esaag internal audit guidelines
7/31/2019 ESAAG Internal Audit Guidelines
E S A A G
INTERNAL AUDITING GUIDELINES
for
East and Southern Africa Association of Accountants General
February 2001
INTERNAL AUDITING GUIDELINES
for The East and Southern African Association of Accountants General
CONTENTS
1. Introduction
2. Nature, Objectives and Scope of Internal Audit
3. Internal Audit Independence
4. Managing Internal Audit
5. Professional Proficiency
6. Relationships
7. Internal Audit Planning
8. Approaches to Internal Audit
9. Reporting, Monitoring and Follow-up
Glossary of Technical Internal Audit Terms
1. INTRODUCTION
1.0 These Internal Auditing Guidelines are recommended to all government institutions in member
countries. These may include Ministries, Departments, Regions, and other public sector
organisations or entities, where appropriate. The Guidelines are prepared in compliance with
the Standards for the Professional Practice of Internal Auditing developed by the Institute of
Internal Auditors and international best practice in public sector Internal Audit.
1.1 The guidelines are intended to provide best practice principles rather than specific guidance on
Internal Audit procedures and techniques. Each professional Internal Auditor should hold the
general skills and knowledge of Internal Audit practice.
1.2 A brief explanatory note to facilitate a clear understanding of the guidelines is included before
each guideline.
1.3 These guidelines provide criteria by which Internal Auditing in the Public Sector in member
countries should be measured and evaluated.
1.4 Any standards or guidelines should be dynamic to keep up to date and these guidelines will be
revised from time to time as necessary.
2. NATURE, OBJECTIVES AND SCOPE OF INTERNAL AUDIT
2.0 Explanatory Notes:
2.1 This guideline explains the nature, objectives and scope of Internal Auditing and indicates the
range of responsibilities that Internal Audit should cover. The Head of Internal Audit should
ensure that each Accounting Officer (see Glossary of Technical Internal Audit Terms at the end of
these Guidelines) in the public sector organisations for which they are responsible is aware of
the full range of activities that fall within the scope of Internal Audit.
2.2 Nature: The Institute of Internal Auditors defines Internal Auditing as "an independent objective
assurance and consulting activity designed to add value and improve an organisation's
operations. It helps an organisation accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk management, control and
governance processes."
Internal Auditing Guidelines February 2001 Page 1 of 33
2.3 Internal Audit should be an independent function or division within the public sector organisation.
It assists management by reviewing, assessing and helping to improve the internal control system.
Internal Auditors work with Accounting Officers and other managers to help to improve internal
controls within their public sector organisation and so reduce the risks the Government faces in
achieving its objectives to an acceptable level. Internal Audit undertakes reviews of individual
systems and processes. As a result, recommendations are made to the relevant Accounting Officer
on how internal controls could be improved.
2.4 Scope: The scope of internal audit needs to cover the systematic review, appraisal and reporting
of the adequacy of the systems of managerial, financial, operational and budgetary control and
their reliability in practice, including:
• the relevance of established policies, plans and procedures, the extent of compliance with these
• the appropriateness of organisational, personnel and supervision arrangements
• the extent to which assets and interests are accounted for and safeguarded from losses of all kinds arising from waste, extravagance, inefficient administration, fraud or other causes
• the appropriateness, reliability and integrity of financial and other management information and the means used to identify, measure, classify, report and act upon that information
• the integrity of computer systems, including systems under development
• the follow-up action taken to remedy previously identified weaknesses.
2.5 The actual areas reviewed by Internal Audit should be determined by a risk assessment that guides
Internal Audit planning (see Guideline Seven).
2.6 There should be an Internal Audit service for all public sector and government organisations
including the armed and secret services.
2.7 Objectives: Internal Audit should operate in partnership with management by helping to enhance
their accountability, transparency and corporate governance. This is achieved by identifying and
evaluating their internal control systems and making recommendations for improvements and
refinements to these systems.
2.8 Internal Audit assists Accounting Officers by evaluating and reporting on the elements of the
internal control system for which the Accounting Officer is responsible. It is not, however, an
extension of, or a substitute for, effective internal controls. Responsibility for internal control
rests fully with the Accounting Officer, who should ensure that appropriate and adequate
arrangements for internal control exist in addition to any Internal Audit activity in their public
sector organisation. It is for the Accounting Officer to decide whether or not to accept and
implement Internal Audit findings and recommendations. However, the Accounting Officer should
be responsible to an Audit Committee and the Public Accounts Committee for ensuring that
prompt and effective action is taken to address Internal Audit's findings. An Audit Committee may
assist in ensuring that prompt and effective action is taken in response to audit recommendations.
2.9 Internal Audit may undertake checks that individual items of expenditure are necessary and have
been authorised as required. This may be undertaken before the payment is made (pre-audit) or
may be undertaken later (post-audit). Internal Audit may also be required to undertake
independent checks on stores and fixed assets. However, international best practice suggests that
the core element of Internal Audit work should be systems audit. The objective of systems audit is
to improve the controls operated by management rather than Internal Audit acting as a control
itself.
2.10 If Internal Auditors undertake pre-audit, they should not also undertake system reviews of the
same transactions or systems.
Advantages and Disadvantages of Pre-Audit
Advantages:
• Could help to ensure that expenditure is necessary and appropriate.
• Could help to ensure that expenditure is properly authorised before payment is made.
• Could help to prevent management fraud.
• Could help to reduce the incidence of fraud or irregularity.
• Could help to confirm the existence of projects, supplies and stores.
Disadvantages:
• May reduce officers' responsibilities for internal control. Managers may not check payments properly, but rely on Internal Audit to do these checks.
• Payments may be delayed until Internal Audit has completed their checks.
• It may be an inefficient use of valuable Internal Audit time.
• Could provide an opportunity for unethical Internal Auditors to seek bribes.
• Could relax Internal Audit objectivity when doing systems audit work.
• Could put Internal Audit security at risk.
2.11 In some countries, Internal Audit may be required to undertake pre-audit. Where this is the case
consideration should be given to reducing this role. This could be achieved by only undertaking
pre-audit on larger payments or those that are particularly vulnerable to fraud or irregularity.
Public sector organisations with good internal controls could be rewarded with a reduced
requirement to have their expenditure subject to pre-audit.
2.12 Internal Audit is not necessarily best suited to undertake investigations into suspected fraud,
corruption or irregularity. This is a specialised function that requires expert knowledge and
experience. The approach to fraud investigation is different to that used in routine Internal Audit
work. For these reasons, where possible, fraud investigations should be undertaken by a special
unit.
