Internal Audit Manual
Ministry of Finance and Economic Management
Government of the Cook Islands
Tuesday, February 28, 2012
TABLE OF CONTENTS

PART 1: Introduction
  Guiding Standards
  IAU Reporting Arrangements
  Head of Internal Audit Role and Responsibility
  Defining Internal Audits
  Scope of Services:
  Internal Audit Assignments
  Relationship with Management
  Relationships with the Cook Islands Audit Office (CIAO)
  Steps in the Internal Audit Process
PART 2: Preparing and approving the audit plan
  The Audit Plan
  Steps in Assignment Planning
  Engagement Letter:
  Holding an Opening Meeting
  IAU Engagement Letter Template
  IAD Entry Interview:
  Background Information:
  Interviewing:
  Interview Worksheet:
  Risk Assessment
  Inherent Risk Assessment Worksheet:
  Materiality Assessment:
  Planning Materiality Worksheet
  Internal Control Assessment (planning):
  Control Environment Worksheet:
  Internal Control Assessment Worksheet
  Audit Objectives
  Audit Scope:
  Audit Criteria
  Audit Approach:
  Audit Timing and Resources:
  Audit Timing and Resources Worksheet
  Audit Planning Memorandum:
  IAU Audit Planning Memorandum Template
Part 4: Undertaking fieldwork
  Process for undertaking fieldwork
  Collecting evidence – standards and risk
  Audit Files:
Part 5: Preparing a summary of findings
  The process for producing the Summary of Findings
  Communicating findings to the audit entity – Exit meeting arrangement
summary of main findings and recommendations
Audit Test Results
Audit Tests
Part 6: Preparing the audit report
  Report Structure
  Audit Report Template:
Part 7: quality control and Finalisation
  Peer Review
  Substantiating the report
  Finalization and Issuing of the Report
Audit Follow up:
Part 9: Records management
  Electronic Working Papers
  Working paper hardcopy files
  Filing Audit Working Papers
  The Permanent Audit File
  The Current Audit File
Appendices: Audit Programmes
PART 1: INTRODUCTION

This internal audit manual aims to provide the Internal Audit Unit (IAU) of the Ministry of Finance and Economic Management (MFEM) practical guidance, tools and information for managing its internal audit function. This includes guidance on planning, performing and reporting on internal audit engagements.

Guiding Standards

This manual adopts the International Standards for Professional Practice of Internal Auditing as established by the Institute of Internal Auditors (IIA). These standards are laid out in the International Professional Practise Framework (IPPF). The internal audit must follow these standards to ensure

a. consistency and better quality in the audit work performed,
b. the auditors have the necessary guidance when completing audits,
c. the efficient and effective delivery of audit services, and
d. that a benchmark exists from which all audit work can be measured.

In some circumstances where detailed explanation is not given by the IPPF, guidance has been taken from international audit and internal controls standards stipulated by

- The International Organisation of Supreme Audit Institutions (INTOSAI)
- The International Federation of Accountants (IFAC)
- The Committee of Sponsoring Organisations (COSO) and
- The Information System Audit and Control Association (ISACA)

This guide is new to the IAU and has been drafted in accordance with the internal audit charter and is supported by relevant legislation

IAU Reporting Arrangements

The IAU reports functionally to the Secretary for MFEM and administratively to the head of Treasury for MFEM.
Head of Internal Audit Role and Responsibility

The head of Internal Audit has overall responsibility for managing the activities and resources of the IAU. This involves providing advice, expertise and guidance in the development of the Ministry of Finance and Economic Management internal audit function, managing the staff to ensure maximum output and staff development is achieved and to ensure that the Ministry benefits from the services of the IAU.

Duties and Responsibilities:

The main duties include

- Preparation of the internal audit charter, gain approval for the charter and update regularly,
- Preparing risk based strategic and annual plans for IAU focusing audit resources for maximum benefit and minimising the resources consumed on non value adding activities,
- Preparing the internal audit budget based on the audit coverage in the annual plan for approval by the Secretary for MFEM,
- Review and assist in preparing assignment audit plans ensuring adequacy of audit coverage and audit programmes,
- Complete compliance audits, financial systems audits, business process reviews and special investigations as requested by the Secretary for MFEM,
- Where appropriate, make recommendations for improved management controls and practices, cost reductions and enhanced efficiency and effectiveness of operations,
- Provide advice to MFEM and line ministry management as appropriate,
- Prepare and quality assure audit reports prepared by senior internal auditor(s) prior to issuing reports,
- Prepare an annual internal audit report on the activities completed during the financial year,
- Ensure internal audit manual, quality assurance manual and audit working practices and procedures are up to date for current best practice and changes to government legislation and regulations,
- Complete performance appraisals of the staff within the IAU,
- Complete other assignments and perform other duties as requested by the Secretary for MFEM.

Defining Internal Audits

The purpose of this unit is to perform internal audits on the MFEM and line ministries as determined in the strategic and annual plans of the unit.

Internal Auditing is defined as
“an independent, objective assurance and consulting activity designed to add value and improve an organisations operation. It helps organisations accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
Scope of Services:

The scope of services provided by the IAU is expansive. The purpose is to assist the MFEM to achieve its strategic goals and through a systematic approach evaluate the risk management, internal control systems and governance process of the Ministry. The IAD helps ensure that:

- Risks have been identified and are being managed,
- Financial, managerial and operating information is accurate, reliable and timely,
- Resources are adequately safeguarded,
- Internal control systems ensure the accurate processing of transactions, and
- That the operations of the Ministry are performed through adoption of high ethical standards.
Internal Audit Assignments

The Ministry of Finance and Economic Management Act 1995‐96 requires that Heads of Government Departments ensure sound financial management systems and internal controls exist and these are operated so as to provide:

i. timely and materially accurate financial information; and
ii. reasonable assurances that the transactions recorded are within statutory authority and properly disclose the use of all public financial resources administered by the department on behalf of the Crown.

Where an internal audit function is employed, its responsibilities are generally defined as to review, appraise and report on:

- The soundness, adequacy and application of internal controls,
- The extent to which the organisation’s controls secure the achievement of department objectives, promote operational efficiency and safeguard assets and interests,
- The extent of compliance with policies, plans and procedures,
- The integrity and reliability of financial and other management information used by the organisation.

The internal audit assignments to be completed by the IAU include:

- Financial audits – an audit of financial information provided by the government's accounting system and supporting systems (both manual and computerised). These audits are performed to validate the accuracy and completeness of financial information, and
- Compliance audits – an audit of a subject area to ensure that suitable criteria, such as the MFEM Act, government policies and frameworks, procedures, instructions, rules and regulations, have been met.

Financial audits also incorporate compliance issues dealing with respective areas, which include compliance with the treasury instructions, financial policies and procedures manual and other documents which control the use of financial resources.

In addition, separate compliance audits may be required on non-financial areas such as health and safety, time recording and annual leave, personnel management and performance management, which are completed separately from the financial audit.

Steps are being taken to introduce performance and IT audits into the work plan of the IAD in order to keep pace with reforms in Public Financial Management through computerisation of government systems and changes in performance management systems.

The audits will be performed under the direction of the senior internal auditor with overall responsibility resting with the head of the IAU.

Ad Hoc Activities:

The IAD will allocate a proportion of its time during the financial year for completing special ad hoc activities as requested by the Secretary for MFEM. If no such activities are requested, the allocated time will be utilised to perform audit assignments which had been deferred until future periods.
Relationship with Management

The IAU provides an important service to management. Its strategies, planning and delivery should aim to maximize the benefit for management without jeopardizing the unit's responsibilities. Management and staff at all levels should have complete confidence in the integrity, independence and capability of internal audit. The relationship between internal auditors and line managers is a privileged one; information gained in the course of audit work should remain confidential.

