You are on page 1of 68

ABC Company Internal Audit Manual

Internal Audit Manual

Page 1

TABLE OF CONTENTS
TABLE OF CONTENTS...................................................................................... .....2 CHARTER......................................................................................... ....................5 INTRODUCTION................................................................................................5 ORGANISATION AND BOARD REPORTING.........................................................5 AUTHORISATION AND RESPONSIBILITIES.........................................................5 REPORTING RESPONSIBILITIES.........................................................................6 MISSION OBJECTIVE....................................................................................... ...6 STANDARDS AND ETHICS.................................................................................6 MISSION STATEMENT/OBJECTIVES/VALUES..........................................................7 MISSION STATEMENT........................................................................................7 VALUES...................................................................................................... .......7 GENERALLY ACCEPTED AUDITING STANDARDS...................................................8 100 INDEPENDENCE............................................................................. ............8 110 ORGANISATIONAL STATUS.........................................................................8 120 OBJECTIVITY..............................................................................................9 200 PROFESSIONAL PROFICIENCY..................................................................10 210 STAFFING................................................................................................ .10 220 KNOWLEDGE, SKILLS, AND DISCIPLINES.................................................10 230 SUPERVISION..................................................................................... ......10 240 COMPLIANCE WITH STANDARDS OF CONDUCT.......................................11 250 KNOWLEDGE, SKILLS, AND DISCIPLINES.................................................11 260 HUMAN RELATIONS AND COMMUNICATIONS...........................................12 270 CONTINUING EDUCATION........................................................................12 280 DUE PROFESSIONAL CARE......................................................................12 300 SCOPE OF WORK.....................................................................................13 310 RELIABILITY AND INTEGRITY OF INFORMATION.......................................13 320 COMPLIANCE WITH POLICIES, PLANS, PROCEDURES, LAWS, AND REGULATIONS................................................................................................14 330 SAFEGUARDING OF ASSETS....................................................................14 340 ECONOMICAL AND EFFICIENT USE OF RESOURCES.................................14 350 ACCOMPLISHMENT OF ESTABLISHED OBJECTIVES AND GOALS FOR OPERATIONS OR PROGRAMS..........................................................................15 400 PERFORMANCE OF AUDIT WORK.............................................................15 410 PLANNING THE AUDIT.............................................................................15 420 EXAMINING AND EVALUATING INFORMATION..........................................16 Internal Audit Manual Page 2

430 COMMUNICATING RESULTS......................................................................16 440 FOLLOWING UP....................................................................................... .17 500 MANAGEMENT OF THE INTERNAL AUDITING DEPARTMENT.....................17 510 PURPOSE, AUTHORITY, AND RESPONSIBILITY.........................................17 520 PLANNING...............................................................................................17 530 POLICIES AND PROCEDURES...................................................................18 540 PERSONNEL MANAGEMENT AND DEVELOPMENT.....................................18 550 EXTERNAL AUDITORS..............................................................................19 560 QUALITY ASSURANCE..............................................................................19 CODE OF ETHICS...............................................................................................20 STANDARDS OF CONDUCT.............................................................................20 INDEPENDENCE/OBJECTIVITY/CONFIDENTIALITY/CONDUCT..............................20 INDEPENDENCE/OBJECTIVITY.........................................................................20 CONFIDENTIALITY..................................................................................... ......21 CONDUCT............................................................................................ ...........21 AUDIT PROCESS................................................................................................22 PLANNING......................................................................................................22 PLANNING THE DETAILED AUDIT....................................................................32 AUDIT PROGRAM............................................................................................33 FIELDWORK.................................................................................... ................35 STATING FINDINGS/CONCLUSIONS.................................................................40 QUALITY ASSURANCE.....................................................................................42 GENERAL STANDARDS FOR WORKING PAPERS...............................................43 GENERAL STANDARDS - REPORT(S)................................................................45 REPORTING AND FOLLOW-UP.........................................................................46 CONFIDENTIALITY - REPORTS.........................................................................47 EXIT CONFERENCE.........................................................................................47 CLOSING OF THE AUDIT.................................................................................48 PERSONNEL........................................................................................... ............49 JOB DESCRIPTION: DIRECTOR OF AUDIT.........................................................49 JOB DESCRIPTION: ASSOCIATE DIRECTOR OF INTERNAL AUDIT.....................50 JOB DESCRIPTION: INFORMATION SYSTEMS AUDIT MANAGER........................51 JOB DESCRIPTION: AUDIT MANAGER..............................................................53 JOB DESCRIPTION: INFORMATION SYSTEMS AUDITOR....................................54 JOB DESCRIPTION: AUDITOR..........................................................................55 PERFORMANCE EVALUATION..........................................................................56 TRAINING AND PERSONAL DEVELOPMENT.....................................................61 ADMINISTRATIVE PROCEDURES.........................................................................62 MANAGEMENT OF AUDIT RESOURCES............................................................62 Internal Audit Manual Page 3

............................STANDARD ELECTRONIC TOOLS.......................................................................65 APPENDIX B – Audit Feedback Questionnaire Form........................................................................68 Internal Audit Manual Page 4 ..........................................................66 APPENDIX C – Internal Audit Glossary........63 MISCELLANEOUS POLICIES..............................................63 APPENDIX A – Audit Announcement Letter..........................

AUTHORISATION AND RESPONSIBILITIES Internal Audit has the authority to audit all parts of ABC Company and shall have full and complete access to any of the organisation's records. They should not develop and install procedures. To this end. Copies of the report shall be distributed as appropriate. and external auditors.General Definition of Internal Audit Internal Audit is a central administrative unit of ABC Company. the Board of Directors. firing. Internal Audit Manual Page 5 . counsel. The manager of the entity receiving the report shall respond within thirty days and forward a copy of the response to those included on the distribution list. Documents and information given to internal auditors during a periodic review will be handled in the same prudent manner as by those employees normally accountable for them. if the circumstances ever warrant such action. Internal Audit shall have no direct responsibility or authority for any of the activities or operations they review. Internal Audit will furnish them with analyses. and information concerning the activities examined. REPORTING RESPONSIBILITIES A written report shall be prepared and issued by the Director of Internal Audit at the conclusion of every audit. The Director of Internal Audit shall make a written report to the Audit Committee whenever there is evidence of defalcations or other problems exceeding €25. ORGANISATION AND BOARD REPORTING The Director of Internal Audit shall report to the Vice President Finance with dotted line reporting to the Audit Committee. Internal Audit reports operationally to the Vice President Finance with dotted line representation to the ABC Company Board of Directors. Internal Audit provides assistance to the external auditors in their performance of the annual audits of ABC Company financial statements. the Director of Internal Audit may circumvent normal ABC Company reporting lines and communicate directly with the Audit Committee. Internal Audit's coverage and service extends to all company entities. CHARTER INTRODUCTION ABC Company supports Internal Audit as an independent appraisal function to examine and evaluate ABC Company activities as a service to management and to the Board of Directors. The mission of Internal Audit is to support managers of ABC Company in the effective discharge of their responsibilities. prepare records. Internal Audit is also a control which functions by examining and evaluating the adequacy and effectiveness of other controls throughout ABC Company for managers. the Director of Internal Audit shall submit to the Board of Directors a written report on the internal audit activity during the preceding fiscal year. In addition. Furthermore. Annually.000. The response shall indicate what actions were taken regarding specific report findings and recommendations. and salary changes for the Director of Internal Audit. or engage in activities that would normally be reviewed by internal auditors. physical properties. and personnel relevant to the performance of an audit. The Director shall also make an oral report to the Audit Committee. an internal audit does not in any way relieve other persons in ABC Company of the responsibilities assigned to them. Finally. The Audit Committee shall have final approval of the hiring. recommendations.

Internal Audit will adhere to Generally Accepted Auditing Standards and the Code of Ethics adopted by the Institute of Internal Auditors. Using our knowledge and professional judgement. and provide assistance to. operational. Internal Audit is responsible for determining whether the action taken is adequate to resolve audit findings. recommendations. MISSION OBJECTIVE Internal Audit's objectives in accomplishing its mission shall include the following: • • Determine the accuracy and propriety of financial transactions Evaluate financial and operational procedures for adequacy of internal controls and provide advice and guidance on control aspects of new policies. and information concerning the activities reviewed. counsel. MISSION STATEMENT/OBJECTIVES/VALUES MISSION STATEMENT Internal Audit exists to support the Board of Directors in the effective discharge of their responsibilities. processes. effectiveness. systems. and procedures Page 6 Internal Audit Manual . and control activities. We will report on the adequacy of internal controls. OUR OBJECTIVES IN ACCOMPLISHING OUR MISSION INCLUDE THE FOLLOWING: • • Determine the accuracy and propriety of financial transactions Evaluate financial and operational procedures for adequacy of internal controls and provide advice and guidance on control aspects of new policies.The manager receiving the report is responsible for ensuring that progress is made toward correcting any unsatisfactory conditions. processes. we will provide an independent appraisal of ABC Company's financial. If the action is not adequate. Internal Audit shall inform ABC Company management of the potential risk and exposure in allowing the unsatisfactory conditions to continue. and the level of compliance with company policies and government laws and regulations. the extent to which assets are accounted for and safeguarded. systems. Additionally. the external auditors Investigate fiscal misconduct • • • • • • STANDARDS AND ETHICS In all of its activities. and laws and regulations Evaluate the accuracy. and efficiency of ABC Company's electronic information and processing systems Determine the effectiveness and efficiency of the audited entities in accomplishing their mission and identify operational opportunities for cost savings and revenue enhancements Coordinate audit efforts with. we will provide analyses. and procedures Verify the existence of ABC Company assets and ensure that proper safeguards are maintained to protect them from loss Determine the level of compliance with ABC Company policies and procedures. the accuracy and propriety of transactions.

• • • • GENERALLY ACCEPTED AUDITING STANDARDS 100 INDEPENDENCE Internal auditors should be independent of the activities they audit. It is achieved through organisational status and objectivity. • Our primary focus is to provide excellent service to ABC Company. Independence permits internal auditors to render the impartial and unbiased judgments essential to the proper conduct of audits. and openness. 1. We are committed to maintaining our professionalism as internal auditors through continuance of our education and training. 110 ORGANISATIONAL STATUS The organisational status of the internal auditing department should be sufficient to permit the accomplishment of its audit responsibilities. and respond to our findings and conclusions. helpfulness. Our examinations shall be performed in accordance with applicable Generally Accepted Auditing Standards. patience. We are committed to the highest degree of fairness.• • • • Verify the existence of ABC Company assets and ensure that proper safeguards are maintained to protect them from loss Determine the level of compliance with ABC Company policies and procedures. Although we are a part of ABC Company we are committed to maintaining our independence in defining the scope and objectives of our examinations. laws and regulations Evaluate the accuracy. we share certain beliefs and values. integrity. Our relationships with ABC Company employees will be characterised by respect. question. and ethical conduct in the performance of our mission. sharing. we will not issue a report without first allowing the recipient the opportunity to review. The director of the internal auditing department should be responsible to an individual in the organisation with sufficient authority to promote Internal Audit Manual Page 7 . and efficiency of ABC Company's electronic information and processing systems Determine the effectiveness and efficiency of audited entities in accomplishing their mission and identify operational opportunities for cost savings and revenue enhancements Provide assistance and a coordinated audit effort with the external auditors Investigate fiscal misconduct • • VALUES In carrying out our mission. effectiveness. challenge. Furthermore. • Internal auditors are independent when they can carry out their work freely and objectively. We will adhere to the Code of Ethics as established by the Institute of Internal Auditors. • Internal auditors should have the support of management and of the board of directors so that they can gain the cooperation of audited entities and perform their work free from interference.

The director should have direct communication with the board. 4. and responsibility of the internal auditing department should be defined in a formal written document (charter). 120 OBJECTIVITY Internal auditors should be objective in performing audit.independence and to ensure broad audit coverage. Internal auditors should report to the director any situations in which a conflict of interest or bias is present or may reasonably be inferred. adequate consideration of audit reports. authority. The director should seek approval of the charter by management as well as acceptance by the board. and physical properties relevant to the performance of audits. 3. • Internal Audit Manual Page 8 . • Objectivity is an independent mental attitude which internal auditors should maintain in performing audits. and (c) define the scope of internal auditing activities. and financial budgets. Activity reports should highlight significant audit findings and recommendations and should inform management and the board of any significant deviations from approved audit work schedules. staffing plans. Objectivity requires internal auditors to perform audits in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. (b) authorise access to records. and financial budget. Internal auditors are not to subordinate their judgment on audit matters to that of others. The director of internal auditing should submit activity reports to management and to the board annually or more frequently as necessary. The director should periodically obtain from the audit staff information concerning potential conflicts of interest and bias. 2. 3. and financial budgets should inform management and the board of the scope of internal auditing work and of any limitations placed on that scope. staffing plan. staffing plans. and appropriate action on audit recommendations. The director should also submit all significant interim changes for approval and information. The director should then reassign such auditors. 2. Internal auditors are not to be placed in situations in which they feel unable to make objective professional judgments. The director of internal auditing should submit annually to management for approval and to the board for its information a summary of the department's audit work schedule. 5. Staff assignments of internal auditors should be rotated periodically whenever it is practicable to do so. Independence is enhanced when the board concurs in the appointment or removal of the director of the internal auditing department. The purpose. 1. Staff assignments should be made so that potential and actual conflicts of interest and bias are avoided. Regular communication with the board helps assure independence and provides a means for the board and the director to keep each other informed on matters of mutual interest. personnel. The charter should (a) establish the department's position within the organisation. 6. Audit work schedules. and the reasons for them.

