Doracaku I Auditimit Të Brendshëm (Pjesa e II)

Ministry of Finance and Transfers 2 CHU for Internal Audit
Internal Audit Manual – Part II: The Audit Process
CONTENTS
Foreword .............................................................................................................. 3
Acronyms .............................................................................................................. 5
Introduction.......................................................................................................... 6
Chapter 1: Overview Of The Audit Process .......................................................... 8
Chapter 2: Audit Planning .................................................................................. 10
Chapter 3: Field Work......................................................................................... 40
Chapter 4: Reporting and Audit Closure ............................................................ 58
Chapter 5: Follow-Up Procedures For Details. ................................................... 71
Chapter 6: Follow-Up Procedures And Quarterly Status Reports ...................... 73
Chapter 7: Supervision ....................................................................................... 83
EU Support to Improving Public Management, Control, and Accountability in Kosovo

An EU funded project managed by the European Commission Liaison Office
FOREWORD
This Manual was prepared by the Ministry of Finance,
Central Harmonization Unit for Internal Audit, in
cooperation with experts from the EU-funded project
“Further Support on Public Internal Financial Control and
Internal Audit” and subsequently revised under the EU
project to provide “Support to Improving Public
Management, Control & Accountability” and project of
USAID "Transparent, Effective, and Accountable
Municipalities" to comply with the requirements of the
Law on Public Internal Financial Control and International Internal Auditing
Standards.
This Manual is available in three languages, Albanian, Serbian and English, and
comprises two parts supplemented by various material that is available on the
CHU-IA website:
https://mf.rks-gov.net/page.aspx?id=1,79
This first part concerns managing the internal audit function, introducing the
role of the main stakeholders, outlining the guiding principles and policies, and
describing the important processes for developing strategic and annual audit
plans.
The second part details the activities of the audit team as it proceeds through
an individual audit and will be useful as a pocket guide to auditors as they work
on their audit assignments.
In recent years, the profession of internal audit has undergone rapid

development. As public sector internal auditors, it is important to work hard to
apply modern internal audit techniques in Kosovo. This Manual will be a
valuable tool to help internal auditors in Kosovo’s public sector entities to fulfil
their important role in ensuring accountability and good governance.
A key issue in bringing modern audit to public sector entities in Kosovo is

removing the association of internal audit with the old concept of inspection,
which was a check conducted by an external authority. Instead, managers
should consider the internal auditor as a partner who will help them reduce the
risks they face and who will provide insights into how the organisation could

operate more efficiently, effectively and economically. Being a partner means

working closely with management at each stage of our audit activity - starting
from the initial meeting with management, through each of the phases of
planning and conducting the audit, reporting results and following up
recommendations.
To be respected as professionals, auditors must conduct themselves
professionally, which means:
 not passively waiting for, but actively seeking to work jointly with
the Head of PSE at all levels of their organisation;
 objectively evaluating the effectiveness and efficiency of the
internal control mechanisms of PSE;
 coordinating their work with the Office of the Auditor General of
Kosovo and other control bodies;
 determining compliance of the PSE processes with the relevant
legislation, regulations and other rules;
 verifying the timeliness and accuracy of financial and other
operational reports;
 delivering useful audit reports that help PSE management
understand their risks and provide practical recommendations for
improving control procedures, processes and decisions which
address the risks facing the PSE; and
 performing professional, objective consultancy services when
requested.
This manual represents the current situation of the internal audit function in
Kosovo, and at the same time it focuses on basic principles and does not
address some of the more complex issues. I would like to emphasize that as
the practice of internal audit in Kosovo continues to evolve, the Central
Harmonisation Unit for Internal Audit will reflect the changing circumstances
through its instructions, and we are happy to receive your comments.

ACRONYMS
AC Audit committee
ATL Audit Team Leader
HEAD OF PSE/CAO Head of Public Sector Entity/Chief Administrative Officer
CHU-IA Central Harmonisation Unit

CPE Continuing Professional Education
ECLO European Commission Liaison Office
EU European Union
EWT Effective Working Time
IA Internal Audit
IAL Internal Audit Law
IAM Internal Audit Manual
IAU Internal Audit Unit
IIA Institute of Internal Auditors
MOF Ministry of Finance
OAG Office of the Auditor General
PIFC Public Internal Financial Control
PSE Public Sector Entity
PSS Public Sector Subject

INTRODUCTION
This is Part II of the Internal Audit Manual for internal audits in the Kosovo
public service.
“Internal audit” is an independent and objective advisory activity in

providing reasonable assurance that aims at increasing the value and
improving the functioning of the public sector entity, helping the entity in
meeting the objectives by providing systematic, disciplined approaches, to
assess and improve the effectiveness of risk management, control and
governance processes.
A “systematic” and “disciplined” approach to internal audit is achieved by

implementing a unified methodology and professional standards by internal
auditors. This part of the Internal Audit Manual describes the standard
approach to the conduct of internal audits. Internal auditors need to
understand this approach and apply it consistently to maximise the quality of
internal audit in the PSE’s in Kosovo.
This part of the manual outlines the activities that internal auditors carry out
within the framework of an individual audit assignment, the participants in the
process, and their functions and responsibilities in each phase of the audit
process (planning, field work, reporting and follow-up).
The manual does not consider audit consultancy assignments that internal
auditors may be asked to perform from time to time, as the approach to each
consulting assignment will vary according to the circumstances.
This part of the manual is supplemented by Templates of Audit Working Papers

which can be accessed via the CHU-IA website:
https://mf.rks-gov.net
These Working Papers are provided to guide internal auditors through the audit
process and ensure that appropriate material is gathered during the audit to

fulfil the Standards for audit documentation. Internal audits may take many
different forms depending on the process or organisation being examined and
the audit approach that is being applied. Consequently not all the standard
working papers will be relevant for all audits – some may need to be replaced
or modified and some additional Working Papers may need to be created.
Therefore the internal auditors should use their judgment in determining what
Working Papers are appropriate for each audit.
The Audit Working Papers apply to the four phases of each individual audit:
audit planning; fieldwork; reporting; and follow-up. The working papers are
organized by phase and it is suggested they are given reference numbers
according to the following scheme:
 Phase 1000 Audit Planning

 Phase 2000 Fieldwork
 Phase 3000 Reporting
 Phase 4000 Follow-up
It is assumed for the purpose of this part of the manual that the individual audit
assignment is being done within the context of a Strategic Audit Plan and an
Annual Plan. The methodology and procedures for strategic and annual
planning are presented in the Part I of the Internal Audit Manual.
All terms used in this volume are explained in the Glossary presented with Part
I of the Internal Audit Manual.

CHAPTER 1: OVERVIEW OF THE

AUDIT PROCESS
An internal auditor’s job is to assist the Head of the PSEto discover and
evaluate risks, and contribute to improving the financial management and
control systems operating in that organisation. In general, a “system” is a
combination of interrelated elements, that constitute a single complete
process which performs a particular function.
The principles applying to financial management and control systems are set
out in the Law on Public Financial Management and Accountability (LPFMA).
Internal auditors should be familiar with this Law and support the Head of the
PSE in its implementation. They should conduct in-depth analyses of the
financial management and control systems to assess the effective functioning
of the control mechanisms. In other words, the emphasis should be on auditing
systems, as opposed to examining transactions.
In systems audits the auditors form an opinion about the control mechanisms
that are in place, how they operate and what is their impact on the objectives
of the organisation. This is done by examining and evaluating the processes in
the organisation, as illustrated by the following figure:
Control
Input Processing Output
Feedback

Each process in the organization being audited has its own objectives. Internal
auditors must be familiar with all processes and focus audit attention on those
that are significant or prone to risk. Knowing the goals, resources, process flow
and results of the processes, auditors are able to define the objectives and
scope of internal audit.
The systems audit is a “step-by-step” process. However, steps should not be

regarded as independent stages as each must be completed before starting the
next stage of the audit - the systems audit is an integrated whole process. The
auditors’ basic knowledge of the systems will gradually broaden in the course
of the audit. At each stage of the audit process, the internal auditors will have
the opportunity to reconsider their approach based on their improved
understanding of the system.
The key to a high quality audit is the auditors’ approach to the planning and
conduct of the audit. To ensure consistent high quality, internal auditors apply
a standard approach to each audit. This standard audit process has four phases:
planning, fieldwork, reporting and monitoring of the implementation of
recommendations (including follow-up). These phases are discussed in the
following Chapters.

CHAPTER 2: AUDIT PLANNING

2.1. INTRODUCTION TO AUDIT PLANNING
The planning phase is critically important for the efficient performance of an

effective audit. This phase has two main steps:
 Preparing for the audit; and

 Planning the audit activities and allocating resources.
In the course of preparing for the audit the internal auditors should:
 Document the audited process to understand how it operates;

 Identify the control objectives;
 Define the scope of the audit;
 Conduct the initial meeting with the Head of the PSE of the audited
organization;
 Identify and assess the risks in the audited process;
 Assess the controls against the risks in the audited process; and
 Choose an approach, identifying the type and number of checks to be
carried out.
At the end of this stage, the Team Leader and the members of the audit team
draw up the audit plan.
An audit plan is prepared at the start of every audit assignment envisaged in

the annual plan. It contains the objectives, scope, duration and allocation of
resources for the assignment.

The following diagram illustrates the process of planning for the audit:
Annual audit plan Set out audit scope and

objectives
Understand objectives of
the audited process/unit
Gather information
Identify and assess risks
Formulate control objectives
Assess the control

environment and
management controls
Medium/Strong Weak
Continue Weak Select substantive

assessingthe audit approach (no
a) information
: and reliance on controls)
communication
; b) key (mostly
application) controls
Select the audit strategy
Prepare the Planning

Medium/Strong Document with Audit Work
Program (or forms used at
field-
work)

The sequence of events illustrated by the above diagram is discussed further in

following sections of the manual.
Planning step for the specific audit Included within chapters in

manual of the year 2008
1. Definition of the audit objectives See sub-parts 1.2 and 1.3

and audit scope
2.1 Understading the objectives and Sub-part 1.1.1
the risks for the audited proces
2.2 Gathering hystorical Sub-part 1.1.2

informations
3. Identifying risks and formulating the Sub-part 1.5

control objectives
4. Assessment of the Control Sub-part 1.6.1
Environment
5. Assessment of Management Sub-part 1.6.3
Controls
6.1 Assessment of the applicable Sub- part 1.6.4
controls
6.2 Assessemt of the information Nën-pjesa 1.6.5

and communication, if the
assessment was medium/
strong at the point 5.
7. Slection of the audit approach Part 1.7
8. Drafting the final planning Part 1.8

document and audit plan
preparation.

In addition it is useful to understand how the management process relates to

the whole audit process as presented in the schematic below:
Management process Audit process
Process/ unit Decide on audit scope
Decide upon the audit objectives

Objectives Risks and understand management
objectives/risks
Risk Control
assessment objectives
Controls and
Information and DICE form
Risk response related
communication
documentation
Audit
field-work
Testing of
Audit report
Monitoring controls by
audit
Actions to improve

2.1.1. Understanding and documenting the activity/process to be audited

The planning stage determines how the entire audit assignment will be
executed. Good planning is a prerequisite for efficiently completing the audit
assignment that coupled with the high level of competence of the auditors,
should lead to an improvement in the organisation’s operations. Therefore
internal auditors must approach the planning stage with particular care, making
use of their professional skills and experience, taking into account how well
The first Audit Planning working paper, number 1001, is a simple checklist
that the Audit Team Leader can use to signify that each working paper has
been duly completed. If a working paper on the list is not to be completed,
the Audit Team Leader should strike it through as being not required. Any
additional working papers created for the audit should be added at the
bottom of the list and initials of the Head of the Audit Team must be
placed, to demonstrate his/her approval.
TEMPLATE No 1 – Audit Planning Checklist (WP 1001)
The annual plan of the IAU is the basis for assigning auditors to specific audits.
Once assigned, the Audit Team Leader should work with the audit team to plan
the specific audit work. The work depends on whether the internal audit
activity in the organization will be done by:
a) An IAU;
b) Shared Internal Audit Unit; or
c) The IAU team within the Ministry of Finance and Transfers.

