2. General DefinitionofInternalAudit
InternalAuditis a central administrative unit ofABC Company. InternalAuditreports operationallyto theVice President
Finance withdotted linerepresentation to the ABC CompanyBoardof Directors. InternalAudit's coverageand service extendsto
all company entities. InternalAudit is also acontrol whichfunctionsbyexaminingand evaluating the adequacyand
effectivenessof othercontrolsthroughout ABC Companyfor managers, the Board of Directors, and external auditors.
Finally,InternalAudit providesassistance to the external auditors in their performance of the annual auditsof ABC
Companyfinancial statements.
CHARTER
INTRODUCTION
ABC Companysupports InternalAuditas an independent appraisalfunctionto examine and evaluateABC Companyactivities as
a serviceto management andtotheBoardof Directors.
The missionof InternalAuditis to support managers of ABC Companyinthe effective discharge of their responsibilities.To this
end, InternalAuditwillfurnish themwith analyses, recommendations, counsel,andinformation concerning the activities
examined.
ORGANIZATIONAND BOARD REPORTING
TheDirector of InternalAuditshallreportto theVice PresidentFinance withdotted line reporting to theAudit
Committee.TheAudit Committeeshallhave final approval of the hiring, firing, and salarychangesfor theDirector of
InternalAudit.
Annually,the Director of InternalAuditshall submit to the Boardof Directors a written report on the internal audit
activityduring the preceding fiscalyear.TheDirector shall also make an oral report to the Audit Committee.
TheDirector of InternalAuditshallmakea written reportto the Audit Committee whenever there is evidenceof defalcations or
other problems exceeding€25,000. In addition,if the circumstanceseverwarrantsuch action, the Director of InternalAudit
maycircumventnormal ABC Companyreporting lines and communicate directlywith theAudit Committee.
AUTHORIZATIONAND RESPONSIBILITIES
InternalAudithas the authoritytoaudit all parts of ABC Companyandshall have full and completeaccessto anyof the
organization'srecords, physical properties, and personnel relevant tothe performance of anaudit. Documents and information
givento internal auditors during a periodicreviewwill be handled in the same prudent manneras bythose employees
normallyaccountable for them.
InternalAuditshall have no direct responsibilityor authorityfor anyof the activitiesor operations theyreview.Theyshould
notdevelopand installprocedures,prepare records, or engage in activities that would normallybe reviewed byinternal
auditors.Furthermore, an internal audit does not inanywayrelieve other persons in ABC Companyof the
responsibilitiesassignedtothem.
REPORTING RESPONSIBILITIES
Awritten reportshallbe prepared and issued bytheDirector of InternalAuditatthe conclusion of everyaudit. Copiesof the
reportshall be distributed as appropriate.The managerof theentityreceiving the reportshallrespond withinthirtydays
andforwarda copy of the response tothose included on thedistributionlist.Theresponseshall indicate what actions were taken
regardingspecificreport findings and recommendations Themanager receiving the report is responsiblefor ensuringthat
progress is made toward correcting anyunsatisfactoryconditions.InternalAudit is responsiblefor determiningwhether the
actiontakenis adequate to resolve auditfindings. If the actionis not adequate, Internal Auditshallinform ABC
Companymanagement of the potential risk and exposure in allowing the unsatisfactoryconditionsto continue.
2|Page
3. MISSION OBJECTIVE
InternalAudit's objectivesin accomplishing its mission shallinclude the following:
Determine the accuracyand proprietyof financial transactions
Evaluatefinancial andoperational procedures for adequacyof internal controls and provide advice andguidance on
control aspectsof new policies, systems, processes, and procedures
Verifythe existence of ABC Companyassetsand ensurethatproper safeguardsare maintained to protect themfromloss
Determine the level of compliance withABC Companypolicies and procedures,and laws and regulations
Evaluatethe accuracy,effectiveness, and efficiencyof ABC Company's electronic information andprocessingsystems
Determine the effectivenessand efficiencyof the auditedentitiesinaccomplishing their mission and identifyoperational
opportunitiesfor costsavings and revenue enhancements
Coordinate audit efforts with, andprovide assistance to, the external auditors
Investigate fiscal misconduct
STANDARDSAND ETHICS
In all of its activities, InternalAudit will adhere to GenerallyAcceptedAuditingStandards and the Code of Ethics adopted
bythe Institute of InternalAuditors.
MISSION STATEMENT/OBJECTIVES/VALUES
MISSION STATEMENT
InternalAuditexists to support theBoard of Directorsin the effective dischargeof their responsibilities.Using our
knowledgeandprofessional judgement,we willprovide an independent appraisalof ABC Company's financial, operational, and
control activities.We willreport on the adequacyof internal controls, the accuracyand proprietyof transactions, the extent to
whichassets areaccounted for and safeguarded, and the level of compliance with companypolicies and government laws
andregulations.Additionally,we willprovide analyses, recommendations, counsel, and informationconcerning the
activitiesreviewed.
OUR OBJECTIVES INACCOMPLISHING OUR MISSIONINCLUDETHE FOLLOWING:
Determine the accuracyand proprietyof financial transactions
Evaluatefinancial andoperational procedures for adequacyof internal controls and provide advice andguidance on
control aspectsof new policies, systems, processes, and procedure
Verifythe existence of ABC Companyassetsand ensurethatproper safeguardsare maintained to protect themfromloss
Determine the level of compliance withABC Companypolicies and procedures,laws and regulations
Evaluatethe accuracy,effectiveness, and efficiencyof ABC Company's electronic information andprocessingsystems
Determine the effectivenessand efficiencyof audited entitiesinaccomplishingtheir mission and identifyoperational
opportunities for cost savings and revenue enhancements
Provide assistance and a coordinated audit effort with the external auditors
Investigate fiscal misconduct
VALUES
In carryingout our mission, we share certain beliefs and values.
Our primaryfocus is toprovide excellent service toABC Company. Our examinations shall be performedin
3|Page
4. accordance withapplicable GenerallyAcceptedAuditing Standards.
Weare committed tothe highest degree of fairness,integrity,andethical conduct in the performanceof our
mission.Wewilladhere to the Code of Ethics as established by the Institute of InternalAuditors. Furthermore, we
willnot issue a reportwithoutfirst allowing the recipient the opportunityto review,challenge, question, and respond to
our findings and conclusions.
Our relationships with ABC Companyemployees willbe characterised byrespect, helpfulness,sharing,patience, and
openness.
Weare committed tomaintaining our professionalismas internal auditors through continuance of our education and
training.
Although we area part ofABC Companywe are committed tomaintaining our independence indefining the scope
andobjectives of our examinations.
GENERALLYACCEPTEDAUDITINGSTANDARDS
100 INDEPENDENCE
Internal auditorsshouldbe independent of the activities theyaudit.
Internal auditorsare independent when theycan carryout their work freelyand objectively.Independence permits
internal auditorstorender the impartial and unbiasedjudgments essential to the properconductof audits. It is achieved
through organizational status and objectivity.
110 ORGANIZATIONALSTATUS
The organizationalstatusof theinternal auditing department should be sufficient to permitthe accomplishment of its audit
responsibilities.
Internal auditorsshouldhave the supportof managementand of the board of directors so that theycan gain the
cooperation of audited entitiesand performtheir work free from interference.
1. The director of the internalauditing departmentshouldbe responsible to an individual in the organizationwithsufficient
authorityto promote independence andto ensure broad audit coverage, adequate consideration of audit reports, and
appropriate action on audit recommendations.
2. The director should have direct communicationwith the board. Regular communication withthe board helps assure
independence and providesa means for theboard and the director to keep each other informed on matters of mutual
interest.
3. Independence is enhanced when theboard concurs in the appointmentor removalof thedirector of the internal auditing
department.
4. The purpose, authority,and responsibilityof theinternal auditing department shouldbe defined in a formal written
document (charter).Thedirector should seek approval of the charter bymanagement as wellas acceptance bythe
board.The charter should (a)establish the department's positionwithinthe organization; (b) authorizeaccess to records,
personnel,and physical properties relevant tothe performance of audits;and(c) define the scope of internal auditing
activities.
5. The director of internal auditing should submitannuallyto management for approval and to the board for its information
a summaryof the department's audit work schedule, staffingplan, and financial budget.The director should also
submitall significant interimchangesfor approval and information.Audit work schedules, staffing plans,and
financialbudgets shouldinform managementand the board of the scope of internal auditing work and of any limitations
placed on that scope.
6. The director of internal auditing should submitactivityreports to management and to the board annuallyor
morefrequentlyas necessary.Activityreports shouldhighlight significant audit findings and recommendations and should
inform management andthe boardof anysignificant deviationsfromapproved audit work schedules, staffing plans,
andfinancial budgets, and thereasons for them.
120 OBJECTIVITY
Internal auditorsshouldbe objective in performingaudit.
Objectivityis an independent mental attitude whichinternal auditors should maintain in performing audits.Internal
4|Page
5. auditorsare not tosubordinate their judgmenton audit matters to that of others.
Objectivityrequiresinternal auditorstoperformaudits in such a manner that theyhave an honest belief intheir work
productand that no significant qualitycompromises are made.Internal auditorsare not tobe placed in situations in
whichtheyfeel unable to makeobjective professional judgments.
1. Staff assignments should bemadeso that potential and actual conflicts of interest and bias are avoided.The
director should periodicallyobtain fromthe audit staff information concerning potential conflictsof interest
and bias.
2. Internal auditorsshouldreport to the director anysituationsinwhicha conflict of interest or bias is presentor
mayreasonablybe inferred.The director should then reassignsuch auditors.
3. Staff assignments of internal auditorsshouldbe rotatedperiodicallywhenever it is practicable to do so.
4. Internal auditorsshouldnot assumeoperating responsibilities. But if on occasion managementdirectsinternal
auditorstoperformnon-auditwork, it shouldbe understood that theyare notfunctioning as internal auditors.
Moreover, objectivityis presumedto be impaired when internal auditors audit anyactivityfor which theyhad
authorityor responsibility.This impairment shouldbe considered whenreporting audit results.
