ABC Company Internal Audit Manual

Internal Audit Manual


TABLE OF CONTENTS
CHARTER
  INTRODUCTION
  ORGANISATION AND BOARD REPORTING
  AUTHORISATION AND RESPONSIBILITIES
  REPORTING RESPONSIBILITIES
  MISSION OBJECTIVE
  STANDARDS AND ETHICS
MISSION STATEMENT/OBJECTIVES/VALUES
  MISSION STATEMENT
  VALUES
GENERALLY ACCEPTED AUDITING STANDARDS
  100 INDEPENDENCE
  110 ORGANISATIONAL STATUS
  120 OBJECTIVITY
  200 PROFESSIONAL PROFICIENCY
  210 STAFFING
  220 KNOWLEDGE, SKILLS, AND DISCIPLINES
  230 SUPERVISION
  240 COMPLIANCE WITH STANDARDS OF CONDUCT
  250 KNOWLEDGE, SKILLS, AND DISCIPLINES
  260 HUMAN RELATIONS AND COMMUNICATIONS
  270 CONTINUING EDUCATION
  280 DUE PROFESSIONAL CARE
  300 SCOPE OF WORK
  310 RELIABILITY AND INTEGRITY OF INFORMATION
  320 COMPLIANCE WITH POLICIES, PLANS, PROCEDURES, LAWS, AND REGULATIONS
  330 SAFEGUARDING OF ASSETS
  340 ECONOMICAL AND EFFICIENT USE OF RESOURCES
  350 ACCOMPLISHMENT OF ESTABLISHED OBJECTIVES AND GOALS FOR OPERATIONS OR PROGRAMS
  400 PERFORMANCE OF AUDIT WORK
  410 PLANNING THE AUDIT
  420 EXAMINING AND EVALUATING INFORMATION
  430 COMMUNICATING RESULTS
  440 FOLLOWING UP
  500 MANAGEMENT OF THE INTERNAL AUDITING DEPARTMENT
  510 PURPOSE, AUTHORITY, AND RESPONSIBILITY
  520 PLANNING
  530 POLICIES AND PROCEDURES
  540 PERSONNEL MANAGEMENT AND DEVELOPMENT
  550 EXTERNAL AUDITORS
  560 QUALITY ASSURANCE
CODE OF ETHICS
  STANDARDS OF CONDUCT
INDEPENDENCE/OBJECTIVITY/CONFIDENTIALITY/CONDUCT
  INDEPENDENCE/OBJECTIVITY
  CONFIDENTIALITY
  CONDUCT
AUDIT PROCESS
  PLANNING
  PLANNING THE DETAILED AUDIT
  AUDIT PROGRAM
  FIELDWORK
  STATING FINDINGS/CONCLUSIONS
  QUALITY ASSURANCE
  GENERAL STANDARDS FOR WORKING PAPERS
  GENERAL STANDARDS - REPORT(S)
  REPORTING AND FOLLOW-UP
  CONFIDENTIALITY - REPORTS
  EXIT CONFERENCE
  CLOSING OF THE AUDIT
PERSONNEL
  JOB DESCRIPTION: DIRECTOR OF AUDIT
  JOB DESCRIPTION: ASSOCIATE DIRECTOR OF INTERNAL AUDIT
  JOB DESCRIPTION: INFORMATION SYSTEMS AUDIT MANAGER
  JOB DESCRIPTION: AUDIT MANAGER
  JOB DESCRIPTION: INFORMATION SYSTEMS AUDITOR
  JOB DESCRIPTION: AUDITOR
  PERFORMANCE EVALUATION
  TRAINING AND PERSONAL DEVELOPMENT
ADMINISTRATIVE PROCEDURES
  MANAGEMENT OF AUDIT RESOURCES
  STANDARD ELECTRONIC TOOLS
  MISCELLANEOUS POLICIES
APPENDIX A – Audit Announcement Letter
APPENDIX B – Audit Feedback Questionnaire Form
APPENDIX C – Internal Audit Glossary


General Definition of Internal Audit
Internal Audit is a central administrative unit of ABC Company. Internal Audit reports operationally to the Vice President Finance with dotted line representation to the ABC Company Board of Directors. Internal Audit's coverage and service extends to all company entities. Internal Audit is also a control which functions by examining and evaluating the adequacy and effectiveness of other controls throughout ABC Company for managers, the Board of Directors, and external auditors. Finally, Internal Audit provides assistance to the external auditors in their performance of the annual audits of ABC Company financial statements.

CHARTER
INTRODUCTION
ABC Company supports Internal Audit as an independent appraisal function to examine and evaluate ABC Company activities as a service to management and to the Board of Directors. The mission of Internal Audit is to support managers of ABC Company in the effective discharge of their responsibilities. To this end, Internal Audit will furnish them with analyses, recommendations, counsel, and information concerning the activities examined.

ORGANISATION AND BOARD REPORTING
The Director of Internal Audit shall report to the Vice President Finance with dotted line reporting to the Audit Committee. The Audit Committee shall have final approval of the hiring, firing, and salary changes for the Director of Internal Audit. Annually, the Director of Internal Audit shall submit to the Board of Directors a written report on the internal audit activity during the preceding fiscal year. The Director shall also make an oral report to the Audit Committee. The Director of Internal Audit shall make a written report to the Audit Committee whenever there is evidence of defalcations or other problems exceeding €25,000. In addition, if the circumstances ever warrant such action, the Director of Internal Audit may circumvent normal ABC Company reporting lines and communicate directly with the Audit Committee.

AUTHORISATION AND RESPONSIBILITIES
Internal Audit has the authority to audit all parts of ABC Company and shall have full and complete access to any of the organisation's records, physical properties, and personnel relevant to the performance of an audit. Documents and information given to internal auditors during a periodic review will be handled in the same prudent manner as by those employees normally accountable for them. Internal Audit shall have no direct responsibility or authority for any of the activities or operations they review. They should not develop and install procedures, prepare records, or engage in activities that would normally be reviewed by internal auditors. Furthermore, an internal audit does not in any way relieve other persons in ABC Company of the responsibilities assigned to them.

REPORTING RESPONSIBILITIES
A written report shall be prepared and issued by the Director of Internal Audit at the conclusion of every audit. Copies of the report shall be distributed as appropriate. The manager of the entity receiving the report shall respond within thirty days and forward a copy of the response to those included on the distribution list. The response shall indicate what actions were taken regarding specific report findings and recommendations.

The manager receiving the report is responsible for ensuring that progress is made toward correcting any unsatisfactory conditions. Internal Audit is responsible for determining whether the action taken is adequate to resolve audit findings. If the action is not adequate, Internal Audit shall inform ABC Company management of the potential risk and exposure in allowing the unsatisfactory conditions to continue.

MISSION OBJECTIVE
Internal Audit's objectives in accomplishing its mission shall include the following:
• Determine the accuracy and propriety of financial transactions
• Evaluate financial and operational procedures for adequacy of internal controls and provide advice and guidance on control aspects of new policies, systems, processes, and procedures
• Verify the existence of ABC Company assets and ensure that proper safeguards are maintained to protect them from loss
• Determine the level of compliance with ABC Company policies and procedures, and laws and regulations
• Evaluate the accuracy, effectiveness, and efficiency of ABC Company's electronic information and processing systems
• Determine the effectiveness and efficiency of the audited entities in accomplishing their mission and identify operational opportunities for cost savings and revenue enhancements
• Coordinate audit efforts with, and provide assistance to, the external auditors
• Investigate fiscal misconduct

STANDARDS AND ETHICS
In all of its activities, Internal Audit will adhere to Generally Accepted Auditing Standards and the Code of Ethics adopted by the Institute of Internal Auditors.

MISSION STATEMENT/OBJECTIVES/VALUES
MISSION STATEMENT
Internal Audit exists to support the Board of Directors in the effective discharge of their responsibilities. Using our knowledge and professional judgement, we will provide an independent appraisal of ABC Company's financial, operational, and control activities. We will report on the adequacy of internal controls, the accuracy and propriety of transactions, the extent to which assets are accounted for and safeguarded, and the level of compliance with company policies and government laws and regulations. Additionally, we will provide analyses, recommendations, counsel, and information concerning the activities reviewed.
OUR OBJECTIVES IN ACCOMPLISHING OUR MISSION INCLUDE THE FOLLOWING:

• Determine the accuracy and propriety of financial transactions
• Evaluate financial and operational procedures for adequacy of internal controls and provide advice and guidance on control aspects of new policies, systems, processes, and procedures
• Verify the existence of ABC Company assets and ensure that proper safeguards are maintained to protect them from loss
• Determine the level of compliance with ABC Company policies and procedures, laws and regulations
• Evaluate the accuracy, effectiveness, and efficiency of ABC Company's electronic information and processing systems
• Determine the effectiveness and efficiency of audited entities in accomplishing their mission and identify operational opportunities for cost savings and revenue enhancements
• Provide assistance and a coordinated audit effort with the external auditors
• Investigate fiscal misconduct

VALUES
In carrying out our mission, we share certain beliefs and values.
• Our primary focus is to provide excellent service to ABC Company. Our examinations shall be performed in accordance with applicable Generally Accepted Auditing Standards.
• We are committed to the highest degree of fairness, integrity, and ethical conduct in the performance of our mission. We will adhere to the Code of Ethics as established by the Institute of Internal Auditors. Furthermore, we will not issue a report without first allowing the recipient the opportunity to review, challenge, question, and respond to our findings and conclusions.
• Our relationships with ABC Company employees will be characterised by respect, helpfulness, sharing, patience, and openness.
• We are committed to maintaining our professionalism as internal auditors through continuance of our education and training.
• Although we are a part of ABC Company we are committed to maintaining our independence in defining the scope and objectives of our examinations.

GENERALLY ACCEPTED AUDITING STANDARDS
100 INDEPENDENCE
Internal auditors should be independent of the activities they audit.
• Internal auditors are independent when they can carry out their work freely and objectively. Independence permits internal auditors to render the impartial and unbiased judgments essential to the proper conduct of audits. It is achieved through organisational status and objectivity.

110 ORGANISATIONAL STATUS
The organisational status of the internal auditing department should be sufficient to permit the accomplishment of its audit responsibilities.
• Internal auditors should have the support of management and of the board of directors so that they can gain the cooperation of audited entities and perform their work free from interference.
   1. The director of the internal auditing department should be responsible to an individual in the organisation with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of audit reports, and appropriate action on audit recommendations.
   2. The director should have direct communication with the board. Regular communication with the board helps assure independence and provides a means for the board and the director to keep each other informed on matters of mutual interest.
   3. Independence is enhanced when the board concurs in the appointment or removal of the director of the internal auditing department.
   4. The purpose, authority, and responsibility of the internal auditing department should be defined in a formal written document (charter). The director should seek approval of the charter by management as well as acceptance by the board. The charter should (a) establish the department's position within the organisation; (b) authorise access to records, personnel, and physical properties relevant to the performance of audits; and (c) define the scope of internal auditing activities.
   5. The director of internal auditing should submit annually to management for approval and to the board for its information a summary of the department's audit work schedule, staffing plan, and financial budget. The director should also submit all significant interim changes for approval and information. Audit work schedules, staffing plans, and financial budgets should inform management and the board of the scope of internal auditing work and of any limitations placed on that scope.
   6. The director of internal auditing should submit activity reports to management and to the board annually or more frequently as necessary. Activity reports should highlight significant audit findings and recommendations and should inform management and the board of any significant deviations from approved audit work schedules, staffing plans, and financial budgets, and the reasons for them.

120 OBJECTIVITY
Internal auditors should be objective in performing audits.
• Objectivity is an independent mental attitude which internal auditors should maintain in performing audits. Internal auditors are not to subordinate their judgment on audit matters to that of others.
• Objectivity requires internal auditors to perform audits in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Internal auditors are not to be placed in situations in which they feel unable to make objective professional judgments.
   1. Staff assignments should be made so that potential and actual conflicts of interest and bias are avoided. The director should periodically obtain from the audit staff information concerning potential conflicts of interest and bias.
   2. Internal auditors should report to the director any situations in which a conflict of interest or bias is present or may reasonably be inferred. The director should then reassign such auditors.
   3. Staff assignments of internal auditors should be rotated periodically whenever it is practicable to do so.
   4. Internal auditors should not assume operating responsibilities. But if on occasion management directs internal auditors to perform non-audit work, it should be understood that they are not functioning as internal auditors. Moreover, objectivity is presumed to be impaired when internal auditors audit any activity for which they had authority or responsibility. This impairment should be considered when reporting audit results.
   5. Persons transferred to or temporarily engaged by the internal auditing department should not be assigned to audit those activities they previously performed until a reasonable period of time has elapsed. Such assignments are presumed to impair objectivity and should be considered when supervising the audit work and reporting audit results.
   6. The results of internal auditing work should be reviewed before the related audit report is released to provide reasonable assurance that the work was performed objectively.
• The internal auditor's objectivity is not adversely affected when the auditor recommends standards of control for systems or reviews procedures before they are implemented. Designing, installing, and operating systems are not audit functions. Also, the drafting of procedures for systems is not an audit function. Performing such activities is presumed to impair audit objectivity.

200 PROFESSIONAL PROFICIENCY
Internal audits should be performed with proficiency and due professional care.
• Professional proficiency is the responsibility of the internal auditing department and each internal auditor. The department should assign to each audit those persons who collectively possess the necessary knowledge, skills, and disciplines to conduct the audit properly.

210 STAFFING
The internal auditing department should provide assurance that the technical proficiency and educational background of internal auditors are appropriate for the audits to be performed.
• The director of internal auditing should establish suitable criteria of education and experience for filling internal auditing positions, giving due consideration to scope of work and level of responsibility.
• Reasonable assurance should be obtained as to each prospective auditor's qualifications and proficiency.

220 KNOWLEDGE, SKILLS, AND DISCIPLINES
The internal auditing department should possess or should obtain the knowledge, skills, and disciplines needed to carry out its audit responsibilities.
• The internal auditing staff should collectively possess the knowledge and skills essential to the practice of the profession within the organisation. These attributes include proficiency in applying internal auditing standards, procedures, and techniques.
• The internal auditing department should have employees or use consultants who are qualified in such disciplines as accounting, economics, finance, statistics, electronic data processing, engineering, taxation, and law as needed to meet audit responsibilities. Each member of the department, however, need not be qualified in all of these disciplines.

230 SUPERVISION
The internal auditing department should provide assurance that internal audits are properly supervised.
• The director of internal auditing is responsible for providing appropriate audit supervision. Supervision is a continuing process, beginning with planning and ending with the conclusion of the audit assignment.
• Supervision includes:
   1. Providing suitable instructions to subordinates at the outset of the audit and approving the audit program.
   2. Seeing that the approved audit program is carried out unless deviations are both justified and authorised.
   3. Determining that audit working papers adequately support the audit findings, conclusions, and reports.
   4. Making sure that audit reports are accurate, objective, clear, concise, constructive, and timely.
   5. Determining that audit objectives are being met.
• Appropriate evidence of supervision should be documented and retained.
• The extent of supervision required will depend on the proficiency of the internal auditors and the difficulty of the audit assignment.
• All internal auditing assignments, whether performed by or for the internal auditing department, remain the responsibility of its director.

