
ABC Company

Internal Audit Manual

Internal Audit Manual Page 1


TABLE OF CONTENTS

CHARTER
INTRODUCTION
ORGANISATION AND BOARD REPORTING
AUTHORISATION AND RESPONSIBILITIES
REPORTING RESPONSIBILITIES
MISSION OBJECTIVE
STANDARDS AND ETHICS
MISSION STATEMENT/OBJECTIVES/VALUES
MISSION STATEMENT
VALUES
GENERALLY ACCEPTED AUDITING STANDARDS
100 INDEPENDENCE
110 ORGANISATIONAL STATUS
120 OBJECTIVITY
200 PROFESSIONAL PROFICIENCY
210 STAFFING
220 KNOWLEDGE, SKILLS, AND DISCIPLINES
230 SUPERVISION
240 COMPLIANCE WITH STANDARDS OF CONDUCT
250 KNOWLEDGE, SKILLS, AND DISCIPLINES
260 HUMAN RELATIONS AND COMMUNICATIONS
270 CONTINUING EDUCATION
280 DUE PROFESSIONAL CARE
300 SCOPE OF WORK
310 RELIABILITY AND INTEGRITY OF INFORMATION
320 COMPLIANCE WITH POLICIES, PLANS, PROCEDURES, LAWS, AND REGULATIONS
330 SAFEGUARDING OF ASSETS
340 ECONOMICAL AND EFFICIENT USE OF RESOURCES
350 ACCOMPLISHMENT OF ESTABLISHED OBJECTIVES AND GOALS FOR OPERATIONS OR PROGRAMS
400 PERFORMANCE OF AUDIT WORK
410 PLANNING THE AUDIT
420 EXAMINING AND EVALUATING INFORMATION
430 COMMUNICATING RESULTS
440 FOLLOWING UP
500 MANAGEMENT OF THE INTERNAL AUDITING DEPARTMENT
510 PURPOSE, AUTHORITY, AND RESPONSIBILITY
520 PLANNING
530 POLICIES AND PROCEDURES
540 PERSONNEL MANAGEMENT AND DEVELOPMENT
550 EXTERNAL AUDITORS
560 QUALITY ASSURANCE
CODE OF ETHICS
STANDARDS OF CONDUCT
INDEPENDENCE/OBJECTIVITY/CONFIDENTIALITY/CONDUCT
INDEPENDENCE/OBJECTIVITY
CONFIDENTIALITY
CONDUCT
AUDIT PROCESS
PLANNING
PLANNING THE DETAILED AUDIT
AUDIT PROGRAM
FIELDWORK
STATING FINDINGS/CONCLUSIONS
QUALITY ASSURANCE
GENERAL STANDARDS FOR WORKING PAPERS
GENERAL STANDARDS - REPORT(S)
REPORTING AND FOLLOW-UP
CONFIDENTIALITY - REPORTS
EXIT CONFERENCE
CLOSING OF THE AUDIT
PERSONNEL
JOB DESCRIPTION: DIRECTOR OF AUDIT
JOB DESCRIPTION: ASSOCIATE DIRECTOR OF INTERNAL AUDIT
JOB DESCRIPTION: INFORMATION SYSTEMS AUDIT MANAGER
JOB DESCRIPTION: AUDIT MANAGER
JOB DESCRIPTION: INFORMATION SYSTEMS AUDITOR
JOB DESCRIPTION: AUDITOR
PERFORMANCE EVALUATION
TRAINING AND PERSONAL DEVELOPMENT
ADMINISTRATIVE PROCEDURES
MANAGEMENT OF AUDIT RESOURCES
STANDARD ELECTRONIC TOOLS
MISCELLANEOUS POLICIES
APPENDIX A – Audit Announcement Letter
APPENDIX B – Audit Feedback Questionnaire Form
APPENDIX C – Internal Audit Glossary



General Definition of Internal Audit
Internal Audit is a central administrative unit of ABC Company. Internal Audit reports
operationally to the Vice President Finance with dotted line representation to the ABC
Company Board of Directors. Internal Audit's coverage and service extends to all company
entities. Internal Audit is also a control which functions by examining and evaluating the
adequacy and effectiveness of other controls throughout ABC Company for managers, the
Board of Directors, and external auditors. Finally, Internal Audit provides assistance to the
external auditors in their performance of the annual audits of ABC Company financial
statements.
CHARTER
INTRODUCTION
ABC Company supports Internal Audit as an independent appraisal function to examine and
evaluate ABC Company activities as a service to management and to the Board of Directors.
The mission of Internal Audit is to support managers of ABC Company in the effective
discharge of their responsibilities. To this end, Internal Audit will furnish them with analyses,
recommendations, counsel, and information concerning the activities examined.
ORGANISATION AND BOARD REPORTING
The Director of Internal Audit shall report to the Vice President Finance with dotted line
reporting to the Audit Committee. The Audit Committee shall have final approval of the
hiring, firing, and salary changes for the Director of Internal Audit.
Annually, the Director of Internal Audit shall submit to the Board of Directors a written report
on the internal audit activity during the preceding fiscal year. The Director shall also make an
oral report to the Audit Committee.
The Director of Internal Audit shall make a written report to the Audit Committee whenever
there is evidence of defalcations or other problems exceeding €25,000. In addition, if the
circumstances ever warrant such action, the Director of Internal Audit may circumvent normal
ABC Company reporting lines and communicate directly with the Audit Committee.
AUTHORISATION AND RESPONSIBILITIES
Internal Audit has the authority to audit all parts of ABC Company and shall have full and
complete access to any of the organisation's records, physical properties, and personnel
relevant to the performance of an audit. Documents and information given to internal auditors
during a periodic review will be handled in the same prudent manner as by those employees
normally accountable for them.
Internal Audit shall have no direct responsibility or authority for any of the activities or
operations they review. They should not develop and install procedures, prepare records, or
engage in activities that would normally be reviewed by internal auditors. Furthermore, an
internal audit does not in any way relieve other persons in ABC Company of the
responsibilities assigned to them.
REPORTING RESPONSIBILITIES
A written report shall be prepared and issued by the Director of Internal Audit at the
conclusion of every audit. Copies of the report shall be distributed as appropriate. The
manager of the entity receiving the report shall respond within thirty days and forward a copy
of the response to those included on the distribution list. The response shall indicate what
actions were taken regarding specific report findings and recommendations.
The manager receiving the report is responsible for ensuring that progress is made toward
correcting any unsatisfactory conditions. Internal Audit is responsible for determining whether
the action taken is adequate to resolve audit findings. If the action is not adequate, Internal
Audit shall inform ABC Company management of the potential risk and exposure in allowing
the unsatisfactory conditions to continue.
MISSION OBJECTIVE
Internal Audit's objectives in accomplishing its mission shall include the following:
• Determine the accuracy and propriety of financial transactions
• Evaluate financial and operational procedures for adequacy of internal controls and
provide advice and guidance on control aspects of new policies, systems, processes,
and procedures
• Verify the existence of ABC Company assets and ensure that proper safeguards are
maintained to protect them from loss
• Determine the level of compliance with ABC Company policies and procedures, and
laws and regulations
• Evaluate the accuracy, effectiveness, and efficiency of ABC Company's electronic
information and processing systems
• Determine the effectiveness and efficiency of the audited entities in accomplishing
their mission and identify operational opportunities for cost savings and revenue
enhancements
• Coordinate audit efforts with, and provide assistance to, the external auditors
• Investigate fiscal misconduct
STANDARDS AND ETHICS
In all of its activities, Internal Audit will adhere to Generally Accepted Auditing Standards
and the Code of Ethics adopted by the Institute of Internal Auditors.

MISSION STATEMENT/OBJECTIVES/VALUES
MISSION STATEMENT
Internal Audit exists to support the Board of Directors in the effective discharge of their
responsibilities. Using our knowledge and professional judgement, we will provide an
independent appraisal of ABC Company's financial, operational, and control activities. We
will report on the adequacy of internal controls, the accuracy and propriety of transactions, the
extent to which assets are accounted for and safeguarded, and the level of compliance with
company policies and government laws and regulations. Additionally, we will provide
analyses, recommendations, counsel, and information concerning the activities reviewed.
OUR OBJECTIVES IN ACCOMPLISHING OUR MISSION INCLUDE THE FOLLOWING:

• Determine the accuracy and propriety of financial transactions


• Evaluate financial and operational procedures for adequacy of internal controls and
provide advice and guidance on control aspects of new policies, systems, processes,
and procedures



• Verify the existence of ABC Company assets and ensure that proper safeguards are
maintained to protect them from loss
• Determine the level of compliance with ABC Company policies and procedures, laws
and regulations
• Evaluate the accuracy, effectiveness, and efficiency of ABC Company's electronic
information and processing systems
• Determine the effectiveness and efficiency of audited entities in accomplishing their
mission and identify operational opportunities for cost savings and revenue
enhancements
• Provide assistance and a coordinated audit effort with the external auditors
• Investigate fiscal misconduct
VALUES
In carrying out our mission, we share certain beliefs and values.
• Our primary focus is to provide excellent service to ABC Company. Our examinations
shall be performed in accordance with applicable Generally Accepted Auditing
Standards.
• We are committed to the highest degree of fairness, integrity, and ethical conduct in
the performance of our mission. We will adhere to the Code of Ethics as established by
the Institute of Internal Auditors. Furthermore, we will not issue a report without first
allowing the recipient the opportunity to review, challenge, question, and respond to
our findings and conclusions.
• Our relationships with ABC Company employees will be characterised by respect,
helpfulness, sharing, patience, and openness.
• We are committed to maintaining our professionalism as internal auditors through
continuance of our education and training.
• Although we are a part of ABC Company, we are committed to maintaining our
independence in defining the scope and objectives of our examinations.
GENERALLY ACCEPTED AUDITING STANDARDS
100 INDEPENDENCE
Internal auditors should be independent of the activities they audit.
• Internal auditors are independent when they can carry out their work freely and
objectively. Independence permits internal auditors to render the impartial and
unbiased judgments essential to the proper conduct of audits. It is achieved through
organisational status and objectivity.
110 ORGANISATIONAL STATUS
The organisational status of the internal auditing department should be sufficient to permit the
accomplishment of its audit responsibilities.
• Internal auditors should have the support of management and of the board of directors
so that they can gain the cooperation of audited entities and perform their work free
from interference.
1. The director of the internal auditing department should be responsible to an
individual in the organisation with sufficient authority to promote
independence and to ensure broad audit coverage, adequate consideration of
audit reports, and appropriate action on audit recommendations.
2. The director should have direct communication with the board. Regular
communication with the board helps assure independence and provides a
means for the board and the director to keep each other informed on matters of
mutual interest.
3. Independence is enhanced when the board concurs in the appointment or
removal of the director of the internal auditing department.
4. The purpose, authority, and responsibility of the internal auditing department
should be defined in a formal written document (charter). The director should
seek approval of the charter by management as well as acceptance by the
board. The charter should (a) establish the department's position within the
organisation; (b) authorise access to records, personnel, and physical properties
relevant to the performance of audits; and (c) define the scope of internal
auditing activities.
5. The director of internal auditing should submit annually to management for
approval and to the board for its information a summary of the department's
audit work schedule, staffing plan, and financial budget. The director should
also submit all significant interim changes for approval and information. Audit
work schedules, staffing plans, and financial budgets should inform
management and the board of the scope of internal auditing work and of any
limitations placed on that scope.
6. The director of internal auditing should submit activity reports to management
and to the board annually or more frequently as necessary. Activity reports
should highlight significant audit findings and recommendations and should
inform management and the board of any significant deviations from approved
audit work schedules, staffing plans, and financial budgets, and the reasons for
them.
120 OBJECTIVITY
Internal auditors should be objective in performing audits.
• Objectivity is an independent mental attitude which internal auditors should maintain
in performing audits. Internal auditors are not to subordinate their judgment on audit
matters to that of others.
• Objectivity requires internal auditors to perform audits in such a manner that they have
an honest belief in their work product and that no significant quality compromises are
made. Internal auditors are not to be placed in situations in which they feel unable to
make objective professional judgments.
1. Staff assignments should be made so that potential and actual conflicts of
interest and bias are avoided. The director should periodically obtain from the
audit staff information concerning potential conflicts of interest and bias.
2. Internal auditors should report to the director any situations in which a conflict
of interest or bias is present or may reasonably be inferred. The director should
then reassign such auditors.
3. Staff assignments of internal auditors should be rotated periodically whenever
it is practicable to do so.



4. Internal auditors should not assume operating responsibilities. But if on
occasion management directs internal auditors to perform non-audit work, it
should be understood that they are not functioning as internal auditors.
Moreover, objectivity is presumed to be impaired when internal auditors audit
any activity for which they had authority or responsibility. This impairment
should be considered when reporting audit results.
5. Persons transferred to or temporarily engaged by the internal auditing
department should not be assigned to audit those activities they previously
performed until a reasonable period of time has elapsed. Such assignments are
presumed to impair objectivity and should be considered when supervising the
audit work and reporting audit results.
6. The results of internal auditing work should be reviewed before the related
audit report is released to provide reasonable assurance that the work was
performed objectively.
• The internal auditor's objectivity is not adversely affected when the auditor
recommends standards of control for systems or reviews procedures before they are
implemented. Designing, installing, and operating systems are not audit functions.
Also, the drafting of procedures for systems is not an audit function. Performing such
activities is presumed to impair audit objectivity.
200 PROFESSIONAL PROFICIENCY
Internal audits should be performed with proficiency and due professional care.
• Professional proficiency is the responsibility of the internal auditing department and
each internal auditor. The department should assign to each audit those persons who
collectively possess the necessary knowledge, skills, and disciplines to conduct the
audit properly.
210 STAFFING
The internal auditing department should provide assurance that the technical proficiency and
educational background of internal auditors are appropriate for the audits to be performed.
• The director of internal auditing should establish suitable criteria of education and
experience for filling internal auditing positions, giving due consideration to scope of
work and level of responsibility.
• Reasonable assurance should be obtained as to each prospective auditor's
qualifications and proficiency.
220 KNOWLEDGE, SKILLS, AND DISCIPLINES
The internal auditing department should possess or should obtain the knowledge, skills, and
disciplines needed to carry out its audit responsibilities.
• The internal auditing staff should collectively possess the knowledge and skills
essential to the practice of the profession within the organisation. These attributes
include proficiency in applying internal auditing standards, procedures, and
techniques.
• The internal auditing department should have employees or use consultants who are
qualified in such disciplines as accounting, economics, finance, statistics, electronic
data processing, engineering, taxation, and law as needed to meet audit
responsibilities. Each member of the department, however, need not be qualified in all
of these disciplines.