Persons transferred to or temporarily engaged by the internal auditing department should not be assigned to audit those activities they previously performed until a reasonable period of time has elapsed. taxation. and operating systems are not audit functions. Designing. • Professional proficiency is the responsibility of the internal auditing department and each internal auditor. The department should assign to each audit those persons who collectively possess the necessary knowledge. SKILLS. • The internal auditor's objectivity is not adversely affected when the auditor recommends standards of control for systems or reviews procedures before they are implemented. Such assignments are presumed to impair objectivity and should be considered when supervising the audit work and reporting audit results. The internal auditing department should have employees or use consultants who are qualified in such disciplines as accounting. and disciplines to conduct the audit properly. These attributes include proficiency in applying internal auditing standards. 200 PROFESSIONAL PROFICIENCY Internal audits should be performed with proficiency and due professional care. and disciplines needed to carry out its audit responsibilities. skills. Moreover. objectivity is presumed to be impaired when internal auditors audit any activity for which they had authority or responsibility. This impairment should be considered when reporting audit results. the drafting of procedures for systems is not an audit function. 210 STAFFING The internal auditing department should provide assurance that the technical proficiency and educational background of internal auditors are appropriate for the audits to be performed. • 220 KNOWLEDGE. however. • The internal auditing staff should collectively possess the knowledge and skills essential to the practice of the profession within the organisation.4. But if on occasion management directs internal auditors to perform non-audit work. Page 9 • Internal Audit Manual . Reasonable assurance should be obtained as to each prospective auditor's qualifications and proficiency. and law as needed to meet audit responsibilities. Also. engineering. Performing such activities is presumed to impair audit objectivity. economics. The results of internal auditing work should be reviewed before the related audit report is released to provide reasonable assurance that the work was performed objectively. and techniques. • The director of internal auditing should establish suitable criteria of education and experience for filling internal auditing positions. need not be qualified in all of these disciplines. installing. finance. giving due consideration to scope of work and level of responsibility. 6. Internal auditors should not assume operating responsibilities. 5. AND DISCIPLINES The internal auditing department should possess or should obtain the knowledge. electronic data processing. skills. it should be understood that they are not functioning as internal auditors. procedures. Each member of the department. statistics.

conclusions. and reports. and disciplines essential to the performance of internal audits. 4. Providing suitable instructions to subordinates at the outset of the audit and approving the audit program. and timely. • The director of internal auditing is responsible for providing appropriate audit supervision. 3. All internal auditing assignments. • The Code of Ethics of The Institute of Internal Auditors sets forth standards of conduct and provides a basis for enforcement among its members. SKILLS. objectivity. The Code calls for high standards of honesty. constructive. objective. • Each internal auditor should possess certain knowledge and skills as follows: 1. procedures. Internal Audit Manual Page 10 . remain the responsibility of its director. Supervision is a continuing process. skills. 2. Seeing that the approved audit program is carried out unless deviations are • both justified and authorised. Supervision includes: 1.230 SUPERVISION The internal auditing department should provide assurance that internal audits are properly supervised. and techniques is required in performing internal audits. 250 KNOWLEDGE. Determining that audit objectives are being met. Making sure that audit reports are accurate. Proficiency in applying internal auditing standards. clear. • • • Appropriate evidence of supervision should be documented and retained. An understanding means the ability to apply broad knowledge to situations likely to be encountered. The extent of supervision required will depend on the proficiency of the internal auditors and the difficulty of the audit assignment. to recognise significant deviations. AND DISCIPLINES Internal auditors should possess the knowledge. diligence. and loyalty to which internal auditors should conform. 240 COMPLIANCE WITH STANDARDS OF CONDUCT Internal auditors should comply with professional standards of conduct. and to be able to carry out the research necessary to arrive at reasonable solutions. 5. 3. Proficiency means the ability to apply knowledge to situations likely to be encountered and to deal with them without extensive recourse to technical research and assistance. Proficiency in accounting principles and techniques is required of auditors who work extensively with financial records and reports. 2. An understanding of management principles is required to recognise and evaluate the materiality and significance of deviations from good business practice. Determining that audit working papers adequately support the audit findings. beginning with planning and ending with the conclusion of the audit assignment. concise. whether performed by or for the internal auditing department.

Nevertheless. • Internal auditors should understand human relations and maintain satisfactory relationships with audited entities. be appropriate to the complexities of the audit being performed. They should keep informed about improvements and current developments in internal auditing standards. Professional care should. • Due professional care calls for the application of the care and skill expected of a reasonably prudent and competent internal auditor in the same or similar circumstances. not infallibility or extraordinary performance. the internal auditor should consider: Page 11 • • • Internal Audit Manual . finance. To this end. the appropriate authorities within the organisation should be informed. economics. The internal auditor may recommend whatever investigation is considered necessary in the circumstances. waste. therefore. inefficiency. and participation in research projects. Continuing education may be obtained through membership and participation in professional societies. Thereafter. • 270 CONTINUING EDUCATION Internal auditors should maintain their technical competence through continuing education. but does not require detailed audits of all transactions. internal auditors should be alert to the possibility of intentional wrongdoing. college courses. attendance at conferences. and computerised information systems. 260 HUMAN RELATIONS AND COMMUNICATIONS Internal auditors should be skilled in dealing with people and in communicating effectively. conclusions. and techniques. quantitative methods. Due care requires the auditor to conduct examinations and verifications to a reasonable extent. and in-house training programs. In exercising due professional care. When an internal auditor suspects wrongdoing. evaluations. Internal auditors should be skilled in oral and written communications so that they can clearly and effectively convey such matters as audit objectives. the possibility of material irregularities or non-compliance should be considered whenever the internal auditor undertakes an internal auditing assignment. they should identify inadequate controls and recommend improvements to promote compliance with acceptable procedures and practices. procedures.4. Due care implies reasonable care and competence. and recommendations. An appreciation is required of the fundamentals of such subjects as accounting. seminars. errors and omissions. Accordingly. ineffectiveness. commercial law. 280 DUE PROFESSIONAL CARE Internal Auditors should exercise due professional care in performing internal audits. and conflicts of interest. the auditor should follow up to see that the internal auditing department's responsibilities have been met. Exercising due professional care means using reasonable audit skill and judgment in performing the audit. An appreciation means the ability to recognise the existence of problems or potential problems and to determine the further research to be undertaken or the assistance to be obtained. In addition. taxation. • Internal auditors are responsible for continuing their education in order to maintain their proficiency. the internal auditor cannot give absolute assurance that non-compliance or irregularities do not exit. They should also be alert to those conditions and activities where irregularities are most likely to occur.

reliable. The purpose of the review for effectiveness of the system of internal control is to ascertain whether the system is functioning as intended. • The scope of internal auditing work. When such standards are vague. and useful information. 2. internal auditors should examine information systems and. as specified in this standard. timely. that management and the board of directors provide general direction as to the scope of work and the activities to be audited. The adequacy and effectiveness of internal controls 4. 5. The economical and efficient use of resources. they should seek agreement with audited entities as to the standards needed to measure operating performance. 2. procedures. The relative materiality or significance of matters to which audit procedures are applied 3. Therefore. The reliability and integrity of information. however. • • • • 310 RELIABILITY AND INTEGRITY OF INFORMATION Internal auditors should review the reliability and integrity of financial and operating information and the means used to identify measure. Due professional care includes evaluating established operating standards and determining whether those standards are acceptable and are being met. The extent of audit work needed to achieve audit objectives 2. laws. If internal auditors are required to interpret or select operating standards. The purpose of the review for quality of performance is to ascertain whether the organisation's objectives and goals have been achieved. complete. 300 SCOPE OF WORK The scope of the internal audit should encompass the examination and evaluation of the adequacy and effectiveness of the organisation's system of internal control and the quality of performance in carrying out assigned responsibilities.1. authoritative interpretations should be sought. The accomplishment of established objectives and goals for operations or programs. 4. It is recognised. 3. The primary objectives of internal control are to ensure: 1. plans. The cost of auditing in relation to potential benefits 5. and compliance with external requirements. Internal Audit Manual Page 12 . • Information systems provide data for decision making. as appropriate. classify. Controls over record keeping and reporting are adequate and effective. Compliance with policies. control. The purpose of the review for adequacy of the system of internal control is to ascertain whether the system established provides reasonable assurance that the organisation's objectives and goals will be met efficiently and economically. The safeguarding of assets. and regulations. encompasses what audit work should be performed. and report such information. Financial and operating records and reports contain accurate. ascertain whether: 1.

Internal auditors are responsible for determining whether the systems are adequate and effective and whether the activities audited are complying with the appropriate requirements. and exposure to the elements. 4. procedures. and should determine whether the organisation is in compliance. 350 ACCOMPLISHMENT OF ESTABLISHED OBJECTIVES AND GOALS FOR OPERATIONS OR PROGRAMS Internal auditors should review operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned. as appropriate. should use appropriate audit procedures. PLANS. • Audits related to the economical and efficient use of resources should identify such conditions as: 1. procedures. Underutilised facilities. • Management is responsible for establishing the systems designed to ensure compliance with such requirements as policies. Corrective action has been taken. plans. • Internal auditors should review the means used to safeguard assets from various types of losses such as those resulting from theft. PROCEDURES. Operating standards have been established for measuring economy and efficiency. Internal auditors are responsible for determining whether: 1. Procedures which are not cost justified. • 340 ECONOMICAL AND EFFICIENT USE OF RESOURCES Internal auditors should appraise the economy and efficiency with which resources are employed. Established operating standards are understood and are being met. 330 SAFEGUARDING OF ASSETS Internal auditors should review the means of safeguarding assets and. 2. plans. Internal Audit Manual Page 13 . laws and regulations which could have a significant impact on operations and reports. and communicated to those responsible for corrective action. and applicable laws and regulations.320 COMPLIANCE WITH POLICIES. Internal auditors. LAWS. 2. 3. AND REGULATIONS Internal auditors should review the systems established to ensure compliance with those policies. fire. improper or illegal activities. Non-productive work. • Management is responsible for setting operating standards to measure an activity's economical and efficient use of resources. verify the existence of such assets. analysed. when verifying the existence of assets. Overstaffing or understaffing. Deviations from operating standards are identified. 4. 3.

8. Sufficient information is factual. competent. Useful information helps the organisation meet its goals. Communicating with all who need to know about the audit. Determining the resources necessary to perform the audit. Establishing audit objectives and scope of work. Information should be collected on all matters related to the audit objectives and scope of work. and relevant information is being used. 6. Writing the audit program. goals. 5. and document information to support audit results. and convincing so that a prudent. and systems by determining whether the underlying assumptions are appropriate. analyse. • The process of examining and evaluating information is as follows: 1. and useful to provide a sound basis for audit findings and recommendations. • The internal auditor is responsible for planning and conducting the audit assignment. • 400 PERFORMANCE OF AUDIT WORK Audit work should include planning the audit. 410 PLANNING THE AUDIT Internal auditors should plan each audit. and to who audit results will be communicated. Determining how. to identify areas for audit emphasis. Obtaining background information about the activities to be audited. and to invite audited entity comments and suggestions. whether accurate. current. Internal Audit Manual Page 14 . Information should be sufficient. as appropriate. informed person would reach the same conclusions as the auditor. and whether suitable controls have been incorporated into the operations or programs. 4. communicating results and following up. when. • Planning should be documented and should include: 1. adequate. 2. Obtaining approval of the audit work plan. Performing. 7.• Management is responsible for establishing operating or program objectives and goals. 420 EXAMINING AND EVALUATING INFORMATION Internal auditors should collect. developing and implementing control procedures. 3. relevant. examining and evaluating information. Internal auditors can provide assistance to managers who are developing objectives. Competent information is reliable and the best attainable through the use of appropriate audit techniques. subject to supervisory review and approval. Relevant information supports audit findings and recommendations and is consistent with the objectives for the audit. 2. Internal auditors should ascertain whether such objectives and goals conform to those of the organisation and whether they are being met. an on-site survey to become familiar with the activities and controls to be audited. interpret. and accomplishing desired operating or program results.

The internal auditor should discuss conclusions and recommendations at appropriate levels of management before issuing final written reports. • • • • • • A signed. where practicable. 510 PURPOSE. 2. AND RESPONSIBILITY Internal Audit Manual Page 15 . concise. Audit procedures. and expanded or altered if circumstances warrant. and.3. The process of collecting. These papers should record the information obtained and the analyses made and should support the bases for the findings and recommendations to be reported. Resources of the internal auditing department are efficiently and effectively employed. The audited entity's views about audit conclusions or recommendations may be included in the audit report. • Internal auditing should determine that corrective action was taken and is achieving the desired results. written report should be issued after the audit examination is completed. or that management or the board has assumed the risk of not taking corrective action on reported findings. The director of internal auditing or designee should review and approve the final audit report before issuance and should decide to whom the report will be distributed. Audit work conforms to Generally Accepted Auditing Standards. clear. • The director of internal auditing is responsible for properly managing the department so that: 1. Interim reports may be written or oral and may be transmitted formally or informally. 4. where appropriate. reports should contain an expression of the auditor's opinion. Audit work fulfils the general purposes and responsibilities approved by management and accepted by the board. 5. including the testing and sampling techniques employed. scope. Working papers that document the audit should be prepared by the auditor and reviewed by management of the internal auditing department. • 440 FOLLOWING UP Internal auditors should follow up to ascertain that appropriate action is taken on reported audit findings. 430 COMMUNICATING RESULTS Internal auditors should report the results of their audit work. constructive. Reports should be objective. Reports should present the purpose. Reports may include recommendations for potential improvements and acknowledge satisfactory performance and corrective action. and timely. analysing. and results of the audit. interpreting. and documenting information should be supervised to provide reasonable assurance that the auditor's objectivity is maintained and that audit goals are met. 500 MANAGEMENT OF THE INTERNAL AUDITING DEPARTMENT The director of internal auditing should properly manage the internal auditing department. AUTHORITY. should be selected in advance. 3.

Its audit staff may be directed and controlled through daily. A small internal auditing department may be managed informally. • • The goals of the internal auditing department should be capable of being accomplished within specified operating plans and budgets and. The planning process involves establishing: 1. Matters to be considered in establishing audit work schedule priorities should include (a) the date and results of the last audit. 4. They should explain the reasons for major variances and indicate any action taken or needed. 2. and (c) the estimated time required.The director of internal auditing should have a statement of purpose. The work schedules should be sufficiently flexible to cover unanticipated demands on the internal auditing department. and responsibility for the internal auditing department. Activity reports should be submitted periodically to management and to the board. and (g) changes to and capabilities of the audit staff. • The form and content of written policies and procedures should be appropriate to the size and structure of the internal auditing department and the complexity of its work. authority. • These plans should be consistent with the internal auditing department's charter and with the goals of the organisation. 3. Formal administrative and technical audit manuals may not be needed by all internal auditing departments. and audit research and development efforts. Staffing plans and financial budgets. to the extent possible. • The director if internal auditing is responsible for seeking the approval of management and the acceptance by the board of a formal written document (charter) for the internal auditing department. should be determined from audit work schedules. 520 PLANNING The director of internal auditing should establish plans to carry out the responsibilities of the internal auditing department. Activity reports. and disciplines required to perform their work. These reports should compare (a) performance with the department's goals and audit work schedules and (b) expenditures with financial budgets. close Page 16 Internal Audit Manual . Audit work schedules should include (a) what activities are to be audited. Audit work schedules. education and training requirements. (b) financial exposure. systems. (e) major changes in operations. and controls. including the number of auditors and the knowledge. Staffing plans and financial budgets. (c) potential loss and risk. They should be accompanied by measurement criteria and targeted dates of accomplishment. administrative activities. (d) requests by management. should be measurable. • • • 530 POLICIES AND PROCEDURES The director of internal auditing should provide written policies and procedures to guide the audit staff. taking into account the scope of the audit work planned and the nature and extent of audit work performed by others. (b) when they will be audited. skills. (f) opportunities to achieve operating benefits. programs. Goals.

