republic of liberia - iaa.gov.lriaa.gov.lr/doc/ias internal audit manual final.pdf · republic of...
TRANSCRIPT
REPUBLIC OF LIBERIA
Internal Audit Department
Internal Audit Manual
ISSUED BY
THE INTERNAL AUDIT SECRETARIAT
March 2013
PREFACE
Internal audit, a component of the internal control system, is a strategic function in ensuring
good governance throughout the organization. It is an independent, objective assurance and
consulting activity designed to add value and improve an organization’s operations. Internal
audit helps an organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control, and
governance processes.1
This Manual is being issued to assist the Government of Liberia ministries and agencies in
establishing, and thereafter strengthening, the internal audit function in their institutions.
The Internal Auditor of the Government of Liberia has the fundamental role of assisting the
management of government ministries and agencies, and the Audit Recommendation
Implementation Committee, in promoting effective, efficient, ethical and economical
operations by appraising the adequacy of internal controls, consistent with all applicable
legislations and regulations. The findings on the appraisal of internal controls are provided to
heads/officials of the government ministries and agencies to institute corrective and preventive
measures and to achieve the ministries and agencies objectives.
The role of the Internal Auditor is not about fault-finding. Neither is it investigative or punitive.
As one of the accountability mechanisms in public service organizations, the Internal Auditor
reviews the extent of compliance with laws and policies under the authority of senior
management of the organization. As a component of the performance management
framework of government ministries and agencies, the Internal Auditor assesses the levels of
performance against agreed measures, targets and objectives. The internal audit function is
separate from, but complementary to, the day-to-day monitoring of internal controls and the
conduct of continual management improvement, which are within the responsibility of the
Government of Liberia ministries and agencies’ operating units. The Internal Audit
Department’s Internal Audit Manual (the Manual), was developed to guide Internal Auditors in
performing their duties. Practices in other countries where emphasis was placed on
strengthening internal audit functions were reviewed and considered in preparing this manual.
1 Definition of internal audit from the Institute of Internal Auditors.
i | P a g e
TABLE OF CONTENTS
1. INTRODUCTION 1
1.1 Objectives 1
1.2 Scope 2
1.3 Applicability 2
1.4 Clarifications 2
1.5 Updating 2
1.6 Manual Holders (Users of the Manual) 3
1.7 Structure of the Internal Audit Manual 4
1.7.1 The Main Body 4
1.7.2 Operational Procedures 4
1.7.3 Annexes 4
2. MISSION, DEFINITION, REPORTING & RESPONSIBILITY 5
2.1 Mission 5
2.2. Definition of Internal Auditing 5
2.3 Reporting 5
2.4. Responsibility 6
3. INTERNAL AUDIT MANDATE AND POLICIES 6
3.1 Mandate of Internal Audit Departments In Client Entities 6
3.1.1 Scope of the Internal Audit Department 6
3.1.2 Accountability 6
3.1.3 Responsibility 7
3.1. 4 Responsibility of Management 8
3.1.5 Authority 8
3.2. INTERNAL AUDIT POLICIES 9
3.2.1 Objectives of Internal Audit Departments 9
3.2.2 Audit Approach 10
3.2.3 Conduct and Role of Internal Audit staff 10
3.2.4 Audit Activities 10
ii | P a g e
4. AUDIT RECOMMENDATION IMPLEMENTATION COMMITTEE 11
4.1 Introduction 11
4.2 Access to Information 11
4.3 Composition of the Audit Recommendation Implementation Committee 12
4.3.1 Co-opted Members 12
4.4 The Roles and Responsibilities of the Audit Recommendation Implementation Committee 12
4.5 Meetings of the Audit Recommendation Implementation Committee 13
4.6 Evaluation of the Audit Recommendation Implementation Committee 13
5 PERSONNEL AND TRAINING 13
5.1. Competence 13
5.2 Resourcing 14
5.3 Training and Professional Development 14
5.3.1 Training and professional development plans 14
5.3.2 Continuing Education 15
5.3.3 Training Records 16
5.3.4 New Internal Auditor Staff 16
6. MANAGING INTERNAL AUDIT DEPARTMENTS 17
6.1 Role of the Director/Head of Internal the Audit Department 17
6.2 Assignment of Audits 18
6.3 Audit Procedures 18
6.4 On-the-Spot Examination and Testing of Management and Control Systems 19
6.5 Audit Control 19
6.6 Personnel Management and Professional Development 20
6.7 Certification Programs 20
7. INTERNAL AUDIT STRATEGY AND PLANNING 20
7.1 Strategic Plan 21
iii | P a g e
7.2 Annual Audit Plan 21
7.2.1 Purpose and Content 21
7.2.2 Audit Resources 23
7.3 Assignment Planning – Audit Agenda (or Audit Program Guide) 23
7.3.1 Time Budget 23
7.3.2 Purpose of the Audit Program Guide 23
7.3.3 Content of the Audit Program Guide 24
7.4 Reviews and Meetings 24
7.5 Timekeeping by Internal Auditors 25
8. AUDIT ASSIGNMENT METHODOLOGY 25
8.1 Introduction 25
8.2 Stages of an Assignment Audit 25
8.3 Initiation of the Audit Process (Planning Stage) 30
8.3.1 Auditors Assignment 30
8.3.2 Auditee Notification 30
8.3.3 Request for Internal Audit Services 30
8.3.4 Notice to the Interested Parties 31
8.3.5 Entrance Conference (Initial Meeting) 31
8.3.6 Audit Entrance Conference Memo 31
8.3.7 Memorandum of Audit Scope and Objectives 32
8.4 Preliminary Review 32
8.4.1 Definition of the Preliminary Review 32
8.4.2 Objectives of the Preliminary Review 32
8.4.3 Standard Procedures for Preliminary Review 33
8.4.4 Documentation of the Preliminary Review 34
8.4.5 Audit Program Guide 34
8.4.6 Risk Management (Assessment of Internal Controls) 35
8.4.6.1 Definition 35
8.4.6.2 Objective 35
8.4.6.3 Risk Management Cycle 36
8.4.6.4 Risk Assessment 36
8.4.6.4.1 Risk Identification 37
8.4.6.4.2 Risk Category Determination 37
8.4.6.4.3 Risk Impact Assessment 38
8.4.6.4.3.1 Risk Likelihood Assessment 38
8.4.6.4.3.2 Assessment of Current Internal Control Effectiveness 39
8.4.6.4.3.3 Determination of Risk Score and Risk Level 40
8.4.6.4.3.4 Determination of Mitigation Activities, Deadlines and Responsible Officials 40
iv | P a g e
8.4.6.5 Risk Action Planning 40
8.4.7 Audit Programs 41
8.5 Fieldwork 43
8.5.1 Definition 43
8.5.2 Objectives of the Fieldwork 44
8.5.3 Documenting the Fieldwork 44
8.5.4 Audit Findings Form 45
8.5.5 Finding of Illegal Acts 46
8.6 Audit Report 46
8.6.1 Reporting Responsibilities 46
8.6.2 Working Papers Review 47
8.6.3 Draft Audit Report 48
8.6.4 Transmission of the Draft Audit Report 48
8.6.5 Exit Conference (Closing Meeting) 49
8.7 Final Audit Report 49
8.7.1 Audit Opinion 50
8.7.2 Distribution of the Final Report 50
8.7.3 Auditee’s Response to Audit Findings 50
8.7.4 Auditee’s Comments on the Performance of the Internal Auditor 51
8.8 Monitoring the Implementation of Recommendations 51
8.8.1 Follow-up Process 51
8.9 Pre-Audit of Client Entity’s Transactions 52
8.9.1 Establishment of a Voucher Register 52
8.9.3 Reports of Pre-Audit of Transactions 53
8.10 Monthly, Quarterly and Annual Reports 53
9.0 VALUE-FOR MONEY AUDITING 54
9.1 BACKGROUND 54
9.2 Due Regard for Economy, Efficiency and Effectiveness 54
9.3 Methods of VFM Auditing 55
9.3.1 Procedures or Process-Oriented Approach 55
9.3.2 Results-Oriented Approach 56
9.4 The Audit Process 56
10.0 INFORMATION TECHNOLOGY AUDIT 57
10.1 Background 57
v | P a g e
10.2 Computer-Assisted Audit Techniques (CAATS) 58
10.2.1 Concept of CAATs 58
10. 2.2 Use of CAATs by the Internal Audit Department 58
11.0. ESSENTIAL PRINCIPLES AND GUIDELINES FOR AUDITING 59
11.1 Human Relations Principles in Auditing 59
11.2 Other Principles 60
11.2.1 General 60
11.2.2 Time Management 60
11.2.3 Obtaining Information 60
11.2.4 Documenting Information 61
11.2.5 Nature of Compliance Tests and Substantive Tests 61
11.2.6 Sampling Techniques 65
11.2.7 Extent of Testing 65
11.2.8 Effectiveness of Systems of Control 66
11.2.9 Efficiency of Systems of Control 67
12. AUDIT DOCUMENTATION 67
12.1 Introduction 67
12.2 Requirements 68
12.3 Cross-Referencing 69
12.4 Retention Policy 69
= 12.5 Audit Files 70
12.5.1 Current Files 70
12.5.2 Permanent Files 70
12.6 Documentation Management and Control 70
12.7 Files Structure, Identification and Traceability 71
13 GENERAL SECURITY ISSUES 75
13.1 Information Security – Internal Audit Department 75
14. QUALITY CONTROL 76
14.1 General Auditing Quality Criteria 76
14.2 Quality Assurance Program 77
vi | P a g e
14.2.1 Ongoing Internal Reviews 78
14.2.2 Periodic Internal Reviews 78
14.2.3 Periodic External Reviews by Independent Auditors 78
14.2.4 Quarterly Report on the Internal Audit Department’s Activities 79
vii | P a g e
LIST OF ABBREVIATIONS
ACRONYM TERM
IAS Internal Audit Secretariat
PFM Public Financial Management Act of 2009
PFRM Public Financial Management Regulations
IAD Internal Audit Secretariat
ARIC Audit Recommendation Implementation Committee
LICPA Liberia Institute of Certified Public Accountant
AICPA American Institute of Certified Public Accountants
IIA Institute of Internal Auditors
IFAC International Federation of Accountants
ACCA Association of Chartered Certified Accountants
ACFE Association of Certified Fraud Examiners
1 | P a g e
1. INTRODUCTION
Section 38 of the Public Financial Management Act, 2009 (the Act) and Section H of the PFM
Regulations (the Regulations), requires each Liberian “government agency or government
organization” to establish its own internal audit unit”2. The Act and Regulations also state that
each Internal Audit Department works directly for the Internal Audit Governance Board
Secretariat (the Secretariat), and is directed by the Secretariat. The responsibilities of the IAD
are provided in the Internal Audit Charter which is agreed between the Secretariat and the
government entity. This charter is consistent with the mandate of the Secretariat as enshrined
in the Act and the Regulations.
The Internal Audit Manual (the Manual) has been developed in conformity with the Act and
requirements of the International Professional Practice Framework issued by the Institute of
Internal Auditors. The Institute of Internal Auditors is the global internal audit authoritative
body that promulgates standards commonly used by internal auditors around the world.
The Secretariat is an independent appraisal function established to examine and evaluate the
financial and operational activities of all government entities. The Secretariat also keeps a check
on compliance of rules, regulations, systems, policies, and procedures prescribed by the
government entities, or by regulatory authorities. It is an important and integral part of the
control system of the government entities, which ensures that necessary controls are in place in
financial and operational activities of the client entities. Internal Audit, with objectivity, directly
provides to the senior management analysis, appraisal, observations, and recommendations
concerning the activities it reviews.
1.1 Objectives
This Manual is not a text book on audit, the theory of which should be acquired by Internal
Auditors through the Secretariat, which, inter alia, will organize courses, in-house training and
workshops. The objectives of this Manual are to:
Document in detail the internal audit policies and procedures to be followed by Internal
Audit Departments.
Serve as a useful guide to the internal auditors in respect of their responsibilities,
approach, and authorities to conduct effective internal audits of client entities and to
communicate audit results to the relevant authorities.
Provide documentation to be used to improve systems and internal control procedures.
2 The Public Financial Management Act
2 | P a g e
1.2 Scope
This Manual prescribes the organizational structure, policies, procedures, formats, checklists,
guidelines, and reference documents to be used by Internal Audit Departments of government
agencies and government organizations to carry out their responsibilities. The responsibilities
of the IAD on communicating audit results, its approach, authorities, and strategies to achieve
its objectives have also been described.
The procedures in this manual to be followed by the IAD are in narrative language and are
supported by specimen operational procedures documents that have been appropriately
referenced and serially numbered to facilitate their easy identification. The Operational
Procedures documents are included in the Internal Audit Department’s Operational Procedures
Manual, Part II of the Internal Audit Manual.
1.3 Applicability
This Manual is intended to provide work instructions and guidance primarily to the staff of the
Internal Audit Departments of government agencies and government organizations, hereinafter
referred to as “client entities”. However, certain guidelines are also applicable to employees of
client entities, as detailed therein.
1.4 Clarifications
Requests for clarifications of or explanations on the contents of this Manual should be
addressed to the Executive Director of the Secretariat.
The Secretariat shall, from time to time, issue circulars and notices amending or adding to the
policies and procedures to keep pace with the changing business requirements, expansion of
the client entity’s activities, and modifications in the applicable laws, regulations, and internal
auditing standards.
1.5 Updating
The Secretariat may need to update the Internal Audit Manual to reflect changes in policies or
procedures as decided from time to time, driven by either changing business requirements,
expansion of the client entities’ activities, or amendments in the applicable laws, regulations, or
internal auditing Standards.
It is suggested that revisions be incorporated in the following manner:
Responsibility for approving revisions should be assigned to the Executive Director of
the Secretariat. Proposed revisions to the Manual should be drafted by the Manual
3 | P a g e
holders (see 1.6) and forwarded to the Executive Director, with a copy of the
section/sub-section proposed for modification.
The Executive Director shall review the proposed revision(s) and invite comments from
the relevant heads and senior management of client entities, when necessary. Based on
comments received, the Executive Director shall approve the proposed modification.
Following the above approval process, the Executive Director should:
Circulate the revised section(s) to all Manual-holders. The revised sections should
specifically state the date which the changes will be effective.
Recall all superseded pages and destroy them.
Retain his/her superseded copies as master record.
See Operational Procedure OP 27: Revisions to the Internal Audit Manual, and Annex 32:
Revision to the Internal Audit Manual
1.6 Manual Holders (Users of the Manual)
Copies of the Internal Audit Manual should be retained by:
The Members of the Audit Recommendation Implementation Committee (ARIC) of the
client entities.
The Heads of Administration of the client entity.
The Heads of Information Technology Departments of the client entity.
All Sectional/Departmental/Unit Heads of the client entity.
The Directors/Heads of the Internal Audit Departments in client entities.
The Internal Auditors of the client entities.
The Manual should be placed on the central Server for staff information (where applicable).
This Manual is to be treated as confidential. No part of this Manual may be photocopied or
taken out of office premises.
All Manual holders are required to return the Manual intact to the Director/Head of IAD upon
relinquishing their position due to transfer, promotion, retirement or any other reason.
4 | P a g e
1.7 Structure of the Internal Audit Manual
The Manual is divided into three sections. These include the following:
1.7.1 The Main Body
This section outlines all the elements and procedures that may be followed to establish and
manage an effective and efficient Internal Audit Department, as well as those that are required
to plan, execute and report on internal audit assignments.
