory review at scheduled or random times

Operational Controls

Operational controls relate to the day- to -day operations of the hardware and software within the organization. Operational controls ensure that IT operations are effective, efficient and that only authorised working practices are adopted. These include the following:

¾ Activity logging and reporting: error log, transaction log and access control log

¾ Monitoring procedures

¾ Media management: controlling of disks and tapes, CD ROMs, etc.

¾ Support requirement: Back up, training, help desk and problem management

¾ Back up and disaster recovery: back up data should be carried out regularly

(19)

_______________________________________________________________________________

¾ Maintenance of both hardware and software

¾ Processing requirement: batch/ on line processing

¾ Effective monitoring and administration of the network

Physical Access and Environmental Controls

The objective of physical and environmental access controls is to prevent unauthorised access and interference to IT services. It includes administrative procedures, for example staff identity badges, controlling of visitors, etc. and use of physical locks like mechanical key locks, electronic door locks, etc. Video cameras, security guards, burglar alarms, etc. are also frequently used. Environmental controls include adequate fire protection, protection from water damage, control of power supply, etc.

Logical Access Controls

Logical access control uses the logic function of the computer system to prevent unauthorised access to computer files and data. Logical access controls also ensures that every user has access rights and privileges limited to the requirements of his job description. These include terminal logon procedures (usually involves users entering their login ID followed by a password), menu restrictions and controls, file permissions, limiting the number of concurrent sessions, restricted sign-on attempts, automatic terminal time-out on unattended terminals, terminal specific access, etc

Computer Program Modifications

Computer program change controls are necessary to ensure that all changes to system configuration are handled accurately, completely and in a timely manner. Poorly designed changes could alter relevant information and remove audit trails. Even when system development has been completed and the new system accepted, it may require changes, maintenance and alterations in response to changing needs of users or legislation or technology or in the quest for greater efficiency. This point would have less relevance when a CBDMS programmed by an international or a regional organisations like UNCTAD or Comsec are in place.

Business Recovery after Catastrophe: Back-up Procedures

It is important to develop comprehensive business recovery procedures to ensure that government debt management operations can continue to operate in the event of natural disasters or other events. The debt office should identify the types of disaster scenario it wishes to protect against and assess the associated risks to financial, physical and human capital. At a minimum it is essential to ensure access to the systems data and networks required to manage the portfolios and to identify in advance the critical functions that need to be undertaken in a business continuity setting.

(20)

_______________________________________________________________________________

Testing General Controls

There are four basic methods followed in testing general controls:

¾ Enquiry

¾ Inspection

¾ Observation

¾ Limited re performance

The auditor may need to consider the appropriate methods to be applied during testing. Normally, the auditor does not have adequate time and resources to test all the controls. Key controls are those that satisfy, with reasonable assurance, the objectives of a particular control. The auditor will identify key controls, determine the extent of testing required, and test the key controls. The auditor would document and evaluate the test results to arrive at the conclusion about the effectiveness of general controls. If the general controls are found to be weak, audit may not be able to proceed with the testing on application control and may have to rely on substantive testing. However, if there are few minor weaknesses, they can be reported through an audit note.

Testing the Application Controls

After establishing that the general controls are operating effectively, the auditor is now ready to test the application controls. Application controls may consist of manual procedures carried out by users (user controls) and automated procedures or controls performed by the CBDMS over recording applications in order to provide reasonable assurance that all transactions are authorised, recorded, processed completely, as well as accurately and on a timely basis.

In a CBDMS it is essential to perform data quality control and to ensure the reliability of debt data on a long term basis. This is essential to produce statistics, analyse the indebtedness situation, evaluate risks inherent in the debt portfolio, and thus take correct management decisions. The reliability of the database would, therefore, indirectly affect the decisions to be taken on new borrowing, benchmarking, the mix of instruments to be used, debt renegotiations, as well as risk management strategies. Moreover, if the CBDMS is interfaced with an Integrated Financial Management System (IFMS), the reliability of debt data becomes crucial for the correct functioning of the whole public financial management and mistakes may have grave consequences. Therefore, the testing of application controls of the CBDMS becomes one of the most critical items of work in the process of public debt audit.