APPROACH 1 – where internal audit activity is performed by internal

auditors procuder by organizations form an external service provider
Assuming in this case that the internal audit team is less familiar with the
organisation, the team members must devote more time to prior study and
preparation of the audit assignment to ensure they have adequate knowledge
of the audited activity/process and the established financial management and
control systems.
The understanding of the activity is achieved by collecting and studying

information about:
 Legislation and internal regulations and procedures that concern the

audited organisation;
 The objectives of the organisation;
 The organisation structure, including allocation of responsibilities, job
descriptions, etc.;
 Main areas of operation;
 The risk assessment methodology applied in the organization;
 Information processing procedures and key controls;
 The accounting environment and accounting policy;
 Financial management and control systems;
 Staff turnover; and
 Other applicable documents.
As a starting point, the audit team should refer to the material in the
Permanent File. The team should then consider what additional information
may be needed and collect it for addition to the Permanent File as necessary.
The audit team analyses the information collected and prepares for the initial
meeting with the Head of the PSE of the audited PSE.
The Audit Team Leader will judge whether the understanding achieved is
sufficient or if it is necessary to request additional documentation and
explanations from the Head of the PSE. As a result of the work performed at

this stage, the audit team defines in broad terms the objectives and scope of
the audit that are then discussed at the initial meeting with the the Head of the
PSE. After this discussion the Audit Team Leader may supplement or amend the
original objectives, taking into account the opinion of the management on
contentious areas. At a later stage the objectives will be specified in more
detail, and the precise scope of the audit will be defined for incorporation in
the final audit plan.
When the Audit Team Leader is ready to initiate the Internal Audit, s/he will
write to the management responsible for the unit or process to be audited to
inform them of the impending audit, seek a meeting to obtain background
information, and indicate the audit team’s requirement for office space and
equipment. This letter should be sent so that it is received at least a week prior
to the requested meeting. Use: TEMPLATE No. 2 - Request for Initial Meeting
(WP 1002)
The reason for requesting the information is to ensure the auditor has a
sufficient understanding of the organisation unit or process to identify and
evaluate controls and design appropriate tests. The Audit Team Leader should
first consult the Permanent File to determine what information is already in the
possession of the IAU and should limit the request for additional information
about the organisational unit or process that is not on the permanent file.
Further, the Audit Team Leader should not seek copies of all information at this
stage, but should ask where the information can be accessed, such as web
sites, central files, corporate publications and so on, so that the audit team can
follow up.

APPROACH 2 - Fulfilment of an audit assignment, where the internal

audit activity is performed by an IAU
Where the internal audit activity is performed year-round by a permanently

established IAU, the Director of the IAU can plan the specific assignment with
less emphasis on the preliminary data gathering. The assumption here is that
the team is already familiar with the organisation. However, where the IAU or
any of its members are new to the organisation, it is recommended that the
more substantial preliminary work described in Approach 1 be undertaken.
Because it is assumed that the auditors already have an understanding of the

organisation to be audited, planning should focus on an evaluation of the
control environment and risks, from which the objectives and scope of each
specific audit assignment can be defined in general terms.
While completing this step, the auditors should use data from the Permanent
file of the project, results of former audits, meetings and interviews with the
Head of the PSE and other responsible experts. To collect additional
information, internal auditors may draw up and provide questionnaires to
employees, for completion as part of the audit. Use: TEMPLATE No 4 – Internal
Control Questionnaire (WP 1004)
These documents gather basic information to help the auditor understand

the control environment, and identify the systems and controls that are in
place. They can be used to guide an interview with the senior manager of
the organisation unit being audited, or it can be provided to senior
managers for them to complete in their own time. The auditor should
modify the ICQ as s/he sees fit, being careful not to undermine the key
data it is designed to capture
The Director of the IAU should ensure that the Head of the PSE is familiar with
the Strategic and Annual Plans, and should also inform the Head of the
organisation of the planned audit activity. This is an important courtesy.
Reasonable advance notice of each audit should be sent in writing to the
highest-ranking manager of the audited PSE.

Internal Audit Manual 18 Part II – The Audit Process
2.1.2. GATHERING THE INFORMATION
Preliminary preparation for the audit requires the collection of a significant

amount of information. Sources of information include: documents, interviews,
questionnaires, procedure fiches, organizational charts, diagrams, etc., as these
provide important reference points throughout the audit.
The auditors will obtain information from various sources (such as the
Permanent File for the organisation, the sources identified by the audit
manager in the Initial Meeting and subsequently, the Internal Control
Questionnaire) and will review it to identify avenues for further
investigation. This information, and the suggested audit procedures, will
be recorded on this form and initialed by each auditor who contributed.
The Audit Team Leader will review and sign the form as part of the
ongoing quality assurance for the audit.
Use: TEMPLATE No 5 – Record of Information Review (WP 1005)
When choosing data collection methods, internal auditors must judge which
method is most efficient at satisfying the objectives of the review. The choice
will depend on the professional judgment of the auditor and will reflect the
auditor's understanding of the audited organization, the type of the audit and
the specifics of the assignment.
Use: TEMPLATE No 11 – Notes from Information Gathering (WP1011)
At this stage of the planning phase the internal audit team should have a good
understanding of the processes on which they are focusing and the audit
objectives and scope for the audit will have been specified. Now the steps of
the audited process must be documented. For this purpose a working paper
”Analysis of System Risks” is used. Auditors use this document to identify the
processes they will test. Use: TEMPLATE No 12 – Analysis of System Risks (WP
1012)
This working paper records the following key elements: the process to be
audited; the objective of the process; the steps, risks and control procedures
related to the process; and, assessment of the risks related to the process. In
this way, the entire audit process is reflected in the working paper.

Standard 2210 – Engagement Objectives

Objectives must be established for each engagement.
Standard 2210.A1 - Internal auditors must conduct a preliminary

assessment of the risks relevant to the activity under review.
Engagement objectives must reflect the results of risk assessment.
2.2. SETTING AUDIT OBJECTIVES
Audit objectives are broad statements developed by internal auditors to define

what the assignment is intended to accomplish. Audit procedures are the
means to attain audit objectives.
The audit objectives determine the work to be carried out by the internal
auditors.
Audit objectives may be general or specific. In organisations where the internal

audit is performed by an IAU, the general objectives are defined during the
annual planning stage together with the assessment of the control
environment and risks, and the definition of scope for each specific audit
assignment. The Director of the IAU acquaints the Head of the PSE at the initial
meeting with the general objectives and the scope of the internal audit.
The general objectives of the audit must be clear, focusing on important

processes and significant risks and aiming to improve the processes being
audited. Usually, the general objectives of an audit are concerned with
reviewing regulatory compliance, how economically, effectively and efficiently
operations are managed, the safeguarding of assets, and the accuracy of
accounting information.
Internal auditors specify the audit objectives at the same time as identifying
control objectives. The control objectives are related to the objectives of the
audited process.

What is a control objective?

The objectives of the audited process are control objectives for internal
auditors. They are reffered as control objectives as they direct the auditors'
attention to:
- The expected results to be achieved by the audit unit;
- Risks to the achievement of results;
- The controls necessary to mitigate risks and ensure achievement of
results;
- The objectives of the audited process.
The control objectives are the objectives of the audited entity/process

identified by internal auditors for each satge of its operation.
Example: If the internal audit focuses on the accounting and financial

activities of the organisation, the objectives of the audit will relate to the
reliability and accuracy of the financial information and the compliance of the
accounting records and financial reports with the policies, plans, procedures,
regulations and laws, and safeguarding of assets.
Control objectives are the basis for identifying the risks in a process and for
assessing the adequacy of the controls established to manage the risk.
It is important that internal auditors reach the Head of the PSE's agreement on
control objectives prior to identifying risks and assessing the control activities.
The difference between audit objectives and control objectives is shown in the
following example:
Audit of process for defining, calculating and paying remunerations at the PSE
X.
*****************************************************************
(Payroll Audit)

Objectives of the audit
To assess whether the payroll process functions in compliance with the relevant
legislation, management policies and procedures;
To ensure that the payroll systems operate so that staff are paid correctly and
on time;
To ensure that the payroll procedures are efficient and effective.
Scope of the audit
The audit will cover all current payroll procedures operating within the Ministry
X from the commencement of employment of a new member of staff to the
point at which s/he retires from or leaves the Ministry;
The audit will be limited to the processes and procedures operated by other
departments or agencies on behalf of the Ministry.
Control objectives
To ensure employees’ working hours and leavers, promotions, salaries and

deductions from salary are authorised for all employees.
To ensure employees’ time attendance data are properly reviewed, approved,
processed, documented and accurately coded for accounting purposes.
To ensure calculations of gross pay, deductions and net pay are:
- accurate; and
- based on authorised times and amounts.
To ensure tax and social security information is accurately and promptly
reported.
To ensure payroll deductions are correctly accounted for and paid to the third
parties to whom they are due.
To ensure payroll data is handled and maintained confidentially.
The audit objectives determine the work to be performed by the internal

auditors. It is important to remember that different control objectives apply to

different processes. Internal auditors must continuously think about additional

control objectives, reflecting the context in which the process functions and
some specific problems facing the process, which are subject of the review.
Formulation of the objectives
In developing audit objectives, internal auditors may use the following

suggestions as a basis:
 Evaluate whether the policies and procedures in place are adequate
for the objectives of the audited process;
 Establish whether the policies and procedures in place in the audited
process, correspond to the requirements of regulatory acts;
 Verify the existence, condition and custody of physical assets and the
ability of the control systems to protect them against loss or waste;
 Evaluate the completeness, relevance, accuracy and accessibility of
the information system;
 Establish the accuracy and timeliness of financial records; and
 Identify errors and shortcomings and determine the factors (control
weaknesses) that contribute to them.
Control objectives can be formulated as questions, for example:
 Are adequate procedures applied to the processes of the audited

body? Do management decisions relating to this process comply with
statutory requirements and are such decisions fully documented?
 Is there a system to report on the audited processes, and is this
information complete and accurate?
 Are assets properly protected?
 Do the systems ensure that payments are made on time and for the
correct amount?
 Does the accounting system ensure correct entries of the assets,
liabilities, revenues and expenditures and do payments match
contractual obligations?

 Have the requirements for awarding public contracts been met and
have appropriate control mechanisms to ensure fulfilment of the
regulatory requirements been put in place?
The way objectives are formulated depends largely on the type of audit to be
conducted. The annex at the end of the manual gives some examples of audit
objectives for different types of audit.
Please see details in ANNEX No 2 – List of Objectives for Internal Audit
Relationship between audit objectives and audit procedures

Audit procedures are the means for achieving the audit objectives. The basic
and most important procedures are the checks that internal auditors execute
during the audit process. The specific checks to be made are selected during
the planning process to reflect the character of the audited organisation and
may be directed at different types of activities, processes, programs, indicators,
documents, etc.
The objectives and procedures of the assignment, taken together, define the
scope of the internal audit and must be directed to address the risks associated
with the process being checked.
2.3. THE SCOPE OF THE AUDIT
As noted in the preceding section, audit objectives and procedures taken

together define the scope of the internal auditor’s work.
Before the initial meeting with the Head of the PSE, the internal audit team
must define an audit scope that will achieve the objectives for the audit that
were developed in the Annual plan.
The audit scope should define the following parameters of the audit
assignment:
 Audited period;
 Name of the audited process;
 Documents to be checked; and
 Place of conduct of specific checks.

The scope may be constrained by factors or events that reduce the ability of
the auditor to express an independent and professional opinion on the audited
process. Such constraints may relate to:
 The access of internal auditors to assets, documents, information and
key officials with respect to the objectives of the audit; or
 The available human resources and the timetable for the auditor work.
It may be appropriate to include in the scope definition a statement of areas

that, though related to the activity or process being audited, are not to be
included in the audit work. This can clarify the boundaries of the audit and
ensure that expectations about the audit’s results are appropriate.
2.4. INITIAL MEETING
The Director of the IAU or the Audit Team Leader should call a meeting with
the Head of the PSE after the preliminary study of the audited process is
complete, and the scope and objectives of the audit have been defined.
Holding an initial meeting with the Head of the PSE is important for the
efficient fulfilment of the audit assignment and will pave the way for a
cooperative relationship during the course of the audit. The initial meeting
should set a positive tone for the engagement and should calm any
management anxieties.
During the initial meeting, topics of discussion may include:

 Planned audit objectives and scope of work;
 The timing of audit work;
 Internal auditors assigned to the audit;
 The process of communicating during the audit, including the
methods, time frames, and individuals who will be responsible;
 Organisational condition and operations of the activity being
reviewed;
 Concerns or requests for the Head of the PSE;
 Matters of particular interest or concern to the internal auditor; and
 The internal audit reporting procedures and follow-up process.

Template No. 7 provides a draft agenda that can be attached to the “Request
for Initial Meeting” and used to guide the initial meeting. The Audit Team
Leader should modify it to suit the circumstances.
TEMPLATE No 3 – Draft Agenda for Initial Meeting (WP 1003)
The Audit Team Leader will discuss with the Head of the PSE the planned start
and end dates of the audit, and wherever possible should adapt them to
synchronise with other organisational commitments. The Head of the PSE may
use the opportunity to identify specific risks in the audited process that are not
covered by the audit plan, which the audit team should consider for inclusion in
the audit scope.
The auditor should ensure that all those in management who need to know
about the audit are properly informed, and meetings should be held with
managers who are responsible for the activity being examined. A summary
record of matters discussed at meetings and any conclusions reached should be
prepared, distributed to individuals as appropriate, and retained in the
engagement working papers.
2.5. OBJECTIVES AND RISKS
The following activities should be completed and documented in the planning

section of the working papers:
 Assemble background information and document key issues in the
planning section of the working papers;
 Identify objectives for the audit;
 Identify risks related to objectives;
 Assess and identify the critical risks, formulate control objectives
based on the risks and record them with their risk ratings on the
working papers - “Analysis of System Risks”; and
 Identify controls related to critical risks, and document the key
controls in the working paper - “Analysis of System Risks”.
TEMPLATE No 9 – Checklist for Risk Management (WP 1009)
This checklist can be used to get an overview of risk management processes.