2.13 Internal Audit can:
• independently review and appraise the systems of control throughout the public sector organisation (not just the financial controls);
• recommend improvements to internal controls;
• ascertain the extent of compliance with procedures, policies, regulations and legislation;
• provide reassurance to management that their policies are being carried out with adequate control of the associated risks;
• facilitate good practice in managing risks;
• save money by identifying waste and inefficiency, and by facilitating the spread of good practice;
• avoid duplication of effort by an effective partnership with the Auditor-General and other review agencies;
• by its activities help to ensure that assets and interests are safeguarded from fraud, deter fraudsters and possibly identify fraud.
2.14 The existence of Internal Audit in a public sector organisation should not cause a general
relaxation of vigilance or responsibility on the part of the line managers. It is not the responsibility of
Internal Audit to detect and/or prevent fraudulent activities and irregularities. This is the
responsibility of all officers, managers and the Accounting Officer.
GUIDELINE ONE: NATURE, OBJECTIVES AND SCOPE OF INTERNAL AUDIT
NATURE OF INTERNAL AUDIT
1 Internal Auditing is an independent objective assurance and consulting activity designed
to add value and improve an organisation's operations. It helps an organisation
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control and governance processes. The
effect of Internal Audit should be continual improvements and refinements to the internal
control system as a contribution to proper, economic, efficient and effective use of
government resources.
OBJECTIVES OF INTERNAL AUDIT
2 Internal Audit has two main objectives. These are to:
a) ensure that internal control and risk management systems are continually being
improved and optimised in response to an ever changing environment;
b) provide reasonable assurance to the relevant Accounting Officer and the Audit
Committee that significant risks in the public sector organisation are being appropriately
managed, with an emphasis on the role of internal controls.
3 The way that these objectives are achieved will vary between countries and
organisations. This leads to a variety of different approaches to Internal Audit. This
subject is covered in the Guideline below on Approaches to Internal Audit.
4 The Head of Internal Audit should be consulted when the Accounting Officer wishes to
change the system of internal control. The Head of Internal Audit should be required to
co-ordinate inter-ministerial or departmental issues concerning control.
5 If Internal Auditors are used to investigate potential fraud or irregularity they will need
specialist knowledge and experience. An expert team should be created to investigate
cases of actual or potential fraud and irregularity.
INTERNAL CONTROL
6 Internal control has been defined by the Committee of Sponsoring Organisations of the
Treadway Commission (COSO) in Internal Control Integrated Framework, as:
'A process, effected by an entity's board of directors, management and other
personnel (people), designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:
• effectiveness and efficiency of operations (basic operational objectives, performance goals and safeguarding resources)
• reliability of financial reporting
• compliance with applicable laws and regulations.'
7 Internal control is a management tool used to provide reasonable assurance that the
public sector organisation's objectives are being achieved efficiently. Internal control
covers the whole system of controls, policies and procedures established by management
to meet their targets and objectives.
8 The responsibility for the adequacy and reliability of internal controls rests with
management. The relevant Accounting Officer has overall responsibility for the
establishment and maintenance of internal controls within their area of responsibility.
The Accounting Officer of each public sector organisation should ensure that proper
internal controls are introduced, reviewed, and updated to keep them effective. An Audit
Committee can assist with this role.
SCOPE OF INTERNAL AUDIT
9 The potential scope of Internal Audit is the whole system of internal control established
by a public sector organisation. This may include controls over all the organisation's
activities, not just controls over financial accounting and reporting. Internal Audit should
review all significant operational and management controls, including policies and
procedures for the management of risk. However, Internal Audit should concentrate its
efforts on the high risk areas and the most important internal controls.
10 The Accounting Officer and Audit Committee should not restrict Internal Audit to work
on financial systems or checking that assets are safeguarded. Internal Audit work should
go beyond the accounts to check that public officials and others entrusted with public
resources are:
a) complying with applicable laws and regulations
b) achieving government objectives and desired services or benefits established by the
public sector organisation.
11 The Audit Committee and the Accounting Officers should ensure that Internal Audit has
the widest scope to ensure that internal controls across the whole public sector
organisation may be subject to review by Internal Audit.
12 Internal Audit should have unrestricted access to all the people, systems, documents and
property it considers necessary for the proper fulfilment of its responsibilities.
3. INTERNAL AUDIT INDEPENDENCE
3.0 Explanatory Notes:
3.1 Internal Audit should be sufficiently independent from line management to ensure that Internal
Audit's professional judgements and recommendations are objective and impartial. To be
effective, Internal Audit needs to have adequate authority and report at a sufficiently senior level
within the public sector organisation. As a result, the Head of Internal Audit should report (for
pay and rations) at a level at least equivalent to the Accountant-General in the Ministry of
Finance or the Permanent Secretary in other ministries. Internal Audit should also report to an
Audit Committee and have a direct reporting line to the Accounting Officer.
3.2 It is generally considered that Internal Audit should not report to a manager if Internal Audit
regularly reviews systems that this manager is directly responsible for. For this reason, in some
countries it is considered inappropriate for the Accountant-General to be responsible for Internal
Audit. The reason for this is that the Accountant-General is the accounting advisor to the
Permanent Secretary in the Ministry of Finance and is also in charge of the treasury and the
national accounts. The Head of Internal Audit regularly reviews systems that the Accountant-
General is responsible for and so should not report on these systems to the same officer.
3.3 Internal Audit will achieve respect through the status it is given in a public sector organisation.
For the individual Internal Auditor, objectivity is essential to ensure an attitude of mind
characterised by integrity, steadfastness and an impartial approach to work. Objectivity may be
impaired through familiarity both with systems and non-audit staff. This may occur if Internal
Audit staff are involved with the same work assignments and ministerial officers for several years.
3.4 Internal Audit should take its authority and terms of reference from the Audit Committee and
Accounting Officer to whom the Head of Internal Audit should report and have the right of direct
access. Internal Audit's terms of reference (or charter) should clearly outline the nature,
objectives, responsibilities and scope of Internal Audit. Internal Audit's terms of reference should
be approved by the Audit Committee subject to applicable legislation.
3.5 The written terms of reference for Internal Audit should clearly:
a) establish Internal Audit's position within the organisation
b) establish Internal Audit's right of access to all records (whether electronic or otherwise),
assets, personnel and premises, and its authority to obtain such information and explanations,
as it considers necessary to fulfil its responsibilities
c) define the scope of Internal Auditing activities.
3.6 Objectivity is an independent attitude of mind that Internal Auditors should maintain when
performing Internal Audit work. It is important that Internal Auditors always retain a critical
edge in undertaking their work. Internal Auditors need to be sceptical in discussions with officers
and to obtain an adequate level of proof from Audit testing.