230 SUPERVISION
The internal auditing department should provide assurance that internal audits are properly
supervised.
• The director of internal auditing is responsible for providing appropriate audit
supervision. Supervision is a continuing process, beginning with planning and ending
with the conclusion of the audit assignment.
• Supervision includes:
1. Providing suitable instructions to subordinates at the outset of the audit and
approving the audit program.
2. Seeing that the approved audit program is carried out unless deviations are
both justified and authorised.
3. Determining that audit working papers adequately support the audit findings,
conclusions, and reports.
4. Making sure that audit reports are accurate, objective, clear, concise,
constructive, and timely.
5. Determining that audit objectives are being met.
• Appropriate evidence of supervision should be documented and retained.
• The extent of supervision required will depend on the proficiency of the internal
auditors and the difficulty of the audit assignment.
• All internal auditing assignments, whether performed by or for the internal auditing
department, remain the responsibility of its director.
240 COMPLIANCE WITH STANDARDS OF CONDUCT
Internal auditors should comply with professional standards of conduct.
• The Code of Ethics of The Institute of Internal Auditors sets forth standards of conduct
and provides a basis for enforcement among its members. The Code calls for high
standards of honesty, objectivity, diligence, and loyalty to which internal auditors
should conform.
250 KNOWLEDGE, SKILLS, AND DISCIPLINES
Internal auditors should possess the knowledge, skills, and disciplines essential to the
performance of internal audits.
• Each internal auditor should possess certain knowledge and skills as follows:
1. Proficiency in applying internal auditing standards, procedures, and techniques
is required in performing internal audits. Proficiency means the ability to apply
knowledge to situations likely to be encountered and to deal with them without
extensive recourse to technical research and assistance.
2. Proficiency in accounting principles and techniques is required of auditors who
work extensively with financial records and reports.
3. An understanding of management principles is required to recognise and
evaluate the materiality and significance of deviations from good business
practice. An understanding means the ability to apply broad knowledge to
situations likely to be encountered, to recognise significant deviations, and to
be able to carry out the research necessary to arrive at reasonable solutions.



4. An appreciation is required of the fundamentals of such subjects as accounting,
economics, commercial law, taxation, finance, quantitative methods, and
computerised information systems. An appreciation means the ability to
recognise the existence of problems or potential problems and to determine the
further research to be undertaken or the assistance to be obtained.
260 HUMAN RELATIONS AND COMMUNICATIONS
Internal auditors should be skilled in dealing with people and in communicating effectively.
• Internal auditors should understand human relations and maintain satisfactory
relationships with audited entities.
• Internal auditors should be skilled in oral and written communications so that they can
clearly and effectively convey such matters as audit objectives, evaluations,
conclusions, and recommendations.
270 CONTINUING EDUCATION
Internal auditors should maintain their technical competence through continuing education.
• Internal auditors are responsible for continuing their education in order to maintain
their proficiency. They should keep informed about improvements and current
developments in internal auditing standards, procedures, and techniques. Continuing
education may be obtained through membership and participation in professional
societies; attendance at conferences, seminars, college courses, and in-house training
programs; and participation in research projects.
280 DUE PROFESSIONAL CARE
Internal auditors should exercise due professional care in performing internal audits.
• Due professional care calls for the application of the care and skill expected of a
reasonably prudent and competent internal auditor in the same or similar
circumstances. Professional care should, therefore, be appropriate to the complexities
of the audit being performed. In exercising due professional care, internal auditors
should be alert to the possibility of intentional wrongdoing, errors and omissions,
inefficiency, waste, ineffectiveness, and conflicts of interest. They should also be alert
to those conditions and activities where irregularities are most likely to occur. In
addition, they should identify inadequate controls and recommend improvements to
promote compliance with acceptable procedures and practices.
• Due care implies reasonable care and competence, not infallibility or extraordinary
performance. Due care requires the auditor to conduct examinations and verifications
to a reasonable extent, but does not require detailed audits of all transactions.
Accordingly, the internal auditor cannot give absolute assurance that non-compliance
or irregularities do not exist. Nevertheless, the possibility of material irregularities or
non-compliance should be considered whenever the internal auditor undertakes an
internal auditing assignment.
• When an internal auditor suspects wrongdoing, the appropriate authorities within the
organisation should be informed. The internal auditor may recommend whatever
investigation is considered necessary in the circumstances. Thereafter, the auditor
should follow up to see that the internal auditing department's responsibilities have
been met.
• Exercising due professional care means using reasonable audit skill and judgment in
performing the audit. To this end, the internal auditor should consider:



1. The extent of audit work needed to achieve audit objectives
2. The relative materiality or significance of matters to which audit procedures
are applied
3. The adequacy and effectiveness of internal controls
4. The cost of auditing in relation to potential benefits
5. Due professional care includes evaluating established operating standards and
determining whether those standards are acceptable and are being met. When
such standards are vague, authoritative interpretations should be sought. If
internal auditors are required to interpret or select operating standards, they
should seek agreement with audited entities as to the standards needed to
measure operating performance.
300 SCOPE OF WORK
The scope of the internal audit should encompass the examination and evaluation of the
adequacy and effectiveness of the organisation's system of internal control and the quality of
performance in carrying out assigned responsibilities.
• The scope of internal auditing work, as specified in this standard, encompasses what
audit work should be performed. It is recognised, however, that management and the
board of directors provide general direction as to the scope of work and the activities
to be audited.
• The purpose of the review for adequacy of the system of internal control is to ascertain
whether the system established provides reasonable assurance that the organisation's
objectives and goals will be met efficiently and economically.
• The purpose of the review for effectiveness of the system of internal control is to
ascertain whether the system is functioning as intended.
• The purpose of the review for quality of performance is to ascertain whether the
organisation's objectives and goals have been achieved.
• The primary objectives of internal control are to ensure:
1. The reliability and integrity of information.
2. Compliance with policies, plans, procedures, laws, and regulations.
3. The safeguarding of assets.
4. The economical and efficient use of resources.
5. The accomplishment of established objectives and goals for operations or
programs.
310 RELIABILITY AND INTEGRITY OF INFORMATION
Internal auditors should review the reliability and integrity of financial and operating
information and the means used to identify, measure, classify, and report such information.
• Information systems provide data for decision making, control, and compliance with
external requirements. Therefore, internal auditors should examine information
systems and, as appropriate, ascertain whether:
1. Financial and operating records and reports contain accurate, reliable, timely,
complete, and useful information.
2. Controls over record keeping and reporting are adequate and effective.