2.6. ASSESSING THE INTERNAL CONTROL SYSTEM
Auditors must understand the internal control system that the Head of the PSE
has designed and implemented. The basis for reviewing the control systems is
provided by the COSO internal control systems model.
Auditors should address this model in a systematic way to ensure efficient use
of audit resources. Accordingly, the internal control system evaluation is
performed in the following sequence:
 Understand the objectives and nature of a program/function/process
and define risks related to them, assess risks;
 Assess the control environment;
 Assess the management controls and the process for monitoring their
effectiveness;
 If the auditor decides that the control environment is weak then a no-
control reliance audit approach should be adopted. In this scenario do
not assess the other internal control systems elements;
 If the assessment at point (d) is that the control environment is
medium to strong, then the auditor should proceed to identify and
assess key application controls. There may well be very many
application controls, in which case the auditor should select key
controls that mitigate more than one risk; and
 Assess the effectiveness of information and communication flows and

formulate your audit approach.
2.6.1. ASSESSMENT OF THE CONTROL ENVIRONMENT
Should be considered that the concept of a control environment is not

tangible or easy to understand. Rather it describes an atmosphere or a culture
in the institution, whereby the Head of the PSE sets the tone at the top that
results in a strong or weak control environment.
Note that the concept of control environment usually relates to the whole
audited organisation. If the auditor has previously prepared an assessment of

the control environment, it should only need updating when there have been
significant changes in management, organisational structure, human resources,
or organisational policies.
Attention!
Although auditors should document their assessment of the control

environment, it will generally not be supported by hard evidence. Therefore it
should not be made public even inside the IAU, as this information may be
easily misunderstood or misused. However, even as an estimate, or a feeling,
it is accepted as a valuable planning tool in deciding whether or not to rely on
controls, and if so, to what extent.
Use TEMPLATE No 7 – Checklist for Control Environment (WP 1007)
2.6.2. FRAUD INDICATORS
A strong control environment plays an important role in preventing fraud, and

internal auditors should be alert for indications of fraud. This means:
 Having sufficient knowledge of fraud to be able to identify indicators

that fraud may have been committed. The auditor should know the
characteristics of fraud, the techniques used to commit fraud, and the
types of frauds associated with the activities reviewed;
 Being alert to opportunities, such as control weaknesses, that could
allow fraud. If significant control weaknesses are detected, auditors
should conduct additional tests to look for indicators of fraud. Some
examples of indicators are unauthorized transactions, overriding
controls, unexplained procurement exceptions, and unusually large
project losses or delays. Internal auditors should recognize that the
presence of more than one indicator at any one time increases the
probability that fraud may have occurred; and
 Evaluating the indicators that fraud may have been committed and
deciding whether any further action is necessary or whether to
recommend a fraud investigation.
Where there is enough evidence of fraud to warrant an investigation, the
findings should be turned over to the Audit Committee who will contact the
appropriate authorities to initiate the investigation.

2.6.3. ASSESSMENT OF THE MANAGEMENT CONTROLS
Controls are all activities of management that aim to increase the probability of
the organisation’s objectives being achieved by reducing or eliminating the
impact of identified risks.
Controls are:
 Preventive Controls - Designed to limit the possibility of adverse

outcomes (separation of duties, approval, authorization, verification);
 Detective Controls - Designed to identify adverse outcomes after the

event; (reviews, balances, analysis, counting (physical inventory),
audit);
 Corrective Controls - Designed to correct undesirable outcomes which

have occurred (accounting error correction, repayments);
 Directive Controls - Designed to avoid the undesirable outcome

(orders to do something, restrictions to do something).
The auditor’s assessment of controls directly impacts how many checks will be
conducted during the audit.
The process of assessing risks can be split into 2 stages:
 Identify management controls; and

 Test the key management controls.
The following process is useful in identifying management controls:

Identifying Controls
Is it automated? No
Yes
Yes Is it preventative?
It’s an application
control
No
Yes
Is itt checking that an
application control
has been performed ?
No
Is it’s primary
No purpose to help
Probably not a control! management run the
business?
Yes
It’ s a Management
Monitoring
Control
The second assessment stage could be performed using the checklist from
TEMPLATE No 8 - Checklist for Management Controls (WP 1008). This checklist
presents a series of questions to which the auditor should determine the
answers:
1. Does the Head of the PSE periodically (at least quarterly) review
reports to detect potential problems/errors?
2. Is the Head of the PSE competent to identify problems from those
reports?
3. Does the Head of the PSE get timely feedback of causes of problems, if
it has identified any?
4. Does the Head of the PSE initiate corrective actions in return for the
information related to problems?
5. Does the Head of the PSE check for the successful implementation of
corrective actions?
6. Does the Head of the PSE ensure through (delegated) reality checks
the sufficient achievement of objectives and progress?

7. Does the Head of the PSE react with constructive action on audit
reports/findings?
If all these questions can be answered affirmatively, i.e. “YES”, then the
controls can be considered “effective”. If there is one ”NO” answer, the
management controls should not be assessed as “effective”.
2.6.4. ASSESSMENT OF THE APPLICATION CONTROLS
Application controls differ from management controls in that they are not
performed on aggregated (sum of) transactions, but are exercised on each
transaction individually.
They can be either:
 Manual (performed by staff); or

 Computerized (performed within IT systems).
In cases where an auditor has previously determined that no reliance should be
placed on the controls, application controls will not be tested.
When detailed activity-level risks have been identified and captured on

TEMPLATE No 12 – Analysis of System Risks (WP 1012) the related application
controls (preferably the key controls) should also be recorded on this form.
2.6.5. ASSESSMENT OF INFORMATION AND COMMUNICATION
TEMPLATE No 10 - Checklist for Information and Communication (WP 1010)

can be used while assessing the availability, sufficiency and timeliness of
information and communication.
2.7. SELECTING AN AUDIT APPROACH
Using the results of the internal control system evaluation as described in the
preceding chapters, the auditor must select the appropriate audit approach.
This involves deciding how much to rely on the controls based on the
assessment of the controls and the environment in which they operate.
Alternative audit approaches to this decision are presented in the following

sections.

2.7.1. ALTERNATIVE AUDIT APPROACHES

Broadly an audit approach considers how many tests of a control are necessary
for the auditor to form an opinion about how well a control is working. It is not
usually necessary to test every transaction that passes through a particular
control. Instead, the auditor can test a sample and extrapolate the results from
the sample to the population as a whole.
The key question for an auditor is: how much and what work should I do to
minimize my audit risk, i.e. the risk of arriving at wrong conclusions?
The audit risk is higher when the control system is weak and lower if the
control system is strong. The auditor has to choose how much audit work and
that audit activities should be conducted based on the results of assessment of
the internal control system.
Option 1: no reliance on controls due to weak control

environment
This applies when the control environment is assessed as weak. There is no

point assessing management and application controls if the control
environment has been assessed as weak. The controls cannot be relied upon.
Audit approach: The audit will not include any tests of controls (as controls
cannot be relied upon). Instead, the auditor will perform analytical review and
substantive tests of transactions for financial and compliance audits, and in the
case of a systems audit, the auditor should advise the organisation as to what
management and application controls are required and recommend
improvements to the control environment, using examples of control failures
or poor risk management to demonstrate the problem.
Irrespective of the assessment reached about control environment and

management controls, this approach must be followed if the process or
organisational unit is being audited for the first time.
Option 2: no reliance on controls due to ineffective management

controls
This is the situation when the control environment may have been assessed as
medium, but management controls are not effective. In this situation the

management is not able to detect problems if they occur and corrective action
by the management is not assured.
Audit approach: The audit will not include any tests of controls (as we cannot
rely on them). Instead the auditors should perform extensive analytical review
and substantive tests of transactions in the case of financial or compliance
audits. In the case of a systems audit the auditor should again recommend
controls that need to be designed. Examples of control failures or poor risk
management should be used to demonstrate the problem.
Irrespective of the auditor’s assessment of the control environment and

management controls, this option must be chosen if the process/unit is being
audited the first time.
Option 3: Some limited reliance on controls
When the control environment has been assessed as medium or high and
management controls have been assessed as medium at the planning stage
with some key application controls considered to be effective when they were
tested at the planning stage.
The use of this option assumes that the auditors have audited the process
under review before - so there is some accumulated audit knowledge and
experience.
Audit approach: The auditor should perform analytical reviews and conduct
further testing of management controls and key application controls,
supplemented by limited substantive testing of transactions.
Option 4: Almost complete reliance on controls
Where there is a strong control environment coupled with effective

management controls, the auditors can place almost full reliance on controls,
focusing their attention on testing management and application controls
supplemented with limited substantive tests.

The use of this option assumes that the auditors have audited the process
under review before, so there is significant accumulated audit knowledge and
experience.
The logic behind this approach is that if a material problem had occurred on
any individual transaction, management controls would have identified it and
at the application control level the error would have been prevented or
corrected. Therefore the focus is on testing to check that the controls work as
intended instead of looking for errors that have slipped through on individual
transactions.
Audit approach: The auditor should focus on testing management controls and
key application controls with minimal substantive tests.
2.7.2. RISK-BASED SELECTION OF A SAMPLE

To avoid testing 100% of transactions the auditor should select a sample. In
determining the size of the sample, and the transactions to select, the auditor
should consider factors like monetary value, potential of fraud and frequency
of irregularities, change as a default risk indicator, and timing, as follows:
a) Monetary value
The larger the amount of money involved the bigger is the risk (e.g. risk of
misusing funds or making ineligible payments). Therefore projects, contracts
and detailed transactions are sorted by their size in monetary terms and the
biggest ones selected into the sample.
b) Potential fraud and frequency of irregularities
The Head of the PSE gathers information from different sources (e.g. exception
reports, irregularities database) to record, prevent and understand risks and
irregularities. The units with the highest record of irregularities in their
transactions should be selected into the sample before units with no record of
problems.
c) Change
If change occurs in a programme’s systems, staff or procedures, there is a risk

that the new systems, staff or procedures may not be working as intended, so
they are good candidates for inclusion in the sample.

d) Appropriate spread over the period
If a program period under question is one calendar year, the controls should
not be tested just at the beginning of the year but should be tested evenly
across different periods throughout the year.
If the program period is more than one calendar year, the auditors should aim
at auditing as much as possible from the total program volume. In order to
facilitate this in practice:
 Careful strategic planning is needed on year by year basis; and

 A database should be kept per program to keep track of the amounts
tested.
Use: TEMPLATE No 13 – Control Test Procedures and Results (WP 1013)
While auditors may use their own judgment, the following guidance is provided
for determining sample size:
Population size Sample size
Less than 1,000 units Select one third of the units
2,000 units 371 units
5,000 units 418 units
10,000 units or more 450 units
Select the units in the sample using a random technique.
(The guidance above approximates a confidence level of 95%, for sample

precision of 2%).
2.8. CONTENTS OF THE FINAL PLANNING DOCUMENT
The audit planning phase ends when the Audit Plan has been fully developed.
The content of the Audit Plan will vary depending on the size and complexity of
the area audited, but should contain the following types of information about
the audit:
Section I: Background

This section contains three elements that summarise the team’s understanding
of the organisation and processes being audited. The first concerns the
organisation and processes, and should read something like the following:
“The process we will audit is called <process name> and is the primary
responsibility of <organisation name>. Other organisational units and external
bodies involved in this process are <name of organisations>. The objective of
the process is to <state objective>, and the organisation accomplishes this
through <x> steps, which are conducted at the following locations <list
locations>”.
The second element outlines the Law which legally empowers or obliges the
organisation being audited to perform the process, noting specific sections or
clauses of particular significance, and summarises any regulations or
procedures that define how the objective of the process is to be achieved.
Finally, this section includes a list of factors identified during the analysis of
planning data that could have a material impact on the conduct of the audit.
Section II: Objectives
Provide a list of the results to be achieved by the audit, such as:

“To review the operation of the car pool and assess whether the systems in
place provide appropriate controls over access to government vehicles and
consumption of fuel and maintenance resources.”
The objective should be written so that it can be easily determined at the
completion of the audit whether the objective has been achieved.
Section III: Scope
The purpose of this section is to describe what is included in the audit and also
what is not. Identify the organisation units and processes that are subject to
audit and the key positions that are responsible for them. Include a statement
about which geographic locations of the organisation unit or process will be
covered. Also describe any constraints to scope, specifically indicating any
areas that will not be covered where there is any room for misunderstanding.
Indicate the place where the audit will be conducted.

Section IV: Risks
This section should summarise the audit team’s review of the risk management
approach adopted by the organisation being audited and their assessment of
the risks.
Section V: Audit Programme
This section describes how the team plans to achieve the audit objective and
fulfill the requirements of the Internal Audit standards by presenting an audit
programme which summarises the test procedures that were documented in
the Control Test Procedures working papers including:
 Brief description of each test and its objective;

 Documents to review;
 Tests to perform;
 Criteria for the tests;
 Size of sample; and
 Method of sample selection.
This information can be provided by attaching forms 1012 and 1013, or by

using a tabular presentation that consolidates the information from the forms.
TEMPLATE No. 14_Audit Programme (WP 1014)
Section VI: Resources
Identify the members of the team and confirm their availability, independence
and qualification to participate. Specifically indicate who is responsible for
quality assurance.
Indicate any special skills, e.g. IT expertise or asset valuation, that the audit will
require to be sourced from outside the IAU.
Note that there is currently no requirement to develop a cost budget for each
audit since there are no budget lines for internal audit. If this situation changes,
the Audit Plan should include an estimate of out of pocket expenses (usually
travel related) and outsourcing costs that will be incurred by the audit team.