• 560 QUALITY ASSURANCE The director of internal auditing should establish and maintain a quality assurance program to evaluate the operations of the internal auditing department.supervision and written memoranda. In a large internal auditing department. Providing counsel to internal auditors on their performance and professional development. These reviews should be performed in the same manner as any other internal audit. 2. Periodic meetings to discuss matters of mutual interest. Exchange of audit reports and management letters. Developing written job descriptions for each level of the audit staff. and terminology. • The program should provide for: 1. departmental policies. 2. methods. Supervision. 3. 5. Access to each other's audit programs and working papers. the internal auditing department's charter. and audit programs. 550 EXTERNAL AUDITORS The director of internal auditing should coordinate internal and external audit efforts. • The internal and external audit work should be coordinated to ensure adequate audit coverage and to minimise duplicate efforts. 540 PERSONNEL MANAGEMENT AND DEVELOPMENT The director of internal auditing should establish a program for selecting and developing the human resources of the internal auditing department. Coordination of audit efforts involves: 1. • Supervision of the work of the internal auditors should be carried out continually to assure conformance with internal auditing standards. and other applicable standards. Appraising each internal auditor's performance at least annually. Internal reviews. External reviews. • The purpose of this program is to provide reasonable assurance that audit work conforms to these Standards. Training and providing continuing educational opportunities for each internal auditor. Selecting qualified and competent individuals. 4. 3. 4. 3. 2. Common understanding of audit techniques. • Internal Audit Manual Page 17 . Internal reviews should be performed periodically by members of the internal auditing staff to appraise the quality of the audit work performed. more formal and comprehensive policies and procedures are essential to guide the audit staff in the consistent compliance with the department's standards of performance. A quality assurance program should include the following elements: 1.

shall reveal all material facts known to them which. internal auditors shall not knowingly be a party to any illegal or improper activity. However. Such reviews should be conducted at least once every three years. 6. Internal auditors shall not accept anything of value from an employee. Internal auditors shall exhibit loyalty in all matters pertaining to the affairs of ABC Company or to whomever they may be rendering a service. when reporting on the results of their work. client. 4. INDEPENDENCE/OBJECTIVITY/CONFIDENTIALITY /CONDUCT INDEPENDENCE/OBJECTIVITY To be effective in performing audits the internal audit staff must be independent and objective both in actuality and perception. 9. 8. 2. Internal auditors. Internal auditors shall be prudent in the use of information acquired in the course of their duties. They shall not use confidential information for any personal gain nor in any manner which would be contrary to law or detrimental to the welfare of ABC Company. Internal auditors shall continually strive for improvement in their proficiency. morality and dignity. CODE OF ETHICS STANDARDS OF CONDUCT 1. Internal auditors shall undertake only those services which they can reasonably expect to complete with professional competence. shall be ever mindful of their obligation to maintain high standards of competence.• External reviews of the internal auditing department should be performed to appraise the quality of the department's operations. Internal auditors shall not knowingly engage in acts or activities which are discreditable to the profession of internal auditing or to ABC Company. The report should express an opinion as to the department's compliance with the Generally Accepted Auditing Standards and. Internal auditors shall refrain from entering into any activity which may be in conflict with the interest of ABC Company or which would prejudice their ability to carry out objectively their duties and responsibilities. or business associate of ABC Company which would impair or be presumed to impair their professional judgment. Internal auditors. written report should be issued. 3. 11. customer. 10. On completion of the review. and in the effectiveness and quality of their service. should include recommendations for improvement. and diligence in the performance of their duties and responsibilities. 5. if not revealed. These reviews should be performed by qualified persons who are independent of the organisation and who do not have either a real or an apparent conflict of interest. Internal auditors shall adopt suitable means to comply with Generally Accepted Auditing Standards. We maintain our independence by our organisational position Internal Audit Manual Page 18 . as appropriate. objectivity. supplier. 7. Internal auditors shall exercise honesty. could either distort reports of operations under review or conceal unlawful practices. a formal. in the practice of their profession.

preparing tax returns. Employee medical or psychological records. auditors shall immediately inform the Director of Auditing of any factors that may be perceived as impairing their objectivity on an assigned audit. You are expected to exercise professional skill. As far as possible. Examples of confidential information include. Employee benefit or payroll information. In the course of your assignments. social security numbers. Also. In general. or business associate of ABC Company which would impair or be perceived to impair their professional judgement or objectivity. Reports resulting from your efforts should always contain full and unbiased disclosure of all but minor audit findings.(including reporting line to the Board) and our Board approved AUTHORISATION AND RESPONSIBILITIES (see CHARTER). independence in mental attitude is to be maintained.) should be brought to the attention of the Internal Audit Department. Questions concerning any relationships with audited entities or potential audited entities (i. (See the Code of Ethics). You should guard against any conduct or mannerisms which permit an impression that you consider yourself an "expert" sent to check on employees. or computer files. auditors will take great care to prevent even a perception of partiality by maintaining a professional distance from the staff of an audited entity while performing an audit. CONFIDENTIALITY Much of the information available to internal auditors is of a sensitive or confidential nature. but are not limited to the following: 1. you are representing the highest level of management. Confidential materials include any information (except public information) associated with employee names. Auditors should be prudent in their use of information acquired in the course of their duties or information which is available to them. Any gifts accepted will be immediately reported to the Internal Audit Department. take the position of an independent/objective analyst and advisor. or casual observation. As a member of the Internal Audit staff. or identification numbers. They will not discuss any matters pertaining to the audits performed by the departments in other then an official manner. and tact in your relations with others. 3. Although you report to the Internal Audit Department. Such materials should be adequately secured from theft. you are encouraged to be friendly with all ABC Company employees without affecting your objectivity. maturity of behaviour. Auditors will take adequate measures to prevent the unauthorised release of confidential materials or information in any medium including paper copies. CONDUCT The following guidelines are established regarding personal conduct and the confidentiality of audit or business information acquired through audit assignments. you will be in contact with personnel at all levels of authority and position.e.. Avoid the image of policing. microfiche. Any information which could cause ABC Company embarrassment or liability. Finally. 2. reproduction. Auditors shall not use confidential information for any personal gain or in a manner which would be detrimental to ABC Company or any employee of ABC Company. attending parties. At all times. In order to maintain objectivity. Internal Audit Manual Page 19 . auditors will not accept anything of value from an employee. integrity. etc. supplier. Conduct yourself in a manner that reflects favourably upon yourself and those you represent. you have responsibilities to both management and the personnel being audited.

come from several sources). An analysis will be performed annually in order to quantify risk and schedule audits. Hence. Page 20 • Internal Audit Manual . The audit planning process encompasses all activities related to the development of the internal audit plan and schedule and the determination of the audit scope and objectives. AND AUDITS Internal Audit's scheduling process begins with requests for audit services (requests. Rather. Our in-depth knowledge of ABC Company gives us a unique perspective on the types of projects in which we can reduce ABC Company's risk. the performance of the assessment is a tool for use by Internal Audit Department. the availability of staff in entities selected for review. Types of Audits 1. and the availability of Internal Audit staff with the appropriate skills. An operational audit focuses on the efficiency. be discreet on and off the job in discussing current or past audits or your personal assessments of audited entities. Avoid extremes of dress or personal grooming. which is conducted by the external auditors. effectiveness. It should be emphasised that the final determination as to which areas should be included in the audit plan cannot be based solely on the results of this audit risk assessment.Determine the accuracy and propriety of financial transactions. AUDIT • Operational .Refers to a comprehensive examination of an entity to evaluate its performance. or suggestions. as measured by management's objectives. One obvious source is our own Internal Audit staff. This analysis will combine factual information and Internal Audit Department's judgment in the selection. and weighing of the various audit risk factors. and economy of operations. Several factors influence the selection and scheduling of projects: the degree of risk or exposure to loss. Never indiscreetly discuss any information you obtain during audits. programs. records. type of audit. therefore. and audit recourse planning for the individual auditable entities. and information at all times. In undertaking this process we attempted the following: • Define the potential audit universe at ABC Company Define factors to be used in assessing risk Quantify the potential risk associated with each of the defined audit areas Schedule audits and allocate Internal Audit resources according to the priorities established and the current level and expertise of internal auditors • • • PLANNING . some of our projects originate in our own group or as a result of the annual audit of ABC Company as a whole.Much of your work is confidential. timing. Judgment should be exercised in the security of audit working papers. The primary objective of the audit planning process is to design our audit approach to ensure that audits are performed in the most effective and efficient manner. design of detailed procedures.RESEARCH. Financial . current and planned work in other major audit projects requiring substantial time commitments of Internal Audit staff. AUDIT PROCESS PLANNING The assessment of audit risk is an integral part of our planning process. SCHEDULING. ranking.

An independent appraisal of ABC Company operations is provided through the verification of accountability. effectiveness.Information.The objective of these audits is to determine whether. etc. Pre-approved programs are used to audit accuracy and propriety of expenditures and payroll transactions. and assist the audited entity by recommending corrective measures to prevent subsequent recurrences. Assistance on whether a defined architecture has proper controls 3. These reviews may also include asset confirmations. With the addition of an information systems audit function consultation services are expanded to include: 1.Internal Audit actively participates in the development of new systems or enhancements to current systems to promote the design of adequate internal controls prior to implementation and reduce the need for corrective measures at a later date.Conducted to determine existing control weaknesses. Assistance on evaluation of backup procedures and contingency planning 2. The auditor must know precisely what policies. procedures. preparing the annual report. Usually.Such as organising the annual retreat. MISCELLANEOUS • • Computer System Design and Enhancement . etc. Investigation of allegations may also be conducted. LOSS • 3. Income will be audited if the amount is material. These reviews also ensure that upper management has been properly notified of ABC Company exposure related to unresolved audit findings.• Compliance . Information on computer controls 4. The audit focuses almost exclusively upon detailed testing of conditions. Page 21 • 5. FOLLOW-UP REVIEW • Internal Audit Manual . and valid use of ABC Company assets. Asset Verification . and review will be provided on issues concerning ABC Company policies. Assistance on implementation of internal financial system • 2. or laws and regulations. compliance audits require little preliminary survey work or review of internal controls. and internal controls. INFORMATION SYSTEMS AUDIT • 4. Consultant Services . procedures. an audited entity conforms to certain specific requirements of policy. procedures. physical safeguards. and to what degree. standards. Follow-up reviews are performed to appraise management of post audit actions and provide assurance that implemented changes adequately resolved audit findings. except to outline precisely what requirements are being audited. encouragement. The primary mission of the Information Systems audit function of Internal Audit is to support the internal audit function in the evaluation of the accuracy. Other Departmental Duties . ADMINISTRATIVE REVIEWS • 6. are required. assist ABC Company Risk Management in determining the amount of the loss/fraud. standards. and efficiency of ABC Company's electronic and information processing systems which are in production or under development. This is often performed in conjunction with an audit. Loss/fraud investigations .. as assigned by the Director.

Assigned Staff. ○ E=continuing education. BLN=Berlin. PAR=Paris. or revolving fund. change fund. The objective of this process is to assure that work is performed on only authorised activity. D=information Systems audit. CASH COUNT • A cash count is performed to determine custodial fund accountability which may include one or more of the following types of funds: petty cash fund. Any deviation from these hours must be approved by the Internal Audit Department Expected Completion Date: The date the report is expected to be issued in final Assigned Staff: Names of the Reviewer. ○ L=loss. BRU=Brussels. Definition of Terms on the Assignment Sheet • • Task Number: A five digit number used to identify the project Type: The type of project indicated on the assignment form: ○ A=audit.no trackable hours. • Location of audit: ○ ○ ○ • • • Title of Project: A short description of the project Assignment Date: Beginning date that hours can be charged to the project Allocated Hours: Time budgeted for this project. objectives. Audit Assignment All audits/tasks will be authorised by the Internal Audit Department using an audit assignment sheet. and resource restrictions (allocated hours. Participant. and Non-active staff should be listed on assignment sheet with project hours that are assigned to each Scope & Objectives: A short description of the scope and objectives that will be covered Fiscal Year: Fiscal year to be audited Page 22 • • • • Internal Audit Manual . expected completion date) so the assigned auditor(s) will have a clear understanding of Internal Audit Department's expectations for their particular assignment. ○ F=follow-up. This form will provide sufficient information on the audit/task scope. ○ M=miscellaneous. R=administrative review. ○ C=cash count.7. Project Manager. Instructor. Project Consultant. ○ ○ ○ T=continuing education . ○ X=task cancelled. A pre-approved cash count audit program is used for this type of audit.

6. the Director and Associate Director of Internal Auditing. 2. laws and regulations. etc. Scope limitations that very narrowly restrict audit work should be mentioned in the audit report. controls. Will be responsible for assuring the audit program steps accomplish the objectives. funds. Determine if a loss occurred. Determine the level of compliance with ABC Company policies and procedures. transactions. policies. and approve the draft report Internal Audit Manual Page 23 . Audit objectives will generally include one or more of the following: 1. edit. and reasonably assure the completion of the assignment within allocated resources. Verify the existence of ABC Company assets and ensure that proper safeguards are maintained to protect them from loss. systems. Duties/Responsibilities • INTERNAL AUDIT DEPARTMENT ○ Internal Audit Department. Discuss. will be responsible for ensuring that audit resources are efficiently and effectively employed and that the audit work performed fulfils the mission of the department. 4. Determine the accuracy and propriety of financial transactions. Provide assistance and a coordinated audit effort with the external auditors. Review. Determine the effectiveness and efficiency of audited entities in accomplishing their mission and identify operational opportunities for cost savings and revenue enhancements. Final approval of the audit program will be done by Internal Audit Department 4. direct.. the assigned auditors during the course of the assignment including writing the report 3. processes. • AUDIT MANAGER ○ The auditor in charge of the task will normally be an audit manager and will have the following duties and responsibilities: 1. we shall be reviewing. 3. Evaluate the accuracy. address major risk and exposures. and efficiency of ABC Company's electronic information and processing systems. and what records. Attend entrance and exit interviews 2. Evaluate financial and operational procedures for adequacy of internal controls and provide advice and guidance on control aspects of new policies. 7.Scope and Objectives The scope section shall define the limitations of the audit/task assignment.. The scope will generally include a time period. advise. processes. and procedures. etc.) The objectives will explain what the audit is trying to accomplish. 5. if so the amount of the loss and circumstances (control weaknesses) that contributed to it. effectiveness. 8. (Example: We did not test actual expenditure transactions.

and meet stated assigned objectives. 4. Determine working paper's compliance to the department working ○ The reviewer should: paper standards. • ASSIGNED AUDITOR(S) ○ Assigned auditor(s) will be responsible for performing the audit and will have the following duties and responsibilities: 1. Review working paper's from the report(s) to the Digest of Significant Findings to the working paper summaries to the detailed working papers to ensure that all findings are stated adequately and documented and support the opinions. 7. and all steps have been completed. Review from audit program steps to the referenced working papers ensuring cross-referencing is proper. including the internal control evaluation. Document review comments on review notes form. 2. sign off on working paper section of final working paper/report approval form. findings. 6. 3. and recommendations stated in the report. with guidance from the Audit Manager 2. Ensure that working papers "stand alone" in that they clearly state what work was performed. staying within the scope and resource allocation limits (hours and dates). Perform all assigned activities in conformance with department standards. how and from where samples were selected. • REVIEWER ○ All working papers should be independently reviewed to ensure there is sufficient evidence to support conclusions and that all audit objectives have been met. the working papers support the steps performed. the purpose of the working paper. 1. prepare an audit program and time estimate for each program section 3." and filing "cleared" review notes in the current working papers will serve as documentation of the review process. 5. Internal Audit Manual Page 24 . Write the draft audit report ○ An assigned auditor who is also the Audit Manager of the project will have the additional duties of Audit Manager. Determine report(s) compliance with the department report standards. A detailed review will be conducted by the Audit Manager for assigned staff's working papers and a less comprehensive review will be conducted by department administration or an assigned staff person. After all audit review notes have been resolved. After discussions with the Audit Manager.5. what findings were made. Assure the audit is performed according to department standards. etc. Initialling working papers (see "review/approval form") signing the "review/approval form. staying within the scope and resource allocation limits of the assigned activity or program section 4. Perform the preliminary review.

