sop audit process

Upload: manis26

Post on 23-Oct-2014

Controlled Copy – This document must not be copied or disseminated in any way

MALAYSIA AIRPORTS HOLDINGS BERHAD

STANDARD OPERATING PROCEDURE

ASSET MANAGEMENT UNIT, MALAYSIA AIRPORTS (PROPERTIES) SDN BHD

DOCUMENT NO : HQ/SOP/AMU/02
REVISION : 1
TITLE : ASSET REQUISITION
PAGE : 1 of 14
EFFECTIVE DATE : 2012

PREPARED BY: ANIS RAZIKIN BINTI MOHD KHUSAIRI, MANAGER, ASSET MANAGEMENT UNIT

REVIEWED BY: KHAIRUN BARIAH BINTI ISMAIL, SENIOR MANAGER, MA (PROPERTIES) SDN BHD

APPROVED BY:

DOCUMENT CONTROL CENTRE COPY NO

MALAYSIA AIRPORTS HOLDINGS BERHAD
ASSET MANAGEMENT UNIT, MA (PROPERTIES) SDN BHD

STANDARD OPERATING PROCEDURE: ASSET REQUISITION
Doc Ref No: HQ/IA/SOP/02
Rev. No: 1
Effective Date: 15 OCTOBER 2009

REVISION HISTORY

Date | Rev. No. | DCR No. | Page No. | Description of Revision | DCC
01/08/09 | 0 | - | - | New |
15/09/09 | 1 | | | 3.0 Definition/Abbreviation - to rearrange according to alphabetical order; 5.0 Flow Chart – to include start & end symbol, numbering & decision statement. |
19/08/10 | 2 | | 8 | To change 6.4.2 - ISSUE PRIORITISATION MATRIX, from Medium 1, Medium 2 to Medium |

1.0 PURPOSE

The purpose of the procedure is to describe the guidelines in order to perform asset requisition.

2.0 SCOPE

The scope of the procedure comprises all audit processes which include preparation towards the audit fieldwork until issuance of Draft Report.

3.0 DEFINITION/ABBREVIATION

AFC - Audit Finding Confirmation

APM - Audit Plan Memorandum

BAC - Board Audit Committee

CAF - Current Audit File

COSO - Committee of Sponsoring Organizations of the Treadway Commission

FACD - Follow Up Audit Control Document

GM IAD - General Manager, Internal Audit Division

ICQ - Internal Control Questionnaires

KPI - Key Performance Indicator

MAHB - Malaysia Airports Holdings Berhad

MD - Managing Director

MOS - Memorandum of Suggestions

RAM - Risk Assessment Matrix

4.0 REFERENCE

1. International Standards for Professional Practice of Internal Auditing

5.0 FLOW CHART

[Flow chart with columns Responsibility, Process and Related Document]

Process steps, in order:

Start
6.1 Issue Notification Letter to Audit Client
6.2 Perform Audit Preliminary
6.3 Conduct Opening Meeting
6.4 Perform Audit Fieldwork
6.5 Supervision
6.6 Prepare Audit Finding Confirmation
6.7 Prepare Draft Audit Report
6.8 Decision Statement (Yes / No)
A (connector)
6.9 Conduct Exit Meeting
6.10 Update Management Comment
6.11 Issue Final Audit Report
6.12 Internal Audit Management Committee
6.13 Board Audit Committee
6.14 Decision Statement (Yes / No)
End

Responsibility and Related Document entries, in the order they appear in the chart:

GM Internal Audit / Senior Manager
Audit Team
Audit Team (MAHB/IA/FORM/SOP02/01)
Audit Team
Team Leader / Manager (MAHB/IA/FORM/SOP02/02)
Team Leader / Manager (MAHB/IA/FORM/SOP02/03)
Manager
GM Internal Audit / Senior Manager / Team Leader (MAHB/IA/FORM/SOP02/04)
Audit Client (MAHB/IA/FORM/SOP02/05)
GM Internal Audit / Senior Manager / Manager (MAHB/IA/FORM/SOP02/06)
GM Internal Audit

6.0 PROCEDURE

6.1 ISSUE NOTIFICATION LETTER TO AUDIT CLIENT

A notification letter is issued to the audit client 5 working days prior to the preliminary audit, as scheduled in the Annual Audit Plan. The letter communicates the audit area, audit preliminary, audit fieldwork, timeframe, the audit team assigned and other related information for the audit assignment.