Section VII: Schedule
This section will summarise the information from the Audit Resource Plan
working paper concerning the key activities and their planned dates for
completion.
Section VIII: Communication
Identify key audit entity contacts.
Describe the approach to communications that will be adopted throughout the

audit including planned and ad-hoc communications with the audit entity and
any outside bodies that may be contacted for corroboration.
List the planned communication points – formal letters, scheduled meetings,

draft reports, final reports and indicate the planned date for each.
Section IX: Sign off
The Audit Team Leader should sign the Audit Plan and indicate the date it was
prepared. The Audit Plan should also be approved by the Director of the IAU.
Use: TEMPLATE No 17 – Audit Plan (WP 1017)
Part of the Audit Plan involves assigning auditors to the various audit tasks that
address the audit objectives. This is important to ensure the required audit
team members are available when needed and that resources are used
efficiently across the IAU’s different audits.
At the beginning of the planning process the Audit Team Leader should identify
the different audit tasks, such as:
 Preparing for the Initial Meeting

 Conducting the Initial Meeting
 Gathering data (documentary reviews and interviews)
 Analysing and documenting the data
 Identifying risks
 Developing related controls
 Planning the tests and samples
 Finalising the Audit Plan
 Conducting the fieldwork

 Evaluating results and developing findings and recommendations

 Developing the draft Audit Report
 Meetings with client
 Audit management and correspondence
 Finalising the Audit Report and
 Following up the audit.
These tasks should be entered on the Working Paper. For each of the planned
tasks, the Audit Team Leader should assign team members and estimate the
number of days each team member will need to complete the tasks they have
been assigned.
Working Paper 1015 provides a template for capturing tasks, assigning audit
team members and estimating required time (in hours or days, as preferred).
The template form assumes one Team Leader (TL) and 3 other Team Members
(Q2, Q3, Q4). If the plan calls for more or fewer team members the template
should be modified accordingly. Assuming there is one Team leader and 3 other
Team Members, you will use Column 1 to identify all planned tasks, Columns 2
to 5 to allocate time to each auditor and Column 11 to show when each task is
planned to be completed.
Once completed and signed by the Audit Team Leader, this document should
be reviewed with the Director of the IAU. The review may result in
adjustments. Once the Director is satisfied with the estimate, s/he signs the
working paper to approve the resource plan.
Subsequently the Audit Team Leader will use this form to track how much time
is actually used by each auditor on each task and record the variance. Similarly
the actual completion dates are recorded and a variance of time taken against
the time planned can be noted. This will provide valuable information for
monitoring the productivity of the Internal Audit Unit and for planning
subsequent audits. Use: TEMPLATE No 15 – Audit Resource Planning and
Tracking Form (WP 1015)
The Audit Plan should be updated as necessary to reflect any significant

changes made during the audit.
As the Audit Team Leader assigns team members to the audit, s/he should
check to ensure the assigned members are not disqualified from the audit

because of conflicts of interest or lack of appropriate certification. Each

assigned auditor must sign the auditor’s declaration. Use: TEMPLATE No 16 –
Auditor’s Declaration (WP 1016).
This working paper provides the means to collect from each team member
their declaration that they are not disqualified. The working paper takes the
form of a questionnaire which each assigned auditor should complete prior to
commencing the audit. Auditors who are disqualified from participating in
any given audit should be re-assigned

CHAPTER 3: FIELDWORK
Standard 2300 - Internal auditors must identify, analyze, evaluate, and

document sufficient information to achieve the engagement’s objectives.
3.1. OVERVIEW OF ACTIVITIES ON SITE
By the end of the planning phase and after completing the detailed activity and
resource planning work, the auditors will have updated the:
 Permanent file;
 Planning file;
 Audit Plan;
 Staffing requirements, and the staff to be assigned to each component
of the audit;
 Budget requirements;
 Timing considerations; and
 List of information to be obtained from entity officials.
The internal auditors will use this information during the fieldwork phase of the
audit process to perform the audit work. In particular, the audit program
selected for the audit will guide the detailed activities of the auditor. Use:
TEMPLATE No 18 – Audit Execution Checklist (WP2001)
The fieldwork is conducted in accordance with the planned “Control Test

Procedures and Results” documented in the different copies of working paper
1013. Use:
TEMPLATE No 19 – Test Procedures – Single Step (WP 2002)
TEMPLATE No 20 – Test Procedures – Complete Process (WP 2003)
These forms document the tests that the auditor conducts to satisfy the
planned tests identified in the planned “Control Test Procedures and Results”
documented in the series of Working Paper 1013’s in the Planning File. There
should be one working paper 2002 or 2003 for each form 1013 and they should
be cross referenced.

There are two broad types of tests:
 Rests that are conducted on multiple instances of a single step in the

whole process; and
 Tests that follow a single event through a complete multi-step process
(sometimes called “walk through tests”).
Working Paper 2002 relates to tests that are conducted on a single process
step. The auditor develops a test or question to determine whether the
expected control (from working paper 1013) is present and working effectively
and documents the question on working paper 2002. The auditor then
indicates which sampling units that were selected, and documents the result of
the test.
When the test has been conducted on each item in the sample, the auditor
concludes as to whether the evidence shows the expected control is present
and whether it is working effectively. Generally it is not necessary for the
control to have been properly executed on every single transaction tested.
Often the auditor can accept up to 2 failures without considering the control to
have completely failed. This process is repeated for all the controls that are to
be tested.
Working Paper 2003 illustrates the approach where the auditor is testing a
transaction through all steps of the process. The form is designed so that all
tests are documented on the same form, rather than using a separate form for
each test.
Each working paper should be initialed and dated by the auditor who
conducted the test procedure, and verified, signed and dated by the Audit
Team Leader.
3.1.1. TESTS FOR SYSTEMS AND COMPLIANCE AUDITS

When conducting the audit work on site, the internal auditor must gather
sufficient convincing, appropriate and reliable evidence to determine whether
the management and control systems in place are operating as described and
that they are adequate to ensure the regularity of expenditure and the
accuracy and completeness of financial and other information.

Internal auditors should check that there is a complete audit trail for all
transactions, and that there are mechanisms to keep the audit trail up to date.
Procedures to be carried out are:
 Evaluating systems documentation by reviewing files, supplemented

where necessary by interviewing relevant staff; and
 Testing the operation of those systems by examining a sample of

transactions.
Sufficient testing should be carried out to enable the audit team to reach sound
conclusions about the effectiveness of the systems under examination. The
tests will address the audit objectives that were discussed in the previous
chapter. The content of each audit may be adjusted by the auditor to take
account of any divergence between the actual control environment
encountered during the audit and the control environment that was envisioned
during the audit planning stage that was discussed in the previous chapters.
3.1.2. TESTS FOR FINANCIAL AUDIT

Financial audits are concerned with validating the contents of the
organisation’s financial reports. Tests of systems are supplemented by tests
designed to substantiate reported amounts. These are referred to as
“substantive tests”, and include techniques like analytical review and tests of
transactions and balances.
The objective of a financial audit is to state an opinion as to whether the figures

in the financial statements are free from material misstatement, specifically in
respect of the criteria noted in the table below.
Criterion Nature and example of a substantive test

Valuation A check that assets and other items are recorded at the
correct value in financial records. For example, a
substantive test may check that the sale or purchase of
an asset is recorded at the correct value in the
accounting system by checking the original invoice or
sale note.
Existence A check that assets and other items recorded in the
financial statements actually exist. These substantive

tests may involve the physical verification of existence

through confirmation by the custodian of the assets, or
actually inspecting the asset.
Ownership A check that assets recorded are actually owned or
legally used by the audited body. For example, a
substantive test may involve checking that the audited
body has a valid lease for premises used.
Proper period A check that a transaction is recorded in proper period.
For example a purchase transaction may be recorded on
December 30, where in fact the title to the related asset
did not pass over until January 2 the following year.
Quality (accuracy A check that inputs and outputs are of an appropriate
and completeness) quality. For example, for inputs we could check that the
of inputs and accounting system has input controls built in, to ensure
outputs completeness and integrity control of data. For outputs,
we could check that the system applies process controls
to ensure that reporting is complete and correct.
Typical substantive tests for financial audits:
 Analysing balances by obtaining related general ledger account

breakdowns;
 Reconciling general ledger summary amounts to related sub-ledgers;
 Testing detailed transactions from ledgers against related base
documents for proper recording, accuracy, cut off and valuation;
 Obtaining balance confirmations from third parties;
 Inspecting assets to verify the existence and value of the items
recorded in ledgers;
 Performing two-way tests of the complete recording of assets,
consisting of: selecting assets from the ledger to test their existence
and also tracing physical assets back to the general ledger;
 Checking ownership documents of assets recorded in ledgers; and
 Re-calculating accruals and management estimates (e.g. bad debt
provisions).
Test of controls in financial audits are limited to controls in related accounting

and reporting functions and often also include coverage of IT controls that
relate to those functions.

3.1.3. TESTS FOR PERFORMANCE AUDITS

Performance audits extend beyond the traditional audit domain to include a
review of the management of operational units where performance is achieved
and value is created.
Performance audits provide reasonable assurance about the reliability and

integrity of the organisation reporting structure, and the performance of
programs, services, activities, and functions, and includes recommendations for
improvements.
Performance audits are concerned with the economy, efficiency and

effectiveness of operational units. Because each operating unit has different
objectives, organisation structure and processes, each audit will have to be
defined specifically for each operating unit.
A typical performance audit requires the auditor to:
 Consider the environment in which an organization operates by

gathering information about local, regional, global and sector trends,
competitors' strategies, etc.;
 Ascertain the best practice for similar activities/process;
 Understand the managements strategies and how they manage their
organisations to achieve performance goals. Understanding the Head
of the PSE’s focus allows auditors to better understand potential
business risks, and on the effectiveness of strategic measures to
identify and mitigate those risks;
 Assess financial and non-financial performance, by considering such
issues as:
o customer satisfaction;
o cost-benefit and cost-effectiveness;
o quality;
o quantity;
o economy;
o achievement of mission;
o measurement of achievement of the organisation’s
designated outputs/outcomes;
o return on investment;
o financial condition; and
o timeliness.

 Analyse the information against relevant benchmarks to fulfil the

objectives that were defined for the specific audit.
Performance audit approaches and example of items to be considered:
 Approach focusing on economy (inputs)
The auditor should consider:

o whether inputs are suitable and obtained for the lowest
price;
o variances between budget and actual financial
performance;
o to what extent all resources have been used; and
o whether the value chain has been optimized.
 Approach focusing on efficiency (processes)
The auditor should consider whether:
o results could be achieved for lower cost;

o there are bottlenecks in the process that could be
avoided;
o duties are properly segregated without overlaps;
o different units that are working to reach the same target
are cooperating effectively; and
o there are any incentives to motivate employees to
minimise expenses or maximise revenues.
 Approach focusing on effectiveness (outcomes)
The auditor should consider whether:

o operational targets are achieved according to schedule;
o outcomes are properly defined;
o clients or beneficiaries are satisfied with the outcome;
and
o the outcome achieved will meet clients’ or beneficiaries’
needs.

3.1.4. TESTS FOR IT AUDITS
Information Technology (IT) has an increasingly important role in the

management of organizations and the internal auditors must focus on
evaluating them, regardless of their complexity.
Information Technology (IT) may be used for tracking financial and accounting
information as well as for tracking operational information, related to business-
specific activities, processes, etc.
When conducting an audit of the IT environment internal auditors must bear in

mind that the principal goals of IT systems are to:
 Store sufficient trustworthy data and information to support effective

control; and
 Provide timely information to the Head of the PSE to help them
achieve the goals of the organization.
IT systems have various characteristics that can be used to formulate

objectives. Some examples are given in the following table.
Information system Objectives of the audit

characteristics
Content Does the information system contain all the
information required?
Deadline Can the information be obtained at the moment

desired?
Updating Is the most recent information available?
Integrity of data Is the information contained in the information

system complete and accurate?
Accessibility Are interested parties able to obtain this information

easily and is it protected against unauthorized
access?