3.7 Objectivity requires Internal Auditors to carry out Audits in such a way that the quality of their
work or their honest belief in the results of that work is not compromised. Internal Auditors
should not be placed in situations in which they feel unable to make objective professional
judgements.
3.8 Internal Auditors should not be placed in situations in which they feel unable to make objective
and impartial professional judgements. If any of the situations referred to below arise, Internal
Auditors should inform their Head of Internal Audit so that alternative arrangements for the
Internal Audit assignment may be made:
(a) Internal Auditors, notwithstanding their employment by the organisation, should be free
from any conflict of interest arising either from professional or personal relationships or from
pecuniary or other interests in an organisation or activity that is subject to Audit.
(b) Internal Auditors should be free from undue influences, which either restrict or modify the
scope or conduct of their work or over-rule or significantly affect judgement as to the content of the
Internal Audit report.
(c) Internal Auditors should not allow their objectivity to be impaired when Auditing an
activity for which they have had authority or responsibility in the past.
(d) Internal Audit should be consulted about significant proposed changes to the internal
control system or the implementation of new systems. Internal Audit may make recommendations
on the standards of control to be applied without prejudicing Internal Audit's objectivity in
reviewing those systems at a later date.
(e) Internal Auditors should not normally undertake non-Audit duties, but if they do,
exceptionally, they should ensure that management understands that they are not then functioning
as Internal Auditors.
3.9 International best practice suggests that Audit Committees should be established. Audit
Committees are generally considered to improve the independence of Internal Audit. Audit
Committees should be established for each public sector organisation. Members of an Audit
Committee, especially the chair, should be chosen so that they are sufficiently independent from
the senior managers of the public sector organisation and so they are suitably experienced. An
Audit Committee may deal with more than one organisation.
3.10 The role of an Audit Committee with regard to Internal Audit is that it should:
• approve Internal Audit's strategic and operational plans and review performance against them
• discuss with Internal Audit its findings and the responses of management to its major recommendations; and, periodically, its views on the overall quality of internal control
• consider the objectives and scope of any additional (non-audit) work undertaken by the Internal Auditors to ensure there are no conflicts of interest and that independence is not compromised
• review the adequacy of the Internal Audit function, its adherence to professional standards, particularly independence, standing, scope, resourcing, its liaison with the Auditor-General and other review agencies and its reporting arrangements
• meet regularly two or three times a year and meet with the Internal Auditors at their request as they deem necessary
• through its Chair represent the concerns of Internal Audit to the relevant Accounting Officer, Permanent Secretary or Minister
• be involved in the process of appointment or dismissal of the Head of Internal Audit
• periodically review the Internal Audit terms of reference.
GUIDELINE TWO: INTERNAL AUDIT INDEPENDENCE
13 Internal Auditors should be objective, and, as far as possible, operationally independent
of the management of the public sector organisation.
14 Internal Audit independence should permit it to provide impartial and unbiased
judgements that are essential for its proper function. Internal Audit independence should
also ensure that the Head of Internal Audit can report without 'fear or favour' to all levels
within the public sector organisation. Internal Audit independence can be ensured
through status and objectivity.
15 It is the responsibility of the Accounting Officer and the Audit Committee to ensure
that conflicts of interest do not arise and that Internal Audit's objectivity and
independence are not compromised. If the independence or objectivity of Internal
Audit is impaired, in fact or appearance, the details of the impairment should be
disclosed to the Accounting Officer and the Audit Committee.
STATUS
16 The Head of Internal Audit should be responsible to an individual with sufficient
authority to promote Internal Audit independence and to ensure the broadest Internal
Audit coverage, adequate consideration of Internal Audit reports and appropriate action
on Internal Audit recommendations. Internal Audit needs the support of top management
officials so that they can gain the co-operation of officers and perform their work without
interference. Internal Audit should have a direct reporting line to the Accounting Officer
and the Audit Committee.
17 The Head Internal Auditor should report to the Accounting Officer and an Audit
Committee.
TERMS OF REFERENCE
18 Internal Audit should have written terms of reference (or charter) that are agreed by the
Accounting Officer and the Audit Committee. These should clearly outline the nature,
objectives, responsibilities and scope of Internal Audit. The Head of Internal Audit
should actively seek to develop and obtain approval of such terms of reference. The
terms of reference should be reviewed and revised, if necessary, at least every three
years.
19 The terms of reference for Internal Audit should include the requirement for Internal
Audit to have access to all personnel, records, assets and property that Internal Audit
considers necessary for it to undertake its work effectively.
20 The terms of reference for Internal Audit should be supported by a law, by-law or
regulation that specifies the position of the Internal Auditor in the government hierarchy.
OBJECTIVITY
21 The term objectivity includes the requirement on the part of Internal Auditors to have an
independent mental attitude to the performance of their work. Objectivity should ensure
that Internal Auditors have an honest belief in their work product and that no significant
quality compromises are made.
22 Internal Auditors should not be placed in any situation where they feel unable to make
objective professional judgements. Objectivity may be impaired through familiarity,
with both systems and officers. This may be created by Internal Audit staff being
involved with work assignments for too long a period of time. In order to maintain
maximum awareness and motivation amongst Internal Audit staff, work assignments
should be rotated on a planned basis. Transfers of Internal Audit staff between public
sector organisations are to be recommended, every few years, where possible.
23 Internal Audit assignments should be undertaken in such a way that there is no potential
or actual conflict of interest. Internal Audit staff should not undertake Audits of systems
if they worked in this area in the last year. Internal Audit staff should declare any
conflict of interest that may arise.
24 Recommending standards of control for new systems or reviewing procedures before
they are implemented is part of Internal Audit work. However, designing, installing and
operating systems is not an Internal Audit function. Performing such work is presumed
to impair Internal Audit objectivity.
POSITION
25 The position of Internal Audit should be categorised specifically as a Staff function as
opposed to all Line Functions. Internal Auditors should not supervise or manage other
sections or activities. If Internal Auditors perform non-audit work they are not
functioning as Internal Auditors. Performance of such activities is presumed to impair
Internal Audit objectivity. Therefore, the Internal Auditor should not undertake
executive functions outside their divisional activities.
26 The position of Internal Audit within the public sector organisation should be high
enough to ensure that there is no impairment of Internal Audit scope.
4. MANAGING INTERNAL AUDIT
4.0 Explanatory notes:
4.1 The appointment of appropriate staff is important to the success of Internal Audit. Internal
Auditors must be able to develop good working relationships with all officers. Internal Auditors
must also be able to quickly understand how systems work and be able to identify suitable
improvements. The Head of Internal Audit should ensure that all their staff are appropriately
trained and receive suitable guidance.