Sections 1 and 2 explain the purpose of the Manual.
Sections 3 to 6 define the administrative activities required to manage an effective and efficient
Internal Audit Department.
Sections 7 and 8 outline the activities to be followed to plan, execute, report and follow-up on
audit assignments.
Sections 9 to 12 explain audit principles, documentation and quality assurance.
Sections 13 and 14 explain ethical requirements and how to manage the Internal Audit
Department.
1.7.2 Operational Procedures
The Operational Procedures Manual, Part II of the Internal Audit Manual, explains the
procedures for completing various forms and templates the internal auditor is planning for,
conducting and/or reporting on audit assignments. It also includes procedures for completing
forms and templates when the internal auditor is following up on the status of implementation
of the recommendations made in previous assignments.
1.7.3 Annexes
The Annex Section, which are included in the Operational Procedures Manual, Part II of the
Internal Audit Manual, contain the various forms and letters that should be completed when
planning, conducting, and reporting on assignments as well as when following-up on the status
of implementation of the recommendations of the audit. Each document has been assigned a
reference number. The reference number refers to the order of filing of the working papers as
explained in Section 12.7.
5 | P a g e
2. MISSION, DEFINITION, REPORTING & RESPONSIBILITY
2.1 Mission
The Government of Liberia Internal Audit Secretariat and its satellite Internal Audit Departments’ mission shall be to support client entities to achieve their objectives in a systematic and disciplined manner.
2.2. Definition of Internal Auditing
According to the global USA based Institute of Internal Auditors, “Internal Auditing is an
independent, objective assurance and consulting activity designed to add value and improve an
organization's operations. It helps an organization accomplish its objectives by bringing a
systematic disciplined approach to evaluate and improve the effectiveness of risk management,
control and governance processes”.
The client entity supports the Internal Audit Department as an independent appraisal function
to examine and evaluate the operational and financial activities of the client entity. The Internal
Audit Department follows the International Standards of Professional Practice of Internal
Auditing and the Internal Audit Manual of the Government of Liberia Internal Audit Secretariat.
2.3 Reporting
The Director/Head and staff of each Internal Audit Department report functionally and
administratively to the Secretariat. The Secretariat shall be the employer of the staff of the
Internal Audit Department in all client entities. The IAD shall submit all reports to both the
Secretariat and the relevant authorities, and the Audit Recommendation Implementation
Committee (ARIC) at the client entity. The reporting line to the ARIC of client entities shall be
for implementation of audit recommendations, and to ensure that the IAD is adequately
resourced to execute its mandate. The IAD shall also seek input from the relevant authorities
and ARIC at client entities during preparation of the annual audit plan for purposes of
incorporating risk concerns in the audit planning process.
See Operational Procedure OP 22: Transmission Letter Procedure and Annex 24: Transmission
Letter to ARIC Template
6 | P a g e
2.4. Responsibility
The Internal Audit Department shall have no direct responsibility or authority for any of the
activities or operations it reviews. It shall not develop and install procedures, prepare records,
or engage in activities that would normally be reviewed by auditors.
3. INTERNAL AUDIT MANDATE AND POLICIES
3.1 Mandate of Internal Audit Departments In Client Entities
The mandate of the IAD in the client entity is defined by the Internal Audit Charter and the
responsibilities imposed on the Internal Audit function by the Secretariat, the Act, and the
Regulations.
3.1.1 Scope of the Internal Audit Department
The scope of the IAD’s work is to determine whether the client entity’s network of risk
management, control and governance processes, as designed and presented by Management
of the client entity, is adequate and functioning in a manner to ensure that:
Risks are appropriately identified and managed;
Interaction with the various governance groups occur as needed;
Significant financial, managerial and operating information is accurate, reliable and
timely;
Employees’ actions are in compliance with policies, standards, procedures and
applicable laws and regulations;
Resources are acquired economically, used efficiently, and are adequately protected;
Programs, plans and objectives are achieved;
Quality and continuous improvement are fostered in the client entity; and
Accounting procedures are effective.
Opportunities for improving management control, and the client entity’s image, may be
identified during audits and communicated to the appropriate level of management.
3.1.2 Accountability
The Internal Audit Department of the client entity shall be accountable to the Secretariat. The
IAD shall:
7 | P a g e
Provide periodically to the Secretariat an assessment on the adequacy and effectiveness
of the client entity’s processes for controlling its activities and managing its risks in the
areas set forth under the scope of IAD’s annual plan.
Conduct pre-audits of financial and non financial transactions to provide assurance of
conformance with relevant and applicable policies, procedures, regulations and laws.
Perform continuous audits and risk assessments of all financial and operational activities of the
client entity.
Audit and validate monthly financial statements produced by the client entity for both internal
and external users.
Report significant issues related to the processes for controlling the activities of the
client entity and its affiliates, where applicable. Provide recommendations for
improvements of those processes, and report such issues until they are resolved.
Periodically provide information on the status and results of the annual audit plan and
the sufficiency of the IAD’s resources.
Co-ordinate with and provide oversight of the other control and monitoring functions,
such as risk management, compliance, security, ethics, environmental, etc.
3.1.3 Responsibility
The primary objective of Internal Audit function in the client entity is to assist the Management
in the effective discharge of its responsibilities. In order to carry out this responsibility, the
Internal Audit Department shall:
Develop an annual audit plan with input from the ARIC and submit the annual audit plan
to the Secretariat for review and approval.
Implement the approved annual audit plan, including, and as appropriate, any special
tasks or projects requested by the Management of the client entity and/or the ARIC of
the client entity.
Maintain professional audit staff with sufficient knowledge, skills, experience, and
professional certifications to meet the requirements of the audit function in the client
entity.
8 | P a g e
Keep abreast of relevant best practices and new developments affecting the work of the
IAD and in matters affecting the client entity’s activities.
Respond to the client entity’s changing needs, and strive for continuous improvement
and maintain integrity in carrying out its activities.
Issue reports to Management and/or ARIC, with copies to the Secretariat, detailing
results of audit activities.
Assist in the investigation of significant suspected fraudulent activities within the client
entity and notify Management and ARIC, with copies to the Secretariat, of the results.
3.1. 4 Responsibility of Management
The primary responsibilities for the establishment of internal controls, ensuring compliance
with laws, regulations and ethical standards within the client entity lies with the management
of the client entity.
3.1.5 Authority
The IAD has the authority to audit all activities of the client entity and shall have complete
access to any of the records, physical properties, and personnel, relevant to the performance of
an audit. Documents and information given to internal auditors shall be handled as prudently as
they would be by those employees normally accountable for them.
The IAD will have no direct responsibility or authority for any of the activities or operations it
reviews or audits. It should not develop and install procedures, prepare records, or engage in
activities that would normally be reviewed by auditors.
The Internal Audit Department is authorized to:
Have unrestricted access to all Units/Departments/Sections within the client entity and
access to the records, property and personnel of the client entity;
Have full and free access to ARIC members;
Allocate resources, set audit frequencies, select auditable subjects, determine scope of
audit work and apply the techniques required to accomplish audit objectives;
Obtain the necessary assistance of personnel in Units/Departments/Sections of the
client entity where they perform audits, as well as other specialized services from within
or outside the client entity.
9 | P a g e
Conduct continuous reviews and pre-auditing activities in order to support the internal
controls processes of the client entity.
3.2. INTERNAL AUDIT POLICIES
The salient features of audit policies are summarized as follows.
3.2.1 Objectives of Internal Audit Departments
The objectives of the Internal Audit Departments are:
a. To ensure audit assignments are based on risk assessment of client entities’ systems and
procedures, focusing on reviewing and introducing controls to minimize the risks.
b. To add value to the client entity’s activities. The IAD should exceed the traditional
“policing” role and be supportive to line management in developing and running the
client entity’s business within the defined controls, without being involved in actual
operations.
c. To test and evaluate performance and adequacy of controls through critical reviews for
effectiveness, integrity of transaction processing, and safeguarding the client entity’s
interest.
d. To, when the IAD has identified potential issues, issue early warning alerts by raising red
flags to enable Management of the client entity to deal with the issues in a timely
manner.
e. To issue reports on the extent of compliance on the client entity’s policies and
procedures and regulations, and assess implementation and compliance thereon.
f. To review organizational and procedural changes introduced by the client entity to
assess availability of controls therein and that these are feasible for the client entity.
g. To evaluate policies and procedures before their finalization to assess whether
adequate built-in controls are in place.
h. To provide suggestions and recommendations to improve the management of the client
entity.
10 | P a g e
i. To, on an ongoing basis, follow up on all audit observations and recommendations to
ensure that Management has implemented them.
j. To test and evaluate liabilities before (or after) their settlement, depending on the
associated risks.
k. To ensure the reliability of financial information generated by the client entity.
3.2.2 Audit Approach
In reviewing the client entity’s activities, the IAD should review systems and procedures,
including the individuals performing those procedures, with the aim of identifying control
weaknesses in the systems and procedures. The observations and recommendations made by
the IAD should be constructive, with the goal of assisting the client with long-lasting and overall
improvement in the operations of the client entity.
3.2.3 Conduct and Role of Internal Audit staff
The Internal Audit Secretariat’s Code of Conduct and Ethics shall be seen as a necessary
complement, reinforcing the Internal Audit Charter, Code of Ethics issued by Institute of
Internal Auditors, Code of Ethics issued by International Federation of Accountants (IFAC), Code
of ethics of other professional bodies like AICPA, ACCA, ACFE etc., and Code of Conduct and
Ethics for the Government of Liberia. (Please refer to the Code of Ethics Manual).
3.2.4 Audit Activities
Audit activities are carried out in order to:
a. Determine the extent of compliance with the established policies & procedures and
regulations based on the risks involved therein.
b. Evaluate the soundness of operating and financial controls and their cost effectiveness.
c. Ascertain the extent to which the client entity’s assets are safeguarded and deployed
gainfully.
d. Appraise the reliability of information generated by the client entity.
e. Evaluate the quality of performance in carrying out the tasks and responsibilities
assigned to various employees.
f. Provide suggestions for improving the control environment of the client entity.
11 | P a g e
g. Investigate allegations of fraud, misappropriation, or possible loss to the client entity,
and suggest corrective and preventive measures to avoid future mishaps.
h. Provide consultation to line management wherever they seek IAD’s views in resolving
complex issues confronted by them.
i. Review new products, services and computerized systems being proposed (before they
are finally offered and accepted) to client entity to ensure adequacy of controls therein.
j. Review policies and procedures before they are finalized to ensure that necessary
controls and procedures are taken into consideration.
4. AUDIT RECOMMENDATION IMPLEMENTATION COMMITTEE
4.1 Introduction
The purpose of this section is to provide guidance on the roles, composition and responsibilities
of the Audit Recommendation Implementation Committees (ARIC), to enable them to function
effectively. The Act and the Regulations require all public sector entities to ensure
implementation of the recommendations included in audit reports. The framework for the
professional practice of Internal Auditing issued by the Institute of Internal Auditors also
requires organizations to have effective Committees to address audit related issues. Such a
Committee is a statutory and high level governance committee in the public sector financial
management system. This committee shall, among other things, promote the effective
functioning of Internal Audit Departments, and follow up on the implementation of audit
recommendations. This is to ensure efficient and effective utilization of public resources in line
with the objectives of the Public Financial Management Reform Programs. Section K5 of the
Regulations imposes clear and unambiguous sanctions for non-implementation of audit
recommendations issued by both the General Audit Commission (GAC) and the Internal Audit
Department.
4.2 Access to Information
The Audit Recommendation Implementation Committee shall have unrestricted access to all
information, documents, personnel and adequate resources in order to fulfill its
responsibilities. It is therefore important that the Internal Audit Secretariat works closely with
12 | P a g e
the ARIC to ensure its effectiveness in implementing audit recommendations and providing full
support to the IAD.
4.3 Composition of the Audit Recommendation Implementation Committee
The Act and the Regulations require all public sector entities to establish an Audit
Recommendation and Implementation Committee which shall comprise of:
in the case of ministries, The Minister, Deputy Minister for Administration, and a third
senior ministry official with relevant technical knowledge;
in the case of a public corporation which has a Board comprising of both executive and
non-executive members, only non-executive board members;
in the case of commissions or other autonomous agencies or bodies, the head of the
entity and two of its most senior officials.
It is envisaged that members shall be given induction and guiding principles on their roles,
responsibilities and participation in the work of the Audit Recommendation Implementation
Committee. Members are expected to be diligent in their work.
4.3.1 Co-opted Members
In the performance of its functions, the Audit Recommendation Implementation Committee
may co-opt any senior management personnel to serve on the Committee.
4.4 The Roles and Responsibilities of the Audit Recommendation Implementation Committee
The Audit Recommendation Implementation Committee is mandated to:
a. Ensure the implementation of the recommendations in all audit reports of the client
entity.
b. Follow up on the IAD, Auditor-General, and Public Accounts Committee’s
recommendations in reports concerning public entities.
c. Ensure full support to and collaboration with the IAD.
d. Ensure that the IAD is provided with the necessary resources required to facilitate the
discharge of its mandate.
13 | P a g e
It shall be the duty of the ARIC to ensure that the client entity:
a. Pursues the review and implementation of matters in all audit reports as well as
financial matters raised in the reports of internal monitoring units in the client entity.
b. Annually prepares a statement giving the status of the implementation of
recommendations made in all internal audit reports, as well as the Auditor-General‘s
reports which have been accepted by the legislature.
With regard to internal audit, the Audit Recommendation Implementation Committee shall:
I. Review, make inputs and sign off on the annual audit plans as an indication of its
commitment to fully cooperate and support the IAD in executing the annual audit plans.
II. Receive updates on the performance of Internal Audit Departments against its annual
audit plans.
III. Monitor the implementation of audit recommendations.
4.5 Meetings of the Audit Recommendation Implementation Committee
In order to effectively discharge its responsibilities, the ARIC shall meet at least once every
quarter of the financial year. Any majority of the membership of the ARIC shall constitute a
quorum. The ARIC shall have its own procedures on how to conduct its meetings.
4.6 Evaluation of the Audit Recommendation Implementation Committee
The Auditor-General shall evaluate the performance of the ARICs annually to ensure that they
perform effectively and that the client entities benefit from the work of the ARIC.
5 PERSONNEL AND TRAINING
5.1. Competence
The internal audit activities of the client entity shall be carried out by:
- The Director/Head of the Internal Audit Department.
- Internal Audit Staff of the Internal Audit Department.
14 | P a g e
The Director/Head of the Internal Audit Department is responsible for maintaining a team of
staff that collectively possesses the necessary knowledge, skills and disciplines for the
achievement of the IAD’s objectives. In particular, the Director/Head of the Internal Audit
Department is to:
- ensure staff possess appropriate professional skills, qualifications and experience; and
- provide opportunities to facilitate the continuing professional development of staff.
5.2 Resourcing
Under normal conditions, internal audit work is to be performed by staff of the Internal Audit
Department. Circumstances may arise where the Internal Audit Department may require
supplement its staffing by the appointment of consultants.
The Internal Audit Department may use the services of an audit services provider to:
- Satisfy the IAD’s staffing needs during workload peaks,
- Assist the IAD in the effective discharge of its responsibilities,
- Assist the IAD in the evaluation of risks and the controls over such risks,
- Utilize individuals with specialized knowledge or skills, and
- Carry out specialized audits such as IT Audit.
Services required from a consultant shall be acquired through the submission of a proposal by
the Director/Head of the Internal Audit Department, including justification for such services.