240 COMPLIANCE WITH STANDARDS OF CONDUCT
Internal auditors should comply with professional standards of conduct.
• The Code of Ethics of The Institute of Internal Auditors sets forth standards of conduct and provides a basis for enforcement among its members. The Code calls for high standards of honesty, objectivity, diligence, and loyalty to which internal auditors should conform.

250 KNOWLEDGE, SKILLS, AND DISCIPLINES
Internal auditors should possess the knowledge, skills, and disciplines essential to the performance of internal audits.
• Each internal auditor should possess certain knowledge and skills as follows:
   1. Proficiency in applying internal auditing standards, procedures, and techniques is required in performing internal audits. Proficiency means the ability to apply knowledge to situations likely to be encountered and to deal with them without extensive recourse to technical research and assistance.
   2. Proficiency in accounting principles and techniques is required of auditors who work extensively with financial records and reports.
   3. An understanding of management principles is required to recognise and evaluate the materiality and significance of deviations from good business practice. An understanding means the ability to apply broad knowledge to situations likely to be encountered, to recognise significant deviations, and to be able to carry out the research necessary to arrive at reasonable solutions.
   4. An appreciation is required of the fundamentals of such subjects as accounting, economics, commercial law, taxation, finance, quantitative methods, and computerised information systems. An appreciation means the ability to recognise the existence of problems or potential problems and to determine the further research to be undertaken or the assistance to be obtained.

260 HUMAN RELATIONS AND COMMUNICATIONS
Internal auditors should be skilled in dealing with people and in communicating effectively.
• Internal auditors should understand human relations and maintain satisfactory relationships with audited entities.
• Internal auditors should be skilled in oral and written communications so that they can clearly and effectively convey such matters as audit objectives, evaluations, conclusions, and recommendations.

270 CONTINUING EDUCATION
Internal auditors should maintain their technical competence through continuing education.
• Internal auditors are responsible for continuing their education in order to maintain their proficiency. They should keep informed about improvements and current developments in internal auditing standards, procedures, and techniques. Continuing education may be obtained through membership and participation in professional societies; attendance at conferences, seminars, college courses, and in-house training programs; and participation in research projects.

280 DUE PROFESSIONAL CARE
Internal Auditors should exercise due professional care in performing internal audits.
• Due professional care calls for the application of the care and skill expected of a reasonably prudent and competent internal auditor in the same or similar circumstances. Professional care should, therefore, be appropriate to the complexities of the audit being performed. In exercising due professional care, internal auditors should be alert to the possibility of intentional wrongdoing, errors and omissions, inefficiency, waste, ineffectiveness, and conflicts of interest. They should also be alert to those conditions and activities where irregularities are most likely to occur. In addition, they should identify inadequate controls and recommend improvements to promote compliance with acceptable procedures and practices.
• Due care implies reasonable care and competence, not infallibility or extraordinary performance. Due care requires the auditor to conduct examinations and verifications to a reasonable extent, but does not require detailed audits of all transactions. Accordingly, the internal auditor cannot give absolute assurance that non-compliance or irregularities do not exist. Nevertheless, the possibility of material irregularities or non-compliance should be considered whenever the internal auditor undertakes an internal auditing assignment.
• When an internal auditor suspects wrongdoing, the appropriate authorities within the organisation should be informed. The internal auditor may recommend whatever investigation is considered necessary in the circumstances. Thereafter, the auditor should follow up to see that the internal auditing department's responsibilities have been met.
• Exercising due professional care means using reasonable audit skill and judgment in performing the audit. To this end, the internal auditor should consider:
   1. The extent of audit work needed to achieve audit objectives
   2. The relative materiality or significance of matters to which audit procedures are applied
   3. The adequacy and effectiveness of internal controls
   4. The cost of auditing in relation to potential benefits
   5. Due professional care includes evaluating established operating standards and determining whether those standards are acceptable and are being met. When such standards are vague, authoritative interpretations should be sought. If internal auditors are required to interpret or select operating standards, they should seek agreement with audited entities as to the standards needed to measure operating performance.

300 SCOPE OF WORK
The scope of the internal audit should encompass the examination and evaluation of the adequacy and effectiveness of the organisation's system of internal control and the quality of performance in carrying out assigned responsibilities.
• The scope of internal auditing work, as specified in this standard, encompasses what audit work should be performed. It is recognised, however, that management and the board of directors provide general direction as to the scope of work and the activities to be audited.
• The purpose of the review for adequacy of the system of internal control is to ascertain whether the system established provides reasonable assurance that the organisation's objectives and goals will be met efficiently and economically.
• The purpose of the review for effectiveness of the system of internal control is to ascertain whether the system is functioning as intended.
• The purpose of the review for quality of performance is to ascertain whether the organisation's objectives and goals have been achieved.
• The primary objectives of internal control are to ensure:
   1. The reliability and integrity of information.
   2. Compliance with policies, plans, procedures, laws, and regulations.
   3. The safeguarding of assets.
   4. The economical and efficient use of resources.
   5. The accomplishment of established objectives and goals for operations or programs.

310 RELIABILITY AND INTEGRITY OF INFORMATION
Internal auditors should review the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information.
• Information systems provide data for decision making, control, and compliance with external requirements. Therefore, internal auditors should examine information systems and, as appropriate, ascertain whether:
   1. Financial and operating records and reports contain accurate, reliable, timely, complete, and useful information.
   2. Controls over record keeping and reporting are adequate and effective.

320 COMPLIANCE WITH POLICIES, PLANS, PROCEDURES, LAWS, AND REGULATIONS
Internal auditors should review the systems established to ensure compliance with those policies, plans, procedures, laws and regulations which could have a significant impact on operations and reports, and should determine whether the organisation is in compliance.
• Management is responsible for establishing the systems designed to ensure compliance with such requirements as policies, plans, procedures, and applicable laws and regulations. Internal auditors are responsible for determining whether the systems are adequate and effective and whether the activities audited are complying with the appropriate requirements.

330 SAFEGUARDING OF ASSETS
Internal auditors should review the means of safeguarding assets and, as appropriate, verify the existence of such assets.
• Internal auditors should review the means used to safeguard assets from various types of losses such as those resulting from theft, fire, improper or illegal activities, and exposure to the elements.
• Internal auditors, when verifying the existence of assets, should use appropriate audit procedures.

340 ECONOMICAL AND EFFICIENT USE OF RESOURCES
Internal auditors should appraise the economy and efficiency with which resources are employed.
• Management is responsible for setting operating standards to measure an activity's economical and efficient use of resources. Internal auditors are responsible for determining whether:
  1. Operating standards have been established for measuring economy and efficiency.
  2. Established operating standards are understood and are being met.
  3. Deviations from operating standards are identified, analysed, and communicated to those responsible for corrective action.
  4. Corrective action has been taken.
• Audits related to the economical and efficient use of resources should identify such conditions as:
  1. Underutilised facilities.
  2. Non-productive work.
  3. Procedures which are not cost justified.
  4. Overstaffing or understaffing.

350 ACCOMPLISHMENT OF ESTABLISHED OBJECTIVES AND GOALS FOR OPERATIONS OR PROGRAMS
Internal auditors should review operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.


• Management is responsible for establishing operating or program objectives and goals, developing and implementing control procedures, and accomplishing desired operating or program results. Internal auditors should ascertain whether such objectives and goals conform to those of the organisation and whether they are being met.
• Internal auditors can provide assistance to managers who are developing objectives, goals, and systems by determining whether the underlying assumptions are appropriate; whether accurate, current, and relevant information is being used; and whether suitable controls have been incorporated into the operations or programs.

400 PERFORMANCE OF AUDIT WORK
Audit work should include planning the audit, examining and evaluating information, communicating results and following up.
• The internal auditor is responsible for planning and conducting the audit assignment, subject to supervisory review and approval.

410 PLANNING THE AUDIT
Internal auditors should plan each audit.
• Planning should be documented and should include:
  1. Establishing audit objectives and scope of work.
  2. Obtaining background information about the activities to be audited.
  3. Determining the resources necessary to perform the audit.
  4. Communicating with all who need to know about the audit.
  5. Performing, as appropriate, an on-site survey to become familiar with the activities and controls to be audited, to identify areas for audit emphasis, and to invite audited entity comments and suggestions.
  6. Writing the audit program.
  7. Determining how, when, and to whom audit results will be communicated.
  8. Obtaining approval of the audit work plan.

420 EXAMINING AND EVALUATING INFORMATION
Internal auditors should collect, analyse, interpret, and document information to support audit results.
• The process of examining and evaluating information is as follows:
  1. Information should be collected on all matters related to the audit objectives and scope of work.
  2. Information should be sufficient, competent, relevant, and useful to provide a sound basis for audit findings and recommendations. Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Competent information is reliable and the best attainable through the use of appropriate audit techniques. Relevant information supports audit findings and recommendations and is consistent with the objectives for the audit. Useful information helps the organisation meet its goals.


  3. Audit procedures, including the testing and sampling techniques employed, should be selected in advance, where practicable, and expanded or altered if circumstances warrant.
  4. The process of collecting, analysing, interpreting, and documenting information should be supervised to provide reasonable assurance that the auditor's objectivity is maintained and that audit goals are met.
  5. Working papers that document the audit should be prepared by the auditor and reviewed by management of the internal auditing department. These papers should record the information obtained and the analyses made and should support the bases for the findings and recommendations to be reported.

430 COMMUNICATING RESULTS
Internal auditors should report the results of their audit work.
• A signed, written report should be issued after the audit examination is completed. Interim reports may be written or oral and may be transmitted formally or informally.
• The internal auditor should discuss conclusions and recommendations at appropriate levels of management before issuing final written reports.
• Reports should be objective, clear, concise, constructive, and timely.
• Reports should present the purpose, scope, and results of the audit; and, where appropriate, reports should contain an expression of the auditor's opinion.
• Reports may include recommendations for potential improvements and acknowledge satisfactory performance and corrective action.
• The audited entity's views about audit conclusions or recommendations may be included in the audit report.
• The director of internal auditing or designee should review and approve the final audit report before issuance and should decide to whom the report will be distributed.

440 FOLLOWING UP
Internal auditors should follow up to ascertain that appropriate action is taken on reported audit findings.
• Internal auditing should determine that corrective action was taken and is achieving the desired results, or that management or the board has assumed the risk of not taking corrective action on reported findings.

500 MANAGEMENT OF THE INTERNAL AUDITING DEPARTMENT
The director of internal auditing should properly manage the internal auditing department.
• The director of internal auditing is responsible for properly managing the department so that:
  1. Audit work fulfils the general purposes and responsibilities approved by management and accepted by the board.
  2. Resources of the internal auditing department are efficiently and effectively employed.
  3. Audit work conforms to Generally Accepted Auditing Standards.

510 PURPOSE, AUTHORITY, AND RESPONSIBILITY

The director of internal auditing should have a statement of purpose, authority, and responsibility for the internal auditing department.
• The director of internal auditing is responsible for seeking the approval of management and the acceptance by the board of a formal written document (charter) for the internal auditing department.

520 PLANNING
The director of internal auditing should establish plans to carry out the responsibilities of the internal auditing department.
• These plans should be consistent with the internal auditing department's charter and with the goals of the organisation.
• The planning process involves establishing:
  1. Goals.
  2. Audit work schedules.
  3. Staffing plans and financial budgets.
  4. Activity reports.
• The goals of the internal auditing department should be capable of being accomplished within specified operating plans and budgets and, to the extent possible, should be measurable. They should be accompanied by measurement criteria and targeted dates of accomplishment.
• Audit work schedules should include (a) what activities are to be audited; (b) when they will be audited; and (c) the estimated time required, taking into account the scope of the audit work planned and the nature and extent of audit work performed by others. Matters to be considered in establishing audit work schedule priorities should include (a) the date and results of the last audit; (b) financial exposure; (c) potential loss and risk; (d) requests by management; (e) major changes in operations, programs, systems, and controls; (f) opportunities to achieve operating benefits; and (g) changes to and capabilities of the audit staff. The work schedules should be sufficiently flexible to cover unanticipated demands on the internal auditing department.
• Staffing plans and financial budgets, including the number of auditors and the knowledge, skills, and disciplines required to perform their work, should be determined from audit work schedules, administrative activities, education and training requirements, and audit research and development efforts.
• Activity reports should be submitted periodically to management and to the board. These reports should compare (a) performance with the department's goals and audit work schedules and (b) expenditures with financial budgets. They should explain the reasons for major variances and indicate any action taken or needed.

530 POLICIES AND PROCEDURES
The director of internal auditing should provide written policies and procedures to guide the audit staff.
• The form and content of written policies and procedures should be appropriate to the size and structure of the internal auditing department and the complexity of its work. Formal administrative and technical audit manuals may not be needed by all internal auditing departments. A small internal auditing department may be managed informally. Its audit staff may be directed and controlled through daily, close supervision and written memoranda. In a large internal auditing department, more formal and comprehensive policies and procedures are essential to guide the audit staff in the consistent compliance with the department's standards of performance.

540 PERSONNEL MANAGEMENT AND DEVELOPMENT
The director of internal auditing should establish a program for selecting and developing the human resources of the internal auditing department.
• The program should provide for:
  1. Developing written job descriptions for each level of the audit staff.
  2. Selecting qualified and competent individuals.
  3. Training and providing continuing educational opportunities for each internal auditor.
  4. Appraising each internal auditor's performance at least annually.
  5. Providing counsel to internal auditors on their performance and professional development.

550 EXTERNAL AUDITORS
The director of internal auditing should coordinate internal and external audit efforts.
• The internal and external audit work should be coordinated to ensure adequate audit coverage and to minimise duplicate efforts.
• Coordination of audit efforts involves:
  1. Periodic meetings to discuss matters of mutual interest.
  2. Access to each other's audit programs and working papers.
  3. Exchange of audit reports and management letters.
  4. Common understanding of audit techniques, methods, and terminology.

560 QUALITY ASSURANCE
The director of internal auditing should establish and maintain a quality assurance program to evaluate the operations of the internal auditing department.
• The purpose of this program is to provide reasonable assurance that audit work conforms to these Standards, the internal auditing department's charter, and other applicable standards.
• A quality assurance program should include the following elements:
  1. Supervision.
  2. Internal reviews.
  3. External reviews.
• Supervision of the work of the internal auditors should be carried out continually to assure conformance with internal auditing standards, departmental policies, and audit programs.
• Internal reviews should be performed periodically by members of the internal auditing staff to appraise the quality of the audit work performed. These reviews should be performed in the same manner as any other internal audit.


• External reviews of the internal auditing department should be performed to appraise the quality of the department's operations. These reviews should be performed by qualified persons who are independent of the organisation and who do not have either a real or an apparent conflict of interest. Such reviews should be conducted at least once every three years. On completion of the review, a formal, written report should be issued. The report should express an opinion as to the department's compliance with the Generally Accepted Auditing Standards and, as appropriate, should include recommendations for improvement.