5. Persons transferredto or temporarilyengaged bythe internal auditing departmentshouldnot be assignedtoaudit
those activities theypreviously performeduntil a reasonable period of timehas elapsed.Such assignments are
presumed toimpairobjectivityand should beconsideredwhen supervisingthe audit work andreporting
auditresults.
6. The resultsof internal auditing work should be reviewed before the related audit report is releasedtoprovide
reasonable assurancethatthe work was performedobjectively.
The internal auditor'sobjectivityis notadverselyaffectedwhen the auditor recommends standardsof controlfor systems
or reviewsproceduresbeforetheyare implemented. Designing,installing, and operating systems arenot audit functions.
Also, the drafting of proceduresfor systems is not an audit function. Performing such activities is presumed
toimpairaudit objectivity.
200 PROFESSIONALPROFICIENCY
Internal auditsshouldbe performedwith proficiencyanddue professional care.
Professional proficiencyis the responsibilityof theinternal auditingdepartment and each internal
auditor.Thedepartment should assign toeachaudit those persons who collectivelypossess
thenecessaryknowledge,skills, and disciplinesto conduct the audit properly.
210 STAFFING
The internal auditing departmentshouldprovide assurance that the technical proficiencyand educational background of
internal auditorsare appropriate for the auditstobe performed.
The director of internal auditing should establish suitable criteria of education and experience for filling internal
auditing positions, giving dueconsideration to scope of work andlevel of responsibility.
Reasonable assurance should be obtainedas toeach prospective auditor's qualifications and proficiency.
220 KNOWLEDGE,SKILLS,AND DISCIPLINES
The internal auditing departmentshouldpossess or shouldobtain the knowledge, skills, and disciplines needed to carryout its
audit responsibilities.
5|Page
6. The internal auditing staff should collectivelypossess the knowledgeand skills essential to the practice of the
profession withinthe organization.Theseattributes include proficiencyinapplyinginternal auditing standards,
procedures,and techniques.
The internal auditing departmentshouldhave employees or use consultants who are qualified in suchdisciplines as
accounting, economics, finance, statistics,electronic data processing,engineering, taxation, and law as needed to meet
audit responsibilities.Each member of thedepartment,however,need notbe qualifiedin all of thesedisciplines.
230 SUPERVISION
The internal auditing departmentshouldprovide assurance that internal audits are properly supervised.
The director of internal auditing is responsible for providing appropriate audit supervision. Supervisionis acontinuing
process, beginningwith planning and ending with the conclusion of the audit assignment.
Supervisionincludes:
1. Providing suitable instructions tosubordinates atthe outset of the audit and approving the audit program.
2. Seeingthat the approved audit programis carried out unless deviationsare both justified andauthorized.
3. Determining that audit working papers adequatelysupport theauditfindings, conclusions,andreports.
4. Making sure that audit reports areaccurate, objective, clear, concise, constructive, and timely.
5. Determining that audit objectives are being met.
Appropriate evidenceof supervisionshould be documented and retained.
The extent of supervisionrequired willdepend on the proficiencyof the internal auditorsandthe difficultyof the audit
assignment.
All internal auditing assignments, whetherperformedbyor for the internal auditing department,remainthe
responsibilityof its director.
240 COMPLIANCEWITH STANDARDS OFCONDUCT
Internal auditorsshouldcomplywithprofessional standardsof conduct.
The Codeof EthicsofTheInstitute of InternalAuditorssets forth standardsof conduct and provides abasis for
enforcement amongits members.The Code calls for high standardsof honesty,objectivity,diligence, and loyaltyto
whichinternal auditors shouldconform.
250 KNOWLEDGE,SKILLS,AND DISCIPLINES
Internal auditorsshouldpossess the knowledge,skills, and disciplinesessential to the performance of internal audits.
Each internal auditor should possess certain knowledge and skillsas follows:
1. Proficiencyin applying internal auditing standards,procedures,and techniques is required in
performinginternal audits. Proficiencymeansthe abilityto apply knowledge tosituations likelyto be
encountered and to deal with themwithout extensive recoursetotechnical researchandassistance.
2. Proficiencyin accounting principles and techniques is required of auditors who work extensivelywith
financial records and reports.
3. An understanding of management principlesis required torecognizeand evaluate the materialityand
significance of deviations from good business practice.An understanding means the abilityto applybroad
knowledgeto situations likelyto beencountered,to recognizesignificant deviations, and to be able to carryout
the researchnecessaryto arrive at reasonable solutions.
4. An appreciation is required of the fundamentalsof such subjects as accounting, economics, commercial
law,taxation, finance, quantitative methods, and computerizedinformationsystems.An appreciation means
theabilityto recognizethe existence of problems or potential problems and to determine the further research
to beundertaken or the assistance to beobtained.
6|Page
7. 260 HUMAN RELATIONSAND COMMUNICATIONS
Internal auditorsshouldbe skilled in dealing withpeopleand in communicating effectively.
Internal auditorsshouldunderstand humanrelations and maintain satisfactory relationships with audited entities.
Internal auditorsshouldbe skilled in oral and written communications so thattheycan clearlyand
effectivelyconveysuchmatters as auditobjectives, evaluations, conclusions,andrecommendations.
270 CONTINUING EDUCATION
Internal auditorsshouldmaintain their technical competence throughcontinuing education.
Internal auditorsare responsible for continuing their education in orderto maintain their proficiency.Theyshouldkeep
informed aboutimprovements and current developments ininternal auditing standards,procedures, and techniques.
Continuing education maybe obtained throughmembershipand participation in professional societies; attendance at
conferences, seminars, college courses, andin-house training programs; andparticipation in research projects.
280 DUE PROFESSIONALCARE
InternalAuditors should exercisedueprofessional care in performing internal audits.
Dueprofessional care calls for the application of the care and skill expected of a reasonablyprudent and competent
internal auditor in the sameor similar circumstances.Professionalcareshould, therefore, beappropriate to the
complexities of the audit being performed.In exercising due professionalcare,internal auditors shouldbe alert tothe
possibilityof intentional wrongdoing, errors and omissions, inefficiency,waste,ineffectiveness, andconflicts of
interest.Theyshould alsobe alert to those conditions andactivities whereirregularities are mostlikelyto occur. In
addition, theyshouldidentifyinadequatecontrolsand recommendimprovements to promotecompliance with acceptable
proceduresand practices.
Duecareimplies reasonable careand competence, not infallibilityor extraordinary performance. Due care requiresthe
auditor to conduct examinations and verifications to a reasonable extent,but does not require detailed auditsof all
transactions. Accordingly,the internal auditor cannot give absolute assurancethat non-compliance or irregularities do
not exit. Nevertheless, the possibilityof material irregularitiesor non-compliance shouldbe considered whenever the
internal auditor undertakes an internal auditingassignment.
When an internal auditor suspects wrongdoing,the appropriate authorities within the organizationshouldbe
informed.The internal auditor mayrecommendwhatever investigationis considerednecessaryin the
circumstances.Thereafter,the auditor shouldfollow up to seethat the internal auditing department's
responsibilitieshave been met.
Exercising due professionalcaremeans using reasonable audit skill and judgment in performingthe audit.To this end,
the internalauditorshould consider:
1. The extent of audit work needed to achieve audit objectives
2. The relative materialityor significance of mattersto which audit procedures are applied
3. The adequacyandeffectiveness of internal controls
4. The costof auditing in relationto potential benefits
5. Dueprofessional care includes evaluatingestablished operating standardsand determiningwhether those
standardsare acceptable and are beingmet.When suchstandardsare vague,authoritative interpretationsshould
besought.If internal auditors are required tointerpret or select operating standards,they shouldseek
agreementwithaudited entitiesas tothe standardsneeded to measureoperating performance.
7|Page
8. 300 SCOPEOFWORK
The scope of the internalauditshould encompass the examinationand evaluationof the adequacyand effectivenessof
theorganization's systemof internal control and the qualityof performance in carrying outassignedresponsibilities.
The scope of internal auditing work, as specified in thisstandard,encompasses what audit work should beperformed.
Itis recognized, however, that management and the board of directors provide generaldirection as to the scope of
work and theactivities to be audited.
The purpose of the reviewfor adequacyof thesystemof internal control is to ascertain whether the systemestablished
provides reasonable assurance that the organization's objectivesandgoals willbe metefficientlyand economically.
The purpose of the reviewfor effectiveness of thesystemof internal control is to ascertain whether the systemis
functioning as intended.
The purpose of the reviewfor qualityof performance is to ascertainwhether the organization's objectivesand goals
have been achieved.
The primaryobjectives of internal control are to ensure:
1. The reliabilityand integrityof information.
2. Compliance with policies, plans, procedures, laws, and regulations.
3. The safeguarding of assets.
4. The economical andefficient use of resources.
5. The accomplishmentof established objectives and goals for operations or programs.
310 RELIABILITYAND INTEGRITYOFINFORMATION
Internal auditorsshouldreviewthe reliabilityand integrityof financial and operating information andthe means
usedtoidentifymeasure, classify,and reportsuch information.
Information systems providedatafor decision making, control, and compliance with external requirements.Therefore,
internal auditorsshouldexamineinformation systems and, as appropriate, ascertain whether:
1. Financial andoperating records and reports containaccurate, reliable, timely, complete,and useful
information.
2. Controlsover recordkeeping and reporting are adequate and effective.
320 COMPLIANCEWITH POLICIES, PLANS, PROCEDURES, LAWS, AND REGULATIONS
Internal auditorsshouldreviewthe systems established to ensure compliance with those policies, plans, procedures,laws and
regulations which couldhave asignificant impacton operations and reports, and should determine whetherthe organizationis
incompliance.
Management is responsible for establishing the systems designedto ensurecompliance with such requirements as
policies, plans, procedures,and applicable laws and regulations. Internal auditors are responsible for
determiningwhether the systems are adequate and effective andwhether the activities audited are complyingwith the
appropriate requirements.
330 SAFEGUARDING OFASSETS
Internal auditorsshouldreviewthe means of safeguardingassets and, as appropriate, verify the existence of suchassets.
Internal auditorsshouldreviewthe means used to safeguardassetsfrom various types of losses such as those resulting
fromtheft, fire, improper or illegal activities, and exposure to the elements.