The letter is issued by the General Manager, Internal Audit to the audit client and copied to the MD and/or the audit client's immediate superior.

6.2 PERFORM AUDIT PRELIMINARY

The purpose of the audit preliminary is to facilitate the internal auditor in determining the audit scope and objectives. The number of days involved in the preliminary stage is 5 working days.

6.2.1 RISK ASSESSMENT MATRIX

RAM is initially prepared during the preliminary audit and is updated accordingly throughout the audit fieldwork.

6.3 CONDUCT OPENING MEETING

The auditor will meet the key audit client and any staff members he/she wishes to invite during the Opening Meeting. The auditor will explain the following agenda: -

Internal Audit, Your Business Partner

APM

Controls

COSO Based Auditing

Audit Process

Non-Closure of Issues

Consequence Management

Self-Reporting – Audit Follow Up Process

Conclusion

Q & A

In the event that the presence of the GM IAD is necessary, the opening meeting will be chaired by the incumbent. Attendance of all parties present will be taken and kept in CAF for the assignment by using SOP/IA/FORM/SOP/02/01.

6.3.1 AUDIT PLANNING MEMORANDUM

The APM, prepared during the preliminary audit, consists of a Cover Page for approval purposes, APM, Audit Schedule, Task Matrix and RAM. The APM details the overview of the auditable area/function/subsidiaries, expected outcome and distribution of reports, audit objective & period, audit scope and audit logistic and schedule.

APM is given to the audit client during the Opening Meeting.

6.4 PERFORM AUDIT FIELDWORK

The fieldwork concentrates on transaction testing and interview process. During this phase the auditor determines whether the controls identified during the preliminary review are operating appropriately and in the manner described by the audit client.

As the fieldwork progresses, the auditor discusses any significant findings with the audit client. This is to get feedback from the audit client as the audit client can offer insights and work with the auditor to determine the best method of resolving the findings.

The fieldwork stage concludes with a list of significant findings from which the auditor will prepare the AFC.

Normal audit fieldwork involves 10 working days, whilst an airport audit assignment involves 2 – 3 working days.

6.4.1 AUDIT PROCEDURE

There are four types of procedures: -

6.4.1.1 Walk-through

Walk-through tests follow several transactions through the system from the beginning to the end of the process, at each stage identifying the process and controls in place.

6.4.1.2 Compliance

Compliance tests or tests of control determine whether system controls are operating as intended. They are based on samples.

Examples of Compliance Tests are: -

Whether loan applications have been authorised in accordance with procedures

Whether customer payments are allocated against outstanding invoices and the debtors accounts reconciled each month.

6.4.1.3 Substantive

Substantive Tests aim to establish the validity of the outcome of the transactions. They may be used more extensively when Compliance Tests indicate weak controls or when fraud is suspected. They are based on samples. An example of a substantive test is checking fixed assets in the fixed asset register to ensure that new assets are correctly recorded from purchase invoices, assets are depreciated correctly, disposals are properly recorded and assets physically exist and are being used by the organization.

6.4.1.4 Analytical

Analytical testing involves evaluating and analysing auditable area data. For example, comparison between budgeted and actual sales or expenditure figures, performance analysis, profitability ratio, liquidity ratio etc.

6.4.2 ISSUE PRIORITISATION MATRIX

Audit Issues are categorised and prioritised as Extreme (Red), High (Amber), Medium (Yellow) and Low (Green), as highlighted in the Audit Finding Confirmation (Level of Risk). The list of audit issues is highlighted together with the responsible party and implementation timing. The risk assessment must be in accordance with the Risk Map provided by the Risk Management Unit, MAHB.