(21)

_______________________________________________________________________________

Categories of Application Controls

Application controls may be categorised as follows:

• Controls over input

• Controls over output

In each of the above categories, there are individual control objectives that must be met. Control objectives are what individual controls are meant to accomplish in an IT environment:

Input Controls

The input controls are broadly categorised into:

• Input authorisation

• Completeness of input data

• Data input validation

• Duplication checking

• Input error reporting and handling

Input authorisation verifies that all transactions have been authorised and approved by appropriate authority. Authorisation of input helps ensure that only authorised data are entered into the CBDMS for processing.

Input authorisation include

• Online access controls to ensure that only authorised

individuals may access data or perform sensitive functions

• Unique passwords to ensure that access authorisation cannot be compromised through use of another individual’s authorised data access. Often access rights and privileges of individual users are related to a predetermined list of functions which each is authorised to perform.

• Terminal identification to limit input to specific terminals as well as to individuals.

Completeness of input data is one of the most fundamental aspects of application controls. Without completeness, there is little possibility that the rest of processing can be correct, since items, transactions, or data are missing. Controls for completeness are not concerned with the correctness of any details of a transaction, but that all of the transactions were input

and processed as specified. Accuracy relates to the control of the individual data elements that make up each transaction.

The completeness of transaction input can be ensured by a variety of controls. These include manual procedures, e.g., keeping a log of transactions which are sent for input and computer sequence checks

(22)

_______________________________________________________________________________

in which the computer checks the pre-assigned serial numbers of input transactions and reports missing, inconsistent or duplicate data for manual investigation.

Missing documentation and late receipt of information will cause errors in the database, and consequently, statistics and analysis. Therefore, it must be ensured that procedures are in place so that:

• Information is regularly sent to the DMO

• Information is received on time by the DMO

• Information received by the DMO is complete

• Information is stored in a systematic and logical manner and it is easy to retrieve

• Receipt of information is logged in a logical and

meticulous way

The DMO, therefore, needs to maintain a complete list of information required from the relevant institutions (line ministries, beneficiaries of guarantees, national debtors, etc.), which can be double-checked with other organisations providing or managing the same information (external and domestic creditors, central bank, etc.). The DMO should verify the information received from one source against information managed by another source to ensure that there are no unexplained differences. This would also ensure accuracy and consistency of the data.

Data input validation requires procedures to be established to ensure that input data are validated and edited as close to the point of origination as possible. Proper input formats ensure that data are input to the correct field in the correct format. Data validation is the process of ensuring that debt data is complete, accurate, and consistent in order to produce reliable and timely information, meeting the objectives and needs of domestic and external institutions. It is a process of continuous self-control in order to ensure the reliability of the database rather than an evaluation. Validation should be performed by the DMO itself as described in Section 1.1.6 in Module 2, or, in case that the capacity does not exist, by an external consultancy with the ultimate aim of creating the capacity within the debt office.

Data validation is a process of controlling data and of certifying its quality. There are three different stages of data validation, depending upon the timing of the validation and its place in the debt administration process:

• Objective of the validation

(23)

_______________________________________________________________________________

• Data sources used for validating

First Stage

The objective of data validation procedures at this stage is to ensure that the information is entered completely, accurately and consistently with the standards set by the DMO, every time the data enters or leaves the CBDMS. The first stage of data validation is embedded into the debt recording and reporting process of a DMO (integrated control). Applications often have in-built controls which automatically check that data input is accurate and valid. Validation may also be achieved by manual procedures such as double checking input documents or review/certification by a supervisor before it is definitely recorded into the CBDMS. If input procedures allow supervisor overrides of data validation and editing, automatic logging should occur which should subsequently be checked by an individual who did not initiate the override. Validation should take place at the following points during debt recording:

• When a general loan information has been entered

• Every time a new tranche is created in an existing loan

• When the loan has been entered completely, and the

amortisation tables have been generated. All amortisation tables must be validated separately i.e. tranche by tranche

• When a real transaction is recorded in the ledger, e.g. a real disbursement or a payment, the amortisation table has to be lined up accordingly

• When , an amendment of the face value takes place, either cancellation or increase of the committed amount, the amortisation table and projections of future disbursements have to be lined up accordingly

• When non-payments operations are recorded, as operations of debt restructuring (write-offs, rescheduling or refinancing), or when arrears are created, or paid, implying modifications on the stock of debt, including its maturity structure

Second Stage

The objective of validation at this stage is to ensure that the information contained in the database is complete, accurate and consistent with the standards set by the DMO. This is performed at different points in time than the data entry. It concerns checks made by DMO staff. However, it should be done by a different team from the one who entered the data and the supervisor who authorised the information at the recording stage. Ideally it should be senior DMO staff or officers designated and supervised by them.