Internal auditors,when verifying theexistence of assets,should use appropriate audit procedures.
340 ECONOMICALAND EFFICIENTUSE OFRESOURCES
8|Page
9. Internal auditorsshouldappraisethe economyand efficiencywithwhich resourcesare employed.
Management is responsible for setting operating standardsto measurean activity's economical and efficient useof
resources.Internal auditorsare responsible for determiningwhether:
1. Operatingstandardshave been established for measuringeconomyand efficiency.
2. Established operating standardsareunderstood and arebeing met.
3. Deviations from operating standardsareidentified, analysed, and communicated to those responsible for
corrective action.
4. Corrective action has been taken.
Audits related tothe economical and efficient use of resourcesshould identifysuch conditions as:
1. Underutilised facilities.
2. Non-productive work.
3. Procedureswhich arenot cost justified.
4. Overstaffing or understaffing.
350ACCOMPLISHMENTOFESTABLISHED OBJECTIVESAND GOALS FOR OPERATIONS
ORPROGRAMS
Internal auditorsshouldreviewoperations or programs to ascertain whether resultsare consistent with established
objectivesand goals and whether the operations or programs are being carried out as planned.
Management is responsible for establishing operating or programobjectives and goals, developing and
implementingcontrol procedures,and accomplishing desiredoperating or programresults. Internal
auditorsshouldascertain whethersuchobjectivesandgoals conformtothose of theorganizationandwhether theyare being
met.
Internal auditorscan provide assistance tomanagers who aredeveloping objectives, goals, and systems bydetermining
whether the underlying assumptions are appropriate;whether accurate, current,and relevant informationis being
used;and whether suitable controls havebeen incorporated into the operations or programs.
400 PERFORMANCE OFAUDITWORK
Audit work shouldinclude planning the audit, examiningand evaluating information, communicating resultsandfollowingup.
The internal auditor is responsible for planning and conductingthe audit assignment, subjectto
supervisoryreviewandapproval.
410 PLANNINGTHEAUDIT
Internal auditorsshouldplan each audit.
Planningshould bedocumented and should include:
1. Establishing audit objectivesandscope of work.
2. Obtaining background informationabout the activities to beaudited.
3. Determining the resourcesnecessarytoperformtheaudit.
4. Communicating with all who need toknow abouttheaudit.
5. Performing, as appropriate, an on-site surveyto becomefamiliar with the activities and controls to be audited,
to identifyareasfor audit emphasis, and to invite audited entitycomments and suggestions.
6. Writing the audit program.
7. Determining how, when, and towho audit resultswill be communicated.
8. Obtaining approval of the audit work plan.
420 EXAMININGAND EVALUATING INFORMATION
9|Page
10. Internal auditorsshouldcollect, analyse, interpret, and document informationto support audit results.
The process of examiningand evaluatinginformation is as follows:
1. Information should be collected on all matters related to the audit objectives and scope of work.
2. Information should be sufficient, competent, relevant, andusefulto provide a sound basis for audit
findingsand recommendations. Sufficient informationis factual, adequate,and convincingso thata prudent,
informed person would reach the sameconclusionsas theauditor.Competent information is reliable and the
best attainable throughthe use of appropriate audit techniques. Relevant informationsupports audit findings
and recommendations and is consistent with the objectives for theaudit. Useful information helps the
organization meetits goals.
3. Audit procedures,including the testing andsampling techniques employed, shouldbe selected in advance,
wherepracticable, and expanded or altered if circumstanceswarrant.
4. The process of collecting, analysing, interpreting, and documenting information should besupervisedto
provide reasonable assurance that the auditor'sobjectivityis maintained andthat auditgoals are met.
5. Workingpapers that documenttheauditshould be preparedbythe auditor and reviewed bymanagementof the
internal auditing department.Thesepapers shouldrecord the information obtained and the analysesmadeand
should supportthe bases for thefindings and recommendationstobe reported.
430 COMMUNICATING RESULTS
Internal auditorsshouldreport the resultsof their audit work.
Asigned, written reportshouldbe issued after the audit examination is completed. Interimreports maybe written or
oraland maybetransmittedformallyor informally.
The internal auditor shoulddiscuss conclusions and recommendations at appropriate levels of managementbefore
issuing final written reports.
Reportsshould be objective, clear, concise, constructive,and timely.
Reportsshould presentthe purpose, scope, and results of the audit;and, where appropriate, reports should contain an
expressionof theauditor'sopinion.
Reports mayinclude recommendations for potential improvements and acknowledge satisfactoryperformance and
corrective action.
Theaudited entity's views aboutaudit conclusionsor recommendations maybe included in the audit report.
The director of internal auditing or designee should reviewandapprove the final audit report before
issuanceandshoulddecide to whom thereport will be distributed.
440 FOLLOWING UP
Internal auditorsshouldfollow up to ascertainthatappropriate action is taken on reported audit findings.
Internal auditing should determinethat correctiveaction was taken and is achievingthe desired results,or that
management or the board has assumedtherisk of not taking corrective actionon reportedfindings.
500 MANAGEMENTOFTHEINTERNALAUDITING DEPARTMENT
The director of internal auditing should properlymanagethe internal auditing department.
The director of internal auditing is responsible for properlymanaging the department so that:
1. Audit work fulfilsthegeneral purposes and responsibilitiesapproved by managementand accepted bythe
board.
2. Resourcesof the internal auditing departmentare efficientlyandeffectively employed.
3. Audit work conforms to GenerallyAcceptedAuditing Standards.
510 PURPOSE,AUTHORITY,AND RESPONSIBILITY
The director of internal auditing should havea statementof purpose,authority,and responsibilityfor theinternal auditing
department.
The director ifinternal auditingis responsible for seekingthe approval of management and the acceptance bythe
boardof a formalwritten document(charter) for the internal auditing department.
520 PLANNING
10 | P a g e
11. The director of internal auditing should establish plans tocarryout the responsibilitiesof the internal auditingdepartment.
Theseplans should beconsistent with the internal auditing department's charter and with the goals of theorganization.
The planning process involvesestablishing:
1. Goals.
2. Audit work schedules.
3. Staffing plansand financialbudgets.
4. Activityreports.
The goalsof the internal auditing departmentshouldbe capable of being accomplished withinspecifiedoperating plans
and budgets and,to the extent possible, should be measurable.Theyshould beaccompanied bymeasurement criteria
and targeteddatesof accomplishment.
Audit work schedulesshould include (a)whatactivities are tobe audited;(b) when theywill be audited; and (c) the
estimatedtimerequired, taking into account the scope of the audit work planned and the natureand extent of audit
work performed byothers. Matterstobe considered in establishing audit work schedulepriorities shouldinclude (a)
thedateand resultsof thelastaudit; (b) financial exposure; (c) potential loss and risk; (d) requestsbymanagement;(e)
major changesinoperations,programs, systems, and controls; (f) opportunities toachieveoperating benefits; and (g)
changes to and capabilities of theaudit staff.The work schedulesshould be sufficientlyflexible to cover unanticipated
demands on theinternal auditing department.
Staffing plansand financialbudgets, including the number of auditors and the knowledge, skills, and disciplines
required to performtheir work, should be determinedfrom audit work schedules, administrative activities,education
and training requirements, andaudit researchanddevelopment efforts.
Activityreports should besubmitted periodicallyto management and to the board. Thesereports should compare(a)
performance with the department's goals andaudit work schedules and (b) expenditures withfinancial
budgets.Theyshould explain the reasons for majorvariances and indicate anyaction taken or needed.
530 POLICIESAND PROCEDURES
The director of internal auditing should provide written policies and proceduresto guide the audit staff.
The formand content of written policies and procedures shouldbe appropriate to the sizeandstructureof the internal
auditing department andthe complexityof its work. Formal administrative and technical audit manuals maynotbe
needed byall internal auditing departments.Asmall internal auditingdepartment maybe managed informally.Its
auditstaffmaybe directed and controlledthrough daily,close
supervision and written memoranda.In a largeinternal auditing department, more formaland
comprehensivepoliciesandproceduresareessential to guide the audit staff in the consistent compliance with the
department's standardsof performance.
540 PERSONNELMANAGEMENTAND DEVELOPMENT
The director of internal auditing should establish a programfor selecting anddeveloping the human resourcesof the
internalauditing department.
The programshould provide for:
1. Developing writtenjob descriptions for eachlevel of the audit staff.
2. Selecting qualified and competent individuals.
3. Training and providing continuing educational opportunities for each internal auditor.
4. Appraising each internal auditor's performance at leastannually.
5. Providing counsel to internalauditorson their performance andprofessional development.
550 EXTERNALAUDITORS
The director of internal auditing should coordinate internal and external audit efforts.
11 | P a g e
12. The internal and external audit work should be coordinated to ensure adequateaudit coverage and to minimise
duplicate efforts.
Coordination of audit efforts involves:
1. Periodic meetings to discuss matters of mutual interest.
2. Accessto eachother's auditprograms and working papers.
3. Exchange of audit reports and management letters.
4. Common understanding of audit techniques, methods, and terminology.
560 QUALITYASSURANCE
The director of internal auditing should establish and maintain a qualityassuranceprogramto evaluate the operations of the
internal auditing department.
The purpose of thisprogramis to provide reasonable assurancethat audit work conformstotheseStandards,the internal
auditing department's charter, and other applicable standards.Aqualityassurance program shouldinclude the following
elements:
1. Supervision.
2. Internal reviews.
3. External reviews.
4. Supervisionof thework of theinternal auditors should be carried out continuallyto assureconformance with
internal auditing standards,departmentalpolicies, and audit programs.
5. Internal reviewsshould be performed periodicallybymembers of theinternal auditing staff to appraise
thequalityof the audit work performed.Thesereviewsshould be performedin the same manneras
anyotherinternal audit.
External reviews of the internalauditing departmentshouldbe performedto appraise the qualityof the department's
operations.Thesereviews shouldbe performedby qualified persons who are independent of the organization and who
do not haveeither a real or an apparent conflict of interest. Such reviewsshould be conducted at least once everythree
years. On completion of the review,a formal,written report should be issued.The report should express an opinionas
to the department's compliance with theGenerallyAcceptedAuditingStandards and,as appropriate, should include
recommendations for improvement.