Co‐operative relationships with line management enhance the ability of internal audit to achieve its objectives effectively. Audit work should be planned in conjunction with management as far as possible, particularly in respect of the timing of audit work (except where unannounced visits are essential to ensure the achievement of the audit objectives). Regular meetings should be held with line management to discuss any issues arising from its operations or its ability to meet its objectives.

Relationships with the Cook Islands Audit Office (CIAO)

Internal and external audit activities may be coordinated to help ensure the adequacy of overall audit coverage and to minimise duplication of effort. Establishing a professional working relationship between the MFEM IAU and the CIAO will deliver benefits to both parties. The IAU will seek input from the CIAO when developing the internal audit strategic plan and the annual work plan.
Steps in the Internal Audit Process

In order to deliver expected results the IAU will follow the standards adopted in Part 1 of this manual, which include:

- Planning audit engagements to ensure maximum output from the audit resources available,
- Evaluating internal controls and assessing compliance with the controls,
- Testing controls and transactions,
- Reporting audit findings in a concise, accurate, timely and constructive manner.

The audit process can be broken down into 4 major steps as illustrated in table 1:
Table 1: The Internal Audit Process

[Flowchart not reproduced. Recoverable headings: Understanding the Implementing Unit / System; Design Audit Procedures; Perform Procedures and Evaluate Results; Report to Management. Recoverable box labels: Understanding Accounting and Internal Control System; Determine Materiality; Assess Risk; Design Audit Procedures; Perform Audit Procedures (Test of Control, Substantive Analytical Procedures, Other Substantive Procedures, Tests of Details); Evaluate; Assignment Report; Annual Report to Secretary.]
PART 2: Preparing and approving the audit plan
The Audit Plan

The internal audit assignment plan will be generated from the annual audit plan for the IAU which is prepared prior to the start of the financial year by the Head of Internal Audit.

The assignment audit plan is a critical document in the internal audit process. Its primary purpose is to document the planning procedures completed, including the purpose, scope and resource requirements of the audit. The audit plan is a working document used to guide the audit.

While a standard approach is generally taken when planning an audit assignment it is recognised that the different types of audits will contain different information specific to that particular type of internal audit being conducted.

The audit plan may need to be revised and adjusted during the audit. Revisions that modify the original objectives of the audit, add to the budget cost, or involve substantial changes to the audit methods, must be approved by both the head of Internal Audit and the Treasury Operations Manager.

The cover sheet of the audit plan must contain the following information:

- Purpose – state that the purpose of the proposal is to seek Management's (Financial Secretary and Treasury Operations Manager) approval for the internal audit to be conducted,
- Previous considerations – state any prior work the Unit has done on the topic e.g. “The Internal Audit Unit previously completed an internal review in September 2005 into …………….”
- Summary – provide a short summary of the audit proposal, no more than two paragraphs.
- Financial Implications – state how many hours the audit will take, and the cost. Refer the reader to the full budget, which will be attached as an appendix to the proposal.
- Other Implications – state any other implications that the audit may have. E.g. how doing this audit will affect other audits that may have been already planned and approved for future action.
- Timing – state when the report is expected to be ready for review by management.
- Consultation – state who has been consulted on the proposal, both internal and external parties.
Steps in Assignment Planning

Assignment Planning Steps | Planning Outputs
1. Determine initial audit objective | Taken from annual plan
2. Notify appropriate management that their section has been selected for audit | Engagement
3. Hold opening meeting with management | Entry interview (note)
4. Collect and analyse background information | Permanent file opened; Draft system notes
5. Assess risk and materiality | Risk assessment worksheet; Materiality worksheet
6. Assess internal controls | Internal control assessment worksheet
7. Determine audit objectives, scope, criteria and approach | Detailed objectives scope
8. Draft preliminary audit programme | Draft audit programme
9. Determine time and resource allocation | Audit time budget
10. Prepare planning memorandum | Audit planning memorandum
11. Finalise audit programme | Final audit programme
Engagement Letter:

Prior to commencing any audit work the auditee should be notified of the pending audit assignment. The auditee is the most senior manager responsible for the area under review. The engagement letter should be drafted by the Principal Officer responsible for the audit and issued by the Head of Internal Audit. The template below should be adjusted accordingly and used for all audit assignments of the IAU.

The engagement letter should contain:

- A brief overview of the system or activity under review,
- The type of audit to be performed including the general audit objectives and scope,
- Proposed dates of the planned audit assignment,
- A request for documentation if required.

Holding an Opening Meeting

The purpose of the opening meeting is to clarify known details of the activity / system under review, and to reconfirm the contents of the engagement letter. In addition the opening interview will provide the opportunity for the audit manager to:

- Explain the role of the Head of Internal Audit/senior internal auditor,
- The need for cooperation from the auditee to any requests made by the auditor,
- Request information from management on areas which they deem to be high risk,
- Gather additional information about the activity under review including any changes to the system, management plans for the future and turnover of senior staff,
- Confirm the location of operations / documents which may come under the purview of the audit,
- Discuss the output from the audit assignment, the audit report, including the reporting process and planned reporting dates,
- Discuss any other applicable issues / concerns raised by management.

Upon completion of the opening meeting the audit manager should ensure that the meeting has been documented on an audit working paper and placed on the current audit file. A sample working paper for the entry interview is included below.

A number of additional interviews may be required depending on the size and complexity of the activity / system under review and the amount of prior knowledge and audit activity which has been completed in the area. Any interviews performed should be documented and placed on the audit file.

The auditors should prepare for the opening meeting in order to maximise the benefit for them and the use of the auditee's time. They can do this by reviewing previous audit files and other documentation which may be available for the area under review.
IAU Engagement Letter Template

Government of the Cook islands
Internal Audit Unit
Ministry of Finance and Economic Management
Insert address and contact details

Date: {Insert Date}

Reference: {Insert Reference}

The {necessary manager}
Ministry {if outside MFEM} / Division {If inside MFEM}

Dear Sir or Madam,

{Internal Audit Assignment Title and Reference from Approved Audit Annual Plan}

The above Internal Audit Assignment was approved by the Secretary for Finance and Economic Management to be carried out on {insert the area and audit period in question}. Therefore I am writing to inform you that the assignment is about to commence.