The request for such a service is subject to approval by the Secretariat.
See OP 28: Ad Hoc Internal Consultancy Services Procedure
5.3 Training and Professional Development
Internal Auditors should be trained in order to have the technical knowledge and skills to carry
out their assignments, and should keep informed about developments in internal audit
standards, procedures, and techniques. Each Internal Auditor is responsible for maintaining an
adequate level of technical competence and proficiency in related processes and systems.
5.3.1 Training and professional development plans
Regular training of Internal Auditors enables them to acquire the necessary skills required for
internal audit work. The Director/Head of the Internal Audit Department shall prepare annual
15 | P a g e
training and professional development plans. The preparation of such plans shall be
coordinated with the preparation of the Annual Audit Plans. In developing the training plan, the
Director/Head of the Internal Audit Department shall work with each audit staff in identifying
and mapping out his/her training needs.
The Internal Audit Department Annual Report should include a report on the implementation of
the training and professional development plans, including the following:
- training courses attended,
- audits carried out and methodology applied,
- professional qualifications acquired, and
- training on MIS, Microsoft and other software.
5.3.2 Continuing Education
Each Internal Auditor is responsible for continuing his/her own professional education in order
to maintain his/her proficiency, and should:
Possess the knowledge necessary for conducting internal audits.
Pursue a recognized, continuous process of professional education in order to sustain
continuous professional growth in the field of Internal Auditing.
The Internal Audit Department staff members are encouraged to prepare and sit for
examinations for professional certification. Any of the following certifications should be
considered:
- Certified Internal Auditor (CIA).
- Certified Public Accountant (CPA).
- Certified Information Systems Auditor (CISA).
- Certified Fraud Examiner (CFE).
- Chartered Accountant (CA / ACCA).
- Certified Government Audit Professional (CGAP).
- Certification in Control Self-Assessment (CCSA).
- Certified Financial Services Auditor (CFSA).
16 | P a g e
- Certification in Risk Management Assurance (CRMA).
Internal auditors with professional certifications should obtain sufficient continuing
professional education (CPE) to satisfy the requirements of professional certifications held. The
Internal Auditors will attend seminars and training workshops as deemed appropriate and in
line with the training program developed by the Internal Auditor and the Director/Head of the
IAD.
5.3.3 Training Records
Adequate training records shall be maintained for each Internal Auditor. These shall include
details of skills requirements for all positions. Training records should also be kept for those
internal auditors who need to comply with continuous professional required by professional
bodies they have been certified by. These records are essential for assessing further training
needs.
5.3.4 New Internal Auditor Staff
All new Internal Audit staff members will receive an orientation session or baseline training,
including training on:
i. The PFM Act and Regulations;
ii. The Public Procurement and Concessions Act (PPCA) and the World Bank
Procurement Procedures;
iii. The Civil Service Agency (CSA) Regulations and Policies;
iv. The General Services Agency (GSA) Regulations and Policies;
v. Liberia’s budgeting system including Medium Term Expenditure Framework;
vi. ICT systems (Information and Computer Technology) including IFMIS, IDEA and the any other applicable software necessary for the discharge of the duties of the internal auditor;
vii. Overview of the Internal Audit Manual; and
viii. Internal Audit Tools and Techniques.
17 | P a g e
6. MANAGING INTERNAL AUDIT DEPARTMENTS
6.1 Role of the Director/Head of Internal the Audit Department
The Director/Head of the Internal Audit Department shall properly manage the IAD and shall:
Establish risk-based plans to determine the priorities of the audit activity consistent with
the client entity’s goals and the key audit priorities identified by the Secretariat;
Ensure that professional internal auditing standards and practices are followed;
Create annual plans and implement annual plans;
Ensure that financial and human resources are appropriate, sufficient and allocated for
the effective implementation of the annual audit plans;
Ensure that audit planning, fieldwork, reporting and follow-up are performed in
accordance with the Secretariat’s standards and directives/circulars;
Adopt and maintain the Secretariat’s Quality Assurance policy for internal and external
reviews;
Seek directions and guidance from the Secretariat on the extent of coordination and
collaboration with external auditors and/or assessment teams to avoid duplication of
audit effort.
Hold periodic meetings with the Secretariat, share audit plans with the Secretariat, and
have working papers reviewed by the Secretariat, when required;
Communicate audit assignments plans and resource requirements for the IAD, including
impact of resource limitation (where appropriate) to the Head of the Audit
Recommendation Implementation Committee and the Head of the client entity;
Review working papers to find out if they contain a time budget analysis for the project
that identifies:
o hours budgeted by audit segment.
o actual hours by audit segment.
18 | P a g e
o variances between budget and actual hours with explanations of material
variances.
Ensure the timely and efficient completion of audit engagements;
Prepare and submit weekly, monthly and quarterly reports required by the Secretariat
in the stipulated format; and
Perform those activities that are required by the Secretariat.
6.2 Assignment of Audits
It is the responsibility of the Director/Head of the Internal Audit Department to assign the audit
activities taking into consideration factors which may influence the scheduling and assignment
of audits, such as:
Degree of risk or exposure to loss;
Type of audit;
Availability of appropriate client entity staff resources;
Skills and availability of the IAD’s internal audit staff;
Availability of client entity staff resources due to unanticipated audits; and
Availability of logistical resources.
The Director/Head of the Internal Audit Department shall assign the audits and tasks to internal
auditors according to the nature and complexity of the audit and the internal auditor’s
experience, skills, knowledge as well as special preparation.
6.3 Audit Procedures
The Director of the Internal Audit Department shall ensure that the IAD conducts audits and
reviews according to generally accepted auditing standards using such audit programs,
techniques and procedures as prescribed by the Secretariat and the profession. The operation
of the internal audit functions to be carried out must be consistent with:
- The Internal Audit Charter;
- The Internal Audit Manual;
- Statement of responsibilities (Job Descriptions);
- Code of Ethics and Conduct Manual, and the Code of Ethics as issued by the IIA;
- The Standards for the Professional Practice of Internal Auditing as issued by the IIA;
19 | P a g e
- The Act and Regulations on internal audit in Liberia; and
- Directives and circulars issued by the Secretariat.
6.4 On-the-Spot Examination and Testing of Management and Control Systems
On site, the Internal Auditor must aim to obtain sufficient convincing, appropriate, and reliable
evidence that the management and control systems in place are operating as described, and
that they are adequate to ensure the regularity of expenditures and the accuracy and
completeness of financial and other information. In carrying out audits, Internal Auditors
should check that the system described actually exists in practice, and that appropriate
mechanisms exist to keep the documentation and the system up to date.
Testing to be carried out involves the documentation of systems through reviews of policies,
procedures, operating manuals, files, supplemented where necessary, by interviews with
relevant staff, including the testing of the operation of those systems. Testing of the operation
of systems should be carried out through examination of a sample of transactions. Sufficient
testing should be carried out to enable sound conclusions to be reached on the efficiency of the
systems under examination. Where the Director/Head of the Internal Audit Department
determines there is a high risk of non-compliance with the relevant regulatory requirements,
continuous audits and pre-audits should be carried out to support the client entity in complying
with its requirements. The Secretariat shall require pre-audits and continuous auditing by IADs
of all disbursements, until the Secretariat is convinced that there is no longer the need for pre-
auditing of disbursements on a continuous basis in the respective client entity.
6.5 Audit Control
The Director/Head of the Internal Audit Department shall review the completed audit work of
internal auditors to ensure compliance with the standards. S/he shall also supervise the audit
work to ensure that the planned time-table is met and the time allocated for the audit is used
effectively. Audit control can be delegated to a Senior Internal Auditor who will be responsible
for reviewing in detail the work of other internal auditors. The work of the Senior Internal
Auditors must be reviewed by the Director or Head of the IAD to ensure the quality and
adequacy of work performed.
20 | P a g e
6.6 Personnel Management and Professional Development
The Director/ Head of the Internal Audit Department shall establish a program for recruiting
internal auditors and for developing IAD human resource capacity. The program shall provide
for:
1. Developing written job descriptions for each level of the internal audit staff.
2. Recruiting qualified and competent individuals.
3. Training and continuing professional educational opportunities.
4. Appraising each auditor's performance at least annually.
5. Providing counsel to internal auditors on their performance and professional
development on an on-going basis.
6.7 Certification Programs
One aspect of professional development is obtaining professional certification as a Certified
Internal Auditor, Certified Information Systems Auditor, or Certified Fraud Examiner, etc. To
increase the professionalism and credibility of the internal audit staff, the Secretariat shall
support internal auditors' efforts in achieving certification through obtaining study aids, etc.,
depending on the needs of the client entities.
Professional certification is a factor used in the Secretariat's annual employee performance
appraisal. Professional development through certification, membership, and participation in
professional organizations shall be encouraged. Furthermore, training in other areas as needed
by the client entities and also required to perform the assigned duties, may also be arranged for
internal auditors.
7. INTERNAL AUDIT STRATEGY AND PLANNING
The Secretariat shall develop a three-year strategic plan on a revolving and rolling basis, which shall
form the framework for the annual plan that the Internal Audit Department shall develop. The annual
audit plan to be developed by the IAD of the client entity shall be structured on two levels:
- an entity-wide risk assessment; and
21 | P a g e
- development of a revolving annual audit plan premised on the risk assessment.
7.1 Strategic Plan
The long term planning document, or the strategic work plan, must identify all the key audit priority
areas within the public sector (including quasi-public sector institutions) which the Internal Audit
Department shall focus on during the subsequent three years. Identification and prioritization of thrust
(auditable) areas are to be based on:
An assessment of risk pertaining to the achievement of the client entity objectives.
Human resources and competency of the IAD.
Discussions with key stakeholders and other senior management.
Professional judgment of internal auditors.
The Strategic Plan shall be sufficiently comprehensive to ensure a complete and effective review of the
client entity’s activities on a cyclical basis and allow flexibility to accommodate special tasks and audits
requested by stakeholders
See Operational Procedure OP 00: Strategic Planning Procedure, and Annex 1: Strategic Plan
Template.
7.2 Annual Audit Plan
7.2.1 Purpose and Content
An Annual Audit Plan which includes objectives, priorities, timing and resource requirements
should be prepared each year on a revolving basis for each client entity. The Annual Audit Plan
is primarily an extract/subset from the Strategic Plan. It forms a basis for ongoing review of the
Strategic Plan. The Annual Audit Plan should be prepared by the IAD, and approved by the
Executive Director of the Secretariat. The Annual Audit Plan shall include:
- Types of audits to be performed during the current year;
- Audit program; and
- Allocated resources (time management).
The Annual Audit Plan can be revised following suggestions from the ARIC and other senior
managers, change in priorities, change in risk assessment, and important changes in the client
22 | P a g e
entity’s activities. Any change to the Annual Audit Plan must be approved by the Secretariat.
In formulating the Annual Audit Plan, the Internal Audit Department will consult with senior
management of the client entity, including the ARIC.
The Management Input Memo will be used to obtain suggestion, determined priorities and
important changes in activities from Management at the client entity and the ARIC.
See Operational Procedure OP01: Annual Audit Plan Procedure, and Annex 2: Management
Input Memo.
The Annual Audit Plan should include:
- Objectives/purpose of the audit;
- Identification / description of the activity / operation subject to internal audit;
- Duration of the audit;
- Period of the audit;
- Number of internal auditors involved in the audit;
- Identification of issues requiring specialized knowledge;
- Number of specialists with whom external expertise / consultancy contracts are to be
signed; and
- Internal Auditors to perform an audit and the resources needed.
If at any point in time, the Internal Audit Department is requested to undertake a special or un-
planned assignment, or if there is a change in the risk assessment of the client entity operations
requiring an amendment of the approved Annual Audit Plan, the Internal Audit Department,
with approval of the Executive Director of the Secretariat, will update the Annual Audit Plan to
include the special assignment or reflect the revised risk assessment,.
See Operational Procedure OP01: Annual Audit Plan Procedure and Annex 4: Annual Audit
Plan Template.
23 | P a g e
7.2.2 Audit Resources
Up to a maximum of 15% of each internal auditor’s annual working time can be left
undistributed in an annual audit plan to allow some flexibility and assure the applicable
execution of IAD activities (e.g. for possible illnesses, execution of unplanned audit and other
important circumstances). This 15% can be broken down as follows:
5% - Ad hoc investigations,
5% - Consulting activities, and
5% - Flexibility.
7.3 Assignment Planning – Audit Agenda (or Audit Program Guide)
In planning each audit assignment, the Director/Head of the IAD should consider:
- The objectives of the activity being reviewed;
- The significant risks to the activity, and the resources needed; and
- The adequacy and effectiveness of the activity’s risk management and control systems
and suggestions for making significant improvements.
The task of planning is ensured by using an Audit Program Guide.
7.3.1 Time Budget
A time budget provides overall guidelines for the performance of the audit. It is approved by
the Director/Head of the Internal Audit Department and enables the IAD to control the audit
work in process.
7.3.2 Purpose of the Audit Program Guide
The Audit Program Guide is a task plan prepared as a framework for the conduct of the audit
assignment and is used as a guidance to the internal auditors undertaking the review. The
purpose of an Audit Program Guide is to provide audit procedures to be performed during the
audit that will achieve the specific audit objectives. The Audit Program Guide is also a record of
supervisory approval of work to be performed. It provides a basis upon which to budget and
control the audit. The following of an approved and detailed Audit Program Guide will prevent
the internal auditor from getting off track and thus pursuing irrelevant items. In conjunction
with the Audit Program Guide and the Internal control rating, the internal auditor should
develop Audit Programs to be approved by the Director or Head of Internal Audit.
24 | P a g e
7.3.3 Content of the Audit Program Guide
The Audit Program Guide includes information under the following headings:
Background
At the beginning of the audit, provide a general overview of the client entity's
operations.
Planning
The planning program must be written before the internal auditor begins the
audit.
Audit Scope
The audit scope should mention which periods/areas/ operations are to be
covered by the audit.
Audit Objectives
Objectives should fit within the overall scope of the audit. Every audit procedure
should help to answer one of the objectives, and every objective should be
addressed in the procedures. All stated objectives must be answered and
supported by test work, referencing such test work to audit programs developed
by the Internal Auditors. Internal Auditors must use imagination, ingenuity and
intelligence in creating audit procedures which are responsive to audit
objectives.
Administration and Wrap-up
This includes all procedures not related to planning and testing, for eample,
completing forms, report writing, etc.
See Operational Procedure OP11: Audit Programs Development Procedure and Annex 15:
Audit Program Templates.
7.4 Reviews and Meetings
The Director/Head of the Internal Audit Department may provide to the ARIC and/or the
Executive Director of the Secretariat periodic oral or written interim reports on its progress in
terms of the Annual Audit Work Plans. Interim reports on significant matters and matters of
concern that need immediate attention, changes in audit scope, and other relevant issues
should be communicated in written form. The IAD should hold regular meetings, preferably
weekly, to review and discuss the internal audit process, and the implementation of the annual
audit plan. The Director/Head of the Internal Audit Department is responsible for the
implementation of the Annual Audit Plan. She/he is also responsible for establishment of an
effective supervision system to ensure that the Annual Audit Plan is implemented. Reviews
25 | P a g e
performed on the implementation of the Annual Audit Plan shall be registered in the summary
document on the preparation and implementation of the audit stages. This shall be filed in the
audit file, which provides evidence to the management that the work has been completed. The
Director or Head the Internal Audit Department shall also sign off on all documents in the audit
file requiring review.