CODE OF ETHICS
STANDARDS OF CONDUCT
1. Internal auditors shall exercise honesty, objectivity, and diligence in the performance of their duties and responsibilities.
2. Internal auditors shall exhibit loyalty in all matters pertaining to the affairs of ABC Company or to whomever they may be rendering a service. However, internal auditors shall not knowingly be a party to any illegal or improper activity.
3. Internal auditors shall not knowingly engage in acts or activities which are discreditable to the profession of internal auditing or to ABC Company.
4. Internal auditors shall refrain from entering into any activity which may be in conflict with the interest of ABC Company or which would prejudice their ability to carry out objectively their duties and responsibilities.
5. Internal auditors shall not accept anything of value from an employee, client, customer, supplier, or business associate of ABC Company which would impair or be presumed to impair their professional judgment.
6. Internal auditors shall undertake only those services which they can reasonably expect to complete with professional competence.
7. Internal auditors shall adopt suitable means to comply with Generally Accepted Auditing Standards.
8. Internal auditors shall be prudent in the use of information acquired in the course of their duties. They shall not use confidential information for any personal gain nor in any manner which would be contrary to law or detrimental to the welfare of ABC Company.
9. Internal auditors, when reporting on the results of their work, shall reveal all material facts known to them which, if not revealed, could either distort reports of operations under review or conceal unlawful practices.
10. Internal auditors shall continually strive for improvement in their proficiency, and in the effectiveness and quality of their service.
11. Internal auditors, in the practice of their profession, shall be ever mindful of their obligation to maintain high standards of competence, morality and dignity.

INDEPENDENCE/OBJECTIVITY/CONFIDENTIALITY/CONDUCT
INDEPENDENCE/OBJECTIVITY
To be effective in performing audits the internal audit staff must be independent and objective both in actuality and perception. We maintain our independence by our organisational position (including reporting line to the Board) and our Board approved AUTHORISATION AND RESPONSIBILITIES (see CHARTER).

In order to maintain objectivity, auditors shall immediately inform the Director of Auditing of any factors that may be perceived as impairing their objectivity on an assigned audit. Also, auditors will take great care to prevent even a perception of partiality by maintaining a professional distance from the staff of an audited entity while performing an audit. Questions concerning any relationships with audited entities or potential audited entities (i.e., preparing tax returns, attending parties, etc.) should be brought to the attention of the Internal Audit Department.

Finally, auditors will not accept anything of value from an employee, supplier, or business associate of ABC Company which would impair or be perceived to impair their professional judgement or objectivity. Any gifts accepted will be immediately reported to the Internal Audit Department.

CONFIDENTIALITY
Much of the information available to internal auditors is of a sensitive or confidential nature. Auditors should be prudent in their use of information acquired in the course of their duties or information which is available to them. They will not discuss any matters pertaining to the audits performed by the departments in other than an official manner. Auditors shall not use confidential information for any personal gain or in a manner which would be detrimental to ABC Company or any employee of ABC Company. (See the Code of Ethics).

Auditors will take adequate measures to prevent the unauthorised release of confidential materials or information in any medium including paper copies, microfiche, or computer files. Such materials should be adequately secured from theft, reproduction, or casual observation.

Confidential materials include any information (except public information) associated with employee names, social security numbers, or identification numbers. Examples of confidential information include, but are not limited to, the following:
1. Employee medical or psychological records.
2. Employee benefit or payroll information.
3. Any information which could cause ABC Company embarrassment or liability.

CONDUCT
The following guidelines are established regarding personal conduct and the confidentiality of audit or business information acquired through audit assignments. As a member of the Internal Audit staff, you are representing the highest level of management. Conduct yourself in a manner that reflects favourably upon yourself and those you represent. You are expected to exercise professional skill, integrity, maturity of behaviour, and tact in your relations with others. In general, you are encouraged to be friendly with all ABC Company employees without affecting your objectivity. You should guard against any conduct or mannerisms which permit an impression that you consider yourself an "expert" sent to check on employees. As far as possible, take the position of an independent/objective analyst and advisor. Avoid the image of policing. In the course of your assignments, you will be in contact with personnel at all levels of authority and position. At all times, independence in mental attitude is to be maintained. Reports resulting from your efforts should always contain full and unbiased disclosure of all but minor audit findings. Although you report to the Internal Audit Department, you have responsibilities to both management and the personnel being audited.


Much of your work is confidential; therefore, be discreet on and off the job in discussing current or past audits or your personal assessments of audited entities. Judgment should be exercised in the security of audit working papers, programs, records, and information at all times. Never indiscreetly discuss any information you obtain during audits. Avoid extremes of dress or personal grooming.

AUDIT PROCESS
PLANNING
The assessment of audit risk is an integral part of our planning process. The audit planning process encompasses all activities related to the development of the internal audit plan and schedule and the determination of the audit scope and objectives, timing, design of detailed procedures, and audit resource planning for the individual auditable entities. The primary objective of the audit planning process is to design our audit approach to ensure that audits are performed in the most effective and efficient manner. In undertaking this process we attempted the following:
• Define the potential audit universe at ABC Company
• Define factors to be used in assessing risk
• Quantify the potential risk associated with each of the defined audit areas
• Schedule audits and allocate Internal Audit resources according to the priorities established and the current level and expertise of internal auditors

PLANNING - RESEARCH, SCHEDULING, AND AUDITS

Internal Audit's scheduling process begins with requests for audit services (requests, or suggestions, come from several sources). One obvious source is our own Internal Audit staff. Our in-depth knowledge of ABC Company gives us a unique perspective on the types of projects in which we can reduce ABC Company's risk. Hence, some of our projects originate in our own group or as a result of the annual audit of ABC Company as a whole, which is conducted by the external auditors.

Several factors influence the selection and scheduling of projects: the degree of risk or exposure to loss; type of audit; current and planned work in other major audit projects requiring substantial time commitments of Internal Audit staff; the availability of staff in entities selected for review; and the availability of Internal Audit staff with the appropriate skills.

An analysis will be performed annually in order to quantify risk and schedule audits. This analysis will combine factual information and Internal Audit Department's judgment in the selection, ranking, and weighing of the various audit risk factors. It should be emphasised that the final determination as to which areas should be included in the audit plan cannot be based solely on the results of this audit risk assessment. Rather, the performance of the assessment is a tool for use by Internal Audit Department.

Types of Audits

1. AUDIT
• Operational - Refers to a comprehensive examination of an entity to evaluate its performance, as measured by management's objectives. An operational audit focuses on the efficiency, effectiveness, and economy of operations.
• Financial - Determine the accuracy and propriety of financial transactions.
• Compliance - The objective of these audits is to determine whether, and to what degree, an audited entity conforms to certain specific requirements of policy, procedures, standards, or laws and regulations. The auditor must know precisely what policies, procedures, standards, etc. are required. Usually, compliance audits require little preliminary survey work or review of internal controls, except to outline precisely what requirements are being audited. The audit focuses almost exclusively upon detailed testing of conditions.
• Asset Verification - An independent appraisal of ABC Company operations is provided through the verification of accountability, physical safeguards, and valid use of ABC Company assets. This is often performed in conjunction with an audit.

2. LOSS
• Loss/fraud investigations - Conducted to determine existing control weaknesses, assist ABC Company Risk Management in determining the amount of the loss/fraud, and assist the audited entity by recommending corrective measures to prevent subsequent recurrences. Investigation of allegations may also be conducted.

3. INFORMATION SYSTEMS AUDIT
• The primary mission of the Information Systems audit function of Internal Audit is to support the internal audit function in the evaluation of the accuracy, effectiveness, and efficiency of ABC Company's electronic and information processing systems which are in production or under development.

4. MISCELLANEOUS
• Consultant Services - Information, encouragement, and review will be provided on issues concerning ABC Company policies, procedures, and internal controls. With the addition of an information systems audit function consultation services are expanded to include:
  1. Assistance on evaluation of backup procedures and contingency planning
  2. Assistance on whether a defined architecture has proper controls
  3. Information on computer controls
  4. Assistance on implementation of internal financial system
• Computer System Design and Enhancement - Internal Audit actively participates in the development of new systems or enhancements to current systems to promote the design of adequate internal controls prior to implementation and reduce the need for corrective measures at a later date.
• Other Departmental Duties - Such as organising the annual retreat, preparing the annual report, etc., as assigned by the Director.

5. ADMINISTRATIVE REVIEWS
• Pre-approved programs are used to audit accuracy and propriety of expenditures and payroll transactions. Income will be audited if the amount is material. These reviews may also include asset confirmations.

6. FOLLOW-UP REVIEW
• Follow-up reviews are performed to appraise management of post audit actions and provide assurance that implemented changes adequately resolved audit findings. These reviews also ensure that upper management has been properly notified of ABC Company exposure related to unresolved audit findings.

7. CASH COUNT
• A cash count is performed to determine custodial fund accountability which may include one or more of the following types of funds: petty cash fund, change fund, or revolving fund. A pre-approved cash count audit program is used for this type of audit.

Audit Assignment

All audits/tasks will be authorised by the Internal Audit Department using an audit assignment sheet. The objective of this process is to assure that work is performed on only authorised activity. This form will provide sufficient information on the audit/task scope, objectives, and resource restrictions (allocated hours, expected completion date) so the assigned auditor(s) will have a clear understanding of Internal Audit Department's expectations for their particular assignment.

Definition of Terms on the Assignment Sheet
• Task Number: A five digit number used to identify the project
• Type: The type of project indicated on the assignment form:
  ○ A=audit;
  ○ L=loss;
  ○ C=cash count;
  ○ F=follow-up;
  ○ M=miscellaneous;
  ○ T=continuing education - no trackable hours;
  ○ D=information Systems audit;
  ○ R=administrative review.
  ○ E=continuing education;
  ○ X=task cancelled;
• Location of audit:
  ○ BRU=Brussels;
  ○ PAR=Paris;
  ○ BLN=Berlin;
• Title of Project: A short description of the project
• Assignment Date: Beginning date that hours can be charged to the project
• Allocated Hours: Time budgeted for this project. Any deviation from these hours must be approved by the Internal Audit Department
• Expected Completion Date: The date the report is expected to be issued in final
• Assigned Staff: Names of the Reviewer, Project Manager, Assigned Staff, Project Consultant, Participant, Instructor, and Non-active staff should be listed on assignment sheet with project hours that are assigned to each
• Scope & Objectives: A short description of the scope and objectives that will be covered
• Fiscal Year: Fiscal year to be audited


Scope and Objectives

The scope section shall define the limitations of the audit/task assignment. The scope will generally include a time period, and what records, processes, funds, transactions, policies, controls, etc., we shall be reviewing. Scope limitations that very narrowly restrict audit work should be mentioned in the audit report. (Example: We did not test actual expenditure transactions.)

The objectives will explain what the audit is trying to accomplish. Audit objectives will generally include one or more of the following:
1. Determine the accuracy and propriety of financial transactions;
2. Evaluate financial and operational procedures for adequacy of internal controls and provide advice and guidance on control aspects of new policies, systems, processes, and procedures;
3. Verify the existence of ABC Company assets and ensure that proper safeguards are maintained to protect them from loss;
4. Determine the level of compliance with ABC Company policies and procedures, laws and regulations;
5. Evaluate the accuracy, effectiveness, and efficiency of ABC Company's electronic information and processing systems;
6. Determine the effectiveness and efficiency of audited entities in accomplishing their mission and identify operational opportunities for cost savings and revenue enhancements;
7. Provide assistance and a coordinated audit effort with the external auditors;
8. Determine if a loss occurred, if so the amount of the loss and circumstances (control weaknesses) that contributed to it.

Duties/Responsibilities
• INTERNAL AUDIT DEPARTMENT
  ○ Internal Audit Department, the Director and Associate Director of Internal Auditing, will be responsible for ensuring that audit resources are efficiently and effectively employed and that the audit work performed fulfils the mission of the department.
• AUDIT MANAGER
  ○ The auditor in charge of the task will normally be an audit manager and will have the following duties and responsibilities:
    1. Attend entrance and exit interviews
    2. Discuss, direct, advise, etc., the assigned auditors during the course of the assignment including writing the report
    3. Will be responsible for assuring the audit program steps accomplish the objectives, address major risk and exposures, and reasonably assure the completion of the assignment within allocated resources. Final approval of the audit program will be done by Internal Audit Department
    4. Review, edit, and approve the draft report
    5. Assure the audit is performed according to department standards, staying within the scope and resource allocation limits (hours and dates), and meet stated assigned objectives.
• ASSIGNED AUDITOR(S)
  ○ Assigned auditor(s) will be responsible for performing the audit and will have the following duties and responsibilities:
    1. Perform the preliminary review, including the internal control evaluation, with guidance from the Audit Manager
    2. After discussions with the Audit Manager, prepare an audit program and time estimate for each program section
    3. Perform all assigned activities in conformance with department standards, staying within the scope and resource allocation limits of the assigned activity or program section
    4. Write the draft audit report
  ○ An assigned auditor who is also the Audit Manager of the project will have the additional duties of Audit Manager.
• REVIEWER
  ○ All working papers should be independently reviewed to ensure there is sufficient evidence to support conclusions and that all audit objectives have been met. A detailed review will be conducted by the Audit Manager for assigned staff's working papers and a less comprehensive review will be conducted by department administration or an assigned staff person. Initialling working papers (see "review/approval form"), signing the "review/approval form," and filing "cleared" review notes in the current working papers will serve as documentation of the review process.
  ○ The reviewer should:
    1. Determine working paper's compliance to the department working paper standards;
    2. Review from audit program steps to the referenced working papers ensuring cross-referencing is proper, the working papers support the steps performed, and all steps have been completed;
    3. Review working papers from the report(s) to the Digest of Significant Findings to the working paper summaries to the detailed working papers to ensure that all findings are stated adequately and documented and support the opinions, findings, and recommendations stated in the report;
    4. Ensure that working papers "stand alone" in that they clearly state what work was performed, how and from where samples were selected, the purpose of the working paper, what findings were made, etc.
    5. Document review comments on review notes form;
    6. After all audit review notes have been resolved, sign off on working paper section of final working paper/report approval form;
    7. Determine report(s) compliance with the department report standards;
    8. Sign off on report(s) section of final working paper/report approval form;
    9. Determine Permanent Audit File's compliance with department standards.
• PROJECT CONSULTANT
  ○ The project consultant's primary duties and responsibilities are to advise and provide guidance to the assigned auditors. The project consultant does not take an active role in the project, but will be on call to answer questions or volunteer suggestions as applicable.
• REPORT REVIEWER
○ The Report Reviewer's primary responsibility is to provide a final independent review of audit reports to help ensure that proper grammar, spelling, and format have been used. The Report Reviewer will also perform or supervise the:
1. Print revised draft copies for Director's approval
2. Print final report copy for auditors' and director's signature
3. Mail final report copy
4. Filing of electronic copy on LAN
5. Update Working Papers files: mark complete, recommendation categories, mark complete, create follow-up when necessary, etc.
6. Mailing feedback questionnaire
7. Updating feedback spreadsheet when feedback received
8. Adding response to electronic copy of report and filing paper copy with final report
9. Creating follow-up working papers, trustee report, electronic copy of report on LAN, etc.
10. Updating Director's report

Announcement Letter

The audited entity shall be informed of the audit project through an announcement letter from the Internal Audit Director. However, Internal Audit will not provide advance notifications for cash counts and fraud investigations. Additionally, Internal Audit may not send an announcement letter for requested consulting services. The announcement letter shall communicate the scope and objectives of the audit, the period covered, and the auditor(s) assigned to the project. Internal Audit's mission statement shall also be enclosed for the audited entity’s information.