The general objectives of the audit assignment are as follows:
{Insert short statement of general objectives as per activity classification}

The scope of the assignment is
{Insert proposed scope statement}

The proposed timetable for the assignment is as follows:
Proposed Start Date: {Insert Date}
Duration of Fieldwork: {Insert Number Days or Weeks}
Estimated Date of Final Report: {Insert Date}

The Team Leader for the assignment will be {Insert Name and Job Title of Team Leader} and the staff members assigned for the duty are:
{Insert Name and Job Title}

In advance of the start of the assignment I would like to meet with you and the operational staff responsible for the {Insert area of the assignment}. The Audit Team will also attend this meeting. The purpose of this Entrance Meeting is to discuss the aims, scope and processes of the audit with you and your staff and to respond to any issues which you or they wish to raise in connection with the assignment. In the meantime if you have any questions in respect of the audit assignment please contact me at the above address

Yours faithfully,
{Insert Name and Job Title}
IAD Entry Interview:

Date:
Venue:
Present:
Subject:

Agenda Item | Record of Meeting
Introductions | Record names and job titles of all present at the meeting. Introduce the members of the internal audit team to the operational staff.
Overview of the Assignment | Outline and explain the nature and subject of the assignment to management. Explain the reasons for the assignment being included in the IAU Plan.
Assignment Scope and Objectives | Outline the provisional scope and objectives of the assignment to the management from the IAU Plan. Discuss the internal control matters of particular interest or concern. Identify any possible amendments to the scope of the assignment.
Duration, Resources and Methods | Outline in broad terms the duration of the assignment, who will be involved from the IAU side and what procedures will be used. Identify the working arrangements between the IAU team and management.
Issues to be Raised by the IAU Team | Identify any recent changes in management or major system changes / developments. Raise any other issues which should be discussed and record them. Some examples from recent practice include requests for documents, arrangement of further meetings and arrangements for access to certain government offices and sites.
Questions and Issues From Management | Ask management for their views on the assignment and ask them to identify the operational and control issues in the area of the assignment. Identify any operational concerns or any requests from management. Reassure Management that their views will be taken into account.
Responses to Management Issues | Make responses as appropriate to management issues raised. Record responses in the minute of the meeting.
Reporting the Audit | Provide information on the reporting process with a target reporting date for the assignment (if possible).
Issues, Findings, Conclusions | (Complete after interview)
Background Information:

The key activities of this phase are to review and analyse:

- The structure, reporting relationships and significant locations of the activity, system or issue under review.
- The corporate plan for the Ministry under review or the activities for a specific division including performance targets if available and applicable to the activity under audit.
- The form of the financial records produced through the accounting system and the level of transaction details available for the auditor from the system. Financial reports produced by the report writing facility including standard reports such as the monthly statements of expenditure against budget.
- Familiarization with departmental rules, management reports, other government rules and legislation is important. This will include reference to the MFEM Act, the financial policies and procedures manual, the treasury instructions and employee code of conduct plus other procedural documents depending on the activity under review.
- A review of the latest published budgets or estimates of the current year, in order to assist in determining which systems are most significant and the component parts of the system / activity under review.
- Any significant developments since the last audit e.g. major reports on the organisation, organisational restructuring or major systems installations/changes.
- Study internal procedure manuals concerning the unit’s accounting system and control procedures, firstly to ensure that such documentation exists and secondly to understand how the system is intended to operate.
- A review of the matters identified for attention from the previous year's audit report from the external auditor or any previous internal audit assignments, spot checks or investigations.
- Reports produced by Technical Assistance projects or overview reports such as the financial performance assessment (PEFA Assessment report).

In addition to reviewing documentation and financial information the auditor will want to complete some site visits to observe operations for the activity under review and to have interviews with management and system operators on the activities that are completed. These interviews should be documented and retained on the audit file; they will enhance the auditor's understanding of the system and will allow for refinement of any flowcharts or system descriptions that have been developed.

Interviewing:

Interviewing managers and staff members responsible for the activity or system under review should be completed to gain a full understanding of how the system is operating. Refer to the internal audit resource manual on how to prepare and perform an interview. An interview recording worksheet is attached below and should be completed for all interviews performed and filed on the current audit file.
Interview Worksheet:

Title of Interview: {Insert Title}
Ministry / Division: | File Reference:
Financial Year: | Prepared by: | Date:
Person interviewed: | Reviewed by: | Date:
Purpose of Interview: {Insert purpose} e.g. to gain a better understanding of how a system / activity operates.