7.5 Timekeeping by Internal Auditors
The Internal Audit Department should record time spent on performing internal audits. This
will assist in reporting internal audit coverage of risks, planning of future internal audits and
projects, and evaluating internal audit staff. Internal Auditors are required to prepare a weekly
Time Sheet, and to submit it to the Director of the IAD on a weekly basis.
See Operational Procedure OP26: Timekeeping Procedure, and Annex 26: Weekly Time
Sheet.
8. AUDIT ASSIGNMENT METHODOLOGY
8.1 Introduction
This section of the Internal Audit Manual explains the procedures for conducting an audit assignment in
a selected priority (thrust) area, from the initial assignment through to the quality review stage.
In the Operational Procedures Manual, Part II of the Internal Audit Manual, are standard forms
and samples to be used by the internal auditors when conducting audit assignments.
References assigned to the standard forms, etc. refer to their appropriate filing in the working
papers files.
See Section 12.7 on Audit Documentation.
8.2 Stages of an Assignment Audit
The audit process is similar for most audit engagements and normally consists of four main stages:
- Planning,
- Fieldwork,
- Audit Report, and
26 | P a g e
- Follow-up Review.
The client entity Management’s involvement is critical at each stage of the audit process. Usually, any
planned audit is to be carried out observing the applicable audit program. Special audits and
investigations may, however, require a different approach which will be defined on a case-by-case basis.
The Process Flowchart presented below gives a global view of the reporting and follow-up stages of the
audit assignment, and walks the internal auditor through the audit steps and the decisions which need
to be at these stages of the audit.
Audits should be carried out using the following sequence in the Flowchart. Special audits and
investigations may require a different approach, which will be defined on a case-by-case basis.
27 | P a g e
FLOWCHART
PROCESS OUTPUT/STANDARD FORM
Auditor prepares Draft Audit Report
Draft Audit Report
Director/Head of IAD Reviews
Draft Report
Audit Report review sheet
Complete? No
Yes
Auditor Schedules Exit Conference
Draft Audit Report
Exit Conference Memo
Conduct Exit Conference Exit Conference minutes
Prepare Final report Final report
Director/Head of IAD reviews Final report
Audit Report review sheet
Director/Head of IAD reviews Final report
Complete?
Auditee Responds to Final Report
Auditor follows up to assess status of implementation of
audit recommendations
Transmittal Memo
Final Report
Management Response
Implementation status
report
No
Yes
REP
OR
TIN
G
FOLL
OW
UP
28 | P a g e
The process Map shown on the next page charts the audit steps to the relevant Operational
Procedures and Annexes found in the Operational Procedures Manual.
The left side of the chart indicates each step of the internal audit process.
The right side of the chart indicates the output of the audit process, referencing the
related operational procedure and corresponding form, template, format, if applicable.
The Operational Procedures Manual includes operational procedures and standard forms,
templates and formats, as well as relevant samples.
29 | P a g e
PHASES PROCESS OUTPUT/STANDARD FROM
Follow up Process Annex 29 Audit Implementation OP 24 Status Report
Review Final Report
Distribute Final Report
Auditee Responds to Final Report
Annex 23 Audit Report review Sheet OP 21
Annex 24 Transmittal Memo OP22 Annex 22 Final Audit Report OP 20
Annex 25 Management Response OP 23
FOLL
OW
UP
Annex 21 Exit Conference Minutes OP 17
PROCESS MAP
Initiate Audit
Conduct Entry Conference
Tailor/Develop Programs
Review Audit Program
Conduct Risk Assessment
Perform Field Work (Gather and analyze evidence, Complete Working
Papers)
Review Working Paper
Conduct Exit Conference
Prepare Draft Report
Review Draft Report
Schedule Exit Conference
Prepare Final Report
Annex 7 Notice to Interested Parties OP 04
Annex 7 Audit Entrance Memo OP 05
BACKGROUND Information Internal Controls Assessment OP 08-2 ANNEX 7 Thrust Area Working Paper O P08-1 ANNEX 13 Risk Assessment Form
Annex 15 Prepare Audit Program OP 11
Annex 15 Approved Audit Program OP 11
Standard/tailored Working Papers Annex 18 Evidence Gathering OP 12 Annex 16[F01] Summary of interview Annex 17 Test Working Paper OP 13 Annex 17`Audit Finding Form OP15/A03-1
Annex 20 Working Paper Review OP 16
Annex 22 Draft Audit Report OP 18
Annex 23 Audit Report review Sheet OP 21
Annex 21 Exit Conference Memo OP 17 Annex 22 Draft Audit Report OP 18 Transmit Draft Audit Report OP 19
Annex 22 Final Report OP 20
REP
OR
TIN
G
EXC
UTI
ON
P
LAN
NIN
G
30 | P a g e
8.3 Initiation of the Audit Process (Planning Stage)
8.3.1 Auditors Assignment
Based on the approved annual audit plan, the Director/Head of the Internal Audit Department
will assign audit engagements in different priority (thrust) areas to the internal auditor(s). After
being assigned an audit, the internal auditor will begin the preliminary review process. An
Audit Assignment Form for the audit assignment will be issued.
See Operational Procedure OP02: Audit Assignment Procedure and Annex 5: Audit
Assignment Form.
The independence and qualification of the selected internal auditor(s) must be established and
documented. To document the independence and the qualification of the internal auditor(s)
assigned to an engagement, an Independence and Qualification Statement is issued.
See Operational Procedure OP03: Independence and Qualification of Staff Procedure, and
Annex 6: Independence and Qualification Statement.
8.3.2 Auditee Notification
The IAD shall notify the Auditee of the client entity via a memo, that an audit has been
scheduled.
See Operational Procedure OP05: Audit Entrance Memo Procedure, and Annex 8: Audit
Entrance Memo Template.
8.3.3 Request for Internal Audit Services
Interested parties/stakeholders may take the initiative of requesting internal audit services. To
ensure that internal audit needs are expressed, a Management Input Memo should be sent by
the IAD to the client entity’s various departments/units prior to preparing annual audit plans.
This is to inform the departments/units that the IAD is in the process of preparing an annual
audit plan. The client entity’s departments/units should be invited to express their needs for
internal audit services. All requests submitted by the departments/units must be considered
and discussed by the IAD. The decision to perform, or not to perform the requested service(s),
will be made by the Director/Head of the Internal Audit Department, in corroboration with the
ARIC or the Secretariat.
31 | P a g e
See Operational Procedure OP 01: Annual Audit Plan Procedure, and Annex 4: Annual Audit
Plan Template.
See Operational Procedure OP 01: Annual Audit Plan Procedure, and Annex 2: Management
Input Memo Template.
8.3.4 Notice to the Interested Parties
A letter (Notice to Interested Parties) shall be sent to all interested parties to inform them that
the Internal Audit Department is initiating an internal audit of the client entity’s
department/unit/branch. Its purpose is to organize a meeting with the auditee at the client
entity to discuss the purpose, objectives and the working arrangements of the internal audit.
See Operational Procedure OP04: Notice to Interested Parties Procedure, and Annex 7: Notice
to Interested Parties Template.
During the meeting with the auditee at the client entity, issues to be discussed may include
possible requests for delaying the audit due to poor timing or unusual circumstances, special
concerns of the client entity, etc. Such requests for postponement of the audit must, however,
be justified by the party requesting the postponement. In the event such delays conflict with
best professional internal audit practice and good governance, the Secretariat shall be notified.
8.3.5 Entrance Conference (Initial Meeting)
An entry conference should be held with the auditee to gather information about the mission, critical
processes, and control procedures of the auditee’s operations, which will be used in the preliminary
review process. The internal auditor uses this information to determine an appropriate objective and
scope for the internal audit. During the initial meeting, it is important that the senior manager and any
staff members s/he wishes to include in the meeting be present to identify issues or areas of special
concern that should be addressed. At this stage it is advisable to provide the auditee with the
explanation or written guidelines to expedite the audit process, minimizing disruptions to the day-to-
day operations of the department/unit.
See Operational Procedure OP 07: Entrance Conference Procedure, Annex 11: Guideline to
Auditee for Handling an Audit, and Annex 3: Questionnaire to Auditee (Self-Assessment
Questionnaire) Template.
8.3.6 Audit Entrance Conference Memo
32 | P a g e
The audit entry conference’s date, attendees, and substantive issues discussed which are
directly related to the audit scope, objectives, timing, or confidentiality should be documented
using an Entry Conference Memo. The audit entrance conference must be attended by at least
two internal auditors.
See Annex 8: Audit Entrance Conference Memo Template.
8.3.7 Memorandum of Audit Scope and Objectives
After the Entry Conference, a Memorandum confirming the audit scope and objectives is to be
sent by the IAD to the Auditee, to confirm the mutual understanding of the audit objectives and
scope.
See Operational Procedure OP06: Confirmation of Audit Scope and Objective Procedure, and
Annex 10: Memorandum of Confirmation of Audit Scope and Objectives Template.
8.4 Preliminary Review
8.4.1 Definition of the Preliminary Review
The Preliminary Review is the identification and analysis of risk related to the audit. It should
lead to the elaboration of the Audit Agenda. During the preliminary review, the internal auditor
gathers relevant information about the department/unit to be audited in order to obtain a
general overview of the department/unit’s operations. The preliminary review, if done
correctly, will provide a clear picture of the client entity’s operations and internal controls, such
as segregation of duties, reconciliation of accounts, and procedures in place, etc.
8.4.2 Objectives of the Preliminary Review
The Preliminary Review has two main objectives:
1. The internal auditor uses professional judgment and available information to determine
the most appropriate audit objective(s) and scope, for example, statement of audit
boundaries.
o The audit objective(s), scope, and time budget should be constantly reassessed
throughout the audit process to ensure efficient use of audit resources: should
the remaining audit procedures be eliminated; should the objective or scope be
limited or expanded; have more efficient procedures been identified; or, should
additional hours be allocated. If, through this constant re-assessment, significant
changes are made to the objective and/or scope initially agreed upon with the
33 | P a g e
Secretariat, Audit Recommendation Implementation Committee and other
Management Staff, such changes should be communicated accordingly.
2. The internal auditor should prepare the audit agenda and determine the audit programs
needed to gather sufficient, competent, relevant, and useful evidence to accomplish the
established objective(s).
8.4.3 Standard Procedures for Preliminary Review
The following are standard procedures for the preliminary review.
a) Review of the client entity: the internal auditor should obtain and review organizational
charts, and information on interfacing functions of the client entity. Also, policy
statements, directives, statements of function, responsibilities, and delegation of duties
should provide the internal auditor with an overview of the client entity’s operations.
The internal auditors should determine whether all of the documents reviewed are
appropriate and responsive to the client current state of affairs. If there are no
documents, this would be considered an audit finding.
b) The internal auditor should review applicable rules, laws and regulations relative to the
client entity operations.
c) Financial Profile: the internal auditor should know the magnitude of funds involved in
the client entity’s operations and the client entity’s exposure to risk. A review of the
budget and general ledger would be useful in this pursuit.
d) Internal Control Review. The internal auditor should review the operations of the client
entity’s divisions/departments/ branches/units and the internal control structures. The
review of internal controls helps the internal auditor to determine the areas of highest
risk, which will then enable the internal auditor to design relevant tests to perform
during the audit fieldwork.
e) Interviews and Operating Instructions: employee interviews and important written
instructions and procedures, along with transactions walk-through will form the basis
for the preliminary review narratives/flow charts and evaluation of internal controls. In
addition to obtaining a good understanding of the client entity’s operations, the internal
auditor must document the process to provide evidence that the internal auditor has
suitable understanding of the operations. Note: A walk-through involves picking a single
transaction and passing/following it through the various stages of processing to
34 | P a g e
corroborate the narration obtained from the interview and review of procedures that is
undertaken to understand the client entity’s system.
8.4.4 Documentation of the Preliminary Review
The preliminary review should be documented through narratives, flowcharts, internal control
evaluations, and questionnaires. Copies of the client entity’s documentation and other key
information can also serve as documentation of the preliminary review. Flowcharts, if used,
should be at a fairly detailed level, showing the specific processing flows and controls.
See Operational Procedure OP08-1: Thrust/Priority Auditable Area Procedures, OP09:
Preliminary Audit Activities (Preliminary Survey) Procedure, and Annex 12: Thrust Area
Working Paper Template.
8.4.5 Audit Program Guide
Development of the Audit Program Guide concludes the preliminary review phase. The internal
auditor should develop audit programs, which should be approved, and if required,
supplemented by the Director/Head of the Internal Audit department.
The Audit Agenda outlines the fieldwork necessary to achieve the audit objectives. The
purpose of an audit program guide is to show the procedures the internal auditor should follow
during the audit, so that the audit objectives can be achieved. The audit program guide is also a
record of the audit supervisor’s approval of the activity to be performed, and is used to manage
and control the audit. By following the approved and detailed audit agenda, deviation from the
original audit program and focusing on non-important issues may be prevented.
An Audit Agenda is to be prepared using the standard Audit Agenda form (Annex 14). It
includes information under the following headings:
Basis
At the beginning of the audit, a study of the auditees’ operations should be carried out:
location, authority, personnel, and main duties and responsibilities.
Planning
The audit planning must be documented.
Audit scope
The audit scope must state the period/area/operation to be covered by the audit.
35 | P a g e
Audit objectives
The audit objectives must match the general audit scope. Each audit procedure must answer
one of the objectives and each objective must be addressed by a procedure. All of the
established objectives must be supported by audit tests. Regarding the audit programs
developed by the auditors, the internal auditors must use their intelligence, ingenuity and
imagination to create audit procedures to test whether or not the objectives were indeed
achieved.
Administration and Completion: Administration and completion include all the procedures that
are not related to planning and testing, such as: filling in forms, writing reports, and other
administrative function. It also includes identifying resource requirements.
See Operational Procedure OP10: Audit Agenda Development, and Annex 14: Audit Agenda
Development Template.
8.4.6 Risk Management (Assessment of Internal Controls)
8.4.6.1 Definition
Risk is a possible threat, that an event or combination of events, activity or combination of activities, or inactivity, may cause loss of assets or reputation and threaten successful fulfillment of tasks of an organization. Risk assessment is a general process of identifying, preventing and controlling risks and the planning of alternative action if there is a risk. Risk management is the sum of all proactive management-directed activities within a client entity that are intended to acceptably accommodate the possibility of failures in components of the client entity. "Acceptably" from an organization's perspective of a failure is anything accomplished in less than a professional manner and/or with a less-than adequate result.
8.4.6.2 Objective
The objective of risk management is to bring the risks of an organization to an acceptable level by the management of the organization carrying out activities that would mitigate the likelihood of risk occurrence, impact of risk realization, or both at the same time. In order to do this, it must first be acknowledged that risks are a natural part of everyday activities and cannot be avoided, but can be managed. The task of management is to manage risks in a way that ensures the achievement of the organization’s objectives. As the resources of an organization are limited, it is not practical to have total risk mitigation or risk prevention as total risk mitigation would demand excessive resources, but only to mitigate risk to the
36 | P a g e
acceptable level by the management. Risk assessment has to be carried out in order to know which risks are at the highest and which risks need to be mitigated.
8.4.6.3 Risk Management Cycle
Risk Management is a cyclical, ongoing process which includes the following steps:
identifying,
assessing,
prioritizing risks,
planning,
implementing, and
reviewing mitigating or corrective actions.