Preliminary Review

The objective of the Preliminary Review is to gain sufficient knowledge of the entity being reviewed so the auditor can design an audit program to accomplish the assigned objectives. The review will help the auditor to determine if the assigned objectives are attainable with the allocated resources and what audit procedures should be performed, based on assessed risks and exposures, to achieve the objectives. The preliminary review work can be broken down into four distinct phases:
1. Familiarisation
2. Identification of potential problem areas
3. Evaluation of internal controls
4. Planning the detailed audit

One of the problems in performing an effective preliminary review is the failure to complete all phases of the review before preparing the formal audit program and beginning the fieldwork.

Initial Research (Familiarisation)

Before meeting with the audited entity, the assigned auditor(s) shall obtain a basic understanding of the operation or system under review. This review will normally include:
• Review of Permanent Audit File (if one exists)
• Review of Previous Audit Working Papers, Reports, Management letters (if available)
• Review of department financial statements (transactions) including historical trends if available
• Review of department organisation and staffing (payroll/personnel listing)
• Review of department equipment listing
• Consultations with other auditors that have been involved in similar audits or are familiar with this department, related ANAEL files, systems, etc.
• Review department focus
• Review department's mission statement, organisation chart and other information requested in the "announcement letter"
• Review and research for applicable laws, regulations, and departmental policies and procedures
• Conduct the initial meeting with audited entity

Identification of Potential Problem Areas

An objective of the preliminary review is the identification of potential problem areas. One of the first steps in determining problem areas is to identify those programs, activities, and functions which are significant. These can be identified as those programs or activities:
• Which are susceptible to fraud, abuse, or mismanagement
• In which there is a large volume of transactions or large investments in assets which are subject to loss if not carefully controlled
• About which concerns have been expressed by management
• In which prior audits have disclosed major weaknesses or deficiencies

This phase of the preliminary review should identify the significant activities of the area and what inherent risks exist. Once these activities and risks have been identified, the next step is to evaluate controls. The auditor is responsible for determining how much reliance can be placed on the entity's controls to protect its assets, assure accurate information, assure compliance with applicable laws and regulations, promote efficiency and economy, and produce effective results.

A complete review of all controls is not always necessary because some controls may be irrelevant to basic issues which are the subject of the audit effort. Therefore, the auditor must identify those controls which are the most important and critical to the operation and concentrate on them. Some controls which can normally be identified as critical are those which are designed to protect against:
• Substantial financial losses
• Program violations
• Mismanagement
• Legal violations
• Adverse publicity
• Lack of program or mission accomplishment

The auditor's evaluation should include identification of areas in which essential controls appear to be weak, non-functioning, or missing. Vast amounts of data are stored electronically. Internal Audit has a library of standardised ANAEL queries that will assist in obtaining some of this information.

Review and Evaluation of Internal Control Environment

The auditor will review the audited entity's internal control structure. In doing this, the auditor uses a variety of tools and techniques, including flow charts, interviews, data gathering, and analysis. The review of internal controls helps the auditor design tests to be performed in the fieldwork section of the audit.

The evaluation of the system of internal controls should provide reasonable, but not absolute, assurance that the fundamental elements of the system are sufficient to accomplish their intended purpose. The study and evaluation should be adequately documented and properly supported by results of tests, observations, and inquiries. The use of electronic data processing methods that can affect the reliability, accuracy, or usefulness of financial or statistical data and reports should be included as part of the study and evaluation.

Internal controls are evaluated throughout the audit examination. Audit Managers should prepare the program to assist assigned auditors in performing this aspect of the audit work. Generally, the guidelines are incorporated into an audit program in the form of internal control questionnaires, checklists, and specific audit tests and procedures. Although the written audit guidelines (programs) are invaluable aids, Audit Managers must ensure that each assigned auditor is familiar with the scope and objectives of the internal control review.

The review of the system of internal controls is performed by discussing the control procedures, methods, and plan of organisation with audited entity’s officials. The auditor may use internal control questionnaires or checklists as well as written narrative memoranda, flow charts, a transaction walk through, and other applicable techniques in determining the adopted control procedures and the method and plan of organisation. These techniques are preferred because they provide adequate documentation. In addition to discussions with audit customer officials, auditors make inquiries and perform observations relating to the system of internal controls. These inquiries and observations, and resulting findings and conclusions are also documented in the working papers. This documentation includes identifying control strengths and weaknesses and cross-referencing them to the audit tests and procedures concerned with substantive testing.

To assist in evaluating the system of internal control the auditor should consider the following:
• Types of errors and irregularities that could occur.
• Control procedures to prevent or detect such errors and irregularities.
• Whether the procedures have been adopted and are being followed satisfactorily.
• Weaknesses which would enable errors and irregularities to pass through existing control procedures.
• The effect these weaknesses have on the nature, timing, and extent of auditing procedures to be applied.

Audit methods used to study and evaluate existing internal controls include:
• Internal Control Questionnaires - These guide the auditor to query responsible managers regarding specific or general internal controls. The questionnaires are designed so that a negative response indicates a potential internal control weakness. A negative response will cause the auditor to determine whether compensating controls are in existence which would offset the negative response.
• Narratives - These describe the system of internal control.
• Flow Charts - A flow chart is beneficial because it visually depicts processes designed or intended for control purposes. Flow-charting provides the auditor with a good understanding of the process being evaluated.

Documentation supports the auditor's understanding of the internal controls. Audit working papers provide the support for the conclusions reached by the auditor regarding the study and evaluation of internal controls.

Only those internal control functions which are deemed critical or important to the strength within a particular transaction cycle should be tested and evaluated. Working papers should be prepared to highlight the internal control attributes within the processes to be evaluated.

Tests of compliance are performed to obtain sufficient evidence that the system is operating in accordance with the understanding the auditor obtained from the review. These are performed for those control procedures or methods upon which the auditor has chosen to rely. Conversely, when the auditor determines that certain controls cannot be relied upon, tests of compliance are not ordinarily performed. The nature, timing, and extent of tests of compliance are closely related to the control procedures and methods studied by the auditor. Additionally, the auditor must consider the availability of evidence and the audit effort required to test compliance. In considering the required audit effort, the auditor assesses whether precluding certain tests of compliance will reduce the reliance on the controls and procedures, and whether such reduced reliance significantly affects subsequent audit tests and procedures.

Flowcharting

The primary purpose of preparing a flow chart is to identify the key control attributes - those attributes that achieve control objectives. This can efficiently point out cases of under/over control and processing redundancy. Clarity and simplicity in presentation are essential. Mistaken use of extreme detail may tend to conceal rather than expose key points. Complexities such as exception controls can be better explained in attached memoranda. However, narrative explanations should be kept brief. In most cases, the combination of the flow chart and a narrative description tends to be far superior to either document alone.

Only transactions/documents with control significance should be shown (i.e., control over authorisation, recording, safeguarding, reconciliation, and valuation). This can generally be accomplished by including only those activities within an application where data is initialised, changed, or transferred to other departments. For a process to be flow charted, it must be broken down into its component parts, namely actions and decisions. Also, the name(s) and position(s) of the people performing the transactions should be indicated for each action. The names of each document should also be included within the document symbols.

The auditor usually obtains information necessary for preparing or updating flow charts by interviewing personnel at each site about procedures followed, and by reviewing procedure manuals, existing flow charts and other system documentation. Sample documents are collected and each department involved is questioned about its specific duties. Inquiries can be made concurrently with the performance of transaction reviews, particularly when flow charts are being updated. If possible, the auditor should observe the process.

Internal Control Questionnaires

The primary purpose of completing the internal control questionnaire is to identify critical areas, strengths, and weaknesses in process.

PLANNING THE DETAILED AUDIT
The elements of materiality and relative risk must be considered in performing the audit. The due professional care standards do not imply unlimited responsibility for disclosure of irregularities and other deficiencies. The auditor's principal effort should be in those areas where significant problems or deficiencies may exist, rather than in areas that are relatively unimportant. Time should not be spent examining or developing evidence beyond what is necessary to afford a sound basis for a professional opinion.

The results of the preliminary review should be analysed to determine the need for a detailed audit and the specific areas to be covered. The detailed audit program should be prepared allocating the project budget time established for the fieldwork to the specific areas to be covered in the audit.

Statement of Risk and Exposure

• Rationale:
○ A risk/exposure analysis will be performed to prioritise audit testing that must be performed to achieve the audit objectives. This determination is essential for providing reasonable assurance that internal audit resources are deployed in an optimal manner (i.e. the most time is spent examining areas with the greatest risk exposure).
○ The three types of risks that will be considered are:
▪ Inherent Risk - The risk related to the fundamental characteristics of the assigned area (i.e., an area that receives income in the form of currency and coin has a greater inherent risk of theft of that income than one that receives internal billing income from another department).
▪ Control Risk - The risk that the assigned area's internal control system would fail to prevent or detect a significant intentional or unintentional error in the process.
▪ Detection Risk - The risk that the internal audit would fail to detect errors that had occurred.
○ Exposure is the potential loss or liability to ABC Company. It is not only loss of money but also ABC Company's reputation, etc.
○ A Risk/Exposure analysis will involve determining the highest possible combined factors (high risk/high exposure as opposed to high risk/low exposure or low risk/high exposure).

• Policy:
○ During the preliminary review/internal control evaluation stage of the audit, the auditor will make a determination of what areas contain the greatest risks and potential exposures. This determination will be discussed with the Internal Audit Department before the audit program is written.

• Process:
○ During the preliminary review/internal control evaluation stage of the audit, the auditor will complete a schedule detailing the greatest risks and potential exposures and discuss with Internal Audit Department.

Permanent Audit Files

A permanent file should give the auditor general knowledge about the audited entity. The information in the file is not expected to change significantly from year-to-year, but it is pertinent to the current year's audit. Prior year's financial statements would aid the auditor in gathering general knowledge about the audited entity. It might also be useful in comparing the current year to the prior year or performing analyses. A permanent file should only be prepared for audits that we continually do or if the area audited is a system such as payroll, accounts payable, etc. Before a permanent file is established, consult with the Audit Manager and Internal Audit Department. If a permanent file is not prepared, useful information can be filed in section D of the working papers.

AUDIT PROGRAM
Preparation of the audit program concludes the Preliminary Review phase. The audit program outlines the necessary steps to achieve the objectives of the audit within the defined scope as listed on the assignment sheet. The audit program is a detailed plan for the work to be performed during the audit. A well-constructed program is essential to completing the audit project in an efficient manner. A well-constructed program provides:
• A systematic plan for each phase of the work that can be communicated to all audit personnel concerned
• Means of self control for the audit staff assigned
• Means by which the audit supervisor/manager can review and compare performance with approved plans
• Assistance in training inexperienced staff members and acquainting them with the scope, objectives, and work steps of an audit
• An aid to supervisor/manager making possible a reduction in the amount of direct supervisory effort needed
• Assistance in familiarising successive audit staff with the nature of work previously carried out

The program consists of specific directions for carrying out the assignment. It should contain a statement of the objectives of the operation being reviewed. For each segment of the audit the program should (1) list the risks that must be covered in that segment; (2) show for each risk the controls that exist or that are needed to protect against the indicated risk; (3) show for each of the listed controls the work steps required to test the effectiveness of those controls, or set forth the recommendations that will be required to install needed controls; and (4) provide space for referencing the related audit working papers.

Standardised audit programs are available and should be used or modified to achieve the audit objectives. The auditor shall include an estimate of the hours necessary to complete the project. Internal Audit Department reviews the auditor's work to-date (preliminary review work) and then discusses any concerns or proposed program changes.

Objectives

The audit program shall contain a statement of the objectives of the area being reviewed. The statement of objectives in the audit program shall correspond with the audit objectives stated in the assignment sheet. These objectives should be achieved through the detailed audit program steps.

Audit Steps

A well-constructed audit program provides specific, detailed steps (procedures) for achieving the audit objectives. Standardised audit programs with specific audit steps for achieving objectives are available and should be used or modified.

Time Budget

A project time budget provides overall guidelines for the performance of the audit. In addition, it enables the audit manager to control the audit work in process. It is essential that we control our time carefully in order that it may be used in the most effective manner possible. The detailed project time budget should be completed at the conclusion of the preliminary review. Each project will have a time budget that will be approved by the audit manager and Internal Audit Department. This budget will include all time necessary to complete the audit, from assignment through issuance of the final report. The preliminary review phase should be completed when no more than 25 percent of the total time budget has been depleted.

The budget process will be broken down into two phases. A portion of the budget should be allocated for the planning process. This will provide the necessary control over this phase of audit work. Near the completion of the planning process, the remaining budget should be allocated to the rest of the audit and recorded on the Time Budget Summary. For purposes of overall control, the time budget should be broken down into the following general categories (more may be used if warranted):
• Planning - initial planning, preliminary survey, audit program
• Fieldwork - allocated to the various segments of the audit project
• Audit report and wrap-up - audit manager's review, quality assurance review, report writing and editing, report review, audited entity's review, exit conference, etc.
• Preparation and Approval - The project time budget should be prepared by the audit manager and approved by Internal Audit Department.
• Budget Revisions - Any revisions to the project time budget should be discussed with Internal Audit Department at the earliest possible time and, when approved by Internal Audit Department, documented on the Time Budget Summary.

FIELDWORK
Evidential Matter

Evidential matter obtained during the course of the audit provides the documented basis for the auditor's opinions, findings, and recommendations as expressed in the audit report. As internal auditors, we are obligated by our professional standards to act objectively, exercise due professional care, and collect sufficient, competent, relevant, and useful information to provide a sound basis for audit findings and recommendations (see examining and evaluating information).

Audit Sampling

Audit sampling is performing an audit test on less than 100 percent of a population. In 'sampling' the auditor accepts the risk that some or all errors will not be found and the conclusions drawn (i.e. all transactions were proper and accurate) may be wrong.

Types of Sampling: Statistical or probability sampling allows the auditor to stipulate, with a given level of confidence, the condition of a large population by reviewing only a percentage of the total items. Several sampling techniques are available to the auditor.
• Attribute sampling - Is used when the auditor has identified the expected frequency or occurrence of an event.
• Variables sampling - Is used when the auditor samples for values in a population which vary from item to item.
• Judgment sampling - Is used when it is not essential to have a precise determination of the probable condition of the universe, or where it is not possible, practical, or necessary to use statistical sampling.

The type of sampling used and the number of items selected should be based on the auditor's understanding of the relative risks and exposures of the areas audited.

Policy/Process: All audit testing will include sampling. The type and sample size shall be described in the program and approved by the Internal Audit Department.

Testing and Working Paper Documentation

Policy/Purpose: Working papers serve both as tools to aid the auditor in performing his work, and as written evidence of the work done to support the auditor's report. Information included in working papers should be sufficient, competent, relevant, and useful to provide a sound basis for audit findings and recommendations. Generally Accepted Auditing Standards define sufficient, competent, relevant, and useful as follows:
• Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor.
• Competent information is reliable and the best attainable through the use of appropriate audit techniques.
• Relevant information supports audit findings and recommendations and is consistent with the objectives for the audit.
• Useful information helps the organisation meet its goals.