Archiving Is a regular archive of data compiled according to a

schedule and what are the rules of access to
archived files?
Clarity Is the information easy to use?
In conducting IT audits, generally IT specialists should be included in the audit

team. In principle, the IT audit follows a similar process to a systems audit,
described earlier.
The evaluation of the IT system relates to the adequacy and performance of

the IT systems to meet management needs, and its contribution to achieving
the goals of the organization and to the effectiveness of the financial
management and control systems.
Testing general computer controls
If audited management systems are strongly supported by information

technology and internal controls are mainly automated or significantly
dependent on information systems and technology, the internal auditor should
assess the general computer controls to ensure that they are continuous and
effective.
General computer controls address four broad areas:

 Development and implementation: To ensure that systems are
developed, configured and implemented to meet financial,
operational and compliance objectives.
 Maintenance: To ensure that modified systems continue to meet
financial, operational and compliance business objectives.
 Computer operations: To ensure that production systems are
implemented as approved and that production problems are quickly
identified and corrected.
 Security: There are two aspects to Security, the physical environment
of the system and its components and access to system resources and
data is authenticated and authorised

The internal auditor has to develop an understanding of the organisation’s

processes so as to determine the relevant computer environments and systems
to be reviewed. There may be more than one environment or system,
depending on the technical complexity of the entity being audited.
The specific controls within each of the above areas are normally a mix of
manual and automated controls. For example, controls ensuring appropriate
security within an information system consist of automated controls that
restrict users’ access to system utilities. However, the functionality and
effectiveness of these automated controls is dependent on manual controls to
ensure that the users’ capabilities properly reflect their responsibilities and
needs.
The internal auditor does not need to have special technical skills to evaluate
many of the general management computer controls. Nevertheless, the auditor
should have sufficient understanding of the IT process, system or program to
identify, assess and test controls over systems development and
implementation, while some of the automated controls over system operations
will need to be tested by IT specialists, especially when assessing security of
access to the systems and data. The IT specialist will be required to test the
program’ automated controls, examine the source code, and review the change
control procedures including version controls.
Each of the areas referred to above should be addressed. However, the nature
and extent of testing of general computer controls will depend on a number of
factors:
 Complexity of the environment and controls;
 Breadth of coverage that a control provides;
 Extent to which a control provides assurance over a particular
automated process;
 Extent of risk and the assurance required;
 Extent of change to systems; and
 The effectiveness of the management of the entity’s information
systems and technology activities.
Gathering information for the IT audit

Key contacts for the auditor conducting IT audit are:
 IT director or head of the IT department;
 Managers from individual IT sub-departments/sections;

 IT staff;
 Users; and
 Consultants, and other external providers of IT services.
Key information needed for planning the IT audit includes:
 IT organization (role, responsibilities, reporting);

 List of key systems/applications and their business purpose;
 Complexity of the IT environment;
 IT strategy, changes already running and planned;
 Existence of security and operational standards and procedures; and
 Existence of standards and procedures for management of changes to
the systems and development activities.
3.2. TESTING AND RELATED DOCUMENTATION
A key element of the internal audit is examining whether management and

control systems are operating effectively at all relevant levels. This involves
documenting relevant systems (including appropriate information from the
audit trail), together with testing controls to examine whether the systems are
actually operating as described and are effective.
Tests of controls should include checks that management and control systems
are operating consistently and effectively. Tests should be carried out on a
sample of transactions selected for the audit. Where the effectiveness of the
management and control system is likely to vary (for example where different
staff are responsible for applying the same checks on different transaction
streams), the auditor should ensure that the sample is representative of these
possible differences. It is important during tests of controls to identify the
reasons for any errors and omissions identified as they might indicate
weaknesses in management and control systems.
The previous Chapter described how the audit team plans for sample-based
tests of controls. The resulting plan guides the audit team as to what tests to
apply and how many items are required to make a valid sample.
In the fieldwork phase, the audit team needs to fulfil the following steps:
 Select the sample;
 Test the sample items;

 Evaluate the sample results; and

 Document the sampling procedure.
These steps are discussed below:
 Select the sample
The audit team needs to select the number of sampling items determined in
the planning phase. Samples can be selected statistically or non-statistically.
The difference between these two approaches is the method of selecting the
sample items. The planning requirements remain the same, as does the
evaluation process.
There are two basic sample selection rules:
1. The sample conclusion only applies to the population from which it is

selected; and
2. The sample should be representative of the population from which it
is selected.
Rule 1, affects how the auditor defines the population from which the sample is
to be drawn. This rule applies equally to statistical and non-statistical sampling
and requires the auditor to define the population carefully. For example, if the
auditor wants to rely on an internal control for the entire year, then the
population must include all transactions for the whole year.
A common mistake by auditors is to simplify sampling by selecting a sample of

transactions from only one month. The result of this approach is that the
auditor’s conclusion only applies to that one month - the auditor does not have
any assurance with respect to the other 11 months.
Rule 2 relates to how specific items in the population are selected into the
sample. The auditor has a better chance of complying with Rule 2 with a
statistical sample than with a non-statistical sample. When using a non-
statistical sample, though, the auditor should strive to ensure that his/her
sample is as representative of the population as possible.

There are several sample selection methods that are very good at ensuring that
the sample is representative of the population from which it is selected, as
follows:
 Random;
 Fixed interval (systematic);
 Cell (random selection); and
 Stratified random.
These methods are described in the following sections. For non-statistical

sampling, the objective is to try to approximate one of these methods.
- RANDOM SELECTION
Random selection involves numbering all of the items in the population

and then using a random number table or software programme to select
random numbers for each item in the sample. So if the planned sample
size is 200, then the audit team will need to generate 200 random
numbers that correspond to a unique reference number on each item in
the population (e.g. invoice number, purchase order number or employee
number). The auditor then identifies the sampling unit that corresponds to
each number.
This method is difficult to use unless the sampling units are already pre-
numbered such as pre-numbered sales invoices, or can easily be numbered
(30 supplier invoices per page and the pages are numbered, for example).
- FIXED INTERVAL (SYSTEMATIC) SELECTION
This method involves choosing a random starting point and then selecting
every nth item. It requires the auditor to have a good idea of the total
number of items in the population. For example, if the auditor knows that
there are 30,000 invoices in the population and needs to draw a sample of
200, then s/he could select every 150th supplier invoice (calculated by
dividing 30,000 population sizes by 200, the sample size). The random start
would be a number between 1 and 150. If, say, the auditor picked a
random start of 50, he/she would select the 50th item, the 200th item, the
350th item, etc.

- CELL (RANDOM INTERVAL) SELECTION
This method essentially combines the previous two methods. The auditor
divides the population into cells and then picks a random item from within
each cell. In our example, the first cell would contain the first 150 items,
the second cell items 151 to 300, the third cell items 301 to 450, etc.
- STRATIFIED RANDOM SELECTION
Some automated audit (CAATS) tools may offer a fourth method - stratified
random sampling. Using this approach, the population is first stratified
based on monetary ranges, type of transaction, etc., and then a random
sample is drawn from each range. This could be used, for example, to
weight an attribute sample to the larger value items or specific
expenditure types, or to ensure that at least one sample item is drawn
from each expenditure type.
- NON-STATISTICAL SELECTION
The auditor can use judgment to select a sample in a way that

approximates one of the methods described above. If done with care, this
can be an acceptable way to select a sample. However, it is prudent to
increase the sample size by 20 to 50 percent to compensate for the fact
that the sample may not be truly representative. The size of the increase
depends on how close the auditors believe they are to approximately a
statistical sample.
Test the Sample Items
In this step, the audit team applies the tests that were developed during the
planning stage to each of the sampled transactions, taking care to fully
document any sample items in which a deviation is found. Sampling items
containing deviations must be clearly identified so they can be retrieved at a
later stage if further investigation or validation of the deviation is required.
Evaluate the Sample Results
The audit team will tabulate the results of the tests of controls, essentially
recording each deviation that has been identified.

If the actual number of deviations found in the sample exceeds the acceptable
number of deviations identified in the planning stage, then the results are
unacceptable and the control will be considered not to be working correctly.
In these circumstances the audit team may consider increasing the sample size
to see if the deviations continue to occur at the same rate. In general though,
the control will be considered to have failed and the audit team should
determine how and why it failed, and develop a recommendation to the Head
of the PSE for improving its future reliability.
This approach applies equally whether statistical or non-statistical methods

have been used to select the sample.
Documenting the sample procedure
It is important that the audit team can demonstrate that they followed good
practice in arriving at their conclusions concerning the reliability of the
controls, and that they can show the data on which the conclusions are based.
Therefore the audit file must be updated with a complete description of the
procedures used for sampling and testing as well as the results and draft
recommendations.
Working paper 1013, which originates in the planning phase is also used to
capture the results of each test when the tests are performed in Phase 2,
Fieldwork. In this phase we add information about the actual units included in
the sample, the results of the test, causes of any failures, the impact on the
organization and leads to the auditor’s development of conclusions and
preliminary recommendations.
Each working paper should be initialed and dated by the auditor who
conducted the test procedure, and verified, signed and dated by the Audit
Team Leader.
Note that the Audit Resource Planning & Tracking Form (Working Paper 1015)
should be completed for the Fieldwork tasks by the Audit Team Leader to track
how much time was actually used compared with the plan, and to record any
variance.

3.3. AUDIT EVIDENCE AND WORKING PAPERS
The purpose of performing the audit engagement is to gather audit evidence

for use in supporting the facts, conclusions, and findings that will be contained
in the audit report.
Auditors should base findings and conclusions on adequate evidence. The

evidence should be retained in the audit working papers.
Working papers need to be prepared, organised, and summarised in sufficient

detail and with sufficient care to enable the work to be reviewed, judged, and
understood by persons independent of the audit.
Examples of typical evidence for different types of audit are given below. How
much and what type of audit evidence should be gathered and recorded in the
Current File is a matter for the auditors’ judgment and case by case decisions
by the audit team leader.
Systems and compliance audit
 Audit trail descriptions (flow charts or other representations);

 Detailed audit trail descriptions for the accounting and reporting
functions;
 Official documents establishing the mandate of the organizational unit
under review and the responsibilities associated with organisational
positions with respect to operational processes, together with
evidence that these documents have been analysed by the auditors
and their conclusions;
 Laws and regulations that govern the process under audit review as
well as evidence that the key conditions have been audited and the
related conclusions;
 Record of the tests of key controls in the systems;
 Working papers relating to IT systems and controls;
 Interview scripts;
 Working papers documenting physical observations (e.g. work sites,
training courses, IT tests being carried out, bank transfer being
performed etc.); and
 Risk-control work sheets.

Financial audit
 Report on which the audit report/assurance is given (e.g. expenditure

declaration);
 Ledger print-out of the reported items;
 Written balance confirmations received from third parties (e.g.
suppliers’ confirmation of works delivered and payments received
related to their invoices);
 Bank statements;
 Reconciliations performed by staff and reviewed by the Head of the
PSE;
 Working papers to document tests of control or substantive tests;
 Interview scripts;
 Contracts; and
 Recalculations of management estimates and contingent amounts
(e.g. accruals and bad debt estimates) and related supporting
evidence (e.g. possible court cases).
The organization, design, and content of audit working papers will depend on
the nature of the audit.
In general, working papers for an audit should document all aspects of the
audit process.
Minimum requirements for compliance audit working papers

Working papers for compliance audits are prepared in a table format, where
the first column is prepared at the planning stage and the following columns
are filled in during the field work stage.
Compliance Planned Description of the Test results of Comments and
requirement control/ actual control/ actual controls conclusions
measure measure
Regulation …. Usually Filled in the 3 times out of To be reported
taken from course of field the test of 10 for
procedure work when transactions, improvement
manuals observing the control
controls in was not
practice, working as
interviewing intended
staff or testing
IT systems

Minimum requirements for a substantive test working paper

In the case of substantive testing the auditor seeks assurance that transactions
are:
 Properly valued;
 Accurately calculated and recorded;
 Recorded in proper period;
 Properly recorded from ownership point of view;
 Properly categorized and reported;
 Recorded completely (i.e. no transactions are omitted).
Accordingly the working paper should reflect:

 The description and purpose of the test;
 Reconciliation with the (summary) account in which the transaction
under review is recorded;
 The reconciliation with the summary account and the related report
line where the summary account is reported;
 Details of the base document that relates to the transaction under
review (e.g. bank statement, invoice) to enable re-performance of the
audit test;
 Dates as of which the accounts are prepared;
 The period in question for income statement accounts;
 Sample selection methods and extent of the sample (how many
transactions were selected);
 If errors are noted, reasons for them (failure of planned control,
human or system error or other); and
 Conclusion (incl. about potential irregularity).
Minimum requirements for test of control working paper

For tests of controls working papers should note:
 Description and purpose of the test;
 Description of the control(s);
 If the key control mitigates more than 1 risk, an explanation of what
risks it mitigates;
 Details of the transactions selected for testing (e.g. invoice details);
 Reasons for control failure (if any); and
 Conclusion as to whether or not a control failure is systematic, or
whether it is an isolated irregularity.

Minimum requirements for systems audit working paper

A systems audit aims to check that systems or processes are working as
intended to achieve the objectives of a government programme. In this type of
audit, the auditor may work with:
 Each system or process individually; or

 Review all components of a vertically or horizontally integrated
process in a single step.
The working papers for analysing systems should include:
 A flowchart depicting the elements and actors in the process and the
information flow (documents, databases, reports, decisions);
 A table associating risks and related controls with the elements in the
process (based on risk assessment and procedure manuals);
 Selected tests of the controls;
 Notes of interviews with key staff involved in the process;
 Analyses of the organizational structure, roles and responsibilities, and
the segregation of duties in the process vis a vis other related
processes (e.g. procurement versus payment); and
 The legal basis that provides a sufficient and proper mandate for those
involved in the process.