8.4.6.4 Risk Assessment
The rationale for conducting a risk assessment is that the internal auditor can limit testing, avoiding 100% testing of the client entity’s operations. Risk assessment is divided into four important components:
• Identifying existing risks; • Identifying the magnitude of risk and its possibility of occurrence - score and risk level (low, medium or high); • Planning activities to mitigate risks to an acceptable level; • Identifying acceptable risk level by the management and identifying risks that exceed this level, from risks that have been assessed.
The Purpose of Risk Assessment includes:
• Identifying the threats facing the client entity, •Identifying the controls or procedures the client entity has in place to prevent, eliminate or minimize the threats, • Assessing the internal control structure/process of the client entity, •Developing audit programs to find out if the controls or procedures the client entity has in place to prevent, eliminate, or minimize identified threats are working.
The internal auditor should obtain and analyze the following information prior to assessing risk. This list is not all-inclusive:
• Period since last audit, • Results of last audit, • Client entity’s Budget, • Changes to the working environment, • Changes to IT systems utilized, • Level / changes of national and other regulations, • Management concerns and needs, and • Management team: changes in management, competence and integrity.
The internal auditors should develop a Risk Matrix, using the Risk Assessment Form, Annex 13 in the Operational Procedures Manual.
37 | P a g e
8.4.6.4.1 Risk Identification
Risks can be identified by several complementary approaches:
Through screening of client entity, processes, or control and decision-making points;
Consideration of previous fact-finding and audit missions, detection of irregularities, malfunctioning processes, and weaknesses warnings;
Brainstorming/paper-storming performed with different levels of staff and management;
Audits such as systematic, exhaustive and comprehensive risk assessment performed by internal auditors.
Risks are to be identified on two levels:
on the level of the institution (based on the organizational structure), and
on the level of activity (based on functions). In risk identification, the internal auditor should consider:
internal factors (the quality and motivation of the staff, etc.), and
external factors (amendment of legislation, technological developments, etc.). Risk identification should be based on intimate knowledge of:
the processes and activities of client entity, and
the environment in which it operates. The risk management process should begin with a detailed inventory of the client entity’s processes, phases and activities, broken down to a task level. The inventory should also include the transactions with, and dependences on, other client entities. Staff at all levels in the client entity, both managerial and operational staff, should take cognizance of potential threats pertaining to the systems they operate, and should notify the heads of units/departments by submitting Risk Alert Forms (Annex 13).
8.4.6.4.2 Risk Category Determination
The identified risks can be grouped into 3 main risk categories in order to have an overview of the processes which have the most critical risks:
Strategic risk – risk that could result in a failure to achieve the strategic objectives of the client entity;
Operational risk – risk that comes from insufficient or missing processes or activities within the client entity:
38 | P a g e
Human resources – risks involved with employees, for example, recruitment, rewarding, quality of management;
• Information technological (IT) risks; • Third party – risks that are caused by external factors; • Legal/regulatory – risks proceeding from legal framework;
Physical security – risk of the preservation of assets, i.e. loss or destruction;
Documentation/records – risks that relate to the movement and retention of documentation and procedures of client entity’s operations and activities;
Communication – risks involved with the internal and external communication of the client entity, and which could negatively impact the reputation of the client entity;
Health and safety – risks involved with work environment regarding health and safety.
Financial risk – risk that could result in a failure to maintain effective financial management and accountability measures in all the client entity’s activities.
8.4.6.4.3 Risk Impact Assessment
In order to assess the impact of risks identified and the losses that could result, the following chart may be used.
SCORE ASSESSMENT AGREED MEANING
1 No significant impact In case the risk appears, works in process and planned activities are not disturbed.
2 Minor impact In case the risk appears, the activities are disturbed, but this does not result in the need for additional resources to achieve objectives
3 Significant but containable
In case the risk appears, the activities are significantly disturbed, but this does not disturb achieving objectives
4 High impact In case the risk appears, the activities are significantly disturbed and considerable additional resources are needed for achieving objectives.
5 Extremely Detrimental
In case the risk appears, it is not possible to achieve objectives.
8.4.6.4.3.1 Risk Likelihood Assessment
The likelihood of risk occurrence is a frequency of how often a certain risk may appear.
For assessment of the likelihood of risk occurrence, the scale presented below may be used:
SCORE ASSESSMENT AGREED MEANING
1 Rarely happen The occurrence of risk is practically impossible.
2 Possible The occurrence of risk is theoretically possible, but there
39 | P a g e
exist few practical cases.
3 Likely The likelihood of risk occurrence is supported by little evidence.
4 Very likely The likelihood of risk occurrence is supported by clear evidence.
5 Unavoidable The risk has already appeared or the occurrence of risk is unavoidable in the future.
8.4.6.4.3.2 Assessment of Current Internal Control Effectiveness
Internal control is every action instigated from within the client entity which is designed to reduce risk impact and/or likelihood of risk occurrence. In order to be able to assess the efficiency of internal control measures put in place, the internal control measures that currently help to mitigate risks are singled out. Risk impact and risk likelihood are assessed without taking into account the existing mitigation measures. The existing measures are taken into account by adding the third factor – the efficiency of internal control measures.
Internal control measures are assessed according to the following criteria:
SCORE ASSESSMENT AGREED MEANING
3 Highly effective Addition to/improvement of internal control measures is not necessary at the moment.
2 Need to be improved Internal control measures exist at the moment, but they need to be overviewed and renewed.
1 Inadequate Internal control measures are missing or immediate improvement of existing internal control measures is necessary.
The risks that have been submitted in the risk alert forms are assessed as follows:
If relevant, the risk will be assessed; • If irrelevant, the warning is filed but disregarded and the originator is notified of the
decision; and
If more information is needed to decide as to the relevance of the risk alert, the client entity will investigate the issue.
Based on the three ratings (likelihood, impact and effectiveness of controls), a composite risk value (R) is calculated with the formula:
40 | P a g e
R = I x L / C Where: I = Impact L = Likelihood C = Effectiveness of Existing Controls R has no significance as an absolute value; it only serves as an indicator to compare/prioritize risks. 8.4.6.4.3.3 Determination of Risk Score and Risk Level
Using the overall score for each risk, it is possible to identify risk materiality or risk level. Risk level is identified according to the following table:
RISK LEVEL SCORE MATERIALITY
Low Risk 1-8 points Issues that need to be reviewed from time to time.
Medium Risk 9 – 16 points Issues that need constant monitoring.
High Risk 17 - 25 points Issues that need immediate attention.
It is easy to group certain risks to the list of risks by using risk levels. The management and the internal auditor have to pay attention foremost to risks that are ranked high (overall score at least 17 points) and the heads of structural units should focus on medium level risks.
8.4.6.4.3.4 Determination of Mitigation Activities, Deadlines and Responsible Officials
After risk assessment, the structural units add mitigation activities to the list of risks in the risk register and action plan (Annex 13), which the client entity believes is important to implement in order to mitigate the risks that were brought out. Also a deadline is set to mitigation activities, and a responsible person is selected, who is charged with the responsibility to fulfill certain mitigation activity. While identifying an acceptable risk level, the management decides:
which risks belong under acceptable level and additional mitigation activities are not necessary to be carried out, and
which risks need to be mitigated (additional mitigation activities need to be carried out). Management may decide that in some fields high risks are acceptable, but in others mitigation activities need to be carried out.
8.4.6.5 Risk Action Planning
During the risk action planning session, the participants identify and analyze the root causes of the risks examined. This forms the basis for formulating risk mitigating actions. Risk mitigating actions are activities or tasks that need to be completed in order to strengthen internal controls
41 | P a g e
and thus reduce the vulnerability of risk areas. Deadlines are established and responsibilities for risk actions are assigned and this information is duly recorded in the Risk Register and in the Risk Action Plan. See Operational Procedure OP 08 – 2: Assessment of Internal Control (Risk Assessment)
Procedure, and Annex 13: Risk Assessment Form.
8.4.7 Audit Programs
Audit programs are the detailed procedures used to test transactions and processes. Audit
Programs are based on the use of the following test techniques.
Verification: the confirmation of things such as: records, statements, documents, compliance
with laws and regulations, and the effectiveness of internal controls. The purpose of verification
is to establish the accuracy, reliability or validity of a thing.
Audit techniques used in the verification process are:
(a) Compare
The internal auditor should identify similar and/or different characteristics of information from
more than one source. Types of comparison include: comparison of current operations with:
past or similar operations, written policies and procedures, laws or regulations, or other
reasonable criteria. For example, to compare the documentation of a transaction with the
procedure for the transaction.
(b) Examine
Examine means to look something, such as a document, over very carefully in order to detect
errors or irregularities. Example: examine a document to verify that it has been executed by
authorized persons.
(c) Re-compute
The internal auditor should check mathematical computations performed by others.
(d) Confirm
The internal auditor should obtain information from an independent source, a bank statement
for example, for the purpose of verifying information.
(e) Reconcile
Reconciliation is the process of matching two independent sets of records in order to show
mathematically, with the use of supporting documentation, that the difference between the
42 | P a g e
two records is justified. For example, the reconciliation of a bank statement’s balance at the
end of the month with the book balance, or the reconciliation of the supplier’s statement with
the ledger balance.
(f) Vouch
Vouching is verifying recorded transactions or amounts by examining supporting documents. In
vouching, the direction of testing is from the recorded item to supporting documentation. The
purpose of vouching is to verify that recorded transactions are in face, actual transactions that
took place.
(g) Trace
Tracing procedures begin with the original documents and are followed through the processing
cycles into summary accounting records. In tracing, the direction of testing is from supporting
documentation to the recorded item. The purpose of tracing is to verify that all transactions
have been recorded.
(h) Observation
When verifying through observation, the internal auditor is giving consideration to a
document, with a purpose in mind, making mental notes and using judgment to measure what
s/he observes against certain standards.
(i) Inquiry
Internal Auditors perform interviews with the auditee and related parties throughout the audit
process. Good oral communication and listening skills on the part of the internal auditor, assist
in getting accurate and meaningful information from the interviewee. Internal Auditors should
ask open-ended questions as necessary. Depending on the type of information an internal
auditor receives from an interview, written confirmation may be required.
(j) Analysis
Analysis is the “taking apart” of an entity for the purpose of studying the individual parts. The
components of the client entity can be isolated, identified, quantified, and measured. The
quantification may require the internal auditor to perform detailed calculations and
computations. Furthermore, the internal auditor can document ratios and trends, make
comparisons, and isolate unusual transactions or conditions.
43 | P a g e
See Operational Procedure OP11: Audit Program Development, and Annex 15 – Audit
Program Development Form.
8.5 Fieldwork
8.5.1 Definition
Fieldwork is the process of gathering evidence for measurement and evaluation. Audit evidence
is obtained by observing conditions, interviewing people and examining records. Audit evidence
must provide the basis for audit opinions, conclusions and recommendations. The fieldwork
stage concludes with a list of significant findings from which the internal auditor will prepare a
draft audit report.
Fieldwork should begin with an entry conference. During the entry conference, substantive
issues which are directly related to the audit scope, audit objectives and audit timing are
discussed.
After the entry conference, a memorandum confirming the audit scope and audit objectives
(Annex 10), and confirming the mutual understanding of the audit scope and objectives should
be sent by the Internal Audit Department to the auditee of the client entity.
The Fieldwork stage includes:
- Gaining an understanding of the activity, system or process under review and the
prescribed policies and procedures.
- Observing conditions or operations.
- Interviewing people.
- Examining accounting, business and other operational records.
- Analyzing data and information.
- Reviewing systems of internal control and identifying internal control points.
- Evaluating and concluding on the adequacy (effectiveness and efficiency) of internal
controls.
- Conducting compliance testing.
- Conducting substantive testing.
44 | P a g e
- Determining if observations and recommendations reported in prior audits have been
corrected and/or implemented.
- Documenting audit findings.
8.5.2 Objectives of the Fieldwork
The purpose of fieldwork is to perform and complete the audit procedures identified in the
audit agenda in response to the audit objectives, and to support the audit conclusions. These
procedures usually test the major internal controls and the accuracy and propriety of
transactions. Throughout fieldwork, the internal auditor should use professional judgment to:
- determine whether the evidence gathered is sufficient, relevant, competent, and useful
to conclude on the established objectives, and
- based on the information available, re-assess the audit objectives, scope, and
procedures to ensure efficient use of audit resources: should the remaining audit
procedures be eliminated; should the objective or scope be modified; have more
efficient procedures been identified; or, should additional hours be allocated to achieve
an expanded audit objective.
As the fieldwork progresses, the internal auditor should discuss any significant findings with the
client entity, anticipating that the client entity could offer insights and work with the internal
auditor to determine the best method to resolve the findings. Usually, these communications
are oral. However, in more complex situations, memos and/or e-mails are written in order to
ensure full understanding of the issues by the client entity’s auditee and the internal auditor.
8.5.3 Documenting the Fieldwork
All internal audit work should be supported by documented evidence of the work performed.
Each audit program should be supported by, and be cross-referenced to, working papers on
which testing was performed and results documented. Such working papers include schedules,
memos, spreadsheets, etc.
See Operational Procedure OP12: Evidence Gathering procedure, and Annex 16: Summary of
Interview Form.
See Operational Procedure OP13: Test Working Paper procedure, and Annex 17: Test Working
Paper Form.
45 | P a g e
8.5.4 Audit Findings Form
The purpose of the Audit Findings Form is to gather, in one location, the internal auditor’s
opinions regarding all of the findings made during the audit. A working paper should be
created whenever an internal auditor identifies:
opportunity for operational improvement,
discrepancy,
error,
irregularity,
weakness, or
deviation from internal control standards, regulations or policies.
Audit findings are developed on an Audit Finding Form. The Audit Findings Form documents
the results of the analysis of the problem, and the resolution process. The form is not a step-by-
step recipe for doing the audit work itself, because problem analysis and/or resolution is not a
linear process. Simply completing the form is not a substitute for critical analysis of the
situation. The internal auditor should be answering such questions as:
1. Do we understand the situation?
2. Does the auditee at the client entity agree that a problem exists?
3. Does the client entity and internal auditor understand the extent of the problem?
4. Is there a practical solution to the problem?
5. Have others, especially those responsible for executing the solution, been brought into
the internal auditor’s recommendations?
See Operational Procedure OP14: Audit Findings procedure, and Annex 18: Audit Findings
Form.
See Operational Procedure OP14: Audit Findings procedure, and Annex 18: Summary of Audit
Findings Form.
46 | P a g e
Since the working papers with the findings contain the internal auditor’s professional analysis
of "problem" situations, they are among the most important working papers created. The
internal auditor should review prior audit reports and corresponding audit finding forms as
necessary, to avoid re-creating a finding already previously developed. The Audit Finding Form
should be independent of the audit working papers and should document the internal auditor's
analysis (criteria, condition, cause, consequence, and corrective action) related to the audit
finding. Documenting the analysis assists the internal auditor in preparing to discuss the
finding(s) with the auditee of the client entity.
Audit findings information should not be a part of the working papers. The working papers, as
well as references supporting the work performed, should be cross-referenced to the Audit
Findings Form.
8.5.5 Finding of Illegal Acts
An illegal act is a violation of a law and/or a regulation. When the internal auditor concludes,
based on evidence obtained, that an illegal act has occurred or is likely to occur, s/he should
promptly report pertinent information to the IAS and the relevant senior management staff of
the client entity.
See Operational Procedure OP15: Findings of Illegal Acts procedure and Annex 18: Audit
Findings Form.
See Operational Procedure OP15: Findings of Illegal Acts procedure, and Annex 19: Suspected
Activities Reporting Form.