Columns: SI | Question | Comments | Initial | WP Ref

1. Plan your interview questions in advance. Commence with open questions to get a broad outline for the system/activity and follow up with closed questions if required.
   Example: Could you describe the role of the IT section in the payroll system? (Open Question)
   Some closed questions you may follow up with:
   - What type of software is used for payroll?
   - How many licenses exist for payroll system?
   - Are there any planned upgrades for the future?
   - What is the total number of users? Request a list?
   - What is the total number of stations where data can be input into the system?
Risk Assessment The risk assessment process ensures that audit resources are targeted at the areas most vulnerable to non compliance or at risk of manipulation. It ensures efficiency in the use of audit resources. A detailed risk assessment is undertaken in the planning phase to ensure that the initial assessment has identified the main system risk areas. The initial audit objectives may need to be amended if the detailed risk assessment reveals additional risks or assigns higher or lower risk scores to the risks identified. The steps in the risk assessment process can be summarised as;
16
The senior internal auditor should discuss the high risk areas with the auditee when completing the entry interview; however, s/he should make the final decision on which areas they consider to be of highest risk for the audit assignment. The assessment process can categorise risk into two types:
Inherent Risk – Inherent risk depends upon the nature of the system, transaction or item audited and whether it is susceptible to error e.g. cash, inventory or assets. It indicates the amount of assurance required from audit tests. The higher the risk, the greater the extent of audit tests required in order to increase the likelihood of detecting errors if they exist.
Control Risk – Control risk depends on the strength of the audited body's control environment and the systems of internal controls, and whether there are effective controls operating to reduce the risk of the organisation failing to achieve its objectives.
Some situations may increase the risk of an error occurring, e.g.
System complexity – the more complex the system, the more likely that an error will occur and go undetected.
Internal control systems – not working as intended due to disregard for authorisations or inappropriate design of controls.
Economic factors – difficult economic conditions may force staff to boost income through inappropriate means.
Changes in working practices – failure to train staff and to document all changes to systems may lead to inconsistencies and controls being bypassed.
Risk Assessment Steps, with Examples from Payroll System:
1 Based on system objective, identify the risk of failing to meet the objective. Example: Event – Incorrect payment of overtime to
2 What is the chance of the event occurring (high / medium / low)? Example: High – history of occurrence
3 What would the impact be if the event occurred (high / medium / low)? Example: Medium – budget constraints
4 What internal controls are in place to prevent the event from occurring? Example: Authorisation of overtime, segregation of , validation of overtime
5 Plan to focus audit objectives on the identified internal controls to ensure they are operating. Example: To ensure all overtime payments are properly authorised and have been calculated correctly
Staffing issues – staff may lack motivation and not perform duties with the due diligence required; there is also the possibility that important staffing positions have not been filled or have been filled with unqualified candidates.
Attached below are an inherent risk assessment worksheet, a materiality assessment worksheet and an internal control assessment worksheet which should be completed for all audit assignments and may be tailored for individual assignments to identify specific areas of focus. Each assessment will form part of the assignment planning decision process to determine the extent of audit work performed in specific areas. Each working paper should be filed in the relevant section of the current audit file as evidence of the work performed while planning the audit.
Inherent Risk Assessment Worksheet:
Ministry / Division File Reference
Financial Year: Prepared by Date
Subject: Assessment of Inherent Risk (Name system / Activity)
Reviewed by Date
Objective | Result (H/M/L)¹ | Comments / Reference²
1 Have there been allegations of fraud / misappropriation in the processing of transactions within the system?
2 Is management excessively involved in the day to day operation of the system?
3 Are staffing levels and competencies adequate to ensure transactions are properly processed in accordance with set procedures?
4 Does the system involve manual collection of revenue without a known total of revenue due?
5 Does the system involve handling large volumes of cash?
6 Does the system involve moveable stocks and assets which could be susceptible to theft?
7 Is the system so complicated that there is a risk of transactions being incorrectly processed?
8 Did prior year audit work reveal major errors or weaknesses in the system?
9 Has there been a high turnover of staff in the section for the period under review?
10 Have senior management positions been filled throughout the period?
Materiality Assessment:
Materiality is the concept of developing a level of significance above which certain areas of activity are sufficiently important to ensure audit attention and subsequently deciding what degree of control weakness will trigger management action. Materiality is related to:
The number and value of transactions processed through a system, i.e. a large number of transactions with large value is material, e.g. the payroll system.
The need for particular staff to demonstrate that they meet the highest standards of probity, e.g. where risk is considered high, e.g. dealing with cash collection and lodgements.
The need for particular processes to be error free and, i.e. some processes should not contain any errors as they are so well regulated, e.g. tendering process.
The risk to the Ministry’s reputation from even a small lapse in standards, e.g. system failure due to poor backup procedures means that fortnightly payroll cannot be produced, would be a significant embarrassment for the MFEM. Theft of Funds from MFEM due to control weakness would be a significant embarrassment.
Materiality is a relative value, i.e. if it is based on a monetary amount it will be calculated as a monetary amount.
1 The risk is categorised as H = High, M = Medium, L = Low
2 This will include the impact that result has on the amount of audit work to be completed and may refer to the working papers to justify the assessment reached
Materiality is expressed in percentage terms, e.g. ¼ to 2 per cent, based on the degree of sensitivity in the area under consideration. The percentage selected represents the level of error which the auditor is prepared to accept within a particular system or account balance.
Worked example
Gross expenditure on payroll for financial year: NZ$ 1,000,000
Materiality Basis: ¼ %
Materiality value: NZ$ 2,500
This calculation basically means that the auditor may be prepared to accept errors amounting to NZ$ 2,500 in the system, depending on the type and extent of the errors uncovered. The materiality basis is selected based on auditor judgement; in this case it is selected at ¼ % as the payroll system is a highly regulated (no reasons why errors should occur) and sensitive (personnel don’t like errors in their pay) system in which the auditor would only tolerate a low incidence of error.
The worksheet below should be used when determining planning materiality levels. When more than one account balance is relevant to a particular audit, the auditor should determine which account balances they should select for extended testing, applying the materiality concept.
Planning Materiality Worksheet
Ministry / Division File Reference
Financial Year: Prepared by Date
Subject: Materiality Assessment (Name system / Activity)
Reviewed by Date
Population
Total number of transactions processed through system in period
Total value of transactions processed in period NZ$
Materiality Basis | Guideline | % Used | Total NZ$ value | Material Amount
Gross Income | ¼ ‐ 2 % | | |
Gross Expenditure | ¼ ‐ 2 % | | |
Total Assets | ¼ ‐ 2 % | | |
Reason for materiality basis and justification of % used
Qualitative factors influencing materiality³
Account balances specifically selected for audit based on material significance
3 Qualitative factors include specific legislation which must be adhered to or certain standards which must be met regardless of the value
Internal Control Assessment (planning):
There are 2 stages in the internal control assessment: the assessment of the control environment and the assessment of the internal control activities employed in a system. An effective control environment is an environment where well trained staff understand:
Their responsibilities,
Limits to their authority,
The right things to do and the right way to do them.
Internal control systems are operated to ensure what is meant to happen actually happens. A control is any action taken by management or staff that enhances the achievement of system objectives, mitigating the impact of risks and ensuring the security of assets. Controls are commonly thought of as 2 types: Preventive and Detective.
Preventive controls attempt to deter or prevent undesirable events from occurring. They are proactive controls that help prevent loss through ensuring:
Separation of duties,
Proper authorizations,
Adequate supporting documentation,
Physical control over assets.
Detective controls attempt to detect undesirable acts. They provide evidence that a loss has occurred but do not prevent it from occurring. Examples of detective controls include:
Reviews,
Exception reports,
Variance analyses,
Reconciliations,
Physical inventory counts.
The senior internal auditor should assess the control environment using the worksheet below. In light of this assessment and the risk assessment already completed, the senior internal auditor is then in a position to assess the internal control activities in place and their likely effectiveness in preventing the identified risks. The auditor will do this by:
Documenting the system (through flowchart), clearly identifying the key controls,
Assessing the adequacy of the control to mitigate the risk, and
Testing that the control is operating.
The auditor should complete the internal control worksheet below as evidence of this assessment and place on the audit file.
Control Environment Worksheet:
Ministry / Division File Reference
Financial Year: Prepared by Date
Subject: Assessment of control environment (Name system / Activity)
Reviewed by Date
Objective | Result (Y/N) | Comments / Reference
1 Are there defined and authorised procedures for processing (Insert System Name) transactions?
2 Are all transactions required to be authorised?
3 Is there adequate separation of duties between the initiating, authorising and processing phases of the system?
4 Are there procedures to ensure completeness of processing?
5 Are there periodic bank or other reconciliations to ensure completeness of processing?
6 Are there supervisory checks to ensure the accuracy of processing (e.g. management check of accuracy of invoices)?
7 Are cheques, receipt vouchers, and other stationery adequately controlled? (Physically secure)
8 Is there an adequate audit trail⁴?
4 An audit trail exists when a document can be easily traced from an output e.g. financial report, back to the source documents which created the output, and vice versa.
Internal Control Assessment Worksheet
Ministry / Division File Reference
Financial Year: Prepared by Date
Subject: Assessment of internal control for (System / Activity)
Reviewed by Date
Objective | Result (H/M/L) | Comments / Reference
Organizational Controls
1 Do the checks which are performed before authorization conform to those expected?
2 Are all the transactions subject to the same authorization procedure?
3 Does someone check that all transactions are properly authorized before processing?
Completeness and Measurement
4 Are standard forms relating to each type of transaction clear, enabling easy processing?
5 Do procedures involve extracting information from a form and writing data onto another form for later processing? If so, is it possible to redesign the form so that transcription is avoided (if so, highlight this fact)?
6 Where documents are pre‐numbered, are sequence checks performed to ensure that each is processed?
7 Are control totals used? If yes, are they manual or computerised?
8 Are transactions processed in batches? If yes, are batch totals used, and are they manual or computerised?
9 Are re‐performance calculations performed by someone independent of the transaction processor?
Security
10 Are transactions secure against unauthorized access during processing?