4.2 Controlling: Internal Audit work should be controlled at all levels of operation to achieve
objectives and ensure the economic and efficient use of resources.
4.3 The Head of Internal Audit should continually monitor Internal Auditors' performance. Any
significant variations from work plans should be investigated and dealt with appropriately. The
results of each Internal Audit assignment or groups of Audit assignments should be reviewed
against Internal Audit plans. Efficiency should be assessed and any necessary revisions made to
subsequent planned work.
4.4 Recording: The Head of Internal Audit should specify standards of Audit documentation, ensure
that those standards are maintained and monitor compliance with the standards.
4.5 Appraisal: Like any other department, Internal Audit should be constantly appraised to ensure
that its performance and value to the management of the public sector organisation is maximised.
The Internal Audit function is subject to budgetary constraints, in common with all other elements
of the public sector, therefore its value should continually be re-assessed. This appraisal or
assessment should be undertaken by Internal Audit managers and also periodically by
independent suitably experienced external assessors. The assessment should consider the views of
the Accounting Officer and other senior managers on the success of Internal Audit. It may also
consider Internal Audit's effectiveness and any appropriate directional changes.
4.6 An Internal Audit management unit in the Ministry of Finance may assist in maintaining the
quality of internal audit across all public sector organisations and can assist with ensuring the
independence of Internal Audit. The Internal Audit management unit may have responsibility for
the staffing, planning, organisation and co-ordination of Internal Audit units in all public sector
organisations. The management unit may provide guidance to Internal Audit units in other public
sector organisations, monitor all Internal Audit reports, and co-ordinate training across the
public sector. In some countries Internal Audit units in all public sector organisations are
managed by a central Controller of Internal Audit in the Ministry of Finance.
GUIDELINE FOUR: MANAGING INTERNAL AUDIT
27 The Head of Internal Audit should effectively manage Internal Audit to ensure it adds value
to the public sector organisation and to ensure that:
(a) Internal Audit work fulfils its terms of reference
(b) resources for Internal Audit are used efficiently and effectively
(c) Internal Audit staff undergo suitable professional development
(d) Internal Audit work conforms to approved standards
(e) the morale of Internal Audit staff is developed and maintained.
28 The Head of Internal Audit should submit periodic activity reports to the Accounting
Officer and the Audit Committee. These reports should compare:
(a) actual performance with goals and Internal Audit plans
(b) actual expenditures with financial budgets.
The Head of Internal Audit should explain major variances (positive or negative) together
with action taken to address these.
29 The Head of Internal Audit should ensure that Internal Audit staff are provided with a
suitable Audit Manual including written policies and procedures to guide them with their
work. This guidance should also include programmes for particular Internal Audit
assignments. The Internal Audit programmes should specify reporting lines at each level of
management.
30 The Head of Internal Audit should ensure that the work of all levels of Internal Audit staff is
effectively supervised from planning to conclusion. This supervision should include:
(a) provision of suitable instructions and guidance at the outset of an Internal Audit
assignment and approving the Audit programme
(b) seeing that the approved Audit programme is carried out unless deviations are both
justified and authorised
(c) ensuring that Internal Audit staff understand the work to be undertaken and obtain and
document sufficient relevant and reliable audit evidence
(d) determining that Internal Audit objectives are being met.
MANAGEMENT REVIEW
31 All Internal Audit working papers and reports should be reviewed by Internal Audit
managers before the reports are released. This review should include:
(a) determining that Audit working papers adequately support the Audit findings,
conclusions and report
(b) making sure that Audit reports are accurate, objective, clear, concise, constructive and
timely.
32 Internal Audit working papers should show clear evidence of this management review.
QUALITY ASSURANCE APPRAISALS
33 There should be periodical reviews of Internal Audit performance to ensure that its
performance and value to the management of the public sector organisation is maximised
and to ensure compliance with appropriate standards and guidance.
34 The Head of Internal Audit should establish and maintain a quality assurance programme to
evaluate the operations of Internal Audit. This programme should provide reasonable assurance that Internal Audit work conforms to relevant standards and these Internal
Auditing Guidelines. It should also ensure that Internal Audit adds value by improving
internal control. This quality programme should include:
(a) supervision
(b) internal review
(c) external review.
35 Supervision of Internal Audit work should continuously ensure conformance with the
Institute of Internal Auditors Standards, these Internal Auditing Guidelines, department
policies and Audit programmes.
36 Internal reviews should be performed periodically by senior Internal Audit staff to appraise
the quality of the Internal Audit work that is undertaken in all public sector organisations.
37 External reviews should be performed to assess the quality of Internal Audit work against
these Guidelines. These reviews should be performed by suitably qualified Internal
Auditors who are independent of the organisation and who do not have either a real or an
apparent conflict of interest. The external reviews should be undertaken at least once every
five years.
38 On completion of such reviews, formal written reports should be issued to the relevant
Accounting Officer and the Audit Committee. These reports should express an opinion on
Internal Audit's compliance with these Internal Auditing Guidelines and, where necessary,
should include recommendations for improvement.
5. PROFESSIONAL PROFICIENCY
5.0 Explanatory notes:
5.1 In carrying out their duties Internal Auditors should exercise due professional care, that is
competence based on appropriate experience, training, ability, integrity and objectivity.
5.2 Due professional care is defined as carrying out Internal Audit work with competence and
diligence. Due care does not mean infallibility. Consequently Internal Auditors cannot provide
absolute assurance that non-compliance or irregularities do not exist. However, it will be
incumbent upon the Internal Auditor to consider the effect of significant weaknesses in the systems
under review and evaluate the possibility of material irregularity or non-compliance with the
legislation and regulations when undertaking Internal Audit.
5.3 Professional care requires the use of Audit skills and judgements based on appropriate
experience, training, ability, integrity and objectivity. The level of professional care to be
exercised should be appropriate to the objective and complexity of the Internal Audit work being
performed.
5.4 In order to demonstrate due professional care, Internal Auditors should be able to show that their
work has been performed in the manner which meets the criteria set by these Internal Auditing
Guidelines or specific departmental policies.
5.5 Internal Audits should be performed by, or supervised and controlled by, Audit staff who have the
technical skills, experience and perspective which will enable them to comply with these Guidelines. This is necessary to maintain Internal Audit's credibility as a dependable instrument
of management.
5.6 The Head of Internal Audit should therefore ensure that Audit staff have the capacity to meet the
responsibilities identified by the terms of reference agreed with the Audit Committee and the
Accounting Officer.
