Ministry of Finances 2 CHU for Internal Audit Internal Audit Manual – Part II: The Audit Process
EU Support to Improving Public Management, Control, and Accountability in Kosovo An EU funded project managed by the European Commission Liaison Office
CONTENTS
Foreword
Acronyms
Introduction
Chapter 1: Overview Of The Audit Process
Chapter 2: Audit Planning
Chapter 3: Field Work
Chapter 4: Reporting and Audit Closure
Chapter 5: Follow‐Up Procedures For Details.
Chapter 6: Follow‐Up Procedures And Quarterly Status Reports
Chapter 7: Supervision
FOREWORD
This Manual was prepared by the Ministry of Finance, Central Harmonization Unit for Internal Audit, in cooperation with experts from the EU‐funded project “Further Support on Public Internal Financial Control and Internal Audit” and subsequently revised under the EU project to provide “Support to Improving Public Management, Control & Accountability”.
This Manual is available in three languages, Albanian, Serbian and English, and comprises two parts supplemented by various material which is available on the CHU‐IA website:
http://www.mef-rks.org/en/central-harmonization-unit-of-internal-audit
The first part concerns managing the internal audit function, introducing the role of the main stakeholders, outlining the guiding principles and policies, and describing the important processes for developing strategic and annual audit plans. This second part details the activities of the audit team as it proceeds through an individual audit and will be useful as a pocket guide to auditors as they work on their audit assignments.
In recent years the profession of internal audit has undergone rapid development. As public sector internal auditors, it is important to work hard to apply modern internal audit techniques in Kosovo. This Manual will be a valuable tool to help internal auditors in Kosovo’s public sector entities to fulfil their important role in ensuring accountability and good governance. A key issue in bringing modern audit to public sector entities in Kosovo is removing the association of internal audit with the old concept of inspection, which was a check conducted by an external authority. Instead, managers should consider the internal auditor as a partner who will help them reduce the risks they face and who will provide insights into how the organisation could operate more efficiently, effectively and economically. Being a partner means working closely with management at each stage of our audit activity ‐ starting from the initial meeting with management, through each of the phases of planning and conducting the audit, reporting results and following up recommendations.
To be respected as professionals, auditors must conduct themselves professionally, which means:
• not passively waiting for, but actively seeking to work jointly with management at all levels of their organisation;
• objectively evaluating the effectiveness and efficiency of the organisation’s internal control mechanisms;
• coordinating their work with the Office of the Auditor General of Kosovo and other control bodies;
• determining compliance of the organisation’s processes with the relevant legislation, regulations and other rules;
• verifying the timeliness and accuracy of financial and other operational reports;
• delivering useful audit reports that help management understand their risks and provide practical recommendations for improving control procedures, processes and decisions which address the risks facing the organisation; and
• performing professional, objective consultancy services when requested.
This manual has been developed to reflect the current state of the internal audit function in Kosovo. Accordingly it focuses on basic principles and does not address some of the more complex issues. I would like to emphasize that as the practice of internal audit in Kosovo continues to evolve, the Central Harmonisation Unit for Internal Audit will reflect the changing circumstances through its instructions, and will be happy to receive your comments.
Kosum Aliu, Director, CHU for Internal Audit
Bedri Hamza, Minister of Finance
August 31, 2011
ACRONYMS
AC Audit committee
ATL Audit Team Leader
HEAD OF PSE/CAO Head of Public Sector Entity/Chief Administrative Officer
CHU‐IA Central Harmonisation Unit
CPE Continuing Professional Education
ECLO European Commission Liaison Office
EU European Union
EWT Effective Working Time
IA Internal Audit
IAL Internal Audit Law
IAM Internal Audit Manual
IAU Internal Audit Unit
IIA Institute of Internal Auditors
MOF Ministry of Finance
OAG Office of the Auditor General
PIFC Public Internal Financial Control
PSE Public Sector Entity
PSS Public Sector Subject
INTRODUCTION
This is Part II of the Internal Audit Manual for internal audits in the Kosovo public service.
A “systematic” and “disciplined” approach to internal audit is achieved by implementing a unified methodology and professional standards by internal auditors. This part of the Internal Audit Manual describes the standard approach to the conduct of internal audits. Internal auditors need to understand this approach and apply it consistently to maximise the quality of internal audit in the PSEs in Kosovo.
This part of the manual outlines the activities that internal auditors carry out within the framework of an individual audit assignment, the participants in the process, and their functions and responsibilities in each phase of the audit process (planning, field work, reporting and follow‐up).
The Manual does not consider audit consultancy assignments that internal auditors may be asked to perform from time to time, as the approach to each consulting assignment will vary according to the circumstances.
This part of the manual is supplemented by Templates of Audit Working Papers which can be accessed via the CHU‐IA website: http://MOF-rks.org/en/central-harmonization-unit-of-internal-audit
“Internal audit” is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, controls and governance processes. (IIA definition).
These Working Papers are provided to guide internal auditors through the audit process and ensure that appropriate material is gathered during the audit to fulfil the Standards for audit documentation. Internal audits may take many different forms depending on the process or organisation being examined and the audit approach that is being applied. Consequently not all the standard working papers will be relevant for all audits – some may need to be replaced or modified and some additional Working Papers may need to be created. Therefore the internal auditors should use their judgment in determining what Working Papers are appropriate for each audit.
The Audit Working Papers apply to the four phases of each individual audit: audit planning; fieldwork; reporting; and follow‐up. The working papers are organized by phase and it is suggested they are given reference numbers according to the following scheme:
• Phase 1000 Audit Planning
• Phase 2000 Fieldwork
• Phase 3000 Reporting
• Phase 4000 Follow‐up
It is assumed for the purpose of this part of the manual that the individual audit assignment is being done within the context of a Strategic Audit Plan and an Annual Plan. The methodology and procedures for strategic and annual planning are presented in Part I of the Internal Audit Manual.
All terms used in this volume are explained in the Glossary presented with Part I of the Internal Audit Manual.
CHAPTER 1: OVERVIEW OF THE AUDIT PROCESS
An internal auditor’s job is to assist management to discover and evaluate risks, and contribute to improving the financial management and control systems operating in that organisation. In general, a “system” is a combination of interrelated elements that constitute a single complete process which performs a particular function.
The principles applying to financial management and control systems are set out in the Law on Public Financial Management and Accountability (LPFMA). Internal auditors should be familiar with this Law and support management in its implementation. They should conduct in‐depth analyses of the financial management and control systems to assess the effective functioning of the control mechanisms. In other words, the emphasis should be on auditing systems, as opposed to examining transactions.
In systems audits the auditors form an opinion about the control mechanisms that are in place, how they operate and what their impact is on the objectives of the organisation. This is done by examining and evaluating the processes in the organisation, as illustrated by the following schematic:
[Schematic of a process. Labels: Input; Processing; Output; Control; Feedback.]
Each process in the organization being audited has its own objectives. Internal auditors must be familiar with all processes and focus audit attention on those that are significant or prone to risk. Knowing the goals, resources, process flow and results of the processes, auditors are able to define the objectives and scope of internal audit.
The systems audit is a “step‐by‐step” process. However, steps should not be regarded as independent stages as each must be completed before starting the next stage of the audit ‐ the systems audit is an integrated whole process. The auditors’ basic knowledge of the systems will gradually broaden in the course of the audit. At each stage of the audit process, the internal auditors will have the opportunity to reconsider their approach based on their improved understanding of the system.
The key to a high quality audit is the auditors’ approach to the planning and conduct of the audit. To ensure consistent high quality, internal auditors apply a standard approach to each audit. This standard audit process has four phases: planning, field work, reporting and monitoring of the implementation of recommendations (including follow‐up). These phases are discussed in the following Chapters.
CHAPTER 2: AUDIT PLANNING
2.1. INTRODUCTION TO AUDIT PLANNING
The planning phase is critically important for the efficient performance of an effective audit. This phase has two main steps:
• preparing for the audit; and
• planning the audit activities and allocating resources.
In the course of preparing for the audit the internal auditors should:
• document the audited process to understand how it operates;
• identify the control objectives;
• define the scope of the audit;
• conduct the initial meeting with the management of the audited organization;
• identify and assess the risks in the audited process;
• assess the controls against the risks in the audited process; and
• choose an approach, identifying the type and number of checks to be carried out.
At the end of this stage the Team Leader and the members of the audit team draw up the audit plan.
An audit plan is prepared at the start of every audit assignment envisaged in the annual plan. It contains the objectives, scope, duration and allocation of resources for the assignment.
The following diagram illustrates the process of planning for the audit:
[Diagram of the audit planning process. Box labels: Gather information; Assess the control environment and management controls; Annual audit plan; Select substantive audit approach (no reliance on controls); Continue assessing the: a) information and communication; b) key (mostly application) controls; Prepare the Planning Document with Audit Work Program (or forms used at field-work); Select the audit strategy; Identify and assess risks; Understand objectives of the audited process/unit; Formulate control objectives; Set out audit scope and objectives. Branch labels: Weak; Medium/Strong.]
The sequence of events illustrated by the above diagram is discussed further in following sections of the Manual.
In addition it is useful to understand how the management process relates to the whole audit process as presented in the schematic below:
[Schematic relating the management process to the audit process. Labels: Management process; Audit process; Process/unit; Objectives; Risks; Risk assessment; Control objectives; Controls and related documentation; Risk response; Information and communication; Monitoring; Testing of controls by audit; DICE form; Actions to improve; Audit report; Audit field-work; Decide upon the audit objectives and understand management objectives/risks; Decide on audit scope.]
2.1.1. Understanding and documenting the activity/process to be audited
The planning stage determines how the entire audit assignment will be executed. Good planning is a prerequisite for efficiently completing the audit assignment which, coupled with a high level of competence of the auditors, should lead to an improvement in the organisation’s operations. Therefore internal auditors must approach the planning stage with particular care, making use of their professional skills and experience, taking into account how well they know the organisation, its processes, control environment and risks.
TEMPLATE No 1 – Audit Planning Checklist (WP 1001)
The annual plan of the IAU is the basis for assigning auditors to specific audits. Once assigned, the Audit Team Leader should work with the audit team to plan the specific audit work. The work depends on whether the internal audit activity in the organization will be done by:
(a) an IAU;
(b) shared Internal Audit Unit; or
(c) the IAU team within the Ministry of Finance (on request).
The different approaches are considered in the following sections.
The first Audit Planning working paper, number 1001, is a simple checklist that the Audit Team Leader can use to signify that each working paper has been duly completed. If a working paper on the list is not to be completed, the Audit Team Leader should strike it through as being not required. Any additional working papers created for the audit should be added at the bottom of the list.
APPROACH 1 ‐ where internal audit activity is performed by internal auditors procured by the organisation from an external service provider
Assuming in this case that the internal audit team is less familiar with the organisation, the team members must devote more time to prior study and preparation of the audit assignment to ensure they have adequate knowledge of the audited activity/process and the established financial management and control systems.
The understanding of the activity is achieved by collecting and studying information about:
• legislation and internal regulations and procedures that concern the audited organisation;
• the objectives of the organisation;
• the organisation structure, including allocation of responsibilities, job descriptions, etc.
• main areas of operation;
• the risk assessment methodology applied in the organization;
• information processing procedures and key controls;
• the accounting environment and accounting policy;
• financial management and control systems;
• staff turnover; and
• other applicable documents.
As a starting point, the audit team should refer to the material in the Permanent File. The team should then consider what additional information may be needed and collect it for addition to the Permanent File as necessary.
The audit team analyses the information collected and prepares for the initial meeting with the management of the audited organization.
The Audit Team Leader will judge whether the understanding achieved is sufficient or if it is necessary to request additional documentation and explanations from management. As a result of the work performed at this stage, the audit team defines in broad terms the objectives and scope of the audit that are then discussed at the initial meeting with the organisation’s management. After this discussion the Audit Team Leader may supplement or amend the original objectives, taking into account the opinion of the management on contentious areas. At a later stage the objectives will be specified in more detail, and the precise scope of the audit will be defined for incorporation in the final audit plan.
When the Audit Team Leader is ready to initiate the Internal Audit, s/he will write to the management responsible for the unit or process to be audited to inform them of the impending audit, seek a meeting to obtain background information, and indicate the audit team’s requirement for office space and equipment. This letter should be sent so that it is received at least a week prior to the requested meeting.
TEMPLATE No 2 ‐ Request for Initial Meeting (WP 1002)
The reason for requesting the information is to ensure the auditor has a sufficient understanding of the organisation unit or process to identify and evaluate controls and design appropriate tests. The Audit Team Leader should first consult the Permanent File to determine what information is already in the possession of the IAU and should limit the request to additional information about the organisational unit or process that is not on the Permanent File. Further, the Audit Team Leader should not seek copies of all information at this stage, but should ask where the information can be accessed, such as web sites, central files, corporate publications and so on, so that the audit team can follow up.
APPROACH 2 ‐ Fulfilment of an audit assignment, where the internal audit activity is performed by an IAU
Where the internal audit activity is performed year‐round by a permanently established IAU, the Director of the IAU can plan the specific assignment with less emphasis on the preliminary data gathering. The assumption here is that the team is already familiar with the organisation. However, where the IAU or any of its members are new to the organisation, it is recommended that the more substantial preliminary work described in Approach 1 be undertaken.
Because it is assumed that the auditors already have an understanding of the organisation to be audited, planning should focus on an evaluation of the control environment and risks, from which the objectives and scope of each specific audit assignment can be defined in general terms.
While completing this step, the auditors should use data from the Permanent file of the audit, results of former audits, meetings and interviews with the management and other responsible experts. To collect additional information, internal auditors may draw up and provide questionnaires to employees, for completion as part of the audit.
TEMPLATE No 4 – Internal Control Questionnaire (WP 1004)
TEMPLATE No 6 – General Understanding (WP 1006)
These documents gather basic information to help the auditor understand the control environment, and identify the systems and controls that are in place. They can be used to guide an interview with the senior manager of the organisation unit being audited, or they can be provided to senior managers for them to complete in their own time. The auditor should modify the ICQ as s/he sees fit, being careful not to undermine the key data it is designed to capture.
The Director of the IAU should ensure that the senior management of the organisation is familiar with the Strategic and Annual Plans, and should also inform the Head of the organisation of the planned audit activity. This is an important courtesy. Reasonable advance notice of each audit should be sent in writing to the highest‐ranking manager of the audited organization.
2.1.2. GATHER INFORMATION
Preliminary preparation for the audit requires the collection of a significant amount of information. Sources of information include: documents, interviews, questionnaires, procedure fiches, organizational charts, diagrams, etc., as these provide important reference points throughout the audit.
TEMPLATE No 5 – Record of Information Review (WP 1005)
When choosing data collection methods, internal auditors must judge which method is most efficient at satisfying the objectives of the review. The choice will depend on the professional judgment of the auditor and will reflect the auditor's understanding of the audited organization, the type of the audit and the specifics of the assignment.
TEMPLATE No 11 – Notes from Information Gathering (WP 1011)
At this stage of the planning phase the internal audit team should have a good understanding of the processes on which they are focusing and the audit objectives and scope for the audit will have been specified. Now the steps of the audited process must be documented. For this purpose a working paper “Analysis of System Risks” is used. Auditors use this document to identify the processes they will test.
The auditors will obtain information from various sources (such as the Permanent File for the organisation, the sources identified by the audit manager in the Initial Meeting and subsequently, the ICQ) and will review it to identify avenues for further investigation. This information, and the suggested audit procedures, will be recorded on this form and initialed by each auditor who contributed. The Audit Team Leader will review and sign
TEMPLATE No 12 – Analysis of System Risks (WP 1012)
This working paper records the following key elements: the process to be audited; the objective of the process; the steps, risks and control procedures related to the process; and assessment of the risks related to the process. In this way, the entire audit process is reflected in the working paper.
2.2. SETTING AUDIT OBJECTIVES
Audit objectives are broad statements developed by internal auditors to define what the assignment is intended to accomplish. Audit procedures are the means to attain audit objectives.
The audit objectives determine the work to be carried out by the internal auditors.
Audit objectives may be general or specific. In organisations where the internal audit is performed by an IAU, the general objectives are defined during the annual planning stage together with the assessment of the control environment and risks, and the definition of scope for each specific audit assignment. The Director of the IAU acquaints the management of the organization at the initial meeting with the general objectives and the scope of the internal audit.
The general objectives of the audit must be clear, focusing on important processes and significant risks and aiming to improve the processes being audited. Usually, the general objectives of an audit are concerned with reviewing regulatory compliance, how economically, effectively and efficiently operations are managed, the safeguarding of assets, and the accuracy of accounting information.
Standard 2210 – Engagement Objectives
Objectives should be established for each engagement.
Standard 2210.A1 ‐ Internal auditors should conduct a preliminary assessment of the risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.
Internal auditors specify the audit objectives at the same time as identifying control objectives. The control objectives are related to the objectives of the audited process.
Example: If the internal audit focuses on the accounting and financial activities of the organisation, the objectives of the audit will relate to the reliability and accuracy of the financial information and the compliance of the accounting records and financial reports with the policies, plans, procedures, regulations and laws, and safeguarding of assets.
Control objectives are the basis for identifying the risks in a process and for assessing the adequacy of the controls established to manage the risk.
The difference between audit objectives and control objectives is shown in the following example:
Audit of process for defining, calculating and paying remunerations at Ministry X
(Payroll Audit)
Objectives of the audit
To assess whether the payroll process functions in compliance with the relevant legislation, management policies and procedures;
To ensure that the payroll systems operate so that staff are paid correctly and on time;
To ensure that the payroll procedures are efficient and effective.
Scope of the audit
The audit will cover all the current payroll procedures operating within Ministry X from the commencement of employment of a new member of staff to the point at which s/he retires from or leaves the Ministry;
The audit will be limited to the processes and procedures operated by other departments or agencies on behalf of the Ministry.
Control objectives
To ensure employees working hours and, leavers, promotions, salaries and deductions from salary are authorised for all employees.
To ensure employees’ time attendance data are properly reviewed, approved, processed, documented and accurately coded for accounting purposes.
To ensure calculations of gross pay, deductions and net pay are:
‐ accurate; and
‐ based on authorised times and amounts.
To ensure tax and social security information is accurately and promptly reported.
To ensure payroll deductions are correctly accounted for and paid to the third parties to whom they are due.
To ensure payroll data is handled and maintained confidentially.
It is important to remember that different control objectives apply to different processes. Internal auditors must continuously think about additional control objectives, reflecting the context in which the process functions and some specific problems facing the process, which are the subject of the review.
Formulation of the objectives
In developing audit objectives, internal auditors may use the following suggestions as a basis:
• evaluate whether the policies and procedures in place are adequate for the objectives of the audited process;
• establish whether the policies and procedures in place in the audited process correspond to the requirements of regulatory acts;
• verify the existence, condition and custody of physical assets and the ability of the control systems to protect them against loss or waste;
• evaluate the completeness, relevance, accuracy and accessibility of the information system;
• establish the accuracy and timeliness of financial records; and
• identify errors and shortcomings and determine the factors (control weaknesses) that contribute to them.
Control objectives can be formulated as questions, for example:
• are adequate procedures applied to the processes of the audited body? Do management decisions relating to this process comply with statutory requirements and are such decisions fully documented?
• is there a system to report on the audited processes, and is this information complete and accurate?
• are assets properly protected?
• do the systems ensure that payments are made on time and for the correct amount?
• does the accounting system ensure correct entries of the assets, liabilities, revenues and expenditures and do payments match contractual obligations?
• have the requirements for awarding public contracts been met and have appropriate control mechanisms to ensure fulfilment of the regulatory requirements been put in place?
The way objectives are formulated depends largely on the type of audit to be conducted.
ANNEX No 2 – List of Objectives for Internal Audit
Relationship between audit objectives and audit procedures
Audit procedures are the means for achieving the audit objectives. The basic and most important procedures are the checks that internal auditors execute during the audit process. The specific checks to be made are selected during the planning process to reflect the character of the audited organisation and may be directed at different types of activities, processes, programs, indicators, documents, etc.
The objectives and procedures of the assignment, taken together, define the scope of the internal audit and must be directed to address the risks associated with the process being checked.
2.3. THE SCOPE OF THE AUDIT
As noted in the preceding section, audit objectives and procedures taken together define the scope of the internal auditor’s work.
Before the initial meeting with management, the internal audit team must define an audit scope that will achieve the objectives for the audit that were developed in the Annual plan.
The audit scope should define the following parameters of the audit assignment:
• audited period;
• name of the audited process;
• documents to be checked; and
• place of conduct of specific checks.
The scope may be constrained by factors or events that reduce the ability of the auditor to express an independent and professional opinion on the audited process. Such constraints may relate to:
• the access of internal auditors to assets, documents, information and key officials with respect to the objectives of the audit; or
• the available human resources and the timetable for the auditor’s work.
It may be appropriate to include in the scope definition a statement of areas that, though related to the activity or process being audited, are not to be included in the audit work. This can clarify the boundaries of the audit and ensure that expectations about the audit’s results are appropriate.
2.4. INITIAL MEETING
The Director of the IAU or the Audit Team Leader should call a meeting with the management of the audited body after the preliminary study of the audited process is complete, and the scope and objectives of the audit have been defined.
Holding an initial meeting with management is important for the efficient fulfilment of the audit assignment and will pave the way for a cooperative relationship during the course of the audit. The initial meeting should set a positive tone for the engagement and should calm any management anxieties.
During the initial meeting, topics of discussion may include:
• planned audit objectives and scope of work;
• the timing of audit work;
• internal auditors assigned to the audit;
• the process of communicating during the audit, including the methods, time frames, and individuals who will be responsible;
• organisational condition and operations of the activity being reviewed;
• concerns or requests for management;
• matters of particular interest or concern to the internal auditor; and
• the internal audit reporting procedures and follow‐up process.
Template No. 7 provides a draft agenda that can be attached to the “Request for Initial Meeting”, and used to guide the initial meeting. The Audit Team Leader should modify it to suit the circumstances.
TEMPLATE No 3 – Draft Agenda for Initial Meeting (WP 1003)
The Audit Team Leader will discuss with management the planned start and end dates of the audit, and wherever possible should adapt them to synchronise with other organisational commitments. Management may use the opportunity to identify specific risks in the audited process that are not covered by the audit plan, which the audit team should consider for inclusion in the audit scope.
The auditor should ensure that all those in management who need to know about the audit are properly informed, and meetings should be held with managers who are responsible for the activity being examined. A summary record of matters discussed at meetings and any conclusions reached should be prepared, distributed to individuals as appropriate, and retained in the engagement working papers.
2.5. OBJECTIVES AND RISKS
The following activities should be completed and documented in the planning section of the working papers:
• assemble background information and document key issues in the planning section of the working papers;
• identify objectives for the audit;
• identify risks related to objectives;
• assess and identify the critical risks, formulate control objectives based on the risks and record them with their risk ratings on the working papers ‐ “Analysis of System Risks”; and
• identify controls related to critical risks, and document the key controls in the working paper ‐ “Analysis of System Risks”.
TEMPLATE No 9 – Checklist for Risk Management (WP 1009)
This checklist can be used to get an overview of risk management processes.
2.6. ASSESSING THE INTERNAL CONTROL SYSTEM
Auditors must understand the internal control system that management has designed and implemented. The basis for reviewing the control systems is provided by the COSO internal control systems model.
Auditors should address this model in a systematic way to ensure efficient use of audit resources. Accordingly, the internal control system evaluation is performed in the following sequence:
• understand the objectives and nature of a program/function/process and define risks related to them, assess risks;
• assess the control environment;
• assess the management controls and the process for monitoring their effectiveness;
• if the auditor decides that the control environment is weak, then a no‐control reliance audit approach should be adopted. In this scenario, do not assess the other elements of the internal control system;
• if the assessment is that the control environment is medium to strong, then the auditor should proceed to identify and assess key application controls. There may well be very many application controls, in which case the auditor should select key controls that mitigate more than one risk; and
• assess the effectiveness of information and communication flows and formulate your audit approach.
2.6.1. ASSESSMENT OF THE CONTROL ENVIRONMENT
The concept of a control environment is not tangible or easy to understand. Rather it describes an atmosphere or a culture in the institution, whereby management sets the tone at the top that results in a strong or weak control environment.
NB!
Although auditors should document their assessment of the control environment, it will generally not be supported by hard evidence. Therefore it should not be made public even inside the IAU, as this information may be easily misunderstood or misused. However, even as an estimate, or a feeling, it is accepted as a valuable planning tool in deciding whether or not to rely on controls, and if so, to what extent.
Use TEMPLATE No 7 – Checklist for Control Environment (WP 1007)
Note that the concept of control environment usually relates to the whole audited organisation. If the auditor has previously prepared an assessment of the control environment, it should only need updating when there have been significant changes in management, organisational structure, human resources, or organisational policies.
2.6.2. FRAUD INDICATORS
A strong control environment plays an important role in preventing fraud, and internal auditors should be alert for indications of fraud. This means:
• having sufficient knowledge of fraud to be able to identify indicators that fraud may have been committed. The auditor should know the characteristics of fraud, the techniques used to commit fraud, and the types of frauds associated with the activities reviewed;
• being alert to opportunities, such as control weaknesses, that could allow fraud. If significant control weaknesses are detected, auditors should conduct additional tests to look for indicators of fraud. Some examples of indicators are unauthorized transactions, overriding controls, unexplained procurement exceptions, and unusually large project losses or delays. Internal auditors should recognize that the presence of more than one indicator at any one time increases the probability that fraud may have occurred; and
• evaluating the indicators that fraud may have been committed and deciding whether any further action is necessary or whether to recommend a fraud investigation.
Where there is enough evidence of fraud to warrant an investigation, the findings should be turned over to the Audit Committee who will contact the appropriate authorities to initiate the investigation.
2.6.3. ASSESSMENT OF THE MANAGEMENT CONTROLS
Controls are all activities of management that aim to increase the probability of the organisation’s objectives being achieved by reducing or eliminating the impact of identified risks.
Controls are:
• Preventive Controls ‐ Designed to limit the possibility of adverse outcomes (separation of duties, approval, authorization, verification)
• Detective Controls ‐ Designed to identify adverse outcomes after the event (reviews, balances, analysis, counting (physical inventory), audit)
• Corrective Controls ‐ Designed to correct undesirable outcomes which have occurred (accounting error correction, repayments)
• Directive Controls ‐ Designed to avoid the undesirable outcome (orders to do something, restrictions to do something)
The auditor’s assessment of controls directly impacts how many checks will be conducted during the audit.
The process of assessing risks can be split into 2 stages:
• identify management controls; and
• test the key management controls.
The following process is useful in identifying management controls:
[Figure: Identifying Controls. Decision flowchart with Yes/No branches. Questions: “Is it automated?”, “Is it preventative?”, “Is it checking that an application control has been performed?”, “Is its primary purpose to help management run the business?”. Outcomes: “It’s an application control”, “It’s a Monitoring Control”, “It’s a Management Control”, “Probably not a control!”.]
The second assessment stage could be performed using the checklist from TEMPLATE No 8 ‐ Checklist for Management Controls (WP 1008). This checklist presents a series of questions to which the auditor should determine the answers:
1. Does management periodically (at least quarterly) review reports to detect potential problems/errors?
2. Is management competent to identify problems from those reports?
3. Does management get timely feedback of causes of problems, if it has identified any?
4. Does management initiate corrective actions in return for the information related to problems?
5. Does management check for the successful implementation of corrective actions?
6. Does management ensure through (delegated) reality checks the sufficient achievement of objectives and progress?
7. Does management react with constructive action on audit reports/findings?
If all these questions can be answered affirmatively, i.e. “YES”, then the controls can be considered “effective”. If there is one “NO” answer, the management controls should not be assessed as “effective”.
2.6.4. ASSESSMENT OF THE APPLICATION CONTROLS
Application controls differ from management controls in that they are not performed on aggregated (sum of) transactions, but are exercised on each transaction individually.
They can be either:
• manual (performed by staff); or
• computerized (performed within IT systems).
In cases where an auditor has previously determined that no reliance should be placed on the controls, application controls will not be tested. When detailed activity‐level risks have been identified and captured on TEMPLATE No 12 – Analysis of System Risks (WP 1012), the related application controls (preferably the key controls) should also be recorded on this form.
2.6.5. ASSESSMENT OF INFORMATION AND COMMUNICATION
TEMPLATE No 10 ‐ Checklist for Information and Communication (WP 1010) can be used while assessing the availability, sufficiency and timeliness of information and communication.
2.7. SELECTING AN AUDIT APPROACH
Using the results of the internal control system evaluation as described in the preceding chapters, the auditor must select the appropriate audit approach. This involves deciding how much to rely on the controls based on the assessment of the controls and the environment in which they operate.
Alternative audit approaches to this decision are presented in the following sections.
2.7.1. ALTERNATIVE AUDIT APPROACHES
Broadly an audit approach considers how many tests of a control are necessary for the auditor to form an opinion about how well a control is working. It is not usually necessary to test every transaction that passes through a particular control. Instead, the auditor can test a sample and extrapolate the results from the sample to the population as a whole.
The key question for an auditor is: how much and what work should I do to minimize my audit risk, i.e. the risk of arriving at wrong conclusions?
The audit risk is higher when the control system is weak and lower if the control system is strong. The auditor has to choose how much audit work and what audit activities should be conducted, based on the results of the assessment of the internal control system. Subsequent sections describe in detail the assessment of individual elements of the internal control system and how the results are used to determine what and how much audit work to do.
Option 1: no reliance on controls due to weak control environment
This applies when the control environment is assessed as weak. There is no point assessing management and application controls if the control environment has been assessed as weak. The controls cannot be relied upon.
Audit approach: The audit will not include any tests of controls (as controls cannot be relied upon). Instead, the auditor will perform analytical review and substantive tests of transactions for financial and compliance audits. In the case of a systems audit, the auditor should advise the organisation as to what management and application controls are required and recommend improvements to the control environment, using examples of control failures or poor risk management to demonstrate the problem.
Irrespective of the assessment reached about control environment and management controls, this approach must be followed if the process or organisational unit is being audited for the first time.
Option 2: no reliance on controls due to ineffective management controls
This is the situation when the control environment may have been assessed as medium, but management controls are not effective. In this situation management is not able to detect problems if they occur and corrective action by management is not assured.
Audit approach: The audit will not include any tests of controls (as we cannot rely on them). Instead the auditors should perform extensive analytical review and substantive tests of transactions in the case of financial or compliance audits. In the case of a systems audit the auditor should again recommend controls that need to be designed. Examples of control failures or poor risk management should be used to demonstrate the problem.
Irrespective of the auditor’s assessment of the control environment and management controls, this option must be chosen if the process/unit is being audited the first time.
Option 3: some limited reliance on controls
This applies where the control environment has been assessed as medium or high and management controls have been assessed as medium at the planning stage, with some key application controls considered to be effective when they were tested at the planning stage.
The use of this option assumes that the auditors have audited the process under review before ‐ so there is some accumulated audit knowledge and experience.
Audit approach: The auditor should perform analytical reviews and conduct further testing of management controls and key application controls, supplemented by limited substantive testing of transactions.
Option 4: almost complete reliance on controls
Where there is a strong control environment coupled with effective management controls, the auditors can place almost full reliance on controls, focusing their attention on testing management and application controls supplemented with limited substantive tests.
The use of this option assumes that the auditors have audited the process under review before, so there is significant accumulated audit knowledge and experience.
The logic behind this approach is that if a material problem had occurred on any individual transaction, management controls would have identified it and at the application control level the error would have been prevented or corrected. Therefore the focus is on testing to check that the controls work as intended instead of looking for errors that have slipped through on individual transactions.
Audit approach: The auditor should focus on testing management controls and key application controls with minimal substantive tests.
2.7.2. RISK‐BASED SELECTION OF A SAMPLE
To avoid testing 100% of transactions the auditor should select a sample. In determining the size of the sample, and the transactions to select, the auditor should consider factors like monetary value, potential of fraud and frequency of irregularities, change as a default risk indicator, and timing, as follows:
a) Monetary value
The larger the amount of money involved, the bigger the risk (e.g. risk of misusing funds or making ineligible payments). Therefore projects, contracts and detailed transactions are sorted by their size in monetary terms and the biggest ones are selected into the sample.
b) Potential fraud and frequency of irregularities
Management gathers information from different sources (e.g. exception reports, irregularities database) to record, prevent and understand risks and irregularities. The units with the highest record of irregularities in their transactions should be selected into the sample before units with no record of problems.
c) Change
If change occurs in a programme’s systems, staff or procedures, there is a risk that the new systems, staff or procedures may not be working as intended, so they are good candidates for inclusion in the sample.
d) Appropriate spread over the period
If a program period under question is one calendar year, the controls should not be tested just at the beginning of the year but should be tested evenly across different periods throughout the year.
If the program period is more than one calendar year, the auditors should aim at auditing as much as possible from the total program volume. In order to facilitate this in practice:
• careful strategic planning is needed on a year‐by‐year basis; and
• a database should be kept per program to keep track of the amounts tested.
TEMPLATE No 13 – Control Test Procedures and Results (WP 1013)
While auditors may use their own judgment, the following guidance is provided for determining sample size:
Population size | Sample size
Less than 1,000 units | Select one third of the units
2,000 units | 371 units
5,000 units | 418 units
10,000 units or more | 450 units
Select the units in the sample using a random technique.
(The guidance above approximates a confidence level of 95%, for sample precision of 2%).
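The sample-size guidance and the selection factors above (monetary value, spread over the period, random technique), worked through as an added example that is not part of the manual. The 5% expected deviation rate and the finite population correction formula are assumptions the manual does not state; with them the 371 and 418 figures are reproduced, while for 10,000 units the formula gives 436 where the manual's table says 450. The transaction records and function names are constructed for illustration.

```python
import math
import random
from collections import defaultdict

Z_95 = 1.96                # z-score for the 95% confidence level named in the manual
PRECISION = 0.02           # 2% sample precision named in the manual
EXPECTED_DEVIATION = 0.05  # ASSUMPTION: expected error rate, not stated in the manual


def sample_size(population, p=EXPECTED_DEVIATION, z=Z_95, e=PRECISION):
    """Number of units to test for a population of the given size."""
    if population <= 0:
        raise ValueError("population must be positive")
    if population < 1000:
        return math.ceil(population / 3)       # manual: one third of the units
    n0 = z ** 2 * p * (1 - p) / e ** 2         # size for an unlimited population
    return round(n0 / (1 + n0 / population))   # finite population correction


def build_population(size=2000, seed=7):
    """Constructed sample data: payment records with id, month and amount."""
    rng = random.Random(seed)
    return [{"id": i, "month": i % 12 + 1,
             "amount": round(rng.lognormvariate(6, 1.2), 2)}
            for i in range(1, size + 1)]


def select_sample(transactions, n, seed, top_value=0):
    """Pick n records: the largest amounts first, the rest at random,
    spread over the months in proportion to each month's volume."""
    if not 0 <= top_value <= n <= len(transactions):
        raise ValueError("need 0 <= top_value <= n <= population size")
    rng = random.Random(seed)  # record the seed so the selection can be re-run

    # a) Monetary value: the biggest items always enter the sample.
    by_value = sorted(transactions, key=lambda t: t["amount"], reverse=True)
    chosen = {t["id"]: t for t in by_value[:top_value]}

    # d) Spread over the period: group what is left by month.
    months = defaultdict(list)
    for t in transactions:
        if t["id"] not in chosen:
            months[t["month"]].append(t)
    remaining = sum(len(ts) for ts in months.values())
    slots = n - len(chosen)
    if slots == 0:
        return sorted(chosen.values(), key=lambda t: t["id"])

    # Proportional allocation, largest remainders get the leftover slots.
    quotas = {m: slots * len(ts) / remaining for m, ts in months.items()}
    alloc = {m: int(q) for m, q in quotas.items()}
    leftover = slots - sum(alloc.values())
    ranked = sorted(quotas, key=lambda m: quotas[m] - alloc[m], reverse=True)
    for m in ranked[:leftover]:
        alloc[m] += 1

    # Random technique within each month.
    for m, ts in months.items():
        for t in rng.sample(ts, alloc[m]):
            chosen[t["id"]] = t
    return sorted(chosen.values(), key=lambda t: t["id"])


if __name__ == "__main__":
    for size in (900, 2000, 5000, 10000):
        print(size, "units ->", sample_size(size), "to test")
    population = build_population()
    sample = select_sample(population, sample_size(len(population)),
                           seed=2024, top_value=10)
    per_month = defaultdict(int)
    for t in sample:
        per_month[t["month"]] += 1
    print("selected", len(sample), "records; per month:", dict(sorted(per_month.items())))
```

Recording the seed in the working paper lets a reviewer regenerate exactly the same selection from the same population extract.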
The audit team shall develop one or more tests to determine whether the controls identified in Working Paper 1012 “Analysis of System Risk” are (a) present and (b) operating effectively. This working paper identifies the control by the process, process step and related risk that it is intended to address, and enables the auditor to record the description of the test that will be applied, the population that the test will be applied to (e.g. purchase order, estimate of uncollectible debts, bank statement, etc.), the size of the sample to be tested, and the method of selecting the sample.
Note that there shall be one version of this working paper for each test the team develops for each control, so there shall be multiple Control Test Procedures working papers for any audit
2.8. CONTENTS OF THE FINAL PLANNING DOCUMENT
The audit planning phase ends when the Audit Plan has been fully developed. The content of the Audit Plan will vary depending on the size and complexity of the area audited, but should contain the following types of information about the audit:
Section I: Background
This section contains three elements that summarise the team’s understanding of the organisation and processes being audited. The first concerns the organisation and processes, and should read something like the following:
“The process we will audit is called <process name> and is the primary responsibility of <organisation name>. Other organisational units and external bodies involved in this process are <name of organisations>. The objective of the process is to <state objective>, and the organisation accomplishes this through <x> steps, which are conducted at the following locations <list locations>”.
The second element outlines the Law which legally empowers or obliges the organisation being audited to perform the process, noting specific sections or clauses of particular significance, and summarises any regulations or procedures that define how the objective of the process is to be achieved.
Finally, this Section includes a list of factors identified during the analysis of planning data that could have a material impact on the conduct of the audit.
Section II: Objectives
Provide a list of the results to be achieved by the audit, such as:
“To review the operation of the car pool and assess whether the systems in place provide appropriate controls over access to government vehicles and consumption of fuel and maintenance resources.”
The objective should be written so that it can be easily determined at the completion of the audit whether the objective has been achieved.
Section III: Scope
The purpose of this section is to describe what is included in the audit and also what is not. Identify the organisation units and processes that are subject to audit and the key positions that are responsible for them. Include a statement about which geographic locations of the organisation unit or process will be covered. Also describe any constraints to scope, specifically indicating any areas that will not be covered where there is any room for misunderstanding.
Indicate the place where the audit will be conducted.
Section IV: Risks
This section should summarise the audit team’s review of the risk management approach adopted by the organisation being audited and their assessment of the risks.
Section V: Audit Programme
This section describes how the team plans to achieve the audit objective and fulfill the requirements of the Internal Audit standards by presenting an audit programme which summarises the test procedures that were documented in the Control Test Procedures working papers including:
• brief description of each test and its objective;
• documents to review;
• tests to perform;
• criteria for the tests;
• size of sample; and
• method of sample selection.
This information can be provided by attaching forms 1012 and 1013, or by using a tabular presentation that consolidates the information from the forms.
TEMPLATE No 14 – Audit Programme (WP 1014)
Section VI: Resourcing
Identify the members of the team and confirm their availability, independence and qualification to participate. Specifically indicate who is responsible for quality assurance.
Indicate any special skills, e.g. IT expertise or asset valuation, that the audit will require to be sourced from outside the IAU.
Note that there is currently no requirement to develop a cost budget for each audit since there are no budget lines for internal audit. If this situation changes, the Audit Plan should include an estimate of out of pocket expenses (usually travel related) and outsourcing costs that will be incurred by the audit team.
Section VII: Schedule
This section will summarise the information from the Audit Resource Plan working paper concerning the key activities and their planned dates for completion.
Section VIII: Communication
Identify key audit entity contacts.
Describe the approach to communications that will be adopted throughout the audit including planned and ad‐hoc communications with the audit entity and any outside bodies that may be contacted for corroboration.
List the planned communication points (formal letters, scheduled meetings, draft reports, final reports) and indicate the planned date for each.
Section IX: Sign off
The Audit Team Leader should sign the Audit Plan and indicate the date it was prepared. The Audit Plan should also be approved by the Director of the IAU.
TEMPLATE No 17 – Audit Plan (WP 1017)
Part of the Audit Plan involves assigning auditors to the various audit tasks that address the audit objectives. This is important to ensure the required audit team members are available when needed and that resources are used efficiently across the IAU’s different audits.
At the beginning of the planning process the Audit Team Leader should identify the different audit tasks, such as:
• preparing for the Initial Meeting;
• conducting the Initial Meeting;
• gathering data (documentary reviews and interviews);
• analysing and documenting the data;
• identifying risks;
• developing related controls;
• planning the tests and samples;
• finalising the Audit Plan;
• conducting the fieldwork;
• evaluating results and developing findings and recommendations;
• developing the draft Audit Report;
• meetings with client;
• audit management and correspondence;
• finalising the Audit Report; and
• following up the audit.
These tasks should be entered on the Working Paper. For each of the planned tasks, the Audit Team Leader should assign team members and estimate the number of days each team member will need to complete the tasks they have been assigned.
Working Paper 1014 provides a template for capturing tasks, assigning audit team members and estimating required time (in hours or days, as preferred). The template form assumes one Team Leader (TL) and 3 other Team Members (TM2, TM3, TM4). If the plan calls for more or fewer team members, the template should be modified accordingly. Assuming there is one Team Leader and 3 other Team Members, you will use Column 1 to identify all planned tasks, Columns 2 to 5 to allocate time to each auditor and Column 11 to show when each task is planned to be completed.
Once completed and signed by the Audit Team Leader, this document should be reviewed with the Director of the IAU. The review may result in adjustments. Once the Director is satisfied with the estimate, s/he signs the working paper to approve the resource plan.
Subsequently the Audit Team Leader will use this form to track how much time is actually used by each auditor on each task and record the variance. Similarly the actual completion dates are recorded and a variance of time taken against the time planned can be noted. This will provide valuable information for monitoring the productivity of the Internal Audit Unit and for planning subsequent audits.
TEMPLATE No 15 – Audit Resource Planning and Tracking Form (WP 1015)
The Audit Plan should be updated as necessary to reflect any significant changes made during the audit.
As the Audit Team Leader assigns team members to the audit, s/he should check to ensure the assigned members are not disqualified from the audit because of conflicts of interest or lack of appropriate certification. Each assigned auditor must sign the auditor’s declaration.
TEMPLATE No 16 – Auditor’s Declaration (WP 1016)
This working paper provides the means to collect from each team member their declaration that they are not disqualified. The working paper takes the form of a questionnaire which each assigned auditor should complete prior to commencing the audit. Auditors who are disqualified from participating in any given audit should be re‐assigned.
CHAPTER 3: FIELD WORK
3.1. OVERVIEW OF ACTIVITIES ON SITE
By the end of the planning phase and after completing the detailed activity and resource planning work, the auditors will have updated the:
• permanent file;
• planning file;
• Audit Plan;
• staffing requirements, and the staff to be assigned to each component of the audit;
• budget requirements;
• timing considerations; and
• list of information to be obtained from entity officials.
The internal auditors will use this information during the fieldwork phase of the audit process to perform the audit work. In particular, the audit program selected for the audit will guide the detailed activities of the auditor.
TEMPLATE No 18 – Audit Execution Checklist (WP2001)
The fieldwork is conducted in accordance with the planned “Control Test Procedures and Results” documented in the different copies of working paper 1013.
TEMPLATE No 19 – Test Procedures – Single Step (WP 2002)
TEMPLATE No 20 – Test Procedures – Complete Process (WP 2003)
Standard 2300 ‐ Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement’s objectives.
These forms document the tests that the auditor conducts to satisfy the planned tests identified in the planned “Control Test Procedures and Results” documented in the series of Working Paper 1013’s in the Planning File. There should be one working paper 2002 or 2003 for each form 1013 and they should be cross referenced.
There are two broad types of tests:
• tests that are conducted on multiple instances of a single step in the whole process; and
• tests that follow a single event through a complete multi‐step process (sometimes called “walk through tests”).
Working Paper 2002 relates to tests that are conducted on a single process step. The auditor develops a test or question to determine whether the expected control (from working paper 1013) is present and working effectively and documents the question on working paper 2002. The auditor then indicates which sampling units were selected, and documents the result of the test.
When the test has been conducted on each item in the sample, the auditor concludes as to whether the evidence shows the expected control is present and whether it is working effectively. Generally it is not necessary for the control to have been properly executed on every single transaction tested. Often the auditor can accept up to 2 failures without considering the control to have completely failed. This process is repeated for all the controls that are to be tested.
Working Paper 2003 illustrates the approach where the auditor is testing a transaction through all steps of the process. The form is designed so that all tests are documented on the same form, rather than using a separate form for each test.
Each working paper should be initialed and dated by the auditor who conducted the test procedure, and verified, signed and dated by the Audit Team Leader.
3.1.1. TESTS FOR SYSTEMS AND COMPLIANCE AUDITS
When conducting the audit work on site, the internal auditor must gather sufficient, convincing, appropriate and reliable evidence to determine whether the management and control systems in place are operating as described and whether they are adequate to ensure the regularity of expenditure and the accuracy and completeness of financial and other information.
Internal auditors should check that there is a complete audit trail for all transactions, and that there are mechanisms to keep the audit trail up to date.
Procedures to be carried out are:
• evaluating systems documentation by reviewing files, supplemented where necessary by interviewing relevant staff; and
• testing the operation of those systems by examining a sample of transactions.
Sufficient testing should be carried out to enable the audit team to reach sound conclusions about the effectiveness of the systems under examination. The tests will address the audit objectives that were discussed in the previous chapter. The content of each audit may be adjusted by the auditor to take account of any divergence between the actual control environment encountered during the audit and the control environment that was envisioned during the audit planning stage that was discussed in the previous chapters.
3.1.2. TESTS FOR FINANCIAL AUDIT
Financial audits are concerned with validating the contents of the organisation’s financial reports. Tests of systems are supplemented by tests designed to substantiate reported amounts. These are referred to as “substantive tests”, and include techniques like analytical review and tests of transactions and balances.
The objective of a financial audit is to state an opinion as to whether the figures in the financial statements are free from material misstatement, specifically in respect of the criteria noted in the table below.
| Criterion | Nature and example of a substantive test |
|---|---|
| Valuation | A check that assets and other items are recorded at the correct value in financial records. For example, a substantive test may check that the sale or purchase of an asset is recorded at the correct value in the accounting system by checking the original invoice or sale note. |
| Existence | A check that assets and other items recorded in the financial statements actually exist. These substantive tests may involve the physical verification of existence through confirmation by the custodian of the assets, or actually inspecting the asset. |
| Ownership | A check that assets recorded are actually owned or legally used by the audited body. For example, a substantive test may involve checking that the audited body has a valid lease for premises used. |
| Proper period | A check that a transaction is recorded in proper period. For example a purchase transaction may be recorded on December 30, where in fact the title to the related asset did not pass over until January 2 the following year. |
| Quality (accuracy and completeness) of inputs and outputs | A check that inputs and outputs are of an appropriate quality. For example, for inputs we could check that the accounting system has input controls built in, to ensure completeness and integrity control of data. For outputs, we could check that the system applies process controls to ensure that reporting is complete and correct. |
Typical substantive tests for financial audits:
• Analysing balances by obtaining related general ledger account breakdowns;
• Reconciling general ledger summary amounts to related sub‐ledgers;
• Testing detailed transactions from ledgers against related base documents for proper recording, accuracy, cut off and valuation;
• Obtaining balance confirmations from third parties;
• Inspecting assets to verify the existence and value of the items recorded in ledgers;
• Performing two‐way tests of the complete recording of assets, consisting of: selecting assets from the ledger to test their existence and also tracing physical assets back to the general ledger;
• Checking ownership documents of assets recorded in ledgers; and
• Re‐calculating accruals and management estimates (e.g. bad debt provisions).
Tests of controls in financial audits are limited to controls in related accounting and reporting functions and often also include coverage of IT controls that relate to those functions.
3.1.3. TESTS FOR PERFORMANCE AUDITS
Performance audits extend beyond the traditional audit domain to include a review of the management of operational units where performance is achieved and value is created.
Performance audits provide reasonable assurance about the reliability and integrity of the organisation reporting structure, and the performance of programs, services, activities, and functions, and include recommendations for improvements.
Performance audits are concerned with the economy, efficiency and effectiveness of operational units. Because each operating unit has different objectives, organisation structure and processes, each audit will have to be defined specifically for each operating unit.
A typical performance audit requires the auditor to:
• consider the environment in which an organization operates by gathering information about local, regional, global and sector trends, competitors' strategies, etc.;
• ascertain the best practice for similar activities/process;
• understand management's strategies and how they manage their organisations to achieve performance goals. Understanding management's focus allows auditors to better understand potential business risks and the effectiveness of strategic measures to identify and mitigate those risks;
• assess financial and non‐financial performance, by considering such issues as:
o customer satisfaction;
o cost‐benefit and cost‐effectiveness;
o quality;
o quantity;
o economy;
o achievement of mission;
o measurement of achievement of the organisation’s designated outputs/outcomes;
o return on investment;
o financial condition; and
o timeliness.
• analyse the information against relevant benchmarks to fulfil the objectives that were defined for the specific audit.
Performance audit approaches and example of items to be considered:
• Approach focusing on economy (inputs)
The auditor should consider:
o whether inputs are suitable and obtained for the lowest price;
o variances between budget and actual financial performance;
o to what extent all resources have been used; and
o whether the value chain has been optimized.
• Approach focusing on efficiency (processes)
The auditor should consider whether:
o results could be achieved for lower cost;
o there are bottlenecks in the process that could be avoided;
o duties are properly segregated without overlaps;
o different units that are working to reach the same target are cooperating effectively; and
o there are any incentives to motivate employees to minimise expenses or maximise revenues.
• Approach focusing on effectiveness (outcomes)
The auditor should consider whether:
o operational targets are achieved according to schedule;
o outcomes are properly defined;
o clients or beneficiaries are satisfied with the outcome; and
o the outcome achieved will meet clients’ or beneficiaries’ needs.
3.1.4. TESTS FOR IT AUDITS
Information Technology (IT) has an increasingly important role in the management of organizations and the internal auditors must focus on evaluating IT systems, regardless of their complexity.
Information Technology (IT) may be used for tracking financial and accounting information as well as for tracking operational information, related to business‐specific activities, processes, etc.
When conducting an audit of the IT environment internal auditors must bear in mind that the principal goals of IT systems are to:
• store sufficient trustworthy data and information to support effective control; and
• provide timely information to management to help them achieve the goals of the organization.
IT systems have various characteristics that can be used to formulate objectives. Some examples are given in the following table.
| Information system characteristics | Objectives of the audit |
|---|---|
| Content | Does the information system contain all the information required? |
| Deadline | Can the information be obtained at the moment desired? |
| Updating | Is the most recent information available? |
| Integrity of data | Is the information contained in the information system complete and accurate? |
| Accessibility | Are interested parties able to obtain this information easily and is it protected against unauthorized access? |
| Archiving | Is a regular archive of data compiled according to a schedule and what are the rules of access to archived files? |
| Clarity | Is the information easy to use? |
In conducting IT audits, generally IT specialists should be included in the audit team. In principle, the IT audit follows a similar process to a systems audit, described earlier.
The evaluation of the IT system relates to the adequacy and performance of the IT systems to meet management needs, and its contribution to achieving the goals of the organization and to the effectiveness of the financial management and control systems.
Testing general computer controls
If audited management systems are strongly supported by information technology and internal controls are mainly automated or significantly dependent on information systems and technology, the internal auditor should assess the general computer controls to ensure that they are continuous and effective. General computer controls address four broad areas:
• Development and implementation: To ensure that systems are developed, configured and implemented to meet financial, operational and compliance objectives.
• Maintenance: To ensure that modified systems continue to meet financial, operational and compliance business objectives.
• Computer operations: To ensure that production systems are implemented as approved and that production problems are quickly identified and corrected.
• Security: There are two aspects to security: the physical environment of the system and its components, and ensuring that access to system resources and data is authenticated and authorised.
The internal auditor has to develop an understanding of the organisation’s processes so as to determine the relevant computer environments and systems to be reviewed. There may be more than one environment or system, depending on the technical complexity of the entity being audited.
The specific controls within each of the above areas are normally a mix of manual and automated controls. For example, controls ensuring appropriate security within an information system consist of automated controls that restrict users’ access to system utilities. However, the functionality and effectiveness of these automated controls is dependent on manual controls to ensure that the users’ capabilities properly reflect their responsibilities and needs.
The internal auditor does not need to have special technical skills to evaluate many of the general management computer controls. Nevertheless, the auditor should have sufficient understanding of the IT process, system or program to identify, assess and test controls over systems development and implementation, while some of the automated controls over system operations will need to be tested by IT specialists, especially when assessing security of access to the systems and data. The IT specialist will be required to test the program’s automated controls, examine the source code, and review the change control procedures including version controls.
Each of the areas referred to above should be addressed. However, the nature and extent of testing of general computer controls will depend on a number of factors:
• complexity of the environment and controls;
• breadth of coverage that a control provides;
• extent to which a control provides assurance over a particular automated process;
• extent of risk and the assurance required;
• extent of change to systems; and
• the effectiveness of the management of the entity’s information systems and technology activities.
Gathering information for the IT audit
Key contacts for the auditor conducting IT audit are:
• IT director or head of the IT department;
• managers from individual IT sub‐departments/sections;
• IT staff;
• users; and
• consultants, and other external providers of IT services.
Key information needed for planning the IT audit includes:
• IT organization (role, responsibilities, reporting);
• list of key systems/applications and their business purpose;
• complexity of the IT environment;
• IT strategy, changes already running and planned;
• existence of security and operational standards and procedures; and
• existence of standards and procedures for management of changes to the systems and development activities.
3.2. TESTING AND RELATED DOCUMENTATION
A key element of the internal audit is examining whether management and control systems are operating effectively at all relevant levels. This involves documenting relevant systems (including appropriate information from the audit trail), together with testing controls to examine whether the systems are actually operating as described and are effective.
Tests of controls should include checks that management and control systems are operating consistently and effectively. Tests should be carried out on a sample of transactions selected for the audit. Where the effectiveness of the management and control system is likely to vary (for example where different staff are responsible for applying the same checks on different transaction streams), the auditor should ensure that the sample is representative of these possible differences. It is important during tests of controls to identify the reasons for any errors and omissions identified as they might indicate weaknesses in management and control systems.
The previous Chapter described how the audit team plans for sample‐based tests of controls. The resulting plan guides the audit team as to what tests to apply and how many items are required to make a valid sample.
In the fieldwork phase, the audit team needs to fulfil the following steps:
• select the sample;
• test the sample items;
• evaluate the sample results; and
• document the sampling procedure.
These steps are discussed below:
Select the sample
The audit team needs to select the number of sampling items determined in the planning phase. Samples can be selected statistically or non‐statistically. The difference between these two approaches is the method of selecting the sample items. The planning requirements remain the same, as does the evaluation process.
There are two basic sample selection rules:
1. the sample conclusion only applies to the population from which it is selected; and
2. the sample should be representative of the population from which it is selected.
Rule 1 affects how the auditor defines the population from which the sample is to be drawn. This rule applies equally to statistical and non‐statistical sampling and requires the auditor to define the population carefully. For example, if the auditor wants to rely on an internal control for the entire year, then the population must include all transactions for the whole year. A common mistake by auditors is to simplify sampling by selecting a sample of transactions from only one month. The result of this approach is that the auditor’s conclusion only applies to that one month ‐ the auditor does not have any assurance with respect to the other 11 months.
Rule 2 relates to how specific items in the population are selected into the sample. The auditor has a better chance of complying with Rule 2 with a statistical sample than with a non‐statistical sample. When using a non‐statistical sample, though, the auditor should strive to ensure that his/her sample is as representative of the population as possible.
There are several sample selection methods that are very good at ensuring that the sample is representative of the population from which it is selected, as follows:
Random; Fixed interval (systematic); Cell (random selection); and Stratified random.
These methods are described in the following sections. For non‐statistical sampling, the objective is to try to approximate one of these methods.
- RANDOM SELECTION
Random selection involves numbering all of the items in the population and then using a random number table or software programme to select random numbers for each item in the sample. So if the planned sample size is 200, then the audit team will need to generate 200 random numbers that correspond to a unique reference number on each item in the population (e.g. invoice number, purchase order number or employee number). The auditor then identifies the sampling unit that corresponds to each number.
This method is difficult to use unless the sampling units are already pre‐numbered such as pre‐numbered sales invoices, or can easily be numbered (30 supplier invoices per page and the pages are numbered, for example).
- FIXED INTERVAL (SYSTEMATIC) SELECTION
This method involves choosing a random starting point and then selecting every nth item. It requires the auditor to have a good idea of the total number of items in the population. For example, if the auditor knows that there are 30,000 invoices in the population and needs to draw a sample of 200, then s/he could select every 150th supplier invoice (calculated by dividing the population size, 30,000, by the sample size, 200). The random start would be a number between 1 and 150. If, say, the auditor picked a random start of 50, s/he would select the 50th item, the 200th item, the 350th item, etc.
- CELL (RANDOM INTERVAL) SELECTION
This method essentially combines the previous two methods. The auditor divides the population into cells and then picks a random item from within each cell. In our example, the first cell would contain the first 150 items, the second cell items 151 to 300, the third cell items 301 to 450, etc.
- STRATIFIED RANDOM SELECTION
Some automated audit (CAATS) tools may offer a fourth method ‐ stratified random sampling. Using this approach, the population is first stratified based on monetary ranges, type of transaction, etc., and then a random sample is drawn from each range. This could be used, for example, to weight an attribute sample to the larger value items or specific expenditure types, or to ensure that at least one sample item is drawn from each expenditure type.
- NON‐STATISTICAL SELECTION
The auditor can use judgment to select a sample in a way that approximates one of the methods described above. If done with care, this can be an acceptable way to select a sample. However, it is prudent to increase the sample size by 20 to 50 percent to compensate for the fact that the sample may not be truly representative. The size of the increase depends on how close the auditors believe they are to approximating a statistical sample.
Test the Sample Items
In this step, the audit team applies the tests that were developed during the planning stage to each of the sampled transactions, taking care to fully document any sample items in which a deviation is found. Sampling items containing deviations must be clearly identified so they can be retrieved at a later stage if further investigation or validation of the deviation is required.
Evaluate the Sample Results
The audit team will tabulate the results of the tests of controls, essentially recording each deviation that has been identified.
If the actual number of deviations found in the sample exceeds the acceptable number of deviations identified in the planning stage, then the results are unacceptable and the control will be considered not to be working correctly.
In these circumstances the audit team may consider increasing the sample size to see if the deviations continue to occur at the same rate. In general though, the control will be considered to have failed and the audit team should determine how and why it failed, and develop a recommendation to management for improving its future reliability.
This approach applies equally whether statistical or non‐statistical methods have been used to select the sample.
Document the sampling procedure
It is important that the audit team can demonstrate that they followed good practice in arriving at their conclusions concerning the reliability of the controls, and that they can show the data on which the conclusions are based. Therefore the audit file must be updated with a complete description of the procedures used for sampling and testing as well as the results and draft recommendations.
Working paper 1013, which originates in the planning phase, is also used to capture the results of each test when the tests are performed in Phase 2, Fieldwork. In this phase we add information about the actual units included in the sample, the results of the test, the causes of any failures and the impact on the organization, which leads to the auditor’s development of conclusions and preliminary recommendations.
Each working paper should be initialed and dated by the auditor who conducted the test procedure, and verified, signed and dated by the Audit Team Leader.
Note that the Audit Resource Planning & Tracking Form (Working Paper 1015) should be completed for the Fieldwork tasks by the Audit Team Leader to track how much time was actually used compared with the plan, and to record any variance.
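The four selection methods and the evaluation rule described in this section, as an added Python example that is not part of the manual; it uses the manual's figures (30,000 invoices, a sample of 200, an interval of 150, up to 2 accepted deviations). The invoice population, its field names, the approval control being tested and all function names are constructed for illustration.

```python
import random
from collections import defaultdict


def build_population(size=30_000, seed=1):
    """Constructed sample data: invoices numbered 1..size, in ledger order."""
    rng = random.Random(seed)
    kinds = ["goods", "services", "capital"]
    return [
        {
            "ref": ref,
            "type": rng.choice(kinds),
            "amount": round(rng.uniform(10, 50_000), 2),
            "approved": rng.random() > 0.01,  # roughly 1% lack an approval
        }
        for ref in range(1, size + 1)
    ]


def random_selection(population, n, rng):
    """Random selection: n distinct items, each equally likely."""
    return sorted(rng.sample(population, n), key=lambda item: item["ref"])


def fixed_interval_selection(population, n, rng, start=None):
    """Fixed interval: random start in 1..interval, then every interval-th item."""
    interval = len(population) // n
    if interval < 1:
        raise ValueError("sample size exceeds population size")
    if start is None:
        start = rng.randint(1, interval)
    positions = range(start, len(population) + 1, interval)  # 1-based positions
    return [population[pos - 1] for pos in positions][:n]


def cell_selection(population, n, rng):
    """Cell selection: split into n cells of equal width, one random item per cell."""
    interval = len(population) // n
    if interval < 1:
        raise ValueError("sample size exceeds population size")
    picks = []
    for cell in range(n):
        low = cell * interval
        # The last cell absorbs any remainder so that no item is excluded.
        high = len(population) if cell == n - 1 else low + interval
        picks.append(population[rng.randrange(low, high)])
    return picks


def stratified_random_selection(population, n, rng, key):
    """Stratified random: proportional share per stratum, at least one from each."""
    strata = defaultdict(list)
    for item in population:
        strata[key(item)].append(item)
    picks = []
    for name in sorted(strata):
        members = strata[name]
        quota = max(1, round(n * len(members) / len(population)))
        picks.extend(rng.sample(members, min(quota, len(members))))
    return picks  # rounding can make the total differ slightly from n


def evaluate_sample(sample, control_test, acceptable_deviations):
    """Apply the control test to every item and compare deviations with the limit."""
    deviations = [item["ref"] for item in sample if not control_test(item)]
    return {
        "items_tested": len(sample),
        "deviation_refs": deviations,  # kept so the items can be retrieved later
        "acceptable_deviations": acceptable_deviations,
        "control_effective": len(deviations) <= acceptable_deviations,
    }


def run_example(seed=2024):
    """Select 200 of 30,000 invoices by fixed interval and test an approval control."""
    population = build_population()
    rng = random.Random(seed)  # record the seed so the selection can be reproduced
    sample = fixed_interval_selection(population, 200, rng)
    result = evaluate_sample(sample, lambda inv: inv["approved"], acceptable_deviations=2)
    result.update(method="fixed interval", seed=seed, population_size=len(population))
    return result


if __name__ == "__main__":
    print(run_example())
```

Recording the method, seed and population size alongside the deviation references gives a reviewer what is needed to re-draw the same sample and retrieve the failing items.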
3.3. AUDIT EVIDENCE AND WORKING PAPERS
The purpose of performing the audit engagement is to gather audit evidence for use in supporting the facts, conclusions, and findings that will be contained in the audit report.
Auditors should base findings and conclusions on adequate evidence. The evidence should be retained in the audit working papers.
Working papers need to be prepared, organised, and summarised in sufficient detail and with sufficient care to enable the work to be reviewed, judged, and understood by persons independent of the audit.
Examples of typical evidence for different types of audit are given below. How much and what type of audit evidence should be gathered and recorded in the Current File is a matter for the auditors’ judgment and case by case decisions by the audit team leader.
Systems and compliance audit
• audit trail descriptions (flow charts or other representations);
• detailed audit trail descriptions for the accounting and reporting functions;
• official documents establishing the mandate of the organizational unit under review and the responsibilities associated with organisational positions with respect to operational processes, together with evidence that these documents have been analysed by the auditors and their conclusions;
• laws and regulations that govern the process under audit review as well as evidence that the key conditions have been audited and the related conclusions;
• record of the tests of key controls in the systems;
• working papers relating to IT systems and controls;
• interview scripts;
• working papers documenting physical observations (e.g. work sites, training courses, IT tests being carried out, bank transfer being performed etc.); and
• risk‐control work sheets.
Financial audit
• report on which the audit report/assurance is given (e.g. expenditure declaration);
• ledger print‐out of the reported items;
• written balance confirmations received from third parties (e.g. suppliers’ confirmation of works delivered and payments received related to their invoices);
• bank statements;
• reconciliations performed by staff and reviewed by management;
• working papers to document tests of control or substantive tests;
• interview scripts;
• contracts; and
• recalculations of management estimates and contingent amounts (e.g. accruals and bad debt estimates) and related supporting evidence (e.g. possible court cases).
The organization, design, and content of audit working papers will depend on the nature of the audit. In general, working papers for an audit should document all aspects of the audit process.
Working papers for compliance audits are prepared in a table format, where the first column is prepared at the planning stage and the following columns are filled in during the field work stage.
Compliance requirement | Planned control/measure | Description of the actual control/measure | Test results of actual controls | Comments and conclusions
Regulation …. | Usually taken from procedure manuals | Filled in the course of field work when observing controls in practice, interviewing staff or testing IT systems | 3 times out of the test of 10 transactions, the control was not working as intended | To be reported for improvement
Minimum requirements for a substantive test working paper
In the case of substantive testing the auditor seeks assurance that transactions are:
• properly valued;
• accurately calculated and recorded;
• recorded in proper period;
• properly recorded from ownership point of view;
• properly categorized and reported;
• recorded completely (i.e. no transactions are omitted).
Accordingly the working paper should reflect:
• the description and purpose of the test;
• reconciliation with the (summary) account in which the transaction under review is recorded;
• the reconciliation with the summary account and the related report line where the summary account is reported;
• details of the base document that relates to the transaction under review (e.g. bank statement, invoice) to enable re‐performance of the audit test;
• dates as of which the accounts are prepared;
• the period in question for income statement accounts;
• sample selection methods and extent of the sample (how many transactions were selected);
• if errors are noted, reasons for them (failure of planned control, human or system error or other); and
• conclusion (incl. about potential irregularity).
Minimum requirements for test of control working paper
For tests of controls, working papers should note:
• description and purpose of the test;
• description of the control(s);
• if the key control mitigates more than 1 risk, an explanation of what risks it mitigates;
• details of the transactions selected for testing (e.g. invoice details);
• reasons for control failure (if any); and
• conclusion as to whether or not a control failure is systematic, or whether it is an isolated irregularity.
Minimum requirements for systems audit working paper
A systems audit aims to check that systems or processes are working as intended to achieve the objectives of a government programme. In this type of audit, the auditor may:
• work with each system or process individually; or
• review all components of a vertically or horizontally integrated process in a single step.
The working papers for analysing systems should include:
• a flowchart depicting the elements and actors in the process and the information flow (documents, databases, reports, decisions);
• a table associating risks and related controls with the elements in the process (based on risk assessment and procedure manuals);
• selected tests of the controls;
• notes of interviews with key staff involved in the process;
• analyses of the organizational structure, roles and responsibilities, and the segregation of duties in the process vis a vis other related processes (e.g. procurement versus payment); and
• the legal basis that provides a sufficient and proper mandate for those involved in the process.
CHAPTER 4: REPORTING AND AUDIT CLOSURE
Internal Audit Standards provide guidance on the internal auditor’s responsibilities for reporting the results of audit.
The purpose of a report is to communicate. If it does not achieve communication, it has no value. The best field work and the most brilliant analyses are useless unless they are communicated ‐ meaning that the information about findings and recommended actions should be received and understood by an audience who can implement the recommendations.
In seeking to communicate, internal auditors must remember their principal objectives: (1) to provide useful and timely information, both oral and written, on significant matters; and (2) to promote improvements in control and performance of organisation operations.
Communication must be objective, clear, concise, timely, and constructive.
The Audit Team leader will have maintained open channels of communication with the senior management of the organization or process being reviewed to keep them informed of the audit progress and any significant findings during the fieldwork phase. The Reporting phase follows completion of the fieldwork and formalizes the submission of findings to management in a Draft Audit Report. Management’s responses are incorporated into the Final Audit Report.
Standard 2400 ‐ Internal auditors should communicate the engagement results.
Standard 2410 ‐ Communications should include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans.
It is essential that the audit report communicates the outcomes of the audit with clarity. Further, it should be remembered that management will judge the quality of the audit by the report they receive, as to them it is the result of the auditor’s work.
4.1. CLASSIFYING FINDINGS AND CREATING OVERALL AUDIT CONCLUSIONS
The first reporting working paper, number 3001, is used by the Audit Team Leader to provide a link between the results of the audit tests that were performed during Fieldwork and the contents of the Draft Audit Report.
The Audit Team Leader records, for each test conducted during the fieldwork (referenced to the relevant working paper), whether the test revealed a negative finding and led to a recommendation for improvement (indicated by a simple Yes or No response). For each test where there was a negative conclusion, the Audit Team leader should also indicate whether that conclusion and the related recommendation have been carried into the Draft Audit Report.
In general, the Audit Report should focus on significant findings that suggest systemic problems that expose the organization to a risk. Individual errors, if they are not symptomatic of a systemic weakness, generally are not included in the report. Again, the Audit Team leader indicates with a Yes or No response whether the finding and recommendation have been carried into the Draft Audit Report. The Audit Team leader must justify any instance where s/he has decided not to include a finding in the report.
When the internal auditors find an error or problem they should follow these steps:
• analyze the error to see if it is the result of a systemic failure;
• understand the root cause of the error;
• if there is no preventive control to stop a similar error from recurring, it can be concluded that the error might be systemic and the audit risk increases ‐ to mitigate the increased audit risk, the sample size should be increased accordingly (to be decided by audit team leader); and
• if there are preventive controls in place, the error will be repeated only as a result of a similar human error (assuming the detected exception was caused by human error) or as a co‐incidence, and no increase in the audit sample is required.
Every finding in the working papers should have a documented decision on the systemic nature and any further tests made. The internal auditor should report all violations and events of non‐compliance with the Internal Audit Law to the Audit committee.
Classifying findings
Internal auditors must be able to defend the seriousness with which they regard a finding. While analysing the finding, the auditor should answer the following:
• What is the effect of the issue on the organisation?
• How significant is the problem?
• What is the cause of the problem?
• Who is responsible for the problem?
• Was an existing control violated?
• Was there no control in existence?
• Was there an illegal action? Is it an irregularity? Violations of laws, rules, etc? Fraud?
• Can the situation be corrected?
• Is physical safety involved?
• Did management identify the issue prior to the audit? If so, what are the plans to correct the issue?
Once the issue is fully understood, the audit team should consider:
Should corrective action be taken?
• Is it an isolated incident?
• Will existing controls usually preclude the problem?
• Are there any mitigating controls in place?
• Do existing instructions need to be clarified or amplified?
• Is it a control weakness?
• Is a systems change needed?
• Has a cost‐benefit action been undertaken?
How should corrective action be undertaken?
• By whom?
• When?
The audit team should ensure that supporting evidence for identified findings is carefully assembled to provide:
• Assurance of the existence of the findings
• Information concerning the materiality of the findings
• Information to give management an adequate basis for action.
The auditor should work with the auditee’s management team to ensure the best solution to the issue is recommended. When documenting the findings, auditors must carefully consider how they will look in the final audit report. A well‐documented finding will make it unnecessary to write two separate findings ‐ one for the working papers and, later, one for the audit report.
4.2. CROSS‐REFERENCING THE FINDINGS
In internal auditing it is important that:
• all the important findings (reportable issues or significant issues) are reported ‐ it would be a major failure on the auditor’s part if management is not informed of a risk and subsequently the risk is realised and the organisation suffers damage; and
• all findings are based on work done and supported by documented objective audit evidence and are not the unsubstantiated opinion of the auditor.
The Audit Team Leader can address these 2 requirements by:
• reviewing all the findings in the working paper for relevance and to ensure they are supported by sufficient evidence that is documented in the working papers;
• ensuring the working papers are cross referenced to the draft report (preferably using red annotations if done on paper format, or using Track Changes if using electronic format); and
• ensuring all findings in the draft report are referenced back to the working papers (using the same technique as described above).
Any discrepancies found must be discussed with the team and corrected, i.e. unjustified issues should be deleted from the report, and issues noted in the working papers but not reported must be added. The auditor should not rely on verbal reporting and must ensure all relevant material issues are included in the written reports.
4.3. STRUCTURE OF THE INTERNAL AUDIT REPORT
The Audit Team Leader should prepare the Draft Audit Report based on the work that has been documented in the working papers. This report confirms the objectives and scope of the audit, presents the findings, and most importantly, presents the audit team’s conclusions and recommendations for improvement. The sample Draft Audit Report template provides guidance as to the content of the report. It is important that the report is written clearly and crisply so that the reader can quickly grasp what the audit team discovered and what remedial actions are required.
At the draft stage, the purpose of the report is to provide management with a formal statement of findings and recommendations so that management can consider them and decide whether to accept the recommendations, suggest an alternative remedy or reject the recommendation. Until management has responded, there can be no Action Plan component, so this element of the report template is left blank at this stage.
Although the format and content of the audit communication would vary by organisation and the type of audit, the following general format is suggested:
EXECUTIVE SUMMARY
The executive summary should present an overview of the objectives and scope of the audit, and the main findings, conclusions and recommendations which identify the main areas to be addressed by the auditee. The summary findings should be cross‐referenced to the detailed findings. The conclusion should set out the opinion of the auditor regarding the related findings. The executive summary should also include an audit rating.
The following table outlines the four potential audit ratings that can be given, together with descriptions of the associated level of concern for consideration by top management and the Audit Committee:
Assessment | Description | Level of Concern
1 – Adequate | No significant findings. An appropriate control framework is in place given the risks of the area of activities | None or limited
2 – Needs Improvement | Significant findings have been noted in certain detailed control activities although overall an appropriate control framework is in place | Room for improvement
3 – Needs Significant Improvement | Significant control weaknesses have been noted which may subject the management to material exposure*. Although certain mitigating controls are in place, significant improvements are required to adequately safeguard against such exposure. | Cause for concern
4 – Inadequate | Significant control weaknesses have been noted which may subject the management to material exposure*. Inadequate (or no) mitigating controls are in place. Immediate corrective actions are required to adequately safeguard against exposure. | Cause for considerable concern
*"Material Exposure" is defined as any circumstance, or set of circumstances, which could lead to material or significant: financial loss, reputation harm, legal exposure, information systems problems, regulatory or compliance risk, or delays in the attainment of stated government objectives in the area.
1. INTRODUCTION
The Introduction may include background information such as identifying the organisational units and activities reviewed and provide relevant explanatory information.
2. PURPOSE AND SCOPE OF THE AUDIT
Purpose statements should describe the audit objectives and inform the reader why the audit was conducted and what it was expected to achieve.
Scope statements should identify the activities that were reviewed and should include supportive information such as the time period reviewed. Related activities not reviewed should be identified if necessary to delineate the boundaries of the audit.
The nature and extent of audit work performed also should be described.
3. RESULTS
Results should include findings, conclusions, recommendations, and action plan.
3.1. FINDINGS
Findings are statements of fact. Only those findings that are necessary to support or prevent misunderstanding of the internal auditor’s conclusions and recommendations should be included in the final audit communications. Less significant observations or recommendations may be communicated verbally or in memoranda to management.
Findings and recommendations emerge by a process of comparing what should be with what is the actual practice. This process of comparison provides the internal auditor with a foundation on which to build the report.
Findings and recommendations should be based on the following attributes:
Criteria: The standards, measures, or expectations used in making an evaluation and/or verification (what should exist).
Condition: The factual evidence that the internal auditor found in the course of the examination (what does exist).
Cause: The reason for the difference between the expected and actual conditions (why the difference exists).
Effect: The risk or exposure the organisation or others encounter because the condition is not the same as the criteria (the impact of the difference). In determining the degree of risk or exposure, internal auditors should consider the effect their audit findings and recommendations may have on the organization’s operations.
3.2. CONCLUSIONS
Conclusions are the internal auditor’s evaluations of the effects of the findings on the activities reviewed. Conclusions should be clearly identified as such.
Conclusions may encompass the entire scope of an audit or specific aspects. They may cover, but are not limited to, whether the organisation’s objectives and goals are being met, and whether the activity under review is functioning as intended.
3.3. RECOMMENDATIONS
Recommendations are based on the internal auditor’s findings and conclusions. They call on management to act to correct existing conditions or improve operations.
Recommendations may suggest approaches to correcting or enhancing performance as a guide for management in achieving desired results. Recommendations may be general or specific.
Classifying findings
• A significant issue (major importance) will prevent a significant objective of an operation from being achieved. It doesn't matter how large or small the operation is as long as the issue identified is significant to that operation. These issues will be highlighted in the report for the attention of the management of the organisation. All irregularities belong to this group.
• A reportable issue (medium importance) is one that warrants reporting because its adverse effect will not be halted until it is corrected.
• An observation (minor importance) is a random error that should be corrected, but which may not warrant inclusion in a formal audit report.
4. ACTION PLAN
The internal auditor should try to obtain agreement with management on the results of the audit and on a plan of action to improve operations, as needed. Management responses should include specific actions to be taken, the person(s) responsible for the corrective action, a timetable for completion and expected results.
If the internal auditor and the management do not agree on the audit results, the communications may state both positions and the reasons for the disagreement. Management’s written comments may be included as an appendix to the audit report.
A table summarizing the main findings, conclusions and recommendations should also form part of the report.
TEMPLATE No 21 – Audit Report (WP 3001)
At the Draft stage, the purpose of the report is to provide management with a formal statement of findings and recommendations so that management can consider them and decide whether to accept the recommendations, suggest an alternative remedy or reject the recommendation altogether. Until management has responded, there can be no Action Plan component, so this element of the report template is left blank at the draft stage.
The Draft Audit Report should be signed by the Audit Team Leader and formally presented, with a transmittal letter, to the management of the organization unit or process being reviewed, with a copy to the Director of the IAU, for their review and approval. The transmittal letter should explain the purpose of the Draft Audit Report and outline the response that the audit team is expecting. A date by which the response is required should also be indicated.
The “Findings for the Audit Report” form tracks, in a tabular format, how each of the findings presented in the Draft Audit Report has been dealt with. The findings are presented in groups that represent their importance (as they should have been in the Draft Audit Report), and the form tracks for each finding what recommendations the audit report provided to management, management’s response to the recommendation, and finally, an action item for the audit team to follow up management’s response at a later date.
This working paper tracks management’s responses to the Draft Audit Report and is included as an Annex to the Final Audit Report.
TEMPLATE No 22 – Findings for the Audit Report (WP 3002)
During meetings with management to follow up the Draft Audit Report, the Audit Team Leader will ask management to submit an Action Plan for implementing the recommendations that have been agreed. Management should be asked to present the Action Plan in a form similar to the suggested format shown in Working Paper 3003, Management’s Action Plan. The Action Plan should be signed by the official who will be responsible for implementing the recommendations. It provides the record of what actions management has committed to, and the basis against which the audit team can subsequently review progress.
TEMPLATE No 23 – Management Action Plan (WP 3003)
Following meetings with management to discuss the findings and recommendations and to agree upon management’s Action Plan, the Audit Team Leader can finalise the Audit Report, appending working papers 3002 and 3003 as annexes.
Each section from the Audit Report is written for use by a different level of management. The Audit Team Leader has to use the Distribution sheet to decide which section would be most useful for each person on the list.
TEMPLATE No 24 – Distribution sheet (WP 3004) and EXAMPLE No 5 – Distribution sheet
Other formatting standards
Tense:
• When describing the internal audit work performed, the past tense should be used. For example:
o “We have completed our internal audit of XXXX processes and controls”
o “The scope of our review included”
o “We examined a selection of XXXXX”
o “Our review focused on the processes utilized by XXXX”
• When describing the operations of the auditee, the present tense should be used:
o “The Accounting Department supports the process by…..”
o “Based upon the results of our review, controls over the XXXX are adequate.”
• When drafting recommendations, an imperative sentence should be used. The recommendations should always begin with an action verb:
o “Establish monthly reporting requirements.”
o “Develop and implement formal procedures for XXX.”
o “Document, review and approve manual adjustments.”
Standard practices:
• Specific quarters can be abbreviated using the quarter number and the year (e.g. Q1/09).
• Specific dates can be abbreviated using the dd/mm/yy format. For example, November 15, 1998 can be abbreviated as 15/11/98.
• No individual’s name should be mentioned in audit reports.
• All acronyms should be spelled out the first time they appear in the report.
• The standard currency should be €.
• Management responses should be italicized.
4.4. OVERVIEW OF THE REPORTING PROCESS
[Figure: timeline of the reporting process. End of fieldwork / closing meeting → 10 working days (2 weeks) → Draft report → 2 weeks → Management responses → 1 week → Final report]
The main purpose of the Audit Report is to inform the CAO/management of the results of the audit to:
• give an assessment of the condition of the audited process by expressing an independent and objective opinion on the effectiveness of control procedures concerning lawfulness, financial management and transparency; and
• provide recommendations for improving the financial management and control systems to remedy any errors, weaknesses and irregularities identified by the audit.
The Draft Audit Report should be:
• Prepared by the audit team members.
• Reviewed by the Audit Team Leader subsequent to the completion of fieldwork.
• After the review, the overall rating should be discussed with the Director of the IAU.
A Closing Meeting should be held:
• Within 10 working days from end of the fieldwork, the draft report should be submitted to management to obtain their responses to the recommendations;
• Management should be allowed ten working days to complete their responses; if within 10 days there is no management response, then the draft report shall be finalized and sent to management, highlighting that the management agrees with the recommendations;
• Once all management responses have been obtained, the report must be reviewed by the Audit Team Leader; and
• Any factual errors noted by management should be corrected and statements that lacked sufficient supporting evidence in the draft report should be deleted. However, the internal audit team should stick with its findings and recommendations where there is sufficient evidence and analysis and should not allow themselves to be pressured by management into releasing an inappropriate audit report.
The Final Report should be compiled by audit team members and reviewed by the Audit Team Leader.
The Director of the Internal Audit Unit should sign the final report and send it to the budget organisation management.
One original of the final report should be filed in the Internal Audit Reports file in the IAU and one copy submitted to the Audit Committee.
Other reports
In addition to the individual audit reports, the IAU should also report quarterly to senior management to summarise new findings made during the quarter and the status of findings from previous quarters/periods to facilitate monitoring of critical findings and their corrective actions. The follow‐up database should be used to assist in preparing these interim reports.
Annual report
The annual activity report describes not only the work done, but also explains how the internal audit unit itself has developed. It is advisable to agree the internal audit objectives at the beginning of the year: the annual activity report should then demonstrate to what extent these objectives have been achieved. Measurable indicators should be agreed beforehand and then reported on.
The Charter of each Internal Audit Unit sets out the basic duration and the different types of reports that the Internal Audit Unit has to present to the management.
CHAPTER 5: FOLLOW‐UP PROCEDURES FOR DETAILS
5.1. THE CLOSING MEETING
It is important to maintain good communication with the management of the audited organisation or activity. Good communication ensures the effectiveness of the audit process. The presentation of the draft audit report and an outline of its recommendations are key aspects of such communication. The closing meeting is designed to give a final overview of the audit issues and recommendations and emphasise the need for urgent action on the part of management to reduce the level of identified risks. The Audit Team Leader should explain to management the importance of each recommendation and the consequences for the organisation of a failure to fulfil it.
The closing meeting is not the time to discuss new issues that have not previously been identified and discussed with the personnel affected by the issue.
The entire audit team and the ATL should be present at the closing meeting. Management can be asked to begin compiling their responses at this time, but are not required to submit responses until they receive a copy of the draft report.
Management should be informed that the goal of the Internal Audit Unit is to issue the Final Report within three weeks of the draft report date. This means that responses should be received within two weeks leaving time to answer any questions or resolve any disputes.
Management should be informed that their responses should identify:
• specific actions to be taken;
• the individuals responsible for implementing the corrective action; and
• a timetable for completion.
In addition they should be informed that, if they don’t accept the audit recommendations, their objections should be substantiated and evidence attached to support them.
The agenda for the closing meeting includes:
• discussion of the issues;
• requirements for Management’s Responses; and
• audit rating (should always be discussed last).
It should be emphasised at the closing meeting that the internal audit team will assume that responses submitted by management have been approved by the appropriate levels within the organisation.
5.2. AUDIT COMPLETION CHECKLIST
The Audit Completion Checklist provides a means of ensuring that all important matters and audit components have been satisfactorily considered and evidenced in the working papers. It also serves to record the participation of the Audit Team Leader and the Director of the IAU.
The Audit Completion Checklist must be:
• prepared and dated by the Audit Team Leader;
• reviewed, dated and signed by the Director of the IAU; and
• filed in the audit working papers Current File.
TEMPLATE No 26 ‐ Audit Completion Checklist (WP 4002)
CHAPTER 6: FOLLOW‐UP PROCEDURES AND QUARTERLY STATUS REPORTS
Internal audit does not end with preparation of the final audit report or the discussion of the recommendations and submission of the action plan by the audited organization. It is also necessary for the Director of the IAU and Audit Team Leader to monitor the implementation of the audit recommendations.
Monitoring is a follow‐up process, in which internal auditors assess the adequacy, effectiveness and timeliness of the actions undertaken by management to address each audit’s recommendations.
6.1. FOLLOW‐UP PROCEDURES
The Director of the Internal Audit Unit is responsible for ensuring that a process is in place to monitor that control deficiencies noted in the audit reports have been addressed.
The planning of the follow‐up and the way it is implemented depends on the following factors:
• the importance of the audited process and the weaknesses discovered;
• the cost and effort associated with improving the audited process;
• the risk of an adverse event occurring if remedial measures aren’t taken;
• the scope of the remedial action to ensure that all related organisational units implement necessary improvements; and
• the time‐frame for implementing changes.
Audit follow‐up procedures include:
• confirming a timeframe within which the management’s response to the audit findings and recommendations is required (two weeks is suggested);
• evaluating management’s responses;
• verifying the responses (if appropriate);
• a follow‐up audit (if required); and
• escalating unsatisfactory responses or actions, including the acceptance of risks, to the appropriate level of management.
To correctly plan follow‐up activities, the Audit Team Leader completes a working document that summarises the recommendations from prior audits. The scheduled date for monitoring the fulfilment of recommendations is noted in this document. A week before expiry of the deadline for implementing each recommendation, the Audit Team Leader should write a reminder letter to management.
TEMPLATE No 25: Follow‐up Schedule (WP 4001)
6.1.1. MONITORING PROGRESS
Follow‐up may be accomplished through monitoring, or through more rigorous follow‐up audits.
Monitoring would be appropriate when:
• the audited process or activity is of minor importance and does not constitute a serious obstacle to achieving the main objectives of the organisation;
• the established weaknesses, errors, shortcomings or irregularities are not significant;
• the recommendations are easy to fulfil; and
• the remedial action is not complicated.
The auditor can monitor progress by:
• receiving and evaluating management responses to audit findings within the reasonable period (say, two weeks) after the audit results are communicated;
• receiving periodic updates from management to evaluate the status of actions to correct reported weaknesses;
• receiving and evaluating information from other organisational units that have been given responsibility for implementing the corrective procedures; and
• reporting to senior management on the status of the responses to the audit findings.
There may be instances where the Director of the IAU judges that the management’s oral or written responses show that actions already taken are insufficient when weighed against the relative importance of the finding. On such occasions, a follow‐up audit may be performed as a part of the next audit engagement.
The following three results are possible:
• management’s response contains information about the implementation of the recommendations within the deadline specified in the action plan. In such a case the Audit Team Leader should send a letter expressing appreciation to the management for the action taken; or
• management’s reply indicates that the recommendations have not been fulfilled within the deadline specified and possibly lists the causes for such non‐fulfilment. The Director or Audit Team Leader should send a letter reminding management that, regardless of the reasons for failing to comply, the recommendations must be followed, and that failure to fulfil the recommendations will be reported in the annual operations report; or
• no response is received. The Director or Audit Team Leader should treat the absence of a reply as non‐performance within the deadline specified and undertake the actions described in the preceding item.
The results of monitoring fulfilment of the recommendations should be reflected in the annual operations report.
6.1.2. FOLLOW‐UP AUDIT
This type of audit is applied in any of the following circumstances:
• serious errors and shortcomings/irregularities were identified in a previous audit;
• there is a high risk that management will fail to undertake follow‐up actions;
• fulfilling the recommendations calls for the development of further internal rules and regulations;
• the required change refers to the activities of more than one division or department; or
• substantial resources are needed to introduce changes in the organisation.
The Annual Internal Audit Plan should include tasks for monitoring the fulfilment of recommendations given in previous audits. The timing of the follow‐up audit should be aligned with the schedule for implementing the recommendations from the previous year’s audit reports.
A follow‐up audit review is similar to a regular audit; however the objectives and scope are narrowed to focus on the deficiencies noted in the previous report.
The follow‐up audit comprises the same planning, performance, and reporting procedures as a regular audit, with the addition of some special procedures, as follows:
• review the audit findings in the previous report to determine the scope of the follow‐up audit;
• design appropriate audit tests and procedures to evaluate the corrective action;
• conduct the audit fieldwork and document the results of the audit work performed;
• verify implementation due dates and revise if necessary; and
• issue a follow‐up audit report.
In the course of the follow‐up audit a conclusion should be made about whether management’s actions have had an impact on reducing the risks identified in the previous audit and have improved the functioning of the organization in achieving its aims.
If it is determined that management did not take action to correct weaknesses and fulfil the recommendations given, the internal auditors will reflect this in the annual report and communicate it to the superior of the person or organisation that is responsible. The internal auditors have to analyse the consequences of non‐performance and make an additional risk assessment as a result of the failure to undertake remedial action. Where high risk is detected, the internal auditors will plan another audit of the same activity or process in the following year.
6.2. FOLLOW‐UP DATABASE
It is the responsibility of the Director of the Internal Audit Unit to ensure all follow‐up items are entered into a "follow‐up database". The job itself may be delegated to junior members of the IAU. The Director of the Internal Audit Unit is also responsible for updating the database when a follow‐up item is completed.
The follow‐up database is best kept electronically. Back‐ups should be taken monthly on a CD which should be kept in a fireproof cabinet. Print‐outs of the database should be made quarterly and filed in the IAU.
The main activities relating to the follow‐up database are:
• input recommendations as the final reports are prepared;
• at the beginning of the quarter send Informative Letters to auditee heads;
• input information about management responses, resolved issues, revised due dates etc. as soon as it is received;
• bring forward information about management action on recommendations to follow‐up audits to check that issues have been properly resolved;
• before the end of each quarter send the updated quarterly Late Issues Report to auditee heads for them to complete;
• input responses received from auditee; and
• compile quarterly Late Issues Report.
6.3. LATE ISSUES REPORT AND THE ACCOMPANYING LETTERS
At the end of every quarter, each auditee is sent one of the three standard letters from the Director of the Internal Audit Unit. The letter sent depends upon whether:
• the auditee has only current recommendations due this coming quarter;
• the auditee has both current recommendations and recommendations that have not been resolved by their promised completion date; or
• the auditee is new to the organization or position or the audit process.
The 3 letters are formed as follows:
a) Auditee already involved in process, successful in resolving issues on schedule
Letter = 1.1. + 2 + 3.1. below
b) Auditee already involved in process, unsuccessful in resolving issues on schedule
Letter = 1.1. + 2 + 3.2. below
c) Auditee first time in the process
Letter = 1.2. + 2 + 3.3. below
1.1. Standard opening text and description of the procedure for auditees who are aware of the follow‐up process
As you are aware, the Internal Audit Unit is responsible for monitoring the status of all unresolved internal audit issues on an ongoing basis. As part of our monitoring, we provide quarterly reports to all department heads of both their issues that are scheduled for resolution during the current quarter, as well as those issues that are considered "late" (i.e., any issue that has a "revised" date which is greater than the "promised" date). Attached is a report relating to the status of internal audit issues relating to your department.
1.2. Standard opening text and description of the procedure for auditees who are involved in the follow‐up process for the first time
As part of the Internal Audit Unit’s ongoing responsibility to monitor the control environment related to management of public budget, we currently have a process in place whereby all internal audit issues, including late issues (i.e., those items that have "revised" dates that are greater than the "promised" date), are tracked until resolved.
2. Standard main body of the letter (all occasions)
As a reminder, the following summarizes our process:
a) During the first month of each quarter, the Internal Audit Unit will send Informative Letters (using the Late Issues Report template) to each responsible individual within your organisation of all outstanding issues that they have committed to resolve (late issues, issues due during the current quarter, and issues due in future quarters). This notification is for information only and does not require a response back to the IAU.
b) During the first week of the last month of each quarter, the IAU will send a written request (using the Late Issues Report template) to each responsible individual within your organisation requesting them to provide us with a written status of all of their audit issues that are scheduled for resolution during the current quarter, as well as previously reported late issues.
c) The IAU determines that issues are late (i.e., not resolved as of the end of the quarter) based upon the completed templates received. Failure to respond to our written request will cause us to consider the issues to be late.
d) The IAU communicates all late issues in a Late Issue Report to the head of the organisation.
3.3. Conclusion of the follow‐up message to the head of an auditee who gets the quarterly follow‐up report for the first time
We have attached a report highlighting all late issues as of Month day (will be modified as appropriate) for your organization. As noted in the “Comments” column on the attached report, there are numerous reasons why these issues have not been resolved. However, due to the volume of issues contained in our tracking database we cannot render any conclusion as to the appropriateness of the explanations for the delay. Accordingly, an issue that is still open beyond the “promised” date will continue to be reported as late, regardless of the reason for the delay, until it is resolved. In addition, we have also attached a report of all issues scheduled for resolution during the yyy quarter (will be modified as appropriate) for your organisation. Your support in ensuring prompt attention to these issues is greatly appreciated. If you have any questions regarding our follow‐up process or the issues in your report, l
3.2. Conclusion of the follow‐up message to the head of an auditee that has been unsuccessful in resolving all issues within the agreed deadline
We will continue to work with the responsible individuals in your organisation to ensure that all of the late issues are promptly addressed and resolved. As noted in the “Comments” column on the attached report, there are numerous reasons why these issues have not been resolved. However, due to the volume of issues contained in our tracking database, we cannot render any conclusion as to the appropriateness of the explanations for the delay. Accordingly, an issue which is still open beyond the "promised" date will continue to be reported as late, regardless of the reason for the delay, until it is resolved. Your continued support in ensuring prompt attention to these issues is greatly appreciated. If you have any questions regarding our follow‐up process or the issues in your report, please contact me at zzzzzz
Late Issues Report
These detailed reports of the currently scheduled recommendations and late recommendations provide:
• the audit number;
• audit title;
• department head’s name;
• brief description of the recommendation;
• the promised completion date; and
• revised completion date (if applicable).
6.4. MEETINGS WITH AUDIT COMMITTEE
Each quarter, the Director of the Internal Audit Unit meets with the Audit Committee to discuss progress to date against the approved audit plan, significant issues noted during the quarter from the audits completed, the status of outstanding and late recommendations, and other items of interest.
Quarterly status report
The Director of the Internal Audit Unit is responsible for submitting a quarterly status report to the Audit Committee and to the management. The purpose of the status report is to keep the Audit Committee and the management informed of the status of all audit work.
TEMPLATE No 30 ‐ Quarterly Status Report (WP 4006)
6.5. WORKING PAPERS AND AUDIT FILES MANAGEMENT
The organisation and documenting of the audit work are carried out through the use of two types of dossiers ‐ the current and permanent audit files.
The purpose of the permanent audit file is to provide auditors with a source of background information about the organisations or processes being audited, thus allowing them to obtain a greater understanding of their systems and activities. The permanent audit file should be updated each year and will thus provide the auditor with the most up‐to‐date information available.
The current file should include all the documents prepared during the planning, field work, reporting and follow‐up phases.
CHAPTER 7: SUPERVISION
7.1. SUPERVISION AREAS AND ACTIVITIES BY DIRECTOR OF IAU
The Director of the Internal Audit Unit is responsible for assuring that internal audit assignments are properly supervised.
Supervision is a process that begins with planning and continues throughout the field work, reporting, and follow‐up phases of the audit.
Supervision includes:
• ensuring that the auditors assigned possess the requisite knowledge, skills, and other competencies to perform the assignment. It must be done during planning when mobilizing the team and through coaching and review during the execution stage;
• providing appropriate instructions during the planning of the assignment, and approving the Audit Plan;
• ensuring that the approved Audit Plan is carried out unless changes are both justified and authorized;
• determining that audit working papers adequately support the assignment observations, conclusions, and recommendations;
• ensuring that audit communications are accurate, objective, clear, concise, and timely;
• ensuring that audit objectives are met; and
• providing opportunities for developing internal auditors’ knowledge, skills, and other competencies.
Appropriate evidence of supervision should be documented and retained. The extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the audit. The Director of IAU has overall responsibility for review but may designate the Audit Team Leader to perform the review. All internal audits, whether performed by the IAU or by an external service provider, remain the responsibility of the Director of the Internal Audit Unit.
The Director of the Internal Audit Unit is ultimately responsible for all significant professional judgments made in the planning, field work, reporting, and follow‐up phases of the assignment. The Director of the Internal Audit Unit should therefore adopt suitable means to ensure that this responsibility is met.
“Suitable means” include policies and procedures designed to:
• minimize the risk that professional judgments may be made by internal auditors or others performing work for the internal audit activity that are inconsistent with the professional judgment of the Director of the Internal Audit Unit such that a significant adverse effect on the assignment could result – the main risk‐management procedure is that no communication should be made without the knowledge and agreement of the Director of Internal Audit Unit; and
• resolve differences in professional judgment between the Director of the Internal Audit Unit and IAU members over significant issues relating to the assignment. Such differences may include or require: (a) discussion of pertinent facts; (b) further inquiry or research; and (c) documentation and disposition of the differing viewpoints in the audit working papers.
All working papers should be reviewed to ensure that they properly support the audit conclusions and that all necessary audit procedures have been performed. The reviewer should initial and date each working paper after it is reviewed. Reviewers may make a written record of questions arising from the review process. When clearing review notes, care should be taken to ensure that the working papers provide adequate evidence that questions raised during the review have been resolved.
Acceptable alternatives with respect to disposition of review notes are as follows:
• retain the review notes as a record of the questions raised by the reviewer and the steps taken in their resolution; or
• discard the review notes after the questions raised have been resolved and the appropriate engagement working papers have been amended to provide the additional information requested.
The TEMPLATE No 26 “Audit Completion Checklist” (working paper 4002), is a key quality review document, and is used by the Audit Team Leader and Director of the IAU to verify that all steps in the audit have been completed. Any missing work must be properly completed before the audit can be considered complete.
7.2. MANAGING FEEDBACK FROM AUDITEES
The “Audit Feedback Survey Form” should be distributed by the Director of Internal Audit Unit to the auditees. When selecting the recipients of the survey the Director should use the following as guidelines:
• recipients should hold a supervisor/manager or higher level position;
• recipients should include persons with whom the audit team interacted most frequently; and
• at least one person from each department involved in the audit should be included.
The completed survey forms are sent back to the Internal Audit Unit, where they are summarised and the results provided to the Director of the Internal Audit Unit. A summary of the results of these “Audit Feedback Survey Forms” should be included in or appended to the Annual Internal Audit Activity Report. The “Audit Feedback Survey Form” should be sent to respondents with the final report.
Standard 1300 – Quality Assurance and Improvement Program requires the Director of the IAU to develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit function and continuously monitors its effectiveness. This program includes periodic internal and external quality assessments and ongoing internal supervision.
TEMPLATE No 27 ‐ Audit Feedback Survey ‐ COVER LETTER (WP 4003)
TEMPLATE No 28 ‐ Audit Feedback Survey ‐ FORM (WP 4004)