320 COMPLIANCE WITH POLICIES, PLANS, PROCEDURES, LAWS,
AND REGULATIONS
Internal auditors should review the systems established to ensure compliance with those
policies, plans, procedures, laws and regulations which could have a significant impact on
operations and reports, and should determine whether the organisation is in compliance.
• Management is responsible for establishing the systems designed to ensure
compliance with such requirements as policies, plans, procedures, and applicable laws
and regulations. Internal auditors are responsible for determining whether the systems
are adequate and effective and whether the activities audited are complying with the
appropriate requirements.
330 SAFEGUARDING OF ASSETS
Internal auditors should review the means of safeguarding assets and, as appropriate, verify
the existence of such assets.
• Internal auditors should review the means used to safeguard assets from various types
of losses such as those resulting from theft, fire, improper or illegal activities, and
exposure to the elements.
• Internal auditors, when verifying the existence of assets, should use appropriate audit
procedures.
340 ECONOMICAL AND EFFICIENT USE OF RESOURCES
Internal auditors should appraise the economy and efficiency with which resources are
employed.
• Management is responsible for setting operating standards to measure an activity's
economical and efficient use of resources. Internal auditors are responsible for
determining whether:
1. Operating standards have been established for measuring economy and
efficiency.
2. Established operating standards are understood and are being met.
3. Deviations from operating standards are identified, analysed, and
communicated to those responsible for corrective action.
4. Corrective action has been taken.
• Audits related to the economical and efficient use of resources should identify such
conditions as:
1. Underutilised facilities.
2. Non-productive work.
3. Procedures which are not cost justified.
4. Overstaffing or understaffing.
350 ACCOMPLISHMENT OF ESTABLISHED OBJECTIVES AND GOALS
FOR OPERATIONS OR PROGRAMS
Internal auditors should review operations or programs to ascertain whether results are
consistent with established objectives and goals and whether the operations or programs are
being carried out as planned.
• Management is responsible for establishing operating or program objectives and goals,
developing and implementing control procedures, and accomplishing desired
operating or program results. Internal auditors should ascertain whether such
objectives and goals conform to those of the organisation and whether they are being
met.
• Internal auditors can provide assistance to managers who are developing objectives,
goals, and systems by determining whether the underlying assumptions are
appropriate; whether accurate, current, and relevant information is being used; and
whether suitable controls have been incorporated into the operations or programs.
400 PERFORMANCE OF AUDIT WORK
Audit work should include planning the audit, examining and evaluating information,
communicating results and following up.
• The internal auditor is responsible for planning and conducting the audit assignment,
subject to supervisory review and approval.
410 PLANNING THE AUDIT
Internal auditors should plan each audit.
• Planning should be documented and should include:
1. Establishing audit objectives and scope of work.
2. Obtaining background information about the activities to be audited.
3. Determining the resources necessary to perform the audit.
4. Communicating with all who need to know about the audit.
5. Performing, as appropriate, an on-site survey to become familiar with the
activities and controls to be audited, to identify areas for audit emphasis, and to
invite audited entity comments and suggestions.
6. Writing the audit program.
7. Determining how, when, and to whom audit results will be communicated.
8. Obtaining approval of the audit work plan.
420 EXAMINING AND EVALUATING INFORMATION
Internal auditors should collect, analyse, interpret, and document information to support audit
results.
• The process of examining and evaluating information is as follows:
1. Information should be collected on all matters related to the audit objectives
and scope of work.
2. Information should be sufficient, competent, relevant, and useful to provide a
sound basis for audit findings and recommendations. Sufficient information is
factual, adequate, and convincing so that a prudent, informed person would
reach the same conclusions as the auditor. Competent information is reliable
and the best attainable through the use of appropriate audit techniques.
Relevant information supports audit findings and recommendations and is
consistent with the objectives for the audit. Useful information helps the
organisation meet its goals.
3. Audit procedures, including the testing and sampling techniques employed,
should be selected in advance, where practicable, and expanded or altered if
circumstances warrant.
4. The process of collecting, analysing, interpreting, and documenting
information should be supervised to provide reasonable assurance that the
auditor's objectivity is maintained and that audit goals are met.
5. Working papers that document the audit should be prepared by the auditor and
reviewed by management of the internal auditing department. These papers
should record the information obtained and the analyses made and should
support the bases for the findings and recommendations to be reported.
430 COMMUNICATING RESULTS
Internal auditors should report the results of their audit work.
• A signed, written report should be issued after the audit examination is completed.
Interim reports may be written or oral and may be transmitted formally or informally.
• The internal auditor should discuss conclusions and recommendations at appropriate
levels of management before issuing final written reports.
• Reports should be objective, clear, concise, constructive, and timely.
• Reports should present the purpose, scope, and results of the audit; and, where
appropriate, reports should contain an expression of the auditor's opinion.
• Reports may include recommendations for potential improvements and acknowledge
satisfactory performance and corrective action.
• The audited entity's views about audit conclusions or recommendations may be
included in the audit report.
• The director of internal auditing or designee should review and approve the final audit
report before issuance and should decide to whom the report will be distributed.
440 FOLLOWING UP
Internal auditors should follow up to ascertain that appropriate action is taken on reported
audit findings.
• Internal auditing should determine that corrective action was taken and is achieving
the desired results, or that management or the board has assumed the risk of not taking
corrective action on reported findings.
500 MANAGEMENT OF THE INTERNAL AUDITING DEPARTMENT
The director of internal auditing should properly manage the internal auditing department.
• The director of internal auditing is responsible for properly managing the department
so that:
1. Audit work fulfils the general purposes and responsibilities approved by
management and accepted by the board.
2. Resources of the internal auditing department are efficiently and effectively
employed.
3. Audit work conforms to Generally Accepted Auditing Standards.
510 PURPOSE, AUTHORITY, AND RESPONSIBILITY
The director of internal auditing should have a statement of purpose, authority, and
responsibility for the internal auditing department.
• The director of internal auditing is responsible for seeking the approval of management
and the acceptance by the board of a formal written document (charter) for the internal
auditing department.
520 PLANNING
The director of internal auditing should establish plans to carry out the responsibilities of the
internal auditing department.
• These plans should be consistent with the internal auditing department's charter and
with the goals of the organisation.
• The planning process involves establishing:
1. Goals.
2. Audit work schedules.
3. Staffing plans and financial budgets.
4. Activity reports.
• The goals of the internal auditing department should be capable of being accomplished
within specified operating plans and budgets and, to the extent possible, should be
measurable. They should be accompanied by measurement criteria and targeted dates
of accomplishment.
• Audit work schedules should include (a) what activities are to be audited; (b) when
they will be audited; and (c) the estimated time required, taking into account the scope
of the audit work planned and the nature and extent of audit work performed by others.
Matters to be considered in establishing audit work schedule priorities should include
(a) the date and results of the last audit; (b) financial exposure; (c) potential loss and
risk; (d) requests by management; (e) major changes in operations, programs, systems,
and controls; (f) opportunities to achieve operating benefits; and (g) changes to and
capabilities of the audit staff. The work schedules should be sufficiently flexible to
cover unanticipated demands on the internal auditing department.
• Staffing plans and financial budgets, including the number of auditors and the
knowledge, skills, and disciplines required to perform their work, should be
determined from audit work schedules, administrative activities, education and
training requirements, and audit research and development efforts.
• Activity reports should be submitted periodically to management and to the board.
These reports should compare (a) performance with the department's goals and audit
work schedules and (b) expenditures with financial budgets. They should explain the
reasons for major variances and indicate any action taken or needed.
530 POLICIES AND PROCEDURES
The director of internal auditing should provide written policies and procedures to guide the
audit staff.
• The form and content of written policies and procedures should be appropriate to the
size and structure of the internal auditing department and the complexity of its work.
Formal administrative and technical audit manuals may not be needed by all internal
auditing departments. A small internal auditing department may be managed
informally. Its audit staff may be directed and controlled through daily, close
supervision and written memoranda. In a large internal auditing department, more
formal and comprehensive policies and procedures are essential to guide the audit staff
in the consistent compliance with the department's standards of performance.
540 PERSONNEL MANAGEMENT AND DEVELOPMENT
The director of internal auditing should establish a program for selecting and developing the
human resources of the internal auditing department.
• The program should provide for:
1. Developing written job descriptions for each level of the audit staff.
2. Selecting qualified and competent individuals.
3. Training and providing continuing educational opportunities for each internal
auditor.
4. Appraising each internal auditor's performance at least annually.
5. Providing counsel to internal auditors on their performance and professional
development.
550 EXTERNAL AUDITORS
The director of internal auditing should coordinate internal and external audit efforts.
• The internal and external audit work should be coordinated to ensure adequate audit
coverage and to minimise duplicate efforts.
• Coordination of audit efforts involves:
1. Periodic meetings to discuss matters of mutual interest.
2. Access to each other's audit programs and working papers.
3. Exchange of audit reports and management letters.
4. Common understanding of audit techniques, methods, and terminology.
560 QUALITY ASSURANCE
The director of internal auditing should establish and maintain a quality assurance program to
evaluate the operations of the internal auditing department.
• The purpose of this program is to provide reasonable assurance that audit work
conforms to these Standards, the internal auditing department's charter, and other
applicable standards. A quality assurance program should include the following
elements:
1. Supervision.
2. Internal reviews.
3. External reviews.
• Supervision of the work of the internal auditors should be carried out continually to
assure conformance with internal auditing standards, departmental policies, and audit
programs.
• Internal reviews should be performed periodically by members of the internal auditing
staff to appraise the quality of the audit work performed. These reviews should be
performed in the same manner as any other internal audit.
• External reviews of the internal auditing department should be performed to appraise
the quality of the department's operations. These reviews should be performed by
qualified persons who are independent of the organisation and who do not have either
a real or an apparent conflict of interest. Such reviews should be conducted at least
once every three years. On completion of the review, a formal, written report should
be issued. The report should express an opinion as to the department's compliance with
the Generally Accepted Auditing Standards and, as appropriate, should include
recommendations for improvement.
CODE OF ETHICS
STANDARDS OF CONDUCT
1. Internal auditors shall exercise honesty, objectivity, and diligence in the performance
of their duties and responsibilities.
2. Internal auditors shall exhibit loyalty in all matters pertaining to the affairs of ABC
Company or to whomever they may be rendering a service. However, internal auditors
shall not knowingly be a party to any illegal or improper activity.
3. Internal auditors shall not knowingly engage in acts or activities which are
discreditable to the profession of internal auditing or to ABC Company.
4. Internal auditors shall refrain from entering into any activity which may be in conflict
with the interest of ABC Company or which would prejudice their ability to carry out
objectively their duties and responsibilities.
5. Internal auditors shall not accept anything of value from an employee, client,
customer, supplier, or business associate of ABC Company which would impair or be
presumed to impair their professional judgment.
6. Internal auditors shall undertake only those services which they can reasonably expect
to complete with professional competence.
7. Internal auditors shall adopt suitable means to comply with Generally Accepted
Auditing Standards.
8. Internal auditors shall be prudent in the use of information acquired in the course of
their duties. They shall not use confidential information for any personal gain nor in
any manner which would be contrary to law or detrimental to the welfare of ABC
Company.
9. Internal auditors, when reporting on the results of their work, shall reveal all material
facts known to them which, if not revealed, could either distort reports of operations
under review or conceal unlawful practices.
10. Internal auditors shall continually strive for improvement in their proficiency, and in
the effectiveness and quality of their service.
11. Internal auditors, in the practice of their profession, shall be ever mindful of their
obligation to maintain high standards of competence, morality and dignity.
INDEPENDENCE/OBJECTIVITY/CONFIDENTIALITY/CONDUCT
INDEPENDENCE/OBJECTIVITY
To be effective in performing audits the internal audit staff must be independent and objective
both in actuality and perception. We maintain our independence by our organisational position
(including reporting line to the Board) and our Board approved AUTHORISATION AND
RESPONSIBILITIES (see CHARTER).
In order to maintain objectivity, auditors shall immediately inform the Director of Auditing of
any factors that may be perceived as impairing their objectivity on an assigned audit. Also,
auditors will take great care to prevent even a perception of partiality by maintaining a
professional distance from the staff of an audited entity while performing an audit. Questions
concerning any relationships with audited entities or potential audited entities (i.e., preparing
tax returns, attending parties, etc.) should be brought to the attention of the Internal Audit
Department. Finally, auditors will not accept anything of value from an employee, supplier, or
business associate of ABC Company which would impair or be perceived to impair their
professional judgement or objectivity. Any gifts accepted will be immediately reported to the
Internal Audit Department.
CONFIDENTIALITY
Much of the information available to internal auditors is of a sensitive or confidential nature.
Auditors should be prudent in their use of information acquired in the course of their duties or
information which is available to them. They will not discuss any matters pertaining to the
audits performed by the departments in other than an official manner.
Auditors shall not use confidential information for any personal gain or in a manner which
would be detrimental to ABC Company or any employee of ABC Company. (See the Code of
Ethics).
Auditors will take adequate measures to prevent the unauthorised release of confidential
materials or information in any medium including paper copies, microfiche, or computer files.
Such materials should be adequately secured from theft, reproduction, or casual observation.
Confidential materials include any information (except public information) associated with
employee names, social security numbers, or identification numbers. Examples of confidential
information include, but are not limited to the following:
1. Employee medical or psychological records.
2. Employee benefit or payroll information.
3. Any information which could cause ABC Company embarrassment or liability.
CONDUCT
The following guidelines are established regarding personal conduct and the confidentiality of
audit or business information acquired through audit assignments.
As a member of the Internal Audit staff, you are representing the highest level of
management. Conduct yourself in a manner that reflects favourably upon yourself and those
you represent. You are expected to exercise professional skill, integrity, maturity of behaviour,
and tact in your relations with others. In general, you are encouraged to be friendly with all
ABC Company employees without affecting your objectivity. You should guard against any
conduct or mannerisms which permit an impression that you consider yourself an "expert"
sent to check on employees. As far as possible, take the position of an independent/objective
analyst and advisor. Avoid the image of policing.
In the course of your assignments, you will be in contact with personnel at all levels of
authority and position. At all times, independence in mental attitude is to be maintained.
Reports resulting from your efforts should always contain full and unbiased disclosure of all
but minor audit findings. Although you report to the Internal Audit Department, you have
responsibilities to both management and the personnel being audited.
Much of your work is confidential; therefore, be discreet on and off the job in discussing
current or past audits or your personal assessments of audited entities. Judgment should be
exercised in the security of audit working papers, programs, records, and information at all
times.
Never indiscreetly discuss any information you obtain during audits.
Avoid extremes of dress or personal grooming.
AUDIT PROCESS
PLANNING
The assessment of audit risk is an integral part of our planning process. The audit planning
process encompasses all activities related to the development of the internal audit plan and
schedule and the determination of the audit scope and objectives, timing, design of detailed
procedures, and audit resource planning for the individual auditable entities. The primary
objective of the audit planning process is to design our audit approach to ensure that audits are
performed in the most effective and efficient manner. In undertaking this process we
attempted the following:
• Define the potential audit universe at ABC Company
• Define factors to be used in assessing risk
• Quantify the potential risk associated with each of the defined audit areas
• Schedule audits and allocate Internal Audit resources according to the priorities
established and the current level and expertise of internal auditors
PLANNING - RESEARCH, SCHEDULING, AND AUDITS
Internal Audit's scheduling process begins with requests for audit services (requests, or
suggestions, come from several sources). One obvious source is our own Internal Audit staff.
Our in-depth knowledge of ABC Company gives us a unique perspective on the types of
projects in which we can reduce ABC Company's risk. Hence, some of our projects originate
in our own group or as a result of the annual audit of ABC Company as a whole, which is
conducted by the external auditors.
Several factors influence the selection and scheduling of projects: the degree of risk or
exposure to loss; type of audit; current and planned work in other major audit projects
requiring substantial time commitments of Internal Audit staff; the availability of staff in
entities selected for review; and the availability of Internal Audit staff with the appropriate
skills.
An analysis will be performed annually in order to quantify risk and schedule audits. This
analysis will combine factual information and Internal Audit Department's judgment in the
selection, ranking, and weighing of the various audit risk factors. It should be emphasised that
the final determination as to which areas should be included in the audit plan cannot be based
solely on the results of this audit risk assessment. Rather, the performance of the assessment is
a tool for use by Internal Audit Department.
Types of Audits
1. AUDIT
• Operational - Refers to a comprehensive examination of an entity to evaluate its
performance, as measured by management's objectives. An operational audit focuses
on the efficiency, effectiveness, and economy of operations.
• Financial - Determine the accuracy and propriety of financial transactions.
• Compliance - The objective of these audits is to determine whether, and to what
degree, an audited entity conforms to certain specific requirements of policy,
procedures, standards, or laws and regulations. The auditor must know precisely what
policies, procedures, standards, etc. are required. Usually, compliance audits require
little preliminary survey work or review of internal controls, except to outline
precisely what requirements are being audited. The audit focuses almost exclusively
upon detailed testing of conditions.
• Asset Verification - An independent appraisal of ABC Company operations is
provided through the verification of accountability, physical safeguards, and valid use
of ABC Company assets. This is often performed in conjunction with an audit.
2. LOSS
• Loss/fraud investigations - Conducted to determine existing control weaknesses, assist
ABC Company Risk Management in determining the amount of the loss/fraud, and
assist the audited entity by recommending corrective measures to prevent subsequent
recurrences. Investigation of allegations may also be conducted.
3. INFORMATION SYSTEMS AUDIT
• The primary mission of the Information Systems audit function of Internal Audit is to
support the internal audit function in the evaluation of the accuracy, effectiveness, and
efficiency of ABC Company's electronic and information processing systems which
are in production or under development.
4. MISCELLANEOUS
• Consultant Services - Information, encouragement, and review will be provided on
issues concerning ABC Company policies, procedures, and internal controls. With the
addition of an information systems audit function consultation services are expanded
to include:
1. Assistance on evaluation of backup procedures and contingency planning
2. Assistance on whether a defined architecture has proper controls
3. Information on computer controls
4. Assistance on implementation of internal financial system
• Computer System Design and Enhancement - Internal Audit actively participates in
the development of new systems or enhancements to current systems to promote the
design of adequate internal controls prior to implementation and reduce the need for
corrective measures at a later date.
• Other Departmental Duties - Such as organising the annual retreat, preparing the
annual report, etc., as assigned by the Director.
5. ADMINISTRATIVE REVIEWS
• Pre-approved programs are used to audit accuracy and propriety of expenditures and
payroll transactions. Income will be audited if the amount is material. These reviews
may also include asset confirmations.
6. FOLLOW-UP REVIEW
• Follow-up reviews are performed to appraise management of post audit actions and
provide assurance that implemented changes adequately resolved audit findings. These
reviews also ensure that upper management has been properly notified of ABC
Company exposure related to unresolved audit findings.
7. CASH COUNT
• A cash count is performed to determine custodial fund accountability which may
include one or more of the following types of funds: petty cash fund, change fund, or
revolving fund. A pre-approved cash count audit program is used for this type of audit.
Audit Assignment
All audits/tasks will be authorised by the Internal Audit Department using an audit assignment
sheet. The objective of this process is to assure that work is performed on only authorised
activity. This form will provide sufficient information on the audit/task scope, objectives, and
resource restrictions (allocated hours, expected completion date) so the assigned auditor(s)
will have a clear understanding of Internal Audit Department's expectations for their particular
assignment.
Definition of Terms on the Assignment Sheet
• Task Number: A five digit number used to identify the project
• Type: The type of project indicated on the assignment form:
○ A=audit;
○ L=loss;
○ C=cash count;
○ F=follow-up;
○ M=miscellaneous;
○ T=continuing education - no trackable hours;
○ E=continuing education;
○ D=Information Systems audit;
○ X=task cancelled;
○ R=administrative review.
• Location of audit:
○ BRU=Brussels;
○ PAR=Paris;
○ BLN=Berlin;
• Title of Project: A short description of the project
• Assignment Date: Beginning date that hours can be charged to the project
• Allocated Hours: Time budgeted for this project. Any deviation from these hours must
be approved by the Internal Audit Department
• Expected Completion Date: The date the report is expected to be issued in final
• Assigned Staff: Names of the Reviewer, Project Manager, Assigned Staff, Project
Consultant, Participant, Instructor, and Non-active staff should be listed on assignment
sheet with project hours that are assigned to each
• Scope & Objectives: A short description of the scope and objectives that will be
covered
• Fiscal Year: Fiscal year to be audited
Scope and Objectives
The scope section shall define the limitations of the audit/task assignment. The scope will
generally include a time period, and what records, processes, funds, transactions, policies,
controls, etc., we shall be reviewing. Scope limitations that very narrowly restrict audit work
should be mentioned in the audit report. (Example: We did not test actual expenditure
transactions.)
The objectives will explain what the audit is trying to accomplish. Audit objectives will
generally include one or more of the following:
1. Determine the accuracy and propriety of financial transactions;
2. Evaluate financial and operational procedures for adequacy of internal controls
and provide advice and guidance on control aspects of new policies, systems,
processes, and procedures;
3. Verify the existence of ABC Company assets and ensure that proper safeguards
are maintained to protect them from loss;
4. Determine the level of compliance with ABC Company policies and
procedures, laws and regulations;
5. Evaluate the accuracy, effectiveness, and efficiency of ABC Company's
electronic information and processing systems;
6. Determine the effectiveness and efficiency of audited entities in accomplishing
their mission and identify operational opportunities for cost savings and
revenue enhancements;
7. Provide assistance and a coordinated audit effort with the external auditors;
8. Determine if a loss occurred and, if so, the amount of the loss and circumstances
(control weaknesses) that contributed to it.
Duties/Responsibilities
• INTERNAL AUDIT DEPARTMENT
○ Internal Audit Department, the Director and Associate Director of Internal
Auditing, will be responsible for ensuring that audit resources are efficiently
and effectively employed and that the audit work performed fulfils the mission
of the department.
• AUDIT MANAGER
○ The auditor in charge of the task will normally be an audit manager and will
have the following duties and responsibilities:
1. Attend entrance and exit interviews
2. Discuss, direct, advise, etc., the assigned auditors during the course of
the assignment including writing the report
3. Will be responsible for assuring the audit program steps accomplish the
objectives, address major risk and exposures, and reasonably assure the
completion of the assignment within allocated resources. Final approval
of the audit program will be done by Internal Audit Department
4. Review, edit, and approve the draft report
5. Assure the audit is performed according to department standards,
staying within the scope and resource allocation limits (hours and
dates), and meet stated assigned objectives.
• ASSIGNED AUDITOR(S)
○ Assigned auditor(s) will be responsible for performing the audit and will have
the following duties and responsibilities:
1. Perform the preliminary review, including the internal control
evaluation, with guidance from the Audit Manager
2. After discussions with the Audit Manager, prepare an audit program
and time estimate for each program section
3. Perform all assigned activities in conformance with department
standards, staying within the scope and resource allocation limits of the
assigned activity or program section
4. Write the draft audit report
○ An assigned auditor who is also the Audit Manager of the project will have the
additional duties of Audit Manager.
• REVIEWER
○ All working papers should be independently reviewed to ensure there is
sufficient evidence to support conclusions and that all audit objectives have
been met. A detailed review will be conducted by the Audit Manager for
assigned staff's working papers and a less comprehensive review will be
conducted by department administration or an assigned staff person. Initialling
working papers (see "review/approval form"), signing the "review/approval
form," and filing "cleared" review notes in the current working papers will
serve as documentation of the review process.
○ The reviewer should:
1. Determine working papers' compliance with the department working
paper standards;
2. Review from audit program steps to the referenced working papers
ensuring cross-referencing is proper, the working papers support the
steps performed, and all steps have been completed;
3. Review working papers from the report(s) to the Digest of Significant
Findings to the working paper summaries to the detailed working
papers to ensure that all findings are stated adequately and documented
and support the opinions, findings, and recommendations stated in the
report;
4. Ensure that working papers "stand alone" in that they clearly state what
work was performed, how and from where samples were selected, the
purpose of the working paper, what findings were made, etc.;
5. Document review comments on review notes form;
6. After all audit review notes have been resolved, sign off on working
paper section of final working paper/report approval form;
7. Determine report(s) compliance with the department report standards;
8. Sign off on report(s) section of final working paper/report approval
form;
9. Determine Permanent Audit File's compliance with department
standards.
• PROJECT CONSULTANT
○ The project consultant's primary duties and responsibilities are to advise and
provide guidance to the assigned auditors. The project consultant does not take
an active role in the project, but will be on call to answer questions or
volunteer suggestions as applicable.
• REPORT REVIEWER
○ The Report Reviewer's primary responsibility is to provide a final independent
review of audit reports to help ensure that proper grammar, spelling, and
format have been used. The Report Reviewer will also perform or supervise
the:
1. Printing of revised draft copies for the Director's approval
2. Printing of the final report copy for auditors' and Director's signature
3. Mailing of the final report copy
4. Filing of electronic copy on LAN
5. Updating of Working Papers files: mark complete, recommendation
categories, create follow-up when necessary, etc.
6. Mailing feedback questionnaire
7. Updating feedback spreadsheet when feedback received
8. Adding response to electronic copy of report and filing paper copy with
final report
9. Creating follow-up working papers, trustee report, electronic copy of
report on LAN, etc.
10. Updating Director's report
Announcement Letter
The audited entity shall be informed of the audit project through an announcement letter from
the Internal Audit Director. However, Internal Audit will not provide advance notifications for
cash counts and fraud investigations. Additionally, Internal Audit may not send an
announcement letter for requested consulting services.
The announcement letter shall communicate the scope and objectives of the audit, the period
covered, and the auditor(s) assigned to the project. Internal Audit's mission statement shall
also be enclosed for the audited entity’s information.
Preliminary Review
The objective of the Preliminary Review is to gain sufficient knowledge of the entity being
reviewed so the auditor can design an audit program to accomplish the assigned objectives.
The review will help the auditor to determine if the assigned objectives are attainable with the
allocated resources and what audit procedures should be performed, based on assessed risks
and exposures, to achieve the objectives.
The preliminary review work can be broken down into four distinct phases:
1. Familiarisation
2. Identification of potential problem areas
3. Evaluation of internal controls
4. Planning the detailed audit
One of the problems in performing an effective preliminary review is the failure to complete
all phases of the review before preparing the formal audit program and beginning the
fieldwork.
Initial Research (Familiarisation)
Before meeting with the audited entity, the assigned auditor(s) shall obtain a basic
understanding of the operation or system under review. This review will normally include:
• Review of Permanent Audit File (if one exists)
• Review of Previous Audit Working Papers, Reports, Management letters (if available)
• Review of department financial statements (transactions) including historical trends if
available
• Review of department organisation and staffing (payroll/personnel listing)
• Review of department equipment listing
• Consultations with other auditors that have been involved in similar audits or are
familiar with this department, related ANAEL files, systems, etc.
• Review department focus
• Review department's mission statement, organisation chart and other information
requested in the "announcement letter"
• Review and research for applicable laws, regulations, and departmental policies and
procedures
• Conduct the initial meeting with audited entity
Identification of Potential Problem Areas
An objective of the preliminary review is the identification of potential problem areas. One of
the first steps in determining problem areas is to identify those programs, activities, and
functions which are significant.
These can be identified as those programs or activities:
• Which are susceptible to fraud, abuse, or mismanagement
• In which there is a large volume of transactions or large investments in assets which
are subject to loss if not carefully controlled
• About which concerns have been expressed by management
• In which prior audits have disclosed major weaknesses or deficiencies
This phase of the preliminary review should identify the significant activities of the area and
what inherent risks exist. Once these activities and risks have been identified, the next step is
to evaluate controls.
The auditor is responsible for determining how much reliance can be placed on the entity's
controls to protect its assets, assure accurate information, assure compliance with applicable
laws and regulations, promote efficiency and economy, and produce effective results.
A complete review of all controls is not always necessary because some controls may be
irrelevant to basic issues which are the subject of the audit effort. Therefore, the auditor must
identify those controls which are the most important and critical to the operation and
concentrate on them. Some controls which can normally be identified as critical are those
which are designed to protect against:
• Substantial financial losses
• Program violations
• Mismanagement
• Legal violations
• Adverse publicity
• Lack of program or mission accomplishment
The auditor's evaluation should include identification of areas in which essential controls
appear to be weak, non-functioning, or missing.
Vast amounts of data are stored electronically. Internal Audit has a library of standardised
ANAEL queries that will assist in obtaining some of this information.
Review and Evaluation of Internal Control Environment
The auditor will review the audited entity's internal control structure. In doing this, the auditor
uses a variety of tools and techniques, including flow charts, interviews, data gathering, and
analysis. The review of internal controls helps the auditor design tests to be performed in the
fieldwork section of the audit.
The evaluation of the system of internal controls should provide reasonable, but not absolute,
assurance that the fundamental elements of the system are sufficient to accomplish their
intended purpose. The study and evaluation should be adequately documented and properly
supported by results of tests, observations, and inquiries. The use of electronic data processing
methods that can affect the reliability, accuracy, or usefulness of financial or statistical data,
and reports should be included as part of the study and evaluation.
Internal controls are evaluated throughout the audit examination. Audit Managers should
prepare the program to assist assigned auditors in performing this aspect of the audit work.
Generally, the guidelines are incorporated into an audit program in the form of internal control
questionnaires, checklists, and specific audit tests and procedures. Although the written audit
guidelines (programs) are invaluable aids, Audit Managers must ensure that each assigned
auditor is familiar with the scope and objectives of the internal control review.
The review of the system of internal controls is performed by discussing the control
procedures, methods, and plan of organisation with audited entity’s officials. The auditor may
use internal control questionnaires or checklists as well as written narrative memoranda, flow
charts, a transaction walk through, and other applicable techniques in determining the adopted
control procedures and the method and plan of organisation. These techniques are preferred
because they provide adequate documentation. In addition to discussions with audit customer
officials, auditors make inquiries and perform observations relating to the system of internal
controls. These inquiries and observations, and resulting findings and conclusions are also
documented in the working papers. This documentation includes identifying control strengths
and weaknesses and cross-referencing them to the audit tests and procedures concerned with
substantive testing.
To assist in evaluating the system of internal control the auditor should consider the
following:
• Types of errors and irregularities that could occur.
• Control procedures to prevent or detect such errors and irregularities.
• Whether the procedures have been adopted and are being followed satisfactorily.
• Weaknesses which would enable errors and irregularities to pass through existing
control procedures.
• The effect these weaknesses have on the nature, timing, and extent of auditing
procedures to be applied.
• Audit methods used to study and evaluate existing internal controls include:
• Internal Control Questionnaires - These guide the auditor to query responsible
managers regarding specific or general internal controls. The questionnaires are
designed so that a negative response indicates a potential internal control weakness. A
negative response will cause the auditor to determine whether compensating controls
are in existence which would offset the negative response.
• Narratives - These describe the system of internal control.
• Flow Charts - A flow chart is beneficial because it visually depicts processes designed
or intended for control purposes. Flow-charting provides the auditor with a good
understanding of the process being evaluated.
• Documentation supports the auditor's understanding of the internal controls. Audit
working papers provide the support for the conclusions reached by the auditor
regarding the study and evaluation of internal controls. Only those internal control
functions, which are deemed critical or important to the strength within a particular
transaction cycle, should be tested and evaluated. Working papers should be prepared
to highlight the internal control attributes within the processes to be evaluated.
• Tests of compliance are performed to obtain sufficient evidence that the system is
operating in accordance with the understanding the auditor obtained from the review.
These are performed for those control procedures or methods upon which the auditor
has chosen to rely. Conversely, when the auditor determines that certain controls
cannot be relied upon, tests of compliance are not ordinarily performed.
• The nature, timing, and extent of tests of compliance are closely related to the control
procedures and methods studied by the auditor. Additionally, the auditor must consider
the availability of evidence and the audit effort required to test compliance. In
considering the required audit effort, the auditor assesses whether precluding certain
tests of compliance will reduce the reliance on the controls and procedures, and
whether such reduced reliance significantly affects subsequent audit tests and
procedures.
Flowcharting
The primary purpose of preparing a flow chart is to identify the key control attributes - those
attributes that achieve control objectives. This can efficiently point out cases of under/over
control and processing redundancy.
Clarity and simplicity in presentation are essential. Mistaken use of extreme detail may tend
to conceal rather than expose key points. Complexities such as exception controls can be
better explained in attached memoranda. However, narrative explanations should be kept
brief. In most cases, the combination of the flow chart and a narrative description tends to be
far superior to either document alone.
Only transactions/documents with control significance should be shown (i.e., control over
authorisation, recording, safeguarding, reconciliation, and valuation). This can generally be
accomplished by including only those activities within an application where data is initialised,
changed, or transferred to other departments. For a process to be flow charted, it must be
broken down into its component parts, namely actions and decisions. Also, the name(s) and
position(s) of the people performing the transactions should be indicated for each action. The
names of each document should also be included within the document symbols.
The auditor usually obtains information necessary for preparing or updating flow charts by
interviewing personnel at each site about procedures followed, and by reviewing procedure
manuals, existing flow charts and other system documentation. Sample documents are
collected and each department involved is questioned about its specific duties. Inquiries can
be made concurrently with the performance of transaction reviews, particularly when flow
charts are being updated. If possible, the auditor should observe the process.
Internal Control Questionnaires
The primary purpose of completing the internal control questionnaire is to identify critical
areas, strengths, and weaknesses in the process.
PLANNING THE DETAILED AUDIT
The elements of materiality and relative risk must be considered in performing the audit. The
due professional care standards do not imply unlimited responsibility for disclosure of
irregularities and other deficiencies. The auditor's principal effort should be in those areas
where significant problems or deficiencies may exist, rather than in areas that are relatively
unimportant. Time should not be spent examining or developing evidence beyond what is
necessary to afford a sound basis for a professional opinion.
The results of the preliminary review should be analysed to determine the need for a detailed
audit and the specific areas to be covered. The detailed audit program should be prepared
allocating the project budget time established for the fieldwork to the specific areas to be
covered in the audit.
Statement of Risk and Exposure
• Rationale:
○ A risk/exposure analysis will be performed to prioritise audit testing that must
be performed to achieve the audit objectives. This determination is essential for
providing reasonable assurance that internal audit resources are deployed in an
optimal manner (i.e. the most time is spent examining areas with the greatest
risk exposure).
○ The three types of risks that will be considered are:
▪ Inherent Risk - The risk related to the fundamental characteristics of the
assigned area (i.e., an area that receives income in the form of currency
and coin has a greater inherent risk of theft of that income than one that
receives internal billing income from another department).
▪ Control Risk - The risk that the assigned area's internal control system
would fail to prevent or detect a significant intentional or unintentional
error in the process.
▪ Detection Risk - The risk that the internal audit would fail to detect
errors that had occurred.
○ Exposure is the potential loss or liability to ABC Company. It is not only loss
of money but also ABC Company's reputation, etc.
○ A Risk/Exposure analysis will involve determining the highest possible
combined factors. (high risk/high exposure as opposed to high risk/low
exposure or low risk/high exposure)
• Policy:
○ During the preliminary review/internal control evaluation stage of the audit,
the auditor will make a determination of what areas contain the greatest risks
and potential exposures. This determination will be discussed with the Internal
Audit Department before the audit program is written.
• Process:
○ During the preliminary review/internal control evaluation stage of the audit,
the auditor will complete a schedule detailing the greatest risks and potential
exposures and discuss with Internal Audit Department.
Permanent Audit Files
A permanent file should give the auditor general knowledge about the audited entity. The
information in the file is not expected to change significantly from year-to-year, but it is
pertinent to the current year's audit. Prior year's financial statements would aid the auditor in
gathering general knowledge about the audited entity. It might also be useful in comparing the
current year to the prior year or performing analyses. A permanent file should only be
prepared for audits that we continually do or if the area audited is a system such as payroll,
accounts payable, etc. Before a permanent file is established, consult with the Audit Manager
and Internal Audit Department. If a permanent file is not prepared, useful information can be
filed in section D of the working papers.
AUDIT PROGRAM
Preparation of the audit program concludes the Preliminary Review phase. The audit program
outlines the necessary steps to achieve the objectives of the audit within the defined scope as
listed on the assignment sheet. The audit program is a detailed plan for the work to be
performed during the audit. A well-constructed program is essential to completing the audit
project in an efficient manner.
A well-constructed program provides:
• A systematic plan for each phase of the work that can be communicated to all audit
personnel concerned
• Means of self control for the audit staff assigned
• Means by which the audit supervisor/manager can review and compare performance
with approved plans
• Assistance in training inexperienced staff members and acquainting them with the
scope, objectives, and work steps of an audit
• An aid to supervisor/manager making possible a reduction in the amount of direct
supervisory effort needed
• Assistance in familiarising successive audit staff with the nature of work previously
carried out
The program consists of specific directions for carrying out the assignment. It should contain
a statement of the objectives of the operation being reviewed. For each segment of the audit
the program should (1) list the risks that must be covered in that segment; (2) show for each
risk the controls that exist or that are needed to protect against the indicated risk; (3) show for
each of the listed controls the work steps required to test the effectiveness of those controls, or
set forth the recommendations that will be required to install needed controls; and (4) provide
space for referencing the related audit working papers.
Standardised audit programs are available and should be used or modified to achieve the audit
objectives. The auditor shall include an estimate of the hours necessary to complete the
project. Internal Audit Department reviews the auditor's work to-date (preliminary review
work) and then discusses any concerns or proposed program changes.
Objectives
The audit program shall contain a statement of the objectives of the area being reviewed. The
statement of objectives in the audit program shall correspond with the audit objectives stated
in the assignment sheet. These objectives should be achieved through the detailed audit
program steps.
Audit Steps
A well-constructed audit program provides specific, detailed steps (procedures) for achieving
the audit objectives. Standardised audit programs with specific audit steps for achieving
objectives are available and should be used or modified.
Time Budget
A project time budget provides overall guidelines for the performance of the audit. In
addition, it enables the audit manager to control the audit work in process. It is essential that
we control our time carefully in order that it may be used in the most effective manner
possible. The detailed project time budget should be completed at the conclusion of the
preliminary review.
Each project will have a time budget that will be approved by the audit manager and Internal
Audit Department. This budget will include all time necessary to complete the audit, from
assignment through issuance of the final report. The preliminary review phase should be
completed when no more than 25 percent of the total time budget has been depleted.
The budget process will be broken down into two phases. A portion of the budget should be
allocated for the planning process. This will provide the necessary control over this phase of
audit work.
Near the completion of the planning process, the remaining budget should be allocated to the
rest of the audit and recorded on the Time Budget Summary. For purposes of overall control,
the time budget should be broken down into the following general categories (more may be
used if warranted):
• Planning - initial planning, preliminary survey, audit program
• Fieldwork - allocated to the various segments of the audit project
• Audit report and wrap-up - audit manager's review, quality assurance review, report
writing and editing, report review, audited entity's review, exit conference, etc.
• Preparation and Approval - The project time budget should be prepared by the audit
manager and approved by Internal Audit Department.
• Budget Revisions - Any revisions to the project time budget should be discussed with
Internal Audit Department at the earliest possible time and, when approved by Internal
Audit Department, documented on the Time Budget Summary.
FIELDWORK
Evidential Matter
Evidential matter obtained during the course of the audit provides the documented basis for
the auditor's opinions, findings, and recommendations as expressed in the audit report. As
internal auditors, we are obligated by our professional standards to act objectively, exercise
due professional care, and collect sufficient, competent, relevant, and useful information to
provide a sound basis for audit findings and recommendations (see examining and evaluating
information).
Audit Sampling
Audit sampling is performing an audit test on less than 100 percent of a population. In
'sampling' the auditor accepts the risk that some or all errors will not be found and the
conclusions drawn (i.e. all transactions were proper and accurate) may be wrong.
Types of Sampling:
Statistical or probability sampling allows the auditor to stipulate, with a given level of
confidence, the condition of a large population by reviewing only a percentage of the total
items. Several sampling techniques are available to the auditor.
• Attribute sampling - Is used when the auditor has identified the expected frequency or
occurrence of an event.
• Variables sampling - Is used when the auditor samples for values in a population
which vary from item to item.
• Judgment sampling - Is used when it is not essential to have a precise determination of
the probable condition of the universe, or where it is not possible, practical, or
necessary to use statistical sampling.
The type of sampling used and the number of items selected should be based on the auditor's
understanding of the relative risks and exposures of the areas audited.
Policy/Process:
All audit testing will include sampling. The type and sample size shall be described in the
program and approved by the Internal Audit Department.
Testing and Working Paper Documentation
Policy/Purpose:
Working papers serve both as tools to aid the auditor in performing his work, and as written
evidence of the work done to support the auditor's report. Information included in working
papers should be sufficient, competent, relevant, and useful to provide a sound basis for audit
findings and recommendations. Generally Accepted Auditing Standards define sufficient,
competent, relevant, and useful as follows:
• Sufficient information is factual, adequate, and convincing so that a prudent, informed
person would reach the same conclusions as the auditor.
• Competent information is reliable and the best attainable through the use of
appropriate audit techniques.
• Relevant information supports audit findings and recommendations and is consistent
with the objectives for the audit.
• Useful information helps the organisation meet its goals.
In addition to serving as a reference for the preparer when called upon to report findings or
answer questions, other individuals may find it necessary to use the working papers.
The Internal Audit Department will use the papers to review the quality of the audit project
and to evaluate the audit staff assigned to the work.
The manager whose entity is being audited may use details included in the working papers to
help implement corrective action to a problem or refute the assertion that a problem exists.
ABC Company management or other individuals who may have requested the audit require
timely reports. Well-organised working papers help to accomplish this goal.
External auditors review the work performed by the Department and evaluate the effect that
its activities had on ABC Company's system of internal control.
In fulfilling their public responsibility, certain regulatory agencies monitor ABC Company
operations, and the Department's working papers may be subjected to their review. Solid
working paper documentation is essential for questions from these and other potential outside
reviewers.
Qualities of Good Working Papers
Good working papers should be:
• Complete - Working papers must be able to "stand alone." This means that all
questions must be answered, all points raised by the reviewer must be cleared, and a
logical, well-thought out conclusion must be reached for each audit segment.
• Concise - Working papers must be confined to those that serve a useful purpose.
• Uniform - All working papers should be of uniform size and appearance. Smaller
papers should be fastened to standard working papers, and larger papers should be
folded to conform to size restrictions.
• Neat - Working papers should not be crowded. Allow for enough space on each
schedule so that all pertinent information can be included in a logical and orderly
manner. At the same time, keep working papers economical. Forms and procedures
should be included only when relevant to the audit or to an audit recommendation.
Also, try to avoid unnecessary listing and scheduling. All schedules should have a
purpose which relates to the audit procedures or recommendations.
Working Paper Techniques
Descriptive Headings - All working papers should include the audit stamp, title of the audit,
audit project number, title of the working paper, preparer's initials, date prepared, source of
information, and purpose of the working paper.
Tick-marks - The auditor makes frequent use of a variety of symbols to indicate work that
has been done. These symbols are commonly referred to as tick-marks. As these tick-marks
have no special or uniform meaning in themselves, an explanation of each tick-mark should
be made on the schedule on which it appears.
Cross-referencing - Cross-referencing within working papers should be complete and
accurate. Working papers should be cross-referenced to the Audit Findings. Audit Findings
should be cross-referenced to the exit conference memo and/or the audit report, to indicate
final disposition of the item. Cross-referencing should be done in the margins of audit report
drafts. These references readily provide direct access to the working papers.
Indexing - The system of indexing audit working papers should be simple, yet leave room for
flexibility. A capital letter should be used to identify each segment of the audit, and Arabic
numerals used to identify schedules within the segments.
Carry forward - The auditor should make full use of the working papers developed in the
prior audit. Flow charts, system descriptions, and other data may still be valid. Those papers
which remain useful should be made a part of the current working papers. They should be
updated with current information, renumbered, referenced, initialled, and dated by the current
auditor.
Types of Working Papers
All working papers should be maintained in binders. Schedules, analyses, documents, flow
charts, and narratives should be filed in a standard binder. Documentation which is not of
standard size should be mounted on standard size paper or referenced to a non-standard
binder.
1. Schedules and Analyses
Schedules and analyses are useful for identifying statistical trends, verifying the accuracy of
data, developing projections or estimations, and determining if tasks or records have been
properly completed. Each record review, data schedule, or analysis should include the
following items:
• An explanation of its purpose (reference audit step)
• The methodology used to select the sample, make the calculation, etc.
• The criteria used to evaluate the data
• The source of data and time frame considered
• A summary of the results of the analyses
• The auditor's conclusion
2. Documents
Copies or actual samples of various documents can be used as examples, for clarification, and
as physical evidence to support a conclusion or prove the existence of a problem. These
documents can be memos, reports, computer printouts, procedures, forms, invoices, flow
charts, contracts, or any of numerous other items. Any copied document should serve a useful
audit purpose.
The following suggestions are offered for preparation of working papers using documents
rather than the auditor's notes:
• Indicate both the person and/or file that the document came from (source).
• Copy and insert only that portion of the report, memo, procedure, etc., which is needed
for purposes of explanation or as documentation of a potential finding. Do not include
the entire document in the working papers unless absolutely necessary.
• Fully explain the terms and notations found on the document, as well as its use. This is
especially true when including maps, engineering drawings, or flow charts in the
papers. These explanations may be made on an attached preceding page or on the face
of the document itself.
• Each document should be cross-referenced either to the page or separate analysis
where it was discussed.
• No document should be included in the working papers without an explanation of why
it was included.
• Documents larger than A4 size should be reduced when practicable.
3. Process Write-ups and Flow charts
In many audits, it is necessary to describe systems or processes followed by the audited entity.
Describe such procedures or processes through the use of write-ups or flow charts or some
combination of the two. The choice of which method to use will depend on the relative
efficiency of the method in relation to the complexities of the system being described.
Write-ups are often easier to use, and should be used, if the system or process can be
described clearly and concisely. However, when write-ups would be lengthy, and description
of related control points difficult to integrate in the narrative, flow-charting (or a combination
of write-ups and flow-charting) is an appropriate alternative. Flow charts conveniently
describe complex relationships because they reduce narrative explanations to a picture of the
system. They are concise and may be easier to analyse than written descriptions.
4. Interviews
Most verbal information is obtained through formal interviews conducted either in person or
by telephone. Formal interviews are most desirable because the interviewees know they are
providing input to the audit; however, impromptu interviews, or even casual discussions can
often provide important information. Any verbal information which is likely to support a
conclusion in the audit working papers should be documented. Interviews are useful in
identifying problem areas, obtaining general knowledge of the audit subject, collecting data
not in a documented form, and documenting the audit customer's opinions, assessments, or
rationale for actions. Interview notes should contain only the facts presented by the person
interviewed, and not include any of the auditor's opinions.
In preparing interviews for working papers, consider the following suggestions:
• Be sure to include the name and position title of all persons from whom information
was obtained. This includes data gathered during casual conversations.
• Indicate when and where the meeting occurred.
• Organise notes by topic wherever possible.
• Identify sources of information quoted by interviewee.
5. Observations
What the auditor observes can serve the same purposes as interviews. If observations can be
used to support any conclusions, then they should be documented. They are especially useful
for physical verifications.
Observations used as supporting documentation should generally include the following items:
• Time and date of the observations
• Where the observations were made
• Who accompanied the auditor during the observations
• What was observed (when testing is involved, the working papers should include the
sample selections and the basis of the sample)
6. Findings
All audit findings must be documented in a SECTION SUMMARY (see next section)
schedule in the working papers. Unfavourable findings shall be summarised on a Digest of
Significant Findings working paper whether or not they are to be included in the audit report.
All findings should be documented immediately by the auditor discovering the situation.
STATING FINDINGS/CONCLUSIONS
Upon the conclusion of the fieldwork, the auditor shall summarise the audit findings,
conclusions, and recommendations necessary for preparation of the audit report discussion
draft. Each audit finding will have the following ATTRIBUTES documented in the
SECTION SUMMARY:
1. Statement of Condition (What is!)
2. Criteria (What should be!)
3. Effect (So what?)
4. Cause (Why did it happen?)
5. Recommendation (What should be done?)