In addition to serving as a reference for the preparer when called upon to report findings or answer questions, other individuals may find it necessary to use the working papers. The Internal Audit Department will use the papers to review the quality of the audit project and to evaluate the audit staff assigned to the work. The manager whose entity is being audited may use details included in the working papers to help implement corrective action to a problem or refute the assertion that a problem exists. ABC Company management or other individuals who may have requested the audit require timely reports. Well-organised working papers help to accomplish this goal. External auditors review the work performed by the Department and evaluate the effect that its activities had on ABC Company's system of internal control. In fulfilling their public responsibility, certain regulatory agencies monitor ABC Company operations, and the Department's working papers may be subjected to their review. Solid working paper documentation is essential for questions from these and other potential outside reviewers.

Qualities of Good Working Papers

Good working papers should be:
• Complete - Working papers must be able to "stand alone." This means that all questions must be answered, all points raised by the reviewer must be cleared, and a logical, well-thought out conclusion must be reached for each audit segment.
• Concise - Working papers must be confined to those that serve a useful purpose.
• Uniform - All working papers should be of uniform size and appearance. Smaller papers should be fastened to standard working papers, and larger papers should be folded to conform to size restrictions.
• Neat - Working papers should not be crowded. Allow for enough space on each schedule so that all pertinent information can be included in a logical and orderly manner. At the same time, keep working papers economical. Forms and procedures should be included only when relevant to the audit or to an audit recommendation. Also, try to avoid unnecessary listing and scheduling. All schedules should have a purpose which relates to the audit procedures or recommendations.

Working Paper Techniques

Descriptive Headings - All working papers should include the audit stamp, title of the audit, audit project number, title of the working paper, preparer's initials, date prepared, source of information, and purpose of the working paper.

Tick-marks - The auditor makes frequent use of a variety of symbols to indicate work that has been done. These symbols are commonly referred to as tick-marks. As these tick-marks have no special or uniform meaning in themselves, an explanation of each tick-mark should be made on the schedule on which it appears.

Cross-referencing - Cross-referencing within working papers should be complete and accurate. Working papers should be cross-referenced to the Audit Findings. Audit Findings should be cross-referenced to the exit conference memo and/or the audit report, to indicate final disposition of the item. Cross-referencing should be done in the margins of audit report drafts. These references readily provide direct access to the working papers.

Indexing - The system of indexing audit working papers should be simple, yet leave room for flexibility. A capital letter should be used to identify each segment of the audit, and Arabic numerals used to identify schedules within the segments.

Carry forward - The auditor should make full use of the working papers developed in the prior audit. Flow charts, system descriptions, and other data may still be valid. Those papers which remain useful should be made a part of the current working papers. They should be updated with current information, renumbered, referenced, initialled, and dated by the current auditor.
Internal Audit Manual Page 33

Types of Working Papers All working papers should be maintained in binders. Schedules, analyses, documents, flow charts, and narratives should be filed in a standard binder. Documentation which is not of standard size should be mounted on standard size paper or referenced to a non-standard binder. 1. Schedules and Analyses Schedules and analyses are useful for identifying statistical trends, verifying the accuracy of data, developing projections or estimations, and determining if tasks or records have been properly completed. Each record review, data schedule, or analyses should include the following items: • • • • • • An explanation of its purpose (reference audit step) The methodology used to select the sample, make the calculation, etc. The criteria used to evaluate the data The source of data and time frame considered A summary of the results of the analyses The auditor's conclusion

2. Documents Copies or actual samples of various documents can be used as examples, for clarification, and as physical evidence to support a conclusion or prove the existence of a problem. These documents can be memos, reports, computer printouts, procedures, forms, invoices, flow charts, contracts, or any of numerous other items. Any copied document should serve a useful audit purpose. The following suggestions are offered for preparation of working papers using documents rather than the auditor's notes: • • • Indicate both the person and/or file that the document came from (source). Copy and insert only that portion of the report, memo, procedure, etc., which is needed for purposes of explanation or as documentation of a potential finding. Do not include the entire document in the working papers unless absolutely necessary. Fully explain the terms and notations found on the document, as well as its use. This is especially true when including maps, engineering drawings, or flow charts in the papers. These explanations may be made on an attached preceding page or on the face of the document itself. Each document should be cross-referenced either to the page or separate analysis where it was discussed. No document should be included in the working papers without an explanation of why it was included. Documents larger than A4 size should be reduced when practicable.

• •
•

3. Process Write-ups and Flow charts In many audits, it is necessary to describe systems or processes followed by the audited entity. Describe such procedures or processes through the use of write-ups or flow charts or some combination of the two. The choice of which method to use will depend on the relative efficiency of the method in relation to the complexities of the system being described. Write-ups are often easier to use, and should be used, if the system or process can be described clearly and concisely. However, when write-ups would be lengthy, and description of related control points difficult to integrate in the narrative, flow-charting (or a combination of write-ups and flow-charting) is an appropriate alternative. Flow charts conveniently
Internal Audit Manual Page 34

describe complex relationships because they reduce narrative explanations to a picture of the system. They are concise and may be easier to analyse than written descriptions. 4. Interviews Most verbal information is obtained through formal interviews conducted either in person or by telephone. Formal interviews are most desirable because the interviewees know they are providing input to the audit; however, impromptu interviews, or even casual discussions can often provide important information. Any verbal information which is likely to support a conclusion in the audit working papers should be documented. Interviews are useful in identifying problem areas, obtaining general knowledge of the audit subject, collecting data not in a documented form, and documenting the audit customer's opinions, assessments, or rationale for actions. Interview notes should contain only the facts presented by the person interviewed, and not include any of the auditor's opinions. In preparing interviews for working papers, consider the following suggestions: • •
•

•

Be sure to include the name and position title of all persons from whom information was obtained. This includes data gathered during casual conversations. Indicate when and where the meeting occurred. Organise notes by topic wherever possible. Identify sources of information quoted by interviewee.

5. Observations What the auditor observes can serve the same purposes as interviews. If observations can be used to support any conclusions, then they should be documented. They are especially useful for physical verifications. Observations used as supporting documentation should generally include the following items:
• • •

•

Time and date of the observations Where the observations were made Who accompanied the auditor during the observations What was observed (when testing is involved, the working papers should include the sample selections and the basis of the sample)

6. Findings
All audit findings must be documented in a SECTION SUMMARY (see next section) schedule in the working papers. Unfavourable findings shall be summarised on a Digest of Significant Findings working paper whether or not they are to be included in the audit report. All findings should be documented immediately by the auditor discovering the situation.

STATING FINDINGS/CONCLUSIONS
Upon the conclusion of the fieldwork, the auditor shall summarise the audit findings, conclusions, and recommendations necessary for preparation of the audit report discussion draft. Each audit finding will have documented in the SECTION SUMMARY the following ATTRIBUTES:
1. Statement of Condition (What is!)
2. Criteria (What should be!)
3. Effect (So what?)
4. Cause (Why did it happen?)
5. Recommendation (What should be done?)

1. Statement of Condition
The condition identifies the nature and extent of the finding or unsatisfactory condition. It often answers the question: "What was wrong?" Normally, a clear and accurate statement of condition evolves from the auditor's comparison of results with appropriate evaluation criteria.

2. Criteria
This attribute establishes the legitimacy of the finding by identifying the evaluation criteria and answers the question: "By what standards was it judged?" In financial and compliance audits, criteria could be accuracy, materiality, consistency, or compliance with applicable accounting principles and legal or regulatory requirements. In audits of efficiency, economy, and program results (effectiveness), criteria might be defined in mission, operation, or function statements; performance, production, and cost standards; contractual agreements; program objectives; policies, procedures, and other command media; or other external sources of authoritative criteria.

3. Effect
This attribute identifies the real or potential impact of the condition and answers the question: "What effect did it have?" The significance of a condition is usually judged by its effect. In operational audits, reduction in efficiency and economy, or not attaining program objectives (effectiveness), are appropriate measures of effect. These are frequently expressed in quantitative terms; e.g., value, number of personnel, units of production, quantities of material, number of transactions, or elapsed time. If the real effect cannot be determined, potential or intangible effects can sometimes be useful in showing the significance of the condition.

4. Cause
The fourth attribute identifies the underlying reasons for unsatisfactory conditions or findings, and answers the question: "Why did it happen?" If the condition has persisted for a long period of time or is intensifying, the contributing causes for these characteristics of the condition should also be described.

Identification of the cause of an unsatisfactory condition or finding is a prerequisite to making meaningful recommendations for corrective action. The cause may be quite obvious or may be identified by deductive reasoning if the audit recommendation points out a specific and practical way to correct the condition. However, failure to identify the cause in a finding may also mean the cause was not determined because of limitations or defects in audit work, or was omitted to avoid direct confrontation with responsible officials.

5. Recommendations
This final attribute identifies suggested remedial action and answers the question: "What should be done?" The relationship between the audit recommendation and the underlying cause of the condition should be clear and logical. If a relationship exists, the recommended action will most likely be feasible and appropriately directed. Recommendations in the audit report should state precisely what needs to be changed or fixed. How the change will be made is the audited entity's responsibility. More generalised recommendations (e.g., greater attention be given, controls be re-emphasised, a study made, or consideration be given) should not be used in the audit report, but they are sometimes appropriate in summary reports to direct top management's attention to compliance-type findings disclosed in several areas.

Unless benefits of taking the recommended action are obvious, they should be stated. The cost of implementing and maintaining recommendations should always be compared to risk. Recommendations should be directed to an individual capable of taking action.

6. Policy/Process
Audit findings will include: the nature of the findings, the criteria used to determine the existence of the condition; the cause of the condition; the significance of its impact; and what the auditors think should be done to correct the situation.

QUALITY ASSURANCE
The purpose of "quality assurance" is to provide reasonable assurance that audit work performed by ABC Company - Internal Audit conforms to Generally Accepted Auditing Standards.

Quality Assurance Policy
All working papers shall be independently reviewed to ensure there is sufficient evidence to support conclusions, document the extent of audit work performed, and ensure that all audit objectives have been met, as well as substantiate compliance with applicable auditing standards. A detailed review shall be conducted by the Audit Manager for assigned staff's working papers. A less comprehensive review shall be conducted by Internal Audit Department or an assigned Quality Assurance staff person.

EXCEPTION: If the Audit Manager is the only staff member assigned to the audit/task then the detailed review shall be performed by department administration or an assigned Quality Assurance staff person.

Initialling (Director/Quality Assurance staff person and the Audit Manager) working papers (Section Summaries, Audit Programs, Draft Report) and completing the "Quality Assurance Review form," will serve as documentation of the review process and will be filed with the working papers.

NOTE: Auditors are encouraged to perform an "informal" self-review of their working papers. However, this review would be for their benefit only and therefore this document SHALL NOT be a part of the working papers.

Quality Assurance Review Process
In performing the review the reviewer should:
• Review working papers from audit program steps to the referenced working papers ensuring cross-referencing is proper, the working papers support the steps performed, and all steps have been completed (or why steps were not completed).
• Review working papers from the report(s) to the digest to the working paper summaries to the detailed working papers to ensure that all findings are stated, adequately document and support the OPINIONS, FINDINGS, and RECOMMENDATIONS stated in the report.
• Determine working paper's compliance to department working paper standards.
• Determine report(s) compliance with department report standards.
• Determine Permanent Audit File's compliance with department standards.
• Record any deficiencies, comments, etc. on a Working Paper Review Notes form.
• The auditor(s) who prepared the working papers will then respond (if necessary) to these points on the same form.
• After the reviewer has "cleared" the points and completed (initialled) the "Quality Assurance Review form," the working papers will be forwarded to Internal Audit Department.
• Internal Audit Department will review the working papers and discuss the findings and review comments with the Assigned Auditor, Audit Manager, and Reviewer, then complete the relevant parts of the "Quality Assurance Review form," and approve the draft report for the exit conference.
• The Report Reviewer will perform a pre-exit conference edit check for spelling, cursory grammatical, and consistency review.
• The assigned auditor will forward a copy of the draft report to the audited entity prior to the exit conference.
• After exit conference amendments, the Report Reviewer will perform a spell check, as well as a cursory grammatical and consistency review, then print out the FINAL version of the report.
• The Audit Manager, assigned Auditor(s) and Director will review and sign the final report.
NOTE: The working papers and report will be factors used in the Performance Evaluation process.

GENERAL STANDARDS FOR WORKING PAPERS
Functions of Working Papers
• Support auditor's opinion
• Aid in the conduct and supervision of the engagement
• Provide a record of:
1. Procedures applied
2. Test performed
3. Information obtained
4. Pertinent conclusions reached
• Provide evidence that the audit was conducted in accordance with Generally Accepted Auditing Standards

Completeness of Working Papers
• Working papers should be accurate and complete
1. No significant questions within the scope or related to the objective of the audit should go unanswered
2. Working papers must "stand alone," in that they clearly state what work was performed, how and from where samples were selected, the purpose of the working papers, what findings were made, etc.
• Each item in the working papers should contain:
1. A descriptive heading
2. Identification of source if not obvious
3. The date of preparation and the auditor's initials
4. The index number of the work paper
• Working papers should be sufficient, competent, relevant, and useful to provide a sound basis for audit findings and recommendations
1. Consistent, neat, not crowded
2. Only essential items included
3. Arranged in a uniform style
• Working papers should prove that standards have been followed such as:
1. Adequate planning and supervision
2. Adequate review of internal control
3. Sufficient competent evidential matter

Examples of Working Papers
• Working papers may include any or all of the following:
1. Audit programs, summaries, schedules, computations, or analysis prepared or obtained
2. Memoranda, interviews, letters of confirmation or representation
3. Data stored on tapes, films, disk, or other media
• The working papers listed below constitute the minimum REQUIRED support for an assignment
1. Working Papers Index
2. Assignment Form
3. Draft Report
4. Digest of Significant Findings
5. Quality Assurance Review
6. Audit Program
7. Section Summaries for each audit program section
8. Worksheet or Lead Schedules
9. Final Report
• The following working papers should generally be prepared, but may not be considered mandatory for all assignments:
1. Permanent Audit File
2. Summary of Audit Objectives and Time Control
3. Announcement Letter
4. Contact List
5. Audited Entity Financial Statements
6. Interim Memoranda and Meetings

7. Exit Conference Record

Cross-Referencing of Working Papers
• All significant amounts and items should be cross-referenced

Indexing of Working Papers
• Every page should have an index number
• The index should be simple
• The index should be capable of infinite expansion

GENERAL STANDARDS - REPORT(S)
• Reports conform to the department format guidelines.
• Report title specifically states what was audited.
• Report is copied to right people (at a minimum this should be the Vice President in Internal Audit reporting line, and the report addressee's direct supervisor, reporting line, etc.)
• Audit objectives are stated clearly and in agreement with those stated in the announcement letter or Audit Assignment form (if no announcement letter sent).
• Scope clearly states what we examined including, if applicable, what period, transactions, documents, and limitations.
• Opinions (where appropriate) are supported by audit findings.
• Background contains mission and other information of value to reader.
• Findings are presented clearly and contain the following elements:
○ Statement of Condition - Is stated in first sentence
○ Criteria - Policy, etc.,
○ Effect - potential or actual exposure to ABC Company
○ Cause - how did it happen (if known)
○ Recommendation
• Recommendations are specific enough so the audited entity understands what is expected, something that can be accomplished, cost beneficial, followed-up on, etc.
• Draft Report is referenced to the working papers.
• Reports are objective, clear, concise, constructive, and timely.
• The auditor presents to appropriate management a draft of the final report for discussion before issuance of the final report.
• If appropriate, a Management Letter may be issued.