5.7 The Head of Audit should ensure that all Internal Audit staff are reminded of their ethical
responsibilities and also ensure that their declarations of interest are reviewed, and where
appropriate, updated at least once a year.
5.8 Internal Auditors should not accept any gift or inducement from an officer, worker, supplier or
other third party. Information acquired by Auditors in the course of their work should not be used
for unauthorised purposes or for personal benefit or gain. Internal Auditors should only accept
hospitality when this is consistent with the public sector organisation's documented arrangements.
5.9 The most important source of information for Internal Auditors is the staff working within the area
subject to Audit. These officers know how the system actually operates and should have a
reasonable idea of how practical any improvements may be. Thus interviewing skills are essential
for all Internal Auditors. Internal Auditors need to be able to understand what may be a complex
system. Internal Auditors also need to be able to critically assess each stage of the process. Why
is it performed? Could it be undertaken more efficiently?
5.10 Staff who operate the system will know what they do, but not necessarily why they do it. They may
also try and explain the system in the most positive light. The skill of Internal Auditors is to
enable all the staff they interview to open up and describe what they actually do (not just what
they think they should do) and to identify any aspects they think could be improved.
Understanding why each step is taken is more difficult. Staff may just do it because "we've
always done it that way" or, even worse, because "the Auditors told us to"!
5.11 An experienced Internal Auditor will ensure that the staff they talk to are relaxed and so describe
the system, its bad points as well as the good points. They will also challenge the staff to ensure
that they describe what actually happens and through discussion ascertain whether any
improvements are possible and practical.
GUIDELINE FIVE: PROFESSIONAL PROFICIENCY
Staffing
39 Internal Auditors should be appointed through free and open competition on the basis of
merit. The criteria used to fill Internal Audit posts should be suitable and clearly
documented. They should be developed after considering the level of required scope and
responsibility. Deliberate attempts should be made to ensure the proficiency and
qualifications of each prospective Auditor.
Compliance with Codes of Conduct
40 Internal Audit staff should follow existing codes of conduct and ethics for their
organisation. All professional Internal Audit staff should be members of the relevant
accounting or Internal Auditing professional body and follow their code of conduct or
ethics. All Internal Auditors should follow a professional code of conduct which calls
for:
a) high standards of honesty
b) high standards of diligence
c) high standards of loyalty.
Knowledge, Skills and Discipline
41 Internal Auditors should be required to (individually) possess the knowledge, skills and
competencies essential to the performance of effective Internal Audit. Internal Audit
staff should be required to possess the following skills:
a) proficiency in applying Internal Auditing Guidelines
b) knowledge of techniques required to perform Internal Audit
c) proficiency in accounting principles and techniques (especially government
accounting)
d) an understanding of management principles and administrative procedures to enable
recognition and evaluation of the materiality and significance of deviations from good
and acceptable practice.
Human Relations and Communication
42 Internal Auditors should possess the skills required to deal with people and to
communicate effectively. They should cultivate harmonious relationships with officers
and managers. Internal Auditors should be proficient in oral and written communication
to enable effective reporting.
Continuing Education
43 Training of Internal Auditors should be a planned and continuous process at all levels
and should be designed to cover:
a) basic training providing the minimum level of skills and knowledge which all
Internal Auditors should possess
b) development training in Audit skills, techniques and behavioural aspects to improve
the effectiveness of those staff currently engaged as Internal Auditors
c) management training for those Auditors with responsibility for managing and
directing Audit teams, together with those staff members who show the potential for
management positions
d) specialist training for those Auditors responsible for a special field of Audit work
which requires specialist skills and knowledge, for example, computer auditing or
performance auditing.
44 Internal Auditors, as responsible Government officers, should be responsible for
continuing their education in order that they maintain their knowledge, skills and
proficiency. They should keep themselves informed on changes and developments in
their public sector organisation's activities and other Government developments. Internal
Auditors also need to be aware of developments across the Internal Auditing profession.
45 If there is an Internal Audit management unit in the Ministry of Finance, this unit should
be responsible for the co-ordination of training requirements for all government Internal
Auditors. The foundation, from which the assessment of training requirements of
Internal Audit will be derived, should be the database of Internal Audit staff in all public
sector organisations.
46 Internal Auditors should be aware of their responsibility for continuing their education in
order to maintain their proficiency through participation in professional societies,
conferences and seminars, college courses and in-house training, and should engage in research to
identify new Internal Auditing developments.
Due Professional Care
47 The term "due professional care" means and includes the application of the care and skill
expected of a reasonable, prudent and competent Internal Auditor in the same or similar
circumstances.
48 In exercising due professional care, Internal Auditors should be alert to the following:
a) the possibility of intentional wrongdoing
b) errors and omissions
c) inefficiency, waste, ineffectiveness
d) conflicts of interest
e) conditions and activities likely to give rise to irregularities
f) inadequate control situations.
49 In exercising due professional care the Head of Internal Audit is required to consider the
following:
a) the extent of Internal Audit work needed to achieve the Audit objectives
b) the relative complexity, materiality or significance of matters to which Audit
procedures are applied
c) adequacy and reliability of risk management and control processes
d) likelihood of material irregularities or non-compliance
e) the cost of Internal Audit work compared to potential benefits or the risk of poor
internal controls.
6. RELATIONSHIPS
6.0 Explanatory notes:
6.1 Management and staff at all levels should have confidence in the integrity, independence and
capacity of Internal Audit. This should be reflected and maintained in good working relationships
between Internal Auditors and the staff in the sections that they review.
6.2 The Head of Internal Audit should seek to foster and maintain constructive working relationships
with stock verifiers, fraud investigators, inspectors and any other review staff. Consultations
between Internal Audit and review staff should lead to effective co-ordination and minimise
duplication of work.
6.3 Internal Audit should not improperly disclose any information obtained during the course of their
work. Permission should be provided by senior management before any information is passed
outside the organisation. Internal Audit will, quite properly, reveal to appropriate responsible
parties (for example, police or Auditor-General) all material facts they have established which, if
not so revealed, may prevent the uncovering of unlawful acts or could distort Audit reports. The
passing of this information should be treated as confidential and legally privileged. That is, the
Internal Auditor will be exempt from any legal liability from the passing of such information.
6.4 It is important for Internal Audit to market the services it can provide to managers. This could
include producing leaflets and making presentations to Accounting Officers and other senior
officers on the services, assistance and role that Internal Audit can play.
