internal audit meth. eng

7/24/2019 Internal Audit Meth. ENG

1/24

Approved by the Order #1013

July 30 2010

Government of Georgia

Internal Audit Methodology

1. Introduction

Unlike external audit, internal audit is a new profession in Georgia, as well as all over the world.

Hence, it is natural that this profession is entity to permanent changes and improvements. This

document provides definition of the internal audit and discussion of the key principles thereof; it

provides detailed explanation on how internal audit function should be performed in accordance

with the International Professional Practices Framework developed by the International Institute of

Auditors (IIA). It should be noted that the feature of internal audit is unique for each institution and

depends upon environment in the institution. Therefore, to perform internal audit, culture, policies

and business processes of the institution should be studied and understood in details. Contemporary

internal auditors study the systems, watch effectiveness achievement of maximization of results

from the resources used in the activities of the audit object, cost-effectiveness, effectiveness

degree of meeting of the stated objectives by the audit object, regarding actual and expected results

and, if required, provide recommendations. Internal auditors study financial, operational, strategic

and compliance risks to ensure sustainability of the institutions control system. They conduct

assessment and identify required improvements. Main function of the internal audit is assistance to

the management in achievement of the institutions goals.

2. Definition and Principles of Internal Audit

What is internal audit?

According to IIA definition, internal audit is independent activity, including objective evidences

and consultancy activities, adding value and improving operation of the institution. It helps the

institution in achievement of its goals, in evaluation and improvement of the autonomous process of

risks management, control and management, using systemic and organized approach.


2/24

2. Charter of the Internal Audit Entity, Internal Audit Entity

Charter of internal audit entity is the official document stating purpose of internal audit activities, as

well as authorities and responsibilities. Internal audit charter specifies the place of internal auditentity, as integral part of the organizational structure, availability of tangible and intangible assets,

as well as entitlement to the staff information and various assets, as required for fulfillment of the

internal audit function. Internal audit charter states also the scopes of internal audit. Head of the

internal audit entity should periodically review the internal audit charter to ensure its compliance

with the modern internal audit concept, code of ethics of internal auditors and internal audit

standards.

Head of the internal audit entity shall provide implementation of the internal audit entity work

quality assurance, maintenance and improvement strategic program (which shall be developed by

the head of internal audit entity and approved by the head of institution, upon agreement with the

center), which covers all aspects of internal audit entity activities.

By means of the mentioned program compliance of internal audit entity activities with the internal

audit definition, internal audit standards and internal audit code of ethics shall be provided.

Implementation of this program should allow evaluation of effectiveness and efficiency of internal

audit function, as well as identification of the improvement opportunities.

4. Internal Audit Independence

Internal audit entity shall be independent and the internal auditors shall be unbiased in internal audit

performing.

To ensure independence of internal audit the internal audit entity shall be directly subordinated to

the head of institution (minister, state attorney, major etc.), in the organizational respect. Internal

auditor should have possibility of open professional communication with the head of institution,

though, internal audit entity shall be entitled to freely select (even if the opinion of internal audit

entitys head is different) and inspect any sphere, where he/she regards that there is the risk of

substantial errors.


3/24

Head of internal audit entity shall be independent in selection of the sphere of internal audit entity

work, implementation of its activities and reporting of the results.

5. Overview of Internal Audit Function, Audit Evidences

Audit evidence is collected analysed and evaluated information, on which the audit findings arebased. Evidences shall meet the following conceptual requirements and shall be:

a) Sufficient is the measure of quantity of the evidence; should be collected and evaluated

sufficient information so that the reasonably informed unbiased person agreed with the auditors

conclusions.

b) Reliable comprises the measure of reliability and adequacy of the source of evidence and the

method of seeking thereof; generally, information received from the third, independent party is more

reliable than that, received from the audit objects; the evidence is reliable where it is gained via

direct physical examination, observations and inspection and where it is received in the

documentary form, rather than verbally. Degree of information reliability increases where it is

received from several sources;

c) Adequateis the measure of adequacy of the evidence; the evidence shall be in logical relation

with that, for evidencing of which it is sought. Audit evidence may be physical, recognitive,

documentary and analytical.

6. Methods of Seeking of the Evidences

As a rule, for gaining the audit evidences various techniques and methods are used. Selection of the

evidence collection method is provided based on the characteristics of the methods and specific

purposes of audit. Methods of collection of the audit evidences differ significantly (e.g. the method

may be reliable, though requiring high costs; it may require greater technical knowledge and

experience etc.).