1. Statement of Condition
The condition identifies the nature and extent of the finding or unsatisfactory condition. It often
answers the question: "What was wrong?" Normally, a clear and accurate statement of
condition evolves from the auditor's comparison of results with appropriate evaluation
criteria.
2. Criteria
This attribute establishes the legitimacy of the finding by identifying the evaluation criteria
and answers the question: "By what standards was it judged?" In financial and compliance
audits, criteria could be accuracy, materiality, consistency, or compliance with applicable
accounting principles and legal or regulatory requirements.
In audits of efficiency, economy, and program results (effectiveness), criteria might be defined
in mission, operation, or function statements; performance, production, and cost standards;
contractual agreements; program objectives; policies, procedures, and other command media;
or other external sources of authoritative criteria.
3. Effect
This attribute identifies the real or potential impact of the condition and answers the question:
"What effect did it have?"
The significance of a condition is usually judged by its effect. In operational audits, reduction
in efficiency and economy, or not attaining program objectives (effectiveness), are appropriate
measures of effect. These are frequently expressed in quantitative terms; e.g., value, number
of personnel, units of production, quantities of material, number of transactions, or elapsed
time. If the real effect cannot be determined, potential or intangible effects can sometimes be
useful in showing the significance of the condition.
4. Cause
The fourth attribute identifies the underlying reasons for unsatisfactory conditions or findings,
and answers the question: "Why did it happen?"
If the condition has persisted for a long period of time or is intensifying, the contributing
causes for these characteristics of the condition should also be described.
Identification of the cause of an unsatisfactory condition or finding is a prerequisite to making
meaningful recommendations for corrective action. The cause may be quite obvious or may
be identified by deductive reasoning if the audit recommendation points out a specific and
practical way to correct the condition. However, failure to identify the cause in a finding may
also mean the cause was not determined because of limitations or defects in audit work, or was
omitted to avoid direct confrontation with responsible officials.
5. Recommendations
This final attribute identifies suggested remedial action and answers the question: "What
should be done?"
The relationship between the audit recommendation and the underlying cause of the condition
should be clear and logical. If a relationship exists, the recommended action will most likely
be feasible and appropriately directed.
Recommendations in the audit report should state precisely what needs to be changed or
fixed. How the change will be made is the audited entity's responsibility. More generalised
recommendations (e.g., greater attention be given, controls be re-emphasised, a study made,
or consideration be given) should not be used in the audit report, but they are sometimes
appropriate in summary reports to direct top management's attention to compliance-type
findings disclosed in several areas.