REPORTING AND FOLLOW-UP
The most successful audit projects are those in which the audited entity and the Internal Auditors have a constructive working relationship. Our objective is to have the audited entity's continuing involvement as well as communication at every stage, so that the audited entity understands what we are doing and why we are doing it.

Although every audit project is unique, the audit process is similar for most engagements. The audit process normally consists of four stages: Preliminary Review, Fieldwork, Audit Report, and Follow-up Review.

Audit Report, Transmittal Letter and Management Letter
Our principal product is the final report in which we express our opinions about the audit findings and discuss our recommendations for improvements. Therefore, in order for Internal Audit to be effective, our reports must clearly and persuasively convey the results of our audits and convince readers to recognise the validity of the findings and the benefit of implementing any recommendations. To facilitate communication and ensure that the recommendations presented in the final report are practical, Internal Audit ALWAYS discusses the rough draft with the audited entity prior to issuing the final report.

Internal Audit prints and distributes the final report to the audited entity's operating management, the audited entity's reporting supervisor, the Finance Director and other appropriate members of senior ABC Company management. This report is primarily for internal ABC Company management use. The Internal Audit Director's approval is required for release outside of ABC Company. The results of the audit are also included in the Internal Audit's annual report to the Board of Directors.

The first page (transmittal letter) of the report is a letter requesting the audited entity's written response to the report recommendations within 30 days. The audited entity should explain, in the written response, when and how report findings will be resolved with an implementation timetable. We encourage the audited entity to copy this response to all recipients of the final report. The audited entity's response is included in Internal Audit's annual report to the Board of Directors.

A management letter written to and distributed to only the audited entity manager may be issued. This letter will contain suggestions for improving controls, operations, and anything Internal Audit Department feels needs to be in writing.

CONFIDENTIALITY - REPORTS
Although Internal Audit reports are internal documents exclusively for the use of ABC Company, certain reports will contain information that SHOULD NOT BE DISCLOSED OUTSIDE OF THE AREAS RECEIVING THE REPORT.

Policy
Audit reports will be classified as CONFIDENTIAL if they meet the following criteria:
• Report discloses a weakness (potentially resulting in a loss) which has not been corrected at the time of distribution
• Report discloses sensitive information which could prove an embarrassment to ABC Company (if made public)
• Report discloses information classified as "restricted data"
• At the discretion of the Director of Internal Audit

Audit reports classified as CONFIDENTIAL will contain the words CONFIDENTIAL REPORT on the title page and the footnote "Confidential - Do not disclose information in this document." on each page.

Process
The Audit Manager will discuss their recommendation and rationale regarding the classification of a report when it is given to the Director of Internal Audit for initial review.

EXIT CONFERENCE
After the draft report has been approved by Internal Audit Department, the auditor(s) meet with the audited entity's management team to discuss the findings, recommendations, and text of the draft. At this time, the audited entity comments on the draft report, and any inaccuracies or impractical recommendations are resolved to the extent possible.

Pre-exit conference items
• There should be no surprises - everything in the draft should have been discussed during the fieldwork.
• Be sure you can easily find supporting documentation for findings in the working papers in case questions arise at the exit conference.
• Try to anticipate potential questions/conflicts

Exit conference agenda
• Go through verbal recommendations:
• Discuss the following and go through report and management letter:
○ Do they want to respond after receiving the final report or would they like their response either included or attached to the final report (department preference is to include or attach the audit response with the final report)?
○ A follow-up will be done within one year to review action taken.
○ Results of audit, response, and follow-up will be included in our annual report to the Board of Directors.
○ Were there any questions about the scope and objectives?
○ Are there any questions about the opinion?
○ Are there any questions, comments, additions, or deletions on background?
○ Any comments or questions about other sections (go through each)?
○ General comments about audit process?

CLOSING OF THE AUDIT
The auditor then prepares a draft, taking into account any revisions resulting from the exit conference and other discussions. When the changes have been reviewed by Internal Audit Department and the audited entity, the final report is issued. The report is then printed in final by the report reviewer and distributed to the audited entity's reporting supervisor, the Finance Director, and other appropriate members of ABC Company management. This report is primarily for internal ABC Company management use. The Internal Audit Director's approval is required for release outside of ABC Company.

Input in Board of Directors Report
The establishment of a clear reporting structure with the Board of Directors enhances Internal Audit's independence and strengthens our ability to function freely within ABC Company. It also provides us the opportunity to acquaint the Board with any critical audit findings or issues, our assessments of operations during the past year, and our concerns, goals and plans for the next fiscal year. The results of all report findings and recommendations, the response from the audited entity, and the follow-up shall be reported in an annual report to the Board of Directors.

Audit Feedback Questionnaire
An audit feedback questionnaire will be sent to the audited entity immediately after an audit report (excluding cash count and follow-up reports) has been issued. Questionnaires returned shall be recorded and summarised.

Follow-up Review
Within one year of the final report, Internal Audit shall perform a follow-up review of audited entities to ascertain the resolution of the report findings. The actions taken to resolve the findings shall be reviewed and may be tested to ensure that the desired results were achieved. In some cases, managers may choose not to implement an audit recommendation and to accept the risks associated with an audit finding - the follow-up review will note this as an unresolved finding.

The follow-up report will list the actions taken by the audited entity to resolve the original report findings. Unresolved findings will also appear in the report and will include a brief description of the finding, audit recommendation, client response, current condition, and the continued exposure to ABC Company. In addition to the original report recipients and other officials as deemed appropriate, the follow-up review results will also be included in the Internal Audit Annual Report to the Board of Directors.

PERSONNEL
JOB DESCRIPTION: DIRECTOR OF AUDIT
Reports To: Board of Directors, Finance Director
SUMMARY: Direct and coordinate internal auditing within ABC Company as an independent appraisal of the various operations and systems of control to determine if acceptable policies and procedures are followed, established standards met, resources are used efficiently and economically, planned missions are accomplished effectively and the organisation's objectives are being achieved.
DUTIES AND RESPONSIBILITIES:
• Supervise and coordinate internal audit programs of ABC Company accounting and financial operations to include the review of accounting procedures, confirmation of accounts, inspection of physical operations, and investigations of irregularities and errors.
• Supervise examination and analysis of records to ensure the effectiveness of accounting and managerial controls at reasonable cost, accuracy of transactions, and compliance with applicable laws and established ABC Company policies and procedures.
• Direct and coordinate analysis of operating departments and functions and make recommendations to promote maximum managerial effectiveness and operational efficiency when appropriate.
• Ascertain the extent to which ABC Company assets are accounted for and safeguarded from losses.
• Counsel and guide auditors to ensure that approved audit objectives are met and practical coverage is achieved.
• Identify those activities subject to audit coverage, evaluating their significance and assessing the degree of risk inherent in the activity in terms of cost, schedule, and quality.
• Monitor work performance for accuracy and completeness to ensure compliance with established departmental objectives.
• Supervise audit participation and participate in systems and procedures development and testing.
• Supervise review of procedures and records for their adequacy to accomplish intended objectives, appraising policies, and plans relating to the activity or function.
• Train and instruct supportive staff.
• Review and ascertain the reliability of management data developed within the organisation.
• Recommend and develop internal auditing policies, standards of performance, procedures, and programs.
• Authorise the publication of reports on the results of audit examinations, including recommendations for improvements.
• Serve in advisory capacity for ABC Company officials.
• Make recommendations for improved fiscal management systems.
• Appraise the adequacy of corrective action taken by operating management and prepare a variety of related reports and analysis.
• Serve as liaison with many departments and offices to assist with problems and determine need for audits.
• Contact with staff, outside businesses and agencies regarding ABC Company audit related or business problems.
• Provide executive management with annual reports on the results of audit activities.
• Direct various personnel functions including, but not limited to hiring, merit recommendations, promotions, transfers, vacation schedules, and dismissals.
• Determine fiscal requirements of internal auditing operations and prepare budgetary operations.
• Monitor, verify, and reconcile expenditure of budgeted funds.
• Perform special reviews as requested by the Finance Director.
• Review ABC Company policy and structural changes that might alter audits and coverage.
• Serve on various ABC Company committees.
• Represent ABC Company at professional organisations, associations, and committees.
• Perform other duties incidental to the work described herein.

JOB DESCRIPTION: ASSOCIATE DIRECTOR OF INTERNAL AUDIT
Reports To: Internal Audit Director
SUMMARY: Provide administrative and supervisory support to the Director for the coordination and administration of system-wide audits, the planning and development of department operations, and the supervision of department staff.
DUTIES AND RESPONSIBILITIES:
• Supervise professional staff by evaluating performance, hiring, and terminating when necessary.
• Review audits to ensure that they are conducted according to audit standards, sufficient evidence is obtained, and that procedures are properly documented to support audit findings.
• Plan and prepare formal written reports addressed to department managers or external agencies.
• Attend entrance and exit conferences for audits in the absence of the Director.
• Appraise the adequacy of departmental replies to audit reports.
• Manage day-to-day office operations such as ensuring audits are on schedule, weekly time reports are submitted, and assignment forms are issued.
• Assist the Director in developing and implementing new and revised department policies and procedures necessary for providing internal auditing services to all entities within ABC Company.
• Determine the direction and extent of audits.
• Serve as department head in the absence of the Director and assist the Director with budget planning.
• Recommend to ABC Company Administration control issues that should be addressed with ABC Company Institutional policies.
• Design technically complex audit programs for specialised computer software to retrieve information from ABC Company computer systems.
• Maintain an effective liaison with ABC Company managers and external auditors to coordinate audits of ABC Company records.
• Certify financial reports at the request of external agencies.
• Serve on various ABC Company committees in an advisory capacity.
• Assist the Director in developing an audit plan that provides for the effective audit coverage of ABC Company systems based on an assessment of potential risk and exposure to ABC Company.
• Survey functions and activities of units to evaluate nature of operations and existence and adequacy of internal controls.
• Provide guidance, training, and assistance to auditors.
• Continue to develop expertise in specialised areas to advise other auditors or ABC Company units.
• Maintain knowledge of current accounting and auditing practices through continuing professional education.
• Perform other related duties incidental to the work described herein.

JOB DESCRIPTION: INFORMATION SYSTEMS AUDIT MANAGER
Reports To: Internal Audit Director
SUMMARY: Use specialised knowledge of accounting, auditing, and electronic data processing (EDP) to perform audits of the adequacy of internal controls and the accuracy of institutional data in ABC Company's data processing areas. Attest to the accuracy, effectiveness, and efficiency of ABC Company's information (EDP-based) systems. Determine level of compliance with institutional policies and procedures, laws and contractual obligations regarding privacy and security in data processing areas. Provide support to internal auditors in the development of computer-assisted audit techniques. Requirements needed for this position are a minimum of an undergraduate degree in accounting, business administration, finance or computer science, and a certificate or licensing for CPA and/or CIA. Four years experience as an EDP auditor, two years experience as a financial auditor, and knowledge of computer environment similar to the one at ABC Company.
DUTIES AND RESPONSIBILITIES:
• Participate in the development of new ABC Company system applications to:
1. Ensure that adequate controls are established and installed to meet management objectives,
2. Verify that users and computer operations staff have been trained in the system functions and controls
3. Determine whether level of security is appropriate
4. Verify that backup and recovery procedures are complete
• Perform audits of existing financial and security applications, the related network links and the supporting computer data centres.
1. Based on a review and evaluation of current internal controls, assess potential risk, and exposure to ABC Company, and prepare detailed audit program describing tests to be performed.
2. Obtain sufficient competent and relevant evidential matter, analyse and summarise data to support an objective informed opinion on the adequacy and effectiveness of internal controls, the accuracy of institutional data, and the level of compliance with ABC Company policies.
3. Draft written reports expressing opinions on the adequacy and effectiveness of system controls, the accuracy of institutional data, and the level of compliance with relevant policies and procedures. Recommend changes in policies and procedures to enhance controls or correct deficiencies.
• Appraise the adequacy of replies to final audit reports and perform post-audit reviews to determine the extent to which audit recommendations have been implemented.
• Assign work and supervise EDP audit staff (when applicable) so that the audit is conducted in a professional manner and the audit objectives are accomplished.
• Review working papers and conduct performance appraisals so that standards are complied with and evaluations can be accurately completed.
• Serve on various ABC Company committees addressing such items as data access, computer and network security, system design, etc.
• Provide guidance, training, and assistance to staff auditors in using computerised audit techniques, maintaining library of standard audit programs, administering the department's computer network, etc.
• Stay current with technical changes in auditing, data processing, accounting, ABC Company policies, and government regulations so that audits are conducted professionally and in accordance with department standards.
• Develop an EDP audit plan that provides for the effective audit coverage of ABC Company's EDP application systems based on an assessment of potential risk and exposure to ABC Company.

JOB DESCRIPTION: AUDIT MANAGER
Reports To: Internal Audit Director / Associate Director SUMMARY: Using specialised knowledge of accounting, auditing, and electronic data processing, plan and conduct complex and technical financial and managerial audits of ABC Company operations. Analyse evidential data as a basis for an informed, objective opinion. Prepare comprehensive reports addressed to campus and ABC Company administration and external agencies. DUTIES AND RESPONSIBILITIES:
• Plan and perform complex, technical financial and managerial audits of ABC Company operations in accordance with accepted professional standards.
• Determine whether areas reviewed are performing their planning, accounting, custodial, and control activities in compliance with managerial guidelines, applicable statements of policy and procedures, and in a manner consistent with both ABC Company objectives and high standards of administrative practice.
• Obtain and analyse data to provide an objective, informed opinion on the accuracy and fairness of financial statements. This includes performing advanced and complex analytical procedures and recommending material adjustments (i.e. to ABC Company financial statements).
• Develop an audit plan that provides for the effective audit coverage of ABC Company operations, based on an assessment of potential risk and exposure.
• Survey functions and activities of units to evaluate nature of operations and existence and adequacy of internal controls.
• Perform audits of ABC Company operations to ensure effectiveness of accounting and managerial controls and accuracy of recorded data, promote efficiency, safeguard ABC Company assets, and monitor compliance with applicable laws and ABC Company policies and procedures.
• Supervise and direct staff assigned to assist on audits. Monitor performance of staff and evaluate performance of supervised staff.
• Exercise professional judgment to determine materiality of findings and adequacy and effectiveness of the operation.
• Conduct special reviews requested by administration. Arrive at independent decisions concerning recommendations for administration.
• Maintain an effective liaison with managers and external auditors to coordinate audits of ABC Company records.
• Determine the direction and extent of assigned audits. Prepare the program and establish procedures, which may include statistical sampling and electronic data processing.
• Prepare and evaluate working papers supporting opinions presented in the report to administration and external agencies.
• Appraise the adequacy of replies to audit reports and perform post-audit reviews to determine the extent to which audit recommendations have been implemented.
• Establish audit procedures involving statistical sampling and electronic data processing.
• Use specialised knowledge to retrieve information from ABC Company mainframe computers.