The validation is carried out under the standards, rules and regulations of the country, and has to coincide with its accounting

(24)

_______________________________________________________________________________

standards and international standards for debt reporting. Data validation at this stage is a systematic and periodic “double checking” and is usually performed through specific checking reports. In addition, certain ad-hoc checks might be necessary if information indicates particular problems. It is important to verify that computer procedures and restricted access rights should prevent the ex-post alteration of data after validation at all stages.

Third Stage

The objective at this stage is to ensure that the information in the database is timely, complete, accurate and consistent with both international auditing standards and standards of other international organisations compiling and reporting public or external debt data. The difference between the second and third stage of validation is that at the third stage is an external control, i.e. the validation is performed by outsiders and not the debt office staff. The objective relates more to an evaluation of the information managed in the debt office. It can also relate to validating information in the debt office with external sources like domestic and external creditors. This is most often to be performed by the auditor belonging to the national SAI.

Validation techniques may depend on the borrowing instruments and the dynamics involved in the processes for disbursing and repaying various instruments. Most agreements or debt instruments would have certain common data elements, e.g., disbursements, debt service operations, non-payment operations, reference files etc. However, certain types of instruments have to receive a particular treatment11_{. This should be considered while carrying out}

data validation.

A Complete Data Validation, i.e., validation of all loans, tranches and its corresponding transactions, of the database for completeness, accuracy and consistency might be necessary under certain circumstances12_{. It is a detailed check where the DMO has to}

validate not only information in the computer system but also all its manual records and information received from external sources. Information also has to be cross-checked with other departments and institutions, and often with domestic and external creditors as well. This may be required under special circumstances, like the integration of the CBDMS with another system like an IFMS, or when making preparations to renegotiate part of the debt and there is a need for a reliable assessment of public indebtedness, or when a change in administration takes place, for instance after elections in which political parties in power have switched, or the debt office is reorganised and new procedures are implemented.

11

For instance, see Oyola (2007) for an example on sovereign market instruments. 12

(25)

_______________________________________________________________________________

Input Error Reporting and Handling

In the input functionality of a CBDMS, where data is automatically checked and validated at data entry, it is important that there are procedures for dealing with transactions which fail to meet the input requirements, i.e., the auditor should determine what happens to rejected transactions.

Errors can occur due to duplication of transactions and inaccurate data entry. These errors can, in turn, greatly impact the completeness and accuracy of the data. Controls must be identified to verify that input errors are recognised and corrected. Corrections to data should be processed through normal data conversion process and should be verified, authorised and re-entered to the system as a part of normal processing.

The DMO should have procedures in place to establish input error handling procedures to control over transactions that are flagged or rejected by the system and ensure that all data rejected will be subsequently corrected, re-input to and accepted by the CBDMS.

Controls over Processing and Computer Data Files

Processing controls ensure completeness and accuracy of stored data. Controls over processing and data files are designed to provide reasonable assurance that:

• Transactions, including system generated transactions, are properly processed by the CBDMS

• Transactions are not lost, added, duplicated or improperly changed

• Processing errors are identified and corrected on a timely basis

• Transactions once input and processed are stored into an appropriate file

• The stored data remains on file until amended, deleted or changed as a result of an authorised process or modification routine

Processing controls prevent, detect, and correct errors from the time data is received from the input sub-system to the time data is dispatched to the database, communication, or output sub-system. They seek to enhance the reliability of the application software that execute instructions to meet specific user requirements.