and the auditor(s) assigned to the project. The announcement letter shall communicate the scope and objectives of the audit. create follow-up when necessary. recommendation categories. Mailing feedback questionnaire 7. Additionally. Filing of electronic copy on LAN 5. Determine Permanent Audit File's compliance with department standards. the period covered. Preliminary Review The objective of the Preliminary Review is to gain sufficient knowledge of the entity being reviewed so the auditor can design an audit program to accomplish the assigned objectives. but will be on call to answer questions or volunteer suggestions as applicable. Print revised draft copies for Directors approval 2. trustee report. Internal Audit will not provide advance notifications for cash counts and fraud investigations. Print final report copy for auditors and director signature 3. The review will help the auditor to determine if the assigned objectives are attainable with the allocated resources and what audit procedures should be performed. 9. However. Internal Audit may not send an announcement letter for requested consulting services. The preliminary review work can be broken down into four distinct phases: Internal Audit Manual Page 25 . Adding response to electronic copy of report and filing paper copy with final report 9. Creating follow-up working papers. and format have been used. Updating Directors report Announcement Letter The audited entity shall be informed of the audit project through an announcement letter from the Internal Audit Director. The Report Reviewer will also perform or supervise the: 1. The project consultant does not take an active role in the project. 6. • REPORT REVIEWER ○ The Report Reviewer primary responsibility is to provide a final independent review of audit reports to help ensure that proper grammar. Update Working Papers files: mark complete. spelling. to achieve the objectives. Internal Audit's mission statement shall also be enclosed for the audited entity’s information. Updating feedback spreadsheet when feedback received 8. Sign off on report(s) section of final working paper/report approval form. electronic copy of report on LAN. • PROJECT CONSULTANT ○ The project consultant's primary duties and responsibilities are to advise and provide guidance to the assigned auditors. based on assessed risks and exposures. etc. etc. Mail final report copy 4.8. mark complete. 10.

the assigned auditor(s) shall obtain a basic understanding of the operation or system under review. and departmental policies and procedures Conduct the initial meeting with audited entity • • • • • • • • • Identification of Potential Problem Areas An objective of the preliminary review is the identification of potential problem areas. the next step is to evaluate controls. Once these activities and risks have been identified.1. abuse. or mismanagement In which there is a large volume of transactions or large investments in assets which are subject to loss if not carefully controlled About which concerns have been expressed by management In which prior audits have disclosed major weaknesses or deficiencies • • This phase of the preliminary review should identify the significant activities of the area and what inherent risks exist. and produce effective results. Reports. The auditor is responsible for determining how much reliance can be placed on the entity's controls to protect its assets. Evaluation of internal controls 4. assure compliance with applicable laws and regulations. Identification of potential problem areas 3. systems. Internal Audit Manual Page 26 . Review department focus Review department's mission statement. Management letters (if available) Review of department financial statements (transactions) including historical trends if available Review of department organisation and staffing (payroll/personnel listing) Review of department equipment listing Consultations with other auditors that have been involved in similar audits or are familiar with this department. These can be identified as those programs or activities: • • Which are susceptible to fraud. promote efficiency and economy. related ANAEL files. Familiarisation 2. assure accurate information. organisation chart and other information requested in the "announcement letter" Review and research for applicable laws. and functions which are significant. activities. regulations. One of the first steps in determining problem areas is to identify those programs. etc. Planning the detailed audit One of the problems in performing an effective preliminary review is the failure to complete all phases of the review before preparing the formal audit program and beginning the fieldwork. This review will normally include: • Review of Permanent Audit File (if one exists) Review of Previous Audit Working Papers. Initial Research (Familiarisation) Before meeting with the audited entity.

or usefulness of financial or statistical data. observations. the auditor uses a variety of tools and techniques. Although the written audit guidelines (programs) are invaluable aids.A complete review of all controls is not always necessary because some controls may be irrelevant to basic issues which are the subject of the audit effort. and inquiries. These techniques are preferred because they provide adequate documentation. To assist in evaluating the system of internal control the auditor should consider the following: Internal Audit Manual Page 27 . The review of the system of internal controls is performed by discussing the control procedures. Generally. and analysis. and plan of organisation with audited entity’s officials. The review of internal controls helps the auditor design tests to be performed in the fieldwork section of the audit. Audit Managers should prepare the program to assist assigned auditors in performing this aspect of the audit work. Internal controls are evaluated throughout the audit examination. but not absolute. This documentation includes identifying control strengths and weaknesses and cross-referencing them to the audit tests and procedures concerned with substantive testing. and specific audit tests and procedures. In doing this. auditors make inquiries and perform observations relating to the system of internal controls. accuracy. interviews. Vast amounts of data are stored electronically. The evaluation of the system of internal controls should provide reasonable. The use of electronic data processing methods that can affect the reliability. and reports should be included as part of the study and evaluation. Audit Managers must ensure that each assigned auditor is familiar with the scope and objectives of the internal control review. including flow charts. Internal Audit has a library of standardised ANAEL queries that will assist in obtaining some of this information. non-functioning. methods. These inquiries and observations. a transaction walk through. The auditor may use internal control questionnaires or checklists as well as written narrative memoranda. In addition to discussions with audit customer officials. and other applicable techniques in determining the adopted control procedures and the method and plan of organisation. Some controls which can normally be identified as critical are those which are designed to protect against: • • • • • • Substantial financial losses Program violations Mismanagement Legal violations Adverse publicity Lack of program or mission accomplishment The auditor's evaluation should include identification of areas in which essential controls appear to be weak. Review and Evaluation of Internal Control Environment The auditor will review the audited entity's internal control structure. flow charts. and resulting findings and conclusions are also documented in the working papers. data gathering. checklists. the guidelines are incorporated into an audit program in the form of internal control questionnaires. the auditor must identify those controls which are the most important and critical to the operation and concentrate on them. The study and evaluation should be adequately documented and properly supported by results of tests. or missing. Therefore. assurance that the fundamental elements of the system are sufficient to accomplish their intended purpose.

and whether such reduced reliance significantly affects subsequent audit tests and procedures. timing. Control procedures to prevent or detect such errors and irregularities. In considering the required audit effort. narrative explanations should be kept brief. • • • • • Flowcharting The primary purpose of preparing a flow chart is to identify the key control attributes . The questionnaires are designed so that a negative response indicates a potential internal control weakness. Clarity and simplicity in presentation are essential. and extent of auditing procedures to be applied. the auditor assesses whether precluding certain tests of compliance will reduce the reliance on the controls and procedures. timing. tests of compliance are not ordinarily performed. The effect these weaknesses have on the nature.A flow chart is beneficial because it visually depicts processes designed or intended for control purposes. Additionally. Flow Charts . Conversely. Working papers should be prepared to highlight the internal control attributes within the processes to be evaluated. In most cases. A negative response will cause the auditor to determine whether compensating controls are in existence which would offset the negative response. Audit methods used to study and evaluate existing internal controls include: Internal Control Questionnaires .those attributes that achieve control objectives. Complexities such as exception controls can be better explained in attached memoranda. Narratives . the combination of the flow chart and a narrative description tends to be far superior to either document alone.These guide the auditor to query responsible managers regarding specific or general internal controls. should be tested and evaluated. the auditor must consider the availability of evidence and the audit effort required to test compliance.• • • • • • • Types of errors and irregularities that could occur. when the auditor determines that certain controls cannot be relied upon. However. which are deemed critical or important to the strength within a particular transaction cycle. Mistaken use of extreme detail may tend to conceal rather than expose key points. Documentation supports the auditor's understanding of the internal controls. This can efficiently point out cases of under/over control and processing redundancy. Whether the procedures have been adopted and are being followed satisfactorily. Tests of compliance are performed to obtain sufficient evidence that the system is operating in accordance with the understanding the auditor obtained from the review. Only those internal control functions. These are performed for those control procedures or methods upon which the auditor has chosen to rely. Weaknesses which would enable errors and irregularities to pass through existing control procedures. Audit working papers provide the support for the conclusions reached by the auditor regarding the study and evaluation of internal controls. Internal Audit Manual Page 28 .These describe the system of internal control. The nature. and extent of tests of compliance are closely related to the control procedures and methods studied by the auditor. Flow-charting provides the auditor with a good understanding of the process being evaluated.

The risk that the assigned areas internal control system would fail to prevent or detect a significant intentional or unintentional error in the process. ○ The three types of risks that will be considered are: ○ Exposure is the potential loss or liability to ABC Company. and weaknesses in process. The due professional care standards do not imply unlimited responsibility for disclosure of irregularities and other deficiencies. The auditor's principal effort should be in those areas where significant problems or deficiencies may exist. safeguarding.The risk related to the fundamental characteristics of the assigned area (i. reconciliation.e. Page 29 Internal Audit Manual . the name(s) and position(s) of the people performing the transactions should be indicated for each action.  Control Risk . namely actions and decisions. the auditor should observe the process. Statement of Risk and Exposure • Rationale: ○ A risk/exposure analysis will be performed to prioritise audit testing that must be performed to achieve the audit objectives. The results of the preliminary review should be analysed to determine the need for a detailed audit and the specific areas to be covered. changed. The names of each document should also be included within the document symbols. This determination is essential for providing reasonable assurance that internal audit resources are deployed in an optimal manner (i. or transferred to other departments. Time should not be spent examining or developing evidence beyond what is necessary to afford a sound basis for a professional opinion. The detailed audit program should be prepared allocating the project budget time established for the fieldwork to the specific areas to be covered in the audit. control over authorisation. strengths..e. and by reviewing procedure manuals. rather than in areas that are relatively unimportant. PLANNING THE DETAILED AUDIT The elements of materiality and relative risk must be considered in performing the audit.The risk that the internal audit would fail to detect errors that had occurred. existing flow charts and other system documentation.e.  Detection Risk . recording. If possible. This can generally be accomplished by including only those activities within an application where data is initialised.Only transactions/documents with control significance should be shown (i. Inquiries can be made concurrently with the performance of transaction reviews. Internal Control Questionnaires The primary purpose of completing the internal control questionnaire is to identify critical areas. particularly when flow charts are being updated. Sample documents are collected and each department involved is questioned about its specific duties. it must be broken down into its component parts. The auditor usually obtains information necessary for preparing or updating flow charts by interviewing personnel at each site about procedures followed. and valuation). For a process to be flow charted. etc. It is not only loss of money but also ABC Company's reputation.. an area that receives income in the form of currency and coin has a greater inherent risk of theft of that income then one that receives internal billing income form another department). Also. the most time is spent examining areas with the greatest risk exposure).  Inherent Risk .

(3) show for Internal Audit Manual Page 30 . For each segment of the audit the program should (1) list the risks that must be covered in that segment. During the preliminary review/internal control evaluation stage of the audit. A well constructed program provides: • • • A systematic plan for each phase of the work that can be communicated to all audit personnel concerned Means of self control for the audit staff assigned Means by which the audit supervisor/manager can review and compare performance with approved plans Assistance in training inexperienced staff members and acquainting them with the scope. the auditor will make a determination of what areas contain the greatest risks and potential exposures. consult with the Audit Manager and Internal Audit Department. objectives. If a permanent file is not prepared. Prior year's financial statements would aid the auditor in gathering general knowledge about the audited entity. (2) show for each risk the controls that exist or that are needed to protect against the indicated risk. accounts payable. useful information can be filed in section D of the working papers. but it is pertinent to the current year's audit. Before a permanent file is established. AUDIT PROGRAM Preparation of the audit program concludes the Preliminary Review phase. This determination will be discussed with the Internal Audit Department before the audit program is written. etc. and work steps of an audit An aid to supervisor/manager making possible a reduction in the amount of direct supervisory effort needed Assistance in familiarising successive audit staff with the nature of work previously carried out • • • The program consists of specific directions for carrying out the assignment. (high risk/high exposure as opposed to high risk/low exposure or low risk/high exposure) • Policy: ○ During the preliminary review/internal control evaluation stage of the audit. It might also be useful in comparing the current year to the prior year or performing analyses.○ A Risk/Exposure analysis will involve determining the highest possible combined factors. the auditor will complete a schedule detailing the greatest risks and potential exposures and discuss with Internal Audit Department. The information in the file is not expected to change significantly from year-to-year. It should contain a statement of the objectives of the operation being reviewed. A permanent file should only be prepared for audits that we continually do or if the area audited is a system such as payroll. The audit program outlines the necessary steps to achieve the objectives of the audit within the defined scope as listed on the assignment sheet. A well-constructed program is essential to completing the audit project in an efficient manner. The audit program is a detailed plan for the work to be performed during the audit. • Process: ○ Permanent Audit Files A permanent file should give the auditor general knowledge about the audited entity.

) Preparation and Approval . The statement of objectives in the audit program shall correspond with the audit objectives stated in the assignment sheet.each of the listed controls the work steps required to test the effectiveness of those controls. from assignment through issuance of the final report. and (4) provide space for referencing the related audit working papers. This will provide the necessary control over this phase of audit work. Objectives The audit program shall contain a statement of the objectives of the area being reviewed. report writing and editing. preliminary survey. The auditor shall include an estimate of the hours necessary to complete the project. it enables the audit manager to control the audit work in process. quality assurance review. audit program Fieldwork . detailed steps (procedures) for achieving the audit objectives. Audit Steps A well-constructed audit program provides specific.Any revisions to the project time budget should be discussed with Internal Audit Department at the earliest possible time and. This budget will include all time necessary to complete the audit. Budget Revisions . etc. The preliminary review phase should be completed when no more than 25 percent of the total time budget has been depleted. The budget process will be broken down into two phases. Each project will have a time budget that will be approved by the audit manager and Internal Audit Department. A portion of the budget should be allocated for the planning process. In addition. audited entity's review. Standardised audit programs are available and should be used or modified to achieve the audit objectives. the remaining budget should be allocated to the rest of the audit and recorded on the Time Budget Summary. For purposes of overall control. FIELDWORK Evidential Matter Internal Audit Manual Page 31 . The detailed project time budget should be completed at the conclusion of the preliminary review.The project time budget should be prepared by the audit manager and approved by Internal Audit Department. the time budget should be broken down into the following general categories (more may be used if warranted): • • • • • Planning . report review. Internal Audit Department reviews the auditor's work to-date (preliminary review work) and then discusses any concerns or proposed program changes.audit manager's review.initial planning. Near the completion of the planning process. These objectives should be achieved through the detailed audit program steps. It is essential that we control our time carefully in order that it may be used in the most effective manner possible. exit conference. or set forth the recommendations that will be required to install needed controls. documented on the Time Budget Summary. Time Budget A project time budget provides overall guidelines for the performance of the audit.allocated to the various segments of the audit project Audit report and wrap-up . Standardised audit programs with specific audit steps for achieving objectives are available and should be used or modified. when approved by Internal Audit Department.