• Discuss deficiencies and recommend corrective actions to improve operations and reduce costs.
• Plan and prepare formal written reports addressed to managers or external agencies.
• Continue to develop expertise in specialised areas to advise other auditors or ABC Company units.
• Review and evaluate the adequacy of the overall accounting and non-accounting controls of computerised information systems residing on departmental computers. This requires a general understanding of departmental activities in relation to computerised information systems under review.
• Perform general administrative tasks including those assigned by the Director.
• Maintain knowledge of current accounting and auditing practices through continuing professional education.


JOB DESCRIPTION: INFORMATION SYSTEMS AUDITOR
Reports To: Information Systems Audit Manager

SUMMARY: Using specialised knowledge of auditing and information technology, participate in audits of ABC Company's information systems, systems development processes, LANs, and related resources/processes to determine the adequacy of general and application controls and to assess compliance with applicable policies, procedures, statutes, and contract requirements. This entails analysing evidential data as a basis for an informed, objective opinion and preparing comprehensive reports addressed to ABC Company administration.

DUTIES AND RESPONSIBILITIES:
• With guidance from the Information Systems Audit Manager, plan and conduct audits in accordance with applicable professional and office standards.
• Exercise professional judgment to determine adequacy of controls, materiality of findings, and sufficiency of evidence to support opinions and findings presented in audit reports.
• Prepare working papers containing sufficient, competent, and relevant evidence to support findings and opinions in audit reports.
• Draft audit reports containing the results of the audit, including findings, recommendations, and opinions.
• Assist financial and operational auditors in applying information systems audit principles and concepts, identifying the relevant automated controls to include in the audit scope, designing audit programs/procedures to assess their adequacy, and documenting the impact of strengths or weaknesses to current audit procedures/objectives.
• Perform post-audit reviews to determine the extent to which audit recommendations have been implemented.
• Appraise the adequacy of replies to final audit reports, and perform post-audit reviews to determine the extent to which audit recommendations have been implemented.
• Discuss deficiencies with management and recommend actions to improve controls, enhance information integrity, streamline processes, and reduce costs.
• Where appropriate, recommend changes in policies and procedures to enhance controls or correct deficiencies.
• Write/develop computer assisted audit techniques (CAATs) to extract and manipulate data from complex computer systems and to facilitate audit compliance and substantive testing procedures.

• Assist in administering and supporting the Internal Audit Local Area Network (LAN).
• Maintain knowledge of current auditing, data processing, and accounting practices and ABC Company policies and government regulations.
• Provide in-house information systems audit and technical training for internal audit staff.
• Perform other duties as assigned.

QUALIFICATIONS:

Required:
• Degree in business, accounting, or information systems discipline or equivalent combination of education and experience.
• One year of related work experience in information systems auditing or related field (e.g., information systems analysis, or development).
• Excellent planning, organisation, research, analysis, writing, and interpersonal skills.
• Ability to communicate effectively with individuals and groups at all organisational levels.
• Able to work in a team-oriented environment.

Preferred:
• Certification preferred (e.g., ACCA, CPA, CIA).
• Proficient in providing mainframe and PC support to internal audit staff using computerised audit tools to retrieve and analyse data stored on mainframe and departmental systems.
• Familiar with diverse computing environments and architecture, including mainframe, client-server, network, and personal computers.
• Familiar with operations, policies, and procedures in ABC Company environment.

JOB DESCRIPTION: AUDITOR
Reports To: Director of Internal Audit Department

SUMMARY: Provide assistance to the audit manager in performing financial and managerial audits of general ABC Company operations. The duties include analysing evidential data as a basis for an informed, objective opinion and preparing comprehensive reports addressed to ABC Company administration and/or external agencies.

DUTIES AND RESPONSIBILITIES:
• Participate in performing financial and managerial audits of general ABC Company operations in accordance with accepted professional standards.
• Aid the audit manager in determining whether areas reviewed are performing their planning, accounting, custodial, and control activities in compliance with managerial guidelines and applicable statements of policy and procedures, and in a manner consistent with both ABC Company objectives and high standards of administrative practice.
• Obtain and analyse data to provide an objective, informed opinion on the accuracy and fairness of financial statements. This includes performing analytical procedures and recommending adjustments to ABC Company financial statements.
• With guidance from the audit manager, determine the direction and extent of assigned audits. Prepare the program and establish procedures which may include statistical sampling and electronic data processing.
• Prepare working papers supporting opinions presented in the report to administration and external agencies.
• Participate in audits of ABC Company systems to ensure effectiveness of accounting and managerial controls and accuracy of recorded data, promote efficiency, safeguard ABC Company assets, and monitor compliance with applicable laws and ABC Company policies and procedures.
• Exercise professional judgement to determine materiality of findings and adequacy and effectiveness of the operation.
• Assist in the review and evaluation of the overall accounting and non-accounting controls of computerised information systems residing on departmental computers. This requires a conceptual understanding of the departmental activities in relation to computerised information systems under review.
• Discuss deficiencies and recommend corrective actions to improve operations and reduce costs.
• Plan and prepare formal written reports addressed to department managers or external agencies.
• Perform post-audit reviews to determine the extent to which audit recommendations have been implemented.
• Assist in the performance of special reviews requested by administration.
• Maintain knowledge of current accounting and auditing practices through continuing professional education.
• Perform other related duties incidental to the work described herein.

PERFORMANCE EVALUATION
Performance evaluation will serve two major functions in our department. First, it will be used for employee development. The feedback that employees receive from the appraisal process should provide them with information they can use to improve job performance. Second, performance appraisal provides bottom-line evaluations of employees that can be used for administrative decisions such as promotion, salary evaluation, recommendation for training, or remedial action.

Performance Evaluation Policy
All Internal Audit full-time appointed employees will have an evaluation of their work performance at least every semester and once a fiscal year. The results of these evaluations will be the primary means for administrative decisions.

Performance Evaluation Process
The evaluation process will be a twofold approach (interim evaluation and annual evaluation). These evaluations will be performed in September and March respectively. Specific factors that will be considered in the annual Performance Evaluation shall include:
• Audits
   1. Total Chargeable Hours at department standard
   2. Audit Completed Timely
   3. Audit Within Budget hours
   4. Working papers Technically Correct (Dept Standards)
   5. Audits Performed according to standards
   6. Hours at Audited Entity Location

• Professional Knowledge
   1. Competent in required job skills and knowledge
   2. Exhibits ability to learn and apply new skills
   3. Exhibits sound and accurate judgment
   4. Requires minimal supervision
   5. Displays understanding of how job relates to others

• Professional Development
   1. Keeps current on ABC Company Policies and Processes
   2. Keeps current on ABC Company systems
   3. Participates in available Continuing Education
   4. Certified as CIA, CPA, ACCA
   5. Keeps current with Accounting and Auditing trends

• Teamwork
   1. Balances team and individual responsibilities
   2. Exhibits objectivity and openness to others' views
   3. Gives and welcomes feedback
   4. Contributes to building a positive team spirit
   5. Puts success of team above own interests

• Written Communication
   1. Writes clearly, precisely and informatively
   2. Edits work for spelling, grammar, and format
   3. Varies writing style to meet needs
   4. Follows standards for presenting elements of findings
   5. Scope, Objective and Opinion consistent w/ work done
   6. Selects and uses appropriate communication methods

• Oral Communication
   1. Speaks clearly and persuasively
   2. Listens and gets clarification
   3. Responds well to questions
   4. Demonstrates group presentation skills
   5. Participates in meetings
   6. Keeps others adequately informed

• Innovation
   1. Displays original thinking and creativity
   2. Meets challenges with resourcefulness
   3. Generates suggestions for improving work
   4. Develops innovative approaches and ideas


General comments could be made in the following areas:
• Adaptability
   1. Adapts to changes in the work environment
   2. Manages competing demands
   3. Accepts criticism and feedback
   4. Changes approach or method to best fit the situation

• Analytical Skills
   1. Synthesises complex or diverse information
   2. Collects and researches data
   3. Uses intuition and experience to complement data
   4. Identifies data relationships and dependencies
   5. Designs work flows and procedures

• Attendance & Punctuality
   1. Schedules time off in advance
   2. Begins working on time
   3. Keeps absences within guidelines
   4. Ensures work responsibilities are covered when absent
   5. Arrives at meetings and appointments on time

• Cooperation
   1. Establishes and maintains effective relations
   2. Exhibits tact and consideration
   3. Displays positive outlook and pleasant manner
   4. Offers assistance and support to co-workers
   5. Works cooperatively in group situations
   6. Works actively to resolve conflicts

• Cost Consciousness
   1. Works within approved budget
   2. Conserves organisational resources
   3. Develops and implements cost saving measures
   4. Contributes to profits and revenue

• Customer Service
   1. Displays courtesy and sensitivity
   2. Manages difficult or emotional customer situations
   3. Meets commitments
   4. Responds promptly to customer needs
   5. Solicits customer feedback to improve service

• Dependability
   1. Responds to requests for service and assistance
   2. Follows instructions
   3. Responds to management direction
   4. Takes responsibility for own actions
   5. Commits to doing the best job possible
   6. Keeps commitments
   7. Meets attendance and punctuality guidelines

• Initiative
   1. Volunteers readily
   2. Undertakes self-development activities
   3. Seeks increased responsibilities
   4. Takes independent actions and calculated risks
   5. Looks for and takes advantage of opportunities
   6. Asks for help when needed

• Judgment
   1. Displays willingness to make decisions
   2. Includes appropriate people in decision making process
   3. Makes timely decisions

• Leadership
   1. Exhibits confidence in self and others
   2. Inspires respect and trust
   3. Reacts well under pressure
   4. Shows courage to take action
   5. Motivates others to perform well

• Managing People
   1. Provides direction and gains compliance
   2. Includes subordinates in planning
   3. Takes responsibility for subordinates' activities
   4. Makes self available to subordinates
   5. Provides regular performance feedback
   6. Develops subordinates' skills and encourages growth

• Organisation Support
   1. Follows policies and procedures
   2. Completes administrative tasks correctly and on time
   3. Supports organisation's goals and values
   4. Benefits organisation through outside activities
   5. Supports affirmative action and respects diversity

• Personal Appearance
   1. Dresses appropriately for position
   2. Keeps self well-groomed

• Planning & Organisation
   1. Prioritises and plans work activities
   2. Uses time efficiently
   3. Plans for additional resources
   4. Integrates changes smoothly
   5. Sets goals and objectives
   6. Works in an organised manner

• Problem Solving
   1. Identifies problems in a timely manner
   2. Gathers and analyses information skilfully
   3. Develops alternative solutions
   4. Resolves problems in early stages
   5. Works well in group problem solving situations

• Project Management
   1. Develops project plans
   2. Coordinates projects
   3. Communicates changes and progress
   4. Completes projects on time and budget
   5. Manages project team activities

• Quality
   1. Demonstrates accuracy and thoroughness
   2. Displays commitment to excellence
   3. Looks for ways to improve and promote quality
   4. Applies feedback to improve performance
   5. Monitors own work to ensure quality

• Quantity
   1. Meets productivity standards
   2. Completes work in timely manner
   3. Strives to increase productivity
   4. Works quickly
   5. Achieves established goals

• Safety & Security
   1. Observes safety and security procedures
   2. Determines appropriate action beyond guidelines
   3. Uses equipment and materials properly
   4. Reports potentially unsafe conditions

• Sales Skills
   1. Achieves sales goals
   2. Overcomes objections with persuasion and persistence
   3. Initiates new contacts
   4. Maintains customer satisfaction
   5. Maintains records and promptly submits information

TRAINING AND PERSONAL DEVELOPMENT
Certification Programs
One aspect of professional development is obtaining professional certification as a Certified Public Accountant, Certified Internal Auditor, Certified Information Systems Auditor, or Certified Fraud Examiner. To increase the professionalism and credibility of the audit staff, the department supports employees' efforts in achieving certification through obtaining study aids and providing reimbursement for sitting for exams. Support is also given by making study time available during working hours and allowing time off to sit for exams. Professional certification is a factor used in the department's annual employee performance appraisal. Professional development through certification, membership, and participation in professional organisations is encouraged. Internal Audit Department funds may be available and budgeted to support this activity.

Continuing Education
Internal Audit has a responsibility to provide for the most effective use of available continuing education funds in supporting staff member requests for professional training.

Process:
• Auditors should review seminar material.
• Staff members who desire to attend a particular seminar should (if total expenditures will exceed €100) complete the above mentioned form. (Requests to attend seminars that will cost less than €100 can be communicated informally to the Director.)
• The Director will make the decision for the expenditure based on availability of funds and the staff members’ current professional development responsibilities and requirements in maintaining their technical competence and proficiency.

ADMINISTRATIVE PROCEDURES
MANAGEMENT OF AUDIT RESOURCES
The principal resource that Internal Audit has to accomplish its mission is the amount of available staff hours. Therefore, it is paramount that we have a process that will provide the information necessary to effectively manage this resource.

Audit Resource Reporting Policies
All professional training requires prior approval of the Internal Audit Director. The departmental standard for the hours that staff are expected to charge to projects each year is 1,500 hours. Auditors shall perform fieldwork at the audited entity location whenever possible. All staff members will submit a weekly progress report, using the electronic Audit Reporting and Management System (ARMS), detailing the hours spent on assigned projects. The MISCELLANEOUS UNBUDGETED TASK will be used to list duties that you performed that were not budgeted and for days that you were not in the office because of paid time off or sick time. Progress reports must be completed by Friday 6:00 p.m.

Projects will be reported in half-hour increments using the project control numbers assigned by the director. The comments field will be used to provide a brief description of the work performed or, if no work was performed, an explanation of why. The comments field should also include a statement of how many hours were spent performing fieldwork at the audited entity location. Any audit work or other activity that is material (e.g. expected to accumulate more than 8 hours or for which a written report/memo will be issued) will be assigned a project control number.

STANDARD ELECTRONIC TOOLS
ANAEL Queries
To establish a library of standard 'off the shelf' ANAEL queries, these queries will be written so that they can be easily executed by changing well-defined parameters, or simply modified to OUTPUT data in a different format.
• The library will be controlled by the department ANAEL LIBRARIAN who will be responsible for updating the library and informing staff of the current library's contents.
• Queries will be written by staff members who have developed an appropriate understanding of the structure and the data in the accessed files.
• Queries will be written according to standards established by the department.
• Queries will be thoroughly reviewed and tested before being placed in the library by the librarian.
• Whenever practical these queries will be used to extract data from ANAEL defined files for use in audit testing.

Electronic Working Papers
To assure standardisation of working papers and reports, standardised reports, programs and working papers have been developed as Word templates. In addition, there is an Audit Macros toolbar that will enable you to input your information in a form that will automatically add the information to the new Word document.

MISCELLANEOUS POLICIES
Purging Working Papers
Working papers shall be retained for five years after the date of the report. The working papers shall be purged once a year after the Director's approval. The exception to this policy is when we are required to retain working papers longer by law or by agreement.