6.5 The relationship between Internal Audit and the Auditor-General's Office needs to take account of
their differing roles and responsibilities. Internal Audit is an independent appraisal function
within the organisation and Internal Auditors are direct employees. It is the Auditor-General's
role to ensure that the financial statements, operating performance and related statements are
properly stated in all material respects. Internal Audit and the Auditor-General may also have
responsibility for performance audit to ensure that economy, efficiency and effectiveness are
improved.
6.6 The aim should be to achieve mutual recognition and respect, leading to a joint improvement in
performance and the avoidance of unnecessary overlapping of work. It should be possible for the
Auditor-General and the Head of Internal Audit to rely on each other's work, subject to limits
determined by their different responsibilities, respective strengths and special abilities.
Consultations should be held and consideration given to whether any work of either Auditor is
adequate for the purpose of the other. Internal Audit does not automatically have a right of access
to the records of the Auditor-General. However, the relationship between the Head of Internal
Audit and the Auditor-General should be such that the Auditor-General will allow access to the
necessary records.
6.7 The Head of Internal Audit should seek, where appropriate, co-ordination of the plans of Internal
Audit with those of the Auditor-General's Office and the programme of, for example, stock
verifiers. This co-operation should promote the most effective total audit coverage and should
avoid duplication of work. The Auditor-General's Office will have to decide if they can place
reliance on the work of Internal Audit and so reduce the amount of work undertaken by their own
staff.
6.8 The Head of Internal Audit should meet regularly with staff from the Auditor-General's Office to:
• discuss work plans for Internal Audit and the Auditor-General's Office
• agree and review the performance of the work relied on
• evaluate the relationships with the Auditor-General's Office and report as required to the
  Accounting Officer and Audit Committee on this relationship
• agree access to each other's audit programmes and working papers
• exchange audit reports and management letters
• enhance understanding of each other's audit techniques and methods
• discuss any other matters of mutual interest.
GUIDELINE SIX: RELATIONSHIPS
50 Internal Audit's relations with other staff in the public sector organisation, the Auditor-General,
stock verifiers and other review agencies should be based on mutual confidence,
understanding of each other's needs and a reciprocal desire for co-operation.
Management, at all levels, should have complete confidence in the integrity,
independence and capability of the Internal Audit unit.
51 There should not be any form of rivalry or conflict between the Internal Auditors and
staff in the Auditor-General's Office. Similarly, there should be a constructive
relationship between Internal Auditors, stock verifiers and other review agencies.
52 The Head of Internal Audit should initiate action to ensure the development of co-
ordination, effective working relationships and the avoidance of duplication of work
with other review agencies. This could include:
a) liaison meetings to discuss matters of mutual interest
b) arranging for access to each other's plans, system notes and findings
c) arranging for consultation on plans and proposed visits
d) reviewing training proposals to arrange joint training sessions where possible
e) dissemination of literature for discussion to promote understanding of techniques,
methods and terminology.
53 Copies of Internal Audit reports should be made available to the Auditor-General for
information and co-ordination.
54 Internal Auditors should be familiar with the legislation that defines the statutory
responsibility, duty and rights of access of the Auditor-General. The Head of Internal
Audit should recognise the differences between the roles of Internal Audit and that of the
Auditor-General.
55 The staff of the Auditor-General's Office may review the effectiveness of Internal Audit
as part of their evaluation of management control arrangements. This review should
determine the extent that the Auditor-General's Office is able to rely on Internal Audit
work. Internal Audit should not necessarily undertake special tasks at the request of the
Auditor-General's Office. However, routine, planned Internal Audit work may be used
by the Auditor-General's Office for their own purposes.
56 The relationship between the Internal Auditor and the public sector organisation should
be considered legally privileged. That is, the Internal Auditor will be exempt from any
legal liability from the proper undertaking of their work.
Internal Auditors should not release Audit findings or other information outside the
normal reporting arrangements without the knowledge and permission of those
concerned.
57 Internal Auditors should normally consult and advise managers when arranging Audit
visits to their department. The exception to this rule would be for unannounced surprise
visits.
7. INTERNAL AUDIT PLANNING
7.0 Explanatory notes:
7.1 Internal Audit work should be planned at all levels of operation in order to establish priorities,
achieve objectives and ensure the efficient and effective use of Audit resources. Planning should
be based on Internal Audit's terms of reference and allow for coverage of all significant systems,
operations, staff and sites within the public sector organisation.
7.2 Internal Audit plans should be based on a comprehensive understanding of the public sector
organisation and the way in which it operates. High-risk systems or transactions and any known
problem areas should be clearly identified. The emphasis of the Internal Audit plan should be
directed towards these systems.
7.3 Internal Audit plans should be developed in consultation with senior staff and the relevant
Accounting Officer. The appropriate Audit Committee should then approve the Internal Audit
plans.
7.4 Internal Audit planning should include the following steps:
• identify all auditable activities within the agreed scope of Internal Audit
• carry out a risk assessment on these activities in conjunction with management, identifying
  categories such as high, medium, low
• prepare an audit needs assessment based on the risk assessment
• develop an overall strategic plan from the audit needs assessment to cover these risks, over,
  say, a three-year period
• bring to the Accounting Officer and/or the Audit Committee's attention any mismatch between
  Audit needs and actual Audit resources
• identify systems to be covered in the first year of the strategic plan and prepare an annual
  Internal Audit plan
• discuss the strategic and annual plans with appropriate senior managers, Accounting Officers
  and the Auditor-General's Office and amend as necessary
• present the plans to the Accounting Officer and/or the Audit Committee for approval.
7.5 Internal Audit plans should be amended as necessary to take account of changing circumstances.
The Accounting Officer and the Audit Committee should formally approve all significant changes
to the Internal Audit plans.
GUIDELINE SEVEN: INTERNAL AUDIT PLANNING
58 The Head of Internal Audit should establish plans to carry out the responsibilities of Internal
Audit consistent with the public sector organisation's goals and objectives.
59 The Internal Audit planning process should include the following:
(a) identifying goals
(b) preparation of strategic Internal Audit plans
(c) establishing proper staffing plans and financial budgets
(d) preparation of activity reports.
60 Internal Audit plans should:
(a) establish a list of systems that could be Audited and prescribe a period within which it is
desirable that each significant system should be examined
(b) define the tasks to be performed
(c) assist in the direction and control of work by identifying critical areas, setting target
dates and allocating resources.
61 To be effective, the Head of Internal Audit should:
(a) define audit needs taking into account the Internal Audit's terms of reference
(b) identify the staff and other resources needed and reconcile these with available
resources
(c) choose an appropriate time period for the Audit plans
(d) record all plans in writing
(e) monitor work against planned activity and revise plans as appropriate.