11 Are transactions processed through the system, posted as a permanent record by the same person?
Audit Objectives
Once an understanding of the system or activity has been acquired and the assessment of risks has been completed including limited control testing, the senior internal auditor should develop the audit objective and the audit scope. The audit objective is often seen as the question that the audit seeks to answer. The audit objective forms the basis of the audit and hence should be carefully formed and clearly stated to enable conclusions to be drawn at the reporting stage of the audit. Audit objectives may be generic in nature to focus on key internal audit outcomes e.g. are internal controls operating as intended, or they may be very specific and targeted at specific issues on high risk areas identified by the auditor e.g. that overtime payments were properly calculated.
Audit Scope:
The scope should be sufficient to satisfy the objectives of the engagement. It should state the work the auditor intends to do and how it will be completed. The scope of the engagement should include:
Consideration of relevant systems including compliance with legislation and procedures,
Records to be examined,
Timing of the engagement,
Personnel numbers and skills,
Physical properties including those under control of third parties, and
Geographical spread of activities.
If the internal auditor develops reservations about the scope during the assignment these reservations should be discussed with management to determine whether to continue with the assignment.
Audit Criteria
Audit criteria are reasonable and attainable standards of performance and control. They provide the basis for developing audit observations and forming conclusions. As the majority of audits completed will be financial audits, the audit criteria will generally be determined by the appropriate financial legislation, rules, regulations or procedures; it will be up to the auditor to determine the most appropriate criteria. They may be selected from:
The MFEM Act,
The Public Service Regulations,
Financial Policies and Procedures,
Treasury Circulars,
The Public Service Commission Policy Manual,
Public Procurement Regulations,
Employee code of conduct,
Memos circulated on operational procedures,
Ministry corporate plans.
Audit Approach:
The audit approach is designed to ensure that the audit is completed in the most efficient and effective way possible and that adequate evidence is collected to support all audit conclusions. Using professional judgement the senior internal auditor will determine the audit approach which is influenced by the degree of assurance and the type of evidence required. It will normally entail a combination of testing and evidence collection techniques. This will involve testing some of the key controls in the system activity under review to determine the effectiveness of the controls and will also entail the testing of details in account code balances to determine if any transactions have been processed in error. The type and amount of testing will be determined by the risks involved and will be documented in the audit programme.
Audit Timing and Resources:
Appropriate audit resources should be deployed to meet the objectives of the audit assignment. This will require an evaluation of:
The number and experience of the internal audit staff available,
The knowledge, skills and other competencies required,
Training needs of the internal auditors prior to completing the assignment, and
Whether additional external resources may be required to complete the assignment,
along with the complexity of the area under review, the degree of assurance required and therefore the volume of the work involved.
The timing of the assignment should include the start date and the proposed finish date of the audit along with a date for producing the draft report. The worksheet below should be used to record the resources allocated to a particular audit assignment.
Audit Timing and Resources Worksheet
Ministry / Division File Reference
Financial Year: Prepared by Date
Subject: Prepare time budget for audit Reviewed by Date
SI Description HoIA Senior Auditor Total
1 Planning
Understand System / Activities
Understand Control Environment
Perform analytical review procedures
Calculate planning materiality
Perform risk assessment
Plan reliance on internal control
Plan substantive testing
Draft audit programme
Complete audit planning memorandum
2 Execution
Complete audit programme
Control Tests
Substantive Tests
Analytical Review Tests
Update audit files
3 Reporting
Prepare draft report
Hold exit meeting
Incorporate management comment
Finalise audit report
4 Audit Management
Complete final review
Audit administration
Total
Audit Planning Memorandum:
The planning memorandum is the main output from the audit planning process and should clearly document the results of the work performed during the preliminary assessment and planning stages. It should include the audit objectives, scope, risks identified along with the outputs from the audit which will include an audit report and a planned reporting date for the auditee. The planning memorandum template attached below should be utilised for all audit assignments.
Audit Programmes:
The preparation of the audit programme is an important part of the audit process as it will decide what work the auditor will perform, which areas they will focus their attention on and what audit procedures they will adopt in the process. The audit programme will:
Provide a guide for performing the audit work,
Enable the assignment of audit work to members of the audit team,
Enable better supervision of the audit, and
Provide a mechanism for ensuring adequate audit coverage.
The audit programme will identify a number of tests (control and substantive) for the auditor to complete during the audit assignment. Audit programmes should be prepared in a consistent format for all audit areas as they are a prime source of evidence of audit work performed. Separate audit programmes are required for each assignment and should be completed during the audit fieldwork as evidence of work completed. There are audit programme templates included under the field work section of this guide.
IAU Audit Planning Memorandum Template
Audit Planning Memorandum (to be completed by the Senior Internal Auditor)
Name of audited System:
Financial year:
Date and nature of last audit (if applicable): N/A
Audit Manager:
Ref. No.
Audit Planning Memorandum WP Ref
Audit Background:
Audit Approach:
Audit Objective(s):
Audit Scope:
Appropriate Legislation (Compliance): Policies and Procedures:
1 Names and designation of staff assigned for the preliminary review of systems and procedures:
WP Ref
(1)
2
Matters arising from preliminary visit to the audited unit (Give date(s) and details)
3 Weaknesses identified in system and their audit implications during preliminary survey
4 Weaknesses identified during previous audits
5
Significant issues discussed with management including areas of risk during the preliminary interviews
6
What specific matters are to be investigated during the audit as a result of the risk assessment?
Planning Materiality (Acceptable error rates)
7
Account balances to be examined in depth (Give, in each case, the amount above which this procedure should be adopted)
8 Estimates of population and sample sizes: How many people on the payroll system
Total Estimated Transactions in Population
Sample size
9 Steps to be taken if actual errors found to be above acceptable rates
10 Any additional or special work to be performed
11 Audit programmes attached and completed by senior internal audit officer
12 Estimated time for the audit (in days)
13 Date for commencement of audit
14 Target date for completion of the audit: (Draft Report)
15 List of Documentation included in audit file to date
16 Any significant matters arising from the interim review which need to be reported in the draft report.
17 Any other matters to ensure satisfactory completion of audit by target date
Senior Internal Audit Officer Date:
PART 4: UNDERTAKING FIELDWORK
Process for undertaking fieldwork
Begin the visit by briefing the relevant manager and reviewing with him/her the information provided about the visit.
Arrange and confirm with the audit entity party the day and time when you are making the visit to conduct the fieldwork.
Capture the required evidence by photocopying, recording, taking photos, making notes or obtaining original documentation.
Use the worksheets developed during the planning phase to check that all required evidence has been collected.
Mark all evidence with details such as source, which member of the team collected it, and when it was collected.
Hold an exit meeting with the relevant manager at the completion of the visit. Provide initial feedback on the results, but emphasise that the information provided is provisional and will be subject to more detailed analysis.
Maintain contact with the audit entity at all times during the audit. (It is always good to provide the relevant manager with contact details such as an email so that they are able to contact the audit team should further information become available.)
Sometimes promising lines of enquiry may emerge during fieldwork that, if pursued, could substantially change the scope, cost, timeframe or risks of the audit. The team must seek approval from the Chief Internal Auditor before undertaking any new work that differs substantially from the work set out in the approved audit plan.
Collecting evidence – standards and risk
All statements in audit reports must be thoroughly evidenced – the strength of argument used to support conclusions depends on the validity of facts gathered. Auditors need to make judgements about the reliability of evidence gathered, and will need to determine whether the evidence is: Relevant, Reliable, Sufficient, Representative, and/or Verifiable, Logical
The auditor will need to ask such questions as:
How significant is the comment being made?
How reasonable or self‐evident is the comment?
How persuasive is the evidence? Persuasive is not conclusive – does it need to be corroborated?
Is there a likelihood of conflicting expert opinion?
There are a number of ways in which evidence can be collected. Each has different strengths and drawbacks, and generally facts are best confirmed through more than one type of evidence. Remember, people’s perceptions are not necessarily the truth!
[Figure: Facts (Relevant, Reliable, Verifiable) gathered during fieldwork; Sufficient + Representative + Logical; Findings]
Types of Evidence
Physical Evidence: Observations, photo, video, corroboration by another staff member.
Documentary: External (independent of the audit entity) is preferred. If using internal evidence (documentation prepared by the audit entity) you must be satisfied as to the integrity of the system producing it.
Interview/Testimonials: Interview evidence should be corroborated with other evidence.
Analytical: Questionnaire/calculations, tables and charts. Usefulness of evidence is dependent on corroborating evidence.
Audit Files:
The audit files are where all audit work papers relating to a particular audit assignment are filed. There are 2 files maintained:
Permanent file – a list of documents that are relatively permanent in nature, organisation structure, legislation, rules and regulations
Current file – Information pertaining to a specific audit assignment; a current file index for a payroll audit work papers is included below.
File Review
File review is a common method of collecting evidence. The auditor should:
obtain a list of the relevant files for review,
look through the documents on the files and photocopy documents that provide evidence relevant to the audit,
record relevant details or data if source documents are not copied,
note any documents or processes that appear to be absent from the files or documents, and
check to see if absent information is held elsewhere or confirm that it does not exist.
Observation
Observation provides a firsthand understanding of the work of the audit entity staff, and how processes or systems work. It involves gathering of evidence by observing facilities and work, and enables the audit team to compare activities with policies, manuals, statements made in interviews, and presentations made by the audit entity. This is among the strongest forms of audit evidence. The auditor should document evidence through photographs, video, notes, recordings, charts, maps, etc.
Re‐performance or Walk throughs
Re‐performance is a technique whereby the auditor carries out the same processes as the audit entity to see if the same result is achieved. It tests systems and provides evidence of the extent to which the audited entity has been effective in undertaking a task.
Verification of Data
Audits typically rely on data collected and supplied by others. The audit team should verify that the data itself and the systems producing the data are reliable. It should also ensure that any samples are extracted according to the stated methodology, and information is recorded accurately.
PART 5: PREPARING A SUMMARY OF FINDINGS