Unless benefits of taking the recommended action are obvious, they should be stated. The cost
of implementing and maintaining recommendations should always be compared to risk.
Recommendations should be directed to an individual capable of taking action.
6. Policy/Process
Audit findings will include: the nature of the findings, the criteria used to determine the
existence of the condition; the cause of the condition; the significance of its impact; and what
the auditors think should be done to correct the situation.

QUALITY ASSURANCE
The purpose of "quality assurance" is to provide reasonable assurance that audit work
performed by ABC Company - Internal Audit conforms to Generally Accepted Auditing
Standards.
Quality Assurance Policy
All working papers shall be independently reviewed to ensure there is sufficient evidence to
support conclusions, document the extent of audit work performed, and ensure that all audit
objectives have been met, as well as substantiate compliance with applicable auditing
standards.
A detailed review shall be conducted by the Audit Manager for assigned staff's working
papers. A less comprehensive review shall be conducted by Internal Audit Department or an
assigned Quality Assurance staff person. EXCEPTION: If the Audit Manager is the only staff
member assigned to the audit/task then the detailed review shall be performed by department
administration or an assigned Quality Assurance staff person.
Initialling (Director/Quality Assurance staff person and the Audit Manager) working papers
(Section Summaries, Audit Programs, Draft Report) and completing the "Quality Assurance
Review form," will serve as documentation of the review process and will be filed with the
working papers.
NOTE: Auditors are encouraged to perform an "informal" self-review of their working papers.
However, this review would be for their benefit only and therefore this document SHALL
NOT be a part of the working papers.
Quality Assurance Review Process
In performing the review the reviewer should:
• Review working papers from audit program steps to the referenced working papers
ensuring cross-referencing is proper, the working papers support the steps performed,
and all steps have been completed (or why steps were not completed).
• Review working papers from the report(s) to the digest to the working paper
summaries to the detailed working papers to ensure that all findings are stated and
that the working papers adequately document and support the OPINIONS, FINDINGS, and
RECOMMENDATIONS stated in the report.
• Determine the working papers' compliance with department working paper standards.
• Determine report(s) compliance with department report standards.
• Determine Permanent Audit File's compliance with department standards.
• Record any deficiencies, comments, etc. on a Working Paper Review Notes form.
• The auditor(s) who prepared the working papers will then respond (if necessary) to
these points on the same form.
• After the reviewer has "cleared" the points and completed (initialled) the "Quality
Assurance Review form," the working papers will be forwarded to Internal Audit
Department.
• Internal Audit Department will review the working papers and discuss the findings and
review comments with the Assigned Auditor, Audit Manager, and Reviewer, then
complete the relevant parts of the "Quality Assurance Review form," and approve the
draft report for the exit conference.
• The Report Reviewer will perform a pre-exit conference edit: a spell check and a
cursory grammatical and consistency review.
• The assigned auditor will forward a copy of the draft report to the audited entity prior
to the exit conference.
• After exit conference amendments, the Report Reviewer will perform a spell check, as
well as a cursory grammatical and consistency review, then print out the FINAL
version of the report.
• The Audit Manager, assigned Auditor(s) and Director will review and sign the final
report.
NOTE: The working papers and report will be factors used in the Performance Evaluation
process.
GENERAL STANDARDS FOR WORKING PAPERS
Functions of Working Papers
• Support auditor's opinion
• Aid in the conduct and supervision of the engagement
• Provide a record of:
1. Procedures applied
2. Tests performed
3. Information obtained
4. Pertinent conclusions reached
• Provide evidence that the audit was conducted in accordance with Generally Accepted
Auditing Standards
Completeness of Working Papers
• Working papers should be accurate and complete
1. No significant questions within the scope or related to the objective of the audit
should go unanswered
2. Working papers must "stand alone," in that they clearly state what work was
performed, how and from where samples were selected, the purpose of the
working papers, what findings were made, etc.
• Each item in the working papers should contain:
1. A descriptive heading
2. Identification of source if not obvious
3. The date of preparation and the auditor's initials
4. The index number of the work paper
• Working papers should be sufficient, competent, relevant, and useful to provide a
sound basis for audit findings and recommendations
1. Consistent, neat, not crowded
2. Only essential items included
3. Arranged in a uniform style
• Working papers should prove that standards have been followed such as:
1. Adequate planning and supervision
2. Adequate review of internal control
3. Sufficient competent evidential matter
Examples of Working Papers
• Working papers may include any or all of the following:
1. Audit programs, summaries, schedules, computations, or analysis prepared or
obtained
2. Memoranda, interviews, letters of confirmation or representation
3. Data stored on tapes, films, disk, or other media
• The working papers listed below constitute the minimum REQUIRED support for an
assignment
1. Working Papers Index
2. Assignment Form
3. Draft Report
4. Digest of Significant Findings
5. Quality Assurance Review
6. Audit Program
7. Section Summaries for each audit program section
8. Worksheet or Lead Schedules
9. Final Report
• The following working papers should generally be prepared, but may not be
considered mandatory for all assignments:
1. Permanent Audit File
2. Summary of Audit Objectives and Time Control
3. Announcement Letter
4. Contact List
5. Audited Entity Financial Statements
6. Interim Memoranda and Meetings
7. Exit Conference Record
Cross-Referencing of Working Papers
• All significant amounts and items should be cross-referenced
Indexing of Working Papers
• Every page should have an index number
• The index should be simple
• The index should be capable of infinite expansion
GENERAL STANDARDS - REPORT(S)
• Reports conform to the department format guidelines.
• Report title specifically states what was audited.
• Report is copied to the right people (at a minimum this should be the Vice President in
Internal Audit reporting line, and the report addressee's direct supervisor, reporting
line, etc.)
• Audit objectives are stated clearly and in agreement with those stated in the
announcement letter or Audit Assignment form (if no announcement letter sent).
• Scope clearly states what we examined including, if applicable, what period,
transactions, documents, and limitations.
• Opinions (where appropriate) are supported by audit findings.
• Background contains mission and other information of value to reader.
• Findings are presented clearly and contain the following elements:
○ Statement of Condition - Is stated in first sentence
○ Criteria - Policy, etc.,
○ Effect - potential or actual exposure to ABC Company
○ Cause - how did it happen (if known)
○ Recommendation
• Recommendations are specific enough so the audited entity understands what is
expected, something that can be accomplished, cost beneficial, followed-up on, etc.
• Draft Report is referenced to the working papers.
• Reports are objective, clear, concise, constructive, and timely.
• The auditor presents to appropriate management a draft of the final report for
discussion before issuance of the final report.
• If appropriate, a Management Letter may be issued.
REPORTING AND FOLLOW-UP
The most successful audit projects are those in which the audited entity and the Internal
Auditors have a constructive working relationship. Our objective is to have the audited
entity's continuing involvement as well as communication at every stage, so that the audited
entity understands what we are doing and why we are doing it.