Widespread methods of collection of audit evidences include:

a) Interview this method is often used for collection of evidences. For conducting the

interview, adequate training and respective skills are required. Interview may identify the

problem, provide evidences for confirmation of the audit findings and the positions of the

auditor and audit object may be compared with respect of the breaches identified via

audit and recommendations;


4/24

b) Audit test testing means examination of the selected actions / measures or operations

doe identification their qualitative properties. Audit tests are of two types: compliance

testing and detailed inspection.

Purpose of compliance test is examination of the control adequacy and effectiveness.

Key procedures imply detailed examination of the selected operations/records.In many cases the test serves for both purposes. E.g. examination of calculations may show, whether

internal control mechanisms operate properly (compliance test), as well as how accurately the

system provides the amount (this test, simultaneously, serves to the goals of detailed examination).

After selection of the test type the operations / records to be tested will be identified. The specific

object of testing may be selected on the basis of judgment (e.g. taking into consideration the scopes,

risks or other properties). Conclusions made in such case would be applicable to the given objects of

testing.

Test object may be selected so that the selected set was representative for the group/population of

certain operations/records. Conclusion made in such case would be applicable to the entire

population (group) and not only to the test objects.

c) Selection the process, by means of which the part of the population is selected for

determination of the characteristics and parameters of the population. This method

significantly reduces the costs and makes internal audit functioning more effective and

therefore, it is very widely used.

Though, selection has its weaknesses as well:

One of its weaknesses is the selection risk risk that the selection by the internal audit

entity may be not representative (selection scopes may not fully cover the field under

consideration) for the entire population, resulting in inadequate findings;

There is also the risk of non-selectione.g. the error may be not identified.

There are two basic types of selection:

Statistical selection, which relies upon the statistical science;

Selection through judgment, or non-statistical selection, where the auditors provide

selection on the basis of judgment and determine the scopes of the selected set.

Statistical selection has the following advantages:


5/24

Generally, reduced sizes of the selected sets mean that audit/inspection activities are more

effective;

Allows risks assessment;

Is better protected from biased approach and inadequate efforts;

d) Questioningstructural approach to collection of information from the large population.

Example of use of monitoring is finding out of the opinions of the service beneficiaries

about quality and timeliness of the services. Its key element is tested, structured

questionnaire. Questioning could be conducted either via personal meetings, by phone,

internet or mail;

e) Inspection confirmation of presence of the records, documents or material resources.

Inspection of the material assets provides reliable information about presence of the

material assets and their condition. Inspection of records can confirm or reject existence

of the primary documentation of the accounting records;

f) Diagram graphical description of the process or system allowing analysis of the

complex operations/systems, examination of presence of the control mechanisms and

identification of the excessive/useless actions in the process;

g)

Modelingmethod facilitating decision-making by simulation of the actual processes by

means of mathematical and statistical models. The models may be descriptive or

cognitive. Descriptive models provide classification of variables and clarification of their

interrelations between them. By means of the cognitive method the prognosis is

developed how the interrelation between variables would change, if one or more of

them changes;

h) Observation similar to the inspection. Observation implies personally examining the

processes and procedures. There are some cases, where evaluation of functioning of the

operations and internal control mechanisms is possible only via direct observations over

their operation;

i) Confirmation written request to the audit object or the third party to provide written

confirmation of one or another information;


6/24

j) Analysisstudy of the gained information and its use for conclusions, to compare with

the indicators of the results of the audit objects activities, past achievements or results of

similar operations in the other institution, or for finding out compliance with the

institution policies and effective legislation.

7. Planning of Internal Audit

Head of the internal audit entity, based on the requirements of the legislation, in agreement with the

head of the institution and the center, should develop the strategic plan of internal audit and annual

plan of internal audit.

Strategic plan of internal audit, similar to the annual plan of internal audit, should be developed on

the basis of audit risks assessments, taking into consideration of the experience of past audits,

available resources (time and human resources).

Process of development of the internal audit plan assists the head of audit entity to clarify such

issues as:

Allocation of human resources to the different spheres of audit assignment of the staff

based on their knowledge, skills and experience to the complex / high risk operations /

systems and audits requiring relatively limited technical knowledge;

How management and supervision of the audit process will be provided;

Development of the quality assurance program etc.

Upon development of the internal audit strategic plan the internal audit annual plan should be

developed. Internal audit strategic plan should be developed once and further reviewed (at least once

in two years). Annual plan of internal audit shall be developed in the end of each year, at least one

month before commencement of the new financial year. Head of the internal audit entity shall

submit strategic plan of internal audit, as well as annual plan of internal audit to the head of

institution.