6.5 SUPERVISION

It is necessary for the team leader to plan the work and organize the team members under him/her, and to keep the GM IAD informed of the progress of the audit as the work progresses. It is the duty and responsibility of the team leader to see that the team members to whom he/she has allocated the work understand the nature and the purpose of the task involved. The team leader is responsible for ensuring that the audit is completed efficiently within the allocated time. He/she has to ensure that: -

The audit engagement is properly supervised to ensure objectives are achieved, quality is assured and staff are developed.

Proper working papers are prepared by all staff indicating the purpose of the working paper, the work carried out, the matters arising and the audit conclusion drawn. All the comments related to the working papers will be highlighted in the Review Notes.

All working papers are clearly referenced to the relevant RAM.

A draft report has been prepared.

Fill in MAHB/IA/FORM/02/02

6.6 PREPARE AUDIT FINDING CONFIRMATION

At the end of audit fieldwork, AFC is used for all audit assignments to confirm the findings. The main contents of AFC include the following: -

Criteria – stipulates the standard to be adhered to.

Findings – issues/areas for improvement highlighted.

Cause – reason attributed to the related findings.

Risk/Implication – explains the effect of occurrence of the related findings.

Recommendation – suggestions to improve the areas of concern.

Target of Completion/Audit Client Action Plan – Commitment from the audit client to address the issue within stipulated time frame.

Signatories of both parties i.e. responsible party and auditor in-charge are required to agree on issues highlighted. In the event the audit client does not agree to sign, the matter will still be raised accordingly.

Should any finding be found to be resolved at this stage, the related AFC must be kept in the CAF. In the case of non-agreeable issues, the issues need to be highlighted to the GM IAD for review or, if necessary, to be further discussed during the Exit Meeting.

Finally, the RAM, COSO Element and the risk rating need to be updated after finalization of AFC by using MAHB/IA/FORM/SOP/02/03.

6.7 PREPARE DRAFT AUDIT REPORT

Refer to HQ/WIS/IA/02 for format of Audit Report.

RAM Rating Performance Scorecard

In deriving performance scorecard, refer to HQ/WIS/IA/01 for details on Audit Programme.

6.8 DECISION STATEMENT

If yes, proceed with an exit meeting with audit client. If no, amend report accordingly prior to tabling at exit meeting.

6.9 CONDUCT EXIT MEETING

During the Exit Meeting, the audit team meets the audit client to discuss the audit issues as stated in the draft Audit Report. At this meeting, the AFC would be re-emphasized and non-agreeable issues will be deliberated prior to final agreement on the audit issues.

For non-airport audit assignments the Exit Meeting is to be held within 15 working days upon completion of audit fieldwork and is chaired by GM IAD or Team Leader, whereas for airport audit assignments the Exit Meeting is to be held on the last day and is chaired by the Team Leader.

Attendance of all parties present will be taken and kept in CAF for the assignment by using MAHB/IA/FORM/SOP/02/04.

6.10 UPDATE MANAGEMENT COMMENT

6.10.1 Follow Up Control Document (FACD)

The implementation of agreed audit recommendations is the direct responsibility of the management. In attaining the objective, IAD has implemented FACD to facilitate audit client in addressing follow-up issues on internal audit findings.

The FACD is forwarded to audit client together with the final audit report.

The content of FACD includes the following: -

Audit Issue

IAD Recommendation

Management Comment

Timeline

Current Status

Revised Timeline (if any)

It is the requirement for audit client to revert on status of ALL issues to IAD: -

First update is for IAMC (Final Report FACD).

Second update is when tabled to BAC (Reminder to be sent out 2 weeks before BAC).

IAD updates on BAC decision into FACD.

For follow-up purpose, audit client to provide latest status within 6 months period after tabling to the BAC.

For the summarized year end FACD, issues not closed will be followed up in the following year. Management is required to update within the new deadline. Closed issues will be stated in the summarized year end FACD.