CHAPTER 4: REPORTING AND

AUDIT CLOSURE
Internal Audit Standards provide guidance on the internal auditor’s
responsibilities for reporting the results of audit.
Standard 2400 - Internal auditors must communicate the results of

engagements.
Standard 2410 - Communications must include the engagement’s
objectives, scope, and results. Final communication of engagement
results must include applicable conclusions, as well as applicable
recommendations and/or action plans.
Standard 2410.A1 - The final communication of engagement results
should include applicable conclusions as well as applicable
recommendations and / or action plans. Where appropriate, the opinion
of the internal auditor should be provided. The opinion should take into
account the expectations of senior management, the board, and other
stakeholders and should be supported by sufficient, reliable, relevant and
useful information.
Internal auditors should communicate the results of the engagement. The

purpose of the report is to communicate. If they do not reach the
communication, they will have no value. Better fieldwork and brilliant analysis
are useless if they are not communicated - this means that information about
the findings and recommended actions must be accepted and understood by
the audience who can implement the recommendations.
In seeking to communicate, internal auditors must remember their principal

objectives: (1) to provide useful and timely information, both oral and written,
on significant matters; and (2) to promote improvements in control and
performance of organisation operations.

Communication must be objective, clear, concise, timely, and constructive.
The Audit Team leader will have maintained open channels of communication
with the Head of the PSE or process being reviewed to keep them informed of
the audit progress and any significant findings during the fieldwork phase. The
Reporting phase follows completion of the fieldwork and formalizes the
submission of findings to the Head of the PSE in a Draft Audit Report. The Head
of the PSE’s responses are incorporated into the Final Audit Report.
4.1. CLASSIFYING FINDINGS AND CREATING OVERALL AUDIT CONCLUSIONS
The first reporting working paper, number 3001, is used by the Audit Team
Leader to provide a link between the results of the audit tests that were
performed during Fieldwork and the contents of the Draft Audit Report.
The Audit Team Leader records, for each test conducted during the fieldwork
(referenced to the relevant working paper), whether the test revealed a
negative finding and led to a recommendation for improvement (indicated by a
simple Yes or No response). For each test where there was a negative
conclusion, the Audit Team leader should also indicate whether that conclusion
and the related recommendation have been carried into the Draft Audit
Report.
In general, the Audit Report should focus on significant findings that suggest
systemic problems that expose the organization to a risk. Individual errors, if
they are not symptomatic of a systemic weakness generally are not included in
the report. Again, the Audit Team leader indicates with a Yes or No response
whether the finding and recommendation has been carried into the Draft Audit
Report. The Audit Team leader must justify any instance where s/he has
decided not to include a finding in the report.
When the internal auditors find an error or problem they should follow these
steps:
 Analyze the error to see if it the result of a systemic failure;
 Understand the root cause of the error;
 If there is no preventive control to stop a similar error from recurring,
it can be concluded that the error might be systemic and the audit risk
increases - to mitigate the increased audit risk, the sample size should
be increased accordingly (to be decided by audit team leader); and

 If there are preventive controls in place, the error will be repeated

only as a result of a similar human error (assuming the detected
exception was caused by human error) or as a co-incidence, and no
increase in the audit sample is required.
Every finding in the working papers should have a documented decision on the
systemic nature and any further tests made.The internal auditor should report
to Audit Committee on regard to all violations and events of non-compliance
with the Law on PIFC to the Head of the PSE.
Classifying findings
Internal auditors must be able to defend the seriousness with which they
regard a finding. While analysing the finding, the auditor should answer the
following:
 What is the effect of the issue on the organisation?

 How significant is the problem?
 What is the cause of the problem?
 Who is responsible for the problem?
 Was an existing control violated?
 Was there no control in existence?
 Was there an illegal action? Is it an irregularity? Violations of laws,
rules, etc? Fraud?
 Can the situation be corrected?
 Is physical safety involved?
 Did the Head of the PSE identify the issue prior to the audit? If so,
what are the plans to correct the issue?.
Once the issue is fully understood, the audit team should consider:
 Should corrective action be taken?
 Is it an isolated incident?
 Will existing controls usually preclude the problem?
 Are there any mitigating controls in place?
 Do existing instructions need to be clarified or amplified?
 Is it control weakness?
 Is a systems change needed?
 Has a cost-benefit action been undertaken?

How should corrective action be undertaken?

 By whom?
 When?
 Why?
The audit team should ensure that supporting evidence for identified findings is
carefully assembled to provide:
 Assurance of the existence of the findings;

 Information concerning the materiality of the findings;
 Information to give the Head of the PSE an adequate basis for action.
The auditor should work with the management team of the organization to
ensure the best solution to the issue is recommended. When documenting the
findings, auditors must carefully consider how they will look in the final audit
report. A well-documented finding will make it unnecessary to write two
separate findings - one for the working papers and, later, one for the audit
report.
4.2. CROSS - REFERENCING THE FINDINGS
In internal auditing it is important that:
 All the important findings (reportable issues or significant issues) are

reported - it would be a major failure on the auditor’s part if the Head
of the PSE is not informed of a risk and subsequently the risk is
realised and the organisation suffers damage; and
 All findings are based on work done and supported by documented

objective audit evidence and are not the unsubstantiated opinion of
the auditor.
The Audit Team Leader can address these 2 requirements by:
 Reviewing all the findings in the working paper for relevance and to
ensure they are supported by sufficient evidence that is documented
in the working papers;

 Ensuring the working papers are cross referenced to the draft report
(preferably using red annotations if done on paper format, or using
Track Changes if using electronic format); and
 Ensuring all findings in the draft report are referenced back to the
working papers (using the same technique as described above).
Any discrepancies found must be discussed with the team and corrected i.e.
unjustified issues should be deleted from the report or and issues noted in the
working papers but not reported, must be added.
The auditor should not rely on verbal reporting and must ensure all relevant
material issues are included in the written reports.
4.3. STRUCTURE OF THE INTERNAL AUDIT REPORT
The Audit Team Leader should prepare the Draft Audit Report based on the
work that has been documented in the working papers. This report confirms
the objectives and scope of the audit, presents the findings, and most
importantly, presents the audit team’s conclusions and recommendations for
improvement. The sample Draft Audit Report template provides guidance as to
the content of the report. It is important that the report is written clearly and
crisply so that the reader can quickly grasp what the audit team discovered and
what remedial actions are required.
At the draft stage, the purpose of the report is to provide the Head of the PSE
with a formal statement of finding and recommendations so that the Head of
the PSE can consider them and decide whether to accept the
recommendations, suggest an alternative remedy or reject the
recommendation. Until the Head of the PSE has responded, there can be no
Action Plan component, so this element of the report template is left blank at
this stage.
Although the format and content of the audit communication would vary by
organisation and the type of audit, the following general format is suggested:
EXECUTIVE SUMMARY
The executive summary should present an overview of the objectives and
scope of the audit, and the main findings, conclusions and recommendations
which identify the main areas to be addressed by the auditee.

The summary findings should be cross-referenced to the detailed findings.

The conclusion should set out the opinion of the auditor regarding the related
findings.
The executive summary should also include an audit rating.
The following table outlines the four potential audit ratings that can be given,
together with descriptions of the associated level of concern for consideration
by the Head of the PSE and the Audit Committee:
Assessment Description Level of Concern
1 – Adequate No significant findings. An appropriate None or limited
control framework is in place given the
risks of the area of activities
2 - Needs Significant findings have been noted in Room for

Improvement certain detailed control activities improvement
although overall an appropriate control
framework is in place
3 - Needs Significant control weaknesses have Cause for concern
Significant been noted which may subject the
Improvement management to material exposure*.
Although certain mitigating controls are
in place, significant improvements are
required to adequately safeguard
against such exposure.
4 – Inadequate Significant control weaknesses have Cause for
been noted which may subject the considerable
management to material exposure*. concern
Inadequate (or no) mitigating controls
are in place. Immediate corrective
actions are required to adequately
safeguard against exposure.
*"Material Exposure" is defined as any circumstance, or set of circumstances,

which could lead to material or significant: financial loss, reputation harm, legal
exposure, information systems problems, regulatory or compliance risk, or
delays in the attainment of stated government objectives in the area.

1. INTRODUCTION
The Introduction may include background information such as identifying the
organisational units and activities reviewed and provide relevant explanatory
information.
2. PURPOSE AND SCOPE OF THE AUDIT

Purpose statements should describe the audit objectives and inform the
reader why the audit was conducted and what it was expected to achieve.
Scope statements should identify the activities that were reviewed and should
include supportive information such as the time period reviewed. Related
activities not reviewed should be identified if necessary to delineate the
boundaries of the audit.
The nature and extent of audit work performed also should be described.
3. RESULTS
Results should include findings, conclusions, recommendations, and action
plan.
3.1. FINDINGS
Findings are statements of fact. Only those findings that are necessary to
support or prevent misunderstanding of the internal auditor’s conclusions and
recommendations should be included in the final audit communications. Less
significant observations or recommendations may be communicated verbally
or in memoranda to management.
Findings and recommendations emerge by a process of comparing what

should be with what is the actual practice. This process of comparison
provides the internal auditor with a foundation on which to build the report.
Findings and recommendations should be based on the following attributes:
Criteria The standards, measures, or expectations used
in making an evaluation and/or verification
(what should exist).

Condition The factual evidence that the internal auditor

found in the course of the examination (what
does exist).
Cause The reason for the difference between the

expected and actual conditions (why the
difference exists).
Effect The risk or exposure the organisation or others

encounter because the condition is not the
same as the criteria (the impact of the
difference). In determining the degree of risk
or exposure, internal auditors should consider
the effect their audit findings and
recommendations may have on the
organization’s operations.
3.2. CONCLUSIONS
Conclusions are the internal auditor’s evaluations of the effects of the findings
on the activities reviewed. Conclusions should be clearly identified as such.
Conclusions may encompass the entire scope of an audit or specific aspects.

They may cover, but are not limited to, whether the organisation’s objectives
and goals are being met, and whether the activity under review is functioning
as intended.
3.3. R ECOMMENDATIONS
Recommendations are based on the internal auditor’s findings and
conclusions. They call the management to act to correct existing conditions or
improve operations.
Recommendations may suggest approaches to correcting or enhancing

performance as a guide for management in achieving desired results.
Recommendations may be general or specific.

Classifying findings
 Significant issue (major importance) will prevent a significant

objective of an operation from being achieved. It doesn't matter how
large or small the operation is as long as the issue identified is
significant to that operation. These issues will be highlighted in the
report for the attention of the management of the organisation. All
irregularities belong to this group.
 A reportable issue (medium importance) is one that warrants
reporting because its adverse effect will not be halted until it is
corrected.
 An observation (minor importance) is a random error that should be
corrected, but which may not warrant inclusion in a formal audit
report.
4. ACTION PLAN
The internal auditor should try to obtain agreement with management on the
results of the audit and on a plan of action to improve operations, as needed.
Management responses should include specific actions to be taken, the
person(s) responsible for the corrective action, a timetable for completion and
expected results.
If the internal auditor and the management do not agree on the audit results,
the communications may state both positions and the reasons for the
disagreement. Management’s written comments may be included as an
appendix to the audit report.
A table summarizing the main findings, conclusions and recommendations

should also form part of the report.
Use: TEMPLATE No 21 – Audit Report (WP 3001).
At the Draft stage, the purpose of the report is to provide the Head of the PSE
with a formal statement of findings and recommendations so that the Head of
the PSE can consider them and decide whether to accept the
recommendations, suggest an alternative remedy or reject the
recommendation altogether.

Until the Head of the PSE has responded, there can be no Action Plan
component, so this element of the report template is left blank at the draft
stage.
The Draft Audit Report should be signed by the Audit Team Leader and formally
presented, with a transmittal letter, to the Head of the PSE being reviewed,
copy to the Director of the IAU, for their review and approval. The transmittal
letter should explain the purpose of the Draft Audit Report and outline the
response that the audit team is expecting. A date by which the response is
required should also be indicated.
“Findings for the Audit Report” form tracks, in a tabular format, how each of
the findings presented in the Draft Audit Report has been dealt with. The
Findings are presented in groups that represent their importance (as they
should have been in the Draft Audit Report) and tracks for each finding what
recommendations the audit report provided to the Head of the PSE, the Head
of the PSE’s response to the recommendation, and finally, an action item for
the audit team to follow up the Head of the PSE’s response at a later date.
This working paper tracks the Head of the PSE’s responses to the Draft Audit
Report and is included as an Annex to the Final Audit Report. Use: TEMPLATE
No 22 – Findings for the Audit Report (WP 3002)
During meetings with the Head of the PSE to follow up the Draft Audit Report,
the Audit Team Leader will ask the Head of the PSE to submit an Action Plan for
implementing the recommendations that have been agreed. The Head of the
PSE should be asked to present the Action Plan in a form similar to the
suggested format shown in Working Paper 3003, Management’s Action Plan.
The Action Plan should be signed by the official who will be responsible for
implementing the recommendations. It provides the record of what actions the
Head of the PSE has committed to, and the basis against which the audit team
can subsequently review progress. Use: TEMPLATE No 23 – Management
Action Plan (WP 3003)
Following meetings with the Head of the PSE to discuss the findings and
recommendations and to agree upon management’s Action Plan, the Audit
Team Leader can finalise the Audit Report, appending working papers 3002 and
3003 as annexes. Use: TEMPLATE No 24 – Distribution sheet (WP 3004)

Other formatting standards
Tense:
 When describing the internal audit work performed, the past tense
should be used. For example:
o “We have completed our internal audit of XXXX processes

and controls”
o “The scope of our review included”
o “We examined a selection of XXXXX”
o “Our review focused on the processes utilized by XXXX”
 When describing the operations of auditee, the present tense should

be used:
o “The Accounting Department supports the process by…..”

o “Based upon the results of our review, controls over the XXXX
are adequate.”
 When drafting recommendations, an imperative sentence should be

used. The recommendations should always begin with an action verb:
o “Establish monthly reporting requirements.”

o “Develop and implement formal procedures for XXX.”
o “Document, review and approve manual adjustments.”
Standard practices:
 Specific quarters can be abbreviated using the quarter number and

the year (e.g. Q1/09).
 Specific dates can be abbreviated using the dd/mm/yy format. For
example, November 15, 1998 can be abbreviated as 15/11/98.
 No individual’s name should be mentioned in audit reports.
 All acronyms should be spelled out the first time they appear in the
report.
 The standard currency should be €.
 Management responses should be italicized.