Annual plan of internal audit provides more details, compared with the strategic plan of internal

audit. Internal audit annual plan, primarily, provides analysis of risks assessment results and further


7/24

plans of implementation of the other procedures of audit. This includes both, the nature of audit

procedures and sphere of audit, as well as terms for each audit. Annual plan of internal audit should

provide for (based on the past experience) certain amount of free time (for conducting off-schedule

audit of the staff with different experience, knowledge and skills, on the basis of request of the head

of institution, or suspicion of alleged abuse).

8. Implementation of Internal Audit

First step in most internal audits is informing of the management of the respective structural

subdivision / body of the structure / institution, where audit is planned, about conducting of the

audit. This is done via formal letter, by which the management of the audit object is officially

notified about planned audit. The mentioned letter should provide information about when the audit

is scheduled; who is in charge of audit and why the audit is conducted (current, scheduled, upon the

managements request etc.). Mentioned official letter should be sent, in addition to the management

of the audit object, to the immediate manager and shall state the following information:

a) Audit purposes and scope;

b) Date of audit commencement and its duration;

c) Names and surnames of the persons (at least the team leader) bearing responsibility for the

audit.

From the audit object the financial statements, statistical reports and other reports corresponding to

the goals of specific audit should be requested in advance; this would assist the auditors to better

understand the situation and identify the trends.

There are some cases where no formal letter is sent to the audit object, e.g. where the audit is

conducted unexpectedly, in relation with the abuse and only administration of the institution may be

informed. Though, it should be taken into consideration that off-schedule audit breaks the normal

course of work of the audit object and causes complication of fulfillment of their duties properly.

Therefore, off-schedule audit should be conducted in the extremal situations. In addition, frequent

off-schedule audits may endanger implementation of the internal audits states in the annual internal

audit plan.


8/24

9. Study of the Object within the Internal Audit Scopes

These studies are of great significance for clarification of the direction of audit efforts, specificspheres and scale; this is the first stage, which is implemented in the site of audit. Internal auditor

shall not commence audit of the documents or observation over some activities without specific goal

or objectives. Study at the object allows the auditor:

a) Familiarization with different systems;

b) Examine various system control structures and control risk in the spheres of audit.

If the audit group members do not know the location of audit object and its administration, it is

necessary to familiarize with them; in addition, any question in the letter about commencement of

the audit should be clarified. At the same time, team leader auditor shall develop the requirements

for the planned interviews and work schedule. For implementation of the typical study at the object

the team leader auditor and team members should take into consideration the following components:

Organization

In conducting study at the object the auditors shall cross-check the structure of institution, including,

whether the names and surnames of key staff members related to the specific audit operation are

provided correctly. Auditor shall get familiar with the functional responsibilities and key persons

participating in the activities.

In many cases, in the structures of the institutions, the titles of the positions do not adequately reflect

actual functions of specified position. The formal job descriptions shall be requested. If the given

structural subdivision (unit) and/or unit subordinated to the institution has no functional distribution,

the auditor shall prepare the brief sketch of the organizational structure and consider his/her

propositions with the administration of such structure, which is subject to audit.


9/24

Manuals and instructions

Copies of the respective policies and procedures manuals and required data, for the auditors workdocuments could be obtained online, with special access authorities. The respective laws and

regulations should be studied, as well as the administrations directives, which shall be fulfilled.

Regarding common objectives of the audit, the copies of correspondence should be considered as

well, to familiarize with the respective materials.

Reports

Respective reports and records of the meetings related to the audit to be performed should be

analysed (submitted by the leader), like budgeting, operations, costs analysis and personnel-

related issues, as well as the results of any external audit or survey conducted by the administration

and implemented measures. The examples may include the feasibility reports or conclusions made

by the Chamber of Control of Georgia. Such reports may provide to the auditor some hints, as well

as the summaries of the existing problems, recommendations offered and results achieved via their

implementation.

Personal observations

Visual examination of the object allows the internal auditors to get familiar with the given structural

subdivision (unit) and/or unit subordinated to the institution, its key activities and staff. This also

allow audit group to put the questions and observe the activities of the unit. The auditors are often

criticized because they pend all their time in accounting or administrative office and perform audit

so that they have no clear idea of the activities in relation with which the audit is conducted. As the

final work of the auditor may lack some significant issues, impressions of the visual examination

should be stated in the auditors work documents. Compliance with the procedures of the audit

object should be observed and documented as well.


10/24

Discussion with the staff related to the specific audit

Arrangement of the discussion with the staff members engaged in the audited sphere is useful foridentification of the problematic issues, results of the activities of structural subdivision (unit) and/or

unit subordinated to the institution and planned changes or reorganization. Questions should be

stated on the basis of data considered in advance or findings of the visual examination.