12 | P a g e
13. CODE OFETHICS
STANDARDS OFCONDUCT
1. Internal auditorsshall exercisehonesty,objectivity,and diligence inthe performance of their dutiesandresponsibilities.
2. Internal auditorsshall exhibitloyaltyin all matters pertaining to the affairs of ABC Companyor towhomever
theymayberenderinga service.However, internal auditors shall not knowinglybe apartyto anyillegalor improper
activity.
3. Internal auditorsshall not knowinglyengage in acts or activities whichare discreditable to the professionof internal
auditing or to ABC Company.
4. Internal auditorsshall refrain fromentering into anyactivitywhichmaybein conflict with the interest of ABC
Companyor whichwouldprejudice their abilityto carryout objectivelytheir dutiesandresponsibilities.
5. Internal auditorsshall not accept anythingof value from an employee,client, customer,supplier,or business associate of
ABC Companywhich would impair or be presumed toimpairtheir professional judgment.
6. Internal auditorsshall undertake onlythose serviceswhichtheycanreasonablyexpect to complete with
professionalcompetence.
7. Internal auditorsshall adopt suitable means to complywith GenerallyAcceptedAuditing Standards.
8. Internal auditorsshall be prudent inthe use of informationacquired in the course of their duties.Theyshall notuse
confidentialinformation for anypersonalgain nor in anymannerwhich would be contrarytolaw or detrimental tothe
welfare of ABC Company.
9. Internal auditors, whenreporting on the resultsof their work, shallreveal all material factsknown to themwhich, ifnot
revealed, could either distort reports of operations under reviewor concealunlawfulpractices.
10. Internalauditorsshall continuallystrivefor improvementin their proficiency,andin the effectiveness andqualityof their
service.
11. Internalauditors, in the practice of their profession, shallbe evermindfulof their obligation to maintainhigh
standardsof competence, moralityand dignity.
INDEPENDENCE/OBJECTIVITY/CONFIDENTIALITY/CONDUCT
INDEPENDENCE/OBJECTIVITY
To be effective in performingauditsthe internalaudit staff mustbe independent andobjective both in actualityand
perception.Wemaintain our independence byour organizationalposition
(Including reporting line to the Board) and our BoardapprovedAUTHORIZATIONAND RESPONSIBILITIES(see
CHARTER).
In order to maintain objectivity,auditorsshall immediatelyinformtheDirector ofAuditingof anyfactorsthatmaybe perceived as
impairing their objectivityon anassignedaudit.Also, auditorswill take great careto prevent even a perception of
partialitybymaintaining a professional distance fromthe staff of an audited entitywhileperformingan audit. Questions
concerning anyrelationshipswithaudited entitiesor potentialaudited entities(i.e.,preparing tax returns,attending parties, etc.)
shouldbe brought tothe attention of the InternalAudit Department. Finally,auditors will not accept anything of value from
anemployee, supplier,or business associate ofABC Companywhich would impair or beperceivedto impair their professional
judgementor objectivity.Anygifts accepted will be immediatelyreported tothe InternalAuditDepartment.
CONFIDENTIALITY
Muchof the informationavailable to internal auditorsis of asensitive or confidential nature. Auditors shouldbe prudent in their
use of information acquired inthe courseof theirduties or information whichis available to them.Theywillnot discuss
anymatters pertaining to the auditsperformed bythedepartments inother then an official manner.
Auditors shall not useconfidential information for anypersonal gain or in a manner which wouldbe detrimental to ABC
Companyor anyemployeeof ABC Company. (Seethe Code of Ethics).
Auditors willtake adequate measures to prevent the unauthorizedrelease of confidential materialsor information in
anymediumincluding paper copies, microfiche, or computer files. Such materialsshouldbe adequatelysecuredfrom theft,
reproduction, or casual observation.
13 | P a g e
14. Confidential materialsincludeanyinformation (except public information)associated with employeenames,
socialsecuritynumbers, or identification numbers. Examples of confidential information include,but are not limitedto the
following:
1. Employeemedical or psychological records.
2. Employeebenefitor payroll information.
3. Anyinformation which could causeABC Companyembarrassment or liability.
CONDUCT
The following guidelines areestablished regarding personal conduct and the confidentialityof audit or business
informationacquired through audit assignments.
As a memberof the InternalAudit staff, youarerepresenting the highest level of management.Conductyourselfin a manner that
reflectsfavourablyupon yourselfand those yourepresent.You are expected to exercise professionalskill, integrity,maturityof
behaviour, and tact inyourrelations with others. In general, youareencouraged to be friendlywithall ABC Companyemployees
without affecting your objectivity.You should guard against any conduct or mannerisms which permitan impressionthat
youconsideryourself an"expert"
sent to check on employees.As far as possible, take the position of an independent/objective analystand advisor.Avoid the
imageof policing.
In the courseof yourassignments, youwillbe in contact with personnelat all levels of authorityandposition.At all
times,independence in mental attitudeis to be maintained. Reportsresulting from your efforts should alwayscontain full and
unbiaseddisclosure of all but minoraudit findings.Althoughyoureport totheInternalAudit Department, youhave
responsibilitiestoboth managementand the personnelbeing audited.
Muchof yourwork is confidential; therefore, be discreet on and off thejob indiscussing current or past auditsor your
personalassessments of audited entities. Judgmentshould be exercised in the securityof auditworking papers, programs,
records, and informationat all times.
Never indiscreetlydiscuss anyinformation youobtain during audits. Avoid extremes of dress or personal grooming.
AUDITPROCESS
PLANNING
The assessment of audit risk is anintegral part of our planning process.Theaudit planning process encompasses allactivities
related to the development of the internal audit plan and schedule and the determination of the audit scope andobjectives,
timing,designof detailed procedures,and audit recourse planning for the individual auditable entities.The primary objective of
the audit planning process is to design our audit approach to ensurethat auditsare performedin the mosteffective andefficient
manner. In undertaking this process we attemptedthe following:
Definethe potential audit universeat ABC Company
Definefactors to be used inassessing risk
Quantifythepotential risk associated with each of the defined audit areas
Schedule auditsand allocate InternalAudit resourcesaccordingto the priorities established and the current leveland
expertise of internalauditors
PLANNING-RESEARCH,SCHEDULING,ANDAUDITS
InternalAudit's schedulingprocess begins with requestsfor audit services (requests,or suggestions, comefrom several sources).
One obvious sourceis our own InternalAudit staff. Our in-depth knowledge of ABC Companygivesus a unique perspective
on the types of projects in which we canreduceABC Company's risk. Hence,someof our projects originate in our own group
or as a resultof the annual audit of ABC Companyas a whole,whichis conducted bythe external auditors.
Several factorsinfluence the selectionand scheduling of projects:the degree of risk or exposure to loss; typeof audit; current
and planned work in othermajor audit projects requiring substantial timecommitments of InternalAudit staff;the availabilityof
staff in entitiesselected for review;andthe availabilityof InternalAuditstaff with theappropriate skills.
14 | P a g e
15. An analysiswillbe performedannuallyin order toquantifyrisk and schedule audits.This analysis willcombine
factualinformation andInternalAudit Department's judgment in the selection, ranking, and weighing of the various audit risk
factors. It should be emphasised that the final determination as to which areasshouldbe included in the audit plan cannot
bebased solelyon theresultsof thisauditrisk assessment.Rather,the performance of the assessment is a tool for use
byInternalAuditDepartment.
Types ofAudits
1.AUDIT
Operational - Refers to acomprehensive examination of an entityto evaluate its performance, as
measuredbymanagement's objectives.An operational auditfocuses on the efficiency,effectiveness,and economyof
operations.
Financial - Determine the accuracyand proprietyof financial transactions.
Compliance -Theobjective of these auditsis to determinewhether, andto what degree, an audited entityconforms to
certain specific requirements of policy, procedures,standards, or laws and regulations.Theauditor must know
preciselywhat policies, procedures,standards,etc.are required. Usually,compliance audits require little
preliminarysurveywork or reviewof internal controls, except to outline preciselywhat requirementsare being
audited.The auditfocuses almost exclusively upon detailedtestingof conditions.
AssetVerification -An independent appraisal of ABC Companyoperations is provided throughthe verification of
accountability,physical safeguards, and valid use of ABC Companyassets.This is oftenperformedin conjunction with
an audit.
2. LOSS
Loss/fraud investigations- Conducted to determineexisting control weaknesses,assist ABC CompanyRisk
Managementin determiningthe amount of the loss/fraud,and assisttheaudited entitybyrecommendingcorrective
measuresto prevent subsequent recurrences. Investigation of allegations mayalso be conducted.
3. INFORMATION SYSTEMSAUDIT
The primarymissionof the Information Systems audit function of InternalAudit is to supportthe internal audit
function in the evaluation of the accuracy,effectiveness, and efficiencyof ABC Company's electronic and information
processingsystems which are inproduction or under development.
4. MISCELLANEOUS
Consultant Services - Information,encouragement, andreviewwill be provided on issues concerningABC
Companypolicies, procedures,andinternal controls.Withthe addition of an informationsystems audit function
consultation services are expanded to include:
1. Assistanceon evaluationof backup proceduresand contingencyplanning
2. Assistanceon whetheradefinedarchitecture has proper controls
3. Information on computer controls
4. Assistanceon implementation of internal financial system
ComputerSystemDesign and Enhancement- InternalAuditactivelyparticipatesin the development of new systems
or enhancementsto current systems to promotethe design of adequate internal controlspriorto implementation and
reduce the need for corrective measures at alater date.
OtherDepartmental Duties - Such as organisingthe annual retreat, preparingthe annual report, etc., as
assignedbytheDirector.
5. ADMINISTRATIVE REVIEWS
Pre-approvedprograms are used to audit accuracyandproprietyof expenditures and payrolltransactions.
Incomewillbeaudited if the amountis material.Thesereviews mayalsoinclude assetconfirmations.