As internal auditors. Relevant information supports audit findings and recommendations and is consistent with the objectives for the audit. Useful information helps the organisation meet its goals. competent. relevant. Testing and Working Paper Documentation Policy/Purpose: Working papers serve both as tools to aid the auditor in performing his work. the condition of a large population by reviewing only a percentage of the total items. The type of sampling used and the number of items selected should be based on the auditors understanding of the relative risks and exposures of the areas audited. we are obligated by our professional standards to act objectively. Audit Sampling Audit sampling is performing an audit test on less then 100 percent of a population. Judgment sampling . In 'sampling' the auditor accepts the risk that some or all errors will not be found and the conclusions drawn (i. adequate.Evidential matter obtained during the course of the audit provides the documented basis for the auditor's opinions. and as written evidence of the work done to support the auditor's report. relevant. or necessary to use statistical sampling. findings. Types of Sampling: Statistical or probability sampling allows the auditor to stipulate. competent. relevant. Variables sampling . and useful information to provide a sound basis for audit findings and recommendation (see examining and evaluating information). Generally Accepted Auditing Standards define sufficient. The Internal Audit Department will use the papers to review the quality of the audit project and to evaluate the audit staff assigned to the work. exercise due professional care. with a given level of confidence. and recommendations as expressed in the audit report. other individuals may find it necessary to use the working papers. In addition to serving as a reference for the preparer when called upon to report findings or answer questions. or where it is not possible. Policy/Process: All audit testing will include sampling. and useful to provide a sound basis for audit findings and recommendations. all transactions were proper and accurate) may be wrong. and convincing so that a prudent. competent.Is used when it is not essential to have a precise determination of the probable condition of the universe. Several sampling techniques are available to the auditor.Is used when the auditor samples for values in a population which vary from item to item. • • • Attribute sampling . Internal Audit Manual Page 32 . Competent information is reliable and the best attainable through the use of appropriate audit techniques.e. and useful as follows: • • • • Sufficient information is factual. practical. The type and sample size shall be described in the program and approved by the Internal Audit Department. Information included in working papers should be sufficient.Is used when the auditor has identified the expected frequency or occurrence of an event. and collect sufficient. informed person would reach the same conclusions as the auditor.

referenced.Working papers must be confined to those that serve a useful purpose. try to avoid unnecessary listing and scheduling.Working papers must be able to "stand alone." This means that all questions must be answered. Indexing . Smaller papers should be fastened to standard working papers.All working papers should include the audit stamp. Those papers which remain useful should be made a part of the current working papers. They should be updated with current information. title of the audit. Qualities of Good Working Papers Good working papers should be: • Complete . and the Department's working papers may he subjected to their review. Well-organised working papers help to accomplish this goal. initialled. All schedules should have a purpose which relates to the audit procedures or recommendations. Tick-marks . A capital letter should be used to identify each segment of the audit. and other data may still be valid.The auditor should make full use of the working papers developed in the prior audit.The system of indexing audit working papers should be simple. all points raised by the reviewer must be cleared. an explanation of each tick-mark should be made on the schedule on which it appears. and purpose of the working paper. Also. Concise . date prepared. Neat . As these tick-marks have no special or uniform meaning in themselves. audit project number. Working papers should be cross-referenced to the Audit Findings. and a logical. Audit Findings should be cross-referenced to the exit conference memo and/or the audit report. Solid working paper documentation is essential for questions from these and other potential outside reviewers. External auditors review the work performed by the Department and evaluate the effect that its activities had on ABC Company's system of internal control. Forms and procedures should be included only when relevant to the audit or to an audit recommendation. title of the working paper. ABC Company management or other individuals who may have requested the audit require timely reports. and larger papers should be folded to conform to size restrictions.Cross-referencing within working papers should be complete and accurate. keep working papers economical. Allow for enough space on each schedule so that all pertinent information can be included in a logical and orderly manner. well-thought out conclusion must be reached for each audit segment. and dated by the current auditor. renumbered. to indicate final disposition of the item. preparer's initials. certain regulatory agencies monitor ABC Company operations. These references readily provide direct access to the working papers. Internal Audit Manual Page 33 . Carry forward . source of information. yet leave room for flexibility.The auditor makes frequent use of a variety of symbols to indicate work that has been done.Working papers should not be crowded. These symbols are commonly referred to as tick-marks. At the same time.The manager whose entity is being audited may use details included in the working papers to help implement corrective action to a problem or refute the assertion that a problem exists.All working papers should be of uniform size and appearance. • • • Working Paper Techniques Descriptive Headings . Cross-referencing should be done in the margins of audit report drafts. Uniform . In fulfilling their public responsibility. Cross-referencing . Flow charts. system descriptions. and Arabic numerals used to identify schedules within the segments.

. and description of related control points difficult to integrate in the narrative. This is especially true when including maps. Schedules. or analyses should include the following items: • • • • • • An explanation of its purpose (reference audit step) The methodology used to select the sample. • • • 3.Types of Working Papers All working papers should be maintained in binders. as well as its use. However. The following suggestions are offered for preparation of working papers using documents rather than the auditor's notes: • • • Indicate both the person and/or file that the document came from (source). Write-ups are often easier to use. make the calculation. etc. and as physical evidence to support a conclusion or prove the existence of a problem. and determining if tasks or records have been properly completed. which is needed for purposes of explanation or as documentation of a potential finding. procedure. The criteria used to evaluate the data The source of data and time frame considered A summary of the results of the analyses The auditor's conclusion 2. Copy and insert only that portion of the report. flow-charting (or a combination of write-ups and flow-charting) is an appropriate alternative. contracts. or flow charts in the papers. Describe such procedures or processes through the use of write-ups or flow charts or some combination of the two. if the system or process can be described clearly and concisely. or any of numerous other items. when write-ups would be lengthy. reports. 1. Process Write-ups and Flow charts In many audits. computer printouts. Schedules and Analyses Schedules and analyses are useful for identifying statistical trends. Each document should be cross-referenced either to the page or separate analysis where it was discussed. Fully explain the terms and notations found on the document. The choice of which method to use will depend on the relative efficiency of the method in relation to the complexities of the system being described. Documentation which is not of standard size should be mounted on standard size paper or referenced to a non-standard binder. analyses. and should be used. These explanations may be made on an attached preceding page or on the face of the document itself. and narratives should be filed in a standard binder. for clarification. forms. documents. engineering drawings. flow charts. Any copied document should serve a useful audit purpose. etc. invoices. These documents can be memos. Each record review. it is necessary to describe systems or processes followed by the audited entity. Documents larger than A4 size should be reduced when practicable. No document should be included in the working papers without an explanation of why it was included. flow charts. data schedule. verifying the accuracy of data. Flow charts conveniently Internal Audit Manual Page 34 . memo. Documents Copies or actual samples of various documents can be used as examples. Do not include the entire document in the working papers unless absolutely necessary. procedures. developing projections or estimations.

Identify sources of information quoted by interviewee. Any verbal information which is likely to support a conclusion in the audit working papers should be documented. They are concise and may be easier to analyse than written descriptions. then they should be documented. All findings should be documented immediately by the auditor discovering the situation. Each audit finding will have documented in the SECTION SUMMARY the following ATTRIBUTES 1. impromptu interviews. Organise notes by topic wherever possible. Cause (Why did it happen?) 5. and documenting the audit customer's opinions. the auditor shall summarise the audit findings. Interview notes should contain only the facts presented by the person interviewed. Observations used as supporting documentation should generally include the following items: • • • • Time and date of the observations Where the observations were made Who accompanied the auditor during the observations What was observed (when testing is involved. Interviews Most verbal information is obtained through formal interviews conducted either in person or by telephone. assessments. conclusions. Statement of Condition (What is!) 2. or rationale for actions. obtaining general knowledge of the audit subject. Effect (So what?) 4. Unfavourable findings shall be summarised on a Digest of Significant Findings working paper whether or not they are to be included in the audit report. the working papers should include the sample selections and the basis of the sample) 6. Observations What the auditor observes can serve the same purposes as interviews. and not include any of the auditor's opinions. STATING FINDINGS/CONCLUSIONS Upon the conclusion of the fieldwork. collecting data not in a documented form. consider the following suggestions: • • • • Be sure to include the name and position title of all persons from whom information was obtained. 5.describe complex relationships because they reduce narrative explanations to a picture of the system. This includes data gathered during casual conversations. or even casual discussions can often provide important information. If observations can be used to support any conclusions. Findings All audit findings must be documented in a SECTION SUMMARY (see next section) schedule in the working papers. and recommendations necessary for preparation of the audit report discussion draft. Criteria (What should be!) 3. 4. Formal interviews are most desirable because the interviewees know they are providing input to the audit. Interviews are useful in identifying problem areas. They are especially useful for physical verifications. Indicate when and where the meeting occurred. Recommendation (What should be done?) Internal Audit Manual Page 35 . however. In preparing interviews for working papers.

performance. failure to identify the cause in a finding may also mean the cause was not determined because of limitation or defects in audit work. In audits of efficiency. In operational audits. but they are sometimes appropriate in summary reports to direct top management's attention to compliance-type findings disclosed in several areas. economy. or consideration be given) should not be used in the audit report. policies. contractual agreements.. 3. operation. criteria could be accuracy. Statement of Condition The condition identifies the nature and extent of the find or unsatisfactory condition. and other command media.g. or function statements. criteria might be defined in mission. units of production. procedures. If a relationship exists. 4. value. number of personnel. the recommended action will most likely be feasible and appropriately directed. and answers the question: "Why did it happen?" If the condition has persisted for a long period of time or is intensifying. Identification of the cause of an unsatisfactory condition or finding is a prerequisite to making meaningful recommendations for corrective action.g. 2. greater attention be given. a clear and accurate statement of condition evolves from the auditor's comparison or results with appropriate evaluation criteria. potential or intangible effects can sometimes be useful in showing the significance of the condition. However. The cause may be quite obvious or may be identified by deductive reasoning if the audit recommendation points out a specific and practical way to correct the condition. the contributing causes for these characteristics of the condition should also be described. These are frequently expressed in quantitative terms. controls be re-emphasised.. or compliance with applicable accounting principles and legal or regulatory requirements. program objectives. or other external sources of authoritative criteria. Recommendations This final attribute identifies suggested remedial action and answers the question: "What should be done?" The relationship between the audit recommendation and the underlying cause of the condition should be clear and logical. Criteria This attribute establishes the legitimacy of the finding by identifying the evaluation criteria and answers the question: "By what standards was it judged?" In financial and compliance audits. and program results (effectiveness). More generalised recommendations (e. or was omitted to avoid direct confrontation with responsible officials. are appropriate measures of effect. or elapsed time. Internal Audit Manual Page 36 . consistency. or not attaining program objectives (effectiveness). quantities of material.1. e. 5. number of transactions. How the change will be made is the audited entity's responsibility. Recommendations in the audit report should state precisely what needs to be changed or fixed. It often answers the question: "What was wrong?" Normally. materiality. Effect This attribute identifies the real or potential impact of the condition and answers the question: "What effect did it have?" The significance of a condition is usually judged by its effect. If the real effect cannot be determined. and cost standards. production. a study made. Cause The fourth attribute identifies the underlying reasons for unsatisfactory conditions or findings. reduction in efficiency and economy.

Audit Programs. FINDINGS. comments. Quality Assurance Policy All working papers shall be independently reviewed to ensure there is sufficient evidence to support conclusions.Unless benefits of taking the recommended action are obvious. Determine Permanent Audit File's compliance with department standards. adequately document and support the OPINIONS. and what the auditors think should be done to correct the situation. Determine working paper's compliance to department working paper standards. EXCEPTION: If the Audit Manager is the only staff member assigned to the audit/task then the detailed review shall be performed by department administration or an assigned Quality Assurance staff person. the significance of its impact. the cause of the condition. Recommendations should be directed to an individual capable of taking action. on a Working Paper Review Notes form. • • • • • Internal Audit Manual Page 37 . Determine report(s) compliance with department report standards. this review would be for their benefit only and therefore this document SHALL NOT be a part of the working papers. and RECOMMENDATIONS stated in the report. the working papers support the steps performed. However. document the extent of audit work performed. Review working papers from the report(s) to the digest to the working paper summaries to the detailed working papers to ensure that all findings are stated. The cost of implementing and maintaining recommendations should always be compared to risk. A less comprehensive review shall be conducted by Internal Audit Department or an assigned Quality Assurance staff person. and ensure that all audit objectives have been met. etc. Draft Report) and completing the "Quality Assurance Review form. Initialling (Director/Quality Assurance staff person and the Audit Manager) working papers (Section Summaries. as well as substantiate compliance with applicable auditing standards. Policy/Process Audit findings will include: the nature of the findings. they should be stated. 6. the criteria used to determine the existence of the condition. Quality Assurance Review Process In performing the review the reviewer should: • Review working papers from audit program steps to the referenced working papers ensuring cross-referencing is proper. NOTE: Auditors are encouraged to perform an "informal" self-review of their working papers. QUALITY ASSURANCE The purpose of "quality assurance" is to provide reasonable assurance that audit work performed by ABC Company . Record any deficiencies. A detailed review shall be conducted by the Audit Manager for assigned staff's working papers.Internal Audit conforms to Generally Accepted Auditing Standards." will serve as documentation of the review process and will be filed with the working papers. and all steps have been completed (or why steps were not completed).

as well as a cursory grammatical and consistency review. the Report Reviewer will perform a spell check. GENERAL STANDARDS FOR WORKING PAPERS Functions of Working Papers • • • Support auditor's opinion Aid in the conduct and supervision of the engagement Provide a record of: 1. the purpose of the working papers. assigned Auditor(s) and Director will review and sign the final report. cursory grammatical. and Reviewer. Test performed 3." the working papers will be forwarded to Internal Audit Department." and approve the draft report for the exit conference. A descriptive heading Internal Audit Manual Page 38 . etc. and consistency review. what findings were made. then print out the FINAL version of the report. then complete the relevant parts of the "Quality Assurance Review form. Procedures applied 2.• • The auditor(s) who prepared the working papers will then respond (if necessary) to these points on the same form. The Audit Manager. • • • • • NOTE: The working papers and report will be factors used in the Performance Evaluation process. Internal Audit Department will review the working papers and discuss the findings and review comments with the Assigned Auditor. how and from where samples were selected. Audit Manager. • Each item in the working papers should contain: 1. No significant questions within the scope or related to the objective of the audit Completeness of Working Papers • should go unanswered 2. After exit conference amendments. Working papers must "stand alone." in that they clearly state what work was performed. Pertinent conclusions reached • Provide evidence that the audit was conducted in accordance with Generally Accepted Auditing Standards Working papers should be accurate and complete 1. The assigned auditor will forward a copy of the draft report to the audited entity prior to the exit conference. Information obtained 4. The Report Reviewer will perform a pre-exit conference edit check for spelling. After the reviewer has "cleared" the points and completed (initialled) the "Quality Assurance Review form.

Audited Entity Financial Statements 6. Announcement Letter 4. Consistent. Audit Program 7. summaries. schedules. Section Summaries for each audit program section 8. Data stored on tapes. interviews. and useful to provide a sound basis for audit findings and recommendations 1. Contact List 5. Quality Assurance Review 6. Draft Report 4. but may not be considered mandatory for all assignments: 1. disk. Memoranda. letters of confirmation or representation 3. Arranged in a uniform style • Working papers should prove that standards have been followed such as: 1. Interim Memoranda and Meetings Internal Audit Manual Page 39 . Assignment Form 3. or other media • The working papers listed below constitute the minimum REQUIRED support for an assignment 1. Audit programs. films. Digest of Significant Findings 5. computations. Identification of source if not obvious 3. neat. The date of preparation and the auditor's initials 4.2. Adequate planning and supervision 2. Final Report • The following working papers should generally be prepared. Permanent Audit File 2. The index number of the work paper • Working papers should be sufficient. not crowded 2. Worksheet or Lead Schedules 9. relevant. competent. or analysis prepared or obtained 2. Summary of Audit Objectives and Time Control 3. Working Papers Index 2. Adequate review of internal control 3. Sufficient competent evidential matter Examples of Working Papers • Working papers may include any or all of the following: 1. Only essential items included 3.