Although every audit project is unique, the audit process is similar for most engagements. The
audit process normally consists of four stages: Preliminary Review, Fieldwork, Audit Report,
and Follow-up Review.
Audit Report, Transmittal Letter and Management Letter
Our principal product is the final report in which we express our opinions about the audit
findings and discuss our recommendations for improvements. Therefore, in order for Internal
Audit to be effective, our reports must clearly and persuasively convey the results of our
audits and convince readers to recognise the validity of the findings and the benefit of
implementing any recommendations.
To facilitate communication and ensure that the recommendations presented in the final report
are practical, Internal Audit ALWAYS discusses the rough draft with the audited entity prior
to issuing the final report.
Internal Audit prints and distributes the final report to the audited entity's operating
management, the audited entity's reporting supervisor, the Finance Director and other
appropriate members of senior ABC Company management. This report is primarily for
internal ABC Company management use. The Internal Audit Director's approval is required
for release outside of ABC Company. The results of the audit are also included in the Internal
Audit's annual report to the Board of Directors.
The first page (transmittal letter) of the report is a letter requesting the audited entity's written
response to the report recommendations within 30 days. The audited entity should explain, in
the written response, when and how report findings will be resolved with an implementation
timetable. We encourage the audited entity to copy this response to all recipients of the final
report. The audited entity's response is included in Internal Audit's annual report to the Board
of Directors.
A management letter written to and distributed to only the audited entity manager may be
issued. This letter will contain suggestions for improving controls, operations, and anything
Internal Audit Department feels needs to be in writing.
CONFIDENTIALITY - REPORTS
Although Internal Audit reports are internal documents exclusively for the use of ABC
Company, certain reports will contain information that SHOULD NOT BE DISCLOSED
OUTSIDE OF THE AREAS RECEIVING THE REPORT.
Policy
Audit reports will be classified as CONFIDENTIAL if they meet the following criteria:
• Report discloses a weakness (potentially resulting in a loss) which has not been
corrected at the time of distribution
• Report discloses sensitive information which could prove an embarrassment to ABC
Company (if made public)
• Report discloses information classified as "restricted data"
• At the discretion of the Director of Internal Audit
Audit reports classified as CONFIDENTIAL will contain the words CONFIDENTIAL
REPORT on the title page and the footnote "Confidential - Do not disclose information in this
document." on each page.
Process
The Audit Manager will discuss their recommendation and rationale regarding the
classification of a report when it is given to the Director of Internal Audit for initial review.
EXIT CONFERENCE
After the draft report has been approved by Internal Audit Department, the auditor(s) meet
with the audited entity's management team to discuss the findings, recommendations, and text
of the draft. At this time, the audited entity comments on the draft report, and any inaccuracies
or impractical recommendations are resolved to the extent possible.
Pre-exit conference items
• There should be no surprises - everything in the draft should have been discussed
during the fieldwork.
• Be sure you can easily find supporting documentation for findings in the working
papers in case questions arise at the exit conference.
• Try to anticipate potential questions/conflicts
Exit conference agenda
• Go through verbal recommendations:
• Discuss the following and go through report and management letter:
○ Do they want to respond after receiving the final report or would they like their
response either included or attached to the final report (department preference
is to include or attach the audit response with the final report)?
○ A follow-up will be done within one year to review action taken.
○ Results of audit, response, and follow-up will be included in our annual report
to the Board of Directors.
○ Were there any questions about the scope and objectives?
○ Are there any questions about the opinion?
○ Are there any questions, comments, additions, or deletions on background?
○ Any comments or questions about other sections (go through each)?
○ General comments about audit process?
CLOSING OF THE AUDIT
The auditor then prepares a draft, taking into account any revisions resulting from the exit
conference and other discussions. When the changes have been reviewed by Internal Audit
Department and the audited entity, the final report is issued.
The report is then printed in final by the report reviewer and distributed to the audited entity's
reporting supervisor, the Finance Director, and other appropriate members of ABC Company
management. This report is primarily for internal ABC Company management use. The
Internal Audit Director's approval is required for release outside of ABC Company.
Input in Board of Directors Report
The establishment of a clear reporting structure with the Board of Directors enhances Internal
Audit's independence and strengthens our ability to function freely within ABC Company. It
also provides us the opportunity to acquaint the Board with any critical audit findings or
issues, our assessments of operations during the past year, and our concerns, goals and plans
for the next fiscal year.
The results of all report findings and recommendations, the response from the audited entity,
and the follow-up shall be reported in an annual report to the Board of Directors.

Audit Feedback Questionnaire
An audit feedback questionnaire will be sent to the audited entity immediately after an audit
report (excluding cash count and follow-up reports) has been issued. Questionnaires returned
shall be recorded and summarised.
Follow-up Review
Within one year of the final report, Internal Audit shall perform a follow-up review of audited
entities to ascertain the resolution of the report findings.
The actions taken to resolve the findings shall be reviewed and may be tested to ensure that
the desired results were achieved. In some cases, managers may choose not to implement an
audit recommendation and to accept the risks associated with an audit finding - the follow-up
review will note this as an unresolved finding.
The follow-up report will list the actions taken by the audited entity to resolve the original
report findings. Unresolved findings will also appear in the report and will include a brief
description of the finding, audit recommendation, client response, current condition, and the
continued exposure to ABC Company. In addition to the original report recipients and other
officials as deemed appropriate, the follow-up review results will also be included in the
Internal Audit Annual Report to the Board of Directors.
PERSONNEL
JOB DESCRIPTION: DIRECTOR OF AUDIT
Reports To: Board of Directors, Finance Director
SUMMARY:
Direct and coordinate internal auditing within ABC Company as an independent appraisal of
the various operations and systems of control to determine if acceptable policies and
procedures are followed, established standards met, resources are used efficiently and
economically, planned missions are accomplished effectively and the organisation's objectives
are being achieved.
DUTIES AND RESPONSIBILITIES:
• Supervise and coordinate internal audit programs of ABC Company accounting and
financial operations to include the review of accounting procedures, confirmation of
accounts, inspection of physical operations, and investigations of irregularities and
errors.
• Supervise examination and analysis of records to ensure the effectiveness of
accounting and managerial controls at reasonable cost, accuracy of transactions, and
compliance with applicable laws and established ABC Company policies and
procedures.
• Direct and coordinate analysis of operating departments and functions and make
recommendations to promote maximum managerial effectiveness and operational
efficiency when appropriate.
• Ascertain the extent to which ABC Company assets are accounted for and safeguarded
from losses.
• Counsel and guide auditors to ensure that approved audit objectives are met and
practical coverage is achieved.
• Identify those activities subject to audit coverage, evaluating their significance and
assessing the degree of risk inherent in the activity in terms of cost, schedule, and
quality.
• Monitor work performance for accuracy and completeness to ensure compliance with
established departmental objectives.
• Supervise audit participation and participate in systems and procedures development
and testing.
• Supervise review of procedures and records for their adequacy to accomplish intended
objectives, appraising policies, and plans relating to the activity or function.
• Train and instruct supportive staff.
• Review and ascertain the reliability of management data developed within the
organisation. Recommend and develop internal auditing policies, standards of
performance, procedures, and programs.
• Authorise the publication of reports on the results of audit examinations, including
recommendations for improvements.
• Serve in advisory capacity for ABC Company officials. Make recommendations for
improved fiscal management systems.
• Appraise the adequacy of corrective action taken by operating management and
prepare a variety of related reports and analysis.
• Serve as liaison with many departments and offices to assist with problems and
determine need for audits.
• Maintain contact with staff, outside businesses, and agencies regarding ABC Company
audit-related or business problems.
• Provide executive management with annual reports on the results of audit activities.
• Direct various personnel functions including, but not limited to hiring, merit
recommendations, promotions, transfers, vacation schedules, and dismissals.
• Determine fiscal requirements of internal auditing operations and prepare budgetary
operations. Monitor, verify, and reconcile expenditure of budgeted funds.
• Perform special reviews as requested by the Finance Director.
• Review ABC Company policy and structural changes that might alter audits and
coverage.
• Serve on various ABC Company committees.
• Represent ABC Company at professional organisations, associations, and committees.
• Perform other duties incidental to the work described herein.
JOB DESCRIPTION: ASSOCIATE DIRECTOR OF INTERNAL AUDIT
Reports To: Internal Audit Director
SUMMARY:
Provide administrative and supervisory support to the Director for the coordination and
administration of system-wide audits, the planning and development of department
operations, and the supervision of department staff.

DUTIES AND RESPONSIBILITIES:
• Supervise professional staff by evaluating performance, hiring, and terminating when
necessary.
• Review audits to ensure that they are conducted according to audit standards,
sufficient evidence is obtained, and that procedures are properly documented to
support audit findings.
• Plan and prepare formal written reports addressed to department managers or external
agencies.
• Attend entrance and exit conferences for audits in the absence of the Director.
• Appraise the adequacy of departmental replies to audit reports.
• Manage day-to-day office operations such as ensuring audits are on schedule, weekly
time reports are submitted, and assignment forms are issued.
• Assist the Director in developing and implementing new and revised department
policies and procedures necessary for providing internal auditing services to all
entities within ABC Company. Determine the direction and extent of audits.
• Serve as department head in the absence of the Director and assist the Director with
budget planning.
• Recommend to ABC Company Administration control issues that should be addressed
with ABC Company Institutional policies.
• Design technically complex audit programs for specialised computer software to
retrieve information from ABC Company computer systems.
• Maintain an effective liaison with ABC Company managers and external auditors to
coordinate audits of ABC Company records.
• Certify financial reports at the request of external agencies.
• Serve on various ABC Company committees in an advisory capacity.
• Assist the Director in developing an audit plan that provides for the effective audit
coverage of ABC Company systems based on an assessment of potential risk and
exposure to ABC Company.
• Survey functions and activities of units to evaluate nature of operations and existence
and adequacy of internal controls.
• Provide guidance, training, and assistance to auditors. Continue to develop expertise in
specialised areas to advise other auditors or ABC Company units.
• Maintain knowledge of current accounting and auditing practices through continuing
professional education.
• Perform other related duties incidental to the work described herein.
JOB DESCRIPTION: INFORMATION SYSTEMS AUDIT MANAGER
Reports To: Internal Audit Director
SUMMARY:
Use specialised knowledge of accounting, auditing, and electronic data processing (EDP) to
perform audits of adequacy of internal controls and the accuracy of institutional data in ABC
Company's data processing areas. Attest to the accuracy, effectiveness, and efficiency of ABC
Company's information (EDP-based) systems. Determine level of compliance with
institutional policies and procedures, laws and contractual obligations regarding privacy and
security in data processing areas. Provide support to internal auditors in the development of
computer-assisted audit techniques.
Requirements for this position are a minimum of an undergraduate degree in
accounting, business administration, finance or computer science, and certification or
licensing as a CPA and/or CIA; four years' experience as an EDP auditor; two years'
experience as a financial auditor; and knowledge of a computer environment similar to
the one at ABC Company.
DUTIES AND RESPONSIBILITIES:
• Participate in the development of new ABC Company system applications to:
1. Ensure that adequate controls are established and installed to meet
management objectives,
2. Verify that users and computer operations staff have been trained in the system
functions and controls
3. Determine whether level of security is appropriate
4. Verify that backup and recovery procedures are complete
• Perform audits of existing financial and security applications, the related network links
and the supporting computer data centres.
1. Based on a review and evaluation of current internal controls, assess potential
risk, and exposure to ABC Company, and prepare detailed audit program
describing tests to be performed.
2. Obtain sufficient competent and relevant evidential matter, analyse and
summarise data to support an objective informed opinion on the adequacy and
effectiveness of internal controls, the accuracy of institutional data, and the
level of compliance with ABC Company policies.
3. Draft written reports expressing opinions on the adequacy and effectiveness of
system controls, the accuracy of institutional data, and the level of compliance
with relevant policies and procedures. Recommend changes in policies and
procedures to enhance controls or correct deficiencies.
• Appraise the adequacy of replies to final audit reports and perform post-audit reviews
to determine the extent to which audit recommendations have been implemented.
• Assign work and supervise EDP audit staff (when applicable) so that the audit is
conducted in a professional manner and the audit objectives are accomplished. Review
working papers and conduct performance appraisals so that standards are complied
with and evaluations can be accurately completed.
• Serve on various ABC Company committees addressing such items as data access,
computer and network security, system design, etc.
• Provide guidance, training, and assistance to staff auditors in using computerised audit
techniques, maintaining library of standard audit programs, administering the
department's computer network, etc.
• Stay current with technical changes in auditing, data processing, accounting, ABC
Company policies, and government regulations so that audits are conducted
professionally and in accordance with department standards.
• Develop an EDP audit plan that provides for the effective audit coverage of ABC
Company's EDP application systems based on an assessment of potential risk and
exposure to ABC Company.
JOB DESCRIPTION: AUDIT MANAGER
Reports To: Internal Audit Director / Associate Director
SUMMARY:
Using specialised knowledge of accounting, auditing, and electronic data processing, plan and
conduct complex and technical financial and managerial audits of ABC Company operations.
Analyse evidential data as a basis for an informed, objective opinion. Prepare comprehensive
reports addressed to campus and ABC Company administration and external agencies.
DUTIES AND RESPONSIBILITIES:
• Plan and perform complex, technical financial and managerial audits of ABC
Company operations in accordance with accepted professional standards. Determine
whether areas reviewed are performing their planning, accounting, custodial, and
control activities in compliance with managerial guidelines, applicable statements of
policy and procedures, and in a manner consistent with both ABC Company objectives
and high standards of administrative practice. Obtain and analyse data to provide an
objective, informed opinion on the accuracy and fairness of financial statements. This
includes performing advanced and complex analytical procedures and recommending
material adjustments (i.e. to ABC Company financial statements).
• Develop an audit plan that provides for the effective audit coverage of ABC Company
operations, based on an assessment of potential risk and exposure. Survey functions
and activities of units to evaluate nature of operations and existence and adequacy of
internal controls.
• Perform audits of ABC Company operations to ensure effectiveness of accounting and
managerial controls and accuracy of recorded data, promote efficiency, safeguard
ABC Company assets, and monitor compliance with applicable laws and ABC
Company policies and procedures.
• Supervise and direct staff assigned to assist on audits. Monitor performance of staff
and evaluate performance of supervised staff.
• Exercise professional judgment to determine materiality of findings and adequacy and
effectiveness of the operation.
• Conduct special reviews requested by administration. Arrive at independent decisions
concerning recommendations for administration.
• Maintain an effective liaison with managers and external auditors to coordinate audits
of ABC Company records.
• Determine the direction and extent of assigned audits. Prepare the program and
establish procedures, which may include statistical sampling and electronic data
processing. Prepare and evaluate working papers supporting opinions presented in the
report to administration and external agencies.
• Appraise the adequacy of replies to audit reports and perform post-audit reviews to
determine the extent to which audit recommendations have been implemented.
• Establish audit procedures involving statistical sampling and electronic data
processing. Use specialised knowledge to retrieve information from ABC Company
mainframe computers.
• Discuss deficiencies and recommend corrective actions to improve operations and
reduce costs. Plan and prepare formal written reports addressed to managers or
external agencies.
• Continue to develop expertise in specialised areas to advise other auditors or ABC
Company units.
• Review and evaluate the adequacy of the overall accounting and non-accounting
controls of computerised information systems residing on departmental computers.
This requires a general understanding of departmental activities in relation to
computerised information systems under review.
• Perform general administrative tasks including those assigned by the Director.
• Maintain knowledge of current accounting and auditing practices through continuing
professional education.
JOB DESCRIPTION: INFORMATION SYSTEMS AUDITOR
Reports To: Information Systems Audit Manager
SUMMARY:
Using specialised knowledge of auditing and information technology, participate in audits of
ABC Company's information systems, systems development processes, LANs, and related
resources/processes to determine the adequacy of general and application controls and to
assess compliance with applicable policies, procedures, statutes, and contract requirements.
This entails analysing evidential data as a basis for an informed, objective opinion and
preparing comprehensive reports addressed to ABC Company administration.
DUTIES AND RESPONSIBILITIES:
With guidance from the Information Systems Audit Manager, plan and conduct audits in
accordance with applicable professional and office standards.
• Exercise professional judgment to determine adequacy of controls, materiality of
findings, and sufficiency of evidence to support opinions and findings presented in
audit reports. Prepare working papers containing sufficient, competent, and relevant
evidence to support findings and opinions in audit reports. Draft audit reports
containing the results of the audit, including findings, recommendations, and opinions.
• Assist financial and operational auditors in applying information systems audit
principles and concepts, identifying the relevant automated controls to include in the
audit scope, designing audit programs/procedures to assess their adequacy, and
documenting the impact of strengths or weaknesses to current audit
procedures/objectives. Appraise the adequacy of replies to
final audit reports, and perform post-audit reviews to determine the extent to which
audit recommendations have been implemented.
• Discuss deficiencies with management and recommend actions to improve controls,
enhance information integrity, streamline processes, and reduce costs. Where
appropriate, recommend changes in policies and procedures to enhance controls or
correct deficiencies.
• Write/develop computer assisted audit techniques (CAATs) to extract and manipulate
data from complex computer systems and to facilitate audit compliance and
substantive testing procedures.