Study of the object is the first step for the purpose of any type of survey in the audited entity; at this

point the management meets with the audit group and the auditors assigned for the given task have

the first contact with the audited structural subdivision (unit) and/or unit subordinated to the

institution. At this stage the problems or disagreements may arise. Though, it is desired that these

issues were resolved at a time of letter of the commencement of audit. Head of the structural

subdivision may be unaware of what the internal auditors are interested in, or the internal auditors

may have no proper awareness about the structural unit, irrespective of preliminary planning.

Consequently, it may become necessary to change the planned overview, audit procedures or even

the sphere of audit. In such case the audit official should contact the head of internal audit entity for

further instructions.

Regarding the number of the internal audit service staff and the contents of letter on commencement

of audit the overview may be conducted by one or more internal auditors. One of them shall be

always nominated by the head of internal audit group as the chief auditor of the audit group, whose

responsibilities include making of the auditors decisions in situ. Normally, responsibilities of the

chief auditor are imposed over the senior auditor in the composition of auditors, though these

responsibilities should be vested upon the other auditors as well, by the rotation, to allow the less

experienced auditors to gain the audit process management skills.

10. Documenting of the Studies over the Object within Internal Audit Scopes

Normally, survey of the object (territory of the internal audit object territory) takes one or two days.

In case of wider examination the survey may be conducted separately, at a time of preliminary visit,


11/24

before the auditor implements the key procedures and performs the analytical work. In both cases,

the implemented work, as well as the summaries of the data collected at the object, in the course of

survey, should be stated in the auditors work documents. The copies of the reports and available

written procedures should be collected, as well as summary of the records, documented observations

at a time of all interviews and visual examination of the object. In addition, for each system orprocess the diagrams should be prepared.

Survey of the object is the means for identification of the new and innovative approaches to the

audit. Such new methods should be taken into consideration against the background of the changed

procedures or work conditions. For example, some function, which was previously performed

manually, now is automated (by means of certain technological innovations). The schemes should

be developed for description of the key processes, controlled risks and internal control mechanisms.

Via graphical expressions of the series of operations and data summaries the diagrams present the

complex systems, processes and control mechanisms.

There are many approaches for building of the diagrams, but diagrams should always depict

relations between different operation components and the control mechanisms in the processes.

Upon completion of work on them the diagrams will become the permanent part of the auditors

work document for given structural subdivision (unit) or unit subordinated to the institution. This is

also useful for meeting of the requirements according to which the institutions shall maintain the

documents and disclose the internal control mechanisms. In many cases the staff member of internal

audit entity has already prepared diagrams, from the previous surveys, which require only updating.

Sometimes the institutions, themselves have prepared internal diagrams for the purpose of process

documenting or any other purpose. Of course, these diagrams should be used, though the auditor

shall make sure that they are accurate and up-to-date.

11. Auditors Conclusions Resulting from Object Surveys

Within the scopes of internal audit, purpose of the object survey is cross-checking of the actual

nature of considerations developed in the course of preliminary planning of audit. In addition, the

key systems and processes should be studied as the information, upon which the preliminary

planning of audit rely is not complete in many cases. This is the important stage, where, the audit


12/24

group assigned for conducting of given audit can make changes to the scales and objectives of the

planned audit.

At a time of wider scale audits, in many cases, it is useful that the head of the audit entity visited the

group, which conducts field survey and consider the results. In this way all changes in the sphere ofaudit requiring approval from the side of administration could be made. In result of the field visit

many potential questions, which would further arise, could be answered. Internal auditor may find

him/herself in the situation, where, based on the information resulting from the object survey the

audit group can make corrections to the audit sphere planned in advance, or even cancellation of the

audit work completely. In some cases, the audit group participating in the preliminary planning may

contact the remote object of audit and receive information about absence changes in the sphere of

interest. After visiting of the object some significant changes could be revealed in result of object

survey, e.g. introduction of the new information system, what completely changes the control

environment and internal audit group may need to assign one more specialist for work with the

project, leading to corrections both, in staffing and audit testing strategy. In the other cases the audit

group may establish that the changes are insignificant and planned audit should be cancelled or

postponed. Though, mostly, the field survey provides to the audit group additional data, assisting

them to make changes to the planned procedures. Survey at the object conducted within the scopes

of internal audit should be used for the purpose of documenting or for updating of the permanent

work file.

If at the object there is no administration of audit service the survey results should be summarized in

written and sent to the chief by e-mail, in which case it is deemed that the chief is familiar with the

given conclusion.

12. Use of the Audit Programs for Internal Audit

Internal audit shall be organized and implemented consistently, for the purpose of minimization of

the arbitrary or useless procedures.