The Summary of findings should cover: expectations/audit criteria used in the audit, key findings and the proposed structure of the final report, preliminary conclusions, and any substantial variations or departures from the expectations or objectives in the audit plan.
The process for producing the Summary of Findings
As fieldwork is undertaken, the evidence collected should be analysed. The results of the analysis should then be compared with the audit expectations, and an assessment made of the extent to which the entity has met them, and the implications of any shortfall. Any residual findings should also be assessed and their significance evaluated. The auditor should then review all findings and identify the most important. These should be used to form the basis of the report. Some auditors prefer to produce an initial draft report at this stage, but a more concise summary of findings is preferable because it avoids the risk of investing time and effort in drafting a which may be later disputed. The audit team should seek management’s agreement on:
key findings (and how they are to be expressed and interpreted),
risks (an update on the risks identified at the proposal stage and agreement on what new risks, if any, have emerged during fieldwork),
any additional fieldwork or analysis identified as necessary (taking into account the cost and time of the audit to date),
the proposed structure and format of the final report, and
any changes required to the summary of findings to take account of management’s views.
Communicating findings to the audit entity – Exit meeting arrangement
The Internal Audit Unit has a policy of “no surprises”, meaning that, wherever possible, the audit team should discuss all important findings with the audit entity in the exit meetings. The team should seek the entity’s reaction and incorporate its views in making the assessment. The summary of findings offers one of the best opportunities during an audit to communicate findings in an unthreatening and coherent way, and to seek input and responses before the formal draft report is produced. The team should provide a clear and detailed summary of findings.
SUMMARY OF MAIN FINDINGS AND RECOMMENDATIONS
TEST AREA: DATE: WP REF:
OFFICE:
AUDIT PERIOD UNDER REVIEW: AUDITOR:
REVIEWED BY:
FINDINGS: 1. 2. 3. 4.
RECOMMENDATIONS:
AUDIT TEST RESULTS
TEST AREA: DATE: WP REF:
OFFICE:
AUDIT PERIOD UNDER REVIEW: AUDITOR:
REVIEWED BY:
OBJECTIVE:
TESTS: A
B
C
D
FINDINGS:
CAUSE:
IMPLICATIONS:
RECOMMENDATION(S):
Auditor’s Signature: _______________________________ Date: ______/_________/________
AUDIT TESTS
AUDIT PROGRAMME TESTING: OFFICE:
OBJECTIVE: AUDITOR:
TESTS: REVIEWED BY:
1.
2.
3.
4.
No Details of Test Documents Test Results Comments Wp Ref
1
2
3
4
5
6
7
8
9
10
PART 6: PREPARING THE AUDIT REPORT
Report Structure
Reports usually contain the following elements:
Executive Summary. An overview of the audit as a whole, including the main findings, conclusions, and recommendations.
Introduction and Background. Why and how the audit was done, what it covers, background to the topic, organisations involved, and structure of the report.
Audit Scope and Objective. What does the Audit aim to find out, what information will the audit/review be based on. This must be clearly and fully described in more detail.
Findings and discussions. Findings should relate to the expectations and lead to the conclusions. It should detail the main findings.
Conclusions and recommendations. The conclusions should flow from findings and the recommendations from the conclusions. It should also be detailed. The report should also recognise the difficulties faced by the entity and any significant actions taken by them which have improved performance and overcome deficiencies. The tone of the report should be positive and constructive. Facts should be clearly distinguished from opinions. The report should identify evidence to support the findings and recommendations.
This section should also explain how the Audit recommendations were developed. It should identify the cause of problems in the entity’s operations and note causes outside management’s influence or control. Where possible, recommendations should specify necessary remedial action by the entity. It is essential that the report make recommendations wherever audit findings require action by the entity. Finally, this section should identify any issues that require further study and investigation. These will be issues that do not fall within the objective of the Audit but which are significant enough to be pursued elsewhere or at a later date.
When finalizing the report structure, the auditor must take into consideration the best possible format that clearly conveys to the reader the main audit findings. Avoid repetition and unnecessary long words. Once the fieldwork has been completed the audit team should decide the structure of the draft report in consultation with colleagues and management and should take account of the following:
1. Accuracy
Reports must be accurate and findings supported by sufficient evidence. Matters of fact should be reported accurately. Errors of fact in a report will damage the credibility of the entire report and the Internal Audit Unit.
2. Audience
The report should be written to suit the capabilities, interests and time constraints of the audience. Short, sharp everyday words are the best means of getting the audience’s attention and understanding, particularly when the issues are complex.
3. Balance
Both sides of an argument should be presented. A balance of praise and criticism should be apparent. The entity’s view should be properly and adequately reflected where appropriate.
4. Clarity
Reports are to be written in a clear, easily understood fashion. The language should be simple. Steer clear of complex terminologies which a lay person may not understand.
5. Language
avoid clichés and slang,
never use a long word where a short word can be found,
never use the passive where the active can be used instead,
never use a foreign phrase, scientific word or jargon if a straightforward everyday English word can be used,
avoid affectation and desires to “impress” readers,
make the best effort to be simple through the use of short paragraphs and simple sentences,
write in third person.
6. Logic
Reports are to present arguments that are logical. Errors will also be very damaging to the credibility of the report and the Internal Audit Unit.
7. Purpose
Reports are to identify their purpose clearly.
8. Structure
It is important to start sections and paragraphs with a statement of the main topic or idea to be developed. The remainder of the section or paragraph should develop that topic in a logical and coherent fashion. The key feature that should be incorporated in this approach is the need to identify the main idea at the start and not to bury it in the middle of your piece of writing.
9. Timeliness
Reports are to be issued in a timely manner. This means producing a quality product within the time constraints of the Audit Plan.
10. Usefulness
For the report to be useful it must have value in terms of providing information and assurances to management and specify where improvements can be made and the likely impact.
Audit Report Template:
Title Page – Internal audit assignment on {insert name of audit assignment} completed by the IAU on {Insert Date}
Introduction / Background:
identifies the organisational units and activities reviewed and the reason the unit exists,
Information of previous reports and the status of prior recommendations,
Statistical information on the area in question e.g. total value of expenditure,
Information on the staffing structure, volume and value of transactions processed.
Objectives:
Overall objective – reason that the audit assignment was performed e.g. to ensure that all payroll payments were made to bona fide employees, were paid at the correct rate and at the correct time.
Specific objectives – the areas that you focused your attention on e.g.
to ensure that all overtime processed has been paid at the correct rate,
to ensure that all starters have been properly authorised and entered onto the payroll system,
to ensure that leavers have been removed from the system promptly so that no overpayments have occurred,
to ensure that all allowances paid have been properly authorised, correctly calculated and classified in the payroll system,
to ensure that all outputs from the payroll have been correctly input into the accounting system.
Scope:
Context of the subject matter, description of the system or activity under review,
The audit period under review,
Geographical information / sites visited,
Any exclusions.
Audit Approach:
  Audit criteria identified against which audit conclusions were drawn e.g. MFEM act, financial policies and procedures manual or the treasury circulars.
  A description of how the work was performed, e.g. the types of testing that were performed, how samples were selected etc.
  Standards adopted, to what standard was the audit performed, e.g. in conjunction with the IAU internal audit manual or professional body standards.
  Timing of the audit work, any specific reason e.g. to attend a stock take, or to ensure no impact from school holidays if auditing the Ministry of Education.
Observations: Observations should be objective statements of fact, which need to be accurate and evidence based to support the auditor's conclusions; they should compare what should be with what is actually happening. Observations should be based on the following attributes:
  Criteria – The standards, measures or expectations used in making an evaluation – what should be?
  Condition – The factual evidence the internal audit found during the examination – what is happening?
  Cause – The reason for the difference between the expected and actual conditions – why does the difference exist?
  Effect – The risk encountered because the condition does not meet the criteria. In determining the degree of risk the internal auditor should consider the effect that their observations and recommendations would have on the operations and financial statements of the organisation.
In a situation where there are several audit observations the auditor should decide if some of the observations can be aggregated, and then determine which ones are reportable and those that are relatively minor and should not be included in the audit report.
Conclusions: Conclusions should be clear and concise; they should include:
o Conclusions on the objectives set – are internal controls working,
o Compliance with relevant laws, regulations and other procedures,
o Statement on whether the system/activity is functioning as intended,
o Quantify and aggregate any losses identified during the audit.
Recommendations: Suggest approaches to enhance performance of internal controls in areas identified in observations and conclusions, suggestions for action by management. Recommendations should be ranked as high, medium or low.
Grading | Definition
High | Major risk, requiring action by the time the final report is issued
Medium | Medium risk, requiring action within 6 months of the report being issued
Low | Change to achieve best practice by a date agreed with the section manager
Action Plan: The action plan identifies the action which management will take to resolve issues.
{System / Activity} Action Plan – Short Term Response
Action | Responsibility | Time scale | Audit Comments
{System / Activity} Action Plan – Medium Term Response
Action | Responsibility | Time scale | Audit Comments
PART 7: QUALITY CONTROL AND FINALISATION
Peer Review
Peer Review is a key element of the Internal Audit Unit's quality assurance process. The purpose of peer review is to provide an independent check on the quality of all key products relating to the audit. These are the proposal, plan, and draft report. The peer reviewer can also provide ad hoc advice to the audit team at any time, but must remain independent and should therefore not be drawn into undertaking fieldwork or analysis. If this should occur, a new reviewer should be appointed. The peer reviewer should ensure:
  all the products of the audit reflect a consistent purpose and focus that link transparently to the objectives of the audit;
  that all reporting is consistent with the audit plan (or any divergence explained);
  arguments, inference, and conclusions are clear, logical, fair, and free from bias; and
  presentation, structure, and writing style of documents are appropriate, of good quality, and appropriate to the intended audience (making suggestions for improvement as required).
Peer review takes time and effort to do well, and the audit team should therefore give the reviewer sufficient time (at least one week) to do it. The peer reviewer should discuss issues with the audit team and provide comments in writing. Minor comments can be noted on the document. The audit team should record in writing any reasons for not addressing concerns that the peer reviewer has raised. Any significant disagreements should be discussed with the peer reviewer and management.