Refer Appendix 5

6.10.2 Non-Closure of Issues

The audit client is given a timeline of 7 working days to reply to the audit issues. In the event of no reply within the stipulated timeframe, three (3) Reminder letters will be issued accordingly to the respective audit client.

First Reminder – issued by Team Leader, IAD (3 working days before due date)

Second Reminder – issued by Team Leader, IAD (2 working days after 1st Reminder)

Third Reminder – issued by General Manager, IAD (5 working days after due date of 2nd Reminder)

A subsequent Reminder letter will be sent by the Managing Director five (5) days after the third (3rd) Reminder.

Timeline for Reminder

[Timeline figure. Labels: 1st Reminder (Team Leader); 2 days after the 1st Reminder; Due Date, i.e. 31/01/09; 3rd Reminder (GM IAD); MD. Intervals shown: 3 days, 5 days, 5 days.]

Negative KPI will be imposed on any delay in management response to IAD or any unresolved issues. There are two (2) types of deductions to KPI due to delay in audit reply or on outstanding issues: -

Late Reply – 2 % of KPI score

Overdue Outstanding Issue – 75 % resolved (2.5 % of KPI score)

Overdue Outstanding Issue – 50 % resolved (5 % of KPI score)

Deduction of non-closure of issues will be reflected into total KPI score which is built into the Audit Special KPI.

Refer to HQ/WIS/IA/02 for details on Audit Report.

6.11 ISSUE FINAL AUDIT REPORT

Refer to HQ/WIS/IA/02 for details on Audit Report.

6.12 INTERNAL AUDIT MANAGEMENT COMMITTEE

The purpose of the IAMC meeting is to update the management on the current status of the audit findings. The respective head of division briefs the meeting on the status of audit findings based on the Follow up Control Document (FACD) submitted to IAD prior to the IAMC meeting.

IAMC is held prior to the BAC and is chaired by MD of MAHB or his designated representative.

Prior to the meeting, the Admin Officer prepares the related summary of audit reports to be reviewed by the GM IAD. The letter of invitation is issued by the GM IAD office and is circulated to the respective divisions 5 working days in advance. Attendance of all parties present will be taken and kept in correspondence file for the assignment.

Refer Appendix 6

6.13 BOARD AUDIT COMMITTEE

The BAC deliberates audit issues and progress of action taken in the FACD, which is a self follow-up done by the audit client. The secretary for the BAC meeting is the Company Secretary, MAHB.

6.14 DECISION STATEMENT

Upon tabling to the BAC: if yes, the issues highlighted will be closed. If no, updates on BAC would be incorporated into the FACD to the audit client for action taken.

7.0 QUALITY STANDARD

To ensure all documents are prepared according to the following timeline: -

Audit Preliminary – 5 working days

Audit Fieldwork – 10 working days

Audit Report – 5 working days

8.0 QUALITY RECORD

TITLE | DOCUMENT NUMBER | RETENTION TIME | LOCATION | RESPONSIBILITY
Attendance List Opening Meeting | MAHB/IA/FORM/SOP02/01 | 7 years | IAD Office | Audit Team
Review Notes | MAHB/IA/FORM/SOP02/02 | 7 years | IAD Office | Audit Team
Audit Finding Confirmation (AFC) | MAHB/IA/FORM/SOP02/03 | 7 years | IAD Office | Audit Team
Attendance List Exit Meeting | MAHB/IA/FORM/SOP02/04 | 7 years | IAD Office | Audit Team
Follow-up Control Document (FACD) | MAHB/IA/FORM/SOP02/05 | 7 years | IAD Office | Audit Team
Attendance List Form Internal Audit Management Committee (IAMC) | MAHB/IA/FORM/SOP02/06 | 7 years | IAD Office | Audit Team

9.0 APPENDIX

1. Attendance List Opening Meeting
2. Review Notes
3. AFC
4. Attendance List Exit Meeting
5. FACD
6. Attendance List Form IAMC