Internal Audit Manual Page 40 . • • • • REPORTING AND FOLLOW-UP The most successful audit projects are those in which the audited entity and the Internal Auditors have a constructive working relationship. Opinion (where appropriate) are supported by audit findings. so that the audited entity understands what we are doing and why we are doing it. clear.. and timely. Draft Report is referenced to the working papers.7.) Audit objectives are stated clearly and in agreement with those stated in the announcement letter or Audit Assignment form (if no announcement letter sent). Background contains mission and other information of value to reader.Policy. transactions. what period. etc. Report title specifically states what was audited. Report is copied to right people (at a minimum this should be the Vice President in Internal Audit reporting line. followed-up on. The auditor presents to appropriate management a draft of the final report for discussion before issuance of the final report. documents. if applicable.Is stated in first sentence Effect . constructive. reporting line. Reports are objective.how did it happen (if known) ○ Recommendation • Recommendations are specific enough so the audited entity understands what is expected. If appropriate. etc.potential or actual exposure to ABC Company ○ Criteria . etc. something that can be accomplished. and limitations. Findings are presented clearly and contain the following elements: ○ Indexing of Working Papers GENERAL STANDARDS .REPORT(S) • • • • • Statement of Condition . cost beneficial. ○ ○ Cause . and the report addressee's direct supervisor. Scope clearly states what we examined including. a Management Letter may be issued. Our objective is to have the audited entity's continuing involvement as well as communication at every stage. Exit Conference Record Cross-Referencing of Working Papers • • • • • • • All significant amounts and items should be cross-referenced Every page should have an index number The index should be simple The index should be capable of infinite expansion Reports conform to the department format guidelines. concise.

This letter will contain suggestions for improving controls. The audited entity's response is included in Internal Audit's annual report to the Board of Directors.Do not disclose information in this document. and Follow. Internal Audit ALWAYS discusses the rough draft with the audited entity prior to issuing the final report. our reports must clearly and persuasively convey the results of our audits and convince readers to recognise the validity of the findings and the benefit of implementing any recommendations. Internal Audit prints and distributes the final report to the audited entity's operating management. certain reports will contain information that SHOULD NOT BE DISCLOSED OUTSIDE OF THE AREAS RECEIVING THE REPORT." on each page. and anything Internal Audit Department feels needs to be in writing. This report is primarily for internal ABC Company management use. The Internal Audit Director's approval is required for release outside of ABC Company. Therefore. when and how report findings will be resolved with an implementation timetable. The audited entity should explain. the audit process is similar for most engagements.Although every audit project is unique.REPORTS Although Internal Audit reports are internal documents exclusively for the use of ABC Company. Transmittal Letter and Management Letter Our principal product is the final report in which we express our opinions about the audit findings and discuss our recommendations for improvements. Audit Report. To facilitate communication and ensure that the recommendations presented in the final report are practical. in order for Internal Audit to be effective. We encourage the audited entity to copy this response to all recipients of the final report. Policy Audit reports will be classified as CONFIDENTIAL if they meet the following criteria: • • Report discloses a weakness (potentially resulting in a loss) which has not been corrected at the time of distribution Report discloses sensitive information which could prove an embarrassment to ABC Company (if made public) Report discloses information classified as "restricted data" At the discretion of the Director of Internal Audit • • Audit reports classified as CONFIDENTIAL will contain the words CONFIDENTIAL REPORT on the title page and the footnote "Confidential . The results of the audit are also included in the Internal Audit's annual report to the Board of Directors. A management letter written to and distributed to only the audited entity manager may be issued.up Review. Internal Audit Manual Page 41 . Fieldwork. in the written response. The audit process normally consists of four stages: Preliminary Review. operations. The first page (transmittal letter) of the report is a letter requesting the audited entity's written response to the report recommendations within 30 days. the audited entity's reporting supervisor. CONFIDENTIALITY . Audit Report. the Finance Director and other appropriate members of senior ABC Company management. Process The Audit Manager will discuss their recommendation and rationale regarding the classification of a report when it is given to the Director of Internal Audit for initial review.

At this time. Internal Audit Manual Page 42 . additions. and the follow. the final report is issued. and other appropriate members of ABC Company management. When the changes have been reviewed by Internal Audit Department and the audited entity. The results of all report findings and recommendations. taking into account any revisions resulting from the exit conference and other discussions. Input in Board of Directors Report The establishment of a clear reporting structure with the Board of Directors enhances Internal Audit's independence and strengthens our ability to function freely within ABC Company. Try to anticipate potential questions/conflicts Go through verbal recommendations: Discuss the following and go through report and management letter: ○ Do they want to respond after receiving the final report or would they like their response either included or attached to the final report (department preference is to include or attach the audit response with the final report)? ○ A follow-up will be done within one year to review action taken. comments. ○ Where there any questions about the scope and objectives? ○ Are there any questions about the opinion? ○ Are there any questions. the response from the audited entity. It also provides us the opportunity to acquaint the Board with any critical audit findings or issues. our assessments of operations during the past year. goals and plans for the next fiscal year. and any inaccuracies or impractical recommendations resolved to the extent possible.EXIT CONFERENCE After the draft report has been approved by Internal Audit Department. The report is then printed in final by the report reviewer and distributed to the audited entity's reporting supervisor. and text of the draft. response. This report is primarily for internal ABC Company management use. or deletions on background? ○ Any comments or questions about other sections (go through each)? ○ General comments about audit process? CLOSING OF THE AUDIT The auditor then prepares a draft. The Internal Audit Director's approval is required for release outside of ABC Company. recommendations. ○ Exit conference agenda Results of audit. the audited entity comments on the draft report. the auditor(s) meet with the audited entity's management team to discuss the findings. Pre-exit conference items • • • • • There should be no surprises . and our concerns. the Finance Director.everything in the draft should have been discussed during the fieldwork. Be sure you can easily find supporting documentation for findings in the working papers in case questions arise at the exit conference. and follow-up will be included in our annual report to the Board of Directors.up shall be reported in an annual report to the Board of Directors.

client response.the follow-up review will note this as an unresolved finding. inspection of physical operations. • • • • Internal Audit Manual Page 43 . managers may choose not to implement an audit recommendation and to accept the risks associated with an audit finding . Ascertain the extent to which ABC Company assets are accounted for and safeguarded from losses. and compliance with applicable laws and established ABC Company policies and procedures. planned missions are accomplished effectively and the organisation's objectives are being achieved. the follow-up review results will also be included in the Internal Audit Annual Report to the Board of Directors. current condition. The actions taken to resolve the findings shall be reviewed and may be tested to ensure that the desired results were achieved. Direct and coordinate analysis of operating departments and functions and make recommendations to promote maximum managerial effectiveness and operational efficiency when appropriate. resources are used efficiently and economically. and the continued exposure to ABC Company. confirmation of accounts.Audit Feedback Questionnaire An audit feedback questionnaire will be sent to the audited entity immediately after an audit report (excluding cash count and follow-up reports) has been issued. and investigations of irregularities and errors. audit recommendation. Unresolved findings will also appear in the report and will include a brief description of the finding. PERSONNEL JOB DESCRIPTION: DIRECTOR OF AUDIT Reports To: Board of Directors. Questionnaires returned shall be recorded and summarised. Follow-up Review Within one year of the final report. The follow-up report will list the actions taken by the audited entity to resolve the original report findings. established standards met. In addition to the original report recipients and other officials as deemed appropriate. In some cases. Supervise examination and analysis of records to insure the effectiveness of accounting and managerial controls at reasonable cost. accuracy of transactions. Finance Director SUMMARY: Direct and coordinate internal auditing within ABC Company as an independent appraisal of the various operations and systems of control to determine if acceptable policies and procedures are followed. Internal Audit shall perform a follow-up review of audited entities to ascertain the resolution of the report findings. DUTIES AND RESPONSIBILITIES: • Supervise and coordinate internal audit programs of ABC Company accounting and financial operations to include the review of accounting procedures. Counsel and guide auditors to ensure that approved audit objectives are met and practical coverage is achieved.

Represent ABC Company at professional organisations. Make recommendations for improved fiscal management systems. Serve in advisory capacity for ABC Company officials. Determine fiscal requirements of internal auditing operations and prepare budgetary operations. including recommendations for improvements. • • • • • • • • • • • • • • • • • • JOB DESCRIPTION: ASSOCIATE DIRECTOR OF INTERNAL AUDIT Reports To: Internal Audit Director SUMMARY: Provide administrative and supervisory support to the Director for the coordination and administration of system-wide audits. Monitor. Perform other duties incidental to the work described herein. Monitor work performance for accuracy and completeness to ensure compliance with established departmental objectives.• Identify those activities subject to audit coverage. Internal Audit Manual Page 44 . procedures. schedule. the planning and development of department operations. Perform special reviews as requested by the Finance Director. evaluating their significance and assessing the degree of risk inherent in the activity in terms of cost. but not limited to hiring. Authorise the publication of reports on the results of audit examinations. verify. merit recommendations. Provide executive management with annual reports on the results of audit activities. associations. Review ABC Company policy and structural changes that might alter audits and coverage. Train and instruct supportive staff. Appraise the adequacy of corrective action taken by operating management and prepare a variety of related reports and analysis. transfers. Serve on various ABC Company committees. and dismissals. and the supervision of department staff. appraising policies. standards of performance. and quality. Supervise audit participation and participate in systems and procedures development and testing. Contact with staff. and plans relating to the activity of function. vacation schedules. Serve as liaison with many departments and offices to assist with problems and determine need for audits. Supervise review of procedures and records for their adequacy to accomplish intended objectives. Recommend and develop internal auditing policies. promotions. and committees. Direct various personnel functions including. and programs. outside businesses and agencies regarding ABC Company audit related or business problems. Review and ascertain the reliability of management data developed within the organisation. and reconcile expenditure of budgeted funds.

DUTIES AND RESPONSIBILITIES: • • Supervise professional staff by evaluating performance. Manage day-to-day office operations such as ensuring audits are on schedule. Maintain knowledge of current accounting and auditing practices through continuing professional education. Serve as department head in the absence of the Director and assist the Director with budget planning. Continue to develop expertise in specialised areas to advise other auditors or ABC Company units. Attend entrance and exit conferences for audits in the absence of the Director. Assist the Director in developing an audit plan that provides for the effective audit coverage of ABC Company systems based on an assessment of potential risk and exposure to ABC Company. Determine the direction and extent of audits. Maintain an effective liaison with ABC Company managers and external auditors to coordinate audits of ABC Company records. • • • • • • • • • • • • • • • • JOB DESCRIPTION: INFORMATION SYSTEMS AUDIT MANAGER Reports To: Internal Audit Director SUMMARY: Using specialised knowledge of accounting. Review audits to ensure that they are conducted according to audit standards. Provide guidance. Survey functions and activities of units to evaluate nature of operations and existence and adequacy of internal controls. and electronic data processing (EDP) to perform audits of adequacy of internal controls and the accuracy of institutional data in ABC Internal Audit Manual Page 45 . and assignment forms are issued. and that procedures are properly documented to support audit findings. training. Appraise the adequacy of departmental replies to audit reports. Assist the Director in developing and implementing new and revised department policies and procedures necessary for providing internal auditing services to all entities within ABC Company. auditing. and terminating when necessary. Design technically complex audit programs for specialised computer software to retrieve information from ABC Company computer systems. and assistance to auditors. Perform other related duties incidental to the work described herein. Recommend to ABC Company Administration control issues that should be addressed with ABC Company Institutional policies. Serve on various ABC Company committees in an advisory capacity. sufficient evidence is obtained. weekly time reports are submitted. Certify financial reports at the request of external agencies. hiring. Plan and prepare formal written reports addressed to department managers or external agencies.

business administration. assess potential risk. Verify that users and computer operation's staff have been trained in the system functions and controls 3.Company's data processing areas. ABC Company policies. the accuracy of institutional data. Assign work and supervise EDP audit staff (when applicable) so that the audit is conducted in a professional manner and the audit objectives are accomplished. the related network links and the supporting computer data centres. 2. Provide guidance. etc. Draft written reports expressing opinions on the adequacy and effectiveness of system controls. analyse and summarise data to support an objective informed opinion on the adequacy and effectiveness of internal controls. Ensure that adequate controls are established and installed to meet management objectives. Recommend changes in policies and procedures to enhance controls or correct deficiencies. • • Appraise the adequacy of replies to final audit reports and perform post-audit reviews to determine the extent to which audit recommendations have been implemented. training. computer and network security. Four years experience as an EDP auditor. and a certificate or licensing for CPA and/or CIA. the accuracy of institutional data. maintaining library of standard audit programs. and assistance to staff auditors in using computerised audit techniques. and government regulations so that audits are conducted professionally and in accordance with department standards. Page 46 • • • Internal Audit Manual . etc. system design. Provide support to internal auditors in the development of computer-assisted audit techniques. Obtain sufficient competent and relevant evidential matter. Determine whether level of security is appropriate 4. Stay current with technical changes in auditing. accounting. and prepare detailed audit program describing tests to be performed. 2. 1. finance or computer science. and knowledge of computer environment similar to the one at ABC Company. Verify that backup and recovery procedures are complete • Perform audits of existing financial and security applications. DUTIES AND RESPONSIBILITIES: • Participate in the development of new ABC Company system applications to: 1. and exposure to ABC Company. and the level of compliance with ABC Company policies. 3. Requirements needed for this position are a minimum of an undergraduate degree in accounting. Serve on various ABC Company committees addressing such items as data access. Review working papers and conduct performance appraisals so that standards are complied with and evaluations can be accurately completed. and the level of compliance with relevant policies and procedures. and efficiency of ABC Company's information (EDP-based) systems. data processing. effectiveness. administering the department's computer network. Attest to the accuracy. laws and contractual obligations regarding privacy and security in data processing areas. Based on a review and evaluation of current internal controls. two years experience as a financial auditor. Determine level of compliance with institutional policies and procedures.

Use specialised knowledge to retrieve information from ABC Company mainframe computers. and in a manner consistent with both ABC Company objectives and high standards of administrative practice. Page 47 • • • • • • • • • Internal Audit Manual . This includes performing advanced and complex analytical procedures and recommending material adjustments (i. and control activities in compliance with managerial guidelines. Prepare and evaluate working papers supporting opinions presented in the report to administration and external agencies. Maintain an effective liaison with managers and external auditors to coordinate audits of ABC Company records. DUTIES AND RESPONSIBILITIES: • Plan and perform complex. safeguard ABC Company assets. and electronic data processing. Analyse evidential data as a basis for an informed. Conduct special reviews requested by administration. technical financial and managerial audits of ABC Company operations in accordance with accepted professional standards. promote efficiency. Perform audits of ABC Company operations to ensure effectiveness of accounting and managerial controls and accuracy of recorded data. to ABC Company financial statements). which may include statistical sampling and electronic data processing.• Develop an EDP audit plan that provides for the effective audit coverage of ABC Company's EDP application systems based on an assessment of potential risk and exposure to ABC Company. Prepare the program and establish procedures. Develop an audit plan that provides for the effective audit coverage of ABC Company operations. Determine whether areas reviewed are performing their planning. Survey functions and activities of units to evaluate nature of operations and existence and adequacy of internal controls. Exercise professional judgment to determine materiality of findings and adequacy and effectiveness of the operation. and monitor compliance with applicable laws and ABC Company policies and procedures. objective opinion.e. Appraise the adequacy of replies to audit reports and perform post-audit reviews to determine the extent to which audit recommendations have been implemented. Determine the direction and extent of assigned audits. Monitor performance of staff and evaluate performance of supervised staff. auditing. informed opinion on the accuracy and fairness of financial statements. Arrive at independent decisions concerning recommendations for administration. Prepare comprehensive reports addressed to campus and ABC Company administration and external agencies. Establish audit procedures involving statistical sampling and electronic data processing. custodial. Supervise and direct staff assigned to assist on audits. applicable statements of policy and procedures. plan and conduct complex and technical financial and managerial audits of ABC Company operations. Obtain and analyse data to provide an objective. accounting. based on an assessment of potential risk and exposure. JOB DESCRIPTION: AUDIT MANAGER Reports To: Internal Audit Director / Associate Director SUMMARY: Using specialised knowledge of accounting.