62 Internal Audit plans should be based on a risk assessment. The risk assessment process, to
be conducted at least annually, includes an assessment of:
a) relevant risks and their significance
b) consideration of senior management, the Accounting Officer and the Audit Committee's
professional judgement
c) identification of activities to be audited.
63 Internal Audit strategic plans should take into account the following factors:
(a) the date and results of the last Internal Audit assignment
(b) the estimated time required, taking into account the scope of the planned work and the
nature and extent of audit work to be performed by others.
(c) requests by management
(d) major changes in operations, programs, systems and controls
(e) staffing, planning and effective utilisation of financial budgets
(f) Internal Audit priorities
(g) flexibility to cover unanticipated demands on the department.
64 Internal Audit plans and staffing and financial budgets should be developed from strategic
plans, administrative activities, education and training requirements and research and
development efforts.
65 The Head of Internal Audit should submit annually to the Accounting Officer and Audit
Committee for approval a summary of Internal Audit's strategic plans, staffing plans and
financial budgets. All significant amendments to these plans should similarly be approved
by the Accounting Officer and Audit Committee.
66 The Head of Internal Audit should explain, if necessary, why the Audit needs are not being
met. This should prompt the relevant Accounting Officer to take action to ensure that their
public sector organisation is provided with sufficient Internal Audit resources.
8. APPROACHES TO INTERNAL AUDIT
8.0 Explanatory notes:
8.1 There are several different approaches to Internal Audit. International best practice suggests that
systems audit is the most effective way that Internal Audit can add value to an organisation.
However, in many countries it is considered necessary for Internal Audit to complement systems
audit with a pre-audit approach. If a pre-audit approach is adopted the Head of Internal Audit,
the Audit Committee and the Accounting Officer should discuss the extent that this is necessary.
They should also consider suitable means of reducing the proportion of time that Internal Auditors
spend on pre-audit work.
8.2 The systems approach to Internal Audit seeks to assess and improve the effectiveness of the public
sector organisation's internal control system. The prime purpose of a systems Audit should be to
evaluate the extent to which the system may be relied upon to ensure that the objectives of the
system are met. Where internal controls are not adequate and reliable Internal Audit should make
practical recommendations to ensure that these controls are improved.
8.3 Internal Audit evidence should be adequate to meet the objectives of Audit assignments. Internal
Auditors should be satisfied with the nature, adequacy and relevance of Audit evidence before
placing reliance on that evidence. Information should be collected, analysed and documented by
the use of appropriate Audit techniques.
8.4 The production of Audit evidence should be supervised and reviewed by the Head of Internal
Audit. To meet an acceptable standard the evidence should be sufficiently adequate and
convincing to the extent that a prudent, informed person would be able to appreciate how the
Auditor's conclusions were reached.
8.5 Internal Audit may also complement its systems approach with other techniques, for example:
• performance auditing
• control self assessment
• advice and assistance on control issues
• helping with risk management.
GUIDELINE EIGHT: AUDIT APPROACH
67 Internal Auditors should ensure that their approach and methods enable them to discharge
their responsibilities effectively. This will involve careful thought and discussion with the
Accounting Officer, the Audit Committee and others on the most effective approach to
Internal Audit given the particular circumstances of the public sector organisation.
68 Internal Audit should assess and improve the public sector organisation's risk management,
control, and governance processes. The internal auditing activity should assist the public
sector organisation in maintaining effective controls. Assistance can be provided by
evaluating the public sector organisation's controls to determine their effectiveness and
efficiency and by developing recommendations for improvement. Internal Auditors should
ensure that the costs of maintaining controls balance the potential benefits.
SYSTEM APPROACH
69 Internal Audit should, where possible, adopt a systems approach. The systems approach
aims to assess and help improve the control features that govern the system. This
approach should provide reasonable assurance that existing controls will ensure that each
system's objective is achieved.
70 When undertaking systems audit an Internal Auditor should:
a) document and analyse the internal control system across all public sector organisations
and establish Internal Audit plans
b) identify and evaluate the controls that are established in individual systems to achieve
the public sector organisation's objectives in the most economic and efficient manner
c) obtain and record relevant, reliable and sufficient audit evidence to support their
findings and recommendations
d) report findings and recommendations for each individual system that is Audited
e) provide an opinion on the adequacy and reliability of the controls in the individual
system under review
f) provide periodic assurance based on an evaluation of the whole internal control system
across all public sector organisations.
71 The use of the systems approach should enable Internal Audit to confirm the following:
a) the official system
b) whether it is operating according to agreed guidance and regulations
c) whether the system is adequate
d) whether the controls are reliable.
72 The system's adequacy should be used to ascertain the following:
a) what should happen to achieve the system's objectives
b) what could go wrong in view of the system's design
c) what has been done to stop things going wrong.
9. REPORTING, MONITORING AND FOLLOW-UP
9.0 Explanatory notes:
9.1 The findings and recommendations arising from each Internal Audit assignment should be
promptly reported to management. The recommendations should then be followed up to check
that agreed action has been implemented. A summary of Internal Audit findings,
recommendations and activities should be submitted periodically to the Accounting Officer and
the Audit Committee.
9.2 In general Internal Audit reports should:
• state the scope, purpose, extent and conclusions of the Internal Audit assignment, including
  Internal Audit's opinion on the adequacy of controls
• make recommendations that are appropriate and relevant, that call for action to correct
  identified weaknesses or improve the efficiency of operations
• acknowledge the action taken, or proposed, by management.
9.3 Recommendations included in the Internal Audit reports should:
• be practical and provide constructive solutions to problems identified
• be sufficiently detailed to act as a guide for action and facilitate the efficient achievement of the
  organisation's objectives
• be prioritised based on the significance of the weakness identified.
9.4 Conclusions are the Internal Auditor's evaluations of the effects of the findings on the particular
system reviewed. They should:
• put the findings in perspective based on the overall implications and significance of the
  weaknesses identified
• identify the extent to which the system's control objectives are being achieved and the degree to
  which the internal control systems should ensure that the goals and objectives of the public
  sector organisation are accomplished efficiently.
9.5 Management should be required to respond in writing to each Internal Audit report. Management
and Internal Audit should agree officer responsibility and target dates for implementation of
agreed recommendations. The responsibility for final editing of Audit reports should remain with
the Head of Internal Audit who should always retain the right to issue reports without further
editing.
9.6 Follow-up activity is the process by which Internal Audit confirms that agreed recommendations
have been implemented by line managers. Internal Audit should periodically follow up Audit
reports to review and test the implementation of agreed Internal Audit recommendations.