Substantiating the report
Audit evidence is information collected and used to support audit findings i.e. to arrive at an assessment of whether normal audit procedures are being met. The relationship between audit criteria, programme and evidence is that without good criteria you cannot design an effective audit programme, and without an effective audit programme you cannot obtain convincing evidence to support your findings in an economic, efficient and effective manner. Evidence can be in physical, oral, documentary or analytical forms and must be relevant, reliable and sufficient. Relevancy requires that the evidence bears a clear and logical relationship to the audit objectives. It is important to ensure that they are consistent with and relate directly to the audit objectives that have been established. Evidence is reliable if it actually represents what it purports to represent, while it is sufficient when there is enough relevant and reliable evidence to convince a reasonable person, beyond reasonable doubt, that the performance audit findings, conclusions and recommendations are warranted and supported.

Finalization and Issuing of the Report
Once quality assurance of the audit report is completed a final draft copy is prepared and forwarded to the Head of Internal Audit to sign. The report is then issued to Management following the exit meeting.

AUDITS FOLLOW UP:
Recommendations which have identified high risk areas for immediate action should be reviewed prior to issuing the final report. Medium risk items will be verified within the 7th month after the final report is issued at the auditor’s discretion to determine if adequate measures have been taken by management.
The implementation of low risk recommendations will be reviewed at the auditor’s discretion or at the next audit of the system/activity whichever comes first. The IAU will maintain a register of recommendations from all audit sources including those recommended by the audit office. Progress on the implementation of audit recommendations of all medium and high risk recommendations will be reported in the monthly management meeting until the action has been completed.
PART 9: RECORDS MANAGEMENT
Record keeping is an important aspect of project management because:
  Audit evidence should be easily identifiable and retrievable;
  it provides evidence that the audit team has followed due process (because there should be files containing evidence on all important issues), and
  it ensures only those documents relevant to the audit are archived.
Internal Audit files are kept in two forms:
1. Electronic working paper copy kept on the MFEM server,
2. Working paper hardcopy files, which are located in the audit team’s space during the audit, and are archived after the audit’s completion.

Electronic Working Papers
All electronic files are kept in the “H:\Internal Audit\Audit Reviews” folder and filed according to the financial year the review was completed in. Example: If a review is completed and issued in August 2009, then it will be filed in the folder labelled 2009‐2010 as it falls within the year July 2009 to June 2010. A folder is then created in “H:\Internal Audit\Audit Reviews\2009‐2010” and the work papers saved in it.
Note: All soft copies of work papers, correspondences and reports must be clearly labelled and dated. All correspondences must be dated on the day they were delivered to the recipient. It is recommended that subfolders clearly identifying correspondences, interviews, reports and other work papers be created within the folder to enable easy access to relevant documents by anyone needing the information.

Working paper hardcopy files
Working papers are the link between the fieldwork and the Audit report. They should contain:
  An adequate and valid basis for the Audit opinions expressed in a report,
  A basis for support for the auditor's opinion,
  An effective link between successive audits and,
  The basis for quality assurance review,
  The evidence accumulated in support of the Audit findings, conclusions and recommendations,
  Copies of issue papers and draft Audit reports.
They should be fully indexed and cross referenced to the issues papers and the final report. Once a review is completed and the final report issued to stakeholders, all work papers and other audit documentation must be transferred into a manila folder. The folder should be labelled and filed into one of two four-drawer cabinets kept in the SPR division side of the office.