Fir assistance and guidance the internal auditors shall use so called audit programs to perform audit

procedures consistently and effectively at a time of implementation of the similar audit. term

program denotes the number of audit procedures, which are similar to the computer programs and


13/24

contain instructions, which, each time, in the course of the process, pass one and the same program

instructions.

E.g. computer program, providing calculation of salaries, contain the instructions for reading of the

files of the cards recording the worked days, position benefits of the employed, seeking of theinformation saved in the other file and calculation of the aggregate salaries. For each employee one

and the same stages are repeated, with the exclusion of cases where the program specifies the

overtime work. Similarly, the audit program contains the set of predetermined stages to be

implemented by the internal auditor.

Audit program is the mean for planning, directing and controlling of the auditors work and ou tline

of the actions, which specifies the stages to be implemented for fulfillment of the audit objectives.

This is the set of the best methods of the auditor for conducting of audit and ensures documenting of

the performed stages. Entity of internal audit, desiring that its activities were evaluated as

effectiveand professional, shall have prepared the number of audit programs for performing of

the recurrent audit operations. Many such programs (e.g. one of them is observation over inventory)

are applied by number of years by many institutions only with minor changes. In the other case the

auditor may have to modify the standard program, to adjust it with the unique aspects of the specific

audit. And in some cases use of the standard audit program is not reasonable. For example, where

internal auditor desires to examine the structural subdivision (unit) or the unit subordinated to the

institution for special / unique control characteristics, or if the administration of the audit service

desires to apply different approach to overcome the problem identified in the previous survey.

Advantage of the standard programs that they contribute to perform the work in reasonable manner;

play the role of completed control questionnaire and ensure that all issues significant for the audit

are dealt with. Standard programs improve audit effectiveness and facilitate delegation of works and

control processes. Though, the standard programs have the weaknesses as well: if the decision on

their application is not reasonable, thi can suppress the professional judgment. In performing of

his/her work the auditor always needs professional judgment, as all audit operations are different

and thus, the tests shall be developed bearing in mind different conditions of each audit operation.

According to the planned audit objectives and base on the data collected at a time of preliminary and

field surveys the chief auditor can make decision on correction of the audit program. This may


14/24

include minor local changes or unique audit procedures based on the preliminary planning and field

survey results. To develop the program, the internal auditor, primarily, shall study the characteristics

comprising adequate audit program

13. Formats of Audit Programs and their Development

Audit program is the document describing the stages, procedures and tests to be performed by the

auditor at a time of actual implementation of audit. Development of the program shall be completed

before field survey and further, before implementation of actual auditor work in situ. It shall be

developed taking into consideration number of criteria, the most significant of which is that the

program identified the aspects of the sphere requiring further examination and sensitive spheres

(high risk spheres are implied), which require auditors attention.

One of the most significant purposes of audit program is that it provides guidance for both,

beginners and experienced auditors. For example, the administration can require from the audit

entity to observe over the annual inventory. Such survey consists of quite standard procedures.

Unexperienced auditor can be unaware in these procedural stages; even experienced professionals

can forget some of them. Audit program contains all necessary stages of audit.

Gradually entity of internal audit develops the library of programs with time for such tasks as

inventory observation or survey of long-term assets. In planning of such survey, for which the

developed programs are available, the administration of audit service will use given program, taking

into consideration the changed situation, which would become known to it at a time of preliminary

ot field survey. Audit programs are reviewed as required; changes shall be approved by the

administration of audit service, before commencement of the survey. Many entities of internal audit

may have no formulated audit programs for many years. This is caused by the fact that normally, the

internal auditors have to conduct audits in wide and versatile spheres, though they have no time or

resources to regularly survey each sphere. Audit programs developed on the basis of past audits

often become obsolete due to introduction of the new systems or changes to planning. Auditor

responsible for field survey or one of the audit service managers should update the available audit

programs, i.e. prepare the updated reviewed versions of the audit programs for the planned audit.

Regarding the type of planned audit, normally, on of the three general formats is used: set of general


15/24

audit procedures; audit procedures with the detailed instructions for the auditor and the checklist

(the latter is for the compliance audits).

Audit program containing detailed instructions or procedures implies that the auditor using such

program has no sufficient technical knowledge required for survey. In many cases such programsare used for one-time surveys for certain specific spheres, developed by the audit service

administration so that the auditor with the adequate knowledge for planning of all procedures

detailed in the audit program, perform audit upon certain instructions. Application of such program

format is useful for the audit management group by audit entity, the auditors of which perform their

activities in the remote locations and it desires that its auditors implemented one and the same

general procedures.