4.4. OVERVIEW OF THE REPORTING PROCESS
end of fieldwork Management Final

Draft report
responses report
10 working
1
days/2
week
weeks
closing 2 weeks
meeting
The main purpose of the Audit Report is to inform the Head of the Public Sector
Entity/the Auditee of the results of the audit to:
 Give an assessment of the condition of the audited process by
expressing an independent and objective opinion on the effectiveness
of control procedures concerning lawfulness, financial management
and transparency; and
 Provide recommendations for improving the financial management
and control systems to remedy any errors, weaknesses and
irregularities identified by the audit.
The Draft Audit Report should be:

 Prepared by the audit team members;
 Reviewed by the Audit Team Leader subsequent to the completion of
fieldwork;
 After the review, the overall rating should be discussed with the
Director of the IAU.
A Closing Meeting should be held (see part 3.5):

 Within 10 working days from end of the fieldwork, the draft report
should be submitted to the Head of the PSE to obtain their responses
to the recommendations.
 The Head of the PSE should be allowed ten working days to complete
their responses and if within 10 days there is no response then the

draft report shall be finalized and sent to the Head of the PSE
highlighting that they agree with the recommendations.
 Once all responses have been obtained, the report must be reviewed
by the Audit Team Leader; and
 Any factual errors noted by the Head of the PSE should be corrected
and statements that lacked sufficient supporting evidence in draft
report should be deleted. However the internal audit team should
stick with its findings and recommendations where there is sufficient
evidence and analysis and should not allow themselves to be
pressured by the Head of the PSE into releasing an inappropriate audit
report.
The Final Report should be compiled by audit team members and:
 Reviewed by Audit Team Leader;

 The Director of the Internal Audit Unit should sign the final report and
send it to the budget organisation management;
 One original of the final report should be filed in Internal Audit
Reports file in the IAU and one copy submitted to the Audit
Committee.
Other reports
In addition to the individual audit reports, the IAU should also report quarterly
to Head of the Public Sector Entity to summarise new findings made during the
quarter and the status of findings from previous quarters/periods to facilitate
monitoring of critical findings and their corrective actions. The follow-up
database should be used to assist in preparing these interim reports.
Annual report
The annual activity report describes not only the work done, but also explains
how the internal audit unit itself has developed. It is advisable to agree the
internal audit objectives at the beginning of the year: the annual activity report
should then demonstrate to what extent these objectives have been achieved.
Measurable indicators should be agreed beforehand and then reported on.
The Charter of each Internal Audit Unit requires the basic of duration and the
different types of reports that Internal Audit Unit has to present to the Head of
the Public Sector Entity.

Ministry of Finance 71 CHU for Internal Audit
CHAPTER 5: FOLLOW-UP
PROCEDURES FOR DETAILS
5.1. THE CLOSING MEETING
It is important to maintain good communication with the Head of the PSE, the
audited organisation or activity. Good communication ensures the
effectiveness of the audit process. The presentation of the draft audit report
and an outline of its recommendations are key aspects of such communication.
The closing meeting is designed to give a final overview of the audit issues and
recommendations and emphasise the need for urgent action on the part of the
Head of the PSE to reduce the level of identified risks. The Audit Team Leader
should explain to the Head of the PSE the importance of each recommendation
and the consequences for the organisation of a failure to fulfil it.
The closing meeting is not the time to discuss new issues that have not
previously been identified and discussed with the personnel affected by the
issue.
The entire audit team and the Audit Team Leader should be present in the
closing meeting. The Head of the PSE can be asked to begin compiling their
responses at this time, but are not required to submit responses until they
receive a copy of the draft report.
The Head of the PSE should be informed that the goal of the Internal Audit Unit
is to issue the Final Report within three weeks of the draft report date. This
means that responses should be received within two weeks leaving time to
answer any questions or resolve any disputes.
The Head of the PSE should be informed that their responses should identify:
 Specific actions to be taken;
 The individuals responsible for implementing the corrective action;
and
 A timetable for completion.

In addition they should be informed that, if they don’t accept the audit
recommendations, their objections should be substantiated and evidence
attached to support them.
The agenda for the closing meeting includes:

 Discussion of the issues;
 Requirements for Management’s Responses; and
 Audit rating (should always be discussed last).
It should be emphasised at the closing meeting that the internal audit team will
assume that responses submitted by the Head of the PSE have been approved
by the appropriate levels within the entity.
5.2. AUDIT COMPLETION CHECKLIST
The Audit Completion Checklist provides a means of ensuring that all important
matters and audit components have been satisfactorily considered and
evidenced in the working papers. It also serves to record the participation of
the Audit Team Leader and IAU Director.
The Audit Completion Checklist must be:

 Repared and dated by the Audit Team Leader;
 Reviewed, dated and signed by the Director of the IAU; and
 Filed in the audit working papers Current File
Use: TEMPLATE No 26 - Audit Completion Checklist (WP 4002)

Ministry of Finance 73 CHU for Internal Audit
CHAPTER 6: FOLLOW-UP
PROCEDURES AND QUARTERLY
STATUS REPORTS
Internal audit does not end with preparation of the final audit report or the
discussion of the recommendations and submission of the action plan by the
audited organization. It is also necessary for the Director of the IAU and Audit
Team Leader to monitor the implementation of the audit recommendations.

Monitoring is a follow-up process, in which internal auditors assess the
adequacy, effectiveness and timeliness of the actions undertaken by the Head
of the PSE to address each audit’s recommendations.
6.1. FOLLOW-UP PROCEDURES
The Director of the Internal Audit Unit is responsible for ensuring that a process
is in place to monitor that control deficiencies noted in the audit reports have
been addressed.
The planning of the follow-up and the way it is implemented depends on the
following factors:
 The importance of the audited process and the weaknesses
discovered;
 The cost and effort associated with improving the audited process;
 The risk of an adverse event occurring if remedial measures aren’t
taken;
 The scope of the remedial action to ensure that all related
organisational units implement necessary improvements; and
 The time-frame for implementing changes.
Audit follow-up procedures include:

 Confirming a timeframe within which the the Head of the PSE’s
response to the audit findings and recommendations is required (two
weeks is suggested under Part 4.4 above “Overview of the audit
process”);

Ministry of Finances 74 CHU for Internal Audit
 Evaluating the Head of the PSE’s responses;

 Verifying the responses (if appropriate);
 A follow-up audit (if required); and
 Escalating unsatisfactory responses or actions, including the
acceptance of risks, to the appropriate level of management.
To correctly plan follow-up activities, the Audit Team Leader completes a
working document that summarises the recommendations from prior audits.
The scheduled date for monitoring the fulfilment of recommendations is noted
in this document. A week before expiry of the deadline for implementing each
recommendation, the Audit Team Leader should write a reminder letter to the
Head of the PSE. Use: TEMPLATE No 25: Follow-up Schedule (WP 4001)
6.1.1. MONITORING PROGRESS
Follow-up may be accomplished through monitoring, or through more rigorous

follow-up audits. Monitoring would be appropriate when:
 The audited process or activity is of minor importance and does not

constitute a serious obstacle to achieving the main objectives of the
organisation;
 The established weaknesses, errors, shortcomings or irregularities are
not significant;
 The recommendations are easy to fulfil; and
 The remedial action is not complicated.
The auditor can monitor progress by:
 Receiving and evaluating responses to audit findings within the

reasonable period (say, two weeks) after the audit results are
communicated;
 Receiving periodic updates from the Head of the PSE to evaluate the
status of actions to correct reported weaknesses;
 Receiving and evaluating information from other organisational units
that have been given responsibility for implementing the corrective
procedures; and
 Reporting to Head of the Public Sector Entity on the status of the
responses to the audit findings.

There may be instances where the Director of the IAU judges that the the Head
of the PSE’s oral or written responses show that actions already taken are
insufficient when weighed against the relative importance of the finding. On
such occasions, a follow-up audit may be performed as a part of the next audit
engagement.
The following three results are possible:

 The Head of the PSE’s response contains information about the
implementation of the recommendations within the deadline specified
in the action plan. In such a case the Audit Team Leader should send a
letter expressing appreciation to the the Head of the PSE for the
action taken; or
 The Head of the PSE’s reply indicates that the recommendations have
not been fulfilled within the deadline specified and possibly lists the
causes for such non-fulfilment. The Director or Audit Team Leader
should send a letter reminding the Head of the PSE that, regardless of
the reasons for failing to comply, the recommendations must be
followed, and that failure to fulfil the recommendations will be
reported in the annual operations report; or
 No response is received. The Director or Audit Team Leader should
treat the absence of a reply as non-performance within the deadline
specified and undertake the actions described in the preceding item.
The results of monitoring fulfilment of the recommendations should be

reflected in the annual operations report.
6.1.2. FOLLOW-UP AUDIT
This type of audit is applied in any of the following circumstances:

 Serious errors and shortcomings/irregularities were identified in a
previous audit;
 There is a high risk that the Head of the PSE will fail to undertake
follow-up actions;
 Fulfilling the recommendations calls for the development of further
internal rules and regulations;
 The required change refers to the activities of more than one division
or department; or

 Substantial resources are needed to introduce changes in the

organisation.
The Annual Internal Audit Plan should include tasks for monitoring the
fulfilment of recommendations given in previous audits. The timing of the
follow-up audit should be aligned with the schedule for implementing the
recommendations from the previous year’s audit reports.
A follow-up audit review is similar to a regular audit; however the objectives

and scope are narrowed to focus on the deficiencies noted in the previous
report.
The follow-up audit comprises the same planning, performance, and reporting
procedures as a regular audit, with the addition of some special procedures, as
follows:
 Review the audit findings in the previous report to determine the
scope of the follow-up audit;
 Design appropriate audit tests and procedures to evaluate the
corrective action;
 Conduct the audit fieldwork and document the results of the audit
work performed;
 Verify implementation due dates and revise if necessary; and
 Issue a follow-up audit report.
In the course of the follow-up audit a conclusion should be made about

whether the Head of the PSE’s actions have had an impact on reducing the risks
identified in the previous audit and have improved the functioning of the
organization in achieving its aims.
If it is determined that the Head of the Public Entity did not take action to
correct weaknesses and fulfil the recommendations given, the internal auditors
will reflect this in the annual report and communicate it to the superior of the
person or organisation that is responsible. The internal auditors have to analyse
the consequences of non-performance and make an additional risk assessment
as a result of the failure to undertake remedial action. Where high risk is
detected, the internal auditors will plan another audit of the same activity or
process in the following year.

6.2. FOLLOW-UP DATABASE
It is the responsibility of the Director of the Internal Audit Unit to ensure all
follow-up items are entered into a "follow-up database". The job itself may be
delegated to junior members of the IAU. The Director of the Internal Audit Unit
is also responsible for updating the database when a follow-up item is
completed.
The follow-up database is best kept electronically. Back-ups should be taken

monthly on a CD which should be kept in a fireproof cabinet. Print-outs of the
database should be made quarterly and filed in the IAU.
The main activities relating to the follow-up database are:
 Input recommendations as the final reports are prepared;

 At the beginning of the quarter send Informative Letters to auditee
heads;
 Input information about the Head of the PSE’s responses, resolved
issues, revised due dates etc. as soon as it is received;
 Bring forward information about the Head of the PSE’s action on
recommendations to follow-up audits to check the proper resolving;
 Before the end of each quarter send updated quarterly Late Issues
Report to auditee heads for them to complete;
 Input responses received from auditee; and
 Compile quarterly Late Issues Report.
6.3. LATE ISSUES REPORT AND THE ACCOMPANYING LETTERS

At the end of every quarter, each auditee is sent one of the three standard
letters from the Director of the Internal Audit Unit. The letter sent depends
upon whether:
 The auditee has only current recommendations due this coming

quarter;
 The auditee has both current recommendations and
recommendations that have not been resolved by their promised
completion date; or
 The auditee is new to the organization or position or the audit
process.