Filing Audit Working Papers
Audit working papers are usually maintained in two separate files:
  Permanent File
  Current File
The Permanent Audit File
Information about a client/system that is relevant to more than one year is placed in the permanent audit file and this will be referred to from year to year and provide continuity in the planning and carrying out of the audit. Before starting each new audit however, you should ensure that all relevant details in the permanent audit file are up to date e.g. a change in organisational structure will mean a change to the permanent audit file.
The purpose of the Permanent Audit File is:
To document information of recurring value regarding items appearing in the financial statements
To document information of a permanent nature regarding the client's business
To give audit staff new to the audit, information regarding the organisation or process to be reviewed.
The main contents of the permanent file are:
A brief description of the audited organisation, organisation charts, lists of senior officials and their job descriptions
Systems notes, internal control questionnaires, flow charts (if any), details of compliance tests (if carried out), and results of control evaluations (e.g. weaknesses or breakdowns in internal controls)
Information about managerial and financial policies
Ministerial directives, notes of internal rules and procedures, important management reports
Copies of important contracts and agreements
Notes of the composition and activities of management committees.

The Current Audit File
Information specific to a particular client and period is kept in the current audit file. The purpose of the current audit file is to provide a profile of work planned.
Current Audit File Index Template:
Planning Section Initials
P.1 Audit planning memorandum
P.2 Audit engagement letter
P.3 Knowledge of the system
P.3.1 List of documents reviewed
P.3.2 Important papers on file, e.g. latest pay rates
P.3.3 Minutes of relevant meetings
P.3.4 External audit queries – List of key points raised
P.3.5 Other audit queries
P.4 Identification of main system components
P.5 Interview notes
P.5.1 IT Section MFEM
P.5.2 Payroll Section MFEM
P.5.3 Public Service Commission
P.5.4 Ministry of Education Payroll
P.5.5 Ministry of Health Payroll
P.5.6 Audit Office
P.6 Control environment worksheet
P.7 Risk analysis work sheet
P.8 Planning materiality
P.9 Analytical review work sheet
P.10 Staff resources and timing
P.11 System description (flowchart(s))
P.12 Identification of Key Controls
P.13 Audit programme (Control and Substantive Tests)
Execution (Fieldwork)
E.1 Completed audit programme
E.2 Sampling procedures performed
E.3 Tests and evidence on payroll processing
E.4 Tests and evidence on starters and leavers
E.5 Tests and evidence on time recording and leave entitlements (includes overtime)
E.6 Tests and evidence on payroll allowances
E.7 Tests and evidence on payroll deductions
E.8 Tests and evidence on payroll payments
E.9 Tests and evidence on general IT controls and data security
Reporting WP
R.1 Final Audit Report
R.2 Draft Audit Report
R.3 Quantify audit errors discovered
R.4 Summary of main findings
R.5 Follow‐up of prior year report
R.6 Final review checklist
APPENDICES: AUDIT PROGRAMMES
Auditee: WP Ref
Period Under Review: Prepared by Date
System: Reviewed by Date
Objective Expected Internal Controls Audit Test WP Ref
Objective: General: Documented payroll procedures with adequately trained staff
Expected Internal Controls:
  New staff induction and training
  Staff training for system changes
  Procedures up to date
  Supervisors/managers ensure that procedures are implemented
Audit Test:
  Check for existence of staff training on payroll procedures
  Check that procedures are up to date
  Check that supervisors are aware of the procedures
  Check for evidence that management ensure procedures are being implemented

Objective: Payments are made only to valid employees

Expected Internal Control: Written confirmation required for new employees prior to payroll processing
Audit Test:
  Identify all new personnel during the period in question and check that all new starts were properly authorised.
  Check if the new start received their first pay by cash, and the date processed.
  Review procedures for checking new employee’s details after they have been entered on to the payroll system. Assess adequacy of review.

Expected Internal Control: Preparation, recording and payment functions are adequately segregated
Audit Test:
  Document the payroll system, clearly identifying responsibility for preparing, recording and making payroll payments.
  In the absence of adequate segregation of duties check for compensating controls.

Expected Internal Control: Unique ID numbers are assigned to each employee.
Audit Test:
  Check that payroll IDs are sequential and cannot be re‐used
  Review procedures for allocation of payroll IDs to new employees and assess adequacy for prevention of duplicate payments
  Check for evidence of exception reports each time a new start is entered onto the system

Expected Internal Control: Salaries/Wages are paid based on weekly/fortnightly timesheets submitted by line ministries.
Audit Test:
  Select a sample of timesheets from respective ministries and check that they have been
    Properly prepared
    Properly authorised and
    Are for bona fide employees

Expected Internal Control: Removal from payroll system only occurs upon receipt of an appropriately authorised notification.
Audit Test:
  Select a sample of leavers' entitlement payments entered on system and test whether:
    leave balances agree to leave cards and attendance books;
    Calculations by LM are accurate
    All forms are properly approved
    All documents were date stamped when received by MFEM payroll section to prevent duplicate payments
  For the sample, test the date submitted from LM with the date of removal from Payroll system, check for payments after the leave date.

Expected Internal Control: Changes to employee payroll details (e.g. Bank details) are processed only on receipt of written notification
Audit Test:
  Review system exception reports for all changes made to payroll during the period in question.
  Check the extent to which monthly payroll reports are reviewed by management.

Expected Internal Control: Cash payments (loose vouchers) only issued on production of valid identification and when a signature of receipt is obtained.
Audit Test:
  Select a sample of cash payments made to salary staff and check if:
    The payment should have been made in cash,
    The payment was properly authorised,
    The payment was for the correct amount,
    The employee signed for receipt of the cash salary

Objective: All data input to the payroll system is correct and properly authorised
Expected Internal Controls:
  Access controls to payroll software
  Authorisation procedures for changes made to payroll data
  Monitoring of payroll system through exception reports and monthly management reports
Audit Test:
  Review procedures over access control and determine if they are documented and understood by staff
  Check access rights for approved users for the Payroll system
  Check for existence of usernames and passwords including evidence of regular password changes and password strength
  Check for existence of password sharing in payroll section e.g. large volumes of transactions processed by one user.
  Check for appropriate filing and referencing of personnel records and that
    they are securely held,
    they are only accessible by authorised personnel
  Check management procedures for examining changes to permanent records,
  Examine exception reports reviewed prior to each pay run
  Select a sample of changes that have been made to standing data and check that these have been properly authorised and the change has been made by an appropriate member of staff.
  Check that the database administrator has not processed any transactions on the payroll system.

Objective: Payments are correctly calculated in accordance with approved pay scales
Expected Internal Control: Verification of payment amounts by MFEM
Audit Test:
  Check for any changes to the number of staff on the payroll compared with the last pay period.
  Check the number of staff paid is reconciled with the previous fortnight and any changes are included within authorised data input.
  Check the number of payments made to a Ministry against the approved staffing structure for the Ministry
  Select a sample of employees and test that
    Each employee has supporting documentation on file,
    All documentation has been properly authorised,
    The personal data has been correctly entered on to the Payroll system.
    That the data has been only entered once
    That the salary amount is correct as per the most recent government pay‐scale
    That all allowances paid have been properly calculated

Objective: Payroll costs are correctly recorded in the financial accounting system
Expected Internal Control: Reconciliations between the Payroll and the Accounting (Solomons) System
Audit Test:
  Reconcile payroll outputs to payroll figures recorded in general ledger and bank statements

Objective: Payroll data is adequately protected and is securely stored
Expected Internal Control: Backups are taken and physically secure
Audit Test:
  Check that regular backups are taken of the system
  Identify where the backups are stored, and physically inspect if storage facilities are fire and water proof with restricted access.
  Check procedures to re‐create payroll information in the event of system failure
  Check for evidence that the procedures have been tested