Draft audit reports containing the results of the audit. participate in audits of ABC Company's information systems. Page 48 • • • Internal Audit Manual . and sufficiency of evidence to support opinions and findings presented in audit reports. competent. Perform post-audit reviews to determine the extent to which audit recommendations have been implemented. • Exercise professional judgment to determine adequacy of controls. and contract requirements. and related resources/processes to determine the adequacy of general and application controls and to assess compliance with applicable policies. materiality of findings. streamline processes. Plan and prepare formal written reports addressed to managers or external agencies. and perform post-audit reviews to determine the extent to which audit recommendations have been implemented. Write/develop computer assisted audit techniques (CAATs) to extract and manipulate data from complex computer systems and to facilitate audit compliance and substantive testing procedures. designing audit programs/procedures to assess their adequacy. Review and evaluate the adequacy of the overall accounting and non-accounting controls of computerised information systems residing on departmental computers. recommendations. identifying the relevant automated controls to include in the audit scope. including findings. procedures. LANs. opinions. recommend changes in policies and procedures to enhance controls or correct deficiencies. • • • • JOB DESCRIPTION: INFORMATION SYSTEMS AUDITOR Reports To: Information Systems Audit Manager SUMMARY: Using specialised knowledge of auditing and information technology. systems development processes. This requires a general understanding of departmental activities in relation to computerised information systems under review.• Discuss deficiencies and recommend corrective actions to improve operations and reduce costs. objective opinion and preparing comprehensive reports addressed to ABC Company administration. Prepare working papers containing sufficient. DUTIES AND RESPONSIBILITIES: With guidance from the Information Systems Audit Manager. Where appropriate. plan and conduct audits in accordance with applicable professional and office standards. Assist financial and operational auditors in applying information systems audit principles and concepts. enhance information integrity. This entails analysing evidential data as a basis for an informed. Discuss deficiencies with management and recommend actions to improve controls. Appraise the adequacy of replies to final audit reports. and documenting the impact of strengths or weaknesses to current audit procedures/objectives. Continue to develop expertise in specialised areas to advise other auditors or ABC Company units. and relevant evidence to support findings and opinions in audit reports. statutes. Maintain knowledge of current accounting and auditing practices through continuing professional education. Perform general administrative tasks including those assigned by the Director. and reduce costs.

network. With guidance from the audit manager. and control activities in compliance with managerial guidelines and applicable statements of policy and procedures. determine the direction and extent of assigned audits. Excellent planning. Preferred: Certification preferred. informed opinion on the accuracy and fairness of financial statements. One year of related work experience in information systems auditing or related field (e. Ability to communicate effectively with individuals and groups at all organisational levels. This includes performing analytical procedures and recommending adjustments to ABC Company financial statements. and interpersonal skills. • • QUALIFICATIONS: • • • • • • JOB DESCRIPTION: AUDITOR Reports To: Director of Internal Audit Department SUMMARY: Provide assistance to the audit manager in performing financial and managerial audits of general ABC Company operations. or development). writing.. analysis.g. CPA. Familiar with diverse computing environments and architecture. ACCA. Aid the audit manager in determining whether areas reviewed are performing their planning. Required Degree in business. Familiar with operations. custodial. (e. information systems analysis.g. Provide in-house information systems audit and technical training for internal audit staff. organisation. including mainframe.• • Assist in administering and supporting the Internal Audit Local Area Network (LAN). Obtain and analyse data to provide an objective. research. The duties include analysing evidential data as a basis for an informed. accounting. and personal computers. Prepare the program and establish procedures which may include statistical • • Internal Audit Manual Page 49 . data processing. Perform other duties as assigned. accounting. and accounting practices and ABC Company policies and government regulations. objective opinion and preparing comprehensive reports addressed to ABC Company administration and/or external agencies. policies. CIA) Proficient in providing mainframe and PC support to internal audit staff using computerised audit tools to retrieve and analyse data stored on mainframe and departmental systems. Maintain knowledge of current auditing. or information systems discipline or equivalent combination of education and experience. DUTIES AND RESPONSIBILITIES: • • Participate in performing financial and managerial audits of general ABC Company operations in accordance with accepted professional standards. Able to work in a team-oriented environment. client-server.. and in a manner consistent with both ABC Company objectives and high standards of administrative practice. and procedures in ABC Company environment.

Exercise professional judgement to determine materiality of findings and adequacy and effectiveness of the operation. Working papers Technically Correct (Dept Standards) 5. promote efficiency. and monitor compliance with applicable laws and ABC Company policies and procedures. Audit Completed Timely 3.sampling and electronic data processing. Prepare working papers supporting opinions presented in the report to administration and external agencies. Assist in the performance of special reviews requested by administration. Second. First. Perform post-audit reviews to determine the extent to which audit recommendations have been implemented. Performance Evaluation Policy All Internal Audit full-time appointed employees will have an evaluation of their work performance at least every semester and once a fiscal year. Audit Within Budget hours 4. salary evaluation. Assist in the review and evaluation of the overall accounting and non-accounting controls of computerised information systems residing on departmental computers. Perform other related duties incidental to the work described herein. it will be used for employee development. Plan and prepare formal written reports addressed to department managers or external agencies. safeguard ABC Company assets. Total Chargeable Hours at department standard 2. Audits Performed according to standards Internal Audit Manual Page 50 . The results of these evaluations will be the primary means for administrative decisions. Discuss deficiencies and recommend corrective actions to improve operations and reduce costs. or remedial action. This requires a conceptual understanding of the departmental activities in relation to computerised information systems under review. Specific factors that will be considered in the annual Performance Evaluation shall include: • Audits 1. Performance Evaluation Process The evaluation process will be a twofold approach (interim evaluation and annual evaluation). • • • • • • • PERFORMANCE EVALUATION Performance evaluation will serve two major functions in our department. The feedback that employees receive from the appraisal process should provide them with information they can use to improve job performance. • Participate in audits of ABC Company systems to ensure effectiveness of accounting and managerial controls and accuracy of recorded data. performance appraisal provides bottom-line evaluations of employees that can be used for administrative decisions such as promotion. Maintain knowledge of current accounting and auditing practices through continuing professional education. These evaluations will be performed in September and March respectively. recommendation for training.

precisely and informatively 2. Keeps current on ABC Company Policies and Processes 2. Puts success of team above own interests • Written Communication 1.6. Requires minimal supervision 5. Responds well to questions 4. Keeps others adequately informed • Innovation 1. ACCA 5. Competent in required job skills and knowledge 2. Hours at Audited Entity Location • Professional Knowledge 1. Speaks clearly and persuasively 2. Displays understanding of how job relates to others • Professional Development 1. Scope. Exhibits ability to learn and apply new skills 3. Keeps current on ABC Company systems 3. Demonstrates group presentation skills 5. Writes clearly. Participates in available Continuing Education 4. Follows standards for presenting elements of findings 5. CPA. Objective and Opinion consistent w/ work done 6. Gives and welcomes feedback 4. Keeps current with Accounting and Auditing trends • Teamwork 1. Exhibits sound and accurate judgment 4. Edits work for spelling. Meets challenges with resourcefulness 3. Selects and uses appropriate communication methods • Oral Communication 1. Exhibits objectivity and openness to others' views 3. Contributes to building a positive team spirit 5. grammar. Generates suggestions for improving work 4. Develops innovative approaches and ideas Internal Audit Manual Page 51 . Listens and gets clarification 3. Balances team and individual responsibilities 2. Participates in meetings 6. Certified as CIA. Varies writing style to meet needs 4. and format 3. Displays original thinking and creativity 2.

Accepts criticism and feedback 4.General comments could be made in the following areas: • Adaptability 1. Works within approved budget 2. Responds to requests for service and assistance Page 52 Internal Audit Manual . Develops and implements cost saving measures 4. Begins working on time 3. Arrives at meetings and appointments on time • Cooperation 1. Responds promptly to customer needs 5. Synthesises complex or diverse information 2. Displays positive outlook and pleasant manner 4. Offers assistance and support to co-workers 5. Designs work flows and procedures • Attendance & Punctuality 1. Works actively to resolve conflicts • Cost Consciousness 1. Changes approach or method to best fit the situation • Analytical Skills 1. Displays courtesy and sensitivity 2. Establishes and maintains effective relations 2. Collects and researches data 3. Contributes to profits and revenue • Customer Service 1. Uses intuition and experience to complement data 4. Adapts to changes in the work environment 2. Manages difficult or emotional customer situations 3. Conserves organisational resources 3. Exhibits tact and consideration 3. Identifies data relationships and dependencies 5. Keeps absences within guidelines 4. Works cooperatively in group situations 6. Meets commitments 4. Solicits customer feedback to improve service • Dependability 1. Manages competing demands 3. Schedules time off in advance 2. Ensures work responsibilities are covered when absent 5.

Includes appropriate people in decision making process 3. Commits to doing the best job possible 6. Includes subordinates in planning 3. Asks for help when needed • Judgment 1. Supports organisation's goals and values 4. Undertakes self-development activities 3. Exhibits confidence in self and others 2. Takes responsibility for own actions 5. Looks for and takes advantage of opportunities 6.2. Inspires respect and trust 3. Dresses appropriately for position Page 53 Internal Audit Manual . Volunteers readily 2. Responds to management direction 4. Motivates others to perform well • Managing People 1. Supports affirmative action and respects diversity • Personal Appearance 1. Follows instructions 3. Seeks increased responsibilities 4. Takes independent actions and calculated risks 5. Makes self available to subordinates 5. Completes administrative tasks correctly and on time 3. Follows policies and procedures 2. Keeps commitments 7. Takes responsibility for subordinates' activities 4. Meets attendance and punctuality guidelines • Initiative 1. Benefits organisation through outside activities 5. Reacts well under pressure 4. Provides direction and gains compliance 2. Shows courage to take action 5. Displays willingness to make decisions 2. Provides regular performance feedback 6. Develops subordinates' skills and encourages growth • Organisation Support 1. Makes timely decisions • Leadership 1.

2. Keeps self well-groomed

Planning & Organisation
1. Prioritises and plans work activities

2. Uses time efficiently 3. Plans for additional resources 4. Integrates changes smoothly 5. Sets goals and objectives
6. Works in an organised manner •

Problem Solving 1. Identifies problems in a timely manner
2. Gathers and analyses information skilfully

3. Develops alternative solutions 4. Resolves problems in early stages 5. Works well in group problem solving situations

Project Management 1. Develops project plans 2. Coordinates projects 3. Communicates changes and progress 4. Completes projects on time and budget 5. Manages project team activities

Quality 1. Demonstrates accuracy and thoroughness 2. Displays commitment to excellence 3. Looks for ways to improve and promote quality 4. Applies feedback to improve performance 5. Monitors own work to ensure quality

Quantity 1. Meets productivity standards 2. Completes work in timely manner 3. Strives to increase productivity 4. Works quickly 5. Achieves established goals

Safety & Security 1. Observes safety and security procedures 2. Determines appropriate action beyond guidelines 3. Uses equipment and materials properly 4. Reports potentially unsafe conditions

Sales Skills
Page 54

Internal Audit Manual

1. Achieves sales goals 2. Overcomes objections with persuasion and persistence 3. Initiates new contacts 4. Maintains customer satisfaction 5. Maintains records and promptly submits information

TRAINING AND PERSONAL DEVELOPMENT
Certification Programs One aspect of professional development is obtaining professional certification as a Certified Public Accountant, Certified Internal Auditor, Certified Information Systems Auditor, or Certified Fraud Examiner. To increase the professionalism and credibility of the audit staff, the department supports employees' efforts in achieving certification through obtaining study aids and providing reimbursement for sitting for exams. Support is also given by making study time available during working hours and allowing time off to sit for exams. Professional certification is a factor used in the department's annual employee performance appraisal. Professional development through certification, membership, and participation in professional organisations is encouraged. Internal Audit Department funds may be available and budgeted to support this activity. Continuing Education Internal Audit has a responsibility to provide for the most effective use of available continuing education funds in supporting staff member requests for professional training. Process: •

Auditors should review seminar material. Staff members who desire to attend a particular seminar should (if total expenditures will exceed €100) complete the above mentioned form. (Requests to attend seminars that will cost less than €100 can be communicated informally to the Director.) The Director will make the decision for the expenditure based on availability of funds and the staff members’ current professional development responsibilities and requirements in maintaining their technical competence and proficiency.

ADMINISTRATIVE PROCEDURES
MANAGEMENT OF AUDIT RESOURCES
The principal resource that Internal Audit has to accomplish its mission is the amount of available staff hours. Therefore, it is paramount that we have a process that will provide the information necessary to effectively manage this resource. Audit Resource Reporting Policies All professional training requires prior approval of the Internal Audit Director. The departmental standard for staff hours is expected to charge to projects each year is 1,500 hours. Auditors shall perform fieldwork at the audited entity location whenever possible. All staff members will submit a weekly progress report, using the electronic Audit Reporting and Management System (ARMS) detailing the hours spent on assigned projects. The MISCELLANEOUS UNBUDGETED TASK will be used to list duties that you performed that were not budgeted and for days that you were not in the office because of paid time off or sick time. Progress reports must be completed by Friday 6:00 p.m.
Internal Audit Manual Page 55

Projects will be reported in half-hour increments using the project control numbers assigned by the director. The comments field will be used to provide a brief description of the work performed or if no work was performed an explanation of why. The comments field should also include a statement of how many hours was spent performing fieldwork at the audited entity location Any audit work or other activity that is material (e.g. expected to accumulate more than 8 hours or for which a written report/memo will be issued) will be assigned a project control number.

STANDARD ELECTRONIC TOOLS
ANAEL Queries To establish a library of standard 'off the shelf' ANAEL queries, these queries will be written so that they can be easily executed, by changing well-defined parameters, or simply modified to OUTPUT data in a different format.

The library will be controlled by the department ANAEL LIBRARIAN who will be responsible for updating the library and informing staff of the current library's contents. Queries will be written by staff members who have developed an appropriate understanding of the structure and the data in the accessed files. Queries will be written according to standards established by the department. Queries will be thoroughly reviewed and tested before being placed in the library by the librarian. Whenever practical these queries will be used to extract data from ANAEL defined files for use in audit testing.

• • •

Electronic Working Papers To assure standardisation of working papers and reports, standardised reports, programs and working papers have been developed as Word templates. In addition, there is an Audit Macros toolbar that will enable you to input your information in a form that will automatically add the information to the new Word document.

MISCELLANEOUS POLICIES
Purging Working Papers Working papers shall be retained for five years after the date of the report. The working papers shall be purged once a year after the Directors' approval. The exception to this policy is when we are required to retain working papers longer by law or by agreement. Paid Time Off Whenever possible, paid time off (PTO) should be requested and scheduled in advance. If you are SICK you should call or e-mail the Director or the secretary as soon as you can. Computer Software Only computer software that the department or ABC Company owns the rights to should be installed on department computers. If you wish to install other software on a department computer, you must receive prior approval from the Director and provide evidence that you own the rights to the software. Housekeeping

Internal Audit Manual

Page 56

Good housekeeping bears a direct relationship to orderly and efficient work habits. material in work areas should be straightened. Care is to be exercised to avoid exposure of confidential or potentially sensitive documents. When out of the office. Internal Audit Manual Page 57 .