The 3 letters are formed as follows:
a) Auditee already involved in process, successful in resolving issues

on schedule
Letter = 1.1. + 2 + 3.1. below
b) Auditee already involved in process, unsuccessful in resolving

issues on schedule
Letter = 1.1. + 2 + 3.2. below
c) Auditee first time in the process
Letter = 1.2. + 2 + 3.3. below
1.1. Standard opening text and description of the procedure for

auditees who are aware of the follow-up process
As you are aware, the Internal Audit Unit is responsible for monitoring the
status of all unresolved internal audit issues on an ongoing basis. As part
of our monitoring, we provide quarterly reports to all department heads
of both their issues that are scheduled for resolution during the current
quarter, as well as those issues that are considered "late" (i.e., any issue
that has a "revised" date which is greater than the "promised" date).
Attached is a report relating to the status of internal audit issues relating
to your department.

1.2 Standard opening text and description of the procedure for

auditees who are involved first time of the follow-up process
As part of the Internal Audit Unit’s ongoing responsibility to monitor the

control environment related to management of public budget, we
currently have a process in place whereby all internal audit issues;
including late issues (i.e., those items that have "revised" dates that are
greater than the "promised" date are tracked until resolved).
2. Standard main body of the letter (all occasions)
As a reminder, the following summarizes our process:
a) During the first month of each quarter, the Internal Audit Unit will
send Informative Letters (using the Late Issues Report template) to each
responsible individual within your organisation of all outstanding issues
that they have committed to resolve (late issues, issues due during the
current quarter, and issues due in future quarters). This notification is for
information only and does not require a response back to the IAU.
b) During the first week of the last month of each quarter, the IAU will
send a written request (using the Late Issues Report template) to each
responsible individual within your organisation requesting them to
provide us with a written status of all of their audit issues that are
scheduled for resolution during the current quarter, as well as previously
reported late issues.
c) The IAU determines that issues are late (i.e., not resolved as of the end
of the quarter) based upon the completed templates received. Failure to
respond to our written request will cause us to consider the issues to be
late.
d) The IAU communicates all late issues in a Late Issue Report to the
head of the organisation.

3.1. Completion of the follow-up message to the manager of

an audited entity who has been successful in resolving all
issues within the deadline
Congratulations to you and your team on resolving all issues resolved

by the end of the xxx quarter. (will be modified as appropriate). Your
continued support to ensure that prompt attention is given to any
issues scheduled for resolution during the yyy quarter (will be modified
as appropriate) is greatly appreciated. If you have any questions about
tracking our process or the issue in your report, please feel free to
contact me at zzz (phone or email to the Director of Internal Audit Unit)
3.2. Conclusion of the follow-up message to the head of an auditee

that has been unsuccessful in resolving all issues within the agreed
deadline
We will continue to work with the responsible individuals in your

organisation to ensure that all of the late issues are promptly addressed
and resolved. As noted in the “Comments” column on the attached
report, there are numerous reasons why these issues have not been
resolved. However, due to the volume of issues contained in our
tracking database, we cannot render any conclusion as to the
appropriateness of the explanations for the delay. Accordingly, an issue
which is still open beyond the "promised" date will continue to be
reported as late, regardless of the reason for the delay, until it is
resolved. Your continued support in ensuring prompt attention to these
issues is greatly appreciated. If you have any questions regarding our
follow-up process or the issues in your report, please contact me at […]

3.3. Conclusion of the follow-up message to the head of an auditee

who gets the quarterly follow-up report for the first time
We have attached a report highlighting all late issues as of Month day

(will be modified as appropriate) for your organization. As noted in the
“Comments” column on the attached report, there are numerous
reasons why these issues have not been resolved. However, due to the
volume of issues contained in our tracking database we cannot render
any conclusion as to the appropriateness of the explanations for the
delay. Accordingly, an issue that is still open beyond the “promised”
date will continue to be reported as late, regardless of the reason for
the delay, until it is resolved. In addition, we have also attached a
report of all issues scheduled for resolution during the yyy quarter (will
be modified as appropriate) for your organisation. Your support in
ensuring prompt attention to these issues is greatly appreciated. If you
have any questions regarding our follow-up process or the issues in
your report, please contact me at zzzzzz
Late Issues Report
These detailed reports of the currently scheduled recommendations and late

recommendations provide:
 The audit number;

 Audit title;
 Department head’s name;
 Brief description of the recommendation;
 The promised completion date; and
 Revised completion date (if applicable)
6.4. MEETINGS WITH AUDIT COMMITTEE
Each quarter, the Director of the Internal Audit Unit meets with the Audit
Committee to discuss progress to date against the approved audit plan,
significant issues noted during the quarter from the audits completed, the
status of outstanding and late recommendations, and other items of interest.

Quarterly status report
The Director of the Internal Audit Unit is responsible for submitting a quarterly
status report to the Audit Committee and to the Head of the Public Sector
Entity. The purpose of the status report is to keep the Audit Committee and the
Head of the PSE informed of status of all audit work. Use: TEMPLATE No 30 -
Quarterly Status Report (WP 4006)
6.5. WORKING PAPERS AND AUDIT FILES MANAGEMENT
The organisation and documenting of the audit work are carried out through
the use of two types of dossiers - the current and permanent audit files.
The purpose of the permanent audit file is to provide auditors with a source of
background information about the organisations or processes being audited
thus allowing them to obtain a greater understanding of their systems and
activities. The permanent audit file should be updated each year and will thus
provide the auditor with the most updated information available.
The current file should include all the documents prepared during the planning,
field work reporting and follow-up phase.

CHAPTER 7: SUPERVISION
7.1. SUPERVISION AREAS AND ACTIVITIES BY DIRECTOR OF IAU
The Director of the Internal Audit Unit is responsible for assuring that internal
audit assignments are properly supervised.
Supervision is a process that begins with planning and continues throughout

the fieldwork, reporting, and follow-up phases of the audit.
Supervision includes:
 Ensuring that the auditors assigned possess the requisite knowledge,

skills, and other competencies to perform the assignment. It must be
done during planning when mobilizing the team and through coaching
and review during the execution stage;
 Providing appropriate instructions during the planning of the
assignment, and approving the Audit Plan;
 Ensuring that the approved Audit Plan is carried out unless changes
are both justified and authorized;
 Determine that audit working papers adequately support the
assignment observations, conclusions, and recommendations;
 Ensuring that audit communications are accurate, objective, clear,
concise, and timely;
 Ensuring that audit objectives are met; and
 Providing opportunities for developing internal auditors’ knowledge,
skills, and other competencies.
Appropriate evidence of supervision should be documented and retained. The
extent of supervision required will depend on the proficiency and experience of
internal auditors and the complexity of the audit. The Director of IAU has
overall responsibility for review but may designate the Audit Team Leader to
perform the review.
All internal audits, whether performed by the IAU or by an external service

provider, remain the responsibility of the Director of the Internal Audit Unit.
The Director of the Internal Audit Unit is ultimately responsible for all
significant professional judgments made in the planning, field work, reporting,

and follow-up phases of the assignment. The Director of the Internal Audit Unit
should therefore adopt suitable means to ensure that this responsibility is met.
Suitable means include policies and procedures designed to:
 Minimize the risk that professional judgments may be made by

internal auditors or others performing work for the internal audit
activity that are inconsistent with the professional judgment of the
Director of the Internal Audit Unit such that a significant adverse
effect on the assignment could result – the main risk-management
procedure is that no communication should be made without the
knowledge and agreement of the Director of Internal Audit Unit; and
 Resolve differences in professional judgment between the Director of

the Internal Audit Unit and IAU members over significant issues
relating to the assignment. Such differences may include or require:
(a) discussion of pertinent facts; (b) further inquiry or research; and (c)
documentation and disposition of the differing viewpoints in the audit
working papers.
All working papers should be reviewed to ensure that they properly support
the audit conclusions and that all necessary audit procedures have been
performed. The reviewer should initial and date each working paper after it is
reviewed. Reviewers may make a written record of questions arising from the
review process. When clearing review notes, care should be taken to ensure
that the working papers provide adequate evidence that questions raised
during the review have been resolved.
Acceptable alternatives with respect to disposition of review notes are as

follows:
 Retain the review notes as a record of the questions raised by the
reviewer and the steps taken in their resolution; or
 Discard the review notes after the questions raised have been
resolved and the appropriate engagement working papers have been
amended to provide the additional information requested.
The TEMPLATE No 26 “Audit Completion Checklist” (working paper 4002), is a

key quality review document, and is used by the Audit Team Leader and
Director of the IAU to verify that all steps in the audit have been completed.

Any missing work must be properly completed before the audit can be
considered complete.
7.2. MANAGING FEEDBACK FROM AUDITEES
The “Audit Feedback Survey Form” should be distributed by the Director of

Internal Audit Unit to the auditees. When selecting the recipients of the survey
the Director should use the following as guidelines:
 Recipients should hold a supervisor/manager or higher level position;

 Recipients should include persons with whom the audit team
interacted most frequently, and,;
 At least one person from each department involved in the audit
should be included.
Standard 1300 – Quality Assurance and Improvement Program

The Chief Audit executive must develop develop and maintain a quality
assurance and improvement program that covers all aspects of the internal
audit function.
Standard 1310 – Requirements of the Quality Assurance and Improvement
Program
The quality assuarance and improvement program must include both
internal and external assessments
The completed survey forms are sent back to the Internal Audit Unit, where
they are summarised and the results provided to the Director of the Internal
Audit Unit. A summary of the results of these “Audit Feedback Survey Forms”
should be included in or appended to the Annual Internal Audit Activity Report.
The “Audit Feedback Survey Form” should be sent to respondents with the final
report.
Use: TEMPLATE No 27 - Audit Feedback Survey - COVER LETTER (WP 4003)
and TEMPLATE No 28 - Audit Feedback Survey - FORM (WP 4004)


Doracaku I Auditimit Të Brendshëm (Pjesa e II)

Uploaded by

Copyright:

Available Formats

You might also like

Doracaku I Auditimit Të Brendshëm (Pjesa e II)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Doracaku I Auditimit Të Brendshëm (Pjesa e II)

Uploaded by

Copyright:

Available Formats

Ministry of Finance and Transfers 2 CHU for Internal Audit

Internal Audit Manual – Part II: The Audit Process

EU Support to Improving Public Management, Control, and Accountability in Kosovo

In recent years, the profession of internal audit has undergone rapid

A key issue in bringing modern audit to public sector entities in Kosovo is

EU Support to Improving Public Management, Control, and Accountability in Kosovo

operate more efficiently, effectively and economically. Being a partner means

EU Support to Improving Public Management, Control, and Accountability in Kosovo

CHU-IA Central Harmonisation Unit

EU Support to Improving Public Management, Control, and Accountability in Kosovo

“Internal audit” is an independent and objective advisory activity in

A “systematic” and “disciplined” approach to internal audit is achieved by

This part of the manual is supplemented by Templates of Audit Working Papers

EU Support to Improving Public Management, Control, and Accountability in Kosovo

 Phase 1000 Audit Planning

EU Support to Improving Public Management, Control, and Accountability in Kosovo

CHAPTER 1: OVERVIEW OF THE

Input Processing Output

EU Support to Improving Public Management, Control, and Accountability in Kosovo

The systems audit is a “step-by-step” process. However, steps should not be

EU Support to Improving Public Management, Control, and Accountability in Kosovo

CHAPTER 2: AUDIT PLANNING

The planning phase is critically important for the efficient performance of an

 Preparing for the audit; and

 Document the audited process to understand how it operates;

An audit plan is prepared at the start of every audit assignment envisaged in

EU Support to Improving Public Management, Control, and Accountability in Kosovo

Annual audit plan Set out audit scope and

Identify and assess risks

Formulate control objectives

Assess the control

Continue Weak Select substantive

Select the audit strategy

Prepare the Planning

EU Support to Improving Public Management, Control, and Accountability in Kosovo

The sequence of events illustrated by the above diagram is discussed further in

Planning step for the specific audit Included within chapters in

1. Definition of the audit objectives See sub-parts 1.2 and 1.3

2.2 Gathering hystorical Sub-part 1.1.2

3. Identifying risks and formulating the Sub-part 1.5

6.2 Assessemt of the information Nën-pjesa 1.6.5

7. Slection of the audit approach Part 1.7

8. Drafting the final planning Part 1.8

EU Support to Improving Public Management, Control, and Accountability in Kosovo

In addition it is useful to understand how the management process relates to

Management process Audit process

Process/ unit Decide on audit scope

Decide upon the audit objectives

EU Support to Improving Public Management, Control, and Accountability in Kosovo

2.1.1. Understanding and documenting the activity/process to be audited

TEMPLATE No 1 – Audit Planning Checklist (WP 1001)

EU Support to Improving Public Management, Control, and Accountability in Kosovo

APPROACH 1 – where internal audit activity is performed by internal

The understanding of the activity is achieved by collecting and studying

 Legislation and internal regulations and procedures that concern the

EU Support to Improving Public Management, Control, and Accountability in Kosovo

EU Support to Improving Public Management, Control, and Accountability in Kosovo

APPROACH 2 - Fulfilment of an audit assignment, where the internal