The transaction process which occurs inside a computer is effectively invisible to the auditor. Auditors can see what went in and what came out, but may have little knowledge of what went on in between this process. This weakness can be exploited by

(26)

_______________________________________________________________________________

embedding testing software routines inside the implemented ones. For instance, embedding routines for recalculating a sample of transactions to ensure that processing is accomplishing the desired task.

Controls over Computer Files Management

The auditor will encounter many system related files during an audit of a CBDMS which are valuable for audit analysis and reporting purposes. Some of these files are support files like creditor, debtors, beneficiaries, or data files like exchange and interest rates, and operational files, like the loan ledger for recording real debt operations, future debt operations reflected on individual amortisation tables, software files, backup files, log files, etc. Major concerns for the auditor should be who can access and update these files.

File controls should ensure that only authorised processing occurs to stored data. There should be procedures and controls to access/amend/delete stored/standing data and software files. As standing data errors have far reaching effects it is normal for the controls over this data to be stricter than controls over individual transactions.

Controls over computer data files include the following:

• Source documentation like debt

agreements, payment orders and disbursement advises, amortisation tables, etc. should be retained to enable retrieval, reconstruction, or verification of data and transactions.

These documentation should not only be filed in hard-copy, but also scanned and stored electronically in order to be included in the backup procedures with other electronic files within the normal security tasks

• The proper and correct version of a file should be used in order for the processing to be reliable

• Data file security controls prevent unauthorised access by users that may alter data files unduly

• All transaction input activity is recorded by the computer in a Log. A detailed recording including date and time of input, user ID and terminal location can then be generated to provide an audit trail.

• Proper and adequate authorisation for file updating and maintenance is necessary to ensure that stored data is adequately safeguarded, correct, and up-to-date.

(27)

_______________________________________________________________________________

Controls over Output

Controls over output are designed to provide reasonable assurance that:

• Results of processing are accurate

• Access to output is restricted to authorised personnel

• Output is provided to appropriate authorised personnel in a consistent and secure manner and on a timely basis

Output controls should verify that output reports should be distributed according to authorised guidelines which may be automated or manual. It should be verified that output reports are complete and delivered according to schedule. All reports should be logged prior to distribution.

Access to distributed reports can compromise confidentiality. Therefore, physical distribution of reports should be adequately controlled. Reports containing sensitive data should be printed under secure, controlled conditions. Logical access to electronically distributed reports should be carefully controlled and subject to authorisation. Before the produced report is authorised for distribution, the information has to be validated and countersigned by appropriate authority. In particular the following points should be checked:

• A log for distribution and its schedule should be firmly adhered to and kept in records

• To provide assurance that sensitive reports are properly distributed, the recipient should sign a log as an evidence of receipt of output

• In case any output is exported to another computer

system, e.g., to the IFMS, the auditor should look for controls to ensure that outputs are accurately transferred

Testing Application Controls

In order to rely on application controls in an auditee’s computer applications, the auditor should perform an “application review”. An application review includes a series of specific audit steps in order to understand, document, identify and test application controls.

The steps in an application review are generic and apply to any activity where the auditor intends to rely on the application controls. The steps involved in an application review include:

• Identifying the sources of original input into the application

• Preparing a description of the application including data preparation, data input, data editing, error correction

(28)

_______________________________________________________________________________

procedures, data processing, posting of data to the subsidiary and general ledgers, and reports generated

• Preparing a walkthrough tracing the steps of a single

transaction from its original source to the general ledger.

• Identifying key controls, determining the extent of testing required, and testing the key controls. Key controls are those that satisfy, with reasonable assurance, the control objectives of a particular application control

• Evaluating the results of tests and concluding on the overall adequacy and effectiveness of the application controls

Once the auditor has identified and selected the key controls to be tested he is now ready to tests these controls. It is important to note that it is the control that should be tested not the transaction. The objective of testing the key controls is to determine whether the control exists and has been operating effectively throughout the period of

intended reliance. The testing procedures must be applied rigorously in order to obtain moderate reliance on application controls. The nature, extent, and timing of tests of key application and key controls to support a controls-reliant audit approach should be documented in the audit working papers. The auditor should prepare:

• An audit programme outlining the steps to be followed in performing an application review and testing of key controls

• A worksheet to document the testing of the key application controls.