6. FOLLOW-UPREVIEW
Follow-up reviewsareperformed toappraise management of post audit actions and provide assurance that
15 | P a g e
17. 7. CASH COUNT
Acash countis performed todeterminecustodial fund accountabilitywhichmay include one or moreof the following
types of funds: pettycash fund, change fund, or revolving fund.Apre-approvedcash countaudit programis used for this
typeof audit.
AuditAssignment
All audits/taskswillbe authorizedbytheInternalAudit Departmentusingan audit assignment sheet.Theobjective of this process
is to assure thatwork is performed on onlyauthorized activity.This formwillprovide sufficient information on the audit/task
scope, objectives, and resourcerestrictions(allocated hours, expected completion date) so the assignedauditor(s)
willhave a clear understanding of InternalAudit Department's expectations for their particular assignment.
DefinitionofTerms on theAssignment Sheet
Task Number:Afive digit numberusedto identifytheproject
Type:The typeof projectindicated on the assignmentform:
o A=audit;
o L=loss;
o C=cashcount;
o F=follow-up;
o M=miscellaneous;
o T=continuing education- no trackable hours;
o E=continuing education;
o D=information Systems audit;
o X=taskcancelled;
o R=administrative review.
Location of audit:
o BRU=Brussels;
o PAR=Paris;
o BLN=Berlin;
Title of Project:Ashort description of the project
Assignment Date: Beginning date that hours canbe chargedto the project
Allocated Hours:Timebudgetedfor this project.Anydeviationfrom thesehours must be approvedbytheInternalAudit
Department
Expected Completion Date:Thedate the report is expected to be issued in final
Assigned Staff:Names of theReviewer,ProjectManager,Assigned Staff, Project Consultant, Participant,Instructor,
andNon-active staff shouldbe listed on assignment sheet withprojecthours thatare assignedto each
Scope & Objectives:Ashort descriptionof the scope andobjectives that will be covered
FiscalYear:Fiscal yearto be audited
17 | P a g e
18. Scope and Objectives
The scope sectionshalldefine the limitationsof the audit/task assignment.Thescope will generallyinclude
atimeperiod, andwhatrecords, processes,funds, transactions,policies, controls,etc., we shallbe reviewing. Scope
limitationsthatverynarrowlyrestrict audit work shouldbe mentionedin the audit report. (Example:We didnot test
actual expenditure transactions.)
The objectives willexplain whatthe audit is trying to accomplish.Auditobjectives will generallyinclude oneor
more of the following:
1. Determine the accuracyand proprietyof financial transactions;
2. Evaluatefinancial andoperational procedures for adequacyof internal controls and provide advice and
guidance on control aspectsof new policies,systems, processes,and procedures;
3. Verifythe existence of ABC Companyassetsand ensurethatproper safeguards are maintained to protect
themfrom loss;
4. Determine the level of compliance withABC Companypolicies and procedures,laws and regulations;
5. Evaluatethe accuracy,effectiveness, and efficiencyof ABC Company's electronic information
andprocessingsystems;
6. Determine the effectivenessand efficiencyof audited entitiesinaccomplishing their mission and
identifyoperational opportunitiesfor costsavings and revenue enhancements;
7. Provide assistance and a coordinated audit effort withtheexternal auditors;
8. Determine ifa loss occurred, ifso theamountof the loss and circumstances (control weaknesses) that
contributed to it.
Duties/Responsibilities
INTERNALAUDITDEPARTMENT
o InternalAuditDepartment, theDirector andAssociate Director of Internal Auditing,
willberesponsible for ensuring that audit resourcesareefficiently and effectivelyemployedand that
the audit work performed fulfils the mission of the department.
AUDITMANAGER
o The auditor incharge of the task will normallybe an audit manager andwill have the
followingdutiesand responsibilities:
1. Attendentrance and exit interviews
2. Discuss, direct, advise, etc., the assignedauditors during thecourse of the assignment
including writing the report
3. Will be responsible for assuringthe audit programsteps accomplish the
objectives,address major risk and exposures, and reasonablyassure the completionof the
assignment within allocated resources.Finalapproval of the audit programwillbe done
byInternalAudit Department
4. Review, edit, and approve the draft report
5. Assure theaudit is performed according todepartmentstandards, staying within the scope
and resourceallocationlimits (hours and dates),andmeetstated assignedobjectives.
ASSIGNEDAUDITOR(S)
18 | P a g e
19. o
Assigned auditor(s) willbe responsible for performing theaudit and will have the following
duties and responsibilities:
1. Perform thepreliminaryreview, including the internalcontrol evaluation,with guidance
from theAuditManager
2. After discussionswith theAudit Manager,prepare an audit program and time estimate for
each programsection
3. Perform all assignedactivitiesinconformance with department standards,stayingwithinthe
scope and resourceallocation limits of the assignedactivityor programsection
4. Write the draft audit report
o An assignedauditor who is also theAuditManagerof theproject will have the additional
dutiesofAuditManager.
REVIEWER
o All working papers should beindependentlyreviewed to ensurethereis sufficient evidence to
support conclusions and that all audit objectiveshave been met.Adetailed review will be
conducted bytheAudit Managerfor assignedstaff's working papersand a less
comprehensivereview willbe conducted bydepartmentadministration or an assignedstaff person.
Initialling workingpapers (see "review/approval form") signing the "review/approval form," and
filing "cleared" reviewnotes inthe current working papers will serve as documentation of
thereviewprocess.
o The reviewer should:
1. Determine working paper's compliance to the department working paper standards;
2. Reviewfromaudit programsteps to thereferenced working papers ensuring cross-
referencing is proper, theworking papers support the steps performed,and all steps have
beencompleted;
3. Reviewworking paper's from the report(s) tothe Digestof Significant Findings to the
workingpaper summaries to the detailed working papers to ensure that all findingsare
stated adequatelyand documented and support theopinions, findings,
andrecommendationsstatedin the report;
4. Ensure that working papers "standalone"in that theyclearlystatewhat work was
performed,how and from where samples were selected, the purposeof the working
paper,what findingsweremade,etc.
5. Documentreviewcomments on review notes form;
6. After all audit reviewnoteshave been resolved,sign off on working paper section of final
working paper/report approval form;
7. Determine report(s)compliance with thedepartment report standards;
8. Sign off on report(s) section of final workingpaper/report approval form;
9. Determine PermanentAudit File'scompliance with department standards.
PROJECTCONSULTANT
o The projectconsultant'sprimarydutiesand responsibilitiesare to advise and provide guidance tothe
assignedauditors.The projectconsultant does not take an active role in the project, butwillbe on
callto answer questionsor volunteer suggestionsas applicable.
REPORTREVIEWER
19 | P a g e
20. o The Report Reviewer primaryresponsibilityis to provide a final independent reviewof audit
reports tohelp ensurethatproper grammar, spelling, and formathave beenused.The Report
Reviewerwill also performor supervise the:
1. Print reviseddraft copies for Directorsapproval
2. Print final report copyfor auditorsand director signature
3. Mailfinal report copy
4. Filing of electroniccopyon LAN
5. UpdateWorking Papers files: markcomplete, recommendation categories, markcomplete,
create follow-up when necessary,etc.
6. Mailing feedback questionnaire
7. Updating feedback spreadsheet when feedback received
8. Addingresponseto electronic copyof reportand filing paper copywith final report
9. Creating follow-up working papers, trustee report, electronic copyof report on LAN, etc.
10. UpdatingDirectors report
20 | P a g e
21. Announcement Letter
Theaudited entityshall be informedof the audit projectthroughan announcementletter from the InternalAudit
Director.However,InternalAudit will not provide advance notifications for cash counts and
fraudinvestigations.Additionally,InternalAudit maynot send an announcement letter for requested consulting services.
The announcementlettershallcommunicate the scope and objectives of the audit, the period covered, and the auditor(s)
assignedto the project.InternalAudit's mission statementshall also be enclosed for theaudited entity’sinformation.
Preliminary Review
The objective of the PreliminaryReview is to gainsufficient knowledge of the entitybeing reviewed so theauditor can design
anaudit programtoaccomplish theassignedobjectives. The review willhelp the auditor to determineif the assignedobjectives
areattainable with the allocated resourcesand what audit procedures shouldbe performed,based on assessed risks and
exposures, to achieve the objectives.
The preliminaryreviewwork canbe broken down intofour distinct phases:
1. Familiarization
2. Identification of potential problemareas
3. Evaluationof internal controls
4. Planningthe detailed audit
Oneof the problems in performing an effective preliminaryreviewis thefailure to complete all phases of the
reviewbeforepreparing the formalaudit programand beginning the fieldwork.
Initial Research (Familiarization)
Before meetingwith the audited entity, theassigned auditor(s)shall obtain abasic understanding of the operation or
systemunder review.Thisreviewwill normallyinclude:
Reviewof PermanentAudit File (if one exists)
Reviewof PreviousAuditWorkingPapers, Reports,Management letters(ifavailable) Reviewof department financial
statements (transactions) includinghistorical trends ifavailable
Reviewof department organization and staffing (payroll/personnel listing) Reviewof department
equipmentlistingConsultations with otherauditorsthat have been involved in similarauditsor are familiarwith this
department, relatedANAELfiles, systems, etc.
Reviewdepartmentfocus
Reviewdepartment's missionstatement, organizationchart and other information requested in the
"announcementletter"
Reviewandresearch for applicable laws, regulations, anddepartmental policies and procedures
Conductthe initial meeting withaudited entity
IdentificationofPotential ProblemAreas
An objective of the preliminaryreviewis theidentificationof potential problemareas. Oneof the first steps in
determiningproblemareasis to identifythose programs, activities,and functionswhichare significant.
Thesecan be identified as those programs or activities:
Which are susceptible to fraud,abuse, or mismanagement
In which there is a large volumeof transactions or largeinvestments in assetswhich are subject toloss ifnot
carefullycontrolled
Aboutwhich concernshave been expressedbymanagement
In which prior audits have disclosed major weaknessesor deficiencies
This phase of thepreliminaryreviewshould identifythesignificant activitiesof the area and what inherent risks
exist.Oncetheseactivities and risks havebeen identified, thenext step is to evaluate controls.