9.7 The Head of Internal Audit should submit to the Accounting Officer and Audit Committee, at
agreed intervals, a report of Internal Audit activity and results. The report should compare actual
Internal Audit activity against the annual Internal Audit plan and should clearly indicate the
extent to which the total Internal Audit needs of the public sector organisation have been met.
9.8 In the annual Internal Audit report the Head of Internal Audit should give a formal opinion to
the Accounting Officer and Audit Committee on the extent to which reliance can be placed on the
public sector organisation's internal control system. The attention of the Accounting Officer and
Audit Committee should be drawn to any major Internal Audit findings where action appears to be
necessary but has not been undertaken.
GUIDELINE NINE: INTERNAL AUDIT REPORTING
73 The Head of Internal Audit should report periodically to the Accounting Officer and the
Audit Committee on Internal Audit's purpose, authority, responsibility, and performance
relative to its plan. Reporting should also include significant risks and control issues,
corporate governance issues, and other matters needed or requested by the Accounting
Officer and the Audit Committee.
74 The findings and recommendations arising from each Internal Audit assignment should be
promptly reported to the Accounting Officer and others who are affected by the report. The
final Internal Audit report including any comments from the Accounting Officer should be
reported to the Audit Committee.
75 The Head of Internal Audit should have complete freedom in the way in which Internal
Audit findings are reported and to whom each report is issued. The Head of Internal Audit
should review and approve each final Internal Audit report before it is issued.
76 Internal Audit reports should contain all material facts known to the Auditor concerning the
system under review to avoid distortion or concealment of any unlawful or improper
practice.
77 Internal Audit reports should be regarded as confidential and exclusive to the public sector
organisation concerned except for privileged external reviews by the Auditor-General and
Permanent Secretary to the Treasury.
78 The Head of Internal Audit should submit monthly or periodic progress reports to the
Accounting Officer and the Audit Committee and explain significant deviations from
approved strategic plans, staffing plans and financial budgets.
79 The Head of Internal Audit should provide an annual report to the Accounting Officer and
the Audit Committee. This report should include:
a) the Head of Internal Audit's opinion on the adequacy and reliability of the whole internal
control system
b) the extent that the Internal Audit needs of the public sector organisation have been met
c) any significant Internal Audit findings where action appears necessary but has not been
taken
d) any systems within the public sector organisation where the internal controls are not
adequate and reliable
e) a comparison of actual Internal Audit activity against the agreed annual plan.
COMMUNICATING RESULTS
80 When communicating results of their work Internal Audit should:
a) oral reports may be issued and should be confirmed in writing
b) discuss conclusions and recommendations at appropriate ministerial, departmental or
regional levels before issuing final written reports
c) issue a signed written report after each Internal Audit assignment that is objective, clear,
concise, constructive and timely
d) give reports which clearly present the purpose, scope and results of the Audit
e) give reports with recommendations for potential improvement, suggestions of corrective
action and acknowledgement of satisfactory performance
f) obtain and include in the report the system managers' views about the conclusions or
recommendations
g) include the officer who is to implement each agreed recommendation and a target date
for its implementation.
MONITORING AND FOLLOW-UP
81 Internal Auditors should follow up their reports to ascertain that appropriate action is taken
on agreed Internal Audit recommendations. Internal Audit should determine, with
appropriate Audit testing, that corrective action has been taken and is having the desired
effect.
82 If the Accounting Officer does not agree with an Internal Audit recommendation or does not
ensure that agreed recommendations are implemented they should accept the associated
risks. The Audit Committee may advise the Accounting Officer to implement an Internal
Audit recommendation if it considers it necessary to achieve sound internal control.
83 The Auditor-General may review and report on the extent that Internal Audit
recommendations have been implemented. Internal Audit may also review the extent that
recommendations made by the Auditor-General have been implemented.
Glossary of Technical Internal Audit Terms
Accounting Officer - the head of a government ministry or department who is personally responsible for the management and internal controls of the ministry or department and any fraud or irregularity that may occur.
Adequacy of internal control - an assessment of the quality of internal control. Controls may be considered to be adequate if, when applied consistently, the controls should help to provide reasonable assurance that a control objective will be achieved.
Auditor-General - the head of the government's external audit service. The Auditor-General is responsible for certifying that the government accounts show a true and fair view, that there has been a proper use of public funds and often for undertaking value for money reviews.
Audit Committee - a high level committee, comprising, where possible, independent, non-executive members, with responsibility for overseeing the independent review of the framework of internal control, monitoring the Internal Audit function and the external audit processes.
Audit Needs Assessment - an assessment undertaken by Internal Audit in consultation with management to determine the extent of Internal Audit that is needed within an organisation and the frequency that particular systems should be reviewed.
Control objectives - the objectives of a control system. Used by Internal Auditors as a framework for undertaking systems auditing and so assessing the overall quality of the internal control system.
Control Self Assessment - an approach to risk management, that may be facilitated by Internal Audit, that enables management to assess the risks and controls to the achievement of the organisation's objectives. It may include the development of a risk register that lists the main risks the organisation faces and an action plan for improvements to internal control.
Head of Internal Audit - is a generic title for Chief Internal Auditor or Director of Internal Audit or any other equivalent title.
Internal Audit - is an independent objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Internal Control - is a process, effected by an entity's board of directors, management and other personnel (people), designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
effectiveness and efficiency of operations; (basic operational objectives, performance goals and safeguarding resources)
reliability of financial reporting
compliance with applicable laws and regulations.
Management - implies the Permanent Secretary and Accounting Officers in Ministries, or Controlling officers in Regions or other responsible officers in a public sector organisation.
Performance Audit - an approach to Audit that aims to improve the economy, efficiency and effectiveness of operations. The objective of Performance Audit is to improve the value for money provided by a public sector organisation.
Public Sector Organisation - types of public sector entities, for example, ministries, departments, regions or districts, as examples of the range of possible governmental entities that may exist.
Reliability of Internal Control - an assessment of the extent that internal controls are applied consistently by all staff, at all times and in all circumstances.
Risk - the chance (or probability) that one or more of the organisation's objectives will not be achieved. It may refer to the failure to achieve objectives efficiently or the occurrence of unwanted outcomes. It may also refer to the inability to exploit possible opportunities.
Risk management - the formal identification, assessment and planned management of significant risks facing the organisation.
Systems Audit - systems audit is the structured analysis of internal control in relation to the objectives of the organisation. Systems audit should enable internal audit to make practical recommendations to address any weaknesses that have been identified within the context of risks to the achievement of the system's objectives. It should also enable internal audit to form an opinion on the adequacy and reliability of the organisation's internal control system.