Paid Time Off
Whenever possible, paid time off (PTO) should be requested and scheduled in advance. If you are sick you should call or e-mail the Director or the secretary as soon as you can.

Computer Software
Only computer software that the department or ABC Company owns the rights to should be installed on department computers. If you wish to install other software on a department computer, you must receive prior approval from the Director and provide evidence that you own the rights to the software.

Housekeeping
Good housekeeping bears a direct relationship to orderly and efficient work habits. When out of the office, material in work areas should be straightened. Care is to be exercised to avoid exposure of confidential or potentially sensitive documents.


APPENDIX A – Audit Announcement Letter
{Date}

{Name of Audited Entity}
Attn:
{Address}
{Address}

RE: Audit of {Name of Audited Entity}

We are in the process of planning the audit for {Name of Audited Entity}. The audit is presently scheduled to begin {Begin Date of Audit}, and we anticipate being on site for two to three weeks. We understand that some scheduling adjustments may become necessary to accommodate your staff’s schedules. Please review the audit schedule with your management team to ensure the timing is coordinated with them. We will work with {name of person} as our main contact.

Our audit will be conducted in accordance with generally accepted auditing standards and, accordingly, will include such tests of the accounting records and other auditing procedures as we consider necessary to accomplish our audit objectives. We will follow up on previously raised audit issues, review internal controls, the human resource function, operating efficiencies, computer systems, year 2008 status, and other audit procedures considered necessary based on the circumstances encountered.

We appreciate your support and the cooperation of your staff as we work together on this engagement. If you would like to discuss the audit, areas that need special audit attention or this schedule, please call me at 555-323-4123.

INTERNAL AUDIT DEPARTMENT

Audit Manager


APPENDIX B – Audit Feedback Questionnaire Form
The purpose of this questionnaire is to solicit your opinions concerning the quality of service we provided during our recent engagement. This information will help to foster future improvements in the Internal Audit function. We request that you, or the staff member most familiar with our recent work, complete and submit the questionnaire. Please feel free to expand on any areas that you wish to clarify in the comments area. We sincerely appreciate your assistance.

Questions
1. During the initial conference, the audit team explained the objectives, timing, and audit process and solicited your questions and concerns.
2. The audit team exhibited an understanding of your unit's mission/operations/procedures.
3. The audit team was cooperative in attempting to minimise interruptions to your operations and schedule.
4. The audit team demonstrated technical proficiency in audit areas and knowledge of company policies.
5. The audit team demonstrated courtesy, professionalism, and a constructive and positive approach.
6. You or your key staff members were adequately informed of the audit status, major issues, and final results on a timely basis.
7. You had the opportunity to provide explanations or responses to audit findings as they developed during the audit process.
8. During the exit conference, all findings were adequately discussed and all issues of fact were resolved.
9. The final report was accurate and clearly communicated the audit results.
10. The audit recommendations were constructive, relevant, and actionable.

On a scale of 0 (no value) to 10 (high value), how much value do you feel this audit added to your unit?

Please use the comment box below to let us know what specific changes we can make to improve our audit process.


Comments:


APPENDIX C – Internal Audit Glossary
A

Adding Value: By virtue of our position within the Company, Internal Audit is able to gather data to understand and assess risk and develop significant insight into operations and opportunities for improvement that can be beneficial to the Company. This valuable information can be in the form of consultation, advice, written communications, or through other products.

Adequate Control: Present if management has planned and organised (designed) their operations in a manner that provides reasonable assurance that the Company's risks have been managed effectively and that its goals and objectives will be achieved efficiently and economically.

Analytical Review: The examination of ratios, trends and changes in balances and other values between periods to obtain a broad understanding of the Company financial or operational position and identify areas that may require further or closer investigation.

Assurance Services: An objective examination of evidence for the purpose of providing an assessment on risk management, control, or governance processes for the Company. Examples may include financial, performance, compliance.

Audit Committee: Committee of the Company that has no operational responsibilities for any of the activities undertaken by the Company. Their primary function is to help ABC Company fulfil its stewardship role by reviewing the systems of risk management, governance and internal control. The Company's Audit Committee meets three times a year.

Audit Scope: Refers to the activities covered by an internal audit. Audit scope often includes:
• Audit objectives
• Nature and extent of auditing procedures performed
• Time period audited
• Related non-audit activities that delineate the boundaries of the audit
When planning audit assignments at the Company, we always agree the scope of our reviews with the unit managers before starting the audit.

Audit Test Matrices: Audit Test Matrices include:
• Risks
• The Expected Controls
• The Compliance Test

Audit Working Papers: Record the information obtained, the analyses made, and the conclusions reached during an audit. Audit working papers support the bases for the findings and recommendations to be reported. Audit working papers are a key part of the evidence used by us in arriving at our conclusions and recommendations.

Auditable Activities: Consist of those subjects, units, or systems, which are capable of being defined and evaluated. Auditable activities may include:
• Policies, procedures and practices
• Cost centres
• General ledger account balances
• Information systems (manual and computerised)
• Major contracts and programmes/projects
• Functions such as information technology, finance, accounting, personnel etc.
• Transaction systems for activities such as income, expenditure, treasury management, payroll and capital assets
• Financial statements
• Laws and regulations
We have adopted a risk-based approach in recent years, an approach that uses the Company's Risk Register as a means of identifying our audit universe.

Audit Universe: An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process. Traditionally, the list included all financial and key operational systems audited as part of the overall cycle of planned work. The audit universe serves as the source from which the five-year audit plan and the annual audit schedule are prepared. Developments in the approach to auditing and audit planning have meant that the audit universe is determined by risk (i.e. a risk universe) and that the risk-based approach to auditing results in planning that is driven by the Company's risk register. The universe will be periodically revised to reflect changes in the overall risk profile. An inventory of audit areas, or audit universe, will be compiled and maintained.

Authorisation: Implies that the authorising authority has verified and validated that the activity or transaction conforms to established policies and procedures.

Authorising: Includes initiating or granting permission to perform activities or transactions.

C

Charter: The charter of the internal audit activity is a formal written document that defines the activity's purpose, authority, and responsibility.

Compliance: The ability to reasonably ensure conformity and adherence to Company's policies, plans, procedures, laws, regulations, contracts, ordinances and statutes.

Conclusions: Our evaluation of the effects of the findings on the activities reviewed. Conclusions usually put the findings in perspective based upon their overall implications, particularly in a risk-based audit approach which will provide an audit viewpoint in relation to the aims and objectives of the Company.

Conflict of Interest: Any relationship that is or appears to be not in the best interest of the Company. A conflict of interest would prejudice an individual's ability to perform his or her duties and responsibilities objectively.

Consequence: The outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain.


Control: Any action taken by management, the board, and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved. Management plans, organises, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. (See internal control also).

Control Environment: The attitude and actions of the members and management regarding the significance of control within the organisation. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:
• Integrity and ethical values
• Management's philosophy and operating style
• Organisational structure
• Assignment of authority and responsibility
• Human resource policies and practices
• Competence of personnel

Control Framework: A recognised system of control categories that covers all internal controls expected in an organisation.

Control Processes: The policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process.

Control Risk: The tendency of the internal control system to lose effectiveness over time and to expose, or fail to prevent/detect weaknesses in the systems of control.

Control Self-Assessment: A class of techniques used in an audit or in place of an audit to assess risk and control strength and weaknesses against a Control Framework. The "self" assessment refers to the involvement of management and staff in the assessment process, often facilitated by internal auditors. There are many self-assessment techniques in use. At the Company, we operate an annual self-audit system that is a form of self-assessment.

D

Detection Risk: The probability that an incorrect audit conclusion will be drawn from the results of the examination or that the audit work will fail to detect any serious errors.

Detective Controls: Actions taken to detect and correct undesirable events which have occurred.

Directive Controls: Actions taken to cause or encourage a desirable event to occur.

Due Professional Care: Calls for the application of the care and skill expected of a reasonably prudent and competent internal auditor in the same or similar circumstances. Due professional care is exercised when internal audits are performed in accordance with Generally Accepted Auditing Standards. The exercise of due professional care requires that:
• Internal auditors be independent of the activities they audit
• Internal audits be performed by those persons who collectively possess the necessary knowledge, skills and disciplines to conduct the audit properly
• Audit work be planned and supervised
• Audit reports be objective, clear, concise, constructive and timely
• Internal auditors follow up on reported audit findings to ascertain that appropriate action was taken.

At ABC Company, we have agreed procedures in place to ensure that we work to recognised professional audit standards.

E

Effect: Effect is the risk or exposure the audited entity and/or others encounter because the condition is not the same as the criteria (the impact of the difference).

Effective Control: Present when management directs systems in such a manner as to provide reasonable assurance that the organisation's objectives and goals will be achieved.

Error: As it relates to internal audit reports, it is an unintentional misstatement or omission of significant information in a final audit report.

External Auditors: Refers to those audit professionals who perform independent annual audits of an organisation's financial statements.

F

Findings: Pertinent statements of fact. Audit findings emerge by a process of comparing what should be with what is.

Follow-up: This is a process that we use to determine the adequacy, effectiveness and timeliness of actions taken by management on previous audit findings and recommendations.

Fraud: Any illegal acts characterised by deceit, concealment or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by individuals and organisations to obtain money, property or services; to avoid payment or loss of services; or to secure personal or business advantage.

G

Goals: Goals are specific objectives of specific systems and may be otherwise referred to as operations or programmes, objectives or goals, operating standards, performance levels, targets or expected results.

Governance Process: The procedures used by the representatives of the Company's stakeholders to provide oversight of risk and control processes administered by management. Governance is the Company's strategic response to risk, which brings together related components such as strategic planning, risk management, assurance that goals and objectives will be achieved, and internal auditing.
I

Inherent Risk: Risks that an account or class of transactions contains material misstatements irrespective of the effects of the controls.

Internal Audit: The Company's in-house team that provides independent, objective assurance and consulting services designed to add value and improve the Company's operations.

Internal Control: A process within an organisation designed to provide reasonable assurance regarding the achievement of the following primary objectives:

• The reliability and integrity of information
• Compliance with policies, plans, procedures, laws, regulation and contracts
• The safeguarding of assets
• The economical and efficient use of resources
• The accomplishment of established objectives and goals for operations or programmes.

Irregularities: Refers to the intentional misstatement or omission of significant information in accounting records, financial statements, other reports, documents or records. Irregularities include:

• Fraudulent financial reporting which renders financial statements misleading, and
• Misappropriation of assets.

Irregularities involve:

• Falsification or alteration of accounting or other records and supporting documents
• Internal misapplication of accounting principles
• Misrepresentation or intentional omission of events, transactions or other significant information.

L

Likelihood: A qualitative description of a probability or frequency.

M

Management: Used to indicate, firstly, the level of management to whom the Director of Internal Audit is responsible and secondly anyone who has responsibilities for setting and/or achieving objectives.

Monitoring: Encompasses supervising, observing and testing activities and appropriately reporting to responsible individuals. Monitoring provides an ongoing verification of progress toward the achievement of objectives and goals.

N

Net Risk: See also Residual Risk.

O

Objectivity: An unbiased mental attitude that requires internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others.

Operations: Refers to the recurring activities of an organisation directed toward producing a product or rendering a service. Such activities may include, but are not limited to, marketing, procurement, personnel, finance and accounting.

Opportunity: An uncertain event with a positive probable consequence. Related to risk, the possibility that one or more individual organisations will experience beneficial consequences from an event or circumstance.

P

Planning Risk: The risk that the planning process is flawed. In risk assessment, it is the risk that the assessment process is inappropriate or improperly implemented.

Preventative Controls: Actions taken to deter undesirable events from occurring.

Probability: A measure (expressed as a percentage or a ratio) of estimation sometimes used as a basis of measuring the likelihood and impact of risks when undertaking risk assessments.

Q

Quality Assurance: A programme by which the Head of Internal Audit evaluates operations of the internal auditing service.

R

Recommendations: Actions we believe are necessary to correct existing conditions or improve operations.

Residual Risk: Also known as 'net risk'. This is the level of risk remaining after the relevant controls have been applied by management to the gross (or 'absolute') risk. Residual risk represents the actual level of exposure that the Company faces.

Risk Analysis: The assessment of risk, the management of risk, and the process of communicating about risks. A systematic use of available information to determine how often specified events may occur and the magnitude of the consequences.

Risk Assessment: The identification of risk, the measurement of risk, and the process of communicating about risks. A systematic process for assessing and integrating professional judgments about probable adverse conditions and/or events. The risk assessment process measures risk by the use of two factors: impact and likelihood.

Risk-Based Auditing: An approach that focuses upon how an organisation responds to the risks it faces in achieving its goals and objectives; it aims to provide assurance on the management of the identified risks within the context of the Company's corporate plans and aims.

Risk Classification: Part of the risk assessment process that categorises risks, typically into high, medium, low, and intermediate values.

Risk Evaluation: See risk measurement.

Risk Factors: Measurable or observable characteristics of a process that either indicate the presence of risk or tend to increase risk exposure.

Risk Identification: The method of identifying and classifying risks. See risk classification.

Risk Management: Proactive steps that management can take to assess and manage business risks. The culture, processes and structures that are directed toward the effective management of potential opportunities and adverse effects.

Risk Management Process: The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, assessing (evaluating), managing (treating), monitoring and communicating risk.

Risk Management Strategy: A structure for linking the company's business strategy and organisation to its risk management objectives.

Risk Management Systems: Principles relating to the design, development, and management (primarily information technology) of systems for providing reliable, accurate and timely information related to risk management.

Risk Measurement: The evaluation of the magnitude of risk which usually involves developing a set of risk factors that are observed and measured to detect the presence of risk.

Risk Prioritisation: Ability to measure risks into a logical order by establishing how significant they are in comparison to the achievement of business goals and objectives. The relation of acceptable levels of risks among alternatives.

Risk Register: A central register of the Company's key risks that identifies the classification of risks by area, impact and likelihood.

Risk: The chance of something happening that will have an impact on the Company's or one of its units' objectives. It is measured in terms of impact and likelihood. Importantly, risk can be both positive and negative, although most positive risks are sometimes known as opportunities and negative risks are called simply risks.
S

Significant Audit Findings: Those conditions which in the judgment of the Director of Internal Audit could adversely affect the Company. Significant audit findings may include conditions dealing with irregularities, illegal acts, errors, inefficiency, waste, ineffectiveness, conflicts of interest, and control weaknesses.

System: System (process operation, function or activity) is an arrangement, a set, or a collection of concepts, parts, activities and/or people that are connected or interrelated to achieve objectives and goals. (This definition applies to both manual and automated systems). A system may also be a collection of subsystems operating together for a common objective or goal.

T

Threat: A combination of risk, the consequences of that risk, and the likelihood that the negative event will take place. Often used in analysis in place of risk. The possibility that one or more individuals or organisations will experience adverse consequences from an event or circumstance.

U

Uncertainty: A condition where the outcome can only be estimated due to incomplete or imperfect knowledge of the area/subject in question. In practice, uncertainty impacts upon the quality of risk assessments by managers.

Understanding: Means the ability to apply broad knowledge to situations likely to be encountered, to recognise significant deviations and to be able to carry out the research necessary to arrive at reasonable solutions.
