Internal Audit Manual (Part II) (Doracaku I Auditimit Të Brendshëm, Pjesa e II)
CONTENTS
Foreword
Acronyms
Introduction
Chapter 1: Overview of the Audit Process
Chapter 2: Audit Planning
Chapter 3: Fieldwork
Chapter 4: Reporting and Audit Closure
Chapter 5: Follow-Up Procedures for Details
Chapter 6: Follow-Up Procedures and Quarterly Status Reports
Chapter 7: Supervision
FOREWORD
This Manual was prepared by the Ministry of Finance,
Central Harmonization Unit for Internal Audit, in
cooperation with experts from the EU-funded project
“Further Support on Public Internal Financial Control and
Internal Audit” and subsequently revised under the EU
project “Support to Improving Public Management, Control & Accountability”
and the USAID project "Transparent, Effective, and Accountable
Municipalities", to comply with the requirements of the
Law on Public Internal Financial Control and International Internal Auditing
Standards.
This Manual is available in three languages, Albanian, Serbian and English, and
comprises two parts supplemented by various material that is available on the
CHU-IA website:
https://mf.rks-gov.net/page.aspx?id=1,79
The first part concerns managing the internal audit function, introducing the
role of the main stakeholders, outlining the guiding principles and policies, and
describing the important processes for developing strategic and annual audit
plans.
The second part details the activities of the audit team as it proceeds through
an individual audit and will be useful as a pocket guide to auditors as they work
on their audit assignments.
ACRONYMS
AC Audit Committee
ATL Audit Team Leader
CHU-IA Central Harmonization Unit for Internal Audit
COSO Committee of Sponsoring Organizations of the Treadway Commission
HEAD OF PSE/CAO Head of Public Sector Entity/Chief Administrative Officer
IAU Internal Audit Unit
LPFMA Law on Public Financial Management and Accountability
PSE Public Sector Entity
WP Working Paper
INTRODUCTION
This is Part II of the Internal Audit Manual for internal audits in the Kosovo
public service.
This part of the manual outlines the activities that internal auditors carry out
within the framework of an individual audit assignment, the participants in the
process, and their functions and responsibilities in each phase of the audit
process (planning, field work, reporting and follow-up).
The manual does not consider audit consultancy assignments that internal
auditors may be asked to perform from time to time, as the approach to each
consulting assignment will vary according to the circumstances.
These Working Papers are provided to guide internal auditors through the audit
process and ensure that appropriate material is gathered during the audit to
fulfil the Standards for audit documentation. Internal audits may take many
different forms depending on the process or organisation being examined and
the audit approach that is being applied. Consequently not all the standard
working papers will be relevant for all audits – some may need to be replaced
or modified and some additional Working Papers may need to be created.
Therefore the internal auditors should use their judgment in determining what
Working Papers are appropriate for each audit.
The Audit Working Papers apply to the four phases of each individual audit:
audit planning; fieldwork; reporting; and follow-up. The working papers are
organized by phase and it is suggested they are given reference numbers
according to the following scheme:
It is assumed for the purpose of this part of the manual that the individual audit
assignment is being done within the context of a Strategic Audit Plan and an
Annual Plan. The methodology and procedures for strategic and annual
planning are presented in the Part I of the Internal Audit Manual.
All terms used in this volume are explained in the Glossary presented with Part
I of the Internal Audit Manual.
The principles applying to financial management and control systems are set
out in the Law on Public Financial Management and Accountability (LPFMA).
Internal auditors should be familiar with this Law and support the Head of the
PSE in its implementation. They should conduct in-depth analyses of the
financial management and control systems to assess the effective functioning
of the control mechanisms. In other words, the emphasis should be on auditing
systems, as opposed to examining transactions.
In systems audits the auditors form an opinion about the control mechanisms
that are in place, how they operate and what is their impact on the objectives
of the organisation. This is done by examining and evaluating the processes in
the organisation, as illustrated by the following figure:
[Figure: process model of the audited organisation; the figure's labels are "Control" and "Feedback"]
Each process in the organization being audited has its own objectives. Internal
auditors must be familiar with all processes and focus audit attention on those
that are significant or prone to risk. Knowing the goals, resources, process flow
and results of the processes, auditors are able to define the objectives and
scope of internal audit.
The key to a high quality audit is the auditors’ approach to the planning and
conduct of the audit. To ensure consistent high quality, internal auditors apply
a standard approach to each audit. This standard audit process has four phases:
planning, fieldwork, reporting and monitoring of the implementation of
recommendations (including follow-up). These phases are discussed in the
following Chapters.
In the course of preparing for the audit the internal auditors should:
At the end of this stage, the Team Leader and the members of the audit team
draw up the audit plan.
The following diagram illustrates the process of planning for the audit:
[Figure: audit planning process. Labels in the diagram: Understand objectives of the audited process/unit; Gather information; Risk assessment; Control objectives; Controls and risk response; Information and communication; DICE form related documentation; Audit field-work; Testing of controls by audit; Audit report; Monitoring; Actions to improve]
The first Audit Planning working paper, number 1001, is a simple checklist
that the Audit Team Leader can use to signify that each working paper has
been duly completed. If a working paper on the list is not to be completed,
the Audit Team Leader should strike it through as not required. Any
additional working papers created for the audit should be added at the
bottom of the list and initialled by the Audit Team Leader to demonstrate
his/her approval.
The annual plan of the IAU is the basis for assigning auditors to specific audits.
Once assigned, the Audit Team Leader should work with the audit team to plan
the specific audit work. The work depends on whether the internal audit
activity in the organization will be done by:
a) An IAU;
b) Shared Internal Audit Unit; or
c) The IAU team within the Ministry of Finance and Transfers.
Where the internal audit team is less familiar with the organisation, as in
cases (b) and (c), the team members must devote more time to prior study and
preparation of the audit assignment to ensure they have adequate knowledge
of the audited activity/process and the established financial management and
control systems.
As a starting point, the audit team should refer to the material in the
Permanent File. The team should then consider what additional information
may be needed and collect it for addition to the Permanent File as necessary.
The audit team analyses the information collected and prepares for the initial
meeting with the Head of the audited PSE.
The Audit Team Leader will judge whether the understanding achieved is
sufficient or if it is necessary to request additional documentation and
explanations from the Head of the PSE. As a result of the work performed at
this stage, the audit team defines in broad terms the objectives and scope of
the audit that are then discussed at the initial meeting with the Head of the
PSE. After this discussion the Audit Team Leader may supplement or amend the
original objectives, taking into account the opinion of the management on
contentious areas. At a later stage the objectives will be specified in more
detail, and the precise scope of the audit will be defined for incorporation in
the final audit plan.
When the Audit Team Leader is ready to initiate the Internal Audit, s/he will
write to the management responsible for the unit or process to be audited to
inform them of the impending audit, seek a meeting to obtain background
information, and indicate the audit team’s requirement for office space and
equipment. This letter should be sent so that it is received at least a week prior
to the requested meeting. Use: TEMPLATE No. 2 - Request for Initial Meeting
(WP 1002)
The reason for requesting the information is to ensure the auditor has a
sufficient understanding of the organisation unit or process to identify and
evaluate controls and design appropriate tests. The Audit Team Leader should
first consult the Permanent File to determine what information is already in the
possession of the IAU and should limit the request for additional information
about the organisational unit or process that is not on the permanent file.
Further, the Audit Team Leader should not seek copies of all information at this
stage, but should ask where the information can be accessed, such as web
sites, central files, corporate publications and so on, so that the audit team can
follow up.
While completing this step, the auditors should use data from the Permanent
File, the results of former audits, and meetings and interviews with the
Head of the PSE and other responsible experts. To collect additional
information, internal auditors may draw up and provide questionnaires to
employees, for completion as part of the audit. Use: TEMPLATE No 4 – Internal
Control Questionnaire (WP 1004)
The Director of the IAU should ensure that the Head of the PSE is familiar with
the Strategic and Annual Plans, and should also inform the Head of the
organisation of the planned audit activity. This is an important courtesy.
Reasonable advance notice of each audit should be sent in writing to the
highest-ranking manager of the audited PSE.
The auditors will obtain information from various sources (such as the
Permanent File for the organisation, the sources identified by the audit
manager in the Initial Meeting and subsequently, the Internal Control
Questionnaire) and will review it to identify avenues for further
investigation. This information, and the suggested audit procedures, will
be recorded on this form and initialed by each auditor who contributed.
The Audit Team Leader will review and sign the form as part of the
ongoing quality assurance for the audit.
When choosing data collection methods, internal auditors must judge which
method is most efficient at satisfying the objectives of the review. The choice
will depend on the professional judgment of the auditor and will reflect the
auditor's understanding of the audited organization, the type of the audit and
the specifics of the assignment.
At this stage of the planning phase the internal audit team should have a good
understanding of the processes on which they are focusing and the audit
objectives and scope for the audit will have been specified. Now the steps of
the audited process must be documented. For this purpose a working paper
”Analysis of System Risks” is used. Auditors use this document to identify the
processes they will test. Use: TEMPLATE No 12 – Analysis of System Risks (WP
1012)
This working paper records the following key elements: the process to be
audited; the objective of the process; the steps, risks and control procedures
related to the process; and, assessment of the risks related to the process. In
this way, the entire audit process is reflected in the working paper.
The audit objectives determine the work to be carried out by the internal
auditors.
Internal auditors specify the audit objectives at the same time as identifying
control objectives. The control objectives are related to the objectives of the
audited process.
Control objectives are the basis for identifying the risks in a process and for
assessing the adequacy of the controls established to manage the risk.
It is important that internal auditors obtain the Head of the PSE's agreement on
control objectives prior to identifying risks and assessing the control activities.
The difference between audit objectives and control objectives is shown in the
following example:
Audit of the process for defining, calculating and paying remunerations at PSE
X (Payroll Audit)

Audit objectives:
To assess whether the payroll process functions in compliance with the relevant
legislation, management policies and procedures;
To ensure that the payroll systems operate so that staff are paid correctly and
on time.

Audit scope:
The audit will cover all current payroll procedures operating within the Ministry
X from the commencement of employment of a new member of staff to the
point at which s/he retires from or leaves the Ministry;
The audit will exclude the processes and procedures operated by other
departments or agencies on behalf of the Ministry.

Control objectives:
To ensure payroll deductions are correctly accounted for and paid to the third
parties to whom they are due.

For a different type of audit (public procurement) a control objective may be
phrased as a question: Have the requirements for awarding public contracts
been met, and have appropriate control mechanisms to ensure fulfilment of the
regulatory requirements been put in place?
The way objectives are formulated depends largely on the type of audit to be
conducted. The annex at the end of the manual gives some examples of audit
objectives for different types of audit.
Please see details in ANNEX No 2 – List of Objectives for Internal Audit
The objectives and procedures of the assignment, taken together, define the
scope of the internal audit and must be directed to address the risks associated
with the process being checked.
Before the initial meeting with the Head of the PSE, the internal audit team
must define an audit scope that will achieve the objectives for the audit that
were developed in the Annual plan.
The audit scope should define the following parameters of the audit
assignment:
Audited period;
Name of the audited process;
Documents to be checked; and
Place of conduct of specific checks.
The scope may be constrained by factors or events that reduce the ability of
the auditor to express an independent and professional opinion on the audited
process. Such constraints may relate to:
The access of internal auditors to assets, documents, information and
key officials with respect to the objectives of the audit; or
The available human resources and the timetable for the auditor work.
The Director of the IAU or the Audit Team Leader should call a meeting with
the Head of the PSE after the preliminary study of the audited process is
complete, and the scope and objectives of the audit have been defined.
Holding an initial meeting with the Head of the PSE is important for the
efficient fulfilment of the audit assignment and will pave the way for a
cooperative relationship during the course of the audit. The initial meeting
should set a positive tone for the engagement and should calm any
management anxieties.
Template No. 7 provides a draft agenda that can be attached to the “Request
for Initial Meeting” and used to guide the initial meeting. The Audit Team
Leader should modify it to suit the circumstances.
The Audit Team Leader will discuss with the Head of the PSE the planned start
and end dates of the audit, and wherever possible should adapt them to
synchronise with other organisational commitments. The Head of the PSE may
use the opportunity to identify specific risks in the audited process that are not
covered by the audit plan, which the audit team should consider for inclusion in
the audit scope.
The auditor should ensure that all those in management who need to know
about the audit are properly informed, and meetings should be held with
managers who are responsible for the activity being examined. A summary
record of matters discussed at meetings and any conclusions reached should be
prepared, distributed to individuals as appropriate, and retained in the
engagement working papers.
Auditors must understand the internal control system that the Head of the PSE
has designed and implemented. The basis for reviewing the control systems is
provided by the COSO internal control systems model.
Auditors should address this model in a systematic way to ensure efficient use
of audit resources. Accordingly, the internal control system evaluation is
performed in the following sequence:
Understand the objectives and nature of a program/function/process
and define risks related to them, assess risks;
Assess the control environment;
Assess the management controls and the process for monitoring their
effectiveness;
If the auditor decides that the control environment is weak then a no-
control reliance audit approach should be adopted. In this scenario do
not assess the other internal control systems elements;
If the assessment at point (d) is that the control environment is
medium to strong, then the auditor should proceed to identify and
assess key application controls. There may well be very many
application controls, in which case the auditor should select key
controls that mitigate more than one risk; and
Note that the concept of control environment usually relates to the whole
audited organisation. If the auditor has previously prepared an assessment of
the control environment, it should only need updating when there have been
significant changes in management, organisational structure, human resources,
or organisational policies.
Attention!
Controls are all activities of management that aim to increase the probability of
the organisation’s objectives being achieved by reducing or eliminating the
impact of identified risks.
Controls are:
The auditor’s assessment of controls directly impacts how many checks will be
conducted during the audit.
Identifying Controls (the original flowchart, rendered here as a sequence of
questions):
1. Is it automated? Yes: it is an application control. No: go to question 2.
2. Is it preventative? Yes: it is an application control. No: go to question 3.
3. Is it checking that an application control has been performed? Yes: it is a
Management Monitoring Control. No: go to question 4.
4. Is its primary purpose to help management run the business? Yes: it is a
Management Monitoring Control. No: it is probably not a control!
The second assessment stage could be performed using the checklist from
TEMPLATE No 8 - Checklist for Management Controls (WP 1008). This checklist
presents a series of questions to which the auditor should determine the
answers:
1. Does the Head of the PSE periodically (at least quarterly) review
reports to detect potential problems/errors?
2. Is the Head of the PSE competent to identify problems from those
reports?
3. Does the Head of the PSE get timely feedback on the causes of problems, if
any have been identified?
4. Does the Head of the PSE initiate corrective actions in response to the
information about problems?
5. Does the Head of the PSE check for the successful implementation of
corrective actions?
6. Does the Head of the PSE ensure through (delegated) reality checks
the sufficient achievement of objectives and progress?
7. Does the Head of the PSE react with constructive action on audit
reports/findings?
If all these questions can be answered affirmatively, i.e. “YES”, then the
controls can be considered “effective”. If there is one ”NO” answer, the
management controls should not be assessed as “effective”.
Application controls differ from management controls in that they are not
performed on aggregated (sum of) transactions, but are exercised on each
transaction individually.
Using the results of the internal control system evaluation as described in the
preceding chapters, the auditor must select the appropriate audit approach.
This involves deciding how much to rely on the controls based on the
assessment of the controls and the environment in which they operate.
The key question for an auditor is: how much and what work should I do to
minimize my audit risk, i.e. the risk of arriving at wrong conclusions?
The audit risk is higher when the control system is weak and lower if the
control system is strong. The auditor has to choose how much audit work and
which audit activities should be conducted, based on the results of the
assessment of the internal control system.
Option 1: No reliance on controls (control environment assessed as weak).
Audit approach: The audit will not include any tests of controls (as controls
cannot be relied upon). Instead, the auditor will perform analytical review and
substantive tests of transactions for financial and compliance audits. In the
case of a systems audit, the auditor should advise the organisation as to what
management and application controls are required and recommend
improvements to the control environment, using examples of control failures
or poor risk management to demonstrate the problem.

Option 2: No reliance on controls where management controls are not
effective, i.e. management is not able to detect problems if they occur and
corrective action by the management is not assured.
Audit approach: The audit will not include any tests of controls (as they cannot
be relied upon). Instead the auditors should perform extensive analytical review
and substantive tests of transactions in the case of financial or compliance
audits. In the case of a systems audit the auditor should again recommend
controls that need to be designed. Examples of control failures or poor risk
management should be used to demonstrate the problem.

Option 3: Partial reliance on controls. This applies when the control
environment has been assessed as medium or high and management controls
have been assessed as medium at the planning stage, with some key
application controls considered to be effective when they were tested at the
planning stage. The use of this option assumes that the auditors have audited
the process under review before, so there is some accumulated audit
knowledge and experience.
Audit approach: The auditor should perform analytical reviews and conduct
further testing of management controls and key application controls,
supplemented by limited substantive testing of transactions.

Option 4: Reliance on controls. The use of this option assumes that the
auditors have audited the process under review before, so there is significant
accumulated audit knowledge and experience.
The logic behind this approach is that if a material problem had occurred on
any individual transaction, management controls would have identified it and
at the application control level the error would have been prevented or
corrected. Therefore the focus is on testing to check that the controls work as
intended instead of looking for errors that have slipped through on individual
transactions.
Audit approach: The auditor should focus on testing management controls and
key application controls with minimal substantive tests.
a) Monetary value
The larger the amount of money involved the bigger is the risk (e.g. risk of
misusing funds or making ineligible payments). Therefore projects, contracts
and detailed transactions are sorted by their size in monetary terms and the
biggest ones selected into the sample.
b) Potential fraud and frequency of irregularities
The Head of the PSE gathers information from different sources (e.g. exception
reports, irregularities database) to record, prevent and understand risks and
irregularities. The units with the highest record of irregularities in their
transactions should be selected into the sample before units with no record of
problems.
c) Change
If the programme period in question is one calendar year, the controls should
not be tested just at the beginning of the year but should be tested evenly
across different periods throughout the year.
If the program period is more than one calendar year, the auditors should aim
at auditing as much as possible from the total program volume. In order to
facilitate this in practice:
While auditors may use their own judgment, the following guidance is provided
for determining sample size:

| Population size        | Sample size                 |
|------------------------|-----------------------------|
| Less than 1,000 units  | Select one third of the units |
| 2,000 units            | 371 units                   |
| 5,000 units            | 418 units                   |
| 10,000 units or more   | 450 units                   |
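The three selection criteria above (monetary value, irregularity history, spread across periods) and the sample-size table can be applied mechanically. The following Python example is added here and is not part of the manual or its templates: it derives a sample size from the table and then selects sampling units period by period, preferring within each period transactions from units with a record of irregularities and then the largest amounts. The Transaction record layout, the constructed population, the list of flagged units, the ordering of irregularity history ahead of amount, and the step-wise treatment of population sizes that fall between the table's rows are all assumptions made for the illustration.

```python
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """One sampling unit (assumed record layout, not taken from the manual)."""
    ref: str       # document reference
    unit: str      # organisational unit that processed the transaction
    period: int    # period of the programme year, e.g. month 1..12
    amount: float  # monetary value


# Sample-size guidance from the manual as (upper population bound, sample size).
# Populations between two rows take the size of the next row up; that step-wise
# reading is an assumption, the manual only lists the rows shown in its table.
SAMPLE_SIZE_TABLE = [(2000, 371), (5000, 418)]
MAX_SAMPLE_SIZE = 450  # 10,000 units or more


def sample_size(population: int) -> int:
    """Return the sample size the manual's table suggests for a population."""
    if population <= 0:
        return 0
    if population < 1000:
        return math.ceil(population / 3)  # "select one third of the units"
    for upper_bound, size in SAMPLE_SIZE_TABLE:
        if population <= upper_bound:
            return size
    return MAX_SAMPLE_SIZE


def select_sample(transactions, irregular_units, size=None):
    """Select sampling units applying the manual's three criteria.

    - Change: the sample is spread evenly across periods by taking one
      transaction per period in turn (round robin) until the size is reached.
    - Potential fraud / irregularities: within a period, units with a record
      of irregularities are taken before units without one.
    - Monetary value: within a period, larger amounts are taken first.
    """
    if size is None:
        size = sample_size(len(transactions))
    size = min(size, len(transactions))  # guarantees the loop below terminates

    by_period = defaultdict(list)
    for tx in transactions:
        by_period[tx.period].append(tx)
    for txs in by_period.values():
        # False sorts before True, so flagged units come first; then amount descending.
        txs.sort(key=lambda tx: (tx.unit not in irregular_units, -tx.amount))

    queues = [by_period[p] for p in sorted(by_period)]
    sample = []
    while len(sample) < size:
        for queue in queues:
            if queue and len(sample) < size:
                sample.append(queue.pop(0))
    return sample


# Constructed population for the illustration (not real data).
POPULATION = [
    Transaction("INV-001", "Finance", 1, 100.0),
    Transaction("INV-002", "Finance", 1, 5000.0),
    Transaction("INV-003", "Procurement", 1, 200.0),
    Transaction("INV-004", "Finance", 2, 9000.0),
    Transaction("INV-005", "Procurement", 2, 50.0),
    Transaction("INV-006", "Finance", 2, 10.0),
    Transaction("INV-007", "Finance", 3, 300.0),
    Transaction("INV-008", "Finance", 3, 20.0),
    Transaction("INV-009", "Procurement", 3, 700.0),
]
# Units flagged in the Head of the PSE's irregularities records (constructed).
IRREGULAR_UNITS = {"Procurement"}

if __name__ == "__main__":
    for tx in select_sample(POPULATION, IRREGULAR_UNITS, size=5):
        print(tx.ref, tx.unit, tx.period, tx.amount)
```

With a size of 5 the selection takes the flagged Procurement item from each of the three periods first, then the two largest remaining amounts from periods 1 and 2; the round-robin order is what keeps the sample from bunching in the first months of the year.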
The audit planning phase ends when the Audit Plan has been fully developed.
The content of the Audit Plan will vary depending on the size and complexity of
the area audited, but should contain the following types of information about
the audit:
Section I: Background
This section contains three elements that summarise the team’s understanding
of the organisation and processes being audited. The first concerns the
organisation and processes, and should read something like the following:
“The process we will audit is called <process name> and is the primary
responsibility of <organisation name>. Other organisational units and external
bodies involved in this process are <name of organisations>. The objective of
the process is to <state objective>, and the organisation accomplishes this
through <x> steps, which are conducted at the following locations <list
locations>”.
The second element outlines the Law which legally empowers or obliges the
organisation being audited to perform the process, noting specific sections or
clauses of particular significance, and summarises any regulations or
procedures that define how the objective of the process is to be achieved.
Finally, this section includes a list of factors identified during the analysis of
planning data that could have a material impact on the conduct of the audit.
Section II: Scope
The purpose of this section is to describe what is included in the audit and also
what is not. Identify the organisation units and processes that are subject to
audit and the key positions that are responsible for them. Include a statement
about which geographic locations of the organisation unit or process will be
covered. Also describe any constraints to scope, specifically indicating any
areas that will not be covered where there is any room for misunderstanding.
Section III: Risk Assessment
This section should summarise the audit team’s review of the risk management
approach adopted by the organisation being audited and their assessment of
the risks.
Section IV: Audit Approach
This section describes how the team plans to achieve the audit objective and
fulfil the requirements of the Internal Audit standards by presenting an audit
programme which summarises the test procedures that were documented in
the Control Test Procedures working papers including:
Section V: Resources
Identify the members of the team and confirm their availability, independence
and qualification to participate. Specifically indicate who is responsible for
quality assurance.
Indicate any special skills, e.g. IT expertise or asset valuation, that the audit will
require to be sourced from outside the IAU.
Note that there is currently no requirement to develop a cost budget for each
audit since there are no budget lines for internal audit. If this situation changes,
the Audit Plan should include an estimate of out of pocket expenses (usually
travel related) and outsourcing costs that will be incurred by the audit team.
Section VI: Timetable
This section will summarise the information from the Audit Resource Plan
working paper concerning the key activities and their planned dates for
completion.
The Audit Team Leader should sign the Audit Plan and indicate the date it was
prepared. The Audit Plan should also be approved by the Director of the IAU.
Use: TEMPLATE No 17 – Audit Plan (WP 1017)
Part of the Audit Plan involves assigning auditors to the various audit tasks that
address the audit objectives. This is important to ensure the required audit
team members are available when needed and that resources are used
efficiently across the IAU’s different audits.
At the beginning of the planning process the Audit Team Leader should identify
the different audit tasks, such as:
These tasks should be entered on the Working Paper. For each of the planned
tasks, the Audit Team Leader should assign team members and estimate the
number of days each team member will need to complete the tasks they have
been assigned.
Working Paper 1015 provides a template for capturing tasks, assigning audit
team members and estimating required time (in hours or days, as preferred).
The template form assumes one Team Leader (TL) and 3 other Team Members
(Q2, Q3, Q4). If the plan calls for more or fewer team members the template
should be modified accordingly. Assuming there is one Team leader and 3 other
Team Members, you will use Column 1 to identify all planned tasks, Columns 2
to 5 to allocate time to each auditor and Column 11 to show when each task is
planned to be completed.
Once completed and signed by the Audit Team Leader, this document should
be reviewed with the Director of the IAU. The review may result in
adjustments. Once the Director is satisfied with the estimate, s/he signs the
working paper to approve the resource plan.
Subsequently the Audit Team Leader will use this form to track how much time
is actually used by each auditor on each task and record the variance. Similarly
the actual completion dates are recorded and a variance of time taken against
the time planned can be noted. This will provide valuable information for
monitoring the productivity of the Internal Audit Unit and for planning
subsequent audits. Use: TEMPLATE No 15 – Audit Resource Planning and
Tracking Form (WP 1015)
As the Audit Team Leader assigns team members to the audit, s/he should
check to ensure the assigned members are not disqualified from the audit.
The corresponding working paper provides the means to collect from each
team member a declaration that they are not disqualified. It takes the
form of a questionnaire which each assigned auditor should complete prior to
commencing the audit. Auditors who are disqualified from participating in
any given audit should be re-assigned.
CHAPTER 3: FIELDWORK
By the end of the planning phase and after completing the detailed activity and
resource planning work, the auditors will have updated the:
Permanent file;
Planning file;
Audit Plan;
Staffing requirements, and the staff to be assigned to each component
of the audit;
Budget requirements;
Timing considerations; and
List of information to be obtained from entity officials.
The internal auditors will use this information during the fieldwork phase of the
audit process to perform the audit work. In particular, the audit program
selected for the audit will guide the detailed activities of the auditor. Use:
TEMPLATE No 18 – Audit Execution Checklist (WP 2001)
These forms document the tests that the auditor conducts to carry out the
planned tests identified in the “Control Test Procedures and Results” working
papers (the series of Working Papers 1013 in the Planning File). There
should be one Working Paper 2002 or 2003 for each form 1013, and they should
be cross-referenced.
Working Paper 2002 relates to tests that are conducted on a single process
step. The auditor develops a test or question to determine whether the
expected control (from Working Paper 1013) is present and working effectively
and documents the question on Working Paper 2002. The auditor then
indicates which sampling units were selected and documents the result of
the test.
When the test has been conducted on each item in the sample, the auditor
concludes as to whether the evidence shows the expected control is present
and whether it is working effectively. Generally it is not necessary for the
control to have been properly executed on every single transaction tested.
Often the auditor can accept up to 2 failures without considering the control to
have completely failed. This process is repeated for all the controls that are to
be tested.
Working Paper 2003 illustrates the approach where the auditor is testing a
transaction through all steps of the process. The form is designed so that all
tests are documented on the same form, rather than using a separate form for
each test.
Each working paper should be initialed and dated by the auditor who
conducted the test procedure, and verified, signed and dated by the Audit
Team Leader.
Internal auditors should check that there is a complete audit trail for all
transactions, and that there are mechanisms to keep the audit trail up to date.
Sufficient testing should be carried out to enable the audit team to reach sound
conclusions about the effectiveness of the systems under examination. The
tests will address the audit objectives that were discussed in the previous
chapter. The content of each audit may be adjusted by the auditor to take
account of any divergence between the actual control environment
encountered during the audit and the control environment that was envisioned
during the audit planning stage that was discussed in the previous chapters.
Information Technology (IT) may be used for tracking financial and accounting
information as well as for tracking operational information, related to business-
specific activities, processes, etc.
The specific controls within each of the above areas are normally a mix of
manual and automated controls. For example, controls ensuring appropriate
security within an information system consist of automated controls that
restrict users’ access to system utilities. However, the functionality and
effectiveness of these automated controls is dependent on manual controls to
ensure that the users’ capabilities properly reflect their responsibilities and
needs.
The internal auditor does not need to have special technical skills to evaluate
many of the general management computer controls. Nevertheless, the auditor
should have sufficient understanding of the IT process, system or program to
identify, assess and test controls over systems development and
implementation, while some of the automated controls over system operations
will need to be tested by IT specialists, especially when assessing security of
access to the systems and data. The IT specialist will be required to test the
program's automated controls, examine the source code, and review the change
control procedures, including version control.
Each of the areas referred to above should be addressed. However, the nature
and extent of testing of general computer controls will depend on a number of
factors:
Complexity of the environment and controls;
Breadth of coverage that a control provides;
Extent to which a control provides assurance over a particular
automated process;
Extent of risk and the assurance required;
Extent of change to systems; and
The effectiveness of the management of the entity’s information
systems and technology activities.
IT staff;
Users; and
Consultants, and other external providers of IT services.
Key information needed for planning the IT audit includes:
Tests of controls should include checks that management and control systems
are operating consistently and effectively. Tests should be carried out on a
sample of transactions selected for the audit. Where the effectiveness of the
management and control system is likely to vary (for example where different
staff are responsible for applying the same checks on different transaction
streams), the auditor should ensure that the sample is representative of these
possible differences. It is important during tests of controls to identify the
reasons for any errors and omissions identified as they might indicate
weaknesses in management and control systems.
The previous Chapter described how the audit team plans for sample-based
tests of controls. The resulting plan guides the audit team as to what tests to
apply and how many items are required to make a valid sample.
In the fieldwork phase, the audit team needs to fulfil the following steps:
Select the sample;
Test the sample items;
The audit team needs to select the number of sampling items determined in
the planning phase. Samples can be selected statistically or non-statistically.
The difference between these two approaches is the method of selecting the
sample items. The planning requirements remain the same, as does the
evaluation process.
Rule 1 affects how the auditor defines the population from which the sample is
to be drawn. This rule applies equally to statistical and non-statistical sampling
and requires the auditor to define the population carefully. For example, if the
auditor wants to rely on an internal control for the entire year, then the
population must include all transactions for the whole year.
Rule 2 relates to how specific items in the population are selected into the
sample. The auditor has a better chance of complying with Rule 2 with a
statistical sample than with a non-statistical sample. When using a non-
statistical sample, though, the auditor should strive to ensure that his/her
sample is as representative of the population as possible.
There are several sample selection methods that are very good at ensuring that
the sample is representative of the population from which it is selected, as
follows:
Random;
Fixed interval (systematic);
Cell (random selection); and
Stratified random.
- RANDOM SELECTION
This method is difficult to use unless the sampling units are already pre-
numbered such as pre-numbered sales invoices, or can easily be numbered
(30 supplier invoices per page and the pages are numbered, for example).
- FIXED INTERVAL (SYSTEMATIC) SELECTION
This method involves choosing a random starting point and then selecting
every nth item. It requires the auditor to have a good idea of the total
number of items in the population. For example, if the auditor knows that
there are 30,000 invoices in the population and needs to draw a sample of
200, then s/he could select every 150th supplier invoice (calculated by
dividing the population size of 30,000 by the sample size of 200). The random
start would be a number between 1 and 150. If, say, the auditor picked a
random start of 50, he/she would select the 50th item, the 200th item, the
350th item, etc.
- CELL SELECTION
This method essentially combines the previous two methods. The auditor
divides the population into cells and then picks a random item from within
each cell. In our example, the first cell would contain the first 150 items,
the second cell items 151 to 300, the third cell items 301 to 450, etc.
Some automated audit (CAATS) tools may offer a fourth method - stratified
random sampling. Using this approach, the population is first stratified
based on monetary ranges, type of transaction, etc., and then a random
sample is drawn from each range. This could be used, for example, to
weight an attribute sample to the larger value items or specific
expenditure types, or to ensure that at least one sample item is drawn
from each expenditure type.
- NON-STATISTICAL SELECTION
In this step, the audit team applies the tests that were developed during the
planning stage to each of the sampled transactions, taking care to fully
document any sample items in which a deviation is found. Sampling items
containing deviations must be clearly identified so they can be retrieved at a
later stage if further investigation or validation of the deviation is required.
The audit team will tabulate the results of the tests of controls, essentially
recording each deviation that has been identified.
If the actual number of deviations found in the sample exceeds the acceptable
number of deviations identified in the planning stage, then the results are
unacceptable and the control will be considered not to be working correctly.
In these circumstances the audit team may consider increasing the sample size
to see if the deviations continue to occur at the same rate. In general though,
the control will be considered to have failed and the audit team should
determine how and why it failed, and develop a recommendation to the Head
of the PSE for improving its future reliability.
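The three selection methods and the acceptance rule described above, as an added example that is not part of the manual. It assumes sampling units are numbered 1..N (as with pre-numbered invoices) and uses constructed data: the 30,000-invoice population and 150-item interval from the text, and an invented list of expenditure items for the stratified case.

```python
"""Attribute-sampling helpers for tests of controls (added example)."""
import random
from collections import defaultdict
from typing import Dict, List, Sequence


def fixed_interval_sample(population_size: int, sample_size: int,
                          random_start: int) -> List[int]:
    """Systematic selection: every nth item starting from a random start.

    The interval is population_size // sample_size (30,000 / 200 = 150 in
    the text) and the random start must lie between 1 and that interval,
    so with a start of 50 the selection is 50, 200, 350, ...
    """
    interval = population_size // sample_size
    if not 1 <= random_start <= interval:
        raise ValueError("random start must be between 1 and the interval")
    return [random_start + k * interval for k in range(sample_size)]


def cell_sample(population_size: int, sample_size: int,
                rng: random.Random) -> List[int]:
    """Cell selection: split the population into cells of `interval`
    consecutive items (1-150, 151-300, ...) and draw one random item
    from each cell, so every part of the population is represented."""
    interval = population_size // sample_size
    selected = []
    for k in range(sample_size):
        low = k * interval + 1
        high = low + interval - 1
        selected.append(rng.randint(low, high))
    return selected


def stratified_sample(items: Sequence[dict], per_stratum: int,
                      key: str, rng: random.Random) -> List[dict]:
    """Stratified random selection: group the items by `key` (for example
    expenditure type or a monetary range) and draw `per_stratum` random
    items from each group, guaranteeing at least one item per stratum."""
    strata = defaultdict(list)
    for item in items:
        strata[item[key]].append(item)
    selected = []
    for name in sorted(strata):          # deterministic stratum order
        group = strata[name]
        selected.extend(rng.sample(group, min(per_stratum, len(group))))
    return selected


def evaluate_control(results: Dict[int, bool],
                     acceptable_deviations: int) -> dict:
    """Tabulate test results (sampling unit -> control operated correctly?)
    and apply the planning-stage rule: the control is considered to have
    failed when the deviations found exceed the acceptable number."""
    deviations = sorted(unit for unit, ok in results.items() if not ok)
    return {
        "tested": len(results),
        "deviations": deviations,            # units to retrieve for follow-up
        "control_effective": len(deviations) <= acceptable_deviations,
    }


# Constructed expenditure items for the stratified example (hypothetical).
EXPENDITURE_ITEMS = [
    {"id": i, "type": t, "amount": a}
    for i, (t, a) in enumerate([
        ("travel", 120), ("travel", 340), ("utilities", 900),
        ("utilities", 1500), ("consulting", 4000), ("travel", 75),
    ], start=1)
]

if __name__ == "__main__":
    print(fixed_interval_sample(30000, 200, 50)[:5])
    print(cell_sample(30000, 200, random.Random(1))[:5])
    print(stratified_sample(EXPENDITURE_ITEMS, 1, "type", random.Random(1)))
    print(evaluate_control({50: True, 200: False, 350: True, 500: False}, 2))
```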
It is important that the audit team can demonstrate that they followed good
practice in arriving at their conclusions concerning the reliability of the
controls, and that they can show the data on which the conclusions are based.
Therefore the audit file must be updated with a complete description of the
procedures used for sampling and testing as well as the results and draft
recommendations.
Working paper 1013, which originates in the planning phase, is also used to
capture the results of each test when the tests are performed in Phase 2,
Fieldwork. In this phase we add information about the actual units included in
the sample, the results of the test, the causes of any failures and the impact on
the organization; this leads to the auditor's development of conclusions and
preliminary recommendations.
Each working paper should be initialed and dated by the auditor who
conducted the test procedure, and verified, signed and dated by the Audit
Team Leader.
Note that the Audit Resource Planning & Tracking Form (Working Paper 1015)
should be completed for the Fieldwork tasks by the Audit Team Leader to track
how much time was actually used compared with the plan, and to record any
variance.
Examples of typical evidence for different types of audit are given below. How
much and what type of audit evidence should be gathered and recorded in the
Current File is a matter for the auditors’ judgment and case by case decisions
by the audit team leader.
Financial audit
In general, working papers for an audit should document all aspects of the
audit process.
A flowchart depicting the elements and actors in the process and the
information flow (documents, databases, reports, decisions);
A table associating risks and related controls with the elements in the
process (based on risk assessment and procedure manuals);
Selected tests of the controls;
Notes of interviews with key staff involved in the process;
Analyses of the organizational structure, roles and responsibilities, and
the segregation of duties in the process vis-à-vis other related
processes (e.g. procurement versus payment); and
The legal basis that provides a sufficient and proper mandate for those
involved in the process.
The Audit Team leader will have maintained open channels of communication
with the Head of the PSE or process being reviewed to keep them informed of
the audit progress and any significant findings during the fieldwork phase. The
Reporting phase follows completion of the fieldwork and formalizes the
submission of findings to the Head of the PSE in a Draft Audit Report. The Head
of the PSE’s responses are incorporated into the Final Audit Report.
The first reporting working paper, number 3001, is used by the Audit Team
Leader to provide a link between the results of the audit tests that were
performed during Fieldwork and the contents of the Draft Audit Report.
The Audit Team Leader records, for each test conducted during the fieldwork
(referenced to the relevant working paper), whether the test revealed a
negative finding and led to a recommendation for improvement (indicated by a
simple Yes or No response). For each test where there was a negative
conclusion, the Audit Team leader should also indicate whether that conclusion
and the related recommendation have been carried into the Draft Audit
Report.
In general, the Audit Report should focus on significant findings that suggest
systemic problems that expose the organization to a risk. Individual errors, if
they are not symptomatic of a systemic weakness generally are not included in
the report. Again, the Audit Team leader indicates with a Yes or No response
whether the finding and recommendation has been carried into the Draft Audit
Report. The Audit Team leader must justify any instance where s/he has
decided not to include a finding in the report.
When the internal auditors find an error or problem they should follow these
steps:
Analyze the error to see if it is the result of a systemic failure;
Understand the root cause of the error;
If there is no preventive control to stop a similar error from recurring,
it can be concluded that the error might be systemic and the audit risk
increases - to mitigate the increased audit risk, the sample size should
be increased accordingly (to be decided by audit team leader); and
Classifying findings
Internal auditors must be able to defend the seriousness with which they
regard a finding. While analysing the finding, the auditor should answer the
following:
Once the issue is fully understood, the audit team should consider:
Should corrective action be taken?
Is it an isolated incident?
Will existing controls usually preclude the problem?
Are there any mitigating controls in place?
Do existing instructions need to be clarified or amplified?
Is it a control weakness?
Is a systems change needed?
Has a cost-benefit analysis been undertaken?
The audit team should ensure that supporting evidence for identified findings is
carefully assembled to provide:
The auditor should work with the management team of the organization to
ensure the best solution to the issue is recommended. When documenting the
findings, auditors must carefully consider how they will look in the final audit
report. A well-documented finding will make it unnecessary to write two
separate findings - one for the working papers and, later, one for the audit
report.
Reviewing all the findings in the working paper for relevance and to
ensure they are supported by sufficient evidence that is documented
in the working papers;
Ensuring the working papers are cross referenced to the draft report
(preferably using red annotations if done on paper format, or using
Track Changes if using electronic format); and
Ensuring all findings in the draft report are referenced back to the
working papers (using the same technique as described above).
Any discrepancies found must be discussed with the team and corrected, i.e.
unjustified issues should be deleted from the report, and issues noted in the
working papers but not reported must be added.
The auditor should not rely on verbal reporting and must ensure all relevant
material issues are included in the written reports.
The Audit Team Leader should prepare the Draft Audit Report based on the
work that has been documented in the working papers. This report confirms
the objectives and scope of the audit, presents the findings, and most
importantly, presents the audit team’s conclusions and recommendations for
improvement. The sample Draft Audit Report template provides guidance as to
the content of the report. It is important that the report is written clearly and
crisply so that the reader can quickly grasp what the audit team discovered and
what remedial actions are required.
At the draft stage, the purpose of the report is to provide the Head of the PSE
with a formal statement of findings and recommendations so that the Head of
the PSE can consider them and decide whether to accept the
recommendations, suggest an alternative remedy or reject the
recommendation. Until the Head of the PSE has responded, there can be no
Action Plan component, so this element of the report template is left blank at
this stage.
Although the format and content of the audit communication would vary by
organisation and the type of audit, the following general format is suggested:
EXECUTIVE SUMMARY
The executive summary should present an overview of the objectives and
scope of the audit, and the main findings, conclusions and recommendations
which identify the main areas to be addressed by the auditee.
The following table outlines the four potential audit ratings that can be given,
together with descriptions of the associated level of concern for consideration
by the Head of the PSE and the Audit Committee:
Assessment: 1 – Adequate
Description: No significant findings. An appropriate control framework is in
place given the risks of the area of activities.
Level of Concern: None or limited
1. INTRODUCTION
The Introduction may include background information such as identifying the
organisational units and activities reviewed and provide relevant explanatory
information.
The nature and extent of audit work performed also should be described.
3. RESULTS
Results should include findings, conclusions, recommendations, and action
plan.
3.1. FINDINGS
Findings are statements of fact. Only those findings that are necessary to
support or prevent misunderstanding of the internal auditor’s conclusions and
recommendations should be included in the final audit communications. Less
significant observations or recommendations may be communicated verbally
or in memoranda to management.
3.2. CONCLUSIONS
Conclusions are the internal auditor’s evaluations of the effects of the findings
on the activities reviewed. Conclusions should be clearly identified as such.
3.3. RECOMMENDATIONS
Recommendations are based on the internal auditor's findings and
conclusions. They call on management to act to correct existing conditions or
improve operations.
Classifying findings
The internal auditor should try to obtain agreement with management on the
results of the audit and on a plan of action to improve operations, as needed.
Management responses should include specific actions to be taken, the
person(s) responsible for the corrective action, a timetable for completion and
expected results.
If the internal auditor and the management do not agree on the audit results,
the communications may state both positions and the reasons for the
disagreement. Management’s written comments may be included as an
appendix to the audit report.
The Draft Audit Report should be signed by the Audit Team Leader and formally
presented, with a transmittal letter, to the Head of the PSE being reviewed,
copy to the Director of the IAU, for their review and approval. The transmittal
letter should explain the purpose of the Draft Audit Report and outline the
response that the audit team is expecting. A date by which the response is
required should also be indicated.
The "Findings for the Audit Report" form tracks, in a tabular format, how each of
the findings presented in the Draft Audit Report has been dealt with. The
findings are presented in groups that represent their importance (as they
should have been in the Draft Audit Report), and the form tracks for each finding
what recommendations the audit report provided to the Head of the PSE, the
Head of the PSE's response to the recommendation, and finally, an action item
for the audit team to follow up the Head of the PSE's response at a later date.
This working paper tracks the Head of the PSE’s responses to the Draft Audit
Report and is included as an Annex to the Final Audit Report. Use: TEMPLATE
No 22 – Findings for the Audit Report (WP 3002)
During meetings with the Head of the PSE to follow up the Draft Audit Report,
the Audit Team Leader will ask the Head of the PSE to submit an Action Plan for
implementing the recommendations that have been agreed. The Head of the
PSE should be asked to present the Action Plan in a form similar to the
suggested format shown in Working Paper 3003, Management’s Action Plan.
The Action Plan should be signed by the official who will be responsible for
implementing the recommendations. It provides the record of what actions the
Head of the PSE has committed to, and the basis against which the audit team
can subsequently review progress. Use: TEMPLATE No 23 – Management
Action Plan (WP 3003)
Following meetings with the Head of the PSE to discuss the findings and
recommendations and to agree upon management’s Action Plan, the Audit
Team Leader can finalise the Audit Report, appending working papers 3002 and
3003 as annexes. Use: TEMPLATE No 24 – Distribution sheet (WP 3004)
Tense:
When describing the internal audit work performed, the past tense
should be used. For example:
Standard practices: (table of standard reporting timescales; only the fragments
"10 working days/2 weeks", "1 week", "closing meeting" and "2 weeks" survive)
The main purpose of the Audit Report is to inform the Head of the Public Sector
Entity/the Auditee of the results of the audit to:
Give an assessment of the condition of the audited process by
expressing an independent and objective opinion on the effectiveness
of control procedures concerning lawfulness, financial management
and transparency; and
Provide recommendations for improving the financial management
and control systems to remedy any errors, weaknesses and
irregularities identified by the audit.
draft report shall be finalized and sent to the Head of the PSE
highlighting that they agree with the recommendations.
Once all responses have been obtained, the report must be reviewed
by the Audit Team Leader; and
Any factual errors noted by the Head of the PSE should be corrected,
and statements that lacked sufficient supporting evidence in the draft
report should be deleted. However, the internal audit team should
stick with its findings and recommendations where there is sufficient
evidence and analysis, and should not allow themselves to be
pressured by the Head of the PSE into releasing an inappropriate audit
report.
Other reports
In addition to the individual audit reports, the IAU should also report quarterly
to Head of the Public Sector Entity to summarise new findings made during the
quarter and the status of findings from previous quarters/periods to facilitate
monitoring of critical findings and their corrective actions. The follow-up
database should be used to assist in preparing these interim reports.
Annual report
The annual activity report describes not only the work done, but also explains
how the internal audit unit itself has developed. It is advisable to agree the
internal audit objectives at the beginning of the year: the annual activity report
should then demonstrate to what extent these objectives have been achieved.
Measurable indicators should be agreed beforehand and then reported on.
The Charter of each Internal Audit Unit sets out the timing and the
different types of reports that the Internal Audit Unit has to present to the
Head of the Public Sector Entity.
CHAPTER 5: FOLLOW-UP PROCEDURES FOR DETAILS
5.1. THE CLOSING MEETING
It is important to maintain good communication with the Head of the PSE, the
audited organisation or activity. Good communication ensures the
effectiveness of the audit process. The presentation of the draft audit report
and an outline of its recommendations are key aspects of such communication.
The closing meeting is designed to give a final overview of the audit issues and
recommendations and emphasise the need for urgent action on the part of the
Head of the PSE to reduce the level of identified risks. The Audit Team Leader
should explain to the Head of the PSE the importance of each recommendation
and the consequences for the organisation of a failure to fulfil it.
The closing meeting is not the time to discuss new issues that have not
previously been identified and discussed with the personnel affected by the
issue.
The entire audit team and the Audit Team Leader should be present at the
closing meeting. The Head of the PSE can be asked to begin compiling their
responses at this time, but is not required to submit responses until a copy
of the draft report has been received.
The Head of the PSE should be informed that the goal of the Internal Audit Unit
is to issue the Final Report within three weeks of the draft report date. This
means that responses should be received within two weeks leaving time to
answer any questions or resolve any disputes.
The Head of the PSE should be informed that their responses should identify:
Specific actions to be taken;
The individuals responsible for implementing the corrective action;
and
A timetable for completion.
In addition they should be informed that, if they don’t accept the audit
recommendations, their objections should be substantiated and evidence
attached to support them.
It should be emphasised at the closing meeting that the internal audit team will
assume that responses submitted by the Head of the PSE have been approved
by the appropriate levels within the entity.
The Audit Completion Checklist provides a means of ensuring that all important
matters and audit components have been satisfactorily considered and
evidenced in the working papers. It also serves to record the participation of
the Audit Team Leader and IAU Director.
CHAPTER 6: FOLLOW-UP PROCEDURES AND QUARTERLY STATUS REPORTS
Internal audit does not end with preparation of the final audit report or the
discussion of the recommendations and submission of the action plan by the
audited organization. It is also necessary for the Director of the IAU and Audit
The Director of the Internal Audit Unit is responsible for ensuring that a process
is in place to monitor that control deficiencies noted in the audit reports have
been addressed.
The planning of the follow-up and the way it is implemented depends on the
following factors:
The importance of the audited process and the weaknesses
discovered;
The cost and effort associated with improving the audited process;
The risk of an adverse event occurring if remedial measures aren’t
taken;
The scope of the remedial action to ensure that all related
organisational units implement necessary improvements; and
The time-frame for implementing changes.
There may be instances where the Director of the IAU judges that the Head
of the PSE's oral or written responses show that actions already taken are
insufficient when weighed against the relative importance of the finding. On
such occasions, a follow-up audit may be performed as a part of the next audit
engagement.
The Annual Internal Audit Plan should include tasks for monitoring the
fulfilment of recommendations given in previous audits. The timing of the
follow-up audit should be aligned with the schedule for implementing the
recommendations from the previous year’s audit reports.
The follow-up audit comprises the same planning, performance, and reporting
procedures as a regular audit, with the addition of some special procedures, as
follows:
Review the audit findings in the previous report to determine the
scope of the follow-up audit;
Design appropriate audit tests and procedures to evaluate the
corrective action;
Conduct the audit fieldwork and document the results of the audit
work performed;
Verify implementation due dates and revise if necessary; and
Issue a follow-up audit report.
If it is determined that the Head of the Public Entity did not take action to
correct weaknesses and fulfil the recommendations given, the internal auditors
will reflect this in the annual report and communicate it to the superior of the
person or organisation that is responsible. The internal auditors have to analyse
the consequences of non-performance and make an additional risk assessment
as a result of the failure to undertake remedial action. Where high risk is
detected, the internal auditors will plan another audit of the same activity or
process in the following year.
It is the responsibility of the Director of the Internal Audit Unit to ensure all
follow-up items are entered into a "follow-up database". The job itself may be
delegated to junior members of the IAU. The Director of the Internal Audit Unit
is also responsible for updating the database when a follow-up item is
completed.
As you are aware, the Internal Audit Unit is responsible for monitoring the
status of all unresolved internal audit issues on an ongoing basis. As part
of our monitoring, we provide quarterly reports to all department heads
of both their issues that are scheduled for resolution during the current
quarter, as well as those issues that are considered "late" (i.e., any issue
that has a "revised" date which is greater than the "promised" date).
Attached is a report relating to the status of internal audit issues relating
to your department.
a) During the first month of each quarter, the Internal Audit Unit will
send Informative Letters (using the Late Issues Report template) to each
responsible individual within your organisation of all outstanding issues
that they have committed to resolve (late issues, issues due during the
current quarter, and issues due in future quarters). This notification is for
information only and does not require a response back to the IAU.
b) During the first week of the last month of each quarter, the IAU will
send a written request (using the Late Issues Report template) to each
responsible individual within your organisation requesting them to
provide us with a written status of all of their audit issues that are
scheduled for resolution during the current quarter, as well as previously
reported late issues.
c) The IAU determines that issues are late (i.e., not resolved as of the end
of the quarter) based upon the completed templates received. Failure to
respond to our written request will cause us to consider the issues to be
late.
d) The IAU communicates all late issues in a Late Issue Report to the
head of the organisation.
Each quarter, the Director of the Internal Audit Unit meets with the Audit
Committee to discuss progress to date against the approved audit plan,
significant issues noted during the quarter from the audits completed, the
status of outstanding and late recommendations, and other items of interest.
The Director of the Internal Audit Unit is responsible for submitting a quarterly
status report to the Audit Committee and to the Head of the Public Sector
Entity. The purpose of the status report is to keep the Audit Committee and the
Head of the PSE informed of status of all audit work. Use: TEMPLATE No 30 -
Quarterly Status Report (WP 4006)
The organisation and documenting of the audit work are carried out through
the use of two types of dossiers - the current and permanent audit files.
The purpose of the permanent audit file is to provide auditors with a source of
background information about the organisations or processes being audited
thus allowing them to obtain a greater understanding of their systems and
activities. The permanent audit file should be updated each year and will thus
provide the auditor with the most updated information available.
The current file should include all the documents prepared during the planning,
fieldwork, reporting and follow-up phases.
CHAPTER 7: SUPERVISION
7.1. SUPERVISION AREAS AND ACTIVITIES BY DIRECTOR OF IAU
The Director of the Internal Audit Unit is responsible for assuring that internal
audit assignments are properly supervised.
Supervision includes:
The Director of the Internal Audit Unit is ultimately responsible for all
significant professional judgments made in the planning, field work, reporting,
and follow-up phases of the assignment. The Director of the Internal Audit Unit
should therefore adopt suitable means to ensure that this responsibility is met.
All working papers should be reviewed to ensure that they properly support
the audit conclusions and that all necessary audit procedures have been
performed. The reviewer should initial and date each working paper after it is
reviewed. Reviewers may make a written record of questions arising from the
review process. When clearing review notes, care should be taken to ensure
that the working papers provide adequate evidence that questions raised
during the review have been resolved.
Discard the review notes after the questions raised have been
resolved and the appropriate engagement working papers have been
amended to provide the additional information requested.
Any missing work must be properly completed before the audit can be
considered complete.
The completed survey forms are sent back to the Internal Audit Unit, where
they are summarised and the results provided to the Director of the Internal
Audit Unit. A summary of the results of these “Audit Feedback Survey Forms”
should be included in or appended to the Annual Internal Audit Activity Report.
The “Audit Feedback Survey Form” should be sent to respondents with the final
report.
Use: TEMPLATE No 27 - Audit Feedback Survey - COVER LETTER (WP 4003)
and TEMPLATE No 28 - Audit Feedback Survey - FORM (WP 4004)