8.6 Audit Report
The purpose of the internal audit report is to communicate all of the internal auditor's work to
the client entity. Each finding in the report must be supported by sufficient evidence and be
within the audit's scope and objectives. Each recommendation must fit the facts of the
finding(s) and materially reduce the potential risk, as indicated by the facts of the finding. Each
finding must be provable. It is not important what an internal auditor believes, the important
thing is that the internal auditor can justify the finding(s). Internal Auditors beliefs, without
proper documentation, should not be included in the internal audit report.
8.6.1 Reporting Responsibilities
47 | P a g e
The internal audit staff is responsible for writing the audit report because of their involvement
in the planning, supervision, fieldwork, and review processes. The Director or Head of the
Internal Audit is responsible for reviewing and approving the draft and final audit reports, as
well as any other draft reports, prior to issuance.
See Operational Procedure OP21: Draft Audit Report Review procedure and Annex 23:
Auditors Report Review Sheet.
8.6.2 Working Papers Review
Before issuing a draft report, the internal auditor must ensure that working papers are properly
prepared, and that they provide adequate support of the work performed and the audit
evidence gathered during the audit. The Director/Head of the Internal Audit Department shall
review the working papers, and shall also discuss with the auditee at the client entity the initial
findings of the engagement. This shall constitute the first opportunity to clarify the findings
before drafting the formal report.
The Director/Head of the Internal Audit Department must place importance on the
control of internal auditor’s working papers. Working papers are confidential and are the
property of the Internal Audit Department, and should be kept under its control. Internal
auditors should know exactly where the working papers and the audit files are at all times
during the audit.
Audit files should not be made available to persons who have no authority to have access to
them. However, this does not mean that internal auditors may not show their work to the
client entity under certain circumstances. Also, access to working papers and reports
may be allowed to external auditors and to others within the client entity, except the
specific unit/department being audited. This must however, be with the
permission/approval of the Director or Head of the Internal Audit Department. Where
persons outside the client entity seek access to the working papers, the Director/ Head of
the Internal Audit Department must obtain approval from the Executive Director of the
Secretariat.
See Operational Procedure OP16: Working Paper Review procedure, and Annex 20: Working
Paper Review Sheet.
48 | P a g e
8.6.3 Draft Audit Report
When the working paper review leads to a satisfactory conclusion, the internal auditor should
prepare the draft audit report based on the approved working papers. A general format should
be followed to ensure that all major items are covered.
See Operational Procedure OP18: Draft Audit Report procedure, OP21: Draft Audit Report
Review procedure, and Annex 22: Internal Audit Report Format.
The section below includes some of the basic information that the internal auditor should
consider when preparing the audit report. The following information should be included in the
audit report:
What is the topic or subject of the audit?
What is the main idea (message, conclusion, theme or point of view)?
What are the supporting points?
What are the audit scope objectives?
What corrective action does the internal auditor want the reader to take as a result of
the report?
What impression does the internal auditor want to make on the reader, or what tone
does s/he want to convey?
8.6.4 Transmission of the Draft Audit Report
The auditee of the client entity must be given the opportunity to review the draft audit report
and to prepare a response to the audit finding(s) and recommendations.
See Operating Procedure OP 19: Draft Report Transmitted to the Client Entity’s Auditee.
49 | P a g e
8.6.5 Exit Conference (Closing Meeting)
The internal auditor should meet with the auditee to discuss the findings, recommendations,
and contents of the draft audit report. At this meeting, the management shall comment on the
draft audit report, and the internal auditors and management shall work together to reach an
understanding and agreement on the audit findings. In the event there are unresolved issues,
the internal auditor should document the nature and reasons for the disagreements, including
management’s concerns. An Exit Conference Memo will document the exit conference
session.
See Operational Procedure OP17: Audit Exit Conference procedure, and Annex 21: Audit Exit
Conference Form.
8.7 Final Audit Report
The internal auditor shall prepare a final written report at the conclusion or each internal audit
assignment. After the procedures for the draft report have been adhered to, the internal
auditor shall then prepare a final audit report, taking into account any revisions resulting from
the exit conference meeting. When changes resulting from the review of the draft report have
been made and the updated report has been reviewed by the Director/Head of the Internal
Audit Department and the auditee, the final report shall be issued. The final report shall be
approved by the Director/Head of the Internal Audit Department. The final report shall be
written utilizing the audit report format in Annex 22.
Audit Reports are to be clear, concise, objective, constructive, balanced and timely. They are to
include:
Executive Summary
Background and introduction
audit objectives,
scope of the audit,
description of the audit methods employed,
conclusions on all key issues identified and/or evaluation of the internal control system
operation, deficiencies and limitations,
action agreed upon,
50 | P a g e
audit findings and recommendations,
management’s responses to the audit recommendations, and
limitation on the distribution and use of audit reports.
See Operational Procedure OP20: Final Report procedure, and Annex 22: Audit Report
Format.
8.7.1 Audit Opinion
This section of the audit report should be normally expressed in terms of negative assurance, in
case the work performed or any other information gathered did not disclose any significant
weaknesses in the control process that have a pervasive effect. If the control weaknesses are
significant and pervasive, this section may express a qualified or an adverse opinion, depending
on the projected increase in the level of residual risk and its impact on the client entity’s
objectives.
8.7.2 Distribution of the Final Report
The approval of the Executive Director of the Secretariat is required for release of the final
audit report. Internal Audit Departments should print and issue final audit reports to the
relevant and respective parties whose actions on the final audit report are required. Copies of
the final report should also be given to the Audit Recommendation Implementation Committee
and the Secretariat. If an error is found in the final audit report after it has been issued, the
Internal Auditor will issue a Note correcting the final audit report, which Note will be approved
by the Executive Director of the Secretariat. After approval by the Executive Director of the
Secretariat, this Note is to be distributed to all the recipients of the final internal audit report. =
8.7.3 Auditee’s Response to Audit Findings
The auditee of the client entity shall be given the opportunity to respond to the audit findings
prior to issuance of the final report. The Auditee’s responses can be included in, or attached to,
the final audit report. However, if the Auditee decides to respond after the final audit report is
issued, the first page of the final audit report should be a letter requesting the auditee's written
response to the recommendations in the final audit report. In the response, the auditee should
explain how the findings in the final audit report will be resolved and include an
implementation timetable. In some cases, the Auditee may choose to respond with a decision
51 | P a g e
not to implement an audit recommendation and to accept the risks associated with an audit
finding.
The auditee should send copies of its response to all recipients of the final audit report if the
decision is not to have its response to the recommendations included in the final audit report.
The Auditee’s decision not to implement an audit recommendation should be documented in
the audit file.
See Operational Procedure OP23: Management Response Letter, and Annex 25: Management
Response Letter Format.
8.7.4 Auditee’s Comments on the Performance of the Internal Auditor
As part of the Internal Auditor’s Department’s self-evaluation program, an audit performance
evaluation form is sent by the Secretariat to the client entity’s management. This gives
management an opportunity to comment on internal auditors’ performance, which the internal
auditors should use to improve their audit performance.
8.8 Monitoring the Implementation of Recommendations
The IAD should have a process to monitor the implementation of audit recommendations.
8.8.1 Follow-up Process
The objective of the follow-up process is to determine whether the audit recommendations
made by the internal auditors have been sufficiently addressed by management of the client
entity. Follow-up by internal auditors is defined as a process by which they determine the
adequacy, effectiveness, and timeliness of actions taken by management on reported audit
findings. Internal auditors should ascertain that actions taken on internal audit findings resolve
the underlying conditions. On a monthly basis, the Internal Audit Department will perform a
follow-up review to verify whether the findings in the final audit report have been resolved. The
same standards for audit evidence used for documenting the internal auditor’s original work
are to be applied to follow-up work. When follow-up work is performed, the internal auditor
will find one of the following situations:
the concern has been adequately addressed by implementing the original corrective
action recommended in the final audit report,
the concern has been adequately addressed by implementing an alternate corrective
action,
52 | P a g e
the concern no longer exists because of changes in the processes,
the corrective action has been initiated but is not complete, or
the concern has not been addressed.
The internal auditor should determine which of the above listed conditions apply.
8.8.2 Follow-up Report: Audit Recommendation Status Report
The follow up review will conclude with a report which lists the actions taken by the auditee to
resolve the original report findings. The internal auditor’s recommendation regarding the status
(i.e., Implemented, Partly Implemented, Implementation no Longer Required, Not
Implemented) should be documented in the Audit Recommendation Follow-up Report.
See Operational Procedure OP26: Audit Recommendations Follow Up procedure, and Annex
29: Audit Recommendation Follow-up Process Report.
The internal auditor should communicate the results of follow-up work to the auditee. If the
audit findings have not been adequately addressed, a meeting may be held to discuss why the
findings have not been adequately addressed. The internal auditors shall continue to have
follow up reviews and discussions with the auditee until the audit findings are resolved. If at
any time during the follow up process the internal auditor concludes that the audit findings will
not be addressed, s/he should document his/her opinion in the working papers file and discuss
the matter with the Secretariat and the Audit Recommendation Implementation Committee,
rather than simply noting the audit finding(s) resolution as “in progress”.
8.9 Pre-Audit of Client Entity’s Transactions
Pre-audit of transactions are the verification of transactions before payment is made (see
section 8.9.2 below). Pre-audits of transactions should be classified as a priority (thrust) area,
when preparing strategic and annual audit plans. Internal auditors should therefore be assigned
to pre-audit transactions as part of their regular schedule of activities.
8.9.1 Establishment of a Voucher Register
The internal Audit Department of the client entity shall maintain a voucher register to record, monitor
and track vouchers that it has received, examined and passed for payment during the pre-audit process.
The register is a complementary control over expenditures and it also enables the Internal Auditor to
determine which vouchers they have actually worked on.
53 | P a g e
See Annex 33: Pre-Audit Register Form.
8.9.2 Verification of Transactions
The internal Audit Department in every client entity is required to verify that all transactions are
appropriate in all respects, including compliance with the Public Procurement and Concessions Act
(PPCA), Public Financial Management Act and Regulations, contract payment terms, signature authority,
arithmetical accuracy, correct accounts coding, budget authority and physical verification of items.
8.9.3 Reports of Pre-Audit of Transactions
The pre-audit of transactions that is conducted by the Internal Audit Department is considered
a “thrust or priority auditable area”. Any findings that are identified in the review of these
transactions should be compiled in the summary of audit findings form, developed in detailed
in the Audit Finding Form and included in the quarterly reports (see 8.10 below).
See Annex 18: Summary of Audit Finding(s) Form.
See Annex 18-1: Audit Finding(s) Form.
8.10 Monthly, Quarterly and Annual Reports
The Director or Head of the Internal Audit Department shall at intervals of one month and three
months and annually, prepare a report on the internal audit work carried out by the IAD during
the period of the one month and three months immediately preceding the preparation of the
report. The Director/Head of the Internal Audit Department shall also prepare an annual report
for the year ended. The Director/Head of the IAD shall submit the reports to the Secretariat.
The Director/Head of the Internal Audit Department shall include in each report such
observations as appear to him/her necessary concerning the operational and financial affairs of
the client entity during the period to which the report relates. The Director/ Head of the
Internal Audit Department shall send a copy of each report prepared by him/her to the
Secretariat no later than seven working days after the end of the reporting period for the
monthly and quarterly reports, and no later than 15 working days after the end of the year for
the annual report.
See Annex 30: Quarterly Internal Audit Report and Annex 31: Annual Report
54 | P a g e
9.0 VALUE-FOR MONEY AUDITING
9.1 BACKGROUND
Value-for–money (VFM) auditing is a concept that was initiated by the Swedish National Audit Office and the Office of the Auditor General of Canada in the late 70’s and early 80’s. Value- for-money auditing adds an operational dimension to the traditional compliance and financial attest audits that had been known as regulatory auditing in the public sector. While value-for-money auditing started in the Supreme Audit Institutions, it has spread throughout the internal audit community, strengthening the traditional operational audit practices of internal auditors.
9.2 Due Regard for Economy, Efficiency and Effectiveness
Value-for-money auditing is concerned with assessing whether government entities are managed with due regard to economy, efficiency and effectiveness. These are known as the three E’s in VFM auditing. “Due regard” means considering the factors of economy and efficiency in a reasonable and appropriate manner, given the circumstances.
Economy refers to the terms and condition under which an organization acquires financial, human, physical and information resources. This means striving to get the right level of quality and the right resources, at the right time and at the best price.
o Some Indicators of potential economy issues :
o Financial resources such as overspent budgets, year- end spending sprees,
unspent funds, and duplicate payments or over payments;
o High staff turnover, large number of complaints, lack of job descriptions, duplication of duties, high absenteeism, or excessive use of consultants;
o physical resource issues such as underused or unused equipment, high
maintenance costs, undocumented documented procedures, and lack of adequate procurement processes;
o Technology issues such as a lack of IT strategy, incompatible IT systems, high
systems down time and maintenance costs; and unsuitable reports and poor IT security.
Efficiency refers to the relationship between the quality and quantity of the goods or services produced and the resources used to produce them. When the client entity operates efficiently,
55 | P a g e
it produces the maximum quantity and quality of outputs, or it uses minimum inputs for a given quantity and quality of output. Efficiency is achieving the best possible productive use of goods, people and money.
Some indicators of potential efficiency issues:
backlog,
idle capacity,
complaints about service,
lack of performance measures and measurement procedures, and
inadequate use of performance information to improve efficiency.
Effectiveness has to do with assessing the extent to which the client entity’s program objectives or intended consequences are achieved. To measure effectiveness, the internal auditor must assess the client entity’s procedures for measuring its effectiveness, and determine whether the client entity’s procedures are sufficient, reliable and that information is correctly reported. VFM auditing is aimed at examining:
financial management and accounting for public money;
safeguarding and control over public property;
assessment, collection and allocation of revenues;
compliance with authority;
waste and extravagance
due regard to economy;
due regard to efficiency; and
whether or not there are appropriate procedures in place for measuring and reporting client entity’s program effectiveness.
9.3 Methods of VFM Auditing
In order for VFM audit to be successful, the internal auditor should clearly define the objectives, scope, methods of evaluation and a participatory approach to the audit. The focus of a VFM audit will depend on the objectives of the particular audit. An internal audit could be focused on any one of the matters listed above, or on a combination of them. The internal audit will use considerable judgment to target the best issues to focus the audit on, which depends a lot on the objectives set for the internal audit. Basically there are two ways to focus an audit:
A Procedures or Process-Oriented Approach, or
A Results-Oriented Approach. 9.3.1 Procedures or Process-Oriented Approach
56 | P a g e
The Procedures or Process-Oriented approach involves examining the pertinent activities of the client entity’s program or function, and the related management practices to identify possible strengths and weaknesses, especially those that have an impact on VFM issues. Criteria are developed and used to assess the client entities activities or procedures. These criteria are derived from the client entities policies, procedures, manuals etc., or accepted client entity management practices in other similar situations. The internal audit objective is to assess the extent to which the client entity’s activities, systems and procedures that should be implemented are in fact, in place, and are well designed and functioning properly. Where the internal auditor identifies significant deficiencies, s/he must examine the outputs or results of weaknesses, in order to find out its causes and effects. 9.3.2 Results-Oriented Approach
The Results-oriented approach goes in the opposite direction from the Process-Oriented approach. The internal auditor starts with examining program outputs or program delivery, in order to identify problems in the outputs or program delivery and the underlying reasons for the problem. When the internal auditor observes negatives, s/he must look for root causes. The internal auditor may have to go back to examining the client entity’s systems and procedures to determine why weaknesses persist. Once the weakness is identified, the internal auditor can report his/her finding(s) and recommend corrective action to be taken.