21 | P a g e
22. The auditor is responsiblefor determininghow muchreliance can be placed on the entity's controlstoprotect its assets,assure
accurate information, assure compliance with applicable laws and regulations, promote efficiencyand economy,and
produceeffective results produceeffective results.
Acomplete reviewof all controls is not alwaysnecessarybecause some controls maybe irrelevantto basicissues which arethe
subject of the audit effort.Therefore, theauditormust identifythose controls which arethe mostimportant and critical to the
operationand concentrate on them. Somecontrolswhichcan normallybe identified as critical are those which aredesigned to
protectagainst:
Substantial financial losses
Program violations
Mismanagement
Legal violations
Adversepublicity
Lack of programor missionaccomplishment
The auditor's evaluation should include identification of areasin which essential controls appear to be weak, non-
functioning,or missing.
Vast amounts of data are storedelectronically.InternalAudithas alibraryof standardized ANAEL queries that
willassistinobtaining some of this information.
Reviewand Evaluationof InternalControl Environment
The auditor will reviewtheaudited entity's internal control structure. In doing this,the auditor uses avarietyof tools and
techniques,including flow charts,interviews,data gathering, and analysis.Thereviewof internal controlshelps the auditor
design teststobe performedin the fieldworksection of the audit.
The evaluation of the systemof internal controls should providereasonable, but not absolute, assurance that the fundamental
elements of the systemare sufficient to accomplish their intended purpose.The studyand evaluation should be
adequatelydocumentedand properly supported byresultsof tests,observations, and inquiries.Theuse of electronic data
processing methods that can affect the reliability,accuracy,or usefulnessof financial or statistical data, and reports should
beincluded as part of the studyand evaluation.
Internal controlsare evaluated throughout the audit examination.AuditManagers should prepare the programto assistassigned
auditors in performing this aspect of the audit work. Generally,theguidelines are incorporated into an audit programin the
form of internal control questionnaires, checklists, and specific audit testsandprocedures.Although the written audit
guidelines (programs) areinvaluable aids,Audit Managersmustensure that each assigned auditor is familiarwith the scopeand
objectivesof the internalcontrolreview.
The review of the systemof internal controls is performedbydiscussing the control procedures, methods, and planof
organizationwithaudited entity’sofficials.Theauditor may useinternal control questionnaires or checklistsas wellas written
narrative memoranda, flow charts,atransactionwalk through,and other applicable techniquesindeterminingthe adopted control
proceduresand the methodand plan of organization.Thesetechniques arepreferred becausetheyprovideadequatedocumentation.
In addition todiscussions withauditcustomer officials, auditors make inquiries and performobservationsrelating to the
systemof internal controls.Theseinquiries and observations, andresulting findings and conclusionsare also documented
intheworking papers.This documentation includesidentifyingcontrol strengths and weaknessesand cross-referencingthemto
the audit testsand proceduresconcerned with substantive testing.
22 | P a g e
23. To assist in evaluating the system of internal control the auditor should consider the following:
Typesof errors andirregularities that could occur.
Controlprocedures to prevent or detect such errors andirregularities.
Whether the procedures have beenadopted and are being followedsatisfactorily. Weaknesses whichwouldenable
errors and irregularities to pass through existingcontrol procedures.
The effect these weaknesses haveon the nature, timing,and extent of auditing procedurestobe applied.
Audit methods usedto studyand evaluate existing internal controls include:
Internal ControlQuestionnaires-Theseguide the auditor to queryresponsiblemanagersregardingspecific or
generalinternal controls.Thequestionnaires aredesignedso that a negativeresponse indicates a potential internal
control weakness.A negative response willcausethe auditor to determinewhether compensating controls are
inexistencewhich would offset thenegative response.
Narratives -Thesedescribe the systemof internal control.
Flow Charts-Aflow chart is beneficial because it visuallydepicts processesdesigned or intended for control purposes.
Flow-charting provides the auditor with agood understanding of the process beingevaluated.
Documentationsupports theauditor'sunderstanding of the internal controls.Audit workingpapersprovide the support
for theconclusionsreached bytheauditor regarding the studyand evaluation of internal controls.Onlythoseinternal
control functions,whichare deemed critical or important to the strengthwithin a particular transaction cycle, should
betestedand evaluated.Working papers should be prepared to highlight the internalcontrolattributes within the
processesto beevaluated.
Tests of compliance are performedto obtain sufficient evidence that the systemis operating in accordance with the
understanding the auditor obtained fromthe review. Theseareperformedfor those control proceduresor methods upon
whichtheauditor has chosen to rely.Conversely,whenthe auditor determines that certain controls cannot be relied
upon;testsof compliance arenot ordinarilyperformed.
The nature, timing, andextent of testsof compliance arecloselyrelated to the control proceduresand methods
studiedbythe auditor.Additionally,the auditor mustconsider the availabilityof evidence andthe audit effortrequiredto
testcompliance. In considering the required audit effort, the auditor assesses whetherprecludingcertain testsof
compliance will reducethe reliance on the controls and procedures,and whether such reduced reliance
significantlyaffects subsequent audit testsand procedures.
Flowcharting
The primarypurpose of preparinga flow chart is to identifythe keycontrol attributes - those attributesthat achieve
controlobjectives.This canefficientlypoint out casesof under/over control and processingredundancy.
Clarityand simplicityinpresentation are essential.Mistaken use of extreme detail maytend to conceal rather than expose
keypoints.Complexitiessuch as exception controlscan be better explained in attached memoranda.However,narrative
explanations shouldbe kept brief. In mostcases,the combination of the flow chartand a narrativedescription tends to be far
superior toeither documentalone.
Onlytransactions/documents with control significance should be shown (i.e., control over authorization, recording,
safeguarding, reconciliation, and valuation).This cangenerallybe accomplishedbyincluding onlythose activitieswithin an
application wheredatais initialised, changed, or transferredtoother departments.For aprocess tobe flow charted, it must be
broken down into its componentparts, namelyactions and decisions.Also, thename(s) and position(s) of thepeople performing
the transactions should be indicated for each action.The names of each document should also beincluded withinthe document
symbols.
The auditor usuallyobtainsinformation necessaryfor preparing or updating flow chartsby interviewingpersonnel at each site
about procedures followed,andbyreviewingprocedure manuals,existing flow chartsand other systemdocumentation. Sample
documents are collected and each departmentinvolvedis questioned about its specific duties. Inquiriescan be
madeconcurrentlywiththe performanceof transactionreviews,particularlywhen flow chartsarebeing updated. If possible,the
auditor should observe theprocess.
23 | P a g e
24. InternalControl Questionnaires
The primarypurpose of completing theinternalcontrol questionnaire is toidentifycritical areas,strengths,andweaknesses
inprocess.
PLANNINGTHEDETAILEDAUDIT
The elements of materialityandrelative risk mustbe considered in performing theaudit.The due professionalcarestandardsdo
notimplyunlimitedresponsibilityfor disclosureof irregularities and otherdeficiencies.Theauditor'sprincipal effort should be
inthose areas wheresignificant problems or deficiencies mayexist,rather thanin areasthat are relatively
unimportant.Timeshould not bespentexamining or developingevidencebeyond what is necessaryto afforda sound basis for
aprofessional opinion.
The resultsof the preliminaryreviewshould beanalysedto determinethe need for a detailed audit and the specific areasto
becovered.Thedetailed audit programshould be prepared allocating the projectbudget timeestablished for the fieldwork to
thespecific areastobe covered in the audit.
Statement of Risk and Exposure
Rationale:
o Arisk/exposureanalysiswillbe performedto prioritise audit testing that must be performedto achieve the audit
objectives.Thisdetermination is essential for providing reasonable assurance that internal audit
resourcesaredeployedin an optimal manner (i.e.the mosttimeis spent examiningareaswith the greatest risk
exposure).
o The three types of risks thatwillbe considered are:
Inherent Risk -Therisk related to the fundamental characteristics of the assignedarea (i.e., anareathat
receives income inthe formof currency and coin has a greater inherent risk of theft of that
incomethenone that receives internal billingincomeform another department).
ControlRisk -Therisk that the assignedareas internal control system wouldfail to prevent or detect
asignificant intentional or unintentional error in the process.
Detection Risk -Therisk thatthe internalauditwould fail to detect errors thathad occurred.
o Exposure is thepotential loss or liabilitytoABC Company. Itis not onlyloss of moneybutalso ABC Company's
reputation, etc.
o ARisk/Exposureanalysiswillinvolve determining the highestpossible
combinedfactors.(highrisk/highexposureas opposed tohigh risk/low exposure or low risk/highexposure)
Policy:
o Duringthe preliminaryreview/internalcontrolevaluation stage of the audit, the auditor will makea
determination of what areascontain the greatest risks and potential exposures.This determination will be
discussedwith theInternal Audit Departmentbefore the audit programis written.
Process:
o Duringthe preliminaryreview/internalcontrolevaluation stage of the audit, the auditor will complete a
schedule detailingthe greatest risks and potential exposures and discuss withInternalAuditDepartment.
PermanentAudit Files
Apermanent file should givethe auditor general knowledge abouttheaudited entity.The information inthe file is notexpectedto
change significantlyfrom year-to-year, butit is pertinent tothe current year's audit.Prior year's financialstatements wouldaid
the auditor in gathering general knowledge abouttheaudited entity. Itmightalso be useful incomparingthe current year to the
prior yearor performinganalyses.Apermanent file should onlybe prepared for auditsthat we continuallydo or if the areaaudited
is a systemsuch as payroll, accounts payable,etc.Before a permanentfile is established, consultwiththeAuditManager and
InternalAudit Department. If a permanent file is notprepared,usefulinformation can be filed in section D of the working
papers.
24 | P a g e
25. AUDITPROGRAM
Preparation of theauditprogramconcludes the PreliminaryReviewphase.Theaudit program outlines the necessarysteps to
achieve the objectivesof the audit withinthe defined scope as listed on the assignment sheet.Theaudit programis adetailed
plan for thework tobe performedduring the audit.Awell-constructed programis essential tocompleting the audit project in an
efficient manner.