• Assist in administering and supporting the Internal Audit Local Area Network (LAN).
• Maintain knowledge of current auditing, data processing, and accounting practices and
ABC Company policies and government regulations. Provide in-house information
systems audit and technical training for internal audit staff.
• Perform other duties as assigned.
QUALIFICATIONS:
• Required: Degree in business, accounting, or information systems discipline or
equivalent combination of education and experience. One year of related work
experience in information systems auditing or related field (e.g., information systems
analysis, or development). Excellent planning, organisation, research, analysis,
writing, and interpersonal skills.
• Ability to communicate effectively with individuals and groups at all organisational
levels.
• Able to work in a team-oriented environment.
• Preferred: Certification (e.g., ACCA, CPA, CIA).
• Proficient in providing mainframe and PC support to internal audit staff using
computerised audit tools to retrieve and analyse data stored on mainframe and
departmental systems.
• Familiar with diverse computing environments and architecture, including mainframe,
client-server, network, and personal computers.
• Familiar with operations, policies, and procedures in ABC Company environment.
JOB DESCRIPTION: AUDITOR
Reports To: Director of Internal Audit Department
SUMMARY:
Provide assistance to the audit manager in performing financial and managerial audits of
general ABC Company operations. The duties include analysing evidential data as a basis for
an informed, objective opinion and preparing comprehensive reports addressed to ABC
Company administration and/or external agencies.
DUTIES AND RESPONSIBILITIES:
• Participate in performing financial and managerial audits of general ABC Company
operations in accordance with accepted professional standards.
• Aid the audit manager in determining whether areas reviewed are performing their
planning, accounting, custodial, and control activities in compliance with managerial
guidelines and applicable statements of policy and procedures, and in a manner
consistent with both ABC Company objectives and high standards of administrative
practice.
• Obtain and analyse data to provide an objective, informed opinion on the accuracy and
fairness of financial statements. This includes performing analytical procedures and
recommending adjustments to ABC Company financial statements.
• With guidance from the audit manager, determine the direction and extent of assigned
audits. Prepare the program and establish procedures which may include statistical
sampling and electronic data processing. Prepare working papers supporting opinions
presented in the report to administration and external agencies.
• Participate in audits of ABC Company systems to ensure effectiveness of accounting
and managerial controls and accuracy of recorded data, promote efficiency, safeguard
ABC Company assets, and monitor compliance with applicable laws and ABC
Company policies and procedures.
• Exercise professional judgement to determine materiality of findings and adequacy
and effectiveness of the operation.
• Assist in the review and evaluation of the overall accounting and non-accounting
controls of computerised information systems residing on departmental computers.
This requires a conceptual understanding of the departmental activities in relation to
computerised information systems under review.
• Discuss deficiencies and recommend corrective actions to improve operations and
reduce costs. Plan and prepare formal written reports addressed to department
managers or external agencies.
• Perform post-audit reviews to determine the extent to which audit recommendations
have been implemented.
• Assist in the performance of special reviews requested by administration.
• Maintain knowledge of current accounting and auditing practices through continuing
professional education.
• Perform other related duties incidental to the work described herein.
PERFORMANCE EVALUATION
Performance evaluation will serve two major functions in our department. First, it will be
used for employee development. The feedback that employees receive from the appraisal
process should provide them with information they can use to improve job performance.
Second, performance appraisal provides bottom-line evaluations of employees that can be
used for administrative decisions such as promotion, salary evaluation, recommendation for
training, or remedial action.
Performance Evaluation Policy
All Internal Audit full-time appointed employees will have an evaluation of their work
performance at least every semester and once a fiscal year. The results of these evaluations
will be the primary means for administrative decisions.
Performance Evaluation Process
The evaluation process will be a twofold approach (interim evaluation and annual evaluation).
These evaluations will be performed in September and March respectively.
Specific factors that will be considered in the annual Performance Evaluation shall include:
• Audits
1. Total Chargeable Hours at department standard
2. Audit Completed Timely
3. Audit Within Budget hours
4. Working papers Technically Correct (Dept Standards)
5. Audits Performed according to standards
6. Hours at Audited Entity Location
• Professional Knowledge
1. Competent in required job skills and knowledge
2. Exhibits ability to learn and apply new skills
3. Exhibits sound and accurate judgment
4. Requires minimal supervision
5. Displays understanding of how job relates to others
• Professional Development
1. Keeps current on ABC Company Policies and Processes
2. Keeps current on ABC Company systems
3. Participates in available Continuing Education
4. Certified as CIA, CPA, ACCA
5. Keeps current with Accounting and Auditing trends
• Teamwork
1. Balances team and individual responsibilities
2. Exhibits objectivity and openness to others' views
3. Gives and welcomes feedback
4. Contributes to building a positive team spirit
5. Puts success of team above own interests
• Written Communication
1. Writes clearly, precisely and informatively
2. Edits work for spelling, grammar, and format
3. Varies writing style to meet needs
4. Follows standards for presenting elements of findings
5. Scope, Objective and Opinion consistent w/ work done
6. Selects and uses appropriate communication methods
• Oral Communication
1. Speaks clearly and persuasively
2. Listens and gets clarification
3. Responds well to questions
4. Demonstrates group presentation skills
5. Participates in meetings
6. Keeps others adequately informed
• Innovation
1. Displays original thinking and creativity
2. Meets challenges with resourcefulness
3. Generates suggestions for improving work
4. Develops innovative approaches and ideas
General comments could be made in the following areas:
• Adaptability
1. Adapts to changes in the work environment
2. Manages competing demands
3. Accepts criticism and feedback
4. Changes approach or method to best fit the situation
• Analytical Skills
1. Synthesises complex or diverse information
2. Collects and researches data
3. Uses intuition and experience to complement data
4. Identifies data relationships and dependencies
5. Designs work flows and procedures
• Attendance & Punctuality
1. Schedules time off in advance
2. Begins working on time
3. Keeps absences within guidelines
4. Ensures work responsibilities are covered when absent
5. Arrives at meetings and appointments on time
• Cooperation
1. Establishes and maintains effective relations
2. Exhibits tact and consideration
3. Displays positive outlook and pleasant manner
4. Offers assistance and support to co-workers
5. Works cooperatively in group situations
6. Works actively to resolve conflicts
• Cost Consciousness
1. Works within approved budget
2. Conserves organisational resources
3. Develops and implements cost saving measures
4. Contributes to profits and revenue
• Customer Service
1. Displays courtesy and sensitivity
2. Manages difficult or emotional customer situations
3. Meets commitments
4. Responds promptly to customer needs
5. Solicits customer feedback to improve service
• Dependability
1. Responds to requests for service and assistance
2. Follows instructions
3. Responds to management direction
4. Takes responsibility for own actions
5. Commits to doing the best job possible
6. Keeps commitments
7. Meets attendance and punctuality guidelines
• Initiative
1. Volunteers readily
2. Undertakes self-development activities
3. Seeks increased responsibilities
4. Takes independent actions and calculated risks
5. Looks for and takes advantage of opportunities
6. Asks for help when needed
• Judgment
1. Displays willingness to make decisions
2. Includes appropriate people in decision making process
3. Makes timely decisions
• Leadership
1. Exhibits confidence in self and others
2. Inspires respect and trust
3. Reacts well under pressure
4. Shows courage to take action
5. Motivates others to perform well
• Managing People
1. Provides direction and gains compliance
2. Includes subordinates in planning
3. Takes responsibility for subordinates' activities
4. Makes self available to subordinates
5. Provides regular performance feedback
6. Develops subordinates' skills and encourages growth
• Organisation Support
1. Follows policies and procedures
2. Completes administrative tasks correctly and on time
3. Supports organisation's goals and values
4. Benefits organisation through outside activities
5. Supports affirmative action and respects diversity
• Personal Appearance
1. Dresses appropriately for position
2. Keeps self well-groomed
• Planning & Organisation
1. Prioritises and plans work activities
2. Uses time efficiently
3. Plans for additional resources
4. Integrates changes smoothly
5. Sets goals and objectives
6. Works in an organised manner
• Problem Solving
1. Identifies problems in a timely manner
2. Gathers and analyses information skilfully
3. Develops alternative solutions
4. Resolves problems in early stages
5. Works well in group problem solving situations
• Project Management
1. Develops project plans
2. Coordinates projects
3. Communicates changes and progress
4. Completes projects on time and budget
5. Manages project team activities
• Quality
1. Demonstrates accuracy and thoroughness
2. Displays commitment to excellence
3. Looks for ways to improve and promote quality
4. Applies feedback to improve performance
5. Monitors own work to ensure quality
• Quantity
1. Meets productivity standards
2. Completes work in timely manner
3. Strives to increase productivity
4. Works quickly
5. Achieves established goals
• Safety & Security
1. Observes safety and security procedures
2. Determines appropriate action beyond guidelines
3. Uses equipment and materials properly
4. Reports potentially unsafe conditions
• Sales Skills
1. Achieves sales goals
2. Overcomes objections with persuasion and persistence
3. Initiates new contacts
4. Maintains customer satisfaction
5. Maintains records and promptly submits information
TRAINING AND PERSONAL DEVELOPMENT
Certification Programs
One aspect of professional development is obtaining professional certification as a Certified
Public Accountant, Certified Internal Auditor, Certified Information Systems Auditor, or
Certified Fraud Examiner. To increase the professionalism and credibility of the audit staff,
the department supports employees' efforts in achieving certification through obtaining study
aids and providing reimbursement for sitting for exams. Support is also given by making
study time available during working hours and allowing time off to sit for exams. Professional
certification is a factor used in the department's annual employee performance appraisal.
Professional development through certification, membership, and participation in professional
organisations is encouraged. Internal Audit Department funds may be available and budgeted
to support this activity.
Continuing Education
Internal Audit has a responsibility to provide for the most effective use of available continuing
education funds in supporting staff member requests for professional training.
Process:
• Auditors should review seminar material.
• Staff members who desire to attend a particular seminar should (if total expenditures
will exceed €100) complete the above mentioned form. (Requests to attend seminars
that will cost less than €100 can be communicated informally to the Director.)
• The Director will make the decision for the expenditure based on availability of funds
and the staff members’ current professional development responsibilities and
requirements in maintaining their technical competence and proficiency.
ADMINISTRATIVE PROCEDURES
MANAGEMENT OF AUDIT RESOURCES
The principal resource that Internal Audit has to accomplish its mission is the amount of
available staff hours. Therefore, it is paramount that we have a process that will provide the
information necessary to effectively manage this resource.
Audit Resource Reporting Policies
All professional training requires prior approval of the Internal Audit Director.
The departmental standard for staff hours expected to be charged to projects each year is 1,500
hours.
Auditors shall perform fieldwork at the audited entity location whenever possible.
All staff members will submit a weekly progress report, using the electronic Audit Reporting
and Management System (ARMS) detailing the hours spent on assigned projects. The
MISCELLANEOUS UNBUDGETED TASK will be used to list duties that you performed
that were not budgeted and for days that you were not in the office because of paid time off or
sick time. Progress reports must be completed by Friday 6:00 p.m.
Projects will be reported in half-hour increments using the project control numbers assigned
by the director. The comments field will be used to provide a brief description of the work
performed or, if no work was performed, an explanation of why. The comments field should
also include a statement of how many hours were spent performing fieldwork at the audited
entity location.
Any audit work or other activity that is material (e.g. expected to accumulate more than 8
hours or for which a written report/memo will be issued) will be assigned a project control
number.
STANDARD ELECTRONIC TOOLS
ANAEL Queries
To establish a library of standard 'off the shelf' ANAEL queries, queries will be written
so that they can be easily executed by changing well-defined parameters, or simply modified
to OUTPUT data in a different format.
• The library will be controlled by the department ANAEL LIBRARIAN who will be
responsible for updating the library and informing staff of the current library's
contents.
• Queries will be written by staff members who have developed an appropriate
understanding of the structure and the data in the accessed files.
• Queries will be written according to standards established by the department.
• Queries will be thoroughly reviewed and tested before being placed in the library by
the librarian.
• Whenever practical these queries will be used to extract data from ANAEL defined
files for use in audit testing.
Electronic Working Papers
To assure standardisation of working papers and reports, standardised reports, programs and
working papers have been developed as Word templates. In addition, there is an Audit Macros
toolbar that will enable you to input your information in a form that will automatically add the
information to the new Word document.
MISCELLANEOUS POLICIES
Purging Working Papers
Working papers shall be retained for five years after the date of the report. The working
papers shall be purged once a year after the Director's approval. The exception to this policy is
when we are required to retain working papers longer by law or by agreement.
Paid Time Off
Whenever possible, paid time off (PTO) should be requested and scheduled in advance. If you
are SICK you should call or e-mail the Director or the secretary as soon as you can.
Computer Software
Only computer software that the department or ABC Company owns the rights to should be
installed on department computers. If you wish to install other software on a department
computer, you must receive prior approval from the Director and provide evidence that you
own the rights to the software.
Housekeeping

Good housekeeping bears a direct relationship to orderly and efficient work habits. When out
of the office, material in work areas should be straightened. Care is to be exercised to avoid
exposure of confidential or potentially sensitive documents.