9.4 The Audit Process
The procedures/process approach and the results-oriented approach are complementary. Usually, the internal auditor will use a combination of the two. Both approaches use similar phases, which are:
the planning phase;
the examining and evaluating information phase;
the reporting phase; and
the follow-up phase
See Annex 34 for Generic Questions for VFM Auditing.
57 | P a g e
10.0 INFORMATION TECHNOLOGY AUDIT
10.1 Background
The PFM Act 2009 and its regulations have designated the management of all ministries and departments as stewards of the government’s assets and resources. As such, there is an implicit requirement for them to ensure that a proper system of internal controls is in place. A key element in determining whether management is fulfilling that mandate is to get the information necessary to assess performance. In order to achieve this, information technology is being employed in the various government ministries and departments (client entities). Heads of client entities are therefore required to provide assurance that the type of information that is processed is accurate, timely, useful and relevant. There is an increasing dependence on information systems to carry out the client entity’s operations and to process, maintain and report essential information. The Internal Audit Department is required to regularly monitor and review key controls and procedures of the client entity. Because of the reliance that may be placed on information technology, the internal auditor is required to audit this area. Information Technology (IT) Audit is the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and uses resources efficiently. In order to lessen the risk of loss due to errors, fraud, other illegal acts or incidents, the internal auditor will evaluate the reliability of computer-generated data supporting the financial system or evaluate the adequacy of controls in an information system in the client entity. The purpose of IT audit is to review and provide feedback, assurances and recommendations to management of the client entity about the effectiveness, efficiency, availability, confidentiality and integrity of the system. The major elements of the IT Audit are:
Physical and environmental review – This includes physical security, power supply, air conditioning, humidity and other environmental factors.
System administration review – This includes security review of the operating systems, database management systems, and all administration procedures and compliance.
Application software review – This could be payroll, financial management (e.g. IFMIS), among others. Review of these would include: control over access and authorizations, validations, how errors and exceptions are handled, and process flows within the software, as well as control over software manual and procedures. Also, the internal auditor should also conduct a review of the system development life cycle for information systems being developed and implemented.
58 | P a g e
Network security review – This includes review of internal and external connections to the system such as firewall review, and router access control, among others.
Business continuity review – This includes the existence and maintenance of fault tolerant, redundant hardware, backup procedures and storage, and documented and tested disaster recovery/business continuity plan.
Data integrity review – The purpose of the data integrity review of live data to verify adequacy of controls and impact of weaknesses, as noticed from any of the above reviews. Such substantive testing can be done using generalized audit software (e.g. computer assisted audit techniques- CAATs).
This Manual discusses only the use of computer assisted audit techniques (CAATs) for performing audits of financial data, and not the other areas mentioned above.
10.2 Computer-Assisted Audit Techniques (CAATS)
10.2.1 Concept of CAATs
Computer Assisted Audit Techniques are powerful and important tools for the internal auditor in performing audits. Using of CAATs, the internal auditor can inspect records and perform tests on the records almost instantaneously, which would consume extensive audit effort and time if these tests were performed manually. They include many types of tools and techniques such as generalized audit software, utility software, test data, application software, tracing and mapping and audit expert systems. CAATs may be used in performing various audit procedures including:
Test of detail transactions and balances;
Analytical review procedures;
Compliance test of general and application controls;
Penetration testing. 10. 2.2 Use of CAATs by the Internal Audit Department
When planning a CAAT audit, the Director/Head of the IAD should consider an appropriate combination of manual techniques and CAATs. In determining whether to use CAATs, the Director/Head of the IAD should consider the following:
Computer knowledge, expertise, and experience of the internal auditor;
59 | P a g e
Availability of suitable CAATs and Information Systems (IS) facilities;
Efficiency and effectiveness of using CAATs over manual techniques.
Time constraints;
Integrity of the information systems and IT environment;
Level of audit risk.
See Annex 35: Generic Computer Assisted Audit Techniques
11.0. ESSENTIAL PRINCIPLES AND GUIDELINES FOR AUDITING
The following are guidelines and suggestions the internal auditor shall consider when
performing internal audits.
11.1 Human Relations Principles in Auditing
A basic concept of human behavior is that "every individual is different", with different values,
goals, ambitions and standards. The internal auditor can develop sound relationships and
perform his/her internal audit assignments well if this concept is put to work. The following
suggestions will help.
a) The internal auditor should approach each person contacted during the internal audit
with genuine acceptance of the person as an individual. The internal auditor should
adjust his/her approach to each individual's operating environment and background:
Has he person been audited before; is the person familiar with the IAD’s program and
objective; does the person have special problems that the internal auditor should be
aware of?
b) The internal auditor should maintain contact with management of the client entity and
keep them informed of developments during the internal audit.
c) The internal auditor should consider carefully those items that are worthy of being
brought to management's attention, and relegate items of small consequence to their
proper place.
60 | P a g e
d) The internal auditor should return files and records promptly and in good condition to
client entity’s staff. S/he should set a good example in housekeeping.
e) The internal auditor should communicate clearly with the staff of the client entity. S/he
should use feedback in interviews/discussions with the client entity’s staff. The internal
auditor should restate to the staff what s/he thinks the staff said, and should ensure
that the staff confirms it or further clarifies the matter.
11.2 Other Principles
11.2.1 General
The internal auditor should keep the overall audit objectives in mind during the audit. S/he
should use good judgment in determining priorities and in scheduling the time required to
perform the internal audit.
11.2.2 Time Management
The Internal auditor should use good judgment in determining priorities and the amount of
time to be given to various phases of the internal audit. S/he should ensure that the time
scheduled for the internal audit is realistic so that the audit can be performed according to the
schedule.
11.2.3 Obtaining Information
The following methods the internal auditor should use to obtain information about the client
entity’s activity, system of control or process under review include:
Interviewing appropriate personnel of the client entity.
Reviewing policy and procedure manuals, if available.
Reviewing job descriptions, if available.
Reviewing or preparing flowcharts.
Tracing one or more transactions through other related documents, also known as
transaction walkthroughs.
Completing internal control questionnaires.
61 | P a g e
Observing operations of the client entity.
11.2.4 Documenting Information
The internal auditor’s analysis of the internal control system should be documented.
1) Auditing Procedures – the internal auditor should identify the activities for testing
effectiveness of internal controls identified in the internal auditor’s analysis of the
control system. Each procedure should tie directly to an audit objective, and supporting
working papers should document the testing as well as the results.
2) Supporting Working papers – the internal auditor should use schedules and memos to
document the internal auditor’s tests of the system of internal control, as well as other
audit procedures. Supporting working papers should be directly linked to a specific
audit procedure.
3) Conclusion - the internal auditor should give an overall conclusion for each of the Audit
Procedures completed. The control strengths and weaknesses should be identified in
the supporting working papers.
11.2.5 Nature of Compliance Tests and Substantive Tests
The confidence that the internal auditor has in the client entity’s system of internal control is
derived from compliance and substantive testing. If there is a comprehensive system of
internal control and monitoring, it may be possible to reduce compliance testing and
substantive testing. The internal auditor will review the risk assessment performed by
management and where the auditor is satisfied that areas of risk have been correctly identified,
the internal auditor will increase the sampling in these areas both compliance and substantive
testing.
Compliance testing is the testing of an operation or task against predetermined criteria to
measure its fulfillment of such criteria.
Compliance tests take into consideration the following:
Were the necessary procedures performed?
How were they performed?
Who performed them?
62 | P a g e
Were the procedures performed consistently?
Some aspects of internal control require procedures that are not necessary for the execution of
transactions. This class of procedures includes the approval or checking of documents
evidencing the transactions. Tests of such procedures require inspection of the related
documents to obtain evidence (in the form of signatures, initials, certification stamp, and such
similar evidence), to indicate whether the procedures were performed, who performed the
procedures, and to permit an evaluation of the propriety of their performance.
Other aspects of internal control require a segregation of duties so that certain procedures are
performed independently. The performance of these duties is largely self-evident from the
operation of the department or the existence of its essential records; consequently, tests of
compliance with such procedures are primarily to determine whether persons who have no
conflicting functions perform them.
Substantive testing is a procedure to gather evidence of the extent of misstatements in
account balances and in particular, how the value of misstatements detected compares to the
value of materiality derived at for the account balance during the planning stage. Substantive
testing consists of test of details of classes of transactions and account balances and analytical
procedures. In other words, internal auditors gather evidence of the extent to which each
material account balance is materially complete, valid and accurate. It is perhaps the most
critical evidence gathered during the audit.
The objective of substantive testing is to determine the conformity of individual transactions or
activities with the relevant rules or regulations. Because substantive tests are used to
investigate particular types of transaction, audit programs will need to be developed to meet
each eventuality using the criteria set out below. Analytical review is an important part of
substantive testing, and appropriate techniques should be used wherever relevant. Each audit
program for substantive test should be designed to check that the following criteria are met.
Each criterion is illustrated by a possible substantive test. The examples given are not intended
to be definitive or complete.
Substantive testing procedures include:
Test of Details:
physical examination
inspection
vouching
Observation
Reconciliation
63 | P a g e
recalculation
confirmation inquiry
review
regression analysis
ratio analysis
Analytical Procedures
reasonableness tests
scanning
review
regression analysis
ratio analysis
Below are examples of a substantive test:
a) Legality and regularity of the activity Check that the activity actually carried out conforms to the relevant legal base. For example, the tests could examine whether a particular activity undertaken conforms to the detailed requirements of a regulations relating to that particular activity. b) Completeness of financial and other records Check that financial and other information systems record all relevant details. For example, a substantive test could be used to check whether all staff letters of employment are held centrally by the Human Resource Officer and whether these records are complete and in conformity with the requirements of the Human Resource department. Analytical procedures may be used in connection with these tests – especially ratios and predictive tests. c) Reality of the operation Check that transactions recorded within financial and other systems actually took place. For example, a substantive test could check that payments of loans to clients recorded in financial systems actually took place through examining loan agreements signed by the clients and the vouchers on which clients signed for receipt of the payment. Analytical procedures may be used – especially ratios and trend analysis. d) Measurement of the activity Check that the amounts of transactions are calculated on the correct basis. For example, a substantive test may check that the correct exchange rate was used in converting a
64 | P a g e
particular transaction from foreign currency to the national currency. Relevant analytical procedures include predictive tests and trend analysis. e) Valuation Check that assets and other items are recorded at the correct value in financial records. For example, a substantive test would be to check that the purchase of an asset is recorded at the correct value in the accounting system by checking the original invoice or sale note. f) Existence Check that assets and other items actually exist. For example, a substantive test would be to check that an asset recorded in the financial records actually exists. These substantive tests involve the physical verification of existence - actually seeing the asset. g) Ownership This would be to check that assets recorded are actually owned or properly used by the client entity. For example, a substantive test may involve checking that the client entity has a valid lease, or is the legal owner, of premises used. h) Quality of inputs and outputs This would be to check that inputs and outputs are of an appropriate quality. For example, for inputs a check could be that a person providing training was suitably qualified. For outputs, a check would be that those trained were able to carry out their duties effectively.
The internal auditors should perform compliance testing on internal control procedures that
leave an audit trail of documentary evidence of compliance. The general sampling concept
includes selecting items from the entire set of data executed throughout the period under
audit. Internal control procedures that depend on segregation of duties and do not leave an
audit trail should be tested for compliance differently.
Inquiries should relate to the entire audit period.
Observations are confined to the periods that the internal auditor is present and
conducting the audit.
65 | P a g e
11.2.6 Sampling Techniques
The objective of sampling is to obtain information about the characteristic of a population, as it
is often impractical to perform tests of details on 100% of the transactions making up an
account balance.
When compliance and substantive tests involve inspection procedures, sampling is likely to be
the most cost-effective means.
Sampling requires that the internal auditor use professional judgment in planning, performing
and evaluating a sample and in relating the evidential matter produced by the sample to other
evidential matter when forming a conclusion about the related account balance or class of
transactions.
Sampling involves making decisions about the following:
1) Selection of items – which ones to select and how they are selected.
2) Size of Sample – How many items to select.
3) Precision of the sample – how much the sample may vary as a result of error.
4) Reality of sample statistic - how much it may vary as a result of error.
Selecting items for sample – the preferred method to be used by the internal auditor is to
provide a sample that is representative of the whole population.
Sampling Methods
1) Random Selection.
2) Systematic (interval) selection.
3) Block selection.
4) Stratified Selection.
5) Cumulative Monetary Amount selection.
11.2.7 Extent of Testing
The extent of compliance testing is based upon the results of the Internal Control Evaluation.
Compliance tests are used to determine effectiveness of prescribed controls in order that they
may be relied upon to determine the nature, extent and timing of substantive testing. Audit
66 | P a g e
benefit is not derived from applying compliance tests to ineffective internal controls or when
costs of compliance testing exceed the benefits.
The extent of compliance tests will vary directly with the reliance placed on internal controls,
while the extent of substantive tests will vary inversely with the reliance placed on internal
controls. In the case of very serious internal accounting control weaknesses, it may be
impractical to devise adequate substantive tests, thus requiring the internal auditor to issue an
adverse report on the operations of the department being audited.
11.2.8 Effectiveness of Systems of Control
Although the internal auditor’s efforts may be directed more toward the internal controls of the
client entity than to the resulting financial statements that are of prime concern to the external
auditor, the fundamental approach for both is the same - reliance upon an effective system of
internal control. The evaluation of internal control is accomplished through compliance and
substantive testing.
The purposes for compliance and substantive testing differ and will be achieved during the
fieldwork.
Compliance Testing: to provide reasonable assurance that the accounting control
procedures are being consistently applied as prescribed by policies, procedures, rules
and regulations, and sound business practice.
Substantive Testing: to obtain evidence of the validity and propriety of accounting
treatment of transactions and balances or, conversely, of errors or irregularities therein.
Compliance tests are used to help determine the extent of substantive testing to be
performed. Such tests are necessary if the prescribed procedures are to be relied upon in
determining the nature, timing or extent of substantive tests of particular classes of
transactions or balances. The internal auditor may decide not to rely on the prescribed
procedures because he/she concludes:
o The procedures are not satisfactory for that purpose.
o The audit effort required to test compliance with the procedures to justify reliance on
them in making substantive tests, would exceed the reduction in effort that could be
achieved by such reliance.
In evaluating internal controls, various methods of sampling are used to form an opinion on the
population tested. The internal auditor uses sampling to gather information from a limited
67 | P a g e
selection of the entire population for analysis of possible problems, causes and effects, and the
materiality of results.
11.2.9 Efficiency of Systems of Control
The evaluation of efficiency of the controls is the judgment of the internal auditor on the
cost/benefit of implementing, improving or deleting a control. Evaluations should be supported
where possible by mathematical information on the cost of the control and the benefit derived
or potential loss avoided.
12. AUDIT DOCUMENTATION
12.1 Introduction
The internal auditor documents the work performed in working papers. The working papers
serve as the connecting link between the audit assignment, the internal auditor's fieldwork, and
the final audit report.
Working papers contain the records of planning and preliminary reviews, audit procedures,
fieldwork, and other documents relating to the audit. Most importantly, the working papers
document the internal auditor's conclusions and the reasons those conclusions were reached.