The audit is presently scheduled to begin {Begin Date of Audit}. We will work with {name of person} as our main contact. year 2008 status. operating efficiencies. computer systems. We understand that some scheduling adjustments may become necessary to accommodate your staff’s schedules.APPENDIX A – Audit Announcement Letter {Date} {Name of Audited Entity} Attn: {Address} {Address} RE: Audit of {Name of Audited Entity} We are in the process of planning the audit for {Name of Audited Entity}. the human resource function. areas that need special audit attention or this schedule. and we anticipate being on site between two to three weeks. accordingly. We will follow-up on previously raised audit issues. Please review the audit schedule with your management team to ensure the timing is coordinated with them. will include such tests of the accounting records and other auditing procedures as we consider necessary to accomplish our audit objectives. please call me at 555-323-4123. If you would like to discuss the audit. We appreciate your support and the cooperation of your staff as we work together on this engagement. INTERNAL AUDIT DEPARTMENT Audit Manager Internal Audit Manual Page 58 . and other audit procedures considered necessary based on the circumstances encountered. Our audit will be conducted in accordance with generally accepted auditing standards and. review internal controls.

and a constructive and positive approach. and audit process and solicited your questions and concerns. Please feel free to expand on any areas that you wish to clarify in the comments area. This information will help to foster future improvements in the Internal Audit function. The audit team was cooperative in attempting to minimise interruptions to your operations and schedule. The audit team exhibited an understanding of your unit's mission/operations/procedures. 4. The audit team demonstrated courtesy. and final results on a timely basis. On a scale of 0 (no value) to 10 (high value). The audit recommendations were constructive. Questions During the initial conference. 10. major issues. the audit team explained the objectives. 8.APPENDIX B – Audit Feedback Questionnaire Form The purpose of this questionnaire is to solicit your opinions concerning the quality of service we provided during our recent engagement. You or your key staff members were adequately informed of the audit status. Internal Audit Manual Page 59 . all findings were adequately discussed and all issues of fact were resolved. professionalism. 9. timing. During the exit conference. We sincerely appreciate your assistance. 2. or the staff member most familiar with our recent work. and actionable. You had the opportunity to provide explanations or responses to audit findings as they developed during the audit process. 3. The final report was accurate and clearly communicated the audit results. 7. how much value do you feel this audit added to your unit? Please Select Please use the comment box below to let us know what specific changes we can make to improve our audit process. 6. 5. The audit team demonstrated technical proficiency in audit areas and knowledge of company policies. relevant. We request that you. 1. complete and submit the questionnaire.

Comments: Internal Audit Manual Page 60 .

Adequate Control: Present if management has planned and organised (designed) their operations in a manner that provides reasonable assurance that the Company's risks have been managed effectively and that its goals and objectives will be achieved efficiently and economically. units. written communications. Their primary function is to help ABC Company fulfil its stewardship role by reviewing the systems of risk management. Auditable Activities: Consist of those subjects.APPENDIX C – Internal Audit Glossary A Adding Value: By virtue of our position within the Company. we always agree the scope of our reviews with the unit managers before starting the audit. Examples may include financial. Analytical Review: The examination of ratios. advice. which are capable of being defined and evaluated. Audit working papers support the bases for the findings and recommendations to be reported. Audit scope often includes: Audit objectives: Nature and extent of auditing procedures performed Time period audited: Related non-audit activities that delineate the boundaries of the audit When planning audit assignments at the Company. or through other products. Audit Committee: Committee of the Company that has no operational responsibilities for any of the activities undertaken by the Company. or systems. control. compliance. trends and changes in balances and other values between periods to obtain a broad understanding of the Company financial or operational position and identify areas that may require further or closer investigation. Assurance Services: An objective examination of evidence for the purpose of providing an assessment on risk management. The Company's Audit Committee meets three times a year. or governance processes for the Company. Audit Scope: Refers to the activities covered by an internal audit. performance. the analyses made. Audit Test Matrices: Audit Test Matrices include: • • • Risks The Expected Controls The Compliance Test Audit Working Papers: Record the information obtained. governance and internal control. Auditable activities may include: Internal Audit Manual Page 61 . Audit working papers are a key part of the evidence used by us in arriving at our conclusions and recommendations. Internal Audit is able to gather data to understand and assess risk and develop significant insight into operations and opportunities for improvement that can be beneficial to the Company. This valuable information can be in the form of consultation. and the conclusions reached during an audit.

Functions such as information technology. laws. payroll and capital assets Financial statements Laws and regulations We have adopted risk-based approach in recent years as an approach that uses the Company's Risk Register as a means of identifying our audit universe. or audit universe.• • • • • • • • • Policies. procedures and practices Cost centres. General ledger account balances Information systems (manual and computerised) Major contracts and programmes/projects. will be complied and maintained. treasury management. particularly in a risk-based audit approach which will provide an audit viewpoint in relations to the aims and objectives of the Company. ordinances and statutes. authority. The audit universe serves as the source from which the five-year audit plan and the annual audit schedule are prepared. Conclusions: Our evaluation of the effects of the findings on the activities reviewed. Developments in the approach to auditing and audit planning have meant that the audit universe is determined by risk (i. being a loss. contracts. Authorising: Includes initiating or granting permission to perform activities or transactions.e. accounting. a risk universe) and that the risk-based approach to auditing results in planning that is driven by the Company's risk register. and responsibility. the list included all financial and key operational systems audited as part of the overall cycle of planned work. Authorisation: Implies that the authorising authority has verified and validated that the activity or transaction conforms to established policies and procedures. Consequence: The outcome of an event expressed qualitatively or quantitatively. Conflict of Interest: Any relationship that is or appears to be not in the best interest of the Company. A conflict of interest would prejudice an individual's ability to perform his or her duties and responsibilities objectively. procedures. personnel etc. finance. Audit Universe: An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process. regulations. Internal Audit Manual Page 62 . expenditure. C Charter: The charter of the internal audit activity is a formal written document that defines the activity's purpose. Traditionally. Transaction systems for activities such as income. disadvantage or gain. The universe will be periodically revised to reflect changes in the overall risk profile. An inventory of audit areas. Conclusions usually put the findings in perspective based upon their overall implications. Compliance: The ability to reasonably ensure conformity and adherence to Company's policies. injury. plans.

The exercise of due professional care requires that: • Internal auditors be independent of the activities they audit Page 63 Internal Audit Manual . Control Risk: The tendency of the internal control system to lose effectiveness over time and to expose. procedures. (See internal control also). Directive Controls: Actions taken to cause or encourage a desirable event to occur. or fail to prevent /detect weaknesses in the systems of control. The control environment includes the following elements: • • • • • • Integrity and ethical values Management's philosophy and operating style Organisational structure Assignment of authority and responsibility Human resource policies and practices Competence of personnel Control Framework: A recognised system of control categories that covers all internal controls expected in an organisation. organises. Control Environment: The attitude and actions of the members and management regarding the significance of control within the organisation. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. Detective Controls: Actions taken to detect and correct undesirable events which have occurred.Control: Any action taken by management. Control Processes: The policies. and activities that are part of a control framework. Management plans. often facilitated by internal auditors. Due Professional Care: Calls for the application of the care and skill expected of a reasonably prudent and competent internal auditor in the same or similar circumstances. D Detection Risk: The probability that an incorrect audit conclusion will be drawn from the results of the examination or that the audit work will fail to detect any serious errors. and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved. and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. The "self" assessment refers to the involvement of management and staff in the assessment process. Control Self-Assessment: A class of techniques used in an audit or in place of an audit to assess risk and control strength and weaknesses against a Control Framework. the board. designed to ensure that risks are contained within the risk tolerances established by the risk management process. At the Company. There are many self-assessment techniques in use. we operate an annual self-audit system that is a form of self-assessment. Due professional care is exercised when internal audits are performed in accordance with Generally Accepted Auditing Standards.

targets or expected results. assurance that goals and objectives will be achieved. which brings together related components such as strategic planning. I Internal Audit Manual Page 64 . clear. to avoid payment or loss of services. Fraud: Any illegal acts characterised by deceit. Governance Process: The procedures used by the representatives of the Company's stakeholders to provide oversight of risk and control processes administered by management. Effective Control: Present when management directs systems in such a manner as to provide reasonable assurance that the organisation's objectives and goals will be achieved. E Effect: Effect is the risk or exposure the audited entity and/or others encounter because the condition is not the same as the criteria (the impact of the difference). or to secure personal or business advantage. Audit findings emerge by a process of comparing what should be with what is. performance levels. These acts are not dependent upon the application of threat of violence or of physical force. F Findings: Pertinent statements of fact. Error: As it relates to internal audit reports. we have agreed procedures in place to ensure that we work to recognised professional audit standards. operating standards. concise. it is an unintentional misstatement or omission of significant information in a final audit report. Follow-up: This is a process that we use to determine the adequacy. risk management. Frauds are perpetrated by individuals and organisations to obtain money. G Goals: Goals are specific objectives of specific systems and may be otherwise referred to as operations or programmes. At ABC Company. objectives or goals. concealment or violation of trust. constructive and timely Internal auditors follow up on reported audit findings to ascertain that appropriate section was taken. Governance is the Company's strategic response to risk. property or services. effectiveness and timeliness of actions taken by management on previous audit findings and recommendations.• • • • Internal audits are performed by those persons who collectively possess the necessary knowledge skills and disciplines to conduct the audit properly Audit work be planned and supervised Audit reports be objective. and internal auditing. External Auditors: Refers to those audit professionals who perform independent annual audits of an organisation's financial statements.

plans. O Objectivity: An unbiased mental attitude that requires internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that Internal Audit Manual Page 65 . Likelihood: A qualitative description of a probability or frequency. regulation and contracts The safeguarding of assets The economical and efficient use of resources The accomplishment of established objectives and goals for operations or programmes. other reports. transactions or other significant information. objective assurance and consulting services designed to add value and improve the Company's operations. N Net Risk: See also Residual Risk. Irregularities include: • • • • • • L Fraudulent financial reporting which renders financial statements misleading. M Management: Used to indicate. Internal Control: A process within an organisation designed to provide reasonable assurance regarding the achievement of the following primary objectives: • • • • • The reliability and integrity of information Compliance with policies. firstly. laws. Irregularities: Refers to the intentional misstatement or omission of significant information in accounting records. Monitoring: Encompasses supervising.Inherent Risk: Risks that an account or class of transactions contains material misstatements irrespective of the effects of the controls. Monitoring provides an ongoing verification of progress toward the achievement of objectives and goals. Internal Audit: The Company's in-house team that provides independent. financial statements. the level of management to whom the Director of Internal Audit is responsible and secondly anyone who has responsibilities for setting and/or achieving objectives. observing and testing activities and appropriately reporting to responsible individuals. Irregularities involve: Falsification or alteration of accounting or other records and supporting documents Internal misapplication of accounting principles Misrepresentation or intentional omission of events. documents or records. procedures. and Misappropriation of assets.

Residual risk represents the actual level of exposure that the Company faces. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others. Risk-Based Auditing: An approach that focuses upon how an organisation responds to the risks it faces in achieving its goals and objectives. Risk Assessment: The identification of risk. Such activities may include. finance and accounting. the management of risk. Risk Evaluation: See risk measurement. low. Risk Classification: Part of the risk assessment process that categorises risks. and the process of communicating about risks. it aims to provide assurance on the management of the identified risks within the context of the Company's corporate plans and aims. Residual Risk: Also known as 'net risk'. Preventative Controls: Actions taken to deter undesirable events from occurring. A systematic use of available information to determine how often specified events may occur and the magnitude of the consequences. personnel.. the measurement of risk. typically into high. Opportunity: An uncertain event with a positive probable consequence.no significant quality compromises are made. procurement. The risk assessment process measures risk by the use of two factors: impact and likelihood. Probability: A measure (expressed as a percentage or a ratio) of estimation sometimes used as a basis of measuring the likelihood and impact of risks when undertaking risk assessments. In risk assessment. medium. Related to risk. Internal Audit Manual Page 66 . it is the risk that the assessment process is inappropriate or improperly implemented. Q Quality Assurance: A programme by which the Head of Internal Audit evaluates operations of the internal auditing service. P Planning Risk: The risk that the planning process is flawed. and intermediate values. R Recommendations: Actions we believe are necessary to correct existing conditions or improve operations. marketing. This is the level of risk remaining after the relevant controls have been applied by management to the gross (or 'absolute') risk. the possibility that one or more individual organisations will experience beneficial consequences from an event or circumstance. Risk Analysis: The assessment of risk. Operations: Refers to the recurring activities of an organisation directed toward producing a product or rendering a service. A systematic process for assessing and integrating professional judgments about probably adverse conditions and/or events. but are not limited to. and the process of communicating about risks.

activities and/or people that are connected or interrelated to achieve objectives and goals. Importantly. monitoring and communicating risk. Often used in analysis in place of risk. Risk Management Strategy: A structure for linking the company's business strategy and organisation to its risk management objectives. a set. accurate and timely information related to risk management. illegal acts. Risk Identification: The method of identifying and classifying risks. errors. Risk Management Process: The systematic application of management policies. identifying. It is measured in terms of impact and likelihood. function or activity) is an arrangement. Risk Management Systems: Principles relating to the design. processes and structures that are directed toward the effective management of potential opportunities and adverse effects. analysing. impact and likelihood. System: System (process operation. development. conflicts of interest. The possibility that one Internal Audit Manual Page 67 . or a collection of concepts. ineffectiveness. parts. although most positive risks are sometimes known as opportunities and negative risks are called simply risks. and the likelihood that the negative event will take place.Risk Factors: Measurable or observable characteristics of a process that either indicates the presence of risk or tends to increase risk exposure. S Significant Audit Findings: Those conditions which in the judgment of the Director of Internal Audit could adversely affect the Company. waste. the consequences of that risk. Significant audit findings may include conditions dealing with irregularities. procedures and practices to the tasks of establishing the context. managing (treating). (This definition applies to both manual and automated systems). T Threat: A combination of risk. Risk Management: Proactive steps that management can take to assess and manage business risks. Risk Register: A central register of the Company's key risks that identifies the classification of risks by area. See risk classification. Risk: The chance of something happening that will have an impact on the Company's or one of its unit's objectives. and management (primarily information technology) of systems for providing reliable. The relation of acceptable levels of risks among alternatives. inefficiency. Risk Measurement: The evaluation of the magnitude of risk which usually involves developing a set of risk factors that are observed and measured to detect the presence of risk. The culture. and control weaknesses. assessing (evaluating). risk can be both positive and negative. A system may also be a collection of subsystems operating together for a common objective or goal. Risk Prioritisation: Ability to measure risks into a logical order by establishing how significant they are in comparison to the achievement of business goals and objectives.

or more individuals or organisations will experience adverse consequences from an event or circumstance. Understanding: Means the ability to apply broad knowledge to situations likely to be encountered. to recognise significant deviations and to be able to carry out the research necessary to arrive at reasonable solutions. uncertainty impacts upon the quality of risk assessments by managers. Internal Audit Manual Page 68 . U Uncertainty: A condition where the outcome can only be estimated due to incomplete or imperfect knowledge of the area / subject in question. In practice.