Awell-constructedprogramprovides:
Asystematic plan for each phase of the work that can becommunicated to all audit personnelconcerned
Means of self-control for the audit staff assigned
Means bywhichthe audit supervisor/managercan review and compareperformance with approvedplans
Assistancein training inexperienced staff members andacquainting themwiththe scope, objectives,andwork steps of
anaudit
An aid to supervisor/managermakingpossiblea reduction inthe amount of direct supervisoryeffort needed
Assistancein familiarisingsuccessiveaudit staff with thenature of work previously carried out
The programconsistsof specific directions for carryingout the assignment.It should contain a statementof the objectives of the
operationbeing reviewed. For eachsegment of the audit the programshould (1) listthe risks that must be covered in that
segment;(2) show for each risk the controls that existor that are needed to protect against theindicated risk; (3) show for each
of the listed controls the work steps requiredto test the effectivenessof those controls, or set forth the recommendations that
willbe required to install needed controls; and (4) provide space for referencingthe relatedauditworking papers.
Standardizedaudit programs are available andshouldbe used or modified to achieve the audit objectives.Theauditor
shallinclude anestimate of the hours necessaryto complete the project.InternalAudit Departmentreviewstheauditor's work to-
date (preliminaryreview work) andthen discussesanyconcernsor proposed programchanges.
Objectives
The audit program shallcontain astatement of the objectivesof the area being reviewed.The statementof objectives in the audit
programshallcorrespond withthe audit objectives stated in the assignmentsheet.Theseobjectives shouldbe achieved
throughthe detailed audit programsteps.
Audit Steps
Awell-constructedauditprogramprovides specific, detailed steps (procedures)for achieving the audit objectives.
Standardizedaudit programs with specific audit steps for achieving objectivesare available and should be used or modified.
Time Budget
Aproject time budget provides overall guidelinesfor the performance of the audit. In addition, it enablesthe audit manager to
control the audit work inprocess. It is essential that we control our timecarefullyinorder that it maybe used inthe
mosteffective manner possible.The detailed projecttimebudget should be completed at the conclusion of the
preliminaryreview.
Each projectwillhave a timebudget that will be approved bythe audit manager andInternal Audit Department.This budget will
include all time necessaryto complete the audit, from assignmentthrough issuanceof the final
report.Thepreliminaryreviewphase should be completedwhen no more than 25 percent of the totaltimebudget has been
depleted.
The budget process willbebroken down into two phases.Aportion of the budget should be allocated for the planning
process.This will provide the necessarycontrol overthis phase of audit work.
25 | P a g e
26. Near thecompletion of the planning process, the remainingbudget should beallocated to the rest of theaudit and recorded on
theTimeBudgetSummary.For purposes of overallcontrol, the timebudget should be broken down into the followinggeneral
categories (more maybe usedif warranted):
Planning- initial planning, preliminarysurvey,audit program
Fieldwork- allocated to the various segments of the audit project
Audit report and wrap-up - audit manager's review, qualityassurancereview, report writing and editing, reportreview,
audited entity's review,exit conference, etc.)
Preparation andApproval-The projecttimebudget should bepreparedbytheaudit managerand
approvedbyInternalAuditDepartment.
BudgetRevisions- Anyrevisions to theprojecttimebudgetshouldbe discussedwith InternalAuditDepartmentatthe
earliest possible time and,whenapproved byInternal Audit Department, documented on theTimeBudgetSummary.
FIELDWORK
Evidential Matter
Evidential matter obtained during the courseof the audit provides the documented basis for the auditor's opinions, findings,
andrecommendationsas expressedin the audit report.As internal auditors, we are obligated byour professional standardstoact
objectively,exercise due professionalcare,and collect sufficient, competent, relevant, andusefulinformationto provide asound
basis for audit findings andrecommendation (see examiningand evaluating information).
Audit Sampling
Audit sampling is performingan audit test on less then 100 percent of apopulation. In
'sampling' theauditor accepts the risk that some or all errors willnot be found andthe conclusionsdrawn (i.e.all transactions
were proper and accurate) maybe wrong.
Types of Sampling:
Statistical or probabilitysampling allows the auditor tostipulate, with agiven level of confidence, the condition of a
largepopulation byreviewing onlyapercentage of the total items. Several sampling techniques are available to the auditor.
Attribute sampling- Isused when theauditor has identifiedthe expected frequencyor occurrence of an event.
Variables sampling - Is used when the auditor samples for valuesina population which varyfromitemto item.
Judgment sampling - Is used when it is notessential to have a precise determination of the probable condition of the
universe,or whereit is not possible,practical, or necessaryto use statistical sampling.
The typeof samplingusedand the number of items selected should bebased on the auditors understanding of the relative risks
and exposures of the areas audited.
Policy/Process:
All audit testing willinclude sampling.The typeand samplesizeshallbe described in the programandapproved
bytheInternalAuditDepartment.
Testing andWorkingPaperDocumentation
Policy/Purpose:
Workingpapers serve both as toolsto aid the auditor in performing his work, and as written evidence of the work doneto
support the auditor'sreport. Informationincluded in working papers should be sufficient, competent, relevant, andusefulto
provide a sound basis for audit findings and recommendations.GenerallyAcceptedAuditingStandards define sufficient,
competent,relevant,and useful as follows:
Sufficient information is factual, adequate, and convincing so that a prudent, informed person wouldreachthe
sameconclusionsas theauditor.
Competent informationis reliable and the best attainable through the use of appropriate audit techniques.
Relevant informationsupports audit findings and recommendations and is consistent with the objectives for theaudit.
26 | P a g e
27. Usefulinformation helpsthe organization meetits goals.
In addition to serving as a reference for thepreparerwhen called upon to report findings or answerquestions,other individuals
mayfindit necessaryto use the working papers.
The InternalAudit Departmentwilluse the papers to review thequalityof the audit project and to evaluate the audit staff
assignedto the work.
The manager whose entityis beingaudited may usedetails included in the workingpapers to help implementcorrective action
to a problemor refute the assertion that a problemexists.
ABC Companymanagement or other individuals who mayhaverequested the audit require timelyreports.Well-
organisedworking papers help to accomplish this goal.
External auditors reviewthework performed bythe Department andevaluate the effect that its activities had on ABC
Company's systemof internal control.
In fulfilling their public responsibility,certain regulatoryagencies monitorABC Company operations, and the Department's
working papers maybe subjected to their review. Solid workingpaper documentation is essential for questions from theseand
other potential outside reviewers.
Qualities of GoodWorking Papers
Good working papersshouldbe:
Complete -Workingpapers must be able to "standalone."Thismeans that all questions must beanswered,all points
raisedbythe reviewer must be cleared, and a logical, well-thoughtout conclusion must be reached for each audit
segment.
Concise-Workingpapers must be confined to those that serve a useful purpose.
Uniform-Allworkingpapers shouldbe of uniformsizeand appearance. Smaller papers should be fastened to standard
workingpapers, and largerpapers should be folded toconformtosizerestrictions.
Neat -Workingpapers shouldnot be crowded.Allow for enough spaceon each schedule so that all
pertinentinformation can be included in alogical and orderly manner.At the sametime,keep working papers
economical. Forms and procedures shouldbe included onlywhen relevant to the audit or to an audit recommendation.
Also, tryto avoid unnecessarylisting and scheduling.All schedulesshould havea purposewhichrelates to the audit
proceduresor recommendations.
Working PaperTechniques
DescriptiveHeadings -Allworkingpapers shouldinclude the audit stamp,titleof the audit, audit projectnumber,title of the
working paper,preparer'sinitials, date prepared, sourceof information, andpurposeof the working paper.
Tick-marks-The auditor makesfrequentuse of avarietyof symbols to indicate work that has been done.Thesesymbols are
commonlyreferred toas tick-marks.Asthesetick-marks have no special or uniform meaning inthemselves,an explanationof
eachtick-markshould be madeon the schedule on which it appears.
Cross-referencing - Cross-referencing within working papers should becomplete and accurate.Working papers should
becross-referenced totheAudit Findings.AuditFindings shouldbe cross-referenced to the exit conference memoand/or the
audit report,to indicate final disposition of the item. Cross-referencingshould be done inthe margins of audit report
drafts.Thesereferencesreadilyprovidedirect access tothe working papers.
Indexing -Thesystemof indexing audit workingpapers should be simple, yetleave roomfor flexibility.Acapital letter should be
used to identifyeachsegment of the audit, andArabic numeralsusedto identifyscheduleswithinthe segments.
Carry forward -The auditor should makefulluse of the working papers developed in the prior audit. Flow
charts,systemdescriptions,andother data maystill be valid.Those papers which remain useful should bemadea part of the
current workingpapers.Theyshould be updated with current information, renumbered, referenced, initialled,and dated bythe
current auditor.
27 | P a g e
28. Types of Working Papers
All working papers should be maintained in binders. Schedules, analyses, documents, flow charts, and narratives should be
filed in a standard binder. Documentation which is not of standard size should be mounted on standard size paper or
referenced to a non-standard binder.
1. Schedules and Analyses
Schedules and analyses are useful for identifying statistical trends, verifying the accuracy of data, developing
projections or estimations, and determining if tasks or records have beenproperly completed. Each record review,
data schedule, or analyses should include the following items:
An explanation of its purpose (reference audit step)
The methodology used to select the sample, make the calculation, etc.
The criteria used to evaluate the data
The source of data and time frame considered
A summary of the results of the analyses
The auditor's conclusion
2. Documents
Copies or actual samples of various documents can be used as examples, for clarification, andas physical evidence to
support a conclusion or prove the existence of a problem. Thesedocuments can be memos, reports, computer
printouts, procedures, forms, invoices, flowcharts, contracts, or any of numerous other items. Any copied document
should serve a usefulaudit purpose.
The following suggestions are offered for preparation of working papers using documentsrather than the auditor's
notes:
Indicate both the person and/or file that the document came from (source).
Copy and insert only that portion of the report, memo, procedure, etc., which is neededfor purposes of
explanation or as documentation of a potential finding. Do not includethe entire document in the working
papers unless absolutely necessary.
Fully explain the terms and notations found on the document, as well as its use. This isespecially true when
including maps, engineering drawings, or flow charts in thepapers. These explanations may be made on an
attached preceding page or on the faceof the document itself.