The audit programs with the checklists were the most widespread format int he internal audit sphere.

It consisted of the long list of the questions and required answers yes, no, or N/A .

Implementation of such programs is provided via study of documents or the interviews.

Answers yes/no to the questions in the information collection context are acceptable in many

cases. Though, audit program in checklist format has two weaknesses. First, the experienced auditor,

at a time of yes/no type interviews can consider the problematic spheres or put the different

question, but the beginner can miss such nuances and he/she would simply complete the

questionnaire, without passing beyond the yes/no questions and would not provide in-depth study

of the problems pointed by thee questions. Procedures-oriented audit program is more conductive

with respect of the additional questions about the issues, to which the questions may arise based on

the collected information.

Questionnaire-type audit program, where the auditor puts the questions only, also leads to ignoring

of the issues requiring evidences by the auditor. Unexperienced auditor can simply tick yes

without finding out, whether such positive answer is based on the respective audit evidences or not.

For example, question about whether the significant documents are approved regularly or not. It is

easy to put the question and receive positive answer, but whether these documents were actually

approved or nor, will be never checked. Each format of the audit program is useful for different

types of survey, if the internal auditor takes some time to thoroughly understand the questions of the

program.


16/24

The main problem is that audits should be based on the audit program of certain type, which

provides documentation of the performed stages of survey. Such approach allows the audit service

administration to be aware in which procedures were conducted by the auditors and which were notat a time of given survey. Good and consistent audit programs are very significant for improvement

of the internal audit quality.

Reliability of the evidences to be considered and other information should be also taken into

consideration in finalization of the audit program. There is no use in maintaining of the obsolete

systems and procedures in audit program.

In development of the audit program internal auditor shall select the significant stages which ensure

collection of the reliable audit evidences. For example, in many cases, it is necessary that the audit

program contained the key procedures in the high risk significant sphere, rather than

recommendations on collection of information via interviewing.

Contemporary audit methods also contain audit software, where this is practicable. For example, by

the computer-based audit methods (CAATS) some audit stages could be implemented similarly to

the procedure of up-to-date audit procedure (e.g. statistical selection procedures), to allow the

auditor embracing the wider range of issues. In preparation of such audit the consultations should be

provided by the staff members of audit service, who have experience in information systems audit or

other technical skills.

For the audit program no best format or one stated format exists, though, the program should be the

document, which could be studied by the auditors to direct their efforts for the purpose of

documentation of such activities. Audit program will be further attached to the audit work

documents and play the role of the table of contents for the activities described in such work

document.

14. Implementation of Internal Audit Procedures in Situ

Audit may result in delays in everyday operation of the institutions system bodies and cause

problems where the audit takes place.


17/24

Chief auditor and audit group members should commence their work at the audit object with the

meeting with the respective members of the audited object to present them the audit plan, identify

the spheres to be examined, as well as the special reports or required documentation and introduce

the staff members, who will participate in the interviews.

Internal audit processes could be summarized as follows:

Risk assessment for the purpose of identification of potential control risks;

On the basis of risk analysis, regarding available time and other resources, development of

internal audit strategic plan and internal audit annual plan and amendment thereof;

Audit planning and resources allocation;

Notification of the audit object on commencement of audit;

Conducting of the audit survey;

Preparation of the work documents;

Implementation of the audit procedures;

Study of the key control mechanisms and procedures documenting;

Summarization of the audit results and their consideration with the audit object management.

15. Internal Audit Work Documents

This section of the methodology contains instructions dealing with preparation, consideration and

maintenance of the audit work documents.

Necessity of maintenance of the work documents is caused by need of the linkage between

performed work and audit report.

15.1 Requirements Related to Work Documents

Work documents provide linkage between performed audit work and the audit report. Work

documents comprise organized system of records fully reflecting performed work and include all

documents and electronic information collected or generated by the auditor, including evidences

confirming auditors findings, auditors opinions and conclusions. Evidences stated in the work

documents should be adequate for confirming auditors findings and supporting the auditors report.

Work documents should be developed and considered in accordance with the generally recognized

audit standards.


18/24

15.2 Planning Creation and Organizing of Preparation of the Internal Audit Work Documents

Well systematized work documents are critical for conducting of audit at the professional level. For

creation and preparation of the professional work documents adequate planning is required. Beforepreparation of the work documents the auditor shall gain clear understanding of the basic and

additional purposes of preparation of the work documents. In the process of creation, planning,

preparation and organizing of the work documents the following instructions shall be taken into

consideration:

15.3 Planning of Work Documents Preparation

Creation of the work documents shall be planned so that to disclose all data on all audit

aspects, in addition, the documents shall not contain data available from the other sources;

Each audit plan shall contain instructions on preparation of the audit documents, as well as

instructions dealing with the structure of files, procedures of assigning of indices, marks for

linking of the different documents. The instructions dealing with review of the work

documents shall be taken into consideration as well.