APPENDIX A – Audit Announcement Letter
{Date}

{Name of Audited Entity}


Attn:
{Address}
{Address}

RE: Audit of {Name of Audited Entity}


We are in the process of planning the audit for {Name of Audited Entity}. The audit is
presently scheduled to begin {Begin Date of Audit}, and we anticipate being on site between
two to three weeks. We understand that some scheduling adjustments may become necessary
to accommodate your staff’s schedules. Please review the audit schedule with your
management team to ensure the timing is coordinated with them. We will work with {name
of person} as our main contact.
Our audit will be conducted in accordance with generally accepted auditing standards and,
accordingly, will include such tests of the accounting records and other auditing procedures as
we consider necessary to accomplish our audit objectives. We will follow-up on previously
raised audit issues, review internal controls, the human resource function, operating
efficiencies, computer systems, year 2008 status, and other audit procedures considered
necessary based on the circumstances encountered.
We appreciate your support and the cooperation of your staff as we work together on this
engagement. If you would like to discuss the audit, areas that need special audit attention or
this schedule, please call me at 555-323-4123.

INTERNAL AUDIT DEPARTMENT

Audit Manager

APPENDIX B – Audit Feedback Questionnaire Form
The purpose of this questionnaire is to solicit your opinions concerning the quality of service
we provided during our recent engagement. This information will help to foster future
improvements in the Internal Audit function.

We request that you, or the staff member most familiar with our recent work, complete and
submit the questionnaire. Please feel free to expand on any areas that you wish to clarify in
the comments area. We sincerely appreciate your assistance.

Questions Please Select


1. During the initial conference, the audit team explained
the objectives, timing, and audit process and solicited
your questions and concerns.
2. The audit team exhibited an understanding of your unit's
mission/operations/procedures.
3. The audit team was cooperative in attempting to
minimise interruptions to your operations and schedule.
4. The audit team demonstrated technical proficiency in
audit areas and knowledge of company policies.
5. The audit team demonstrated courtesy, professionalism,
and a constructive and positive approach.
6. You or your key staff members were adequately
informed of the audit status, major issues, and final
results on a timely basis.
7. You had the opportunity to provide explanations or
responses to audit findings as they developed during the
audit process.
8. During the exit conference, all findings were adequately
discussed and all issues of fact were resolved.
9. The final report was accurate and clearly communicated
the audit results.
10. The audit recommendations were constructive, relevant,
and actionable.
On a scale of 0 (no value) to 10 (high value), how much
value do you feel this audit added to your unit?
Please use the comment box below to let us know what specific changes we can make to
improve our audit process.

Comments:

APPENDIX C – Internal Audit Glossary
A
Adding Value: By virtue of our position within the Company, Internal Audit is able to gather
data to understand and assess risk and develop significant insight into operations and
opportunities for improvement that can be beneficial to the Company. This valuable
information can be in the form of consultation, advice, written communications, or through
other products.
Adequate Control: Present if management has planned and organised (designed) their
operations in a manner that provides reasonable assurance that the Company's risks have been
managed effectively and that its goals and objectives will be achieved efficiently and
economically.
Analytical Review: The examination of ratios, trends and changes in balances and other
values between periods to obtain a broad understanding of the Company financial or
operational position and identify areas that may require further or closer investigation.
Assurance Services: An objective examination of evidence for the purpose of providing an
assessment on risk management, control, or governance processes for the Company.
Examples may include financial, performance, compliance.
Audit Committee: Committee of the Company that has no operational responsibilities for
any of the activities undertaken by the Company. Their primary function is to help ABC
Company fulfil its stewardship role by reviewing the systems of risk management,
governance and internal control. The Company's Audit Committee meets three times a year.
Audit Scope: Refers to the activities covered by an internal audit. Audit scope often includes:
• Audit objectives
• Nature and extent of auditing procedures performed
• Time period audited
• Related non-audit activities that delineate the boundaries of the audit
When planning audit assignments at the Company, we always agree the scope of our reviews
with the unit managers before starting the audit.

Audit Test Matrices: Audit Test Matrices include:


• Risks
• The Expected Controls
• The Compliance Test

Audit Working Papers: Record the information obtained, the analyses made, and the
conclusions reached during an audit. Audit working papers support the bases for the findings
and recommendations to be reported. Audit working papers are a key part of the evidence
used by us in arriving at our conclusions and recommendations.
Auditable Activities: Consist of those subjects, units, or systems, which are capable of being
defined and evaluated. Auditable activities may include:

• Policies, procedures and practices
• Cost centres
• General ledger account balances
• Information systems (manual and computerised)
• Major contracts and programmes/projects
• Functions such as information technology, finance, accounting, personnel, etc.
• Transaction systems for activities such as income, expenditure, treasury management,
payroll and capital assets
• Financial statements
• Laws and regulations

In recent years we have adopted a risk-based approach that uses the Company's
Risk Register as a means of identifying our audit universe.
Audit Universe: An inventory of audit areas that is compiled and maintained to identify areas
for audit during the audit planning process. Traditionally, the list included all financial and
key operational systems audited as part of the overall cycle of planned work. The audit
universe serves as the source from which the five-year audit plan and the annual audit
schedule are prepared. Developments in the approach to auditing and audit planning have
meant that the audit universe is determined by risk (i.e. a risk universe) and that the risk-based
approach to auditing results in planning that is driven by the Company's risk register. The
universe will be periodically revised to reflect changes in the overall risk profile. An inventory
of audit areas, or audit universe, will be compiled and maintained.
Authorisation: Implies that the authorising authority has verified and validated that the
activity or transaction conforms to established policies and procedures.
Authorising: Includes initiating or granting permission to perform activities or transactions.
C
Charter: The charter of the internal audit activity is a formal written document that defines
the activity's purpose, authority, and responsibility.
Compliance: The ability to reasonably ensure conformity and adherence to the Company's
policies, plans, procedures, laws, regulations, contracts, ordinances and statutes.
Conclusions: Our evaluation of the effects of the findings on the activities reviewed.
Conclusions usually put the findings in perspective based upon their overall implications,
particularly in a risk-based audit approach which will provide an audit viewpoint in relation
to the aims and objectives of the Company.
Conflict of Interest: Any relationship that is or appears to be not in the best interest of the
Company. A conflict of interest would prejudice an individual's ability to perform his or her
duties and responsibilities objectively.
Consequence: The outcome of an event expressed qualitatively or quantitatively, being a
loss, injury, disadvantage or gain.

Control: Any action taken by management, the board, and other parties to enhance risk
management and increase the likelihood that established objectives and goals will be
achieved. Management plans, organises, and directs the performance of sufficient actions to
provide reasonable assurance that objectives and goals will be achieved. (See internal control
also).
Control Environment: The attitude and actions of the members and management regarding
the significance of control within the organisation. The control environment provides the
discipline and structure for the achievement of the primary objectives of the system of internal
control. The control environment includes the following elements:

• Integrity and ethical values
• Management's philosophy and operating style
• Organisational structure
• Assignment of authority and responsibility
• Human resource policies and practices
• Competence of personnel

Control Framework: A recognised system of control categories that covers all internal
controls expected in an organisation.
Control Processes: The policies, procedures, and activities that are part of a control
framework, designed to ensure that risks are contained within the risk tolerances established
by the risk management process.
Control Risk: The tendency of the internal control system to lose effectiveness over time and
to expose, or fail to prevent/detect, weaknesses in the systems of control.
Control Self-Assessment: A class of techniques used in an audit or in place of an audit to
assess risk and control strengths and weaknesses against a Control Framework. The "self"
assessment refers to the involvement of management and staff in the assessment process,
often facilitated by internal auditors. There are many self-assessment techniques in use. At the
Company, we operate an annual self-audit system that is a form of self-assessment.
D
Detection Risk: The probability that an incorrect audit conclusion will be drawn from the
results of the examination or that the audit work will fail to detect any serious errors.
Detective Controls: Actions taken to detect and correct undesirable events which have
occurred.
Directive Controls: Actions taken to cause or encourage a desirable event to occur.
Due Professional Care: Calls for the application of the care and skill expected of a
reasonably prudent and competent internal auditor in the same or similar circumstances. Due
professional care is exercised when internal audits are performed in accordance with
Generally Accepted Auditing Standards. The exercise of due professional care requires that:

• Internal auditors be independent of the activities they audit
• Internal audits be performed by those persons who collectively possess the necessary
knowledge, skills and disciplines to conduct the audit properly
• Audit work be planned and supervised
• Audit reports be objective, clear, concise, constructive and timely
• Internal auditors follow up on reported audit findings to ascertain that appropriate
action was taken.
At ABC Company, we have agreed procedures in place to ensure that we work to recognised
professional audit standards.
E
Effect: Effect is the risk or exposure the audited entity and/or others encounter because the
condition is not the same as the criteria (the impact of the difference).
Effective Control: Present when management directs systems in such a manner as to provide
reasonable assurance that the organisation's objectives and goals will be achieved.
Error: As it relates to internal audit reports, it is an unintentional misstatement or omission of
significant information in a final audit report.
External Auditors: Refers to those audit professionals who perform independent annual
audits of an organisation's financial statements.
F
Findings: Pertinent statements of fact. Audit findings emerge by a process of comparing what
should be with what is.
Follow-up: This is a process that we use to determine the adequacy, effectiveness and
timeliness of actions taken by management on previous audit findings and recommendations.
Fraud: Any illegal acts characterised by deceit, concealment or violation of trust. These acts
are not dependent upon the application of threat of violence or of physical force. Frauds are
perpetrated by individuals and organisations to obtain money, property or services; to avoid
payment or loss of services; or to secure personal or business advantage.
G
Goals: Goals are specific objectives of specific systems and may be otherwise referred to as
operations or programmes, objectives or goals, operating standards, performance levels,
targets or expected results.
Governance Process: The procedures used by the representatives of the Company's
stakeholders to provide oversight of risk and control processes administered by management.
Governance is the Company's strategic response to risk, which brings together related
components such as strategic planning, risk management, assurance that goals and objectives
will be achieved, and internal auditing.
I
Inherent Risk: Risks that an account or class of transactions contains material misstatements
irrespective of the effects of the controls.
Internal Audit: The Company's in-house team that provides independent, objective assurance
and consulting services designed to add value and improve the Company's operations.
Internal Control: A process within an organisation designed to provide reasonable assurance
regarding the achievement of the following primary objectives:

• The reliability and integrity of information
• Compliance with policies, plans, procedures, laws, regulation and contracts
• The safeguarding of assets
• The economical and efficient use of resources
• The accomplishment of established objectives and goals for operations or
programmes.
Irregularities: Refers to the intentional misstatement or omission of significant information
in accounting records, financial statements, other reports, documents or records. Irregularities
include:
• Fraudulent financial reporting which renders financial statements misleading, and
• Misappropriation of assets.
Irregularities involve:
• Falsification or alteration of accounting or other records and supporting documents
• Internal misapplication of accounting principles
• Misrepresentation or intentional omission of events, transactions or other significant
information.
L
Likelihood: A qualitative description of a probability or frequency.
M
Management: Used to indicate, firstly, the level of management to whom the Director of
Internal Audit is responsible and secondly anyone who has responsibilities for setting and/or
achieving objectives.
Monitoring: Encompasses supervising, observing and testing activities and appropriately
reporting to responsible individuals. Monitoring provides an ongoing verification of progress
toward the achievement of objectives and goals.
N
Net Risk: See also Residual Risk.
O
Objectivity: An unbiased mental attitude that requires internal auditors to perform
engagements in such a manner that they have an honest belief in their work product and that
no significant quality compromises are made. Objectivity requires internal auditors not to
subordinate their judgment on audit matters to that of others.
Operations: Refers to the recurring activities of an organisation directed toward producing a
product or rendering a service. Such activities may include, but are not limited to, marketing,
procurement, personnel, finance and accounting.
Opportunity: An uncertain event with a positive probable consequence. Related to risk, the
possibility that one or more individual organisations will experience beneficial consequences
from an event or circumstance.
P
Planning Risk: The risk that the planning process is flawed. In risk assessment, it is the risk
that the assessment process is inappropriate or improperly implemented.
Preventative Controls: Actions taken to deter undesirable events from occurring.
Probability: A measure (expressed as a percentage or a ratio) of estimation sometimes used
as a basis of measuring the likelihood and impact of risks when undertaking risk assessments.
Q
Quality Assurance: A programme by which the Head of Internal Audit evaluates operations
of the internal auditing service.
R
Recommendations: Actions we believe are necessary to correct existing conditions or
improve operations.
Residual Risk: Also known as 'net risk'. This is the level of risk remaining after the relevant
controls have been applied by management to the gross (or 'absolute') risk. Residual risk
represents the actual level of exposure that the Company faces.
Risk Analysis: The assessment of risk, the management of risk, and the process of
communicating about risks. A systematic use of available information to determine how often
specified events may occur and the magnitude of the consequences.
Risk Assessment: The identification of risk, the measurement of risk, and the process of
communicating about risks. A systematic process for assessing and integrating professional
judgments about probable adverse conditions and/or events. The risk assessment process
measures risk by the use of two factors: impact and likelihood.
Risk-Based Auditing: An approach that focuses upon how an organisation responds to the
risks it faces in achieving its goals and objectives; it aims to provide assurance on the
management of the identified risks within the context of the Company's corporate plans and
aims.
Risk Classification: Part of the risk assessment process that categorises risks, typically into
high, medium, low, and intermediate values.
Risk Evaluation: See risk measurement.
Risk Factors: Measurable or observable characteristics of a process that either indicate the
presence of risk or tend to increase risk exposure.
Risk Identification: The method of identifying and classifying risks. See risk classification.
Risk Management: Proactive steps that management can take to assess and manage business
risks. The culture, processes and structures that are directed toward the effective management
of potential opportunities and adverse effects.
Risk Management Process: The systematic application of management policies, procedures
and practices to the tasks of establishing the context, identifying, analysing, assessing
(evaluating), managing (treating), monitoring and communicating risk.
Risk Management Strategy: A structure for linking the company's business strategy and
organisation to its risk management objectives.
Risk Management Systems: Principles relating to the design, development, and management
(primarily information technology) of systems for providing reliable, accurate and timely
information related to risk management.
Risk Measurement: The evaluation of the magnitude of risk which usually involves
developing a set of risk factors that are observed and measured to detect the presence of risk.
Risk Prioritisation: Ability to measure risks into a logical order by establishing how
significant they are in comparison to the achievement of business goals and objectives. The
relation of acceptable levels of risks among alternatives.
Risk Register: A central register of the Company's key risks that identifies the classification
of risks by area, impact and likelihood.
Risk: The chance of something happening that will have an impact on the Company's or one
of its unit's objectives. It is measured in terms of impact and likelihood. Importantly, risk can
be both positive and negative, although most positive risks are sometimes known as
opportunities and negative risks are called simply risks.
S
Significant Audit Findings: Those conditions which in the judgment of the Director of
Internal Audit could adversely affect the Company. Significant audit findings may include
conditions dealing with irregularities, illegal acts, errors, inefficiency, waste, ineffectiveness,
conflicts of interest, and control weaknesses.
System: System (process operation, function or activity) is an arrangement, a set, or a
collection of concepts, parts, activities and/or people that are connected or interrelated to
achieve objectives and goals. (This definition applies to both manual and automated systems).
A system may also be a collection of subsystems operating together for a common objective
or goal.
T
Threat: A combination of risk, the consequences of that risk, and the likelihood that the
negative event will take place. Often used in analysis in place of risk. The possibility that one
or more individuals or organisations will experience adverse consequences from an event or
circumstance.
U
Uncertainty: A condition where the outcome can only be estimated due to incomplete or
imperfect knowledge of the area / subject in question. In practice, uncertainty impacts upon
the quality of risk assessments by managers.
Understanding: Means the ability to apply broad knowledge to situations likely to be
encountered, to recognise significant deviations and to be able to carry out the research
necessary to arrive at reasonable solutions.