Each document should be cross-referenced either to the page or separate analysiswhere it was discussed.
No document should be included in the working papers without an explanation of whyit was included.
Documents larger than A4 size should be reduced when practicable.
3. Process Write-ups and Flow charts
In many audits, it is necessary to describe systems or processes followed by the audited entity.Describe such
procedures or processes through the use of write-ups or flow charts or somecombination of the two. The choice of
which method to use will depend on the relativeefficiency of the method in relation to the complexities of the system
being described.
Write-ups are often easier to use, and should be used, if the system or process can bedescribed clearly and concisely.
However, when write-ups would be lengthy, and descriptionof related control points difficult to integrate in the
narrative, flow-charting (or a combinationof write-ups and flow-charting) is an appropriate alternative. Flow charts
convenientlydescribe complex relationships because they reduce narrative explanations to a picture of the system.
They are concise and may be easier to analyse than written descriptions.
4. Interviews
Most verbal information is obtained through formal interviews conducted either in person orby telephone. Formal
interviews are most desirable because the interviewees know they areproviding input to the audit; however,
impromptu interviews, or even casual discussions canoften provide important information. Any verbal information
which is likely to support aconclusion in the audit working papers should be documented. Interviews are useful
inidentifying problem areas, obtaining general knowledge of the audit subject, collecting datanot in a documented
form, and documenting the audit customer's opinions, assessments, orrationale for actions. Interview notes should
contain only the facts presented by the personinterviewed, and not include any of the auditor's opinions.
28 | P a g e
29. In preparing interviews for working papers, consider the following suggestions:
Be sure to include the name and position title of all persons from whom informationwas obtained. This includes data
gathered during casual conversations.
Indicate when and where the meeting occurred.
Organise notes by topic wherever possible.
Identify sources of information quoted by interviewee.
5. Observations
What the auditor observes can serve the same purposes as interviews. If observations can beused to support any
conclusions, then they should be documented. They are especially usefulfor physical verifications.
Observations used as supporting documentation should generally include the following items:
Time and date of the observations
Where the observations were made
Who accompanied the auditor during the observations
What was observed (when testing is involved, the working papers should include thesample selections and
the basis of the sample)
6. Findings
All audit findings must be documented in a SECTION SUMMARY (see next section)schedule in the working
papers. Unfavourable findings shall be summarised on a Digest ofSignificant Findings working paper whether or not
they are to be included in the audit report.All findings should be documented immediately by the auditor discovering
the situation.
STATING FINDINGS/CONCLUSIONS
Upon the conclusion of the fieldwork, theauditor shallsummarisethe audit findings,
conclusions,andrecommendationsnecessaryfor preparation of the audit report discussion draft. Each audit finding willhave
documented in the SECTION SUMMARYthefollowing ATTRIBUTES
1. Statementof Condition (Whatis!)
2. Criteria (What should be!)
3. Effect (So what?)
4. Cause(Whydid it happen?)
5. Recommendation (What should be done?)
1. Statement of Condition
The conditionidentifies thenatureand extent of the findor unsatisfactorycondition. It often answers thequestion: "What
was wrong?" Normally,a clear andaccurate statementof condition evolves from the auditor's comparisonor results with
appropriateevaluation criteria.
2. Criteria
This attribute establishes the legitimacyof the finding byidentifying the evaluation criteria and answers the question:
"Bywhat standardswas itjudged?" In financial andcompliance audits,criteria could be accuracy,materiality,consistency,or
compliance withapplicable accounting principlesandlegal or regulatoryrequirements.
In auditsof efficiency,economy,and programresults(effectiveness),criteria mightbe defined in mission, operation,or
function statements; performance,production, and cost standards; contractual agreements; programobjectives; policies,
procedures,andother command media; or other external sourcesof authoritative criteria.
3. Effect
This attribute identifiesthe real or potential impact of the condition and answers the question: "What effectdid it have?"
The significance of a condition is usuallyjudgedbyits effect. In operational audits,reduction in efficiencyand economy,or
not attaining programobjectives (effectiveness),areappropriate measures of effect.Thesearefrequentlyexpressedin
quantitative terms;e.g., value, number of personnel,unitsof production, quantities of material, numberof transactions, or
elapsed time. If therealeffect cannot be determined, potential or intangible effectscan sometimes be useful in showing
29 | P a g e
30. thesignificance of the condition.
4. Cause
The fourthattribute identifies theunderlying reasons for unsatisfactoryconditions or findings, and answers the question:
"Whydidit happen?"
If the conditionhas persisted for a longperiod of time or is intensifying,the contributing causesfor thesecharacteristicsof
the condition should also be described.
Identification of the causeof an unsatisfactorycondition or finding is aprerequisite to making meaningful
recommendations for corrective action.The cause maybequite obvious or may
be identified bydeductive reasoning if the audit recommendation points outa specific and practical wayto correct the
condition. However,failure to identifythe cause in a finding may also meanthe cause was notdeterminedbecauseof
limitation or defects in audit work, or was omitted to avoid direct confrontation with responsibleofficials.
5. Recommendations
This final attribute identifiessuggestedremedial action and answers thequestion: "What shouldbe done?"
The relationship between the audit recommendation and the underlying causeof the condition shouldbe clear and logical.
If a relationship exists,the recommended action will most likely be feasible and appropriatelydirected.
Recommendations in the audit report should state preciselywhat needsto be changed or fixed. How the change will be
madeis the auditedentity's responsibility.More generalised recommendations (e.g., greater attention be given,
controlsbere-emphasised, astudymade, or consideration be given) should not beusedin the audit report, but theyare
sometimes appropriate insummaryreports todirect top management's attention to compliance-type findings disclosed in
several areas.
Unless benefits of taking the recommended actionare obvious, theyshouldbe stated.The cost of implementing
andmaintaining recommendations shouldalwaysbe compared torisk.
Recommendations shouldbe directed to an individual capableof taking action.
6. Policy/Process
Audit findings will include: the nature of the findings, the criteria used todetermine the existence of the condition; the
causeof the condition; the significance of its impact; and what the auditors thinkshouldbe done to correctthe situation.
QUALITYASSURANCE
The purpose of "qualityassurance"is to provide reasonable assurance that audit work performedbyABC Company-
InternalAudit conforms toGenerallyAcceptedAuditing Standards.
QualityAssurancePolicy
All working papers shallbe independentlyreviewed to ensure there is sufficient evidence to supportconclusions,document the
extent of audit work performed,and ensurethat all audit objectiveshave been met, as wellas substantiate compliance with
applicable auditing standards.
Adetailed reviewshallbe conducted bytheAuditManagerfor assignedstaff's working papers.Aless comprehensive
reviewshallbe conducted byInternalAudit Departmentor an assignedQualityAssurance staff person. EXCEPTION:If theAudit
Manageris the onlystaff memberassignedto the audit/taskthen the detailed review shall be performedbydepartment
administration or an assignedQualityAssurancestaffperson.
Initialling (Director/QualityAssurancestaff person and theAudit Manager)workingpapers (Section Summaries,Audit
Programs, Draft Report)and completing the "QualityAssurance Reviewform,"willserve as documentation of the
reviewprocess andwillbefiledwith the workingpapers.
NOTE:Auditors areencouraged to performan "informal" self-reviewof their working papers. However,this reviewwouldbe for
their benefit onlyandtherefore this document SHALL NOTbe apart of the working papers.
30 | P a g e
31. QualityAssuranceReview Process
In performingthe review the reviewer should:
Reviewworking papers fromaudit programsteps tothe referenced working papers ensuring cross-referencing is
proper, theworking papers support thesteps performed, and all steps have beencompleted (or whysteps were
notcompleted).
Reviewworking papers fromthe report(s)to the digestto the working paper summariesto the detailed working papers
toensure that all findings arestated, adequatelydocumentand support the OPINIONS, FINDINGS, and
RECOMMENDATIONS stated in the report.
Determine working paper's compliance todepartment working paperstandards. Determine report(s) compliance
withdepartmentreport standards.
Determine PermanentAudit File'scompliance with department standards.
Recordanydeficiencies,comments,etc.on aWorking PaperReviewNotes form.
The auditor(s) who preparedtheworking papers willthen respond (ifnecessary)to thesepointson the sameform.
After the reviewerhas "cleared" the points and completed(initialled) the"Quality AssuranceReviewform," theworking
papers willbe forwarded toInternalAudit Department.
InternalAuditDepartmentwillreviewthe working papers and discuss thefindings and reviewcomments
withtheAssignedAuditor,Audit Manager,and Reviewer,then completethe relevantparts of the
"QualityAssuranceReview form," andapprove the draft report for theexitconference.
The Report Reviewer willperforma pre-exit conference editcheck for spelling, cursorygrammatical,
andconsistencyreview.
The assignedauditor will forward a copyof the draftreport totheaudited entityprior to the exit conference.
After exit conference amendments,the Report Reviewer willperforma spell check,as wellas acursorygrammatical and
consistencyreview,then print out the FINAL version of thereport.
TheAudit Manager,assignedAuditor(s) and Director will reviewandsign the final report.
NOTE:The working papersand report will be factors usedin the Performance Evaluation process.
GENERALSTANDARDS FORWORKING PAPERS
Functions ofWorking Papers
Support auditor'sopinion
Aid in the conduct and supervision of the engagement
Provide a recordof:
1. Proceduresapplied
2. Testperformed
3. Information obtained
4. Pertinent conclusions reached
Provide evidence that the audit was conductedin accordance withGenerallyAcceptedAuditing Standards
CompletenessofWorkingPapers
Workingpapers should be accurate and complete
1. No significant questionswithinthe scope or related to the objective of the audit shouldgo unanswered
2. Working papers must"standalone," in that theyclearlystate whatwork was performed,how andfrom where
sampleswereselected, the purposeof the workingpapers, what findingsweremade,etc.
Each itemin the workingpapers should contain:
1. Adescriptive heading.
2. Identification of source ifnot obvious
3. Thedateof preparation and theauditor'sinitials
4. Theindexnumber of the work paper
31 | P a g e