They constitute the basis for the preparation of internal audit reports as well as substantiation
base for audit conclusions and recommendations. Working papers should be completed
throughout the audit. The Internal Audit Department is to employ an audit methodology that
requires the use of working papers which document:
The planning process,
examination and evaluation of the adequacy and effectiveness of internal controls,
the audit procedures used, the information obtained and the conclusions reached,
review,
reporting, and
follow-up.
68 | P a g e
As each audit step in the audit agenda is fulfilled, the internal auditor should ensure that the
related working papers are reviewed. The working papers also provide a basis for evaluating the
Internal Audit Department’s quality assurance program and demonstrate the Internal Audit
Department’s compliance with the Standards.
Although the quantity, type and content of working papers will vary between audits, they
should be sufficiently extensive so as to:
assist internal auditors in the performance of their work,
provide adequate support for the internal auditor’s opinion,
enable the work carried out to be independently reviewed, and
encourage a methodical approach to the work being undertaken.
Access to the IAD working papers for non- IAD persons can only be granted by the Director/
Head of the Internal Audit Department, upon written permission from the Secretariat.
12.2 Requirements
All audits must be assigned a number and a title. Internal Auditors should assemble an audit
file and indicate the audit number on the file. The audit number should include:
Designation of auditee at the client entity (identification code to be designed by the
IAD),
Year of internal audit, and
Sequential numbering.
Working papers should be clear and understandable. The internal auditor should keep in mind
that others will examine and refer to the working papers. The working papers should not need
any supplementary information and should be able to stand alone. Anyone reviewing the
working papers, without referring to documents outside of those included in the working
papers and without asking questions, should be able to understand what the internal auditors
set out to accomplish, what they did accomplish, what they found, and what they concluded.
Internal Auditors should include in their working papers only those things that are essential,
and they should ensure that each working paper included in the file serves a purpose that
relates to an audit procedure.
69 | P a g e
The internal auditors’ working papers should specify:
A heading/title and a reference number (identification of the form);
The name of the client entity being audited;
The period covered by the audit;
The trust/priority area being audited;
The date the work papers were created;
The date of review of the work papers; and
The signatures of the internal auditor(s) and reviewers.
12.3 Cross-Referencing
Working papers should be prepared using an appropriate cross-referencing system. A cross-
reference from the audit agenda to the audit programs and to the primary working paper
provides a reference to where the work was performed. Cross-referencing should be used to
reference information in more than one place, or to other relevant information, including the
source of information, composition of summary totals, or other documents or examples of
transactions. Documents/information should be in the working papers only once.
12.4 Retention Policy
All working papers are to be retained by the Internal Audit Department subject to the retention
requirements below:
Audit working papers are to be maintained until the end of the fiscal year in which all
recommendations are implemented.
At the end of the fiscal year in which all recommendations are implemented, the audit
working papers will be moved to an archive file for the fiscal year in which the audit was
conducted.
Completed investigative audit working papers will be moved to the archive file if a
lawsuit or potential lawsuit is no longer active. Otherwise the working papers will be
70 | P a g e
retained in the production file until the lawsuit is no longer pending, and then moved to
the archive file.
All audit working papers should be retained for six years.
= 12.5 Audit Files
Working papers can be generated and kept in either electronic or paper format. After each
audit, Internal Auditors should prepare a file with the description of all audit related working
papers. The files will consist of current files and permanent files.
12.5.1 Current Files
Current files contain working papers related to the specific audit. These working papers are the
records maintained by the internal auditor of the work planned and carried out, related to the
audit. This includes the procedures followed, the tests performed together with the
information obtained, and the conclusions formed. Working papers should be prepared at the
time the work is carried out. Such working papers are the property of the client entity and the
internal auditors who shall ensure their safe custody and confidentiality.
The purpose of the current file is therefore to provide a record of the audit work performed
and to enable any one reviewing the audit file to be satisfied that an adequate audit
examination has been made of the areas audited.
12.5.2 Permanent Files
The purpose of a permanent file is to provide internal auditors with a source of background
information about the client entity being audited, thus allowing them to obtain a greater
understanding of the systems. The permanent file should be updated each year and will thus
provide the internal auditor with the most up to date information available. (See section 12.7
below for detailed contents of audit files).
12.6 Documentation Management and Control
To ensure the proper management and traceability of documents produced and issued in the
Internal Audit Department, the following principles are to be met:
Documents shall be assigned an identification code (See § 12.7. - Files structure,
Identification and traceability).
71 | P a g e
Each working paper shall be uniquely traceable to the audit.
Each document shall identify the total number of pages/sheets and, on each page, the
issue number of the document. Each page shall be uniquely numbered and show the
document identification and reference.
When a document is distributed, it shall have a defined distribution. All recipients of
controlled copies of documents shall receive subsequent amendments and shall ensure
that previous versions are suitably identified to show that they have been superseded.
The IA charter and the procedures manual shall have an Amendment Record to identify
changes from the previous issue.
Pre-defined audit document formats should be complied with.
Internal auditor(s) are to follow these principles in their day-to-day activities, while the
Director/Head of the Internal Audit Department has an overall responsibility for document
management and control, and is to ensure that:
Audit documentation requirements are identified, planned and scheduled;
All IAD documents are produced, issued and controlled in accordance with these
procedures;
Registers of all documents subject to the controls are maintained and distributed, as
appropriate;
Copies of all documents are retained in secure and traceable files;
The requirements for archiving of audit documents are defined and implemented.
12.7 Files Structure, Identification and Traceability
The file structures for the Internal Audit Department are included below in the next pages.
FILES SECTIONS / Working paper descriptions/Working paper Reference
CURRENT FILES
Section A - Report Section
72 | P a g e
- Assignment Sheet A01
- Independence and Qualification Statement A02
- Reports A03
- Final Report A03 – 1
- Draft Report A03 – 2
- Audit Recommendation Status Report A03 – 3
- Audit Finding Forms A04 – 1
- Summary of Audit Findings A04 – 2
- Suspected Activities Reporting Form A04B
- Audit Agenda (Audit Program Guide) A05
- Audit Programs A06
- Weekly Time Sheets A07
- Transmission Letter to Audit Committee A08
- Management Responses Letter A09
Section B - Administrative Section
- Audit Entrance Memo B01
- Letter to Interested Parties B02
- Entry Conference Memo B03
- Memorandum Confirming Audit Scopes and Objectives B04
- Exit Conference Memo B05
- Other Correspondence with Auditee B06
- Questionnaire to the Auditee (Self-assessment questionnaire) B06 – 1
- Management Input Memo B06 – 2
- Guidelines to Auditee for handling an Audit B06 – 3
73 | P a g e
Section C – Preliminary Review Section
- Thrust Area Procedures Document C01
- Risk Matrix C02
- The Risk Analysis Documentation C03
Section D – Internal Review Section
- Audit Report Review Sheet D01
- Audit Staff Responses to Report Review D02
- Working Paper Review Sheets D03
- Audit Staff Responses to Working Paper Reviews D04
- Audit Performance Evaluation Form D05
- Staff Performance Evaluation Form D06
Section E – Financial Documents Section
- Financial Statements E01
- Trial Balance E02
- Bank Statements and Bank Reconciliation Letters E03
- List of Debtors E04
- List of Creditors E05
- Others E07
Section F – etc – Working Paper File
FILES SECTIONS / Working paper descriptions Working paper Reference
74 | P a g e
The working paper file(s) are used to document the evidence used to support the internal auditor's conclusions. They are indexed on letters (E, F, G....). A letter should be used for each major section. Each major section of the audit file should correspond to an audit objective in the Audit Agenda. There is no standard plan or indexing scheme. The only requirement is that it should be simple and easy to follow.
F G Etc…
Summaries of interviews F01
FILES SECTIONS / Working paper descriptions/Working paper Reference
PERMANENT FILES
Section PF – A : Audit plans and IAD activities
- Strategic plans PF A01
- Annual Plans PF A02
- Review of Activities of the IAD PF A03
- Quarterly Internal Audit Reports PF A03 – 1
- Annual Report on the Functioning of the Internal Audit System PF A03 – 2
- Self-assessment Check-list PF A03 – 3
- Notice to Interested Parties PF A03 – 4
Section PF – B : Environment
- Applicable Rules, Laws and Regulations PF B01
- Material on the Client Entity Division of Duties and Responsibilities, Number
of Employees, Job Descriptions, Organization Chart, Nature and Location of
Accounting Records PF B02
- Financial Information PF B03
- Internal Policies & Operating Procedures Manuals PF B04
75 | P a g e
- Narratives with Key Personnel on Operations and Transaction Flows
Supported by Applicable Documentation PF B05
- Documentation on the Internal Control System. (Including control points,
such as the system of approvals, authorizations, segregation of duties,
supervision, reconciliation, reports, etc.) PF B06
Section PF – C : Audit reports
- Copy of Previous Years Internal Audit Final Reports PF C01
Section PF – D : Audit Manual
- Revisions to the Internal Audit Manual PF D01
13 GENERAL SECURITY ISSUES
13.1 Information Security – Internal Audit Department
The following security policy guidelines should be considered by the Internal Audit Department.
The Director/Head of the Internal Audit Department is responsible for ensuring compliance.
Restricted information: All information reviewed in the course of an internal audit, and
information that internal auditors have access to should be considered confidential.
Working papers: Upon completion of the internal audit, working papers should be
maintained in locked file cabinets within the Internal Audit Department. Access to
internal audit files will be granted to individuals representing outside audit interests by
the Director/Head of the Internal Audit Department only upon the approval of the
Secretariat. However, files should not leave the Internal Audit Department without due
process.
Data Ownership: All data (manual or electronic) kept by the Internal Audit Department
should pertain to the client entity and related professional duties of the internal auditor.
As such, these files are considered the property of the Internal Audit Department, rather
than the property of the individual who created them. All files, whether paper,
76 | P a g e
electronic, etc., may need to be accessed from time to time. It is the policy of the
Internal Audit Department that such information will be freely accessible to those who
are entitled to have such access.
These guidelines are designed to allow efficient access to information by those who are entitled
to use it, yet protect the integrity of the original files.
14. QUALITY CONTROL
The Secretariat shall establish and maintain a quality assurance program to evaluate the
operations of the Internal Audit Departments.
14.1 General Auditing Quality Criteria
Quality in the internal audit function is achieved when:
There is stakeholder satisfaction
The Secretariat shall identify all relevant stakeholders and the products and services that
are important, or shall be important to each stakeholder. The Secretariat shall perform an
assessment of the current level of satisfaction of the stakeholders, through interviews,
facilitated workshops and/or questionnaires (See Audit Performance Evaluation form on
Annex 27). Any gaps identified should be included in an action plan for resolution in
subsequent periods. Customers of the audit function should also be encouraged to
contribute to the audit process by submitting their inputs prior to the development of audit
plans (See Management Input Memo – Annex 2)
Internal audit processes performance are measured
The Secretariat should undertake the following:
Risk Assessment/Audit Planning Assessment
The Secretariat should assess the extent that key risk areas are being addressed and obtain
feedback from key stakeholders (including the Audit Recommendation Implementation
Committee, senior management, external auditors, etc.) on whether the Internal Audit
Department has effectively addressed concerns of risk.
Planning and Performing the Audit Assignment
77 | P a g e
The Internal Audit Department should perform all audits in accordance with established audit
methodologies and working practices and ensure that, for each assignment, audit plans are
established to include consideration of the scope, objectives, timing and resource allocations
Communication and Reporting
The Internal Audit Department should also obtain feedback from stakeholders on the quality
level of detail, and frequency of audit communications. It should also measure the degree to
which key recommendations are implemented.
Innovation and Capability
Each Internal Audit Department should continuously strive to achieve high standards in the
following areas:
Training
Each Internal Audit Department should establish measures to ensure internal auditors receive
sufficient training.
Technology
Internal Auditors should be trained in the use of technology to effectively support audit testing
and analysis.
Industry Knowledge
The Director/Head of the Internal Audit Department should ensure that internal auditors have
sufficient knowledge of the industry, business, operations and key function in the client entity
(this could be achieved through orientation programs, working in the operational areas, audit
projects in key areas, among others).
14.2 Quality Assurance Program
The purpose of a Quality Assurance Program is to provide reasonable assurance that audit work
conforms to the Internal Audit Charter, and applicable policies and standards. In addition, the
Quality Assurance and Improvement Program should provide reasonable assurance that the
Internal Audit Department is being managed in an effective and efficient manner.
The Quality Assurance Program includes the following elements:
- Ongoing Internal reviews
78 | P a g e
- Periodic Internal reviews
- Periodic External reviews.
14.2.1 Ongoing Internal Reviews
Supervision of the work of the internal auditors is carried out continually to assure compliance
with applicable internal auditing standards, the Secretariat’s policies, and audit programs. Each
assignment of the IAD is covered by documented reviews as established in the Operational
Procedures Manual.
See Operational Procedure OP16: Working Papers Review procedure, OP21: Audit Report
Review procedure, Annex 20: Working Paper Review Sheet Form, and Annex 21: Audit Exit
Conference Format.
14.2.2 Periodic Internal Reviews
Internal auditors of the Internal Audit Department shall participate in a staff development
review. To provide feedback to the internal auditors regarding their performance during an
audit and to help the individual internal auditor maximize his or her potential, at the
completion of each audit, the Director/Head of the Internal Audit Department should complete
a Staff Performance Evaluation Form for each internal auditor.
See Operational Procedure OP25: Audit Performance Evaluation procedure, and Annex 28:
Staff Performance Evaluation Form.
In addition, at the conclusion of each audit review, audit effectiveness feedback shall be sought
in writing from the auditee at the client entity, utilizing the Audit Performance Evaluation Form.
See Operational Procedure OP25: Audit Performance Evaluation procedure, and Annex 27:
Audit Performance Evaluation Form.
Such feedback shall be reviewed on a regular basis as a means of maintaining and/or improving
internal practices and processes, and as a basis for necessary staff development. Periodic self-
reviews for compliance with the IIA Standards for the Professional Practice of Internal Auditing
shall be undertaken by the IAD.
14.2.3 Periodic External Reviews by Independent Auditors
79 | P a g e
If required, the Secretariat may use independent auditors. These reviews should be performed
by qualified persons who are independent of the Secretariat and who do not have either a real
or an apparent conflict of interest. The Secretariat is to rely on a formal, written report which
would express an opinion as to the Internal Audit Department’s compliance with the Standards
for the Professional Practice of Internal Auditing and, as appropriate, including
recommendations for improvement.
14.2.4 Quarterly Report on the Internal Audit Department’s Activities
Each quarter, the IAD will present to the Secretariat a Quarter-End Report on the Internal Audit
Department. This report shall be in a format that shall be determined by the Secretariat (See
Annex 10). The generality of the issues may include the following:
The deficiencies detected in the client entity’s internal control system;
The implementation of an annual IAD activity plan indicating the number of planned
audits and the number of implemented audits;
The cases of audit scope limitation (if any) indicating the causes and potential risks;
The audits carried out which were not scheduled in the annual IAD audit plan or
other assignments;
The principal findings and recommendations;
Indication whether all suggested audit recommendations were implemented;
Review of the status on implementation of audit recommendations and elimination
of deficiencies;
Unimplemented recommendations which the internal auditor considers important
and the associated risks;
Sufficiency of human and material resources to carry out the audits which had been
planned;
Training and qualifications of IAD personnel; and
Other important information.
80 | P a g e
The report has to reflect the significance of internal auditing and underline the operational
improvement of the client entity. This report is to be submitted to the Secretariat no later than
the due date communicated by the Secretariat.