Respective work documents prepared in the course of audit shall be placed into the files and

kept;

Work documents shall contain supervisory directives, performed reviews/revisions and

comments. Of the decision dealing with auditing of any specific aspect was made, the work

document shall state the reasons thereof. Where any of the audit findings is not stated in the

final report the reasons of omitting of such finding shall be stated so that the person

considering/examining the audit was able to find the preliminary findings/results.

15.4 Preparation of the Work Documents Work documents shall be complete and accurate to support audit findings, provide

judgments, bases for conclusions and demonstrate the nature and scale of performed audit

work;

For the readers aware in audit the work documents shall be understandable and shall not

require any additional verbal clarifications;


19/24

Work documents shall be clear and transparent;

Work documents shall state only information dealing with the substantial issues and fit to the

goals of given audit.

15.5 Organizing of the Work Documents

Files of the work documents are divided into two main groups: permanent and current ones.

Permanent files shall contain information, which is transferable and useful for the future

audits. For example, the permanent files shall provide the input data, results of the previous

audit and reports of inspecting;

Current files shall be organized in accordance with the files structure developed for the given

audit. Current files of the large-scale audits can consist of the following sections: one file for

each examined sphere; other files on general part of the entire audit and one file for the

issues of audit administration. Current file shall contain the following minimum information:

contents; survey pages; audit summary; audit program with cross-references, analysis,

calculations and other supplementary information.

15.6 Principle of Documenting of the Work Documents

a) Work documents shall be in proper order so that to be understandable for the aware reader and the

latter should make the conclusion similar to the one made by auditor, without any additional verbal

clarifications. Work documents shall provide complete, clear and laconically. Adequately prepared

work documents provide possibility of continuation of given audit by the other auditor at any time

(for example upon completion of the inspection stage);

b) As a rule, all work documents or closely linked packages of work documents shall contain certain

basic information. Exclusion may be, e.g. the files of correspondence, administrative files etc.,

where it would be reasonable to provide required information on the title page or the first page ofthe file. Decision about said exclusions shall be made by the chief of audit or a person responsible

for given audit;

c) It is required that most work documents included the following information:

Title of the work document or heme;


20/24

Activity or function which is audited, names of the person who has prepared,

considered/inspected the work document;

Dates of preparation and consideration of the work document;

Explanation of the used marks, symbols or abbreviations;

Reference index of the work document, for placing into the respective file and reference.Any other information shall be stated as well, so that to clarify purpose, source, sphere,

methodology, criteria and conclusions of the specific work document.

15.7 Summary of the work documents

Work documents shall contain brief description of each sphere prepared by the auditor, irrespective,

whether the violations were found or not. Information provided in the summary shall support audit

findings and specify the shortcomings. Summary shall also contain the recommendations by the

auditor.

15.8 Indexing of the Work Documents

System of indices shall be simple, but with the potential of extension. It shall be adjusted for the

specific audit, in accordance with the purpose, significant spheres in given case and audit plan.

Indexing of the work documents shall be provided in the process of developing of work documents,

or immediately upon their completion.

15.9 Cross-references of the Work Documents

Cross-references of work documents ensure taking into consideration of all relevant facts and

conclusions, which support auditors opinion (on the copy of draft auditors report the references are

made to the work documents). In the event of adding of new information to the final report this

information shall have the relevant reference as well.

15.10 Review of the Work DocumentsWork documents shall be periodically reviewed to ensure compliance with the internal audit

standards. Frequent reviews allow evaluation of the quality of work documents, linkage between

audit goals and conducted work, as well as evaluation of completeness of the performed inspection.

In addition, review allows evaluation of audit conclusions and identification of any additional work,

if required.


21/24

The reviewer (person who provides review and who is assigned by the internal audit entity) shall

prepare the written notes upon completion of the review; and the auditor shall revise the work

documents as required and perform additional work. Reviewer and auditor shall agree upon the

comment and additional work scope. This process shall be documented.

For the purpose of securing accuracy of the supporting facts and figures of the audit report the copy

of the report with the references shall be considered by the independent reviewer. Independent

reviewer shall be the chief auditor, who does not participate in given audit operation. In addition, if

possible, the independent reviewer should not be the direct subordinate of the person responsible for

given audit. Documenting of the review shall be provided in the work documents, where the

comments of independent reviewer are stated, as well as the actions for addressing of the identified

problems (participation of the independent reviewer is not the mandatory component).