• A separate worksheet would normally be prepared for each stage of the application and would identify:

Whether the key controls were manual or

computerised

The tests performed;

The observations made;

The client personnel interviewed

The documents examined

Other evidence obtained to corroborate inquiries

Any exceptions and how they were cleared or the audit implications

The results of the test, i.e., whether the control objective was met or not

A file to document the work performed

If after completing the tests of application controls, weaknesses are identified, the existence of compensating controls should be considered as well as the need to consult with information technology specialists. The auditor must determine whether the

(29)

_______________________________________________________________________________

control weaknesses are significant enough to prevent the achievement of related control objectives being tested. This may be done by considering:

• The types of error(s) that could occur due to the weaknesses

• Whether the error(s) could compromise the accuracy,

completeness and consistency of the data

• The impact that the entity has experienced as a result of the weakness

If, as a result of this process, it is determined that the control objectives are met, the DMO should be informed on any control weaknesses noted at the end of the audit.

1.1.8. Monitoring of Controls

Monitoring of controls can be effected through both the normal ongoing internal controls of public debt operations and separately focused audits. Debt managers normally depend on periodic reports and inquiries from inside and outside stakeholders to detect unexpected trends or changes. Ongoing monitoring should be built-in through the use of periodic site visits, checks to determine whether procedures are being followed, and management review of reports. From time to time, senior debt management could also order a separate, thorough evaluation of internal controls.

1.1.9. Gathering Audit Evidence

An audit process is a well-defined methodology to ensure that sufficient and appropriate audit evidence is obtained to reduce the audit failure risk to an acceptable level. The first basic objective of audit is to gather sufficient and reliable evidence in order to be able to formulate logical observations with reference to the audit criteria.

A good audit is based on evidence that is competent, sufficient and relevant. Whether the evidence meets these criteria will depend upon:

• How independent are the sources of evidence

• How well the data have been analysed

• How carefully the evidence was gathered

• The purpose for which the evidence is used

When planning the audit, the auditor should identify the probable nature, sources and availability of audit evidence required accordingly to the above enumerated points.

Types of evidence:

The types and potential sources of evidence in the audit of public debt are: documentary, testimonial, analytical and physical.

(30)

_______________________________________________________________________________

This is a very important source, especially from the debt management office files and major national debtors when the debt is guaranteed. This refers to files, computerised or physical, as well as records of different types, including the logs in the different DMO dependencies.

Testimonial

Testimonial evidence comes from interviews with the DMO officers and other related parties, of whom there are likely to be many in a government, e.g., Treasury, Budget and Central Bank among others, counterparties and bodies utilising or benefiting from public debt, credit rating agencies, IFIs, etc. It can be documented in the form of interview notes, recorded conversations on magnetic tape, or corroborated evidence or testimonies from other people that have knowledge of the issue at hand like academics and public debt experts. However, all testimonial evidence has to be double checked in order to avoid biased opinions in some specific testimonies.

Analytical

The auditor has to wander whether anything that was not done should have been done or if done, whether it was well done. Not such evidence will be found necessarily in the DMO documentation. It needs to be inferred from analysis of documentary and testimonial evidences, for which the auditor may need to complement information recurring to expert external advice, e.g., analysis by experts can be search for assessing the consequences of not refinancing a relatively expensive interest rate instrument or a risky foreign currency labelled instrument. With some expert advice, the auditor could develop an analysis showing whether the performance by the DMO staffs is convincing.

Physical

This type of evidence can be obtained from the following sources, among others: site visits to gain personal knowledge of the practicality and the physical state of work as they are at a point in time; and physical verification of tangible results of the utilisation of public debt funded programmes, etc.

When selecting the techniques for gathering audit evidence, it is important to decide how appropriate a technique might be to a particular set of circumstances. Auditors should avoid the use of techniques without full knowledge of their costs and their limitations. Nevertheless, auditors should not depend on techniques just because they have a lot of experience using them. Without a varied methodology, auditors might tend to rely too much on techniques that may not be appropriate for specific cases.

Methods of Gathering Evidence

Evidence gathered may be qualitative in nature and require extensive use of professional judgement. Accordingly, the auditor would ordinarily seek