15.11 Maintenance and Security of the Work Documents Files

Work documents shall be maintained for at least 6 years from the date of publication of the final

report, unless maintenance of the work documents for longer period is required for the other reasons

(e.g. investigation). Materials collected in the audit process and are no more needed shall be

destroyed and not archived.

Files of the work documents shall be protected and only staff members with relevant authorities

shall have access to them.

16. Reporting of Internal Audit (Conclusion)

Internal audit report is the final result of the work performed by the internal auditor. There are

number of reasons or set of reasons for development of the internal audit report, in particular:

a) Development of the recommendations and initiation of the organization changes on the

basis of recommendations provided in the unbiased, independent report prepared by the

entity the institution can implement the fundamental organizational changes;

b) Study and consideration of the problems with respect of internal control internal control

report helps the administration in properly understanding and studying of the problems and

issues related to internal audit;

c) Taking of the facts revealed in result of audit and relevant recommendations and taking

respective measures by the management submission of the formal written


22/24

recommendations and further monitoring of the relevant response from the side of

management ensures implementation of the changes according to the recommendations in a

timely manner;

d) Documenting of the performed audit workinternal audit report provides documentation of

the audit evidences. In addition, it shall specify the scope of performed work, issuesconsidered and basis for the conclusions, together with the issues, which were not studied

within the scopes of given audit;

e) Collection of the proper evidences by internal auditor for the administration and submission

of the respective information function of the internal audit is providing of the respective

evidences to the administration, what is implemented via official submission of the audit

report. In addition the report provides advices and information on risks and corporative

management developed by the independent party.

Before submission of the final, official report the internal auditor submits draft report to the

management of the audit object. Further the mentioned draft report is considered to ensure full

understanding of the report by the audit object management, open discussion of the issues and

recommendations provided in the report and conciliation of the positions, before submission of the

final report. In result of the mentioned discussion the draft report may be modified.

17. Contents of the Internal Audit Report

Internal audit report shall state the following key issues: title page of the report shall state the issue

of audit, names and positions of the persons to whom the report is sent and the dates of preparation

and submission of the report.

Body text of the report shall consist of two parts: I key audit findings and recommendations; II

detailed information about identified facts and agreed actions.

Before the body text of the report the summary is provided, stating the key results and consisting of

the following parts:

Brief overview of internal audit;

Introduction;

Sphere of internal audit;


23/24

Key risks;

Opinions of the internal auditor;

I part of the internal audit report considers the key findings, risks and their significance, as well as

the recommendations; II part provides more detailed consideration of the results of performed work.

Internal audit report provided below shall contain the following information: Risks;

Agreed measures;

responsibilities;

Terms of implementation of the agreed measures.

Generally, internal audit report shall include the annex providing detailed clarifications and

respective analysis, providing basis for the recommendations and opinions stated in the report.

18. Internal Control

Definition of the internal control is provided in the international audit standards (International

Standard of Audit 400 Risk Assessment and Internal Control). According to the mentioned

international standard the internal control system is the set of control environment and control

procedures. Internal control system contains all directions and procedures set by the managers of the

respective units, within their capabilities, for achievement of the well organized and effective

activities, including consistent implementation of the policies set by the management, protection of

the assets, prevention of the breaches and errors and their identification, for ensuring completeness

and accuracy of the accounting records and timely preparation of the reliable financial information

19. Quality Control

Head of the internal audit entity shall develop the quality assurance program embracing all aspects

of internal audit function and ensuring effective performing the audit at high quality. In addition, the

head of internal audit entity shall perform program implementation monitoring and amendmentthereof, for the purpose of taking into consideration the changes in the rapidly developing profession

of the internal audit. Effectiveness and efficiency of internal audit shall be evaluated, as well as

opportunities for improvements shall be identified and used.

Quality assurance program, which shall be developed in each entity of internal audit, shall provide

for review of the audits performed by the staff members of internal audit entity, what implies


24/24

examination of the performed audit operations by an auditor, who has not participated in the audit

process. Review of the performed audit is of two types: a) internal review; b) external review. The

internal review is conducted with the participation of the staff members of the given internal audit

entity and external review are performed by the invited independent internal auditors.

Quality assurance program ensures compliance with the requirements of internal audit legislationeffective in the country, instructions by the LEPL National Center of State Internal Control, internal

audit standards, internal audit code of ethics, charter of internal audit entity.

Quality assurance program shall also include the program for improvement of the qualification of

internal audit entity staff. Each staff member of the internal audit entity shall have the certificate of

internal auditor, or, concurrently with employment, he/she shall study for obtaining of the

mentioned certificate.