


Acknowledgements
Article 1
Purpose and Contents of the Manual
Responsibility for the Manual
Legal framework
Article 2
General Definition of Internal Auditing
Concept of Internal Auditing
Objectives of Internal Audit
Tasks of an Internal Auditor/Inspector
Ethics and Professional Conduct of an Internal Auditor/Inspector
Article 3
Internal Audit Service Delivery Process
Objectives of an effective internal audit methodology
Stages in the Internal Audit Methodology
Establishing the Audit Objectives and Auditee Expectations
Preparing for the Expectations Meeting
Developing Audit Objectives and Establishing Auditee Expectations
Developing the Risk Assessment Criteria
Communicating Overall Audit Objectives Expectations Results to Auditees
Risk Assessment
Understanding the Auditee’s Business
Assessing the Control Environment
Developing and Confirming Your Understanding of the Processes
Linking Internal Audit Focus to Key and Critical Processes
Identifying Risks and Related High-Level Controls
Assessing Risks
Reporting and Agreeing on the Risk Assessment
Audit Plan
Major Processes
Coordinating the Audit Plan
Agreeing to the Audit Plan
Article 4
Audit Execution
Designing Tests of Control
Pre-Audit Work
Analytical Review
Carrying Out Tests of Detail and Substantive Procedures
Issues for Management’s Attention
Concluding the Audit and Report
Reviewing Working Papers
Communicating Results
Article 5
Working Documentation of an Internal Auditor/Inspector
Working Documentation
Principles for the Compilation of Working Documents
Principles for the Preparation of Working Lists
Article 6
Financial Audits
Introduction
Definition of Financial Audit
Objective of a Financial Audit
Financial Audit Procedures, Preparations and Execution
Review of Financial Processes
Article 7
Audit Inspection
Introduction
PAF Inspection Procedures – Overview
Audit Inspection of Missions Abroad
Compliance & Inspection Checklist
Annual Accounts
Inspection of Computerised Accounting Systems
Article 8
Performance Audits
Introduction
Definitions
Questions Answered by a Performance Audit
Concepts in Performance Auditing
Approaches to Performance Auditing
Performance Auditing and the International Auditing Standards
Performance Audit Methodology
Understand the entity’s activities
Deciding on the main elements of the study
Analysing the main study question into sub-questions
Identifying criteria
Identifying the Audit Evidence That Answers the Study Questions
Selecting the Methods of Interpreting Audit Evidence
The Preliminary Study Report
Summarising, Analysing and Interpreting Audit Evidence
Documentation
Reviewing the Evidence
Reporting
Criteria Used to Assess Performance
Article 9
Systems Audit
Manual Purpose and Contents
Basic Terminology
System Audit General Description
Assessment Effectiveness of Internal Control System
Audit of Operations
Article 10
Information Technology Audit
Introduction
Understanding IT Controls
Internal Auditing Role in relation to IT
Common IT Process Controls
Risk Considerations in Determining the Adequacy of IT Controls
Control Characteristics to Consider
The IT Audit Procedures
Planning an IT Audit
Risk Scoring System
Application Audit Programme
Other Issues To consider In the Audit Programme
Audit Methodology and Best Practices: Summary
Audit of the Integrated Financial Management System (IFMS)
Review of IFMS General Controls
Computer-Assisted Audit Techniques (CAATS)
Auditor/Inspector Knowledge Considerations
Article 11
Fraud and Irregularities
Introduction
Fraud Red Flags
Understanding the Business and the Risk of Fraud & Irregularities in Each Business Area/Process
Assessing the Impact of Each Possible Fraud & Irregularities Based on its Severity and Potential Frequency
The Internal Auditor’s/Inspector’s Role
Conduct of the Investigation
Interviewing
Interviewing Techniques for Fraud Investigations
Fact Finding Interviews
Interviews with Suspect(s)
Interview Notes
Voluntary Statements under Caution
Other Relevant Areas
Components of an Appropriate Anti-Fraud and Irregularities Culture

Appendix 1 ESAAG Guidelines
Appendix 2 International Standards for the Professional Practice of IA
Appendix 3 Fraud Prevention Check up by the Association of Certified Fraud



Article 1
Purpose and Contents of the Manual
This manual is a handbook for use by the Government of Uganda Internal Audit staff,
departments, agencies, etc. It is tailored to help Internal Audit adequately
discharge its statutory and professional responsibilities towards those being
audited and the people of Uganda.
The manual provides the tools for Internal Audit Service staff to carry out the planning,
monitoring, reporting and execution of internal audit. It offers a number of different audit
approaches, along with the planning tools to decide which approach best fits the local
This manual should be considered as a working document, subject to amendments as new
regulations, rules and working practices are introduced. It is a property of the Government of

Responsibility for the Manual

The Permanent Secretary / Secretary to the Treasury, Accountant General and
Commissioner for Inspectorate and Internal Audit have the overall responsibility
for ensuring compliance and for updating the manual.
All suggestions for amendments, additions and improvements to the manual
should be directed to the Permanent Secretary / Secretary to the Treasury

This manual shall be available to all audit personnel and used as guidance in the
conduct of all Internal Audit work within Central Government Ministries, Departments
and Agencies.

Legal framework
The Internal Auditing Manual makes use of the following laws, regulations, standards,
and directives, though direct reference to them is encouraged:

Public Finance and Accountability Act, 2003
Public Finance and Accountability Regulations, 2003;
International Standards for the Professional Practice of Internal Auditing, issued
by (IIA);
International Standards of Auditing issued by the International Standards and
Assurance Services Board of the International Federation of Accountants.
Internal Audit Charter, issued by the Ministry of Finance, Planning and Economic
Code of Ethics for Internal Auditors/Inspectors, issued by the Ministry of Finance,
Planning and Economic Development;
Internal Audit Guidelines set by the East and Southern African Association of
Accountants General (ESAAG)
The Treasury Accounting Instructions 2003, and
Circulars issued from time to time by the Permanent Secretary, Accountant
General, etc.

Other Standards of other professional bodies like the Association of Certified Fraud Examiners, the Information Systems Auditing Control Association and others.

GOVERNMENT OF UGANDA INTERNAL AUDIT & INSPECTION MANUAL

Article 2
General Definition of Internal Auditing

2.1 Concept of Internal Auditing
The Institute of Internal Auditors/Inspectors defines Internal Auditing as "an independent objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."

“Internal Control” means a set of systems operated by an organisation to ensure that financial and other records are reliable and complete. The objective of an internal control system is to ensure that management adheres to policies and procedures for orderly and efficient conduct of the business.

2.2 Objectives of Internal Audit
The Internal Audit unit shall appraise the soundness and application of accounting, financial and operational controls and in particular shall –
· Review and report on proper control over the receipt, custody and utilisation of all financial resources of the unit.
· Review and report on conformity with financial and operational procedures.
· Review and report on the correct classification.
· Review and report on the reliability and integrity of financial and operational data, so that information provided allows for the preparation of accurate financial statements and other reports for the information of the unit and the general public as required by legislation.
· Review and report on the systems in place used to safeguard assets, and as appropriate, the verification of the existence of such assets.
· Review and report on operations or programs to ascertain whether results are consistent with established objectives and goals.
· Review and report on the adequacy of action by management in response to internal audit reports.
· Review and report on the adequacy of controls built into computerised systems in place within the unit.
· Check and report shortcomings in connection with the accounts, finances and related operations of the Ministry, Department or Agency.
· Be alert to opportunities, such as control weaknesses that could allow fraud and where fraud is suspected the appropriate authorities within the department will be informed.
· Respond to ad hoc requests for audit assistance or advice as may be requested by the Accounting Officer or the Heads of Departments of a unit.

2.3 Tasks of an Internal Auditor/Inspector
· Analyse the activities of the audited organisation periodically, to monitor the management of these activities, and to recommend adequate measures to improve the auditee's performance.
· Monitor and revise the performance of financial management at all levels of management.
· Assess the organisation's resources and ensure that all resources (human, material, and financial) are utilised appropriately so that the best possible results are achieved.
· Ascertain whether the entity's policies are implemented correctly.
· Verify the reliability and suitability of the information system.
· Inform the management of any irregularity or anomaly revealed and recommend appropriate measures for their elimination.
· Follow up on whether the recommendations by the internal auditor/inspector have been implemented.

2.4 Ethics and Professional Conduct of an Internal Auditor/Inspector
Professionally and ethically, the internal auditor/inspector should:
· Be objective in all dealings.
· Behave with integrity and honesty.
· Carry out their work with due skill and care.
· Ensure that he keeps all information learnt/got confidential.

Article 3
Internal Audit Service Delivery Process

3.1 Objectives of an effective internal audit methodology
· Align the internal audit resources with the organisation's objectives
· Deliver value to the organisation
· Leverage on internal knowledge to efficiently identify and appropriately assess risks
· Drive efficiencies throughout the service delivery process

3.2 Stages in the Internal Audit Methodology
· Establish the Audit Objectives and Auditee Expectations
· Undertake Enterprise Risk Assessments
· Audit Plan
· Execution
· Communicate Results

3.3 Establishing the Audit Objectives and Auditee Expectations
Auditors/Inspectors develop a mutual understanding of the scope of their internal audit services among the executive management and the Audit Committee, and the value to be delivered through the provision of internal audit services. Auditors/Inspectors also gain an understanding of the relationship protocols, management’s views on audit coverage and cycling, and other information critical to the success of the engagement. This understanding helps in determining the criteria for assessing the related risks. Based on that understanding and auditor’s/inspector’s perception of the work needed, the internal auditor/inspector will determine the objectives of the audit (i.e., intended audit accomplishments). Objectives will be in enough detail to guide the audit program development.

Importance of this step
It helps the Internal Auditor/Inspector to:
· Determine the auditee’s expectations and establish relationship objectives and protocols
· Gain a high-level understanding of the auditee’s organisation's objectives and associated critical success factors
· Understand the internal audit focus
· Determine the benefits the auditee wants to receive from their internal audit services and establish the criteria for measuring and communicating the results of our service
· Develop the Risk Assessment Criteria
· Obtain sponsorship commitment for their audit process

Steps in establishing audit objectives and auditee expectations
a) Arrange an Auditees’ Expectations Meeting.
b) Develop the Audit Objectives and Auditee Expectations.
c) Develop the Risk Assessment Criteria.
d) Communicate Audit Objectives and Expectations Results to auditees.

3.4 Preparing for the Expectations Meeting
· Identify the internal audit team and the auditee liaison person
· Discuss and agree the role of the auditee's liaison, including identifying available dates and location for the meeting
· Obtain, review, and analyze background information by obtaining a copy of the relevant legislation (laws, directives, guidelines, and internal regulations), organisational chart, definition of the posts, delegation of powers, etc.
· Perform a preliminary review of the accounting environment, the chart of accounts, the computer systems (the safety and storage of data) to ascertain the reliability and regularity of accounting and financial data.
· Assign roles and responsibilities among the internal audit team.
· Confirm attendees and mail correspondence to auditee participants

Information that should be documented in the working papers
At this stage, the following information should be maintained in our working papers:
· Background information obtained about auditee or organisation
· Institution’s organization chart
· Institution’s strategic plan
· Correspondence sent to auditee participants

3.5 Developing Audit Objectives and Establishing Auditee Expectations
Expectations meetings should periodically be conducted with the organization’s key decision makers to discuss and agree upon the engagement’s relationship objectives and protocols.

Issues to be examined in the meeting
1. Management’s strategic objectives
2. Desired internal audit focus and value criteria
3. Risk coverage
4. Strategic objectives
5. Internal audit focus
6. Critical and major processes of the organization
7. Organizational structure and alignment with processes
8. Audit coverage expectations
9. Relationship protocols
10. Role of the internal audit liaison
11. Distribution and format of audit reports
12. Measurement and communication of value
13. Receipt of feedback on internal audit services
14. Overall Audit Objectives

Information to be documented in the working papers
· Auditee’s strategic objectives
· Agreed-upon internal audit focus
· Role of the internal audit liaison
· All agreed-upon engagement protocols

3.6 Developing the Risk Assessment Criteria
This process consists of the following steps:
· Determine the assessment ratings to be used for the auditee. The ratings can be High, Moderate or Low.
· Determine the risk factors against which to assess organizational risks. The factors could be determined by asking executive management questions such as: “With respect to the agreed-upon business objectives, at a high level, how would the existence of a risk manifest itself, e.g., financial cost/lost opportunity, reputation damage?”
· Consider both the likelihood and the impact of the risk.
· Determine and agree upon the specific characteristics of the likelihood and impact of a risk.
· Analyze and detail the respective impacts that would fall within the high, moderate or low categories.
· Where appropriate repeat this analysis for likelihood, i.e., how could the likelihood of the risk be measured and indicate this likelihood within the high, moderate or low scale.
· Document the characteristics in a table form.

Example of Risk Assessment Criteria

| Risk Factor | High | Moderate | Low |
|---|---|---|---|
| Financial Impact | Adverse impact on actual revenues or actual costs > shs50m; External audit qualification on the report and accounts | Adverse impact on actual revenues or actual costs of shs.10m – shs.50m; External audit management letter contains significant issues | Adverse impact on actual revenues or actual costs of < shs.10m; External audit raises some isolated findings |
| Reputation | Serious failure to comply with legal or regulatory requirements; Instances of bad publicity/reputation damaged to a national audience | Failure to comply with legal or regulatory requirements in some instances; Instances of bad publicity/reputation damaged to regional audience | Failure to comply with legal or regulatory requirements in non-serious and isolated cases; Instances of bad publicity/reputation damaged to local audience |
| Technology | System enhancement or implemented without major functionality; Loss of systems leading to severe or ongoing business disruption (over 1 day); Management information used in key decision making is inaccurate | System enhancement or implemented without some functionality; Loss or disruption to systems leading to significant business disruption (up to 1 day); Management information used for reporting purposes is inaccurate | Minor delays in implementation of new/enhanced systems; Loss to systems leading to business disruption (up to 1 hour); Delays in availability of general management information |
| Likelihood | Highly Likely; Systematic; On-going | Possible; Occasional | Unlikely |

Information to be documented in the working papers
§ The final agreed-upon Risk Assessment Criteria should be included in our working papers.

3.7 Communicating Overall Audit Objectives Expectations Results to Auditees
The information agreed upon at developing expectations meeting is crucial to the overall success of the internal audit engagement. To capture the agreements reached during the meeting, provide the attendees with a key deliverable from the meeting, a communication of all issues agreed on.

Information to be documented in the working papers
The communication sent to the auditees about the agreed upon expectations and audit objectives should be included in the working papers.

3.8 Risk Assessment
Risks are events, actions, or inactions that could cause the business objectives not to be achieved. To mitigate and manage these risks, an organization typically implements controls and other risk management activities. Risk assessment is the identification and analysis of risks to the achievement of the institution’s established objectives.

Risk assessment provides a guideline for facilitating a high-level assessment of financial and compliance risks and to identify internal controls to manage those risks.

Importance of risk assessment
It enables the auditor/inspector to:
· Identify, assess, and document the risks and related risk management activities that exist within the organization’s processes and across its key organizational components (geographic locations, service lines, or functional units)
· Provide the primary focus for allocating audit resources in the Audit Plan process

Parties responsible for risk assessment
Management has the responsibility of identifying, assessing, and managing risk.
Internal audit has the role of:
§ Facilitating the identification and assessment of risk and,
§ Monitoring how well risks are actually being managed by the entity.

Potential sources of risk

Strategic:
§ Policy and strategy
§ Corporate reputation
§ Political factors
§ Public expectations
§ Stakeholder relations
§ Industry developments
§ Changing demographics
§ Globalization
§ National security threats
§ Business continuity
§ Competitive trends

Corporate Management:
§ Structure and reporting relationships
§ Planning and priority setting
§ Budgeting and resource allocation
§ Expenditure management
§ Procurement and contracting
§ Performance management
§ Project management
§ Inventory management
§ Asset management
§ Human resources
§ Information and knowledge
§ Communications
§ Risk management

Government Agenda:
§ Citizen focus
§ Values and ethics
§ Accountability
§ Transparency
§ Responsible spending
§ Government on-line
§ Improved reporting
§ Modern comptrollership
§ Fairness & equity
§ Modern HRM
§ Integrated Risk Management

Compliance:
§ Funding and appropriations
§ Statutory reporting
§ Compliance with laws and regulations

Major steps in risk assessment process:
· Planning the Risk Assessment
· Understanding the Auditee’s Entity
· Mapping Major Processes to the Internal Audit Focus
· Identifying Risks and Related High-Level Controls
· Assessing Risks
· Agreeing on and Reporting the Risk Assessment

Planning the risk assessment
The objective of planning the Risk Assessment is to give the engagement team clarity and structure in order to complete the work successfully and efficiently. The Risk Assessment builds on the information obtained during the Co-Develop Expectations process.

How it is done
· Review engagement objectives, team member roles and responsibilities, and timelines
· Determine advance preparation requirements (if applicable) and documentation methods
· Determine the final output from the Risk Assessment (e.g., presentation to executive management and the Audit Committee)

Preparing the preliminary plan
A team or individual should be given the responsibility of:
§ Gathering existing knowledge about the auditee and engagement
§ Developing a preliminary work-plan for the Risk Assessment.

3.9 Understanding the Auditee’s Business
Understanding the Auditee’s business is the necessary first step in performing the Risk Assessment.

Determinants of the level of analysis to be done
§ The nature,
§ Scope, and
§ Size of the engagement
will drive how much analysis should be undertaken to understand the auditee’s business.

How to understand the business
· Assess the organization’s control environment
· Confirm and review the organization’s business objectives and critical success factors for achieving the objectives, recognizing that an organization will have implicit objectives in addition to those explicitly stated
· Identify how the organization is structured (by process and function) and begin to understand how the business objectives and internal audit focus are related to the processes

· Identify both internal and external influences that affect the organization’s business objectives, internal audit focus, and critical success factors
· Identify the significant risks inherent in the achievement of the business objectives and critical success factors
· Identify which process owners to meet with in order to complete the Risk Assessment
· Understand the auditee’s information technology environment
· Understand the auditee’s existing risk management process and reporting structures

3.10 Assessing the Control Environment

Control environment refers to management’s explicit and implicit control consciousness and attitude. Use a control environment questionnaire to develop an understanding of the auditee’s control environment. The questionnaire consists of questions that may indicate risks that should be further evaluated or areas that might require additional audit procedures.

Issues examined by the questionnaire
· Management’s control consciousness and operating style.
· Integrity and ethical values, and commitment to competence.
· Organizational structure and assignment of authority and responsibility.
· Human resource policies, practices.
· Corporate governance arrangements.

3.11 Developing and Confirming Your Understanding of the Processes

Arrange Meetings with the Key Department Heads to:
· Confirm the business objectives and identify critical success factors
· Identify Key Performance Indicators (KPIs)
· Identify and understand stakeholders and any external factors and how they influence the process
· Identify any high-level risks that exist
· Discuss any relevant IT issues
· Understand departmental strategic objectives

Critical success factors and key performance indicators
§ For each objective, identify and discuss the critical success factors and how these relate to the major processes.
§ Identify the key performance indicators used to measure the critical success factors.
§ Determine how they are used by management to monitor the effectiveness of the process.
§ Determine the different factors (internal or external) facing the key processes in place.
§ Analyse the influence of each factor on the process.

Examples of factors affecting key processes
1. External Factors. These include political and economic trends, competitors, market conditions, legal and regulatory framework, technological change, and social change.
2. Stakeholder Influences. Examples include shareholders, employees, customers, debtors, and suppliers.
3. Information Technology (IT) and Human Resources (HR). Assess how IT and HR enable the key processes.

Understanding the IT environment

Understand the implications and extent to which technology enables each process, as it relates to the attainment of the business objectives. Determine how IT supports the key processes. Technology should be considered as an integral part of the Risk Assessment process. The identification and subsequent assessment of IT risks should be performed in conjunction with the other risks to the organization.

Key questions to consider
§ Is the organization’s strategy heavily IT enabled?
§ What is the IT infrastructure?
§ What is the IT change environment?
§ What is the appropriate size of the IT department and budget?
§ How best is it to use service bureaus (e.g., ADP, and/or consultants and vendors)?

Information to be documented in the working papers

The following should be maintained in the working papers:
· The auditor/inspector’s assessment of the control environment and any identified risk factors.
· Appropriate notes to document the characteristics of the key processes.

3.12 Linking Internal Audit Focus to Key and Critical Processes

The principal objective of this step is to enable available internal audit resources to be efficiently allocated to those processes that significantly affect the strategic objectives or other concerns, which are the agreed-upon focus of the auditor’s/inspector’s internal audit services.

Information to be maintained in the working papers
· A matrix to analyze which processes are relevant to the internal audit focus

· A matrix to analyze which processes are relevant to business objectives (if this mapping is performed)
· Documentation of the relative importance of each process, including the rationale for this as agreed on with management.

3.13 Identifying Risks and Related High-Level Controls

The objective of this process is to provide adequate guidance to the identification of the significant risks as influenced by the internal audit focus (e.g., business objectives) and to determine, at a high level, the controls over these risks.

Important questions to be asked by the internal auditor/inspector
· What could go wrong?
· How could we fail as an entity?
· What must go right for us to succeed?
· Where are we most vulnerable?
· What assets do we need to protect?
· Do we have liquid assets or assets with alternative uses?
· How could someone steal from the department?
· How could someone disrupt operations?
· On what information do we rely most?
· On what do we spend the most money?
· How do we bill and collect our revenue?
· What decisions require the most judgment?
· What activities are most complex?
· What activities are regulated?
· Where is our greatest legal exposure?

It is important that risk identification be comprehensive at the departmental level and the activity-level for operations, financial reporting and compliance objectives. Internal and external factors must be considered.

Issues to discuss with the auditee
1. The purpose and objective(s) of the process and the critical success factors which management has identified.
2. The beginning, end, key inputs, key outputs, key transformations and the subprocesses.
3. The impact of information technology on the process.
4. Significant risks that exist in the process

Performing an analytical review of the process being audited is important. Such a review will help to provide an indication of the health of the process. Typically, trend analysis is the most appropriate form of analytical review during the Risk Assessment. Capturing, acquiring, and analyzing data is time-consuming and generally considered appropriate for the Execution process only.

Questions to help identify significant risks
· What must go right in order for the process to achieve its objectives? One answer might be: “Purchased materials must be paid for within the discount period.”
· How does IT or human resources enable the process and what significant risks exist as a result of these enablers? One answer might be: “Unauthorized or uncontrolled access to networks results in service disruption.”
· Does the process contain any inherent conditions that may result in a financial or other loss? (e.g., the risks of theft of cash/goods that exists within retailing environment).
· Is the process designed to be properly responsive to public and environmental forces (i.e., stakeholder influences or external factors)? One answer might be: “Failure to respond to regulatory changes resulting in heavy penalties.”
· What could go wrong with the process that would prevent the entity objectives from being achieved? One answer might be: “Failure to deliver the services within the stipulated time.”

Information to be maintained in the working papers
· Process characteristics for the key process.
· A list of risks and associated controls agreed upon with management.

3.14 Assessing Risks

Risk is defined as “any event, action, or inaction that hinders an organization’s achievement of its business (explicit and implicit) objectives.” Risk has two attributes: cause and effect.

Issues to consider when assessing risks
· The likelihood of the cause occurring.
· The resulting impact of the risk (e.g., on revenue, reputation, reporting).
· The factors that influence the risk (e.g., people, process, or technology).
· The relevant time period. A risk may have a small impact if it occurs once, but if it could occur frequently during the year, consider what the cumulative impact would be.
· The predetermined scale (e.g., high, moderate, or low) to use. This should be discussed with the auditee.
· Initial assessment of risk, assuming that controls can mitigate the likelihood and/or impact of the risk occurring.
· Initial evaluation of high-level controls.

Questions to use when evaluating high level controls
· Do the high-level controls appear effective or ineffective at mitigating the likelihood of the risk identified within the process?
· Are there several controls in place to mitigate the risk that result in process inefficiencies?
· Do the high-level controls appear effective or ineffective at mitigating the impact of the risk?

Information to maintain in the working papers
· Documentation of the likelihood and importance of risks, as agreed upon with management.
· Risk assessment rationale for risks, processes, and auditable units agreed upon with management.
· Rationale for initial evaluation of high-level controls.

3.15 Reporting and Agreeing on the Risk Assessment

The engagement team presents the results of the risk assessment along with the audit plan to the audit committee. This allows the audit committee to readily see that the audit resources are allocated to those areas that significantly affect the internal audit focus and business objectives of the organization.

Information to maintain in the working papers

Formalized agreement of the risk assessment (e.g., copies of minutes of audit committee or executive meeting.)

3.16 Audit Plan

It is derived from the developing expectations and risk assessment processes. Potential processes and areas (e.g., regulatory compliance, system implementation) that should be considered for inclusion in the audit plan are identified.

Importance of this step

It helps the internal auditors/inspectors to:
· Review management’s expectations regarding audit coverage, as communicated in developing expectations, and develop an audit plan that is in line with those expectations (to the extent that audit resources are available)
· Align the audit plan with the results of the risk assessment (to the extent that audit resources are available)
· Determine skills needed to execute the audit plan and schedule resources needed for the engagement
· Prepare the audit plan and obtain approval from the internal audit liaison, executive management, and the audit committee.

Annual audit plan

The annual audit plan is prepared based on the risk assessment and is presented in the standardized format established by the Head of Internal Audit. At the beginning of the fiscal year, the internal audit department presents the annual audit plan to the audit committee for approval.

3.17 Major Processes
1. Auditable Activities. These are identified after reviewing the Ministry’s Chart of Accounts and budget.
2. Identification of Relevant Risk Factors. Examples include: competitive conditions, financial and economic conditions, organizational, operational, and technological changes, adequacy and effectiveness of the system of internal controls, competency, adequacy and integrity of personnel, etc.
3. Risk Assessment. This is used to:
§ Develop audit work schedules.
§ Analyse the significance of the relative risk factors.
§ Identify potential auditable activities.

Audit work schedules

The risk assessment process leads the Head of Internal Audit to establish audit work schedule priorities. The Head may adjust these priorities after considering other information such as coordination with external auditors/inspectors, requests by management and/or the board. The internal auditing department develops audit work schedules that include the following:

What is included in the audit work schedule
· The activity to be audited.
· When the activities will be audited.
· The estimated time required to audit the activity.

Issues to consider when establishing work schedules
· The date and results of the last audit.
· Financial exposure.
· Potential loss and risk
· Requests by management.
· Major changes in operations, programs, systems, and controls.
· Opportunities to achieve operating benefits
· Changes to and capabilities of the audit staff.

Components of the audit plan
· List of audit projects.
· Objective of each audit project.
· Type of review (internal control, financial, compliance).
· Priority (high, medium, low) and reason for the priority.
· Estimated hours for each audit project.
· Budgeted hours.

Financial budget

The Internal Audit unit shall prepare a budget that will be reviewed by the Audit Committee and incorporated into the entity’s budget estimates.

Identify resource needs and estimate hours to execute procedures

Using the proposed audit strategy as a basis, identify resource needs and estimate the respective amount of hours required to perform the work for each of the selected processes and areas. This is achieved by allocating available hours to each of the selected processes and areas based on the significance of the risk, complexity of the process, impact on internal audit focus and the audit procedures expected to be performed.

Developing an audit program
§ The audit program details each of the audit steps to be performed during the course of the review. In some cases (when not readily apparent), the reason for the audit step should be included in the audit program.
§ The Head of Internal Audit or his designee should approve the audit program prior to beginning the audit work. Any adjustments should also first be approved by him.
§ Upon completion of each audit step, the auditor/inspector should initial the audit program in the appropriate box indicating its completeness.
§ As evidence of work performed, each of the steps in the program should be cross-referenced to the corresponding work paper.

Reviewing the audit plan to determine its consistency with management’s expectations

Upon completing the audit plan, the engagement team should review the Plan and consider the following questions:
· Is the audit plan consistent with management’s audit coverage expectations?
· Is the audit plan consistent with management’s view of cycling audits?
· Is the audit plan within the budgetary expectations of management?
· Do significant gaps in risk coverage exist and has this been appropriately communicated?
· Do we or the auditee have the resources necessary to perform the audit plan?

· Are all expectations and coverage issues noted during the co-develop expectations process appropriately considered in the audit plan?

3.18 Coordinating the Audit Plan

Once the engagement team has co-developed the audit plan, the next step is to begin to review the schedules of available resources and assign resources to processes and areas based on their individual skill sets. This allows the engagement team to be ready, upon approval of the audit plan, to execute the plan as resources are preliminarily scheduled. If management or the audit committee should have changes to the audit plan, the engagement team can easily revisit the engagement project plan to accommodate the modification by shuffling resources.

3.19 Agreeing to the Audit Plan

The engagement team and the internal audit liaison present the preliminary audit plan to executive management and the audit committee in accordance with the established protocols communicated in the co-develop expectations process. The audit plan outlines the following:
· Risk assessment results
· Listing of potential audits
· Timing

It is important for the engagement team to follow all change request protocols to ensure the proper allocation of resources.

Information to be maintained in the working papers
· A copy of the audit plan
· A copy of the executive management and audit committee meeting minutes, documenting approval of the audit plan as presented or other appropriate documentation showing approval
· Documentation of any points that auditee personnel have asked you to consider for future audits so that you can revisit them when you update your audit plan

Article 4 Audit Execution

4.1 Designing Tests of Control

This is necessary when an auditor/inspector is asked to conduct a systems audit or when, after the PSE, the auditor/inspector believes it will be feasible to conduct a system based audit as opposed to a substantive approach.

Instances when tests of control can be designed
· When the system design has been documented, evaluated and found to meet the audit control objectives.
· When the control operations to be tested are separately listed on the audit working papers.

What to use when designing tests of control
1. Enquiry. It is the cheapest form of testing and the least reliable.
2. Observation.
3. Inspection and Reperformance

In planning tests of control, evidence is required about the satisfactory operation of the control, for example, the checking of travel claims, which should be prepared in accordance with the financial regulations and recording in the cashbook.

Issues to note about the evidence collected
§ Evidence that substantiates the correctness of transactions does not automatically provide evidence that the control (check) was correctly operated.
§ The auditor/inspector is seeking evidence of the operation of control procedures.
§ The best evidence that the auditor/inspector could get is transactions, which were in error when they came before the clerk (the errors which were detected by the clerk whilst conducting the control procedure).
§ The only evidence of transaction errors will be transactions rejected by the clerk, transactions amended by the clerk or transactions remaining in the population, in error. The audit evidence available respectively will be: formal records or lists of rejected transactions kept by the clerk, alterations on prime documents observed during testing and errors discovered by the auditor/inspector during substantive testing.

When planning substantive tests, the auditor/inspector may use the sample size of 40 tests of control as part of a representative substantive sample, as long as the evidence from the tests of control clearly provides substantive evidence.

Items to include when recording the program of tests of control
· The population.
· The population size.
· The sample size.
· The method of sample selection.

For as long as the system remains the same, the compliance-testing plan can be reused from year to year.

4.2 Pre-Audit Work

The internal auditor/inspector should prepare for the audit visit before commencing the audit. This provides time for review of the previous years’ reports and papers and such research and information gathering as is necessary to ensure that the team will be ready to start as soon as they arrive on site. Typical procedures, which should be included in that process, are suggested below:

4.2.1 Familiarisation
· Obtain an understanding of the control environment.
· Obtain an understanding of the financial regulations and any ministerial or departmental operating policies.
· Obtain copies of all standard financial documents relating to this area.
· Prepare a record of the accounting records in use.

NB: If possible, most of the familiarisation tasks should be made easier by the maintenance of permanent files of information so this task might be incorporated within a single procedure: “Review and update permanent file”

4.3 Analytical Review

4.3.1
· Compare current year’s actual income and expenditure, line by line, with previous year’s expenditure.
· Compare current year’s actual income and expenditure, line by line, with the current year’s budget.
· For all income and expenditure heads, compare monthly income and expenditure during the current year.

Other analytical techniques include:

Ratios
§ Ratios can be calculated using financial or non-financial information or mixture of both.
§ Using his/her knowledge of the audited body, the auditor/inspector should establish the various relationships between different items of information and examine how they change over time.
§ Care should be taken to ensure that the correct relationships between figures have been established.

4.3.2 Examination of trends

The examination of trends may be seen as an extension of the time comparison over a period of years and may be valid for ratios as well as specific account figures. Relatively small changes from year to year may generate little interest but, over a period of years their cumulative effect may be significant. Observed trends must be critically examined. Explanations of any abnormality must be sought by the auditor/inspector for the procedure to be effective.

4.3.3 Reviewing for consistency

Related elements within the financial systems should be reviewed for consistency because there may be a direct relationship between the expenditure and receipts for certain items. An example of this would be posters supplied by the Ministry of Tourism, the purchase price is negotiated, pricing policy established and the auditor/inspector could calculate the relationship between the cost of stores issues and receipts and use this as a standard from month to month or year to year. As with the other procedures, the information selected for this type of review needs to be determined by the auditor/inspector using his/her knowledge of the body.

4.3.4 Proof-in-total techniques

Proof-in-total is a predictive test used to gain assurance regarding the correct statement of a financial figure. It is often considered as a substantive test, and can be used to complement or even replace tests of detail. Proof-in-total involves estimating the value of a figure based on independently verified audit evidence. It is particularly useful where the expected value of a figure can be calculated based on the prior year value, and known changes to the composition of the figure. As a guide, if the estimate is within 3% of the actual figure, this provides reasonable audit assurance that the figure is not materially mis-stated.

4.3.5 Examination of management information
· Obtain a copy of any information available to the Head of Department under review for the purposes of exercising overall control.
· Confirm that it is accurate and up-to-date.
· Examine information and follow up any items, which appear to be odd.

This is a re-performance test and ought to provide evidence about the exercise of control by the Head of Department based on the use of the information supplied.

4.3.6 Assembly of Information
· Examine all “intelligence” information filed since the last audit visit relating to allegations and current developments in the ministry or department to be audited.
· Discuss with officers in the Ministry of Finance their impression of the performance of the Head of Department in adhering to financial regulations, specific instructions or completion of returns or other documents.
· Establish whether officials in the Ministry of Finance have experienced problems with the Accounting Officer.

4.4 Carrying Out Tests of Detail and Substantive Procedures

The conduct of audit work usually follows a standardised route through the audit. Audit programs should be drafted in such a way that the timing of the work is recognised. The order of the performance of audit tests is usually:
· Pre-audit work: To highlight any specific issues which need to be examined this audit.
· Compliance tests: To form a view about the operation of control. If systems are not reliable then substantive or weakness tests will be required
· Substantive tests: To confirm the correctness of records and documents.

NB: Weakness tests should be designed specially for the circumstances discovered at the audit and should not normally stay in the audit program.

4.5 Issues for Management’s Attention

a) Preparing an Issue Summary

It is prepared when risks are inappropriately controlled. It should be reviewed by the in-charge auditor/inspector, and presented to management for action.

Objectives of the Issue Summary
· Obtain confirmation of factual accuracy of identified issues
· Request an action plan from management to address the control weakness, for inclusion in the audit report
· Enable corrective action to take place as soon as possible
· Communicate a cooperative spirit with auditees by advising them early about business risks, related controls, and recommendations
· Co-Develop an understanding of significant reportable issues and non-reportable issues with the auditee

Components of the issue summary
· Observations: Details of any observations that indicate the absence of control or the results of testing with regard to the appropriateness of the controls. If appropriate, the observations should also describe the standard that should have been adopted (i.e., what should be) and the cause (i.e., why the observation occurred).
· Risk: Details of the risk that is being inadequately controlled because controls have not been implemented or are not functioning as designed. When the issue identified is a process improvement in nature, it may be appropriate to use “Implication” rather than “Risk.”
· Recommendation: Action recommended to address the risk. Always be aware of the cost/benefit implications of any recommendations made. If the costs of implementing controls exceed the risk, look for alternatives.
· Management Response: Management’s response to the observation, including identifying the action to be taken to address the risk, who will take the action, and a date by which the action will be completed.

Do not include a recommendation in the Issue Summary. Allow management to agree that the issue exists and co-develop the most appropriate solution to address the risk. This facilitates ownership of the action plan by management. It is still critical to consider what action the auditor/inspector would recommend, as this will be useful when evaluating management’s suggested action or to provide guidance to management.

4.5.1 Format of the Issue Summary

Client:
Audit Project:
Audit Date:
Topic:
Observation:
Risk:
Recommendation:
Management Response (Please include the proposed date of implementation or a reason for non-implementation):
Auditee Signature and Date:
Significance: High / Moderate / Low / Value Idea
Include in Report? Yes / No
Order in Report:
Reviewed by:

b) Reviewing the Issue Summary

The in-charge auditor/inspector or his/her designee should review it before it is sent to the auditee. The in-charge auditor/inspector or designee should:
§ Be aware of all audit issues
§ Review the summaries for accuracy and adequate supporting documentation.
§ Determine whether the working papers support the conclusions reached
§ Ensure that the Issue Summaries are professionally written.

c) Presenting Issues to Management

Present each Issue Summary to management in person and in accordance with the agreed-upon protocol, but make sure that the recipient will be the person responsible for taking or authorizing the corrective action. Ask management to provide a response to the issue within a reasonably short time frame. If management’s response is not received by the agreed date, contact the auditee to determine the reason for the delay and to determine when the response will be received.

d) Evaluating Responses

When received, responses should be reviewed for:
· Factually inaccurate findings
· Adequate corrective action to reduce risk
· Timeliness of corrective action

When there is a disagreement regarding factual accuracy, verify the additional information that management provides and re-evaluate the risk and control. If a response is inadequate, discuss the corrective action with the responder and request the additional information needed. The additional response should be provided by the auditee in writing. The best solution may be to arrange a meeting to discuss the action to be taken. Ultimately, if agreement cannot be reached, refer to the protocol agreed to in the Co-Develop Expectations mega process.

4.5.2 Information to be maintained in the working papers

Our working papers should include the following:
· Analysis of the controls in place to mitigate each risk identified in major processes.
· For each identified risk, the auditor/inspector should have an Issue Summary on file containing a response from management.
· The response and details of the action the auditor/inspector takes when management’s response accepts the risk but indicates that management is unwilling or unable to take remedial action.

4.6 Concluding the Audit and Report

The steps taken to conclude the audit, including the preparation of the audit report, are essential elements for producing a quality audit product. The audit report is one of our most visible deliverables, providing feedback to auditee management on the results of our audit. At the end of our fieldwork, issues from the audit are collated, reviewed, prioritized, and consolidated in the audit report. This report is published in draft form prior to holding a closing meeting with process owners, during which its contents are discussed and agreed upon. The report should include all the significant issues identified as a result of our audit procedures.

4.7 Reviewing Working Papers
a) Review throughout audit project
b) Perform final working paper review
c) Remove review comments, “to do” notes, and report drafts
d) Look for complete documentation that supports issues and scope
e) Look for findings that have not been recognized and reported
f) Document ideas to improve future audits (when appropriate)
g) Prioritize observations
h) Rate findings
i) Review for inappropriate language

Elements to be included in an audit report
· Background: a high-level description of the audit process
· Objectives and Scope of the Audit Project: a brief description of the scope/objectives of the audit project
· Period: an indication of the period covered by our procedures
· Findings: significant issues identified and documented throughout the audit using the issue summary
· Recommendations: outlines suggested actions that management should consider to address an audit finding
· Date: the report is dated (month, date, and year) on the day that fieldwork is substantially completed
· Signature: Report should be signed.

Illustration of writing reports:

Section: Background
Institute of Internal Auditor/Inspectors: Background information may identify the organizational units and activities reviewed and provide relevant explanatory information.
Leading Practice: The background description of the area or process audited should be brief and should provide a short overview of the area. It can provide additional insight to the reader. It also can demonstrate our understanding of the area audited. The types of information that may be included are:
1. Personnel/turnover/staffing needs
2. Organization/major changes
3. Other factors
4. System issues
5. Process ownership and inherent problems
6. External factors affecting area audited
It is not necessary to include all six types of background information.

Section: Objectives
Institute of Internal Auditor/Inspectors: Purpose statements should describe the internal audit focus and, when necessary, inform the reader why the audit was conducted and what it was expected to achieve.
Leading Practice: The objectives of the audit are described in the report

Section: Scope
Institute of Internal Auditor/Inspectors: Scope statements should identify the audited activities and include, where appropriate, supportive information such as time period audited. The nature and extent of auditing performed should also be addressed.
Leading Practice: The scope is described in the report and should not be a listing of the steps of the audit program.

Section: Period
Institute of Internal Auditor/inspectors: The time and period audited should be included in the scope statements
Leading Practice: All reports should indicate the period covered by the auditors’/inspectors’ procedures

Section: Findings
Institute of Internal Auditor/inspectors: Findings are pertinent statements of fact. Less significant findings may be communicated orally or through informal correspondence.
Leading Practice:
· “Observation and Risk/Implication” is the last section of the report. The heading would include the client name and area or process audited.
· Each observation and risk should be listed in the order of importance. It may enhance the reader’s experience if like observations and risks are grouped together under each topic.
· Bullet points often make it easier for the reader.
· Numbering of observations and risks (instead of bullets) is not recommended since it is often perceived as a counting of mistakes.
· Appropriate sections of the Issue Summary can be copied into the audit report. If the Issue Summary is properly written, the audit report writing process should be streamlined and be more consistent.
· Working papers should indicate that less significant findings have been reviewed with management, noting the date and name of client contact.
The business risk identified as a result of the finding should always be listed.

Section: Recommendations
Institute of Internal Auditor/inspectors: Recommendations are based on the internal auditor/inspector’s findings and conclusions. They call for action to correct existing conditions or improve operations.
Leading Practice: The recommendations are actions that management should consider to address audit findings. In situations where the recommendations for several observations are the same, consider grouping the findings together under one topic related to the recommendation.

Section: Signature
Institute of Internal Auditor/inspectors: A signed, written report should be issued after the audit examination is completed. The term “signed” means that the authorized internal auditor/inspector’s name should be manually signed in the report.
Leading Practice: The report is signed after all required reviews are completed and issuance of the report has been authorized by the Team leader.

Section: Date
Leading Practice: The report is dated (month, date, and year) on the day it is substantially completed and issued.

Section: Conclusions/Summary
Institute of Internal Auditor/inspectors: “Conclusions” are the internal auditor/inspector’s evaluations of the effects of the findings on the activities reviewed. They usually put the findings in perspective based upon the findings’ overall implications.

Section: Positive Comments
Institute of Internal Auditor/inspectors: Auditee accomplishments, in terms of improvements since the last audit or the existence of a well controlled operation, may be included in the audit report.
Leading Practice: A list of strengths and/or best practices may be included in the report. This typically demonstrates recognition of positive issues (tends to soften the negative). Although each is considered as strength of the area audited, the applicability of each of these issues to other areas of the Company must also be considered. We cannot endorse any issues without total consideration of the applicability throughout the company. As a result, the “Strengths” or “Leading Practices” sections should be prefaced by “During the course of our internal audit, we noted the following strengths of the operations.” The strengths or leading practices can then be bullet-pointed.

Section: Management’s Response/Action Plan
Institute of Internal Auditor/inspectors: As part of the internal auditor/inspector's discussions with the auditee, the internal auditor/inspector should try to obtain agreement on the results of the audit and on a plan of action to improve operations, as needed. The auditee's views about audit conclusions or recommendations may be included in the audit report.
Leading Practice: Management’s response should be included in the internal audit report to put the finding in perspective. The reader can then understand the finding and the status of the action taken to correct it at one time. “Action to Be Taken” or “Action Plan” can be used in our reports instead of “Management’s Response” and “Recommendation.” This approach concentrates on the corrective action taken versus who made the recommendation.

When constructing the report, the following guidelines should be used.

Cover Page
The cover should include:
· Auditee name
· Process or area evaluated
· Period covered

Title
The titles and headings should be in a larger font than the text.

Table of Contents
Consider using a table of contents when the report is longer than five pages. If applicable, the index should have the same title as the cover sheet and should include a list of the headings of each section within the report.

Page Numbers
All reports should have page numbers. The report should be consecutively numbered with the first page number starting after the index.

Appendices
Appendices can be used to provide additional information that does not belong to the body of the report. It may include an overview of the risks examined, ratings definitions, etc. Appendices should be used only when needed in order to provide the reader with required reference material.

Unresolved Issues from the Previous Audit Report
Unresolved issues from a previous audit report are treated in the same manner as other issues identified. Reference should be made to the fact that the issue was raised previously but remains outstanding.

Issuing a Draft Report
a) Prepare a Draft Report
Prepare a draft report of detailed findings and recommendations. The principal reason for this is that the draft report provides a final opportunity for:
· Management to challenge the accuracy of the issues raised in the report
· The engagement team to validate the action plan to address each issue
b) Issue the Draft Report
Issue the draft report in accordance with the agreed-upon distribution. The draft audit report, including findings and recommendations, typically is only distributed to process owners. The final report distribution includes executive management and the Audit Committee.
c) Schedule the Closing Meeting
The closing meeting or exit conference should be held soon after completing the audit field work.

4.7.6 Conducting a closing meeting
a) Select Attendees
Members of auditee management who are invited to attend the closing meeting should have been discussed and identified during the scoping stages of the audit project. As a minimum guideline, members of management who have ultimate responsibility for implementing the action plan of each issue should be invited to attend.

The engagement team member in charge of the audit project should attend. Additional staff members can also be asked to participate, particularly when those individuals have specific knowledge of complex or technical matters that may be discussed.
b) Discuss Draft Audit Report
Discuss the draft audit report to reach agreement on each of its components. Specifically, the meeting provides an opportunity to:
· Clarify points or issues
· Resolve any misunderstandings
· Demonstrate the value we have provided
· Agree on follow-up activities
Maintain detailed minutes to provide evidence of management’s response to the issues raised. The minutes should be kept in the working papers.

4.7.7 Issuing a final audit report
Make any required changes to the draft audit report and issue it in accordance with the agreed-upon final audit distribution.

Follow up on reported audit findings
The protocol for the follow-up on reported findings should be discussed with the internal audit liaison during the Co-Develop Expectations process. The nature, timing, extent, and scheduling of follow-up activities and the procedures and techniques employed are determined by the auditee.

4.8 Communicating Results
At a minimum, executive management and the Audit Committee must formally review, agree and approve the Risk Assessment and the Audit Plan prior to executing a substantial portion of the Audit Plan. Throughout the year, we communicate the status of executing the Audit Plan and a summary of the results of our audit projects, including significant findings.

Article 5
Working Documentation of an Internal Auditor/Inspector

5.1 Working Documentation
Working documentation is a set of documents prepared/for the internal auditor/inspector in connection with the conduct of an internal audit. The internal auditor/inspector is obliged to document things that are important as evidence supporting the auditor/inspector's opinion and documenting that the internal audit has been carried out in accordance with the auditing standards.

Working documentation consists of a constant part and a variable part. The constant part contains usual data, which are of historical and permanent nature. The variable part contains working documents relating to the current year.

How working papers are stored
1. Paper
2. Films
3. Electronic data media

Purposes & uses of audit working papers
· To provide the principal support for our audit opinion
· To facilitate the conduct of an internal audit.
· To facilitate supervision and inspection of the work of an internal auditor/inspector.
· To record any evidence resulting from the work of an internal auditor/inspector in support of the auditor/inspector's opinion
· To aid us in the conduct and supervision of the engagement consistent with professional standards and firm policies and procedures
· To provide important information for subsequent audits and for potential review by third parties who may challenge the sufficiency of our work.
· Working papers may provide information for further investigation
· Review by third parties

Components of the title page of the working documentation
· Full name of the internal auditor/inspector.
· Reviewer
· Full names of the auditors/inspectors who carried out the internal audit/inspection (where the audit/inspection is conducted by several auditors/inspectors).
· Name of the auditee
· Subject of the internal audit.
· Organisation/department being audited (auditee).
· Time period of the internal audit.
· Contents of the working documentation.

5.2 Principles for the Compilation of Working Documents
Internal auditors/inspectors are required to compile and maintain detailed working documentation, giving an overall picture of the internal audit performed. The working documentation obtained provides sufficient evidence, which is an adequate basis for an opinion on the activity that is audited.

In the working documentation, the internal auditor/inspector should record information on the:
· The objective of the audit/inspection
· The planning, nature, time period, and scope of the auditing/inspecting procedures
· All the data on which the opinions and judgements of the auditor/inspector are based.
· The results of these procedures, and
· The conclusions arising from the audit/inspection performed.
The nature, time limit, and scope of tests of correctness are based on the evaluation of financial management at the audited organisation.

Determinants of the contents of the working documentation
· The nature and type of the internal audit.
· The form of the internal auditor/inspector's report.
· The nature and type of activities performed by the auditee.
· The nature and conditions of accounting and financial management applied by the auditee.
· The needs in the area of management, supervision, and control of the work performed by the internal auditor/inspector.
· The specific aspects of the methodology and technology applied during an internal audit.

Contents of the working documentation
· Information about the legal form and organisational chart of the audited organisation.
· Extracts or copies of important legal documents, contracts, records, and plans.
· Information about the sector, the economic and legislative environment in which the organisation operates.
· Evidence of the fact that the internal audit was planned, including the programme of the audit and its changes.
· Evidence of the internal auditor’s/inspector's decision to carry out an audit and of the conclusions reached.
· Analysis of transactions and balances.
· Analysis of relations, relationships, and trends.
· Records in respect of the nature, term, and scope of the audit work performed, auditing/inspection procedures applied, and tests performed.
· The name of the person who determined the auditing process, including the date.

· Details about the procedures applied during external audit, if an external audit was conducted in the organisation concerned.
· Copies of correspondence between the internal auditor/inspector and other auditors/inspectors, experts, or third parties.
· Letters with statements, made by the management of the audited organisation.
· A copy of the organisation's financial statement, report on internal control, report of an external auditor/inspector.

5.3 Principles for the Preparation of Working Lists
The internal auditor/inspector should record his activities in working lists on a daily basis, according to the following principles:
· Each working list should contain the name of the area that is audited, the time limit for the audit, title – contents, name of the person who has prepared the working list, date of elaboration and the index – designation of the list.
· The working lists are to be indexed – marked with cross references enabling rapid search.
· Completed working papers shall clearly document the work of auditors/inspectors, with notes on the working list, using symbols with clear explanations on the working list.

Working papers should be prepared as the audit proceeds so that details and problems are not omitted. The audit working papers provide, for future reference, details of problems encountered and adequate evidence of work performed and conclusions drawn therefrom in arriving at the audit opinion.

The overall in charge of audit needs to be able to satisfy himself/herself that work delegated by him/her has been properly performed. He/she can generally only do this by having available to him/her detailed audit working papers prepared by the audit staff who performed the work.

Audit working papers should always be sufficiently complete and detailed for an experienced auditor/inspector with no previous connection with the audit to subsequently ascertain from them what work was performed and to support the conclusions reached.

Audit working papers should include a summary of all significant matters identified which may require the exercise of judgement, together with the auditor’s/inspector’s conclusions thereon. This can be achieved, for example, by writing a final evaluation of the internal audit performed (memorandum). If difficult questions of principle or judgement arise, the auditor/inspector should record the relevant information received and summarise both the management’s and his conclusion.

Working papers can conveniently be split into three:
1. Permanent File
Permanent files are used for data that can reasonably be expected to be needed in audits for more than two years. The following are typical permanent file materials:



Law establishing the institution/project
General information about the auditee
Regulations governing the institution/project/ministry
Accounting policies and procedures
Historical analysis of accounts
Income tax information.

2. Systems File
The systems file can be used to record the way in which the auditee’s internal
control and accounting systems operate. Typically, this will be in the form of flow
charts recording each of the accounting areas supplemented, where necessary,
by narrative notes.
3. Current files
The current file will contain all the working papers in relation to the current year’s
audit, and these can be quite extensive. A typical format would be as follows:
Indexing Working Papers
The objective is to make it easy for anyone to retrace the steps we took to complete
the audit, and to make working papers easy to locate.

Use the pyramid system: At the base are detailed working papers. As we proceed
to the top of the pyramid, we need to continue to build a supportive base that
meets our audit objective
Each working paper has a unique index
An index is assigned to each audit working paper as soon after its preparation as
is practical. Indexing is used to maintain consistency

Purpose of Cross-Referencing

To indicate where certain numbers or other data originated (i.e. where supporting
detail can be located)
To indicate where various detail amounts have been summarised in the working
How do we Cross-Reference?
We cross-reference amounts between two working papers by placing the other working
paper reference next to the number being cross-referenced. Generally, we try to
cross-reference our amounts from the detail working papers up to the summary-level
working papers. In this manner, someone can easily follow our process and flow of
information.

Effective Working Papers should contain
Working paper headings

It is important that working papers are properly identified. Details should include:
auditee name, a title or description, and the audit period to which they apply.
The proper use of headings is imperative to appropriate identification.


Clear and concise tick marks


Tick marks are used to indicate the procedures performed on data in the working
Tick mark explanations may be customized by the engagement team and will
always have the same meanings when used throughout the engagement.
Other tick marks may be used on working papers. When creating new tick marks,
their explanations should be clear and concise, specifically describe the work
performed, and be fully explained on the particular working paper where they are
Tick mark explanations normally include a description of the following:
Evidence examined, findings, and results
Unusual items noted and how they were resolved

Narrative comments

Narrative comments on audit schedules can include many forms of
documentation. Narrative comments include:
Brief summary of discussions with auditee personnel
Data needed for notes to the financial statements
Description of an account when it is not evident from the title
Additional information that would clarify data on the schedule and make it easier
for others to review

Audit conclusions
We document overall audit conclusions relating to all audit areas we reviewed.
All audit working papers require the sign-off of the preparer and the detailed reviewer
at a minimum and also should document the date of each sign-off.
An Illustrative example of the general index of working papers
General File
Internal auditor’s/inspector’s report
Exit conference & findings
Entrance conference/notification
Preliminary survey/planning memo
Review & supervision notes
Audit program
Evidence working papers (7 and Up)
Permanent File
Organizational chart
Applicable statutes and regulations
Internal control information - narratives, flowcharts, questionnaires, etc
Description of the accounting records, description of the funds, basis of
accounting, etc.
Departmental mission statement (PF 5)
Department budget and other strategy documents (PF 6)


Article 6
Financial Audits


The purpose of this article is to set procedures for conducting a financial audit and
also to provide an overview of the major tools that assist an internal auditor/inspector in
conducting an effective financial audit.


Definition of Financial Audit
A financial audit evaluates whether financial statements or reports accurately portray
the financial condition and/or activities of the audited entity.
Components of a financial audit
a) Examination and evaluation of financial records, and where applicable,
expression of opinions on financial statements;
b) Verification of financial accountability of the government administration as a
c) Audit of financial systems and transactions, including an evaluation of compliance
with statutes and regulations;
d) Evaluation of internal control systems;
e) Audit of the integrity and propriety of financial and related administrative decisions
taken within the audited entity.
During a financial audit execution, the Internal Auditor/Inspector also focuses on
evaluation of management procedures, reporting and operations inside an auditee as
well as on effectiveness of financial transaction controls in place.


Objective of a Financial Audit
The objective of a financial audit is to verify data recorded in financial statements and
evaluate the financial controls in place to ascertain whether there was proper
stewardship of public funds and efficient use of public money.
Issues to Consider

Correctness, entirety, provability, understandability of accounting information
Physical safeguards and security of accounting information
Integrity and protection of assets
Timely provision of accurate and reliable information for decision making



Financial Audit Procedures, Preparations and Execution
The following are the usual stages of the Financial Audit Execution:


Acquaintance with areas which will become subject of Financial Audit
Collection and evaluation of information
Internal control review
Accounts verification – phase of testing and examinations
Audit completion, reporting and follow up.

Acquaintance with areas which will become subject of Financial Audit
Understanding the auditee’s business is an important step in all categories of audit.
This helps the Internal Auditor/inspector to identify risks which could have a
significant effect on financial statements. This can further be analysed as follows:


Acquaintance with legislation relevant for the auditee

laws, regulations and directives effective
legal, taxation or budgetary specific details
special accounting rules
responsibilities related to fund management

Acquaintance with auditee's social and economic environment

overall organisation and structure
organisational charts – task and function descriptions – decision-making system
important external factors
nature and specifics of auditee's activities
strategy and objectives of auditee's management
assess the reporting structure
number of staff and working environment
volume and types of transactions
trends of development to be considered, reforms undergoing
evaluation of events that have happened since the beginning of year and after the
financial statements have been produced

Acquaintance with auditee's accounting and financial environment

Accounting, financial and budgetary procedures
Managerial arrangements and control mechanisms for funds managed
Chart of accounts, accounting methods and accounting principles
Accounting entries specific for auditee's activities
Accounting cycles (periods), chains and assignments to be subject of Audit
Forms of accounting records
Types of accounting books, accounting documents and written documents

Way of starting, registering and accounting each of transactions
Possibility to track back the overall course of transactions
Cash operation management
Financial statements, accounts, administration and control system to adhere to the budget
Actual state and frequency of financial control execution
Budgetary items, allocations and resource consumption

6.4.5 Acquaintance with auditee's data processing environment

Staff, level of education accomplished
Configuration of computer technology and systems
What software has been established? Do they cover 100% of financial operations?
How are transactions processed and registered in contrary (adverse) cases?
What about protective and security systems? Are they reliable and applicable?
What systems are used for data archiving?
Are there any monitoring tools in place that would monitor systematically execution of controls in the overall course of operations?

6.4.6 Evaluation of processes should cover:

1. Management and Strategy (does it exist or not?)
a) Organisation structure
b) Clear identification of powers and authorisations
c) Transparent, generally applied valid procedures
d) Goals and objectives, strategies of achieving objectives
e) Performance indicators
f) Measures to identify risks and areas to be improved
f) Actual risk management culture
g) Information system to identify internal or external information necessary for management
h) Communication system to provide proper information to the recipients within the deadlines set.

2. Accounting – Budget – Reporting
After the initial overall evaluation of accounting, financial and information systems, the internal auditor’s/inspector's role shall be to focus on areas linked with potential financial and system-based risks in terms of missing or insufficient procedures and controls.

Potential risks in the accounting area may include for instance:
a) Unrealistic asset values
b) Cases of negligence in maintaining accounting records
c) Accounting documents lacking for some accounting entries
d) Accounting entries with incorrect amounts
e) Accounting entries made on incorrect account
f) Chart of accounts applied incorrectly or not adjusted

g) No accounting entry made where it should have been made or wrong accounting entry and final balances not explained or unchecked accounting records corrected incorrectly
h) Disputable state of accounts due to the fact that the auditee concerned does not do any accounting entry or does not report any accounting entry in the period which such entry is related to in terms of time or its subject matter (hereinafter referred to as the “Accounting Period”)
i) Concerns about reliability of auditee's financial statements or management schemes

Potential budgetary risks may include:
k) Risks linked with respecting of the budgetary indices
l) Risks of transparency, completeness and reality of the budget
m) Risks connected with budgetary measures
n) Risks connected with the budget observation
o) Risks connected with other than budgetary sources
p) Other risks – for instance: failure to observe the limits of accounts, budgetary structure etc.

6.5 Review of Financial Processes

6.5.1 Budgeting
Activities involved
The key areas that an auditor/inspector should focus on include budget:
- Formulation
- Approval
- Execution
- Control

Key Control Objectives:
To ensure that,
1. The ministry’s budget is prepared in accordance with the laid down regulations and instructions.
2. There is effective monitoring of expenditure and revenue against estimates
3. The budgetary control is effective.

Key Risks
- Poor quality budget estimates because of the wrong budget estimates being used.
- Government’s priority areas may not be catered for as per the set plan.
- Inadequate monitoring and reporting results into overspending and under collection

Important Records needed for the audit
At the start of the audit, the auditor/inspector should request for the following.
1. Approved budget
2. Development Plan
3. Budget Work Plans
4. Vote books

Budget Audit Programme
Audit Programme Tasks

Budgetary Preparation
· Review,
- The various departments’ annual work plans and budgets.
- The annual plan and budget approval.
· Review the personnel charged with budgeting.

Budgeting, Monitoring and Control
· Examine the vote books and confirm that the vote books correctly record the amounts as per the approved budget estimates.
· Examine the vote book and confirm whether the expenditure budget has been adhered to.
· Review appropriate reports to confirm whether the actual expenditure against budget estimates are monitored by the relevant parties.
· Through discussions with the Head of Finance and review of relevant reports, confirm that there is monitoring of actual revenue against the set revenue estimates.
· Ascertain whether timely action was taken when applying budget revisions.

REVENUES, RECEIPTING AND BANKINGS

Donor Funds
Activities involved
The main emphasis is on the receipt and expenditure of donor funds.

Key Control Objectives
To ensure that,
1. The funds are used in accordance with the set terms and conditions.
2. There is VFM in the utilization of the funds received.

Key Risks
1. Poor control over the funds resulting into loss of future support from the various donors.
2. Failure to fulfil the donors’ set conditions.
3. Inadequacy in the reporting of donor programme support.

Important records needed for the audit
At the start of the audit, the following should be availed to the auditor/inspector.
a) Copies of the agreements that were signed with the donors.
b) A listing of all funds received from the donors.
c) Copies of receipts for the received funds.
d) Bank statements.
e) Copies of Accountability Statements.
f) Copies of agreements with service providers and contractors.

Suggested Sampling
It is advisable to select 100% of all programmes.

Audit Programme-Donor Funds
Audit Programme Tasks

Funds received and the signed agreements
· Contact the donor and request for a schedule of all the funds donated to the entity.
· Use the schedule to confirm that the receipts have been issued for all the received donations. All the donations have been posted in the relevant books of accounts and appear on the bank statements

Stock register-(for non-financial materials donated)
· Ensure that the materials have been entered into the relevant books of accounts e.g. the donor stock record
· Undertake site visits to confirm existence of the materials

Accountability
· Confirm that complete and accurate financial statements are prepared and submitted in accordance with the agreed upon terms in the agreement with the donor.
· Contact each donor and get their view on whether they are satisfied with the way the funds were utilized and accounted for.

Revenue Collection, Receipting and Banking
Activities involved
The auditor’s/inspector’s emphasis will be on all revenue collection and receipting areas.

Key Control Objectives
To ensure that,
A. All revenue is accurately and promptly recorded.
B. The collected revenue is banked promptly.

Key Risks
1. Poor revenue collection.
2. Incorrect revenue accounting and recording.
3. Poor physical control over the collected cash.
4. Under banking of revenue.

Important records needed for the audit
The auditor/inspector should request for the following documents at the start of the audit.
a) Organizational chart.
b) Revenue registers.
c) Register of receipt books.
d) Register of paying-in books.
e) Daily cash and cheque summaries.
f) Cash books.
g) Bank statements.

Suggested Sampling
It is advisable to select 100% of all the previously issued receipt books.

Audit Programme-Revenue Collection, Receipting and Banking
Audit Programme Tasks

Preparation and banking of Receipts
· Ensure that the authentic signature for the officer responsible for signings is on the cover of each and every receipt book.
· Confirm that the details on the receipts are legible.
· Ascertain that receipted monies were banked intact.
· Match receipts to the amounts banked and the details on the bank statements.
· Ascertain that the amounts in the revenue collector’s cash book agree with the bank deposit slips.
· Trace the deposits to the main cash book

Receipt Register Integrity
· Using the receipt register, validate the authenticity of the signature of the person signing on the receipts.
· Reconcile each revenue collector’s receipt books to the central receipts register.
· Physically inspect all the unused receipt books and ascertain that their sequences agree to the receipt register
· Examine the receipt register and ascertain that all issued receipt books were signed for.

Posting and Accuracy
· Check the casting and balancing of the receipts cash book.
· Post the receipt totals to the general ledger

PAYMENTS

Salaries, Pensions, and Gratuities
Activities involved
Under salaries and pensions, the following are of emphasis.
- Appointment.
- Salary levels.
- Gross pay.
- Compulsory deductions.
- Employee Training etc.

Key Control Objectives
To ensure that,
a) The set procedures are adhered to.
b) The maintained records are adequate and accurate.
c) The right security measures are in place to safeguard monies/cheques to be paid out.

Key Risks
1. Salaries paid may not be authorised.
2. Failure to comply with the set regulations and guidelines in the recording, paying and reporting of salaries/pensions.
3. Incorrect posting of the payments in the ledgers and the cash books.

Important records needed for the audit
The following records should be requested for at the start of the audit.
a) The current approved salary structure.
b) Staff records (of the selected sample).
c) Advances register.
d) Overtime register.
e) Time keeping register.
f) Leave records.
g) Training records, and
h) Sickness records.

Suggested Sampling
Select one month’s payroll for your audit (and a 25% sample of all staff).

Audit Programme-Salaries, Pensions and Gratuities

Audit Programme Tasks (Ref 1 to 13)
Task headings: Payroll Payments; Payroll Deductions; Payroll Records.
· Agree 100% payroll payments to the register.
· Using the current approved salary structure, confirm that
  - All posts are paid as per the established grade.
· Review the deductions made and ascertain that they are reasonable.
· Confirm that the contained salary grade in each staff’s record file is the same as that on the Establishment Register.
· Ascertain that there is a permanent record of each employee’s service.
· Ascertain that the necessary changes have been made to the Register, especially with regard to new employees and those who have left.
· Review the casting of the payroll deductions to ascertain that the given total is correct.
· Ascertain that the total amount of the bank transfer instruction is reflected on the bank statement.
· Get a list of the significant allowances/advances and ascertain that the transactions were approved by the relevant person and that the correct procedures were followed.
· Ascertain that the recovered advances have been correctly recorded in the advances register.
· Ascertain that the deductions have been paid to the respective creditors (e.g. URA).
· For the selected sample of the employees, verify that they are actually in existence.
· Check 100% of the net amounts per the payroll to the bank transfer instructions.
· Investigate any large variances found.
· Check that all the amounts tally.

Non-Wage Payments

Activities involved
Such an audit would focus on,
1. Requisitions
2. Authorisations
3. Local purchase orders (LPOs)
4. Receipt of goods
5. Payment vouchers
6. Payments (cash or cheques)
7. Postings in the relevant books of accounts

Key Control Objectives
To ensure that,
· All payments are within the relevant approved budgets.
· The expenditure incurred was approved.

Key Risks
· Wrong posting of payments in the cash book.
· Payment vouchers may not have supporting documents.
· Payment made to wrong persons.
· Non-existent budget allocation for the payments made.

Important records needed for the audit
The auditor/inspector should request for the following documents at the beginning of the audit.
· Cash book.
· Accounting records.
· Stores records.
· Local purchase orders (LPOs).
· Goods received notes.
· Requisitions.
· Copies of bank payment instructions.
· Listing of all the approved suppliers and contractors.
· Approved signatories lists.

Audit Programme-Non-Wage Payments

Audit Programme Tasks (Ref 1 to 8)
· Ensure that the payment voucher has been properly completed and authorised by the concerned parties.
· Ensure that the payment instructions have been recorded in the Payments register.
· Review the purchase requisition, LPO and GRN and ascertain that the appropriate officers have completed and signed on them.
· Ascertain that the expenditure has been charged to the correct vote.
· Ensure that the payment instructions were directed to the correct payee as per the contract.
· Ascertain that the payment voucher is supported by,
  - A GRN from the stores.
  - Copy of the delivery note from the supplier.
  - A supplier’s invoice.
  - A copy of the LPO.
  - A departmental requisition for the required goods/services.
· For fixed assets purchased, ascertain that they are correctly recorded in the fixed assets register by checking from the goods received note to the fixed asset register.
· Ascertain that the payment instructions were signed by the authorised signatories.

Advances and Allowances

Activities involved
The main areas of focus include,
- Personal advances.
- Administrative advances.

Key Control Objectives
To ensure that,
a) All personal and administrative allowances are approved in accordance with the specified rates.
b) The advance accounts are accounted for and well managed.

Key Risks
· Poor control over advances and allowances.
· Improper use of entity funds.

Important records needed for the audit
The auditor/inspector should request for the following records at the start of the audit.
· Advance register.
· Advance account ledger.
· Cash book.
· Payment vouchers for advances.

Audit Programme-Advances and Allowances

Audit Programme Tasks (Ref 1 to 7)
Task headings: Personal Advances; Administrative Advances.
· Ascertain that recoveries are being made according to schedule, and recovery is not overdue.
· For resignations, retirements and dismissals, ascertain that the outstanding advance balance was fully recovered.
· Check salaries to ascertain the necessary deductions were made from the concerned staff.
· Ascertain that the advance was properly authorised.
· Confirm that full accountability was submitted within one month of original disbursement.
· Ascertain that the submitted accountability has supporting documents.
· Confirm that the amounts advanced agree with the amounts authorised.

ASSETS

Non Current (Fixed Assets)

Activities involved
This focuses on assets like,
- Machinery and Equipment
- Buildings
- Roads and bridges
- Land
- Furniture and fixtures

Key Control Objectives
To ensure that there is adequate management of all categories of fixed assets.

Key Risks
· Breach of policies concerning the acquisition and disposal of assets.
· Poor maintenance of the assets.
· Poor control over the management of the assets.

Important records needed for the audit
The following records should be requested for at the start of the audit.
a) Asset register
b) Title deeds and registration documents
c) Cash book
d) Payment vouchers
e) Policy concerning acquisitions and disposal of assets

Suggested Sampling
Select all assets acquired during the financial year.

Audit Programme – Non Current Assets (Fixed Assets)

Audit Programme Tasks (Ref 1 to 15)
Task headings: Asset Acquisition; Operations and Usage; Maintenance; Vehicles.
· Confirm that the policies regarding acquisition of assets were adhered to.
· Ascertain that the title deeds are available and that the ownership is in the names of the entity.
· Ascertain that appropriate security measures are in place to safeguard the assets.
· Confirm that the assets are being used for the tasks that they were intended for.
· Review the maintenance costs and charges made to the ledger accounts and check that they are reasonable.
· Ascertain that the asset was recorded in the general ledger.
· Obtain and review a schedule of the asset balances as per the fixed assets register, add it up, and ensure that it balances, or has been formally reconciled with the related general ledger account.
· Ascertain that a system is in place to record all costs and expenditure for each individual vehicle.
· Investigate any variances found.
· Confirm that a policy for repairs and maintenance of assets is in place and ascertain that it is adhered to.
· Confirm that the vehicles are being used for the appropriate task that they were meant for.
· Examine the log books for the sampled vehicles and investigate the reasons for the low or excessive use.
· Confirm that the correct asset details, costs, and ownership details have been properly captured in the asset register.
· Confirm that the asset cost reflected in the general ledger agrees with the payment voucher.
· Verify a sample of the assets by physically inspecting them.
· Check that stock records like fuel and tyres for a particular vehicle agree to that vehicle’s maintenance card.

Debtors, Prepayments and Advances

Activities involved
This covers the audit of debtors, prepayments, and advances.

Key Control Objectives
To ensure that,
· The amounts in the balance sheet are stated on a consistent basis.
· Debtors, prepayments and advances have been recorded at period end.

Key Risks
· Inaccurate recording of amounts due from third parties.
· Inappropriate valuation of debtors, prepayments and advances.
· Misstatement of debtors, prepayments and advances.

Important records needed for the audit
The following records should be requested for at the beginning of the audit.
a) Schedule of debtors, advances and prepayments.
b) Accounting records
c) List of bad debts and write-offs

Audit Programme-Debtors, Prepayments and Advances

Audit Programme Tasks (Ref 1 to 10)
Task headings: Debtors; Bad and doubtful debts; Prepayments; Advances.
· Obtain a schedule of debtors and prepayments.
· Confirm that the debtors’ balances agree with the debtors’ statement.
· Establish the basis for the provision of bad and doubtful debts.
· Ascertain the debtors/revenues written off during the year.
· For advance payments, check that a performance bond exists.
· Confirm that prepayments are being made according to the established policies.
· Confirm that the schedules add up correctly.
· Where they don’t agree, ascertain that reconciliation was prepared.
· Ascertain that the original payments were authorised.
· Confirm that all write offs were properly approved and accounted for.
· Confirm that the totals agree with those in the debtors’ control account.

Cash and bank balances

Activities involved
The following areas are important.
- Treasury management.
- Cash and bank balances.
- Cash book operation

Key control objectives
To ensure that,
a) All bank accounts are properly reconciled.
b) Cash books are properly maintained and regularly reconciled to the Bank statement.

Key Risks
1. Misuse of funds due to poor control mechanisms

Important records needed for the audit
The auditor/inspector should request for the following records at the beginning of the audit.
a) Bank account details
b) Certificates of bank balances
c) Cheque books
d) Bank reconciliations
e) Cash books

Suggested Sampling
Select 100% of bank accounts.

Audit Programme-Cash and Bank Balances

Audit Programme Tasks (Ref 1 to 10, 12 and 13)
Task headings: Bank Accounts; Reconciliation of cash books with Bank statements; Cheque Control.
· Obtain details of all bank accounts with full titles, account numbers, and authorised signatories.
· Verify the arithmetic accuracy of the reconciliation.
· Get direct confirmation of account balances directly from the banks, and compare them with the cash book balances.
· Confirm that the stock balance of cheques is verified regularly, e.g. once a month.
· For cancelled/spoilt cheques, inspect the cheques to ascertain that they were properly cancelled.
· Check the arithmetic accuracy of all cash books and check every cash book balance to the respective GL accounts.
· Ascertain that a cheque register is in place and that all cheque books in use were recorded down.
· Ascertain the signatures on the cheques.
· Verify the independence of the person responsible for preparing and despatching cheque instructions.
· Confirm that all subsidiary bank accounts are operated on an imprest basis.
· Obtain a copy of the contract and correspondences with the entity’s bankers.
· Confirm that the cheques are kept in a safe place.

LIABILITIES

Trade Creditors and Accruals

Key Control Objectives
To ensure that there is proper and correct recording of creditors and accruals.

Key Risks
· The recorded creditors may not represent all the amounts due to third parties.
· Inaccurate stating of creditors and accruals.

Important records needed for the audit
The auditor/inspector should request for the following records at the start of the audit.
a) Accounting records
b) Schedule of trade creditors and accruals
c) Commitments register
d) Age Analysis
e) Annual Accounts

Audit programme-Trade Creditors and Accruals

Audit Programme Tasks (Ref 1 to 8)
Task headings: Trade Creditors; Non Trade Creditors and Accrued Liabilities; Provisions.
· Obtain a schedule of creditors as at the end of the last quarter.
· Confirm that the creditors’ balances on the schedules agree with the creditors’ statements.
· Get explanations for any material reconciling differences.
· Verify that the basis for this year’s accrued liabilities is consistent with the previous years’.
· Confirm that the basis for the provisions is consistent with the previous years.
· Confirm that the material provisions have been disclosed.
· Confirm that the schedule adds up correctly.
· Ascertain that the creditors’ totals agree with the details in the creditor control account.

Borrowings/Loans

Key Control Objectives
To ensure that,
a) Loans have correctly been recorded in the balance sheet.
b) The loans have been obtained in accordance with the relevant laws.

Key Risks
· Wrong postings in the financial statements.
· Under declaration of the loan amounts received.
· Non compliance with the loan terms.
· The correct procedure was not used when obtaining the loan.

Important records needed for the audit
The auditor/inspector should request for the following at the beginning of the audit.
a) Loans register
b) Accounting records
c) Loan agreement
d) Commitments register
e) Loans ledger

Audit Programme-Loans/Borrowings

Audit Programme Tasks (Ref 1 to 6)
· Verify that the procedure used to obtain the loan was in line with the relevant laws and guidelines.
· Obtain an official statement from the lender and confirm that it agrees with the loan records.
· Ascertain that the loan was used for the purpose it was intended for.
· Review the terms of the loan and verify that they are being complied with.
· Verify that the loan was approved by the responsible officer.
· Confirm that all interest and principal due on the loan has been paid or accrued.

Article 7
Audit Inspection

7.1 Introduction
This article provides the Inspector / the Auditor with an overview of the theoretical assumptions concerning the execution of an inspection in the public administration. The objective of the audit inspection is to determine how well financial transactions and/or operating controls conform to established laws, standards, regulations, policies and procedures. It helps in determining adequacy of internal controls, the accuracy and propriety of transactions, safeguard and accountability of assets and level of compliance with Government laws, regulations and policies and procedures. Inspection promotes standardization, uniformity and consistency in the implementation of Government policies and programmes for improved service delivery across the Local Governments. It is against this background that the inspector MUST first identify and obtain all the applicable standards, regulations and procedures. S/he must then read and understand them prior to undertaking an inspection.

7.2 PAF Inspection Procedures – Overview

7.2.1 Mandate
Public Finance and Accountability Act 2003 mandates Ministry of Finance to inspect Local Governments, Central Governments and other entities to ensure that the funds released to them are used for the purpose for which they were appropriated and properly accounted for. PAF Inspection is carried out to control, monitor and evaluate the performance of Local Governments.

7.2.2 Expected benefits of inspection
When undertaken on a regular basis and in a comprehensive manner, inspection will help the Ministry to:
a) Confirm that projects being implemented conform to the set goals and objectives
b) Review operations and programmes to ascertain whether the implementation is consistent with the regulations
c) Establish whether programmes are being carried out in accordance with the budget, work plans, and in time
d) Identify factors that inhibit satisfactory performance and strategies addressing them are developed and implemented
e) Put in place mechanisms for measuring and reporting the accomplishments of objectives and outputs.

7.2.3 Methodology for inspection
PAF inspection will use the following methodology:
a) Physical visit to the districts, municipal councils and town councils
b) Reviewing of relevant official documents and records
c) Interviewing of key personnel of the local governments
d) Site visits to projects under implementation and those already implemented
e) Recording of the findings during inspection
f) Reporting to the PS/ST, D/ST, DB, AG, and other relevant authorities of the findings.

7.2.4 Criteria for inspection
When carrying out inspections, the Inspectors are expected to follow the following procedures. The areas to be covered include,
§ Health
§ Education
§ Water and sanitation
§ Roads
§ Production
§ Monitoring and accountability.

7.2.4.1 Releases from MoFPED
Confirm that cash released was received and duly recorded in the cash book and that the bank account has been reconciled. Confirm that cash due to lower councils was remitted and recorded. This should be confirmed with the cashbooks, Bank statement and reconciliations. Ensure that all books of accounts are posted up to date i.e. cashbook for general account, Abstracts, ledgers and Vote books.

7.2.4.2 Work plans and progress reports
Obtain work plans from the CAO and heads of departments for the quarter being inspected. Review work plans for the quarter and progress reports and ascertain the absorption of funds per sector identified and analyse the overall fund absorption per quarter. Check with departments on the implementation of the work plans in the quarter and activities which spill over to other quarters.

7.2.4.3 Monitoring and evaluation
Obtain monitoring reports and confirm that they are in line with the work plans and budgets. Obtain minutes of the district council to confirm their involvement in the planning, monitoring and evaluation of the PAF Programmes. Confirm the existence of the following statutory Boards and Commissions namely,
a) Contracts Committee
b) District Service Commission
c) Districts Public Accounts Committee
To confirm their operations and effectiveness, obtain minutes of their meetings.

7.2.4.4 Staffing levels
§ Confirm whether all the positions have been filled
§ Check whether the positions were filled transparently
§ Look at the organization structure of finance, audit and procurement
§ Establish the number of staff on professional training and those who have completed
§ Check on staff deployment.

7.2.4.5 Programme implementation
While at the departments, randomly identify the projects to inspect (Emphasis should be given to projects far away from the district headquarters). The following should be inspected (At least 3 sectors should be inspected in a quarter)

A) Education/UPE Schools
§ Class room construction
§ Pupil enrolment levels
§ Staffing levels
§ School records

B) Health Centres
§ Constructed health centres – check whether the buildings are of quality to match the money budgeted and paid
§ Availability of health workers
§ Availability of records i.e. books of accounts, inventory records, e.t.c.

C) Water and sanitation
§ Water coverage and how it has changed over the periods
§ Boreholes/wells constructed
§ Springs protected
§ Confirming whether it is functioning
§ Confirm the existence of the local water committee

D) Roads
§ Inspect road constructed
§ Check whether drainage has been provided for
§ Maintenance of existing roads

E) Production
§ Check whether extension workers are in place
§ Look at the reports of the extension workers
§ Look at the projects worked on and their impact on areas where they have been implemented.

F) LGDP
§ Check on LGDP funds received
§ Check how the LGDP funds have been allocated
§ Check on LGDP expenditures and accountability

7.2.4.6 Bookkeeping and accountability
Confirm that all books of accounts i.e. cashbooks, abstracts, ledgers, vote books, and payroll are posted up to date and are reconciled monthly. Confirm whether the above books of accounts have been checked and verified by CFO and the internal auditor/inspector.

Accountability
Check for:
§ Compliance accounting procedure, guidelines and regulations followed.
§ Transparency in expenditure framework
§ Accuracy and completeness in transactions
§ Audit queries raised and responses to them
§ whether the figures in the returns submitted tally with the ledgers, cashbooks and abstracts

7.2.4.7 Revenue recording
§ Obtain sources of locally raised revenue and
§ Confirm if all local revenue estimates are shown in the revenue register in accordance with Financial Regulations.

7.2.4.8 Cash books
§ Confirm consistency of opening and closing balances
§ Confirm whether they are reconciled to bank statements regularly
§ Check for the arithmetic accuracy of the balances
§ Check for any unusual items
§ Confirm that each account has a separate cash book

7.2.4.9 Abstracts: Revenue & Expenditure
§ Is there an abstract book showing the funds trail
§ Confirm whether the abstracts were balanced off.
§ Check for arithmetic accuracy
§ Confirm the frequency of posting abstracts

7.2.4.10 Ledgers
§ Check whether ledgers are in place
§ Ledgers should be updated monthly
§ Check for arithmetic accuracy
§ Check the ledgers against the abstracts to ensure that the figures reconcile

7.2.4.12 Expenditure returns
§ Check whether they are comprehensive and timely prepared
§ Do they comply with recommended formats?
§ Establish if the revenue collections are periodically reconciled or registers updated
§ Establish whether the arrears of revenue are recorded and summary submitted to the Executive Council for appropriate action.

7.2.4.13 Remittance of taxes to URA
§ Confirm whether the district deducts PAYE and withholding tax from employees and suppliers
§ Check whether all taxes deducted have been remitted to URA.

7.2.4.14 Internal Audit
§ Obtain a copy of the quarterly audit report.
§ Establish the budget allocation to the audit department, quarterly and annually
§ Establish if management acts on the auditor’s/inspector’s reports

7.2.4.15 Staffing position
Find out,
§ Posts substantially filled
§ Posts acting
§ Vacant posts

7.3 Audit Inspection of Missions Abroad
This consists of the following sub accounts areas:
i. Releases (RBC’s, etc.)
ii. Revenue (visa, passport, any other)
iii. Development expenditure
iv. Remittance to treasury
v. Monthly expenditure

7.3.1 Releases (RBC’s)

Audit Objectives
· To establish whether releases (RBC’s) are receipted and accounted for monthly (monthly returns)
· To ensure that releases are as per the approved budget with the exception of special and supplementary releases.
· To ensure that amounts released are actually remitted and received.
· To ensure that funds released were put to the purpose intended and properly accounted for.
· To ensure that payments for salaries, rent, FSA and other allowances to Mission staff are at the approved scales/rates.
· To ensure that all rent payments for Foreign Service officers are properly supported with tenancy agreements and acknowledgement receipts from the landlords.
· To ensure that all home based Foreign Service officers recalled or who retire from service are deleted from the mission’s payroll promptly.
· To ensure that all payments made were authorized.

Assertions
· Authorization
· Completeness
· Occurrence
· Measurement

Error Conditions
· Remittances not receipted
· Amounts remitted less than those released
· Monthly returns not prepared and sent for audit
· Over payment of salaries, allowances & FSA
· Unsupported payments
· Unauthorized re-allocation of funds

Audit Tests
a) Obtain copies of the budget, releases, remittance advice and mission bank statements and reconcile. Note any discrepancies.
b) Vouch / examine the monthly returns to ensure that there is proper accountability of funds released.
c) Check whether the funds were put to the purpose for which they were requisitioned and note any reallocations.
d) Check whether salaries, allowances and FSA to home based foreign service officers were at the authorized rates/scales
e) Check whether all rent payments were supported with tenancy agreements and acknowledgement receipts from the landlords.
f) Confirm whether officers recalled or those who retire from service are deleted from the mission’s payroll and all their entitlements from the Mission’s funds ceases immediately.
g) Confirm whether payments made to facilitate officers at the mission conforms to the standing orders for Foreign Service.
h) Confirm whether the Mission’s contracts committee handled all procurements and disposals at the mission. Minutes and other correspondences should evidence this.
i) Check whether all payments made were initiated and authorized.
j) Confirm whether there was compliance with the TAI, Public Finance and Accountability Act, Public Procurement and Disposal Act plus other Government regulations and guidelines in the processing of transactions.
k) Check whether the engagement of local staff was competitively done and are paid according to the established local terms of service.
l) Confirm whether funds advanced to officers while on official duties were properly accounted for.
m) Others (please specify).

7.3.2 Revenue and remittances to treasury

Audit Objectives
· To ensure that all revenue to which the mission (Government of Uganda) is entitled is collected.
· To ensure that all such revenue collected is properly accounted for and entered in the records (i.e. general receipt books, revenue abstracts, revenue cash books etc.)
· To ensure that all such revenue collected is banked intact
· To ensure that all revenue collected is remitted to treasury monthly and returns also sent.

Assertions
· Completeness
· Measurement
· Occurrence

Error Conditions
· Non-disclosure of revenue collection
· Unauthorized use of NTR.
· Non-remittance of revenue to treasury
· Circumvention of T.A.I. 2003 (i.e. Collections not receipted, banked intact, collections not posted in the revenue cash book etc.)
· Invalid receipts brought to account.
· Use of Visa stamps instead of Visa stickers

Audit Tests
a) Ascertain details of all sources and rates of revenue to the mission (i.e. visa, passport, rent etc).
b) Compare revenue returns with the general receipt books, revenue cash books, and mission bank statements. Investigate any discrepancies.
c) Obtain details of general receipt books issued by the Treasury to the missions and compare with the serial numbers used.
d) For Mission confirm whether visa stickers are in use as opposed to Visa stamps.
e) Ensure that separate bank account(s) for NTR is/are maintained and regularly reconciled
f) Check whether all collections were banked intact.
g) Ask for proof of remittance to Treasury (i.e. T.T forms and general receipts issued by the Treasury).
h) Investigate any discrepancies between NTR collected and remitted to the consolidated account.

7.3.3 Government Assets

Audit Objectives
· To ensure that all government assets are acquired only with proper authority
· To ensure that all government assets are properly maintained and used only in the execution of government business
· To ensure that all government assets are accounted for, labeled and recorded (assets register)
· To ensure that disposals of government assets are properly authorized.
· To ensure that there was adherence to the Public Procurement & Disposal Act in the acquisition & disposal of Government assets

Assertions
· Existence
· Completeness
· Measurement
· Ownership

Error Conditions
· Misuse of government assets
· Lack of proper documentation
· Unregistered government assets
· Disposals without authority
· Poor maintenance, handling and squalid conditions

Audit Tests
a) Obtain a fixed asset register of all high value government assets
b) Confirm existence by ascertaining the physical location of all high value government assets
c) Ascertain ownership of high value government assets by inspecting the logbooks, land titles/leases, purchase agreements, etc.
d) Trace some high value government assets to the fixed asset register
e) Check/reconcile stores ledgers with physical items in the store.
f) Where there were disposals, scrapping, etc., check whether it was subjected to established government procedures on disposals.
g) Check the physical conditions of the assets and their current state to establish whether their maintenance, handling and storage are appropriate.

7.3.4 Financial Statements (Final accounts)

Audit Objectives
· To ensure that the final accounts portray a true and fair view of the entity as per the available source documents
· To ensure that all relevant books of accounts were opened during the financial year and posted.
· To ensure that all transactions that took place in the financial year were accurately computed, transferred and recorded.
· To ensure that only transactions pertaining to the financial year in question were included in the accounts.

Assertions
· Completeness
· Measurement
· Occurrence
· Existence

Error Conditions
· Omissions of current year transactions.
· Inclusion in the final accounts previous year’s transactions
· Relevant books of accounts not opened or/and posted
· Computational errors
· Unauthorized reallocations
· Unauthorized expenditure

Audit Tests
a) Check whether all the appropriate ledgers were opened up
b) Check whether the amount debited to the exchequer accounts were the approved estimates and supplementary estimates were also approved and properly posted.
c) Check whether the amount credited to the expenditure item ledgers are as the figures approved.
d) Check whether all credits to the exchequer accounts as counter balanced by debits in the cashbook were all authorized cash releases from the treasury and that there were no omissions or other questionable entries.
e) Check whether proper expenditure items in the budget were charged according to the nature of the payments
f) Post all vouchers to the cashbook to detect errors, omissions, and mis-postings.
g) Post all the vouchers to the abstract and the abstract to the ledgers to verify the correctness of expenditure items charged
h) For a given period, cast the cashbook, abstract and ledgers.
i) Check whether re-allocations were approved by the secretary to the treasury
j) Ensure that the trial balance and balance sheet genuinely balance
k) Check whether the financial statements submitted were prepared in the format required by the new chart of accounts.

l) Check whether the figures appearing in the financial statements agree with those in the already checked ledgers.
m) Check whether the necessary footnotes were included in the final accounts.
n) Check whether the accounting officer signed all the financial statements.

7.4 Compliance & Inspection Checklist

7.4.1 Revenue
The objective of inspecting revenue is to ensure that all moneys due to the government are properly and promptly collected, recorded, safely kept and banked as soon as possible so as to minimise losses. It is the duty of accounting officers to ensure that the above is implemented through instituting the necessary procedures and controls.

This checklist provides guidelines in inspecting revenue collections in general and can be easily adopted to help the inspector in checking the appropriation-in-aid (AIA). Remember that it should serve as a general guideline. Inspectors will have to modify their inquiries depending on preliminary findings and the nature of the institution that they are inspecting. They do not have to follow the check list in its entirety but should pick those areas that are crucial depending on the institution's controls and experiences of the previous inspections. Any unusual answers or findings to questions in the above checklist should call for further investigation and satisfactory explanations thereto should be sought.

Inspection Reviews (with columns for Matters Arising, Implication and Management Response)

Bank accounts
For each ministry, agency or institution, check the following:
· Number of bank accounts maintained
· for each of the accounts find out the following:
· name and number
· name of bank where the account is kept
· date when account was opened
· letter authorising the opening of the account
· signatories to the account
· expected sources of revenue
· nature of expected expenditure
· current balance
· is an associated cash book in existence
· is it posted up to date
· check details of credit to the account to ensure it agrees with what was expressed in expected sources of revenue
· check the details of debit transactions in a similar manner

· check bank reconciliation details of the account
  · are they up to date
  · are all direct debits and credits posted to the cash book
· have any transfers been made to and from the account to the consolidated fund
  · how often have they been made
· is the account dormant, if so,
  · when was the last transaction to the account
  · why has the account not been closed

Receipt Books
· Find out the details of the receipt books issued from the Treasury to the ministry or district
  · number of books issued and their serial numbers
  · when and to whom issued, etc.
· Check whether the ministry or district maintains a register for the receipt books
· Find out to whom the receipt books have been issued
· Pay special attention to those books issued to upcountry centres/posts
· Check the register details against the stock of unused receipt books
· Check the used receipt books
  · ensure that they are posted regularly to the cash book
  · ensure all copies of the cancelled receipts are properly marked so and are retained in the book
· Ensure that the correct receipt is issued for the type of revenue (Treasury Accounting Instructions specify two types of receipts: 1001 and 1002)
· Are the receipt books stored in a secure place
· Are receipts issued in a sequential order

Collections recording
· Are collections at the headquarters recorded promptly
· Are the collections from outposts/upcountry centres sent together with copies of receipts to headquarters for recording and banking
· How often are collections from the centres sent to headquarters
· Do the collections tally with receipts records
· Are the collections from the outposts checked for accuracy before processing
· Are the collections checked for accuracy to ensure that the ministry has received the correct amounts from the payer

Collections safeguard
· Are collections stored in a safe area
· Is security provided for transportation of collections to the bank

· Are the collections banked intact
  · are payments made out of collections without authority from the CTOA
  · are there any un-authorised payments?
· How are collections in foreign money handled
  · how soon are they banked
  · is the correct exchange rate utilised
· Are collection shortages followed up and recovered
· How often are surprise cash counts carried out

Cheques and bank drafts
· Those arriving by mail, are they recorded on receipt
  · who opens the mail - should preferably be somebody different from the cashier
· For all cheques and bank drafts - are they checked for accuracy before recording
· When are receipts issued – should be preferably after the cheque or draft is cleared
· If cheques or drafts are dishonoured
  · are they recorded in a register and followed up for collection
  · are penalties recovered from the payers

Returns to the Treasury
· Are they made regularly and on a timely basis
· Are they checked by the Treasury on receipt
· Has the ministry asked for assistance, in case of problems

Budget votes/budget line items
· Are they overspent
· Where did the extra funds come from - ensure it is not from collections

Outstanding collections
· Does the ministry maintain a register of outstanding collections/defaulting payers
· Have steps been taken to recover outstanding amounts

Budgeted appropriation-in-aid (NTR)
· Check the budgeted total AIA
· Is any breakdown for it given in the budget estimates
· Is distribution of its receipt for the year known
· Is total collection still on target to achieve the year's total collection
· Is it recorded in a systematic manner
· Are collections in excess of NTR remitted to Commissioner, Treasury Officer of Accounts

Inter-ministry or departmental transactions
· Does the ministry expect to receive revenue from another ministry or a government funded institution

· What steps have been taken to speed up the collection

Internal control
· Check to ensure that the following functions are carried out by different officers - where possible
  · opening of mails
  · recording of collections
  · banking of collections
  · bank reconciliations

7.4.2 Cash Safeguard and Management

It is the responsibility of the Accounting Officers to ensure that cash is kept safely and that it is only applied for the authorised purposes. Management should therefore ensure that all necessary procedures and controls are in place to be able to achieve the

Inspection Reviews
Check to see whether the following are in place:

Safes:
· are the safes properly installed
· have they been issued by the Treasury and recorded thereat
· are they properly installed - are they easily accessible
· who keeps the keys
· are there any duplicate keys, who keeps them
· is it fireproof

Safe custody of cash in transit:
· how regularly is cash transferred to and from the bank
· who does the transfer - cashier and another individual
· is the transfer done by public means
· is the transfer time varied for security purposes
· is armed escort requested for

Safe custody of cash:
· is cash always kept under lock and key
· does the person receiving cash sign for it and issue a receipt for the same
· are proper hand over procedures followed
· are surprise cash counts made regularly
· are the surprise cash counts made in the presence of the cashier
· are collections banked intact and immediately
· are cash losses reported

Imprest matters:
· Are imprest holders duly appointed?

· are adequate imprest sums held?
· are imprests maintained in accordance with the Treasury Accounting Instructions?

Cheques and drafts:
· are cheques checked on receipt and registered
· are they crossed and stamped on receipt
· are receipts promptly issued for the cheques
· are dishonoured cheques registered and followed up
· are unused cheques stored safely/do they have a register
· where are spoilt cheques stored/do they have a register

Foreign currency:
· how is it handled
· how is it recorded
· when are receipts issued
· is there an undue delay between when it is received and when it is banked

Cash book records:
· Are they kept and are they up to date
· Are they reconciled regularly

Hand-over and take over procedures:
· are they in place

7.4.3 Bank Reconciliation

The purpose of bank reconciliation is to agree the balances of cash in the cash book and at the bank and to ensure that all transactions relating to cash are captured and appropriately recorded. Bank reconciliation is one of the control measures used to ensure that cash is not lost. This is necessary because cash is a fluid asset which is easy to pilfer. It has to be carried out regularly, preferably monthly.

In this process it is therefore necessary to compare the transactions in the ministry cash book with those of the bank account at Bank of Uganda or any other bank where the account is kept and make sure that they are in order. It is necessary to investigate the nature and content of those transactions that appear at the ministry and not at the bank and vice-versa. After establishing the authenticity of the transactions, necessary accounting entries should be made. The exercise should not be turned into a mechanical one; all transactions should be examined and any unusual circumstances should be followed up immediately to ensure that if there are errors, their nature and causes are established and remedial action is taken immediately.

An inspector is therefore expected to pay special attention to bank reconciliation. Any irregularities unearthed here should be followed up vigorously.

Treasury Accounting Instructions require the Accounting Officer to "file for audit purposes and references, reconciliation statements of their bank balances as shown in their cash books, the abstracts of their accounts and any other working papers which may be required to verify the accuracy of their accounts". In addition, "when a bank account is kept, the balance at the close of business on the last day of each month, as certified by the bank, will be reconciled with the balance shown by the cash book in a manner shown on Treasury Form 38 (certificate of bank balance) and the reconciliation statement, together with paid and cancelled cheques, credit and debit advice slips and all other supporting documents will be preserved for audit". The inspector should therefore carry out the following tests.

Inspection Reviews

Cash Book:
· does each bank account have a cash book
· is the cash book posted up to date
· is it properly ruled-off, cast and balances extracted

Bank Statements:
· are bank statements regularly collected from the bank
· are they checked for accuracy in transactions' records
· are bank balances independently confirmed with the bank

Bank Reconciliations:
· are they carried out regularly
· are they based on the previous ones
· are they checked independently
· are they reviewed by a competent staff
· are the reconciliations carried out by the cashier - usually they should not be
· are they carried out by a computer, if they are
  · are they properly filed with the relevant supporting documents
  · are they submitted to the Accountant General as required

Direct Debits:
· these originate from the bank and are shown on the bank statement
· are they investigated when noticed
· are they due to bank errors, if so, has the bank been requested to
  · correct them
· after identification are they recorded in the cash book immediately
· are supporting documents obtained from the bank and filed
· is their origin vetted for authenticity and authorisation

Direct Credits:
· these also originate from the bank
· is the bank contacted immediately for their details
  · nature
  · origin
  · authority
  · etc.
· are they due to errors, if so, has the bank been approached to
  · correct them
· are they recorded immediately in the cash book
· is supporting documentation obtained and filed

Un-presented cheques:
· Are they listed each month
· is the list checked for accuracy
· are those that have taken long to clear investigated
· do they include those that have not been collected
· are uncollected cheques re-banked

Outstanding deposits:
· are the details of these regularly examined
· are they followed up to make sure that they are subsequently banked
· is there a mechanism to ensure speedy banking of collections
· are the delays in bankings intentional, are there any ascertainable trends

Any unusual answers to any of the questions in the above checklist should be thoroughly investigated and relevant explanations and information obtained if it is to be assumed that there is nothing amiss. Any identified problem areas should be discussed with the accounting officer and remedial action should be agreed with him and be implemented.

7.4.4 Budget and Budgetary Control

It is the duty of every accounting officer to ensure that the amount appropriated to his vote is properly and economically spent only for those purposes for which the funds have been appropriated. The Constitution of Uganda stipulates that "The Permanent Secretary or the Accounting Officer in charge of a Ministry or department shall be accountable for the funds in that Ministry or department." Furthermore, accounting regulations require each accounting officer, ".. in respect of the votes and monies for which he is responsible (i) an appropriation for which monies expended were voted, the sums actually expended were voted, the sums actually expended on each service, and the state of each vote compared with the appropriation (as varied by any supplementary estimate approved by the National Assembly before the end of the financial year), which shall contain such additional information and be in such form as may direct and shall be signed by the accounting officer."

An inspector will therefore check the budget lines of each vote to ensure that what has been expended is in line with the Appropriation Act details. Budget control concerns itself with the management of budget allocations. To ensure that this is in order an inspector will check the following:

Inspection Reviews

Vote books:
· does the ministry maintain a vote book
· are the postings to it up to date
· is it accurately posted
· is it checked regularly by a senior officer

Budget lines:
· are these specified
· are they given the right codes
· are their appropriations reconciled with those posted to the vote book
· are they monitored
· has there been a reallocation of funds - has it been authorised
· are they updated with any supplementary
· are any budget lines over committed, and if so have they been reported to the proper authority

Payment vouchers:
· are they properly
  · dated
  · authorised
  · coded
  · filled in
· are they accompanied by proper supporting documents
· are some of the supporting documents photocopies
  · how is their authenticity established
  · are suppliers obliged to pledge indemnity to the ministry in cases where photocopies are accepted as supporting documents
· are payment vouchers bearing a date later than purchase orders and/or invoices
· are payment vouchers properly posted to the vote book and ledgers
· are they properly filed for future reference

Appropriation-in-aid (AIA):
· has it been authorised in the budget
· has it been properly recorded
· is it monitored
· has it been overspent

Prepayments:
· are any payments made in advance
· are they posted to a register opened for this purpose
· who approves these payments - does he have that authority

Authorised officers register:
· is a register of authorised officers maintained
· does it have their specimen signatures
· does it specify the financial limit of their delegation

Foreign payments:
· are these in existence
· have they been properly approved
· are they recorded in the correct manner using relevant currencies

Trial balances and records:
· are these extracted monthly
· are the appropriate returns sent to the Accounting Officer and
  · the Treasury Department

Filing and storage of records:
· are the records appropriately stored
· are they free from dust
· are they protected from floods and fires
· are they easily retrieved

7.4.5 Advances and Prepayments

Advances and prepayments are one of the most problematic areas in the quest to properly control and manage public funds. Year in year out these areas receive mention in the Auditor/inspector General's report for most budget votes as the ones with the weakest controls. As a result a lot of money is lost through advances and prepayments. As an inspector proceeds to check these areas, a lot of care should be taken to ensure that the controls in these areas are not only in existence but are also practised and are reviewed regularly so as to make sure that they remain effective and up to date.

Advances and prepayments require that amounts given or paid out are properly recorded and followed up for accountability. Their records must be thorough: the recipient must be identified, purpose established and the officer to effect the follow up must also be known and he should have the powers to effect the acquittal of the advance or prepayment. Advances include salary advances which should be subjected to the same treatment as other advances. To ensure that all the above are possible, an inspector should utilise the check list below:

Inspection Reviews
· Are registers maintained for advances and prepayments
  · where are they maintained
  · who maintains them
  · are they checked to ensure that they capture all advances and prepayments
  · are they reviewed by a senior and responsible staff
  · are they updated on time with acquittals
  · are reminders sent to the staff regularly
· Are the advances and prepayments properly authorised
  · up to the appropriate limits
  · are they reviewed to make sure that they are relevant
  · are they approved for the right purposes
  · are they applied for the right purposes after approval
· Is it possible to maintain an imprest in place of the advances
· The register should indicate the following - in respect of all advances:
  · date issued
  · amount issued
  · purpose of issue, and acquittal date.
· Are different registers maintained for the following:
  · salary advances (in accordance with Treasury Accounting Instructions)
  · travel advances (internal and external)
  · petrol and car repairs etc.

7.4.6 Payroll

This is another of the problematic areas in the quest to control public funds. It is common to be told that there are ghost staffs on the payroll of ministries and departments. It is therefore imperative that inspectors thoroughly review all transactions associated with the payroll. These are basically to ensure that staff are paid the correct salaries, on time and that proper deductions are exacted from those salaries and are remitted to the beneficiaries on time. The check list below should assist an inspector in this regard:

Inspection Reviews
· How are staff put on or off the payroll
  · who has that authority
  · are staff numbers properly controlled for issuance
  · is his authority free from corruption when it is transmitted
  · does he get feedback by way of report to cross check and ensure that staff put onto or off the payroll agree with his original authority.
· Staff cards
  · are these maintained
  · are they regularly updated
  · are they kept safely to ensure no unauthorised amendments
  · do they contain relevant and crucial data e.g.
    · name of staff
    · staff number
    · date employed
    · date promoted
    · basic pay
    · allowances
    · permanent deductions
· Are staff on payroll compared with the relevant establishment positions
· Are salary payments in agreement with appropriations, if not what are the reasons
· Are the right codes used to classify and post salaries
· Are computations checked for accuracy
  · are unusual payments investigated for accuracy and authority
  · are leave payments/entitlements approved and monitored
  · are any changes to pay checked for accuracy and authority
  · are differences in total salary payments between different months investigated
· Are staff advances properly authorised and followed up for recovery
· Are non acquitted advances recovered from staff entitlements/salaries
· Is a payroll register produced as an offshoot of salary processing
  · is it checked for accuracy
  · filed for future reference and comparison with payrolls of previous or subsequent months
· Are salaries paid promptly and to the right staff or their bank accounts
  · do staff sign for all salaries collected in person (cash or cheques)
  · is their identity verified
· Are uncollected salaries kept safely and re-banked if not collected by staff within a reasonable time.

  · if salaries for particular staff are not collected over several months are enquiries made about the identity and actual existence of such staff
  · are receipts issued for re-banked salaries
  · are uncollected salaries totals compared with those salaries not signed for
· Are staff salary deductions checked for accuracy and sent to the beneficiaries on time?
· Are all statutory deductions made in accordance with the law and remitted on time?
· Are payroll returns sent to Ministry of Public Service for cross-checking?
· Are last pay certificates prepared in accordance with Treasury Accounting Instructions?
· Are payroll staff rotated from time to time?
· Do payroll staff have access to personnel records?

An inspector in asking the above questions should satisfy himself that sufficient controls are in place to ensure that the correct salaries are paid to staff and correct deductions are made from staff salaries and paid to the beneficiaries. Where there is some risk that the controls are weak, an inspector should satisfy himself that no loss has been incurred and then proceed to suggest remedial recommendations and ensure that they are implemented.

7.4.7 Project Accounts

Projects are common in all ministries and departments in Uganda. Projects are usually set up as a result of some agreement. The operation of the project and its accounting records should be guided by the contract. It is important to ensure that the accounting records of these projects are appropriately maintained to the expected standards of government, donors and other stakeholders. An inspector should always make sure that before he carries out an inspection, he is fully conversant with the terms of the contract. The inspector should use the following check list when planning an inspection of a project:

Inspection Reviews
· Establish the project identification number
· Does the project have an agreement stating
  · purpose
  · source of funds
  · objects on which funds will be expended
  · duration
  · when set up
  · conditions attaching to it
· Does the project have a separate bank account(s)
  · where is the account kept
  · who are its financial delegates
  · is the account active
  · if not active, why has it not been closed
· Has the account been approved by the Commissioner, Treasury Officer of Accounts and the Accounting Officer
· Does the project have the following in place,
  · are proper books of account kept
  · are all receipts accounted for
  · are payments properly authorised
  · are bank reconciliations done and properly checked
  · are the internal controls appropriate
· Are reports regularly prepared for the project
  · their format and content in agreement with contract
  · are they reviewed
  · are they audited
· Staff on the project
  · are they civil servants
  · how were they appointed
  · are the accounts staff properly qualified
· Is there a budget
  · has it been properly drawn up by the relevant authorities
  · is it adhered to
  · has it been approved
· Is some of the money invested
  · with prior authority
  · where does investment income go
  · is it authorised
· Check details of money paid into the account
  · are the receipts in accordance with the objectives of the project
  · do they conform to budget expectations
· Check details of payments out of the account
  · are they in conformity with the objectives and budget expectations
· Does the project keep a fixed assets register
  · is it up to date
· Are cash balances carried forward at year end
  · are accounts closed at year end
  · trial balance extracted
  · reconciliations carried out
  · end of year accounts drawn up

7.4.8 Public Debt

The government of Uganda’s public debt accounting records are maintained in the treasury department. One of the divisions of the treasury department is charged with the responsibility of maintaining accounting records of the government public debt, loans and grants. A distinction should be made between loans, public debt and grants. Public debt refers to government borrowing within the economy, loans usually refer to money borrowed from overseas, and grants are donations, usually from overseas. Public debt, loans and grants are a major component of the government annual budget. It is therefore imperative that their records are properly maintained. Inspectors should therefore once in a while check the accounting records of the public debt division within the treasury department. An inspector should use the under mentioned check-list whilst planning an inspection of the public debt division.

Inspection Reviews
· Is there an agreement/contract for each loan
  · has it been properly signed and executed
  · is it filed properly for ease of reference
· Is the loan fully disbursed
· Are the loan repayments being made on time
  · for both principal and interest
  · are repayment schedules in existence
  · are the repayment schedules adhered to
· Are all pertinent correspondence on the loan properly attended to and filed on the correct loan file.
  · has a separate bank account been opened for each loan
  · who are the signatories
  · are movements to and from the account in accordance with the loan agreement?
· Has the project which is associated with the loan been reviewed and monitored
· Was any budget prepared for the project
  · is the loan in accordance therewith
  · is the budget up to date
· Are the amounts to be repaid (interest and principal) budgeted for
· Are the payments processed and remitted in an efficient and effective manner
· Is the loan information properly recorded, summarised, analysed and reported
  · is it possible to easily extract the loan details
  · due date
  · outstanding amount
  · amount repaid to date (principal and interest)
  · etc.

· Are the total loan figures available
  · have they been reconciled.
· Are the loans properly numbered
  · do separate files exist for loans
· Are proper returns and accounts made at the end of each year or end of loan period in terms with the loan agreement
· Is the loan recorded and transacted in the right currency
  · principal
  · payments
· What is the status of counterpart funds
  · are they readily available
  · are they released in accordance with the terms of the agreement
  · are they hampering the success of the project
· Are the loans included in the budget
· Have they received approval of Parliament
  · do they fulfil statutory requirements
· Are withdrawals properly approved by Auditor/inspector General
· Are proper books of account kept
  · trial balances extracted
  · reconciliations done
  · accounts prepared on time
· Are the returns properly prepared and presented to
  · donors
  · government
· Are there other loans for which the government is a guarantor,
  · were they properly authorised
  · are they well monitored
  · are they up to date
  · has Parliament been notified of the same
· Are ministries or departments borrowings approved/notified to the Treasury Department
  · do they have the powers to do so

7.4.9 Procurement and Stores

Government ministries hold a substantial value of stores and fixed assets. It is the duty of the Accounting Officer to ensure that these stores and assets are economically acquired, safeguarded and disposed of in accordance with the given financial regulations and instructions. Inspectors will be familiar with the Treasury Accounting Instructions 1968 – Part II Stores. These instructions are dated and need revision but they still serve some useful purpose. The checklist below is meant to supplement the instructions.

For purposes of this manual, stores do not include fixed assets. The fixed assets have been handled in the next module. The check list looks at the procurement, receipt and storage, issuance and record keeping and reporting for stores. In all these steps it should be ensured that stores are safeguarded and losses thereof are minimised. In planning an inspection of stores, an inspector should refer to the following check list.

Inspection Reviews

Stores procurement
· Who places the orders
  · are they in conformity with regulations in terms of
    · size of the order
    · where to order from - suppliers
· Who initiates the order
  · is it cross checked
  · is the budget line checked for availability of funds
  · is the store checked to find out stock levels
· Once goods are received
  · are they checked against the order
  · is their condition established
  · is a receipt issued
  · are the stock records updated
· Are purchases made on time
· Are they made through the relevant specialist agencies
· Is there an officer responsible for procurement
  · how does he relate to other staff
· What is the procedure for handling overseas purchases
· Are local purchase orders utilised
  · to whom are copies of these forms sent
· Is there a file of financial delegates
· Are tenders advertised - if they are within the required values
· Is the tenders board in place
· Are purchases for outstations properly handled
· Are staff availed guidelines to assist them in purchasing
  · where to buy from
  · who should authorise what amounts
  · list of approved suppliers
  · purchases from overseas or from in country
· If tendering is involved - were
  · tenders properly advertised
  · were applications properly received and evaluated
  · was a meeting appropriately held
  · were the results communicated

Stores Issuance

· Are the goods stored in an appropriate environment
  · aired
  · under lock and key
  · away from water and fire
· When issues are made from the store
  · are they made by an authorised officer
  · is the store checked for availability of the goods
  · are the stock records updated
· Are the goods available in the stores
· Are supplies made to other ministries and departments
  · how are they cleared
  · are payments made between them
· Are qualified staff in charge of stores
· Is entry to the store restricted
· Are book records regularly checked against actual stock
· What procedures are there for reporting stock loss
· Are documents associated with ordering and issuance of stores
  · pre-numbered
  · kept under lock and key
· Is stock taking done regularly
  · is it checked
· Is a reconciliation made between stores requests and stores issues
· Are the forms for requisitioning and issuance of stock serially numbered

Stores Disposal
· How is old and slow moving stock disposed of
· Are the procedures for disposing of non useable stock
· Are boards of survey regularly carried out
· Where do the disposal proceeds go

Stores Payments
· Before payment is made ensure there is a mechanism to ensure that
  · goods have been received
  · proper coding of expenditure has been done
  · payments are appropriately authorised
  · funds are available
· Are there local stores instructions/manuals which should cover the following:
  · receipt
  · custody
  · issue and disposal
  · verification of balances
  · investigation of discrepancies
· Is there separation of duties, these tasks should be kept separate
  · ordering
  · checking deliveries

  · authorising payments

Stores Records
· Does the store keep records
  · are the records up to date
  · are they checked regularly
· Are stores receipts and issues posted immediately and balances determined
· Are corrections appropriately initialled
· Ensure all procedures are properly recorded
· If contracts are involved
  · are they properly tendered
  · registered
  · payments certified
  · necessary guarantees obtained
  · retention moneys held until the completion and review of the contract for quality of work certification

7.4.10 Fixed Assets

Fixed assets have been treated separately from stores but the same procedures and controls relating to acquisition, safeguard and disposal of stores apply equally to fixed assets. Government uses cash basis of accounting. As a result, fixed assets do not usually receive the attention they deserve. They are expensed on purchase and are not capitalised, therefore they tend to disappear from accounting records. However, fixed assets are an important component of government expenditure and therefore require monitoring and safeguard to discourage waste. An inspector should ensure that all fixed assets are captured and recorded in a register for control and monitoring purposes. The check list below should guide him in this regard.

Inspection Reviews | Matters Arising | Implication | Management Response

· Check to see if there is a fixed assets' register. It is imperative that a fixed assets register is maintained as a basis for monitoring and safeguarding the fixed assets.
    · who maintains it
    · is it manually maintained or is it maintained on a computer?
    · is it updated regularly?
    · is it updated each year and are the opening balances verified
    · where is it kept
· Are the assets numbered and branded?
· How are assets disposed of?
    · is proper authority obtained before they are boarded-off?
    · are boarding-off procedures followed?
    · are the assets valued before disposal?
    · how are the sale proceeds handled?
    · are they duly receipted and banked?
· Are the fixed assets verified against the register?
· Review the process of updating the fixed assets register
· Are there land and buildings
    · where are the registers kept?
    · do they have titles
    · are the relevant rents and rates paid?
· Have the assets been revalued?
    · by whom
    · qualified professional?
    · are relevant certificates attached?
· Is the actual existence of the assets verified?
· Has ownership of the assets been verified?
· Have they been registered with the relevant authorities and the appropriate fees been paid?
· Are movements properly recorded?
· Are proper records kept of
    · additions
    · disposals
    · revaluations
· Have the disposals been made to other government departments?

The above check list should assist an inspector to plan the inspection of fixed assets.

7.4.11 Statutory Returns

All ministries and institutions that receive government funding are supposed to lodge statutory returns regularly with the Accounting Officer and/or the Treasury Department in respect of monies received or expended by them. The details and specifications of these returns are given in the Treasury Accounting Instructions manual. They include the following:
· revenue returns
· arrears of revenue
· counterfoil forms
· revenue stamps
· safes and cash boxes

Inspectors should ensure that these returns are lodged on time and should check them for accuracy and completeness by ensuring that they are in agreement with the accounting records and books from which they have been prepared. Inspectors should monitor the regularity by which the returns are submitted and reminders should be sent to errant ministries and institutions. If reminders are unheeded then the inspectors should visit the ministry and find out what the problem is. It may be necessary to assist the staff in compiling the returns.

7.5 Annual Accounts

All ministries and institutions that receive government funding are supposed to lodge their annual accounts with the Treasury Department. All Accounting Officers are meant to submit to the Commissioner, Treasury Officer of Accounts and the Auditor/Inspector General signed statements which include: a balance sheet, summary of revenue and expenditure and a statement of contingent liabilities. More statements which are to be lodged at year end are specified in the Treasury Accounting Instructions.

In order to be able to produce the above accounts and statements accounts, books, ledgers and bank accounts are closed, the necessary reconciliations carried out and trial balances are extracted. It is the duty of the inspectors to ensure that the records and books are properly kept throughout the year to enable extraction of trial balances which will be used to compile the accounts and statements. The format of the accounts and statements is specified in the Treasury Accounting Instructions and this should strictly be adhered to.

The accounts and statements on being received by the Commissioner, Treasury Officer of Accounts should be checked for accuracy and completeness before they are consolidated and submitted to the Auditor/Inspector General's office.

7.6 Inspection of Computerised Accounting Systems

Some ministries and institutions have computerised accounting systems and those that have manual accounting systems are slowly computerising them. It is therefore important that inspectors be versed with computerised accounting systems if they are to carry out effective inspections.

The inspector will need to be familiar with the accounting system. He will have to know its component parts, the source documents, the processing and the reports it produces. The system will usually consist of a general ledger, cash book and several other sub-components e.g. payroll, inventory, fixed assets etc. The system should be documented and it should have user manuals. The inspector ought to be able to understand them. He should request the accounts and data processing staff to help him understand the system and how it operates. It is only after he has acquired this understanding that he can carry out meaningful inspections.

The source documents and the reports are generally not problematic because these can be seen. However the processing of the data takes place within the machine and it is not visible. The inspector should therefore seek assurance that what comes out of the machine is what he expects. He will be able to get that reassurance if he knows the various components of the accounting system.

Inspection Reviews | Matters Arising | Implication | Management Response

The inspector should always assure himself that the following are in place:
· The system is documented
· The system has user manuals
· Access to the computer is controlled through use of
    · physical access limitations
    · passwords
· Data is checked for correctness before it is input to the computer through use of
    · batches
    · check digits
· Data once input will not be deleted or overwritten without proper authority
· All processing failures are logged and enquired into
· Backup is carried out regularly and backup files are stored off site
· Data processing staff are readily available to deal with breakdowns
· Check the output reports for accuracy

Article 8

Performance Audits

8.1 Introduction

Performance auditing is an independent examination of the efficiency and effectiveness of government undertakings, programs, organizations, with due regard to economy, and the aim of leading to improvements. It is an independent examination made on a non-recurring basis.”

8.2 Definitions

The INTOSAI auditing standards define performance audit as an audit of the economy, efficiency and effectiveness with which the audited entity uses its resources in carrying out its responsibilities.

INTOSAI standards state that performance audit is an:
a) Audit of the economy of administrative activities in accordance with sound administrative principles and practices, and management policies.
b) Audit of the efficiency of using human, financial and other resources, including examining information systems, performance measures and monitoring arrangements, and procedures followed by audited entities for remedying identified deficiencies.
c) Audit of the effectiveness of performance in relation to the achievement of the objectives of the audited entity, and audit of the actual impact of activities compared with the intended impact.

8.3 Questions Answered by a Performance Audit
· Are things done in the right way?
· Are the right things being done?

8.3.1 Special Features of Performance Auditing
· Flexible in its choice of subjects, audit objects, methods, and opinions.
· Not subject to specific requirements and expectations.
· It does not have its roots in the form of auditing common to the private sector. Its roots lie in the need for independent, wide-ranging analyses of the economy, efficiency, and effectiveness of government programs and agencies made on a nonrecurring basis.

8.3.2 Objectives of Performance Auditing
· to provide the legislature and audited entities with independent examination as to the economy, efficiency and effectiveness of implementation of practices in certain governmental programmes and to the economy, efficiency and effectiveness of the means used in order to implement it.

· to identify and analyse any problems of economy, efficiency and effectiveness in government programmes and in the field with poor performance, and thus help the Government of the audited entity to make correct managerial decisions
· to report on the programme impact and to analyse the achievement of the stated objectives. If these have not been achieved (partially or totally) the causes will be identified
· to provide the legislature or the audited entity with results of independent analyses related to the currency and the degree of credibility of stated performance indices. It also provides an assessment of the degree of liability of self-evaluation indices stated and reported by the entities developing programmes of managing public funds.
· to formulate recommendations intended for the legislature and the audited entity, based on the findings and conclusions resulting from the auditing

8.4 Concepts in Performance Auditing

Performance auditing is based on three concepts:
1) Economy - Minimising the cost of resources for an activity, having regard to proper quality.
2) Efficiency - The relationship between the output in terms of goods, services or other results, and the resources used to produce them.
3) Effectiveness - Effects compared with goals and related to the resources used to achieve these goals.

8.4.1 The Economy Approach

The auditor/inspector focussing on economy has to define expenditure correctly. Some of the questions dealt with include,
· To what extent are resources like raw materials, equipment etc. acquired at the best prices and to what extent are they the right resources?
· How does actual expenditure compare to the budget?
· To what extent are all resources utilised?
· Are the staffs often unoccupied or are they fully utilised?
· Is the organization using the optimum mix of inputs (e.g. should less staff have been employed and more money spent on computers)?

8.4.2 The Efficiency Approach

The auditor/inspector aiming at measuring efficiency has to start the audit by first analysing the different types of output of the ministry or department being audited. Questions that may be used in the efficiency analysis of a particular project, ministry or department are,
· Could the project have been implemented in another way which could have resulted in lower production costs?
· Are the working methods the most rational ones?

· Are there any bottle-necks which should have been avoided?
· Is there any unnecessary overlapping in the delegation of duties?
· How well do the different units cooperate in promoting the common goal?
· Are there any incentives for the staff involved to aim for cost reduction and to complete the work on time?

8.4.3 The Effectiveness Approach

If the auditor/inspector is focussing on effectiveness, he will start by identifying the goals of the programme and operationalise the goals to measure effectiveness. The auditor/inspector will also need to identify the target group for the programme and search for answers to questions like,
· Has the goal been achieved at a reasonable cost and within the set time limit?
· Was the target group defined correctly?
· Are the objectives of managerial policy being achieved with the means used, i.e. are the predicted results being obtained?
· Are the means used and the results obtained compatible with the objectives of the managerial policy?
· Does the predicted impact represent direct results of the managerial policy rather than one due to other circumstances?

8.5 Approaches to Performance Auditing

There are two approaches.

1) The Results-Oriented Approach
This approach deals mainly with:
- the performance results,
- the results obtained,
- the fulfilment of criteria and the observance of requirements.
This approach analyses the resulting performance in the context of economy, efficiency and effectiveness by comparing the auditors'/inspectors' observations to the given norms (goals, objectives, regulations, standards etc.) and the audit criteria defined before the complete study begins. Auditors/inspectors may work with experts in the field in order to set up criteria that are objective, relevant, reasonable and attainable.

2) The Problem-Oriented Approach
The purpose of this approach is to deliver updated information about the problems and how to deal with them. In this type of approach,
· The auditing is concentrated on problem identification, verification and analysis, without pre-defined auditing criteria.

· The starting point is the indication of shortcomings and problems (malfunctions).
· There is formulation of questions like: do the stated problems really exist? how can they be understood and what causes them?
· The auditor/inspectors formulate hypotheses on the causes and possible effects of these problems and test them.

8.6 Performance Auditing and the International Auditing Standards

The international auditing standards that regulate the activity of financial auditing are also applied to performance auditing.

8.6.1 Common Provisions

There are common provisions related to:
- audit planning (examples: the risk is assessed in both audits),
- audit approach,
- assessment of accounting and internal control systems,
- audit evidence,
- audit documentation,
- audit quality.

8.7 Performance Audit Methodology

Performance auditors/inspectors may deal with a multitude of topics and perspectives covering the entire government sector. Many methods for collecting and processing information may be used. The methodology is almost similar to that used in other audits.

8.7.1 Summary of the Methodology
1) Planning - The process of defining issues or problems to be studied
2) Audit Questions - The questions to be answered
3) Study Design - The information needed and the study to be done
4) Audit Program - The type of investigations to be conducted
5) Data Collection - The techniques for data collection to be used
6) Analyses - The explanations and the relationships to be explored

Even though these steps constitute the performance audit methodology, it must be stated that a performance audit must also always be based on such issues like individual insight, experience, imagination and creativity.

8.7.2 The strategic performance audit plan
· This defines the department’s performance audit programme and priorities and the necessary personnel and resources.
· It is founded on a good knowledge of audited fields, the changing environment and the opportunities presented to the department.

· It needs to be flexible enough to allow new topics that emerge during the year to be introduced.
· Unlike a financial audit, which aims to reach an opinion on the completeness and accuracy of financial statements and the legality and regularity of underlying transactions, with performance audit the audit institution is free to choose the audit topics and audit objectives.

8.7.3 Defining fields and selecting studies

Selecting studies includes:
a) the preliminary documentation and understanding of the activity of the entity,
b) identifying risks to performance,
c) evaluating of parliamentary and public interest,
d) choosing topics,
e) setting priorities.

8.7.3.1 Preliminary documentation and understanding of the entity’s activities

In order to achieve this purpose, the auditor/inspectors must identify the important aspects of the environment in which the entity develops its activity, mainly by collecting information related to:
    · The entity’s objectives.
    · The entity’s legal framework.
    · The organisation and structure.
    · The environment in which the entity operates.
    · The incomes.
    · The resources, including assets.
    · The human resources from a qualitative and quantitative point of view.
    · Geographic considerations.
    · The entity’s reporting obligations.
· The auditors/inspectors must also seek to identify the main sources of audit evidence.
· To obtain the information and understand the entity/activity/project, the auditors/inspectors will refer to the financial audit reports and working papers, reports of previous audits, the business plan, the static plans of the entity, the government and entity publications, and any research from the academic world.
· The information obtained may be summarised in a standard document called a “programme analysis”*. The programme analysis includes the following rubrics: objectives, inputs, processes, outputs, variables, and outcomes.

Here, the auditor/inspector,
· Identifies the outcomes the entity aims to achieve.
· Looks for objectives that are specific enough to be measured.
· Discusses aims and objectives with officials to clarify any ambiguities and identify any that are unstated.

· May analyse information on entity incomes and expenditures (detailed by programmes and elements).
· The auditor/inspector should also identify and contact certain persons with an interest in the subject matter being considered.
· These persons can be “key persons” from the audited clients or beneficiaries of public services having commercial relationship with the entity, experts from the academic field or researchers etc.

8.7.3.2 Identifying risks and assessing the quality of management
· This stage is fundamental. There is no universal formula to establish areas with high-risk.
· There should be an ongoing survey of the governmental activities, of the allocation of public funds and of the management of these funds.
· Auditors/inspectors must take into consideration that some activities carry an inherent risk.

Factors that may warn of existence of risk
    · Unjustified expenditures, exceeding the provisions.
    · Cost increases and significant failure to meet deadlines in the case of certain projects.
    · High levels of public budgetary debts.
    · Complaints, litigations and reactions of the representatives of consumers’ groups concerning the quality of services.
    · New initiatives inappropriately founded.
    · Contracts assigned without a competitive process.
    · Internal systems (of accounting and of control) organised or managed inappropriately.
    · Untouched or partially touched economic objectives.
    · Significant losses due to natural disasters, theft or extravagance.
· The auditor/inspector should rank risks depending on their probability of occurrence and their impact.
· Auditors/inspectors should seek to identify the causes, and effects.

8.7.4 Selecting topics

To better deal with this, the auditor/inspector should ask the following questions.
· Was the programme well implemented?
· Were the objectives achieved?
· Are the economy, efficiency and effectiveness at risk?
· Will the study give something new on performance improving?
· Is this the appropriate moment to perform the audit?
· Is it possible to perform the study?

· What is the outcome likely to be?
· What is the opinion of the entity about the study idea?

8.7.5 Setting priorities

The main criteria that underlie the priority of a matter are:
· The responsibility towards the parliament and the citizens
· Improving performance auditing.
· Provide a balanced programme of performance audit.

8.7.5.1 Possible areas for selection

In drawing up performance audit programme it will be important to select matters that cover a large area of studies, such as:
· Studies performed in areas with high levels or cases of frauds or illegalities.
· New governmental initiatives.
· Studies of assessment of managerial performances in fields as: public acquisitions, project management, service quality.

8.7.6 Elements of a study proposal

For each study, there are 2-3 proposals after answering with “yes” to the questions presented above and after ordering them on priorities. The study proposals must be clearly and concisely formulated in a brief notice which will include the following elements:
· What the study is about (the department or the departments, the analysed aspect, processes and resources).
· The motivation of the proposal to perform the study (the existence of the risk in performance achieving, user reasons, the parliament and public concern).
· What questions will be asked, and how we propose to obtain and interpret audit evidence.
· The main methods to obtain and analyse data and information.

8.7.7 Planning the audit activity
· This comes after the study selection.
· It involves a preliminary study and drawing up an audit plan for each selected study.
· Always perform a preliminary study before drawing up the performance audit plan.
· The report on the preliminary study should confirm whether the study is well founded and whether it should be completed.
· It should also include an analysis of the context for the activities involved including the objectives, criteria, legislative environment and the questions.

8.8 Understand the entity’s activities
· The auditor/inspector should start by obtaining the information necessary to understand the entity activity, including the objectives of the audited programme or activity. This is achieved by:
    · Visiting the entity locations.
    · Performing interviews with “key persons”.
    · Understanding key systems of management and information flow.
    · Consulting experts, academics, bidders and representatives of the beneficiaries related to the entity activity.

8.8.1 Auditor’s/inspector’s role at this stage
· Gathering enough evidence to formulate questions.
· Evaluating whether the study could improve the situation.
· Setting up criteria for performance assessment
· Selecting the most appropriate methods of obtaining other reliable, relevant and reasonable evidence.

8.9 Deciding on the main elements of the study
· The auditor/inspector formulates “the audit objectives”, i.e. “the stated results of effects of the study” and may revise the main questions formulated in the selection stage.
· The audit objectives should improve the performance.
· Questions are determined by the nature of topic and by the audit objectives.
· The situation-complication technique is used to clarify the main questions of the audit.
· The term situation defines a brief description of the main study topic.
· The term complication defines the problem or the problems arising out of the situation, and is the reason for the study.

Example 1: Study of implementing a new informatics system.

Situation: To improve efficiency, a Department intended to introduce in 2001 a new computer system for which there were allocated 600 millions lei with an estimated increase of efficiency of 50 millions lei starting from the next year.

Complication: The computer system was purchased at a price higher than expected by 200 millions lei, the implementation was done 5 months later than planned and the efficiency level is lower than expected.

Question: Was the project well managed?

8.10 Analysing the main study question into sub-questions
· The main questions are divided into secondary questions.
· From these, the auditor/inspector should formulate hypotheses and identify the audit evidence that can validate or invalidate the hypotheses.

Hints
It is necessary:
· to formulate questions in a logic and strict succession:
    · in a logic order – Were the acquisitions well planned? Were they well done? Was the contract executed?
    · in a structured order – Is the department A efficient? Is the department B efficient? Is the section C efficient? etc.
    · depending on objectives – Are social indemnities paid to the right people? Are the stated quantum paid?
· to abandon unessential questions.

Example
Main question – can the purchasing of a new informatics system assure the performance?
There are three secondary questions:
1. Did the entity make the acquisition according to the regulations in force?
2. Does the informatics system satisfy the needs of the users at a reasonable cost?
3. Did the entity survey the observance of the contractual clauses by the supplier?

Secondary question (level 2) – Does the informatics system satisfy the user needs at a reasonable cost? – may be divided in other three secondary questions.
2.1. Were the requirements for the system clearly formulated from the beginning?
2.2. Do the contractual clauses concerning the service comply with the requirements?
2.3. Was a good price obtained?

The secondary question (level 2.3) – Was a good price obtained? – is divided in other three secondary questions:
2.3.1. Was there a correct competition for the contract adjustment?
2.3.2. Was the competition maintained during all the contracting process?
2.3.3. Were the different forms of public acquisitions taken into consideration?

8.11 Identifying criteria
· These are the standards used to judge (evaluate) the performance achievement.
· Auditors/inspectors should verify that the criteria are:
    · Reliable
    · Reasonable
    · Tangible
    · Valid, and
    · Based on authorised sources

· The auditor/inspector should consider both the quantitative criteria (numeral) and the qualitative criteria (good practice in a certain field).

8.11.1 Examples of authorised sources
    · Legislation, official policy declarations, standards, process description.
    · Relevant performance objectives and tasks (published).
    · Departmental guides and regulations.
    · Managerial practices accepted by the departments.
    · Industrial standards and other relevant indices.
    · Contractual requirements.

8.12 Identifying the Audit Evidence That Answers the Study Questions
· Audit evidence are documents and information collected by auditor/inspectors, in order to support findings, conclusions and recommendations included in the audit reports.
· The INTOSAI Auditing Standards state that “Competent, relevant and reasonable evidence should be obtained to support the auditor/inspector's judgement and conclusions regarding the organisation, program, activity or function under audit (paragraph 3.0.3 (e))”.

8.12.1 Role of the auditor/inspector

The auditor/inspector should,
    · Identify, collect and analyse audit evidence related to the inputs, outputs and effects, and to the public perceptions or opinions (for instance public opinion about public services).
    · Collect audit evidence to answer the lowest level questions.
    · Take into account any limits that they can find in formulating conclusions.

8.12.3 Characteristics of audit evidence
· Audit evidence is only reliable if the information and data obtained by the auditors/inspectors is:
    · Sufficient
    · Appropriate (in order to achieve the audit objectives)
    · Objective
    · Reliable

8.12.4 Considerations in assessing reliability of evidence
· Audit evidence from sources external to the audited entity are much more consistent than ones placed inside the entity.
· The audit evidence obtained as documents are more consistent than verbal (oral) ones.

· The audit evidence directly obtained by the auditor/inspector are more consistent than those indirectly obtained.
· The original documents are more consistent than copies, but if the original documents are copied by the auditor/inspector, then he must note the source and the date of photocopy.
· Oral audit evidence corroborated with written evidence are much more consistent than isolated oral audit evidence.
· The corroboration of evidence obtained is a secure technique to consolidate its reliability.

8.12.5 Types of audit evidence
· Audit evidence is:
    · Used to demonstrate whether the management and the personnel of the audited entity perform its activity according to the operative principle stated by policies and standards adopted, used the resources in an economic, efficient and effective way.
    · Instrumental in protecting the audited entity in its relationship with other entities.

Types of audit evidence include,

a) Physical audit evidence
· Obtained by direct observation of the persons and events
· Takes the form of photos, diagram, and graphical maps and other forms and representations.

b) Oral audit evidence
· Takes the form of declarations, which frequently are answers to interviews, opinion tests etc.
· The declarations are usually obtained from the entity employees, the beneficiaries of the audited programme, experts and special advisors hired to give support in providing additional evidence and even from the representatives of the public opinion.
· The sincerity of the persons interviewed, their position inside the entity, their level of knowledge and the desire to collaborate determines the relevance of such evidence.

How Declarations are consolidated as audit Evidence
This is done by:
· Getting a written confirmation from the person interviewed.
· Subsequent verification of recording.
· Soliciting independent sources that relate similar facts.

c) Testimonial audit evidence
· Is obtained through documents.
· It can be presented in written or electronic form.
· Evidence by analysing:

    · External documents such as: letters and memoranda received by the audited entity, external correspondence
    · Inquiries from suppliers
    · Leasing contracts, other contracts
    · Reports of external auditor/inspectors, other reports
    · Confirmation letters from third parties.
    · Internal documents (issued by the entity), i.e. accounting, entity description, budgets, internal reports, static synthesis of the activity carried out by the entity, internal policies and procedures.

d) Analytic evidence
· Obtained by verifying the explanation and the analysis of data related to the activities on implementing a programme by the audited entity.
· Usually numeral (i.e. assessment of the result of using resources or the ratios of budget expended), but they may also be not numeral (i.e. noting a growing trend of a certain type of contestations in the audited entity).
· The analyses mainly suppose: assessments (evaluations) of indices and trends obtained from the audited entity and from other sources. Logically these indices and/or trends are compared to the recommendations of standards applicable in the field or of certain technical guides (if the case stands).

8.12.6 Selecting the methods to obtain and analyse audit evidence

The audit evidence may be obtained by:
    · Visiting the locations of the audited entity in order to analyse the different documents existing in files or to perform interviews with key persons.
    · Sending letters or addressing questionnaires that include a list of questions on the audited matter.
    · Analysing a representative sample.

Analysis of files
· The auditor/inspector should use professional reasoning when choosing the most appropriate methods and techniques to obtain audit evidence.

Analysis can be by:

Observation
By studying the general behaviour of the entity personnel one can obtain information related to:
    · sensitive problems,
    · the management ethics and
    · the relationship between the entity personnel and the public/beneficiaries of public services.

· Auditors/inspectors should only choose those activities which will be directly observed, by selecting activities appropriate for observation and that are representative for the audited field.
· Auditors/inspectors must obtain behaviour similar with auditees’ behaviour.
· Photos, video or audio recording give value to direct observations. In such situations the auditor/inspectors will refer to the quality management of the entity in order to obtain the approval for using this technique.

Using Questionnaires
· Are used to highlight facts or opinions
· If the entity has regional locations, then questionnaires are sent by mail, but the inconvenience is that those who are interviewed may not answer, complete it with errors or it may be late.

8.13 Selecting the Methods of Interpreting Audit Evidence

In performance audit the audit evidence can be explained by using the following methods:
    · by completing tables and designing graphical representation in order to summarise quantitative data and information,
    · drawing up and analysing diagrams,
    · calculation of performance indices (cost on product unit, income produced by each person),
    · describing and analysing process in a flowchart,
    · analysing the relationships between variables,
    · completing a matrix and performing a comparison between criteria and conditions.

8.14 The Preliminary Study Report
· This shows the motivation and the procedure that the auditor/inspector intends to use to perform the study, including the auditing objectives, the updated results and the legislative framework.

8.14.1 Contents of the report
a) The study scope and costs and the estimation of the publishing moment.
b) The analysis of the context in which the activities of the entity proposed for audit are carried out.
c) The risk analysis in achieving the performance.
d) The audit objectives (stated impact and audit effect).

Test relations process-effect. outputs and/or effects? 8. A matrix is used to: .Describe audit evidence which does not sustain that the effect is determined or influenced by the process. the auditor/inspector should perform an assessment so as to ascertain the consistency. Entity Were tenders invited to send offe rs? Was the specification drafted? Contract A B Ö Ö X Ö C X X D Ö Ö E X Ö F Ö Ö Was a contracting collective created? Was a project manager appointed? Ö Ö Ö Ö Ö Ö X Ö Ö Ö Ö Ö 8. · · · After summarising the audit evidence. .15. F Coding (ordering by topic and ideas) of the narrative information. results of documents analysis. the entity’s activity. .GOVERNMENT OF UGANDA INTERNAL AUDIT & INSPECTION MANUAL 8. i. Analysing and Interpreting Audit Evidence 8.15 Summarising.1 Summarising data and information The auditor/inspector can use any of these methods: F Tables – statistical data. Matrix and diagrams will be used to summarise data and information of a process in order to interpret them.e. in case of audit evidence which generate doubts. Data and information are coded depending on topics and ideas.2 Analysing causes and effects · This is after audit evidence has been summarised and analysed.Describe audit evidence which sustain that the effect is induced or influenced by the process.15.3 Studying the causes · · A process-effect matrix is used to understand how a certain process determines and influences the effect. · The auditors/inspectors start their interpretation using a procedure that takes into consideration four main elements: § § Criteria: What should be? Condition: what is. notes during the interviews and focus groups and responses to open questions of the questionnaires. so that the auditor/inspector may perform comparisons and other analysis. . results of observations.15. responses to close questions of questionnaires.

An appropriate documentation is important if we take into account that it: § confirms and sustain auditors/inspectors conclusions and recommendations.16 Documentation The auditors/inspectors have to appropriately document audit evidence (the results of the analysis) in order to sustain conclusions and to confirm that the audit was performed according to the standards of performance audit. The auditor/inspector can phrase a conclusion if he finds out that the cause and the effect appears recurrently while implementing a process or carrying out an activity. Reviewing the Evidence The auditor/inspector-in-charge will analyse whether the plan of collecting audit evidence has been achieved. whether answers were obtained to all study questions and whether the results were well documented. Ensure an effective connection between successive audits. which will compare to costs and benefits of programmes of with other unintended effects. and the relation cause-effect. one or more findings can sustain one conclusion. they must formulate conclusions and recommendations. § serves as source of information in the stage of drawing up reports and can give answers to any questions of the audited entity or of thirds. If auditor/inspectors find out that the cause and the effect are recurrent. § assure the recording of the activity carried out for further references. if the following considerations are taken into account: § § § § 8. · The auditors/inspectors must identify and analyse the most important effects. and one or more conclusions are the basis to formulate a recommendation. Usually. A detailed and strict documentation is a premise to maintain an acceptable level of auditing. § contribute to the auditors/inspectors training. § sustains and sometimes provides defence evidence in case of litigates. and one or more conclusions ground a recommendation. § increases the audit efficiency and effectiveness.15. Provides a basis for the audit quality control. 
the findings sustain conclusions.GOVERNMENT OF UGANDA INTERNAL AUDIT & INSPECTION MANUAL 8. Generally. · · · 8. § serves as evidence of the audit compliance with auditing standards in force. defensive basis for the audit opinions expressed in the report. They will approve the documents analysed. .17 It is necessary to exist an appropriate. Allows the auditors/inspectors to more consistently explain to the legislator the findings resulted from the performed audit. actions. § Facilitates the control activity and assure the audit quality.4 Studying important effects.

18 Reporting · · · Every performance audit mission should culminate in drawing up a report. 8. To draw up the audit report. because by key messages can give a vision of the future. § the syntactical presentation of the context of development of activities submitted to the auditing. In this context. § the description of methodologies used in collecting and analysing audit evidence.GOVERNMENT OF UGANDA INTERNAL AUDIT & INSPECTION MANUAL 8. solutions and assurances concerning the economy. and edit it. . (even if it refers to past events). logically based on the conclusions.18. The recommendations.1 Report content Performance audit reports generally include the following elements: § report title. it is important that the information of reports be clear and documented. These reports offer independent information. On the basis of this plan the auditor/inspector will write the report. the auditor/inspectors draft in the first stage a plan of the report. details necessary in view to support the audit objectives. efficiency and effectiveness of public funds use by the audited entities. by précising their sources. including the institutional context. 8. Conclusions on the audit objectives. § the objectives of the activity of the audited entity and the analysis of the perspective analysis related on efficiency. effectiveness and economy.19 Criteria Used to Assess Performance · · · Audit findings considered relevant for the report consignees and users.

Effective performance shall mean to achieve goals and objectives accurately and on time with minimal resource spending. threat or hazard of any type.2 Basic Terminology Adequate control and management mechanisms are in place if the management plans and organises in a way that would provide an adequate certainty that goals and objectives of an organisation shall be achieved in an effective and economic way. 9. Framework and objectives to be achieved by the Internal Auditor/inspector are defined. That means that while projecting the systems the management shall consider the ratio of the resources spent to the benefit to be achieved.1 Manual Purpose and Contents System Audit execution within the overall internal audit framework is dealt with in this manual. The term “adequate certainty” shall mean that the absolute certainty can not be ensured by internal control. it is not a mere adherence to legislation or internal rules of organisation but specific measures adopted to ensure protection of organisation against any impact. Performance shall indicate that the scope of internal control is very broad and that it refers not only to financial aspects but also to the quality of financial information. organisation's growth. In such a case. If the system project is correct. activities should be implemented according to the plan and the results envisaged should be achieved.GOVERNMENT OF UGANDA INTERNAL AUDIT & INSPECTION MANUAL Article 9 Systems Audit 9. yet the procedures are in place that are as efficient as possible. . The process of establishing the systems starts by setting goals and objectives. improving its profitability or efficiency at the costs as low as possible. Potential loss associated with any demonstration of risk. The purpose of this manual is to provide an overview on main tools to be applied for an objective assessment and evaluation of auditee's activities within the system audit. to handle the risks “adequately”. 
Economic performance aspect also shall be included in the term “effective”. measured by costs needed to make the risk under control. Adequate certainty is in place if the adequate measures are adopted to limit biases and deviations down to the tolerance level. Economic performance shall mean to achieve goals and objectives at costs proportional to the risks. etc. improvement of social environment. Mutual links of the concepts or people operating together follow so that the goals and objectives set are achieved.

function or activity. standards and instructions of the organisation management To monitor and revise financial control executions at all levels of activities of the organisation and in all its structures and systems To inform the management on any irregularities or deviations found out with recommendations how to eliminate them To evaluate and ensure that all of the organisation's resources both. manufacturing. finances. system audit is to examine whether or not the systems established provide adequate guarantee that the goals (general statements on what the organisation seeks to achieve. It includes capital acquisition. are applied adequately to achieve the best possible results To pay special attention to the new management trends and systems. time. standards operated. at the same time to propose appropriate recommendations and measure s to the management To verify reliability and appropri ateness of information system at the organisation To audit correctness of development policy implementation. Program shall mean a repeated operation of an organisation of a special purpose. accounting and Government support. to contribute to establish environment open to the new changes and nature of team work To conduct special studies and economic overviews on environment in which the organisation occurs. the program usually ceases to exist. operation and maintenance of the systems where the purpose is to implement goals and objectives of the organisation concerned) and objectives (specific intentions of specific systems. 9. operation. set or selection of concepts. promotion events to attract financial resources (ways how such financial resources are collected). it is necessary to indicate them as operational or program intentions or objectives. activities or employees in some relationships with the purpose to achieve goals and objectives) of internal management and control mechanisms. purchase. Programme results are compared with the programme goals and objectives set. 
capital expenses and targeted Governmental subsidies. equipment sale. human resources. new service. it is an arrangement.GOVERNMENT OF UGANDA INTERNAL AUDIT & INSPECTION MANUAL Operation shall mean a repeated activity of an organisation with the objective to produce a product or deliver a service. Activities may include marketing. financial or operational plans. Goal setting is followed by objective setting and development. Minimal scope of the internal auditor’s/inspector's work includes: 1. performance . Examination and evaluation of adequacy and efficiency of management and control mechanisms and performance quality while implementing the functions assigned – while assessing the system adequacy (for instance. sale.3 System Audit General Description System audit includes: r r r r r r r r To execute a continual analysis of a central authority and organisations reporting to it monitoring thus a correct organisation management. Once accomplished. process. The results of activities carried out shall be compared with the goals and objectives set covering budgets. period of more intensive activity when introducing new product. human and material ones.

its operation systems and adequate use of resources . management and control. their adequacy should be assessed. laws and provisions – Internal Auditor/inspector is to examine whether or not these systems are adequate and efficient and whether or not they comply with the above relevant requirements. Government resolutions (Government regulations) Following objectives shall be met by proper accomplishment of the above assignments through the System Audit conducted: r efficient internal control which will be neither paralysing nor bureaucratic. Implementation of the goals and objectives set for operations or programmes – System Audit should find out whether or not any criteria have been set for this field. 3. damage. and/or exposition to natural disasters. the whole case should be communicated to the competent management level and alternative source of criteria should be recommended such as: r r r Norms and standards recognised Standard s developed by professional or other associations Legislation.GOVERNMENT OF UGANDA INTERNAL AUDIT & INSPECTION MANUAL degrees. Property protection Internal Auditor/inspector is to assess whether or not the tools used for property (asset) protection are secured against different types of damages such as theft. measure. classify and report such information. procedures. It is therefore important to examine whether or not: r r accurate. plans. 2. whether or not any deviations have been identified. 4. objective plans or results projected / expected) are implemented in an efficient and economic way. If yes. If such criteria are not adequate according to the Auditor/inspector's opinion. analysed and communicated to people responsible for their remedy 6. 5. 
Economic and effective resource spending – within this type of Internal Audit the Internal Auditor/inspector is accountable for determining whether or not r r internal standards for measuring the economy and effectiveness have been set internal management acts established have been understood correctly and are followed. reliable. however not of a centralistic nature r achievement of a good organisation operation. Compliance with the principles. complete and helpful information is contained in financial and operational records record keeping and reporting are verified by management and control mechanisms and whether or not they are adequate and efficient. In the framework of a System Audit Internal Auditor/inspectors should assess reliability and integrity of financial and operational information and resources used to identify. incorrect or illegal activity. time. Information reliability and integrity – information systems provide data for decision making.

One of the crucial aspects of an audit is to enhance the organisation's environment by: r r r strengthening the awareness about organisation's objectives and the role of internal control while achieving them motivating staff to propose and implement control processes carefully and continual improving control processes. organisational chart sufficiently detail has to be in place and administrative and accounting procedures available in writing 2. weaknesses enhancing quality in control activities (areas) better overview on control systems in particular units (departments. mistake or neglecting.GOVERNMENT OF UGANDA INTERNAL AUDIT & INSPECTION MANUAL r r r r r 9. standards and management instructions implementation continual improvement of management of organisation on going information communication to the management and finding out any irregularities and also proposals of relevant measures for their elimination to verify how the recommendations and measures approved by responsible employees upon auditor/inspector's proposal are implemented by a range of organisation's departments support of the necessary changes undertaken and encouragement of staff to adapt to the new systems.4 assurance of policy. efficiency and effectiveness of operations. reliability of financial reports presented and compliance with the laws and regulations applied. prerequisite for that is function-separation principle reducing the risk of fraud. Efficiency of an internal control system is a process where the objective is to have a reasonable assurance that all of the organisation's objectives shall be achieved. internal control may only be executed upon a precondition that the two aspects below are met by the organisation concerned: 1. Objectives of internal control system include: r r r r r finding out any deficiencies. clear and unambiguous role separation between employees of the unit concerned. 
Management involvement plays a crucial role when introducing rules of ethics in public organisation. workplaces) management co-involvement in control system verification transparency of standards used for organisation management . competent and coherent staff shall mean that employees are honest and adhere to the ethics within the organisation which is a crucial factor for assessing the internal control environment. Regardless of quality of procedures established. Assessment Effectiveness of Internal Control System Internal control is the process identified to ensure adequately that the specific objectives are achieved in the field of accountability.

Furthermore. guarantee stability (reliability) of financial conditions and adherence to legislation. its efficiency shall mean a state in a given moment in time. has to be responsible for any of the problems at work. duration or magnitude of audit procedures to be focused on control mechanism. Following should be taken into account by the Auditor/inspector: r r r r r any potential mistake which may occur control procedures which may be of a preventive nature or to detect the mistakes whether or not control procedures have been established any shortcomings of control system established leading potentially to mistakes effects of such shortcomings affecting the scope. The role of an Internal Auditor/inspector is to asses all components of internal control as follows: . Staff. any non-permitted deviations from standard or breach of legislation or activities concept to be communicated.GOVERNMENT OF UGANDA INTERNAL AUDIT & INSPECTION MANUAL Objective of the internal control system is to detect any deviations from the goals set by organisation and minimise any potential “surprise”. Since internal control system is a process. Questionnaire should be structured in such a way that a negative response indicates any potential shortcoming of the control system verbal description of a control system flow chart Following is the crucial knowledge of an Internal Auditor/inspector in this context: r r r r r r r r r r r knowledge about control system of an organisation knowledge about risks and risk management internal audit procedures and techniques familiarity with information technologies resource management knowledge about organisation and its activities strategy management managerial procedures familiarity with the environment in which the organisation concerned opera tes financial management social patterns effective in the given time period. All employees play some role in activities control. 
Methods applicable for evaluation of internal control system include: r r r questionnaire regarding internal control system (see Annex 1). In the framework of internal control system anybody in the organisation has responsibilities. Within the overall system audit execution one of the crucial aspects is to evaluate internal control system. control enables management to face any potential risks within speedy development of economic environment and competition. at large. resource spending and way of how their particular work is carried out.

collected and forwarded in an appropriate form and deadline enabling thus every employee to fulfill his/her responsibility. flowing to all of managerial levels through all units and departments including both. how to manage effective communication with the third party. can hardly help to achieve the objectives set. It constitutes a basis for all other components including structure and discipline. However. Preliminary condition of assessment is to identify objectives at different levels and in their mutual links. What cannot be achieved by internal control: r r success of an organisation is guaranteed by a control. itself. i. Within the information systems messages are created containing operative information. changes in the Government policy or economic environment may remain beyond the scope of management control. On the other hand.e. to the higher levels and also. however. ethic values and capabilities of staff. it can only provide a reasonable certainty. way of how employees are organised and developed professionally risk assessmen t: any organisation is to face a range of external and internal risks that have to be assessed. not an absolute one! Success opportunities are subject to limitations inherent to any of the internal control systems. it can not ensure that a poor manager changes to a good one! Similarly. They assist in assuring that tools necessary for risk control are really applied in link with achieving the organi sational objectives information and communication –where information has to be identified. financial data and data on meeting the standards which enable to manage and control activities in a suitable manner. Risk assessment shall mean that relevant risks are identified and analysed to achieve the objectives and shall be used as a basis for identification of a way how such risks are to be managed control activity shall mean procedures assisting in meeting the management instructions. 
control.GOVERNMENT OF UGANDA INTERNAL AUDIT & INSPECTION MANUAL r r r r control environment setting the way of operation of an organisation and determining employees' relationship to control. way of delegating powers and responsibilities. There must be a sharing efficient in a broad sense. However. bottom-up and top-down flows. Control may provide information for managemen t regarding the overall development of organisation to achieve the objectives. Information systems do not work with information only that has originated within the organisation concerned but with the information also referring to the external events. Employees have to understand what their respective roles are. . at least it ensures that the basic objectives are achieved or an organisation sustains. Control environment factors include integrity. Internal control can not ensure success neither sustainability of an organisation reliability of financial information and compliance with relevant legislation is ensured by control. in the internal control system and what their individual activities are. management philosophy and style. activities or conditions relating to decision-making and for information sharing with the third party as well. it is necessary to use the tools for transfer of important information up. Such limitations include an undeniable fact that any effort which decisions are based on may be wrong and may lead to failures due to mistakes or errors made. in common with the work of others.


Internal control is not made up of one single event or circumstance; it comprises
several actions covering all activities of an organisation. Such actions are present
everywhere and are independent from management.
Management processes implemented within an organisation and their functions are
co-ordinated by management process phases including:


Internal control shall be a part of the processes above and shall be integrated in
them, assisting their adequate operation, monitoring and applicability at any time. It
shall be a helpful management tool; however, it shall not replace management.
The internal control system is linked with the operative activities of an organisation.
Internal control shall be much more efficient if it is included in the infrastructure of
an organisation and thus constitutes part of its core. It must be incorporated not only
formally. The inclusion of internal control may directly affect the ability of an
organisation to achieve its objectives and at the same time support its initiatives
from the quality perspective.
Considering the control concept the objectives are classified as follows:
1. Efficiency and effectiveness of operations - shall mean that resources to protect
property (assets) shall be assessed and economy and efficiency of resource
spending evaluated.
2. Reliability of financial statements – shall mean assessment of reliability and
integrity of financial and operational information.
3. Compliance with valid legislation and regulations – shall mean that systems to
ensure compliance with main principles, regulations, etc. shall be assessed.
Internal Control Assessment
Justification of assessment by an internal auditor/inspector


· no audit of operations that would be really “detailed” can be conducted, nor can a
sufficiently representative sample of such operations be taken, except for very
small organisational units
· an opinion that “all” entries have been made in the accounting books cannot be
given without relying on internal control procedures
· some of the verification tests of operations can only be conducted if an internal
auditor/inspector adopts procedures enabling him/her to assess the correctness of
the documents “demonstrated” which may be presented to him/her
· managerial employees cannot verify by themselves that relevant procedures and
decisions have been applied
· many of the procedures which are not of a strict accounting nature contribute to
the reliability of financial statements




· the quality of budgetary control and management control shall be enhanced by
reliable internal control
· in the field of on-going monitoring and management of the liabilities and
commitments of an organisation, the continuity of an operation can be assessed by
an internal auditor/inspector through efficient management tools
· on-going monitoring and collection of reliable information on liabilities received
regarding expenditures shall make it possible to control the continuity of costs
accounted in the last month of an accounting period and thus to confirm the correct
separation of the respective accounting periods
· the quality of information beyond the accounting information (reports, business
records, various records, statistics, etc.) shall enable an internal auditor/inspector
to become assured in his/her understanding of the economic conditions of an
organisation as it results from the analysis of accounts.

Assessment Criteria
Assessment has to be conducted in phases:

· acquaintance with procedures – this does not mean a detailed or complete
description of the procedure examined, but finding out the main elements to be
identified as those contributing to audit reliability or those which, on the other
hand, represent weaknesses. Relatively standard elements encountered in most
organisations or boards of directors can be included. For instance, in the field of
order processing it is necessary to verify whether or not the following assignments
have been separated thoroughly:



· procedure descriptions – a description available within an organisation should
preferably be used, such as:
– detailed description
– flow chart

The following has to be taken into account in system description:

– reliable partners for discussions, who are familiar with the procedures to be
verified, have to be selected
– too much detail has to be avoided, as more time is needed to produce such a
description, which may become a barrier to acquiring a sufficient overview of the
matter

However, detailed description may be necessary:

– for the purpose of activities or a comprehensive part of activities
– to meet the objective of a board of directors to have a model of its procedures
available, for instance for informatisation, mainly if such information refers to
information systems that are common to several boards.


In practice, it is a matter of:



– elaborating a schematic and brief description of a procedure (list of main
participants and description of their respective assignments)
– a description of the key elements of the procedure, which may be identified by
reflecting on the related risks and through an internal control questionnaire where
the auditor/inspector's statements (responses to the questions in the
questionnaire) referring to the procedure under examination shall be recorded

· compliance or understanding tests – these make it possible to verify that the
procedures and key elements established have been understood. The tests include:
– tests of link-up and sequence, to track the whole course of a procedure on some
selected operations
– specific tests focused on particular procedural elements which are not clear
– return to the employees concerned, by describing their respective operations and
asking them to provide an explanation. The advantage of such a procedure is its
simplicity and the involvement of more employees which, in the end, provides a
guarantee that no element is neglected or forgotten.

Audit of Operations
This type of audit action can be described as a formal and systematic verification
conducted by qualified professionals to identify to what extent an auditee
accomplishes the particular objectives set by management and to find room for
improvement. Therefore, within the audit of operations an in-depth study of an auditee
is to be conducted, focused either on a particular department and function or on
activity, methods, systems and utilisation of equipment and human resources.
The objective is to assist management to achieve more efficiency by detecting
defects or irregularities and recommending appropriate measures, which must be
feasible in the context of the organisation's objectives and policy.
Audit of operations must be an independent and objective exercise implemented by
staff specialised in the field of audit, and according to the goals set before. It may be
a survey of sets of auditee's activities or functions, and/or part of them, while the
current level of internal control and adequacy of procedures and systems applied in
an audited area are being verified.
Comparison of audit of operations with financial audit
There are many similarities between financial audit and audit of operations. In
essence, both represent a need to express an opinion that is duly backed, based on
facts detected, and formulated from a position which does not depend on the
auditee's functional structure. Within an Internal Audit, methods and procedures are
assessed from the perspective of compliance with some requirements and principles,
not from the perspective of the person concerned.
Financial audit and audit of operations frequently meet in using accounting as an
information and verification resource. What distinguishes these two audits is
the objective.


Financial Audit – is to verify the authenticity and accuracy of operations and their
compliance with the organisation's standards and policy set. It seeks a coherent
(rational coherence, mutual links) approach of internal control to ensure the integrity
of the auditee's assets.
Audit of Operations – is to improve management of the audited areas. Therefore its
role is to point out any shortcomings preventing proper activity and to produce
recommendations for their remedy in order to reach an improved situation.
Financial audit programme (plan) is standardised. It includes audit objectives and
internal control questionnaires necessary to collect basic information so that the
program components are accomplished gradually.
In the case of an audit of operations it is necessary to compile, for each of the areas
or functions audited, a specific programme (plan) according to the auditee's
characteristic features and its internal policy. When a financial audit detects a failure
to comply with some accounting standards or principles, its immediate
recommendation has to point out the obligation to comply. Recommendations
formulated within an audit of operations are not mandatory, as they do not result from
principles whose adoption is obligatory and are backed only by rational contemplation
and common sense. Recommendations referring to a failure to comply with
standards and management instructions are the only exception. During this type of
audit the Auditor/inspector has to be very creative to verify situations from the
management perspective.
Under this perception of the audit of operations, the internal audit workplace actually
becomes the “extended arm” of management, which has authorised the
auditor/inspector to carry out his/her work.
Any audit of operation may only be implemented if its methodology and requirements
are known.
Internal auditors/inspectors conducting an audit of operations have to know the principles
and rules of financial management and should possess accurate and
comprehensive knowledge of the management of the auditee concerned. A quality audit of
operations can only be conducted by internal audit units that are equipped for it with
staff and a degree of independence, and that hold a respected and acknowledged
position.
The objective of this type of internal audit is to ensure that the systems,
processes and mechanisms of management function as well as possible. Therefore, all
units, including management, have to keep in mind that the elements of any system
gradually “wear out”, procedures may become obsolete and structures may be
affected by the ravages of time. An organisation can always be improved and enhanced.
The basic issue emerging during an audit of operations is a total lack of standard rules, procedures or programmes, as each organisation is different and has its own characteristic nature. The auditor/inspector, on the other hand, shall not be (and he/she does not even need to be!) an expert on every single field or activity audited. He/she has to rely on a systematic survey leading to his/her knowledge of specific activities, methods, procedures, systems, processes and control mechanisms in each of the areas, functions or departments to be audited.

The core of internal audit is related to the audit of operations, where the objective is to enhance the efficiency of organisations. Audit of operations is to verify whether or not an auditee carries out its activities properly, in a proper way, in a cost-effective manner, whether or not an auditee behaves in an ethical way and has responsible ..., etc.

Audit of operations shall be tied up with an analysis of:

efficiency and effectiveness – audit shall focus, for instance, on:
· an inconvenient organisational chart
· unnecessary actions or activities
· complicated information flow
· inappropriate working methods, etc.

economy – audit shall focus on:
· any wasting of resources and whether or not control mechanisms are in place to prevent it
· whether or not unnecessarily expensive equipment is used
· any wasting of labour force in units or at operations

objective achievement – audit shall focus on:
· level of achieving the objectives
· planning system to plan realistic objectives
· factors reducing the value of a result achieved.

Expanding the audit of operations would mean that the following factors also become subject of the auditor/inspector's interest:
· Equity – to assess results of operations in relation to the environment so that neither discrimination nor unfairness occurs – to work correctly
· Environment – to assess operations and their results in relation to the working and natural environment
· Ethics – to assess correct and moral behaviour of management and employees – to work morally.

Article 10
Information Technology Audit

10.0 Introduction

Information and technology that supports it represent the organisation’s most valuable assets. Dependence on electronic information and IT systems is essential to support critical business processes. In today’s rapidly changing environment, management have heightened expectations regarding IT delivery functions – management requires increased quality, functionality and ease of use, decreased delivery time and continuously improving service levels – while demanding that this be accomplished at lower costs.

Many Ministries, Government departments and processes, etc… are increasingly becoming computerised. The Ministry of Finance, for example, has implemented the Integrated Financial Management System (IFMS) to improve on the quality of financial management and decision making. Consequently, the success of the Ministry is more and more dependent on its IT system/s, since failure of its IT system may result into failure of the business as a whole.

There are numerous changes in IT and its operating environment that emphasise the need to better manage IT related risks. Additionally, the regulatory environment and best practices call for stricter control over information and IT due to the increasing disclosures of information system disasters and increasing electronic fraud. The management of IT related risks is now considered as a key part of an organisation’s governance.

The Integrated Financial Management system is a good example of process automation. Specifically, it replaces manual processes and controls (checks and balances) with programmed ones. Automation, however good, comes with specific risks. If the organisation’s core business processes are automated, then it is as good as its IT. These risks place a great responsibility on management, internal and external auditor/inspectors and staff to continuously monitor automated processes and manage such risks.

The major concern that all auditor/inspectors must bear in mind before undertaking any audit assignment is that of risk. The issue is therefore to consider the risk to the organisation associated with the use of Information Technology (IT). All audit findings must take into account the level of risk to the business associated with the finding/s. The onus is on the internal auditor/inspector to plan and adequately review IT systems in use and report to management on IT risks and how to mitigate them. The key issue is to understand IT best practices and the organisations’ business environment. Conversely, the Internal Auditor/inspector must understand the organisation’s business environment and plan the audit accordingly.

This chapter discusses a simple approach for auditing in an IT environment, covering key areas of audit planning, risk assessment and reporting, step-by-step IT audit procedures, processes and controls.

Internal auditors/inspectors should ask the following questions.
· What do we mean by IT controls?
· Why do we need IT controls?
· Who is responsible for IT controls?
· When is it appropriate to conduct IT controls?
· Where exactly are IT controls applied?
· How do we perform IT control assessments?

The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. The internal auditor/inspector’s role in IT controls begins with a sound conceptual understanding and ends with providing the results of risk and control assessments. Internal auditors/inspectors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization’s opportunities, uses, dependencies, strategies, risks, and requirements change.

10.1 Understanding IT Controls

Internal control is defined as: “A process, effected by an organization’s board of directors, management, and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the categories below.
· Effectiveness and efficiency of operations
· Reliability of financial reporting
· Compliance with applicable laws and regulations.

IT controls include those processes that provide assurance for information and information services and help mitigate the risks associated with an organization’s use of technology. The controls range from written corporate policies to their implementation within coded instructions, from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them, and from automatic edits to reasonability analysis for large bodies of data.

10.1.1 Control Classifications

Controls are classified to help understand their purposes and how they fit into the overall system of internal controls. Understanding of the classification will help the auditor/inspector in answering questions like,
· Are the detective controls adequate to identify errors that may get past the preventive controls?
· Are corrective controls sufficient to fix the detected errors?

The following are the classifications of IT controls.

1) General Controls (Infrastructure controls)
This applies to all systems components, processes, and data for Ministry of Finance. General controls include,
· Information security policy
· Administration, access, and authentication
· Separation of key IT functions
· Management of systems acquisition and implementation
· Change management
· Backup
· Recovery and business continuity

2) Application Controls
These are concerned with the scope of individual business processes or application systems. Application controls include,
· Data edits
· Separation of business functions (e.g. transaction initiation versus authorization)
· Balancing of processing totals
· Transaction logging
· Error reporting

Controls are further classified as,

a) Preventive Controls
These prevent errors, omissions, or security incidents from occurring. They include,
· Access controls that protect sensitive data or systems resources from unauthorised people
· Antivirus software
· Firewalls
· Intrusion prevention systems

b) Detective Controls
These detect errors or incidents not curtailed by the preventive controls. They include,
· Identifying account numbers of inactive accounts
· Identifying accounts that have been flagged for monitoring of suspicious activities
· Monitoring and analysis to uncover activities or events that exceed authority limits

c) Corrective Controls
These correct errors, omissions, or incidents that have been detected. They include,
· Simple correction of data entry errors
· Identifying and removing unauthorized users or software from systems or networks
· Recovery from disruptions or disasters

To simplify correction, it is more efficient to prevent errors or detect them as close as possible to their source. The controls should also be subject to detective and preventive controls, because they represent another opportunity for errors, omissions, or falsification.

10.1.2.1 IT Controls

1) Policies
Clear policy statements regarding all aspects of IT should be devised and approved by management, and communicated to all staff. Examples of IT policy statements include,
· A general policy on the level of security and privacy throughout Ministry of Finance. This should be consistent with all relevant national and international legislation and should specify the level of control and security required depending on the sensitivity of the system and data processed.
· A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.
· Clear distinction of the parties with the authority to originate, modify, or delete information.
· Personnel policies that define and enforce conditions for staff in sensitive areas. This includes having employees sign agreements accepting responsibilities for the required levels of control, security, and confidentiality. This policy also includes related disciplinary procedures.
· Definitions of overall business continuity planning requirements. The policy should ensure that all aspects of the business are considered in the event of a disruption or a disaster.

2) Standards
Standards enable the organization to maintain the whole operating environment more efficiently. There should be standards on issues like:
· Systems Development Process
This looks at the processes for designing, developing, testing, implementing, and maintaining systems and programs.
· Systems Software Configuration
Systems software provides a large element of control in the IT environment. The way operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.
· Applications Controls
All applications that support business activities should be controlled.
· Documentation
Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centres.

3) Organization and Management
Issues to look at include,
· Separation of duties
This is a vital element of many controls. The structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorising, inputting, processing, and checking data should be separated so that no individual can both create an error, omission, or other irregularity and authorize it or obscure the evidence.

4) Physical and Environmental Control
All equipment must be protected. This includes servers and workstations that allow staff access to the applications. Some physical controls include,
· Locating servers in locked rooms to which access is restricted.
· Restricting server access to specific individuals.
· Providing fire detection and suppression equipment.
· Housing sensitive equipment, applications, and data away from environmental hazards like low-lying flood plains or flammable liquid stores.

Under this, serious consideration should be put on contingency planning. Questions to ask include,
· What will the organization do if there is a fire or flood, or if any other threat manifests itself?

· How will the organization restore the business and related IT services to ensure normal processing continues with minimum effect on regular operations?

5) Systems Software Controls
Through system software products, application systems and users are able to use the organization’s IT equipment. Software products include: operating systems like Windows, Linux, firewalls, antivirus products, and database management systems like Oracle. The following controls should be in a well managed IT environment.
· Access rights allocated and controlled according to MOF’s stated policy
· Division of duties enforced through systems software and other configuration controls
· Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored
· Intrusion testing performed on a regular basis
· Encryption services applied where confidentiality is a stated requirement
· Change management processes

6) Systems Development and Acquisition Controls
All applications should perform only those functions the user requires in an efficient way. By examining application development procedures, the auditor/inspector gains assurance that applications work in a controlled manner. The following basic control issues should be evident in all systems development and acquisition work.
· User requirements should be documented and their achievement should be measured.
· Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.
· Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.

7) Application-based Controls
Application controls should be the priority of every internal auditor/inspector. All internal auditors/inspectors should be able to evaluate a business process and understand and assess the controls provided by automated processes. The objective of internal controls over application systems is to ensure that,
· All input data is accurate, complete, authorized, and correct.
· All data is processed as intended
· All data stored is accurate and complete
· All output is accurate and complete
· A record is maintained to track the process of data from input to storage, and to the eventual output.

Some of the controls expected to be found in any application include,
· Input Controls - These check the integrity of the data entered into the IFMS application. Input is checked to ensure that it remains within the specified parameters.
· Processing Controls - These provide automated means to ensure processing is complete, accurate and authorized.
· Integrity Controls - These monitor data in process and/or in storage to ensure that data remains consistent and correct.
· Management Trail (Processing History Controls) - These enable the tracking of transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.

8) Baseline IT Controls
These are the basic set of controls that need to be in place in order to provide a fundamental level of IT security. Baseline controls are most widely applicable to all IT infrastructures. Some of the questions to be considered when selecting a suitable set of baseline controls include,
· Do IT policies exist?
· Have responsibilities for IT and IT controls been defined, assigned, and accepted?
· Are IT infrastructure equipment and tools logically and physically secured?
· Are access and authentication control mechanisms used?
· Is antivirus software implemented and maintained?
· Is firewall technology implemented in accordance with policy?
· Are change and configuration management and quality assurance processes in place?
· Are structured monitoring and service measurement processes in place?
· Are specialist IT audit skills available (either internally or outsourced)?

10.1.2.2 Control Weaknesses In IT Systems
· Lack of formal IT planning mechanisms with the result that IT does not serve the ministry’s pressing needs or does not do so in a timely and secure manner.
· Lack of formal security policies resulting in a piecemeal or ‘after-an-incident’ approach to security
· Inadequate program change control leaving software vulnerable to unauthorized changes
· Little or no awareness of key security issues and inadequate staff to address the issues
· Failure to take full advantage of all security software features like selective monitoring capabilities, enforcement of stringent password rules, and review of key security reports.

· Inadequate user involvement in testing and sign-off for new applications resulting in systems that fail to meet user functional requirements or confidentiality integrity.
· Virus definitions that are not kept up to date
· Failure to formally assign security administration responsibilities to staff that are technically competent, independent, and report to senior management.

10.1.2.3 Monitoring IT Controls

Management is responsible for monitoring and assessing controls. Management’s control monitoring and assessment activities should be planned and conducted within several categories like, ongoing monitoring and special reviews. The internal auditor/inspector’s monitoring and assessment are performed to independently attest to management’s assertions regarding the adequacy of controls.

10.2 Internal Auditing Role in relation to IT

This involves the following,
· Advising the audit committee and senior management on IT internal control issues
· Ensuring IT is included in the annual audit plan
· Ensuring IT risks are considered when assigning resources and priorities to audit activities.
· Defining IT resources needed by the internal audit department, including specialized training of audit staff.
· Ensuring that audit planning considers IT issues for each audit.
· Liaising with audit auditees to determine what they want or need to know
· Performing IT risk assessments
· Determining what constitutes reliable and verifiable evidence.
· Performing IT enterprise-level control audits.
· Performing IT general control audits.
· Performing IT application controls audits.
· Performing specialist technical IT control audits.
· Making effective and efficient use of IT to assist the audit process.
· During systems development or analysis activities, operating as experts who understand how controls can be implanted and circumvented.
· Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.

10.3 Common IT Process Controls

This Appendix includes illustrative IT Process controls that are commonly used. They are not intended to be checklists for identifying controls over the IT processes, nor are they intended to be considered exhaustive lists of potential controls over the IT processes. These lists are intended for use as a guide for discussions between the engagement team and auditee personnel. The absence of one or more of these controls does not necessarily mean that the auditee’s controls are ineffective. The evaluation of the effectiveness of controls over an IT process is considered within the context of all of the controls in place over that process.

10.3.1 Acquisition, Implementation, and Maintenance of IT Solutions

Below is a listing of common controls over the IT process of Acquisition, Implementation, and Maintenance of IT Solutions.
· The auditee has formal policies and procedures in place that define its approach to systems acquisition and change management (e.g., a formal systems development methodology).
· User department and IT department management approval is required before systems acquisition and/or change projects are undertaken.
· Project documentation that includes systems requirements definitions, risk analyses, and cost-benefit analyses is maintained.
· The auditee’s systems acquisition and change approach addresses security risks.
· The auditee’s systems acquisition and change approach addresses data conversion.
· Environments (either logical or physical) separate from production systems exist for development (or modification) and testing of IT solutions.
· End users are actively involved in the test process.
· Management must review and approve IT solutions prior to their implementation.
· Development personnel are prohibited from migrating applications and data from the test environment to production.
· Post-implementation review procedures are performed for any system modifications made during an emergency.

10.3.2 Delivery and Support of IT Solutions

Below is a listing of common controls over the IT process of delivery and support of IT solutions.
· The auditee has formal policies and procedures in place that define its approach to system security (including confidentiality of data and information).
· A mechanism is in place for communicating security policy to employees (e.g., requiring users to sign an acknowledgement that they have read and understood the auditee’s security policies).
· There is a mechanism in place for the periodic review of the service organization’s operational and control effectiveness.

· A security organization exists that is independent of both the user departments and other IT department functions.
· IT department personnel do not have operational or accounting responsibilities.
· Physical access to technology infrastructure is restricted.
· Appropriate user department and IT department management controls access to the following:
- Applications and application modules.
- Local and wide area networks.
- Internet/intranet sites.
- Remote connection to networks and/or applications.
· The following user account security parameters are in place:
- Users are assigned unique accounts.
- Users created their own passwords (e.g., passwords are not assigned).
- Adequate passwords are required (e.g., minimum and maximum password length, non-alphabetic characters, upper and lower case alphabetic characters).
- Periodic password changes are required.
- Measures are in place to prevent the repeated use of a password.
- User accounts are disabled after a limited number of unsuccessful logon attempts.
- Users are limited to one session per account (e.g., concurrent sessions or logons are not allowed).
- Administrator rights are assigned to a limited number of individuals who require those rights to perform their job duties.
· Communications with public networks are controlled by a firewall. The firewall is implemented to:
- Hide the structure of the auditee’s network.
- Provide an audit trail of communications with public parties.
- Generate alarms when suspicious activity is suspected.
- Defend itself and/or the auditee’s network against attack.
· Access to internal networks and/or applications by suppliers, customers, and/or other business partners is approved by appropriate management and limited to those networks and/or applications required for the conduct of business.
· Representatives of suppliers, customers, and/or other business partners are required to adhere to the auditee’s policies, procedures, and security standards when accessing the auditee’s systems.
· Procedures for protection against malicious programs are in place through the use of anti-virus software and other measures (which may include policies limiting the installation of unapproved programs, procedures for reporting suspected occurrences of viruses, etc.).

Below is a listing of common controls over the IT process of Monitoring IT Solutions.
· Management acts on recommendations provided by independent performance assessments (e.g., Internal Audit reports).
· Policies and procedures are revised (in a timely manner) to reflect organizational and/or operational changes in the business.
· Control effectiveness of service organizations is periodically reviewed. (For example, the auditee may conduct an audit or request of the service organization.)
· Security settings and parameters are periodically reviewed for compliance with organizational standards. 1
· The auditee has formal policies and procedures in place concerning the update and/or removal of systems access rights to employees who change job duties or leave the company.
· User department and IT department management periodically review each significant system and application for unauthorized user accounts.
· Activities of systems administrators and other privileged users are logged and frequently reviewed.
· Processing errors and access violations are logged. These logs are routinely reviewed and follow-up is performed for any unusual or unexpected items appearing in the logs.

1 These controls may be identified while we gain an understanding of the other IT processes.
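
The user account parameters and access reviews listed above can be tested with a computer assisted audit technique run over a system-generated user report. The Python script below is an added example, not part of the manual: the report layout, role names, HR roster, security parameter names and baseline thresholds are all assumptions constructed for illustration, and it flags ownerless accounts, accounts of staff no longer on the roster, inactive accounts, conflicting initiate/authorise rights, IT staff with accounting roles, and weak password or lockout settings.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the manual): a system-generated user report,
# the current HR roster, and the application's security parameters.
USER_REPORT = """account,owner_id,roles,enabled,last_logon
jokello,E101,initiate_payment,yes,2024-05-28
anamara,E102,authorise_payment,yes,2024-05-30
pmukasa,E103,initiate_payment;authorise_payment,yes,2024-05-29
sysadm1,E104,admin,yes,2024-05-31
sysadm2,E105,admin;authorise_payment,yes,2024-05-20
bkato,E106,initiate_payment,yes,2023-11-02
tssali,E107,view_reports,yes,2024-05-15
cashier,,initiate_payment,yes,2024-05-31
rlule,E108,view_reports,no,2023-01-10
"""
HR_ROSTER = {  # owner_id -> department of staff currently employed
    "E101": "Accounts", "E102": "Accounts", "E103": "Accounts",
    "E104": "IT", "E105": "IT", "E106": "Accounts",
}
SECURITY_PARAMETERS = {
    "min_password_length": 6, "password_history": 0, "max_password_age_days": 90,
    "lockout_after_failed_logons": 0, "allow_concurrent_sessions": True,
}
# Assumed thresholds; an auditor would take these from the auditee's own policy.
BASELINE = {"min_password_length": 8, "password_history": 1,
            "max_password_age_days": 90, "max_inactive_days": 90, "max_admins": 2}
CONFLICTING_ROLES = {"initiate_payment", "authorise_payment"}
BUSINESS_ROLES = {"initiate_payment", "authorise_payment"}


def review_accounts(report_csv, roster, as_of):
    """Return a sorted list of (account, finding) pairs for enabled accounts."""
    findings = []
    admins = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["enabled"] != "yes":
            continue  # disabled accounts cannot be used to log on
        acct, owner = row["account"], row["owner_id"]
        roles = set(row["roles"].split(";"))
        if not owner:
            findings.append((acct, "no named owner (shared or generic account)"))
        elif owner not in roster:
            findings.append((acct, "owner not on HR roster (leaver or transfer)"))
        idle = (as_of - date.fromisoformat(row["last_logon"])).days
        if idle > BASELINE["max_inactive_days"]:
            findings.append((acct, f"inactive for {idle} days"))
        if CONFLICTING_ROLES <= roles:
            findings.append((acct, "can both initiate and authorise payments"))
        if roster.get(owner) == "IT" and roles & BUSINESS_ROLES:
            findings.append((acct, "IT staff holding an accounting role"))
        if "admin" in roles:
            admins.append(acct)
    if len(admins) > BASELINE["max_admins"]:
        findings.append(("*", f"{len(admins)} administrator accounts exceed limit"))
    return sorted(findings)


def review_parameters(params):
    """Compare security parameters with the baseline; return failed settings."""
    failed = []
    if params["min_password_length"] < BASELINE["min_password_length"]:
        failed.append("min_password_length")
    if params["password_history"] < BASELINE["password_history"]:
        failed.append("password_history")  # password reuse is not prevented
    if not 0 < params["max_password_age_days"] <= BASELINE["max_password_age_days"]:
        failed.append("max_password_age_days")
    if params["lockout_after_failed_logons"] <= 0:
        failed.append("lockout_after_failed_logons")  # 0 means never locked
    if params["allow_concurrent_sessions"]:
        failed.append("allow_concurrent_sessions")
    return failed


if __name__ == "__main__":
    for account, finding in review_accounts(USER_REPORT, HR_ROSTER, date(2024, 6, 1)):
        print(f"{account:10} {finding}")
    print("Failed parameters:", review_parameters(SECURITY_PARAMETERS))
```

Each finding is a lead for follow-up with the system administrator and the user department, not a conclusion on its own.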

The following guidelines provide a step-by-step procedures which the Internal Auditor/inspector may follow when undertaking an audit of information systems. IT risks faced by MOF and the quality of service provided by its users. and as sess the extent of au tomation · Establish whether the organisation has policies. The Auditor/inspector shall: (i) Determine the audit objective/s (ii) Conduct a preliminary survey · Ascertain the organisations core processes and operations. [Lack of policies . and whether they have been communicated to ALL employees. manual processes and IT applications.4 Risk Considerations in Determining the Adequacy of IT Controls The chosen IT controls must add value to the organization by reducing risk efficiently and increasing effectiveness. Control Characteristics to Consider Some of the issues to be add ressed during the IT control evaluation process include.6 The IT Audit Procedures The Auditor/inspector must identify the principal audit risks so as to develop an appropriate audit strategy in the overall audit plan. In considering the adequacy of IT controls with MOF’s internal control framework. Harmful IT incidents in the past 24 months. procedures and guidelines in respect to both automated. Ministry of Finance’s risk appetite and tolerance for each function and process. · Is the control effective? · Does it achieve the desired result? · Is the mix of preventive. The appropriate IT controls and the benefits they provide.5 The value and criticality of information. determine whether they are automated.GOVERNMENT OF UGANDA INTERNAL AUDIT & INSPECTION MANUAL 10. The IT auditor/inspector must therefore gain a thorough understanding of the IT environment prior to planning the audit. and which steps are expected to be taken? · Is evidence retained (audit trail)? 10. the internal auditor/inspector should consider the processes established by management to determine: · · · · · · 10. detective and corrective controls effective? 
· Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures. The complexity of the IT structure.

Audit Software (used for substantive procedures) or Test Data (used for testing controls). Identify the standards and best practices against which the organisation’s IT systems can be benchmarked. · If the policies and procedures exist. the auditor/inspector shall obtain an understanding of the significance and complexity of the IT activities and the availability of data for use in the audit. etc… this helps to determine the appropriate CAATs and BEASTs to use. CoBIT . IT system and the related business process relevant to financial reporting. auditing and IT standards – for example. the Auditor/inspector must ensure that they are up-to-date. the Organisation’s own IT policy.– a code of practice for information security management. Report any inconsistency and advise accordingly · Understand the organisations hardware and software platforms. These are quiet a number and they include: accounting. 10. BEASTs (beneficial electronic analysis and support tools) and audit tools to use i. ISO 17799 – the international standards on security. The auditor/inspector may consider the following issues at this stage of the audit: (a) Undertake all those procedures that may enable obtaining an understanding of the entity and its environment. The Auditor/inspector must thereafter benchmark the policies and procedures against best practices. International Standards on Auditing (ISAs). (iii) Develop an audit program and budget (iv) Conduct field work and undertake audit tests (v) Determine findings and conclusions (vi) Communicate results to appropriate parties (vii) Follow up and review the extent of implementation of recommendations. OS/400/390.e. Identify whether the computing environment is Linux or LAN environment. Windows NT.7 Planning an IT Audit In planning an IT audit. 
including: - (b) Holding meetings with management and IT personnel Making inquiries of manageme nt and others within the entity Observing and inspecting the entity’s processes and operations so as to obtain the required understanding of the entity’s control environment. the Basel Accord on IT operational risk management guidelines.GOVERNMENT OF UGANDA INTERNAL AUDIT & INSPECTION MANUAL and procedures indicates a weak control environment and high control risk] – this helps the Auditor/inspector to plan and select the appropriate CAATs (computer assisted audit techniques).

4th Edition – Control Objectives for IT Strategic Management and any other known best practice in IT management and control.

(c) The auditor/inspector must consider the significance and complexity of computer processing in each accounting application. Significance relates to materiality of the financial statement assertions affected by computer processing. This may be considered complex, when for example:
· The volume of transactions is such that users would find it difficult to identify and correct errors in processing
· The computer automatically generates material transactions or entries directly to another application
· The computer performs complicated computations of financial information and/or automatically generates material transactions or entries that cannot be (or are not) validated independently
· Transactions are exchanged electronically with other organisations (as is the case with EDI systems) without manual review for propriety or reasonableness

(d) The organisational structure of the IT activities and the extent of concentration or distribution of computer processing throughout the organisation, particularly as these may affect segregation of duties.

(e) When conducting an IT systems review, the internal auditor/inspector shall obtain an understanding of the IT environment and whether it may influence the assessment of inherent and control risks. The internal auditor/inspector must be aware of the internal control characteristics and the nature of the risks in an IT environment. These typically include the following:
(i) Uniform processing of transactions and consistency of performance (In case of a system error, all transactions processed would be incorrect, unlike manual processing).
(ii) Lack of segregation of duties (where a staff member performs incompatible functions like receiving cash, authorising transactions and updating the system. This risk of fraud and error is increased in absence of proper segregation of duties)
(iii) Potential for errors and irregularities (potential for the IT staff (or other staff) to gain unauthorised access to data or to alter data without visible evidence)
(iv) Decreased human involvement in handling transactions processed by a CIS environment reduces the potential for observing errors and irregularities (an IT environment decreases the need for human involvement)
(v) Concentration of knowledge, programs and data (The IFMS, for example, all the financial information is kept in one server, this threatens the Ministry’s operations, if say, it got spoilt)
(vi) Automatically generated transactions (The IFMS system automatically generates reports and accounts)

(vii) Lack of source documentation and audit trail (computers do not show handwriting, so as to indicate who authorised what and when. Other controls (like access rights) show this, however, passwords can be cracked or copied – a policy is needed here too)
(viii) Ease of access to data and programs (it could be easier to tap into a network, or access the server from within in case of lack of security controls. Viruses and other spyware from the internet can easily find their way in)
(ix) Multiple files update (incorrect data input may incorrectly update all other accounts in the system)
(x) Vulnerability of storage media (Computer diskettes, memory chips and floppy disks may be vulnerable to risks of theft and loss in absence of a policy and proper access controls).

10.8 Risk Scoring System
An effective scoring system ensures that the risk-based IT audit program is successful. Auditor/inspectors need to develop written guidelines on the use of risk assessment tools and risk factors and review these guidelines with the audit committee. The guidelines should be used to assess major risk areas and to define the range of scores or assessments (e.g. groupings like low, medium, and high risk). The following are some of the major risk factors that should be considered.
· The adequacy of internal controls
· The nature of transactions
· The age of the application or system
· The nature of the operating environment (for example, changes in volume)
· The physical and logical security of information, equipment, and premises.

10.9 Application Audit Programme
This is a sample of the Application Audit programme that can be used by an IT auditor/inspector

Procedure    Working Paper Reference
1. Gain an understanding of the use of the application in the business area, including the key processes supported.
2. Identify the population of application users, including third parties, administrators and members of the IT department by obtaining a system-generated report of users and discussing the list with the administrator.

3. Gain an understanding of the user administration process. The process should include
· Authorisation for users’ access from an appropriate person.
· Identification of employees leaving the organization and revocation of their access.
· Periodic reviews of user access.
Administrators should not have operational responsibilities or be involved in processing transactions in the application, and the user administration process should be clearly documented.
4. Select a sample of users and confirm their access to the application has been appropriately authorised. For each member of the sample, confirm that the access assigned to him or her matches that authorised. Appropriateness of user access is tested under procedure 8.
5. Select a sample of leavers (including transfers) from the past 12 months and confirm that their access to the application has been revoked, deleted or amended (for transfers).
6. Verify whether periodic reviews of user access are performed and whether appropriate follow-up actions have been executed. These reviews should be evidenced. Using system reports, identify users whose accounts have been inactive for more than 30 days. For any such users confirm that they are valid employees with authorised access.
7. Gain an understanding of the method of adequately segregating duties [2] within the application, such that users are not capable of processing an entire transaction without independent authorisation. Assess whether there is a process in place for identifying incompatible functions and for ensuring access rights do not compromise the effective segregation of duties.

[2] An individual user should not be able to initiate, record, process and report a transaction independently. As well as preventing users from executing a transaction independently from initiation to reporting, there are also elements within a transaction or process that should be segregated. For example, it is recommended that users with the ability to create or amend vendor details not be involved in processing purchase orders, invoices or receiving goods to reduce the risk of fraud.
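The user access tests in this part of the programme (access that matches its authorisation, leavers whose access was not revoked, accounts inactive for more than 30 days, and incompatible functions held by one user) can be run over a system-generated user report. The Python code below is an added example and not part of the manual; the report layout, function names, incompatibility rules and all sample data are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample of a system-generated user report (not real IFMS output).
USER_REPORT = """user_id,employee_no,status,last_login,functions
akato,E101,active,2024-05-28,vendor_maintain
bmusoke,E102,active,2024-03-02,po_process
cnambi,E103,active,2024-05-30,vendor_maintain;po_process
dokello,E104,active,,invoice_process
eadmin,E105,active,2024-05-31,user_admin;invoice_process
fssali,E106,disabled,2024-01-15,goods_receive
"""

# Constructed HR list of leavers and transfers: employee_no -> effective date.
LEAVERS = {"E102": date(2024, 3, 15), "E106": date(2024, 1, 31)}

# Constructed access authorisations: user_id -> functions approved for the user.
AUTHORISED = {
    "akato": {"vendor_maintain"},
    "bmusoke": {"po_process"},
    "cnambi": {"po_process"},
    "dokello": {"invoice_process"},
    "eadmin": {"user_admin"},
    "fssali": {"goods_receive"},
}

# Assumed incompatibility rules, following the manual's own examples: vendor
# maintenance versus transaction processing, and administrators versus
# transaction processing.
TRANSACTIONS = {"po_process", "invoice_process", "goods_receive"}
INCOMPATIBLE = [({"vendor_maintain"}, TRANSACTIONS), ({"user_admin"}, TRANSACTIONS)]


def load_users(report_text):
    """Parse the user report into dicts with typed last_login and functions."""
    users = []
    for row in csv.DictReader(io.StringIO(report_text)):
        row["functions"] = set(filter(None, row["functions"].split(";")))
        row["last_login"] = (date.fromisoformat(row["last_login"])
                             if row["last_login"] else None)
        users.append(row)
    return users


def unauthorised_access(users, authorised):
    """Functions assigned in the system that the authorisation does not cover."""
    findings = {}
    for user in users:
        extra = user["functions"] - authorised.get(user["user_id"], set())
        if extra:
            findings[user["user_id"]] = sorted(extra)
    return findings


def leavers_with_access(users, leavers, as_of):
    """Leavers or transfers whose account is still active after the effective date."""
    return sorted(u["user_id"] for u in users
                  if u["status"] == "active"
                  and u["employee_no"] in leavers
                  and leavers[u["employee_no"]] <= as_of)


def inactive_accounts(users, as_of, max_days=30):
    """Active accounts not used for more than max_days, or never used at all."""
    return sorted(u["user_id"] for u in users
                  if u["status"] == "active"
                  and (u["last_login"] is None
                       or (as_of - u["last_login"]).days > max_days))


def sod_conflicts(users, incompatible):
    """Active users who hold both sides of an incompatible pair of functions."""
    return sorted(u["user_id"] for u in users
                  if u["status"] == "active"
                  and any(u["functions"] & left and u["functions"] & right
                          for left, right in incompatible))


def access_review(report_text, leavers, authorised, as_of):
    """Run all four tests and return the exceptions to follow up."""
    users = load_users(report_text)
    return {
        "unauthorised_access": unauthorised_access(users, authorised),
        "leavers_with_access": leavers_with_access(users, leavers, as_of),
        "inactive_over_30_days": inactive_accounts(users, as_of),
        "sod_conflicts": sod_conflicts(users, INCOMPATIBLE),
    }


if __name__ == "__main__":
    results = access_review(USER_REPORT, LEAVERS, AUTHORISED, date(2024, 6, 1))
    for test_name, exceptions in results.items():
        print(f"{test_name}: {exceptions}")
```

Each exception is a lead for enquiry rather than a conclusion: an inactive account, for instance, still has to be checked against the list of valid employees with authorised access.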

8. Gain an understanding of how users’ access rights are assigned (e.g. through the use of profiles, membership of groups). For a sample of users, profiles or groups (as applicable) evaluate whether the access assigned is appropriate for their role in the business. Identify users with access to sensitive or privileged transactions (including the ability to amend, reverse, cancel or delete transactions) or powerful access rights (including administrator rights). Confirm that users with such rights are appropriate. If applicable, gain an understanding of authorisation procedures and authority limits for key activities within related business processes, the corresponding transactions within the application used to initiate or control such activities and the users with access to them. Assess whether procedures and authority limits are appropriate and that only authorised users have access to amend them. If applicable, identify users with access to transactions identified as being key to elements of related business audit procedures and confirm that users with such rights are appropriate.
9. Gain an understanding of how users IDs are assigned to users. Users should be assigned unique user IDs. Identify the existence of any shared or standard IDs (e.g. guest, test) and assess the controls surrounding their usage. Investigate questionable IDs.
10. Gain an understanding of the password structure and usage within the application. Characteristics to identify include:
· Minimum/maximum password length (6-10 characters).
· Requirement for particular characters (e.g. numeric in addition to alpha characters).
· Password expiry (frequency of enforced change, e.g. every 30 to 90 days).
· Password history (to prevent reuse of old passwords).
· Password masking upon entry (i.e. passwords are not visible when entered).
· Account lockout after a given number of failed access attempts (three to five attempts), and
· Disabling of user IDs after a given period of inactivity (30 days).
Confirm whether any globally established password settings could be overridden at the user level.

11. Identify whether any audit logs are created relating to user activities, including:
· Unauthorised access attempts,
· Access to privileged functions (eg creation/deletion of users), and
· Alterations to security parameters.
If available, assess whether they are reviewed on a timely basis and appropriate follow-up actions taken. Review security logs to identify any apparent issues (e.g. repeated failed access attempts by a single user) and ensure they have been appropriately resolved.
12. Confirm that the changes to the application are managed under centrally established processes. Changes could include vendor patches, maintenance and internally initiated developments. If not, gain an understanding of procedures implemented for the changes:
· authorisation (e.g. that the change passes cost/benefit analysis),
· testing (e.g. that the change meets business requirements), and
· approval (e.g. that the change should be implemented).
13. Confirm that application data is subject to centrally managed backup procedures. If not, gain an understanding of the procedures implemented for the backing up and restoration of application data. Data should be regularly backed up (typically daily). Controls should be in place to ensure backups have been successful, are regularly tested and are stored securely offsite (i.e. separately from the application hardware).
14. Confirm that the hardware (e.g. server(s)) on which the application operates is centrally hosted by the IT department. If not, gain an understanding of the physical security controls around servers, terminals and workstations related to the application. Hardware should be physically secured from accidental or deliberate abuse. The environment in which the hardware operates should have appropriate environmental controls (e.g. fire detection and suppression, uninterruptible power supply, air conditioning).
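The security log review described above (unauthorised access attempts, access to privileged functions, alterations to security parameters, and repeated failed access attempts by a single user) can be automated once the log is exported. The Python code below is an added example and not part of the manual; the log layout, event names, the threshold of three failures and the ten-minute window are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log in an assumed "key=value" layout (not IFMS output).
SAMPLE_LOG = """\
2024-06-03T08:01:10 user=bmusoke event=LOGIN_FAIL
2024-06-03T08:01:25 user=bmusoke event=LOGIN_FAIL
2024-06-03T08:01:41 user=bmusoke event=LOGIN_FAIL
2024-06-03T08:02:02 user=bmusoke event=LOGIN_OK
2024-06-03T09:15:00 user=akato event=LOGIN_FAIL
2024-06-03T09:15:30 user=akato event=LOGIN_OK
2024-06-03T10:40:12 user=eadmin event=USER_CREATE target=tmpuser
2024-06-03T10:41:00 user=eadmin event=PARAM_CHANGE target=lockout_threshold
2024-06-03T13:00:00 user=cnambi event=LOGIN_FAIL
2024-06-03T16:30:00 user=cnambi event=LOGIN_FAIL
2024-06-03T23:59:00 user=cnambi event=LOGIN_FAIL
this line is malformed and must not stop the review
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)"
    r"(?: target=(?P<target>\S+))?$"
)
PRIVILEGED_EVENTS = {"USER_CREATE", "USER_DELETE"}  # creation/deletion of users
PARAMETER_EVENTS = {"PARAM_CHANGE"}                 # alterations to security parameters


def parse_log(text):
    """Return (events sorted by time, numbers of the lines that failed to parse)."""
    events, rejected = [], []
    for number, line in enumerate(text.splitlines(), 1):
        match = LINE_RE.match(line.strip())
        try:
            timestamp = datetime.fromisoformat(match["ts"]) if match else None
        except ValueError:
            timestamp = None
        if timestamp is None:
            rejected.append(number)  # unreadable entries are themselves a follow-up item
            continue
        events.append({"ts": timestamp, "user": match["user"],
                       "event": match["event"], "target": match["target"]})
    return sorted(events, key=lambda e: e["ts"]), rejected


def repeated_failures(events, threshold=3, window=timedelta(minutes=10)):
    """Map each user to the largest number of failed logins seen inside one window."""
    recent = defaultdict(list)
    flagged = {}
    for event in events:
        if event["event"] != "LOGIN_FAIL":
            continue
        times = recent[event["user"]]
        times.append(event["ts"])
        while event["ts"] - times[0] > window:  # drop failures older than the window
            times.pop(0)
        if len(times) >= threshold:
            flagged[event["user"]] = max(flagged.get(event["user"], 0), len(times))
    return flagged


def select(events, kinds):
    """List (time, user, event, target) for the event types of interest."""
    return [(e["ts"].isoformat(), e["user"], e["event"], e["target"])
            for e in events if e["event"] in kinds]


def review_log(text):
    """Collect the exceptions an auditor/inspector would trace to their resolution."""
    events, rejected = parse_log(text)
    return {
        "repeated_failures": repeated_failures(events),
        "privileged": select(events, PRIVILEGED_EVENTS),
        "parameter_changes": select(events, PARAMETER_EVENTS),
        "rejected_lines": rejected,
    }


if __name__ == "__main__":
    for finding, detail in review_log(SAMPLE_LOG).items():
        print(f"{finding}: {detail}")
```

In the sample, cnambi has three failures spread over a day and is not flagged, while bmusoke's three failures within a minute are; the window is what separates mistyped passwords from repeated attempts.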

15. Gain an understanding of the interfaces in place with other applications. Consider the need to identify and evaluate controls designed to ensure data passed between related applications is:
· complete (i.e. that all data sent is received), and
· accurate (i.e. that the data is not subject to unauthorised change during the interface process).
These controls might be programmed (e.g. header and footer records in interface files) or involve manual intervention (e.g. reconciliation of data from source application to destination).

10.10 Other Issues To Consider In the Audit Programme
§ Logical access controls relating to supporting operating systems, networks or databases
§ Physical security controls (including environmental controls and data centre procedures).
§ Controls over data input, output and processing (including transaction audit trails).
§ Continuity and availability procedures (including disaster recovery plans and documentation).
§ Physical access to computer facilities and data should be appropriately restricted. The auditor/inspector should consider the following points of focus:
· How is physical access to the site/building containing the computer facilities restricted?
· How is physical access to the room(s) containing the computers restricted?
· How well protected is removable media (such as off-line data storage)?
· How are confidential documents labelled and protected?
· To what extent has the organisation adopted a clear desk policy?
· How well secured is systems documentation?
· How secure is the disposal of discarded computer equipment and data media?
§ Recovery from operational failure. The auditor/inspector needs to ascertain that there is adequate back-up of information and that the procedure to deal with operational failures is effective. For back-ups, the auditor/inspector should focus on the following.
· Are backup procedures appropriate for data and programs?
· Are backups accurately logged and stored in a secure location?
· What ensures that backup and recovery procedures will work when required?
· Is data retained sufficiently to meet regulatory requirements?

an IT environment exists. It is unlikely that these processes would be manually operated) – as long as any computer is involved in the processing.GOVERNMENT OF UGANDA INTERNAL AUDIT & INSPECTION MANUAL There should be appropriate procedures to ensure that operational failures (e. water. (Note: A number of processes may exist in the finance department. implementation and 10.) For the finance department. from fire. each organisational department or process may be identified as an audit area. electromagnetic radiation)? To what extent is equipment being appropriately maintained? What controls are in place to prevent operational failures arising from hardware failure? How is the power supply to the computer facilities secured? What procedures are in place to ensure performance meets business needs? How are faults logged? What procedures are in place to resolve operational failures? · · · · · · o o o o o Anti-virus procedures. maintenance). smoke. where appropriate. Define the audit subject Explanation Example Identify the area to be audited. e. Software licenses. program amends. procurement and payments processing. and.g . chemicals. Determine the audit Identify the intention or purpose of the Examples of audit objectives could include: . and Change control (including application selection. 2. approved retrospectively by appropriate IT staff and users.g. disk drive problems. MIS and asset management. Audit subject: Finance Department in the Finance Ministry. which may further be classified into sub-audit areas. resolved in a timely manner. For example. Data privacy considerations.g. dust. vibration. Operational controls (including batch processing). the audit subject would be the Accounting and Stock Control System. other emergencies) are identified. It must not be used in lieu of an expert opinion and advice. 
The following are some of the points of focus for the auditor/inspector auditing this area: · To what extent is computer equipment appropriately sited or protected to prevent the risk of accidental damage (e. Action 1.11 Audit Methodology and Best Practices: Summary The following methodology may be used as a reference guide to help successfully undertake an audit in an IT environment. payroll processing.

This helps the auditor/inspector to plan the audit adequately. At this stage. and -Identify the sources · · · · · · Finance and accounting policy IT security policy Risk management policy Operational policies and procedures Functional flow-charts Standards.. change and maintenance -information security and internet use 3.g. For example. in the above systems backups’ example. EFT system etc…) or to a limited period of time. the accounting system. by ensuring that each asset. standards. Existence. · To determine whether business systems are adequately backed and that backup copies are held in a secure and remote media store. -Identify the appropriate CAAT tool/s to use. The auditor/inspector must then consider whether risks are of magnitude to result in material misstatement of the financial statements based on the degree the entity’s standards divert from best practices. processes or systems of the organisation to be included in the review. 4. · To ensure that assets. the auditor/inspector needs to obtain the entity’s The auditor/inspector must: -Identify processes/ assets/ facilities to be audited -Identify technical skills and resources needed. one may consider the use of CAATs (ACL.GOVERNMENT OF UGANDA INTERNAL AUDIT & INSPECTION MANUAL Action Explanation Example objective/s audit. Occurrence. · To determine that policies and procedures exist in respect to -data centre and network operations -software and hardware acquisition. liabilities and transactions are free from material misstatements. Valuation. Reasonable Measurement Presentation (COVER MP) assertions. based on the organisation’s IT platform. SQL. practices and procedures against best standard practices identified. liability and transaction meet the Completeness. payroll. X Ltd’s accounting system. Audit scope or extent This involves identification of specific functions.g. IDEA etc…) to do this. fiduciary and security requirements. . 
Pre-audit planning The auditor/inspector shall obtain an understanding of how the entity responds or has responded to the risks arising from IT. · To determine whether the company’s information meets the quality. the audit scope statement might limit the review to a single application system (e. The scope of the audit is usually limited to the 12 months period ended. The auditor/inspector has to benchmark the entity’s policies. E.





of information for test or review.

Depending on the results of the risk assessment, the auditor/inspector has to identify and select the audit approach to verify and test the controls or to undertake detailed tests of account balances and transactions relevant to the entity’s financial reporting objective/s (which are

· Review the policy documents
· Use audit tools, e.g. BEASTS, (CAATs which review data and those which review controls) to reduce the audit risk to acceptable levels (you may consider the use of a specialist) – examples of CAATs include IDEA, ACL, SQL. It is important to obtain professional advice prior to using CAATs.
· Analyse data and identify areas of risk. Evaluate whether identified weaknesses/risks could result in material weaknesses and fail the entity’s financial reporting objective/s.

6. Evaluate and review
Explanation: The auditor/inspector must review all the working papers and document findings. This is important for audit work quality control in line with ISA 220.
Example: The procedures for evaluating the test or review of results might be organisation specific. Each audit firm or internal audit department must have documented procedures for reviewing and evaluating audit results. The audit senior might re-perform the audit tests prior to signing off.

7. Prepare draft report and management
Explanation: A draft report detailing potential areas of risk has to be prepared, which must then be discussed with the auditee management before a final audit report is written.
Example: Whether the auditor/inspector’s opinion is qualified or unqualified, reasons for arriving at the opinion must be documented and explained to the auditee. Detailed analysis of weaknesses within the entity’s system is necessary. The auditor/inspector must also provide recommendations which may help mitigate the identified risks.

8. Prepare final audit report
Explanation: The final report may also contain a summary report of observations, risks recommendations, and auditee
Example: The final report may be submitted to senior management (because they make decisions and can implement the auditor/inspector’s recommendations and make a follow up).

5. Design audit and steps of
Assess the entity’s risk assessment and management process. Review the entity’s risk management policy. Determine how management identifies business risks relevant to financial reporting, estimates the significance of the risks and their likelihood of occurrence and how the risks are managed

9. Review and follow up
Explanation: It is important for the auditor/inspector to make a follow up so as to ascertain the extent to which the recommendations have been
Example: Follow up would help ease auditing exercise of the subsequent audit. This is good to both the auditor/inspector and the entity, as it would help reduce the amount of audit work and cost.
The above methodology is not conclusive. The auditor/inspector must continuously keep abreast of the latest changes in technology and be able to undertake real value adding audits.
10.12 Audit of the Integrated Financial Management System (IFMS)
The IFMS is organized according to modules. Each module has risks attached to it
and therefore the internal auditor/inspector has to apply different procedures
depending on the category being audited.

Journal Voucher Processing
This is the entering of journals manually or from sub ledger systems and other IFMS modules as input data into the General Ledger.

Control Objectives
· Only valid and authorized JVs may be entered into the GL

Control Questionnaire
Key control questions
· Are the journals posted timely from the subledgers?
· Are procedures in place to ensure that only authorised manual journals are posted to GL?
· Are some journal entries not in accordance with the Generally Accepted accounting principles?
· Do they result in material misstatement?

Audit Procedure
· Review documentation relating to the manual procedures concerning the preparation, submission and approval of manual JVs
· Export a list of journals whose source is manual (use the GL Journal enquiry
· Get a sample of the manual JVs and ascertain whether their purpose is clearly recorded and whether the authorized officer approved them
· Interview the HOA to ascertain whether he checks the accuracy of the JV
· Review the sample of journals online
· Download the posted General Journal report from the system
· Review the posted journal batches and the journals associated with each posted journal batch. (This will help you trace transactions back to the original
· Review journals posted from the sub ledgers using the drill down facility of GL
· Export the Trial Balance detail report. Analyze and identify accounts with significant balances. Use the account enquiry feature to investigate the corresponding journals.

General Ledger Set Up
Set up documentation helps to maintain the continuity of the set up parameters and to ensure that no unauthorized changes to the GL set up were made. The biggest risk here is unauthorised changes being made to the GL set up.

Control Questionnaire
Key control questions
· Is the suspense account posting allowed in IFMS?
· Is the journal approval feature enabled?
· Are procedures in place to ensure that all changes to the GL set up are authorized and
· Is there restriction and monitoring of changes to GL set up parameters, flex field security rules, and cross validation rules?

Audit Procedure
· Review documentation regarding the GL set up, segment qualifiers and cross validation rules.
· Ascertain that no unauthorised changes to the set up parameters have been
· Review the set of books documentation and also the options.

Chart of Accounts Maintenance
The process of maintaining the Chart of Accounts (CoA) includes functions like system maintenance of application control files, configuration of standard tables, user access and control issues, as well as defining currency, accounting periods and user parameters. Once the structure has been defined, it cannot be modified. The IFMS captures, stores, reports and controls all information and transactions at the Code Combination level. Only the Commissioner, Treasury Office of Accounts has Chart of Account value access.

Before any alteration/addition is made to the CoA, a valid request from an MALG, approved by the Accountant General, should be obtained. A paper trail of the request should be in existence.

Audit Procedure
· Review the documentation of procedures
· Review the new account code request forms
· Review documentation relating to the determination of the code structure by the DOB.
· Review evidence of approval of the new code by the AG

Purchasing Module Audit Procedures
The purchasing function has a number of sub-processes as shown below:
· Set up
· Creation of Supplier Master and Item Master
· Requisition
· Request for quotation
· Issuance of Purchase Order
· Receiving
· Invoicing
The purchasing module integrates with the GL module, Payables module and the Dossier.

Purchasing Control Objectives
· Laid down procedures are observed
· All purchases are authorised
· Procurements are as per work plan and in line with the Procurement Act
· Procurement of only valid goods and services
· Payments are made to only valid people for valid reasons
· No overpayment occurs
· No undue delays in making payments
· Making of purchases at approved rates
· Only approved vendors are used.

Monitoring Controls
· Fraud and wastage is minimised
· Reports are reviewed by management so as to give assurance that the procurements made accomplish the stated objectives
· Irregularities are detected, investigated and corrective action taken by

and the selection criteria used.5.4 Application Controls These include.5.5.12. Some important procedures include: inviting applications from suppliers. and validity of data entry to the master file.password Data file integrity controls Access controls 10.2 Controls over supplier master files data 10.12. No purchase can be made from a supplier not in the system.1 Control Objectives · · · Integrity of the supplier master should be protected A hard copy audit trail of the supplier approval process should be present Creation and maintenance of only valid suppliers/employees on the mas ter file 10. one for one check and edits Manual procedures should be in place and adhered to. This information is used when making Requisitions.12.5.12. · Supplier name · Tax payer ID · Tax registration Number 10.g. Supplier information recorded in the master file includes. a) Automated Controls The following are automatically enforced by the IFMS. approval process. accuracy.3 General IT Controls · · · IT security controls .0 Supplier Creation and maintenance Each ministry’s Head of Procurement has the rights to create and enter supplier information. E.GOVERNMENT OF UGANDA INTERNAL AUDIT & INSPECTION MANUAL 10. It should justify why a supplier was entered for a particular good or service. Procedure should be established to ensure the completeness.5.12. . Purchase orders. · Unique VAT ID · Unique URA ID · Unique supplier name · Duplicate name check b) Other important controls · · · · Established and documented procedures for reviewing the supplier master file and payment files and for analysis vendor performance. A hard copy audit trail of the approval process should be maintained. Invoices and Expense Payments. recording the received applications.

5. description.12. status.g. one for one checks and edits? Have the basis for inactivation of suppliers been documented? Do the manual procedures precede entering of supplier data e. Some of the details filled in the requisition include.12.5 Audit Procedures Done Date by WP Ref Perform a walk –through of the supplier approval and data entry process Interview the CAO.4 Control Questionnaire Key control questions Yes/ No Remarks WP ref Is the hardcopy audit trail of the supplier approval process maintained? Are there procedures to ensure that only valid MALG employees are entered as suppliers for payment claims? Have the rules and procedures concerning payment of claims and types of claims by employees been docu mented? Are there controls for ensuring completeness. approval of suppliers? 10. and estimate of the amount to be spent. Head of Accounts and the HOP about the supplier creation and maintenance procedures Review documentation and procedural manuals Make a print out of the supplier report and compare a sample with the hard copies of approval documents to ascertain whether the proper approval procedures had been followed Check for evidence of management supervision and monitoring 10.g.GOVERNMENT OF UGANDA INTERNAL AUDIT & INSPECTION MANUAL 10.0 The Requisition Process The purchasing cycle begins with a requisition by the authorized officers.6.5.12. accuracy and validity of data entry to the master file e. . requisition type.

GOVERNMENT OF UGANDA INTERNAL AUDIT & INSPECTION MANUAL 10.1 Control Objectives · · · · Purchase should be charged to correct accounts Only goods and services that meet the business objectives will have purchase orders issued There should be complete and accurate information regarding description of goods and services. quantity and amount of the requested for expense items must be valid and authorized.12.12.0 Purchase Orders These are created automa tically from the valid and app roved requisitions.3 Audit Procedure Date Interview CAO. HODs and HOP Check documentation and manuals Review a sample of amount based requisitions Check for Pos that have no requisitions Check for PO amounts that differ from the requisition amount and quantity 10.7. rates etc Only approved purchase orders should be issued to approved suppliers .7.6. 10.2 Control Questionnaire Key Control questions Yes/No Remarks WP Ref Done by WP Ref Are requisitions only being entered by authorized persons Is a paper audit trail of requisitions maintained Are there developed guidelines for procurement action to ensure that requisitioning officers initiate only valid procurement actions? Do the different departments and cost centres review and analyse the made requisitions and purchases? 10. rate. Specifications.12. 10.1 Control Objectives · · · Requisitions should be made against appropriate charge accounts so as to check the availability of funds Only goods and services with a specific business purpose should be requisitioned. HOA.

8.12.1 Control Objectives · There should be assurance that the receipts are only entered into the IFMS system after ensuring that the description and quantity of the items agree with the details on the pu rchase order.0 Get a print out of the purchase orders and review for appropriateness of charge account Check whether the documented procedures require a hard copy trail to be kept for each transaction in the form of a voucher. 10.8. Ø Cancelled Requisitions Report Ø Cancelled Purchase Orders Report Ø Encumbrance Detail Report Receiving of Goods and Services After the goods have been received and the store keeper prepares a Goods Received Note (GRN).12. the Head of Purchasing will enter it into the IFMS.2 Audit Procedures · · · 10.GOVERNMENT OF UGANDA INTERNAL AUDIT & INSPECTION MANUAL Control Questionnaire Key Control questions Is a system in place to inspect the received goods for quality and quantity before the receipts are entered into the system? Does the store keeper have the technical competence to verify the quality of all received items? Is a system in place to record suppliers’ shipping advice details upon receipt of goods? Does the system provide for the correct treatment of partial receipt of goods and services? Does the system allow for receipt of goods? Is a mechanism in place to certify the satisfactory delivery and completion of technical services ordered through amount based purchase orders? Does the store keeper follow documented procedures? Is there an investigation and reconciliation into the receipts that do not match to purchase orders? Yes/No Remarks WP Ref . The following reports should be printed and reviewed.8.12. 10.

10.12.8.3 Audit Procedures
· Interview the storekeeper, his supervisors, and users.
· Review documentation regarding the storekeeper’s functions.
· Review the accounting system in place.
· Select a sample of GRNs and verify against stores accounts.
· Review a sample of payments for services.

10.13 Review of IFMS General Controls
General IT controls mainly focus on the IT infrastructure. These controls are not specific to any individual transaction streams or accounting packages or financial applications. Issues like IT related policies, procedures and working practices are dealt with. Some categories of general controls include,
· Segregation of duties
· Logical access controls
· Physical controls (access and environment)
· Systems development and program change
· Business continuity planning
· Organization and management (IT policies and standards)

10.13.1.0 Data centre control objectives and audit procedures
The data centre is a very critical facility for the IFMS system. Key resources like: databases, application software, infrastructure, people, hardware and operating systems are all housed here.

10.13.1.1 Objectives of the data center controls review
To get assurance that,
· Key resources are protected and safeguarded
· Usage of key resources is monitored
· Usage of key resources is maintained at an optimal level.

10.13.1.2 Examples of Control Objectives
· Senior management should define a framework that promotes the definition of formal service level agreements and defines the minimal contents: availability, reliability, performance, level of support provided by users, continuity planning.
· Appropriate physical security and access control measures should be established for information technology, including off-site use of devices to conform to the general security policy.
· Information services function management should ensure that a low profile is kept and the physical identification of the site of its information technology operations is limited.

· Management should establish the data centre organizational structure and develop job descriptions
· Management should ensure that all information assets have an appointed owner who makes decisions about classifications and access rights
· There should be well documented standard procedures for information technology operations.
· Software vendors should supply technical manuals concerning their products.
· Management controls should guarantee that sufficient chronological information is being stored in operations logs to enable reconstruction, timely review and examination of the time sequences of processing and other activities surrounding or supporting processing.
· Health and safety practices should be in place and maintained in conformance with applicable international, national, regional and local laws and regulations
· Sufficient measures should be in place to protect against environmental factors like fire, dust, excessive heat.

10.14 Computer-Assisted Audit Techniques (CAATS)
CAATS should be used to improve audit coverage by reducing the cost of testing and sampling procedures that otherwise would be performed manually. CAATS include many types of tools and techniques, such as generalized audit software, utility software, test data, application software tracing and mapping. Some audit procedures where CAATs may be used include:
· Tests of transactions and balances, such as recalculating interest.
· Analytical review procedures, such as identifying inconsistencies or significant fluctuations.
· Compliance tests of general controls, such as testing the set-up or configuration of the operating system or access procedures to the program libraries.
· Sampling programs to extract data for audit testing.
· Compliance tests for application controls like testing the functioning of a programmed control.
· Recalculating entries performed by MOF’s accounting systems.
· Penetration testing.

10.15 Auditor/Inspector Knowledge Considerations
Standard 1210 - Proficiency of The IIA’s Standards requires that the internal audit activity collectively should possess or obtain knowledge, skills, and other competences needed to perform its responsibilities. Knowledge of how IT is used, the related risks, and the ability to use IT as a resource in the performance of audit work is essential for auditor/inspector effectiveness at all levels. Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.

The following three categories for IT knowledge for internal auditor/inspectors were identified by the IIA’s International Advanced Technology Committee.

a) Category 1 - All Auditor/inspectors
This is the knowledge of IT needed by all professional auditor/inspectors, from new recruits up through the Chief of Audit. Basic IT knowledge includes:
· Understanding concepts like differences in software used in applications, operating systems and systems software
· Comprehending basic IT security and control components like perimeter defences, intrusion detection, authentication, and application system controls.
· Understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related supporting systems, networks, and data components.

b) Category 2 - Audit Supervisors
This is concerned with the supervisory level of auditing. In addition to having basic IT skills, supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and assigning auditor/inspector skills to the elements of audit project. Each audit supervisor must:
· Understand the threats and vulnerabilities associated with automated business processes.
· Understand business controls and risk mitigation that should be provided by IT.
· Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business application and environments.
· Ensure the audit team has sufficient competence, including IT proficiency, for audits.
· Ensure the effective use of IT tools in audit assessment and testing.
· Approve plans and techniques for testing controls and information.
· Assess audit test results for evidence of IT vulnerabilities or control weaknesses.
· Analyse symptoms detected and relate them to causes that may have their sources in business or IT: planning, execution, operations, change management, authentication, or other risk areas.
· Provide audit recommendation based on business assurance objectives appropriate to the sources of problems noted rather than just reporting on problems or errors detected.

c) Category 3 - Technical IT Audit Specialists
These are the IT specialists who go into the deeper aspects of critically evaluating the IT controls in place.

Article 11
Fraud and Irregularities

11.0 Introduction
The profile of fraud and corruption in both the public and private sectors continues to be high. Fraud can be defined as any illegal acts characterised by deceit, concealment or violation of trust. These acts are not dependent upon the application of threat of violence or physical force. Frauds are perpetrated by individuals and organisations to obtain money, property or services, to avoid payment or loss of services, or to secure personal or business advantage.

Internal auditors/inspectors do not have all the expertise to deal with cases of suspected fraud, corruption or other irregularity. When such a case is found or suspected, the Internal Auditor/inspector must contact the Commissioner Internal Auditor/Inspector, who will contact the Head of Internal Audit. The Chief Internal Auditor/Inspector will decide what steps need to be taken and when to contact other institutions, for example, the Prevention of Corruption Bureau.

11.1 Fraud Red Flags

11.1.1 People
· Management dominated by one person (or a small group) and no effective oversight board or committee.
· High turnover rate of key accounting and financial personnel.
· Significant and prolonged understaffing of departments such as the accounting or internal audit department.
· Frequent changes of legal advisers, auditor/inspectors or other professional advisers.
· Remuneration overly based on financial performance.
· Undue pressure on accounting personnel to complete financial statements or management information in an unreasonably short period.
· Changes in lifestyle or habits by key members of staff.
· An employee whose lifestyle is at variance with their known sources of income.
· Low morale.
· Excessive hours worked by key staff and/or a lack of delegation of apparently mundane tasks.
· Inadequate segregation between the risk-takers and the record makers.

11.1.2 Processes
· No checks to ensure that only appropriate employees are recruited by taking references, checking for criminal convictions and regulatory body disciplinary actions.
· No checks to ensure that sales are only made to appropriate customers by, for example, establishing their ability to pay.

· No checks to ensure that only appropriate suppliers are used by, for example, checking for connections with company employees or officers.
· Inadequate documentation about an auditee or transaction, for example, where the only contact details are a mobile phone number.
· Secrecy about a particular auditee or project and/or where the auditee will only deal with one member of staff.
· Lack of appropriate response to queries from management, auditors/inspectors, suppliers, bankers, or lawyers.
· Control of the business, especially internal control, given low priority and little management time.
· Continuing failure to correct major weaknesses in internal control where such corrections are practicable and cost-effective.
· Suggestions that internal controls have been overridden by management.
· Rumours and tipoffs relating to fraud & irregularities not dealt with.
· No enforcement of holidays and procedures during absence and work always left until the employee returns.
· Loss of records or other information.
· Accounts office not keeping up with operations and the books apparently in a mess.

11.1.3 Surplus/Deficit
· Results that are out of line with the rest of the industry, or with the market.
· Unusually high or unexpected levels of surplus or deficit.
· Surplus and cash flow at variance with each other.
· Transactions where surplus is not consistent with cash flow.
· Need for a rising surplus trend to support the market price of the company’s shares due to a contemplated public offering, a takeover or other reason.
· Deteriorating quality of earnings, for example increased risk-taking with respect to credit sales, changes in business practice.
· Unusual transactions that have a significant effect on earnings.
· Unusual transactions with related parties.
· Payments for services (for example to lawyers, consultants or agents) that appear excessive in relation to the services actually provided.
· Complex transactions or accounting treatments that require such intricate explanations that are difficult for most non-specialists to comprehend.
· Indications that internal financial information is unreliable, for example key reconciliations not completed.
· Overly complex corporate and/or reporting structure.

11.2 Understanding the Business and the Risk of Fraud & Irregularities in Each Business Area/Process
There is a strong correlation between managers’ understanding of their business and the level of fraud & irregularities in that business.
· Managers should be prepared to ask if they do not understand.
· What are the common fraud & irregularities seen in the industry in each area/process?
· How well do senior management/the board of directors understand each of the business areas/business processes?
· What level of fraud & irregularities risk is tolerated by the business?

· Who within each area could produce a comprehensive list of the critical risk areas?
· Who could check that list for completeness and accuracy?
· Are understanding and control of any process solely or principally in the hands of one individual?
· How is this individual monitored and controlled and is this appropriate?
· Are any such key individuals demonstrating fraud & irregularities warning signs?
· Is the culture of the business conducive to fraud & irregularities, for example, is it overly secretive/complicated?
· How would you perpetrate a fraud & irregularities in each business area/process?
· How would you be found out?
· What are the key controls on which the business is relying?

11.3 Assessing the Impact of Each Possible Fraud & Irregularities Based on its Severity and Potential Frequency
· Repeat the exercise, assuming that a key employee is involved in the fraud & irregularities, to highlight the key controls and individuals on which the business is relying.
· How big would the fraud & irregularities get before it was noticed?
· Could cost-effective controls be introduced to mitigate the risks?

11.3.1 Key controls
· Procedures to prevent management overriding controls.
· Adequate segregation of responsibilities between the risk-takers and the recorders.
· Appropriate authorisation limits.
· Dual signatories on all cheques.
· Use of pre-numbered, sequential documents wherever possible.
· Management involvement and understanding of the key items in all key reconciliations and journal postings.
· Maintenance and review of audit logs, for example, review of amendments to standing data, exceptions, control failures and their followup.
· Backing up all data regularly to ensure an adequate audit trail is maintained.
· Internal controls – up-to-date procedures manuals explaining the controls applied.
· Internal audit and internal checks.
· Recruitment – pre-employment screening, for example, adequate inductions, coaching and training, performance evaluation, counselling.
· Adequate job rotation, for example, ensuring that all staff take holidays and that their role is handled by another person in their absence.
· Exit interviews – ask all leavers whether they are aware of any fraud & irregularities or other irregularity.
· Procedures for notification of tip-offs, for example, the provision of a fraud & irregularities hotline.
· Surveillance.

11.3.2 Are controls operating effectively?
· What evidence exists to prove that the control operates?
· How frequently does management check to see whether a control operates?
· What information is provided to management on a timely basis?
· What action does management take to resolve issues and exceptions?
· How well does management demonstrate prompt, appropriate action?
· How often does internal audit check to see whether controls are operating?
· How aware are staff of the key risks facing the business and the controls relied on to prevent it?
· Who is able to override the controls and how?
· How responsive are the controls to changes in the business, its people and its processes, for example, redundancies etc?
· Who is assessing the control over the director/manager undertaking this fraud & irregularities risk review?

11.4 The Internal Auditor’s/Inspector’s Role
As noted above, responsibility for prevention and detection of fraud rests with management. The internal auditor/inspector, in preparing audit needs assessments and audit plans, should ensure that high-risk areas are identified, and therefore require more detailed examination. High-risk areas include areas of high inherent risk, areas where controls are weak, areas typically exposed to fraud, computer fraud, etc.

Internal audit may discover fraud either through their audit checks, through operating hotlines, or from information received from management or ‘tip-offs’. Management may come across areas where they suspect fraud, for example employees working while sick, or living beyond their means. Information concerning suspected fraud could be received by formal complaints, anonymous letters, telephone calls, or referrals from the external auditor/inspector. The auditor/inspector should get as much detail as possible, and also try and obtain the identities of informants, assuring them of confidentiality.

The Internal Audit Service should establish a special telephone line for whistleblowers at selected ministries. This will allow key officers in these ministries to report suspected fraud or other irregularities to the Internal Audit Service without having to provide their names or posts.

The auditor/inspector could usefully identify some signs, personal circumstances or organisational conditions that could point to fraud, such as:
· overspending against budget
· unexplained items in suspense accounts
· frequent late banking
· altered petty cash vouchers and receipts
· goods invoiced that are not normally purchased

· employees who never take annual leave, also staff who constantly work outside normal working hours
· employees’ personal financial problems
· employees whose lifestyle is more extravagant than their salary would warrant
· unusual concerns about visits by auditor/inspectors
· someone who often breaks the rules and regulations - cutting corners may be a way of concealing fraud
· complaints about member of staff from customers or employers
· people who rule their subordinates with a ‘rod of iron’, and unnecessary anger, sarcasm or criticism, so they become too frightened to question anything
· lack of effective internal controls
· failure of management information systems
· undocumented procedures
· general laxity of attitude by management and employees towards security.

Once an investigation is completed internal audit may have responsibilities in relation to:
· recommending improvements to systems
· attendance at disciplinary proceedings
· attendance at Court

11.5 Conduct of the Investigation

11.5.1 Objectives of fraud investigations
· To prove or disprove the original suspicions of fraud
· If proven, to support the findings by producing evidence
· Presenting the evidence got in an appropriate format

11.5.2 Who to inform about the suspected fraud
· Chief Executive Officer
· Internal auditors/inspectors
· External auditors/inspectors (if fraud is significant)
· Department head.

11.5.3 Police involvement
· There should be a clear policy on the involvement of the police.
· Good working relationships with the local police, appropriate police fraud units and with other organisations working in this area should be established.
· Protocols should be agreed with the police covering interviewing, documentation and other key issues, a major one being the stages at which contact with the police should be established.

Agreement should be reached on:
· terms of reference and scope of the investigation
· estimated target dates
· staffing resources
· provision of suitable facilities - transport, cameras, mobile phones etc as may be required.

· All investigations must be properly authorised, relevant information properly documented, secrecy and confidentiality must be maintained.
· The investigation will involve gathering of evidence, and its evaluation.
· If there is a high volume of detail and documentary evidence, it is preferable to take the strongest cases for full and detailed appraisal, for example where a successful prosecution is most likely to be secured.
· All original documentation, material to the investigation, should be secured by the auditor/inspector at the earliest possible stage.
· At some stage - initially, or during the investigation, suspension of the suspect may need to be considered. This will ensure that evidence is not tampered with, and will also prevent any undue influence by the suspect on the course of the investigation. The suspension is, of course, without prejudice to the outcome of the investigation.
· Potential suspects should normally be interviewed towards the end of the investigation.

11.6 Interviewing
Interviews can be of two types:
· to seek more information
· Interviewing suspects.

A caution should be issued to a person where there are grounds to suspect that they may have committed an offence before any questions about the offence are put. If there is a doubt on whether a caution should be issued, it should be remembered that, without a caution, the case will not be admissible in court. The auditor/inspector should not be in a position at the start of any suspect interview where it would be required to issue a caution at the outset, if the suspicion for this was strong enough to be necessary the case should normally be referred to the police.

Thorough preparation must always be done for interviews.

11.6.1 Issues to consider before the interview
· The information needed, questions should, preferably, be prepared in advance of interview
· Arrange the time and place of the interview - preferably during normal working hours, but away from the interviewee’s normal place of work
· The parties to be present - all interested parties should be represented, and preferably two auditor/inspectors, the interviewee should be given the opportunity to be accompanied.

11.6.2 Pointers at the interview
· One auditor/inspector should ask questions - and another person should take notes
· Ensure that nothing is done that can be construed as duress by the interviewee
· Begin by asking the interviewee to outline their understanding of their duties and responsibilities of the matter under review
· Ask supplementary questions where necessary - questions to be asked should be predetermined and written, but auditors/inspectors must always be alert when to ask supplementary questions. Avoid leading questions.

· If at any time the auditor/inspector forms the opinion that they have reasonable grounds for believing that the interviewee has committed an offence, the caution should be administered
· The auditor/inspector’s notes should be agreed, signed and dated by all present at the interview.

11.6.3 Action to take after the interview
After the interview the following need to be considered:
· Suspension
· Informing the police
· Informing the external auditor/inspector
· Insurance
· Review of systems

11.7 Interviewing Techniques for Fraud Investigations
As the investigation develops there will be matters arising that can only be substantiated or clarified by interviews conducted by the auditor/inspector. These interviews will broadly fall into two main categories, firstly there may be a need to obtain more information of a factual nature and this can only be obtained by interviewing those people with the relevant knowledge. These people are more likely to be employees of the organisation but could be third parties who are willing to assist voluntarily with the enquiries. The second category will involve interviewing the suspect(s) with a view to ascertaining any knowledge of and involvement in the suspected fraud. It is important to ensure proper procedures are adopted in such interviews and they should generally be in line with the procedures set out later.

11.8 Fact Finding Interviews
Although the basic evidence in fraud investigation is more likely to be documentary it will normally be necessary to establish certain other facts either relating to those documents, other people, the application of rules/regulations, procedures in operation and/or specific events. This can be obtained from the testimony and recollection of others through fact-finding interviews which will generally be of a formal nature and comprise predetermined questions although other supplementary questions may be raised during the course of the interview. If predetermined questions are not used a checklist needs to be prepared to ensure that spontaneous questions cover all the necessary areas of the investigation.

The questions should be designed to elicit the relevant facts from the interviewee and answers which enhance the auditor’s/inspector’s knowledge of the circumstances connected with the investigation. Leading questions (which indicate the answer which is anticipated) should not be asked. Depending on the scale and sensitivity of the investigation these interviews will normally be undertaken by two auditors/inspectors, one of whom will take detailed notes of the answers given to the questions asked.

Where the interview is conducted with a third party outside the organisation certain additional matters need to be taken into consideration. Wherever possible a proper appointment should be made agreeing the arrangements. Where the interview takes place at a person’s private residence the auditor/inspector should ensure that the interviewee is aware of the auditor’s/inspector’s name and will carry an identification pass which will be shown on arrival. If the interviewee is an aged person it is sensible for the auditor/inspector to be accompanied by a social/welfare worker, if appropriate, who is known to the person. This is also important when the interviewee is female and lives alone and in these circumstances it is preferable that the interview be conducted by a female auditor/inspector where possible.

11.9 Interviews with Suspect(s)
· Interviews with potential suspects should be conducted towards the end of the investigation when the auditor/inspector has assimilated the available evidence and the examination of records and interviews with third parties and others has established, as far as possible, the veracity of the facts of the case.
· If the interview is carried out at an early stage where the auditor/inspector is working largely on personal suspicions then the interview becomes a fact finding interview with the possibility of a further interview being necessary. This could however enable the suspect to gain considerable insight into areas being covered by the investigation and be given an early opportunity to frustrate the investigation as previously mentioned.

11.9.1 Preparation for interviewing suspects
The auditor/inspector should:
· Understand and be fully conversant with all the details of the case.
· Study the evidence thoroughly and draw upon the strongest aspects of the case and with all the necessary supporting evidence.
· Formulate the areas to be covered and the sequence in which those areas should be dealt with in a logical structure.
· Be methodical in approach.
· Predetermine and write down the questions to be asked at the interview.
· Have sufficient knowledge to introduce supplementary questions spontaneously.
· Ensure that documents connected with the suspected fraud and those that will subsequently be relied on in proving that fraud has occurred, are shown to the suspect at interview and accepted as valid, accurate and complete documents.
· Seek confirmation of such documents in total from the suspect in the initial stages of an interview when the suspect is not aware of the detailed suspicions of the auditor/inspector or the direction which the interview will take.
· Give all such documentary evidence produced at interviews unique references which will clearly identify individual documents and which will be recorded in the question asked, for example “Would you examine this time-sheet dated 10/12/06 which I have referenced ABI. Is this the time-sheet which you completed for the week ended 10/12/06?” A positive answer to such a question, contemporaneously recorded, would be difficult for the suspect to refute at a later date.

11.9.2 Purpose of pre-determined questions:
· the questions are asked in the most beneficial sequence and in the most appropriate form
· the auditor/inspector taking notes of the answers given can concentrate on writing down the answers only
· no area of the investigation is ‘missed’ from the interview as a result of the auditor/inspector being ‘side-tracked’ by the interviewee, and the overall interview time is reduced as the process is ‘speeded-up’.
· Future disputes as to the conduct of the audit interview can be forestalled to some extent if a final question is included, as a matter of course to the effect, “Are you satisfied with the way in which this interview has been conducted?” An affirmative answer to such a question should preclude any complaints of duress, unfair treatment or denial of natural justice by the auditor/inspectors being made by the interviewee at a later date.

11.9.3 Formulation of questions
· There should be no leading questions. These are questions which contain the answer the questioner is looking for, e.g. “You do open the post on your own, don’t you?”
· Questions should be kept simple. It is better to use several short questions rather than long involved ones.
· Avoid multiple questions as these allow the suspect to choose which individual aspect of the question to answer and can be confusing, especially when a ‘yes’ or ‘no’ answer is given, as it is impossible to determine whether it is ‘yes’ or ‘no’ to all aspects, or one, or more.
· If a question is not understood, repeat it.
· Ensure that the questions are constructed to elicit all information otherwise the auditor/inspector will find that only specific responses are made and these may not reflect the whole truth.
· Ask a question the correct answer to which is already known to the auditor/inspector. This type of question allows the auditor/inspector to determine whether the suspect is telling the truth.
· Where questions are asked about two related documents, for example, a correct one and an identical fictitious one, the fictitious document should be questioned first as the suspect will not be aware that the auditor/inspector possesses the correct one and will have committed an answer before the correct document is produced and therefore be unable to easily retract it.
· Use either open questions or closed questions - depending on the situation.

a) Open Questions
· Allow the suspect to explain matters in detail.
· Begin with expressions such as, “Tell me about….”
· Are useful in circumstances where the person is reluctant to answer.
· They allow the auditor/inspector to lose control of the situation if they are widely used particularly where the suspect is talkative and wanders away from the nub of the question.

b) Closed Questions
· Establish specific points of fact.
· Enable the auditor/inspector to probe single and specific facts.
· They may be used to obtain specific ‘yes/no’ answers or to identify a person, etc. An example of the first type would be “Are unofficial receipts issued?” and an example of the second type would be “Who authorises payments from petty cash?”

11.9.4 Other arrangements for the interview
· The auditor/inspector should make other arrangements in advance to enable things to run as smoothly as possible.
· Audit interviews should always be conducted in a formal manner and are best undertaken at a location away from the interviewee’s normal work place. There are several reasons for this:
  · the interview can be confidential
  · it reduces the embarrassment which the interviewee may feel, and if conducted away from the suspect’s work place it will remove any advantage which the suspect may gain from being on home ground.
· Ensure that adequate safeguards are adopted, both from the point of view of the interviewee and the interviewer.
· As far as practicable interviews should take place in interview rooms which must be adequately heated, ventilated and lit.
· Arrange the interview at a reasonable time of day (having taken into account the estimated time which will be required to carry out the full interview).
· The interviewee should be given the opportunity to be accompanied if requested so advance warning will be necessary so that the requisite arrangements can be made.
· A person who wants legal advice may not be interviewed or continue to be interviewed until they have received it.
· Breaks from interviewing shall be made at recognised meal times.
· Short breaks for refreshment shall also be provided at intervals of approximately two hours, subject to the interviewing officer’s discretion to delay a break if there are reasonable grounds.

11.9.5 Conduct and structure of the interview
· The interview should be conducted by a senior member of the audit team accompanied by another auditor/inspector whose duty will be to record contemporaneously the answers given by the interviewee together with any supplementary questions asked or explanatory statements made by either party.
· At the start of the interview both auditors/inspectors should formally introduce themselves to the interviewee giving their names and positions.
· It is sensible for the auditor/inspector to explain at the outset the procedure to be followed and that if the interviewee does not wish to answer any question that fact will be recorded in the interview notes.
· Where someone (this may be a trade union representative, a solicitor, or a colleague) accompanies the interviewee it should be clearly explained at the commencement of the interview that their role is that of an observer to see that the interview is conducted fairly and not to answer on behalf of the interviewee.
· These interviews are not part of the disciplinary process but are conducted by the auditor/inspector in order to seek out the facts.
· Before, during and after the interview nothing should be done in any way whatsoever which could be construed as duress to force the interviewee to answer in a specific way or even confess to an offence. An auditor/inspector tapping fingers on the desk could be interpreted as an act of duress and could bring the interview into question in any future court hearing.
· In the case where an interviewee is not able to understand English or where the interviewing officer cannot speak or understand the language of the interviewee then an interpreter should also be present to record what takes place during the interview in the actual language which is used. (This record should then be formally certified as accurate and complete by the interpreter). Similar provisions will also need to be made when the interviewee is deaf and the auditor/inspector should contact the social services department of the local authority who should be able to provide assistance.
· There should be formal note taking. The taking of good notes may in fact be the difference between success and failure in a subsequent disciplinary or criminal investigation.
· Formulate a standard prefix sheet for use in all audit interviews. The following details should be recorded:
  · name of the interviewee
  · the place and date of interview
  · details of any “friend” accompanying the interviewee
  · the matters being investigated, and on which the interviewee is to be questioned
  · the time of commencement of the interview,
  · and the details (i.e. names and positions) of the audit staff conducting the interview.
· The prefix sheet should incorporate a paragraph which sets out the auditor’s/inspector’s authority to conduct the interview and seek explanations and information from the interviewee. This can be read out to the interviewee and will assist in precluding any dispute and consequent delay which might otherwise arise over the right of the auditor/inspector to carry out the interview.

· Include a question in the interview which allows the interviewee to make any comments which they may wish to add and have recorded in the interview notes.
· The auditor/inspector should always be alert to the behaviour/responses/reactions of the suspect.

11.10 Interview Notes

Audit interviews are normally recorded by the use of contemporaneous notes taken by a member of the audit staff as the interview proceeds. Auditors/inspectors are not trained shorthand writers and so cannot normally be expected to produce a complete verbatim record of the answers given at interview but the person taking notes should record the answers given as fully as possible. This applies whether or not the interview is being tape recorded.

The recording of the interview fully and correctly is a vital aspect of the whole investigation, both from the point of view of the auditor/inspector and the interviewee. There is a danger that the note taker might disregard, or fail to record an apparently trivial statement made by the interviewee which is in fact of singular significance to the case, but which could not later be introduced as evidence if it is not recorded in the interview notes. To this end, where particularly complex investigations require such interviews it is perhaps appropriate that the person taking notes is fully conversant with the case in order to minimise the risk of any significant comment not being recorded.

Where an audit interview continues for any length of time, the offer of breaks and their acceptance, or refusal by the interviewee must be recorded, together with the relevant times in the contemporaneous notes taken of the interview. Any complaints raised by the interviewee should also be recorded in the interview notes.

When the interview has been completed, any sheets containing predetermined questions which were not asked, should be removed. Once this has been done, and in the presence of the interviewee the auditor/inspector who has taken the notes should:
· consecutively number the pages of notes, e.g. 1 of 10 etc
· cross through all blank spaces on the pages of notes to demonstrate to the interviewee that nothing can subsequently be added to the agreed interview notes
· sign each page of notes, together with the auditor/inspector who has conducted the interview, and
· enter on the last page of notes the time at which the interview ended.

The interviewee should be invited to read the interview notes which have been taken and should be given the opportunity to make any additions, deletions or amendments which are considered necessary. When any such alterations have been made and the interviewee agrees that the notes are a complete and accurate record of the interview they should then be asked to sign each page of the interview notes and to initial any alterations which have been made. This process should be explained to the interviewee at the commencement of the interview.

11.10.1 Refusal of the interviewee to sign the notes taken

It may arise that an interviewee will refuse to sign the notes taken of the interview. Under no circumstances whatsoever should the interviewee be pressured into appending a signature. The circumstances of the refusal should in those cases be noted on the last sheet of the interview notes, preferably in the presence of the interviewee, and the notes should be signed by the two auditor/inspectors who conducted the interview.

11.10.2 Cautioning

It is appropriate at this point to examine the circumstances of cautioning a suspect. A caution should be issued to a person where there are grounds to suspect that they may have committed an offence before any questions about the offence are put, if the auditor/inspector is to avoid any evidence obtained from the interview being ruled to be inadmissible in any subsequent criminal proceedings. This is therefore an important consideration for the auditor/inspector when undertaking suspect interviews.

The objective of an audit interview is to establish facts and this applies equally to interviews with suspects in an investigation. Even though an auditor/inspector may have accumulated substantial amounts of evidence during the investigation which could be seen as suggestive of the guilt of the suspect there may well be other possible explanations. It may well be that a suspect will provide apparently genuine explanations for the actions which have prompted the audit investigation, and which the auditor/inspector will subsequently need to follow up and verify.

Having discussed the situation informally as previously suggested with the local police, the auditor/inspector should not be in a position at the start of any suspect interview where it would be required to issue a caution at the outset. If the suspicion were strong enough for that to be necessary the case should normally be referred to the police. It is perhaps appropriate to help prevent any future dispute for the auditor/inspector to explain to the suspect at the outset of the interview that the purpose of the interview is to establish facts and obtain explanations. This statement should be fully recorded in the interview notes.

As the interview proceeds however, it may be that the answers given by the suspect, coupled with other evidence known to the auditor/inspector, give rise to clear grounds to suspect that the interviewee has carried out a fraudulent act or indeed the suspect may confess. At this point, the auditor/inspector may take one of two courses of action:
· terminate the interview at that point and refer the investigation to the police for further action, or
· issue a caution to the suspect, before proceeding with any further questioning.

The words to be used to give such a caution should be: “You do not have to say anything. But it may harm your defence if you do not mention when questioned something which you later rely on in court. Anything you do or say may be given in evidence”.

The fact that the caution was given, the words used, and the time that the caution was given must be recorded in the interview notes. The interviewee must also be formally reminded that they are still under caution after any subsequent breaks in the interview and this must also be recorded and timed in the interview notes.

11.11 Voluntary Statements under Caution

In certain circumstances the interviewee may not wish to answer any further questions but may wish to make a statement to the auditor/inspectors. This statement may be given in evidence.

If the interviewee wishes to write out this statement personally then the statement should begin with this declaration: “I make this statement of my own free will. I understand that I do not have to say anything but that it may harm my defence if I do not mention when questioned something which I later rely on in court. This statement may be given in evidence.” This should be followed by the signature of the interviewee. The interviewee should, on completion of such a statement, be invited to re-read what has been written and be given the opportunity to make any amendments before signing the statement.

Where the interviewee wishes to make a statement rather than answer further questions but wishes the interviewing auditor/inspector to write down what is said the statement should be prefixed as follows: “I, ........, wish to make a statement. I want someone to write down what I say. I understand that I do not have to say anything but that it may harm my defence if I do not mention when questioned something I later rely on in court. This statement may be given in evidence.” In these circumstances what is said by the interviewee must be recorded verbatim and upon completion the interviewee should be asked to read through what has been written, and should be allowed to make any alterations, additions or corrections. Any such changes must be initialled by the interviewee.

When the statement has been agreed the following certificate should be added, at the end of the statement, by the interviewee: “I have read the above statement, and I have been able to correct, alter or add anything I wish. This statement is true. I have made it of my own free will”. This certificate should then be signed by the interviewee.

12. The object of such notes is to assist the auditor/inspector to: r r produce an honest and factual statement of evidence if subsequently required by the police or as part of formal disciplinary proceedings. Other Relevant Areas 11. Throughout the investigation of any fraud. the content of a telephone call to an outside organisation to confirm or otherwise alleged events will be very important to the direction of the investigation.2 Rough notes made during conversations.12.1 Offers of resignation/restitution · · · · 11. Auditor/inspectors should not accept money in restitution of an offence at interview as it may be construed as being obtained under duress and legal advice should be taken afterwards. In any such situation any auditor/inspector involved must either at the time. Notes made on this basis may be acceptable to the police in any subsequent criminal investigation. for example. These notes should be signed by the auditor/inspector(s). timed and dated. and refresh the auditor/inspector’s memory and bring all aspects clearly to mind should the auditor/inspector later be called on to give evidence either in a disciplinary or criminal hearing. situations will occur and conversations take place which are material to the matter under investigation. As soon as possible after completion of the conversation the rough notes should be used by the auditor/inspector(s) to produce a full written note of what has occurred. may still be very material to the investigation and in such circumstances the auditor/inspector should record the contents of the interview as contemporaneous rough notes. 
Any offer of restitution should be incorporated in the interview notes.12 If during the course of an interview the interviewee offers to resign then the auditor/inspector should not accept it but should refer the individual to the manager/personnel officer and record the offer in the interview notes.1 The use of audit notes as evidence As a general principle evidence is essentially fact and not impressions or opinions formed or conclusions drawn. The auditor/inspector should not enter into any discussion on ‘doing a deal’ whereby the employee will pay restitution in order for the matter not to be referred to the police etc.GOVERNMENT OF UGANDA INTERNAL AUDIT & INSPECTION MANUAL 11. and where possible the rough notes attached. etc Occasionally the auditor/inspector will not be able to follow formal interview procedures when speaking to persons connected with an investigation as in some cases the person concerned will not be an employee of the organisation and the auditor/inspector has no authority to interview formally in such cases. 11. or immediately afterwards make a formal note of what has taken place. The evidence which these people have to give. .11. These notes should be made in the manner most appropriate to the circumstances but should attempt to cover the essential facts disclosed. however.

Such notes are also generally accepted by the courts for use by a witness when giving evidence but the courts may, on occasion, rule that only the rough notes made contemporaneously may be used. It is therefore important that these notes be as detailed as possible and are retained intact.

11.12.3 Conclusion of the investigation

Having conducted the interviews necessary to complete the auditor/inspector’s knowledge of the situation disclosed by the investigation the auditor/inspector must draw together all the evidence obtained from the investigations and formulate the conclusions based on all the evidence so that the audit report can be prepared. At this stage the auditor/inspector must take full account of all their investigations in reaching their conclusions. It is also important that conclusions are only based on fact. It may well be prudent to obtain legal advice from within the organisation before finally determining the conclusions of the investigation.

The need to obtain legal advice on the evidence resulting from the investigation

In almost every fraud investigation some legal advice on the strength of the evidence obtained will be required. This may be:
· informal off the record discussion with a member of the organisation’s legal staff
· a referral of a draft report for specific examination as to whether the evidence disclosed is strong enough to warrant referral to the police
· a formal referral to outside counsel for advice both on the case and perhaps proper procedures for investigation/reporting when the culprit is covered by a detailed and specific nationally laid down disciplinary code.

It must always be remembered that the legal opinion obtained is purely that, an expression of opinion, and must not ever be regarded as definite and infallible prediction of the outcome of any investigation/criminal

The opinion given can only be formed from the information available. Therefore any omissions or errors in that information, or subsequent discoveries (unforeseen when the information was provided) will affect the validity of the opinion which is drawn from the information supplied.

The following expressions are those generally used by the legal profession when giving an opinion on the strength of evidence, and can be interpreted as shown below:

“The evidence should be sufficient to support successful proceedings” This can be taken as legal opinion that the evidence obtained should be more likely to result in conviction of the culprit than in the acquittal.

“The evidence should be sufficient to support a prima facie case” This can be taken to mean that the evidence disclosed is evidence of the essential facts of the case which are required to undertake a prosecution but that there are sufficient factors (which would normally be detailed in the opinion) to suggest that the prosecution could fail, for example obvious lack of credibility of some witness(es) or failure to prove the connection between the fraudulent action and the culprit.

“The evidence is not sufficient to support proceedings” This is basically self explanatory in that it means that the evidence produced does not prove one or more of the essential facts necessary to secure the conviction of the culprit. Such advice will normally detail the deficiencies in the evidence produced and where possible suggest what is required to remedy these deficiencies.

In certain circumstances, although the evidence produced may well be sufficient to ensure prosecution there may be certain features, either of the case and its circumstances or the culprit which would make the case unlikely to succeed, and therefore to make the prosecution of the case contrary to the interests of the organisation. Such features include:
· the serious ill health of the culprit
· the “staleness” of the offence, and
· the age or youth of the culprit.

If such features exist, they should be brought to attention in any legal opinion obtained.

11.13 Components of an Appropriate Anti-Fraud and Irregularities Culture

· An anti-fraud & irregularities culture refers to an attitude of mind, not a list of rules.
· Issues that may suggest the existence of an appropriate anti-fraud & irregularities culture include:
  § Fair treatment of employees/customers and suppliers.
  § Provision of a fraud & irregularities hotline for reporting fraud & irregularities.
  § Regular discussion and knowledge sharing with others in the same business/industry.
  § Managers and staff who understand business and risks.
  § Regular two-way communication, encouraging challenges to managers, in areas such as staff performance and development evaluation tied in with coaching and counselling.
  § Segregation of duty between risk-takers and recorders.
  § An emphasis on recruiting staff with high integrity.
  § Staff accountability for maintaining adequate controls.
  § An ethics policy and contingency plan that are regularly reviewed, tested, updated and approved.
  § Appropriate anti-fraud & irregularities training.
  § The existence of an internal audit department of an appropriate size.
  § An emphasis on staff’s responsibility to report fraud & irregularities and the existence of appropriate escalation procedures.



INTERNAL AUDITING GUIDELINES for The East and Southern African Association of Accountants General

CONTENTS
1. Introduction
2. Nature, Objectives and Scope of Internal Audit
3. Internal Audit Independence
4. Managing Internal Audit
5. Professional Proficiency
6. Relationships
7. Internal Audit Planning
8. Approaches to Internal Audit
9. Reporting, Monitoring and Follow-up
Glossary of Technical Internal Audit Terms

1. INTRODUCTION

1.0 These Internal Auditing Guidelines are recommended to all government institutions in member countries. These may include Ministries, Departments, Regions, and other public sector organisations or entities, where appropriate.

1.1 The guidelines are intended to provide best practice principles rather than specific guidance on Internal Audit procedures and techniques. Each professional Internal Auditor should hold the general skills and knowledge of Internal Audit practice. The Guidelines are prepared in compliance with the “Standards for the Professional Practice of Internal Auditing” developed by the Institute of Internal Auditors and international best practice in public sector Internal Audit.

1.2 A brief explanatory note to facilitate a clear understanding of the guidelines is included before each guideline.

1.3 These guidelines provide criteria by which Internal Auditing in the Public Sector in member countries should be measured and evaluated.

1.4 Any standards or guidelines should be dynamic to keep up to date and these guidelines will be revised from time to time as necessary.

2. NATURE, OBJECTIVES AND SCOPE OF INTERNAL AUDIT

2.0 Explanatory Notes:

2.1 This guideline explains the nature, objectives and scope of Internal Auditing and indicates the range of responsibilities that Internal Audit should cover. The Head of Internal Audit should ensure that each Accounting Officer (see Glossary of Technical Internal Audit Terms at the end of these Guidelines) in the public sector organisations for which they are responsible are aware of the full range of activities that fall within the scope of Internal Audit.

2.2 Nature: The Institute of Internal Auditors defines Internal Auditing as "an independent objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."

2.3 Internal Audit should be an independent function or division within the public sector organisation. It assists management by reviewing, assessing and helping to improve the internal control system. It is not, however, an extension of, or a substitute for, effective internal controls. Responsibility for internal control rests fully with the Accounting Officer, who should ensure that appropriate and adequate arrangements for internal control exist in addition to any Internal Audit activity in their public sector organisation.

2.4 Scope: The scope of internal audit needs to cover the systematic review, appraisal and reporting of the adequacy of the systems of managerial, financial, operational and budgetary control and their reliability in practice, including:
· the relevance of established policies, plans and procedures, the extent of compliance with these
· the appropriateness of organisational, personnel and supervision arrangements
· the extent to which assets and interests are accounted for and safeguarded from losses of all kinds arising from waste, extravagance, inefficient administration, fraud or other causes
· the appropriateness, reliability and integrity of financial and other management information and the means used to identify, measure, classify, report and act upon that information
· the integrity of computer systems, including systems under development
· the follow-up action taken to remedy previously identified weaknesses.

2.5 Internal Audit undertakes reviews of individual systems and processes. As a result, recommendations are made to the relevant Accounting Officer on how internal controls could be improved. It is for the Accounting Officer to decide whether or not to accept and implement Internal Audit findings and recommendations. The actual areas reviewed by Internal Audit should be determined by a risk assessment that guides Internal Audit planning (see Guideline Seven).

2.6 There should be an Internal Audit service for all public sector and government organisations including the armed and secret services.

2.7 Objectives: Internal Audit should operate in partnership with management by helping to enhance their accountability, transparency and corporate governance. Internal Auditors work with Accounting Officers and other managers to help to improve internal controls within their public sector organisation and so reduce the risks the Government faces in achieving its objectives to an acceptable level.

2.8 Internal Audit assists Accounting Officers by evaluating and reporting on the elements of the internal control system for which the Accounting Officer is responsible. This is achieved by identifying and evaluating their internal control systems and making recommendations for improvements and refinements to these systems.

However, the Accounting Officer should be responsible to an Audit Committee and the Public Accounts Committee for ensuring that prompt and effective action is taken to address Internal Audit's findings. An Audit Committee may assist in ensuring that prompt and effective action is taken in response to audit recommendations.

2.9 Internal Audit may undertake checks that individual items of expenditure are necessary and have been authorised as required. This may be undertaken before the payment is made (pre-audit) or may be undertaken later (post-audit). Internal Audit may also be required to undertake independent checks on stores and fixed assets.

2.10 If Internal Auditors undertake pre-audit, they should not also undertake system reviews of the same transactions or systems.

2.11 In some countries, Internal Audit may be required to undertake pre-audit. However, international best practice suggests that the core element of Internal Audit work should be systems audit. The objective of systems audit is to improve the controls operated by management rather than Internal Audit acting as a control itself. Where this is the case consideration should be given to reducing this role. This could be achieved by only undertaking pre-audit on larger payments or those that are particularly vulnerable to fraud or irregularity. Public sector organisations with good internal controls could be rewarded with a reduced requirement to have their expenditure subject to pre-audit.

Advantages and Disadvantages of Pre-Audit

Advantages
· Could help to ensure that expenditure is necessary and appropriate.
· Could help to ensure that expenditure is properly authorised before payment is made.
· Could help to prevent management fraud.
· Could help to confirm the existence of projects, supplies and stores.
· Could help to reduce the incidence of fraud or irregularity.

Disadvantages
· Could relax Internal Audit objectivity when doing systems audit work.
· Could provide an opportunity for unethical Internal Auditors to seek bribes.
· May reduce officers' responsibilities for internal control.
· It may be an inefficient use of valuable Internal Audit time.
· Could put Internal Audit security at risk.
· Managers may not check payments properly, but rely on Internal Audit to do these checks.
· Payments may be delayed until Internal Audit has completed their checks.

2.12 Internal Audit is not necessarily best suited to undertake investigations into suspected fraud, corruption or irregularity. This is a specialised function that requires expert knowledge and experience. The approach to fraud investigation is different to that used in routine Internal Audit work. For these reasons, where possible, fraud investigations should be undertaken by a special unit.

2.13 Internal Audit can:
· independently review and appraise the systems of control throughout the public sector organisation (not just the financial controls).
· recommend improvements to internal controls.
· ascertain the extent of compliance with procedures, policies, regulations and legislation.
· provide reassurance to management that their policies are being carried out with adequate control of the associated risks.
· facilitate good practice in managing risks.
· by its activities help to ensure that assets and interests are safeguarded from fraud, deter fraudsters and possibly identify fraud.
· save money by identifying waste and inefficiency, and by facilitating the spread of good practice.
· avoid duplication of effort by an effective partnership with the Auditor-General and other review agencies.

The effect of Internal Audit should be continual improvements and refinements to the internal control system as a contribution to proper, economic, efficient and effective use of government resources.

2.14 The existence of Internal Audit in a public sector organisation should not cause a general relaxation or vigilance on the responsibility of the line managers. It is not the responsibility of Internal Audit to detect and/or prevent fraudulent activities and irregularities. This is the responsibility of all officers, managers and the Accounting Officer.

GUIDELINE ONE: NATURE, OBJECTIVES AND SCOPE OF INTERNAL AUDIT

NATURE OF INTERNAL AUDIT

1 Internal Auditing is an independent objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

OBJECTIVES OF INTERNAL AUDIT

2 Internal Audit has two main objectives. These are to:
a) ensure that internal control and risk management systems are continually being improved and optimised in response to an ever changing environment.
b) provide reasonable assurance to the relevant Accounting Officer and the Audit Committee that significant risks in the public sector organisation are being appropriately managed, with an emphasis on the role of internal controls.

3 The way that these objectives are achieved will vary between countries and organisations. This leads to a variety of different approaches to Internal Audit. This subject is covered in the Guideline below on Approaches to Internal Audit.

4 The Head of Internal Audit should be consulted when the Accounting Officer wishes to change the system of internal control. The Head of Internal Audit should be required to co-ordinate inter-ministerial or departmental issues concerning control.

5 If Internal Auditors are used to investigate potential fraud or irregularity they will need specialist knowledge and experience. An expert team should be created to investigate cases of actual or potential fraud and irregularity.

INTERNAL CONTROL

6 Internal control has been defined by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) in Internal Control – Integrated Framework, as: 'A process, effected by an entity’s board of directors, management and other personnel (people), designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
· Effectiveness and efficiency of operations, (basic operational objectives, performance goals and safeguarding resources)
· reliability of financial reporting
· compliance with applicable laws and regulations.'

7 Internal control is a management tool used to provide reasonable assurance that the public sector organisation's objectives are being achieved efficiently. Internal control covers the whole system of controls, policies and procedures established by management to meet their targets and objectives.

8 The responsibility for the adequacy and reliability of internal controls rests with management. The relevant Accounting Officer has overall responsibility for the establishment and maintenance of internal controls within their area of responsibility. The Accounting Officer of each public sector organisation should ensure that proper internal controls are introduced, reviewed, and updated to keep them effective. An Audit Committee can assist with this role.

SCOPE OF INTERNAL AUDIT

9 The potential scope of Internal Audit is the whole system of internal control established by a public sector organisation, including policies and procedures for the management of risk. This may include controls over all the organisation's activities, not just controls over financial accounting and reporting. However, Internal Audit should concentrate its efforts on the high risk areas and the most important internal controls.

10 The Accounting Officer and Audit Committee should not restrict Internal Audit to work on financial systems or checking that assets are safeguarded. Internal Audit should review all significant operational and management controls. Internal Audit work should go beyond the accounts to check that public officials and others entrusted with public resources are:
a) complying with applicable laws and regulations
b) achieving government objectives and desired services or benefits established by the public sector organisation.

11 The Audit Committee and the Accounting Officers should ensure that Internal Audit has the widest scope to ensure that internal controls across the whole public sector organisation may be subject to review by Internal Audit.

12 Internal Audit should have unrestricted access to all the people, systems, documents and property it considers necessary for the proper fulfilment of its responsibilities.

3. INTERNAL AUDIT INDEPENDENCE

3.0 Explanatory Notes:

3.1 Internal Audit should be sufficiently independent from line management to ensure that Internal Audit's professional judgements and recommendations are objective and impartial. For the individual Internal Auditor, objectivity is essential to ensure an attitude of mind characterised by integrity, steadfastness and an impartial approach to work. Objectivity may be impaired through familiarity both with systems and non-audit staff. This may occur if Internal Audit staff are involved with the same work assignments and ministerial officers for several years.

3.2 It is generally considered that Internal Audit should not report to a manager if Internal Audit regularly reviews systems that this manager is directly responsible for. For this reason, in some countries it is considered inappropriate for the Accountant-General to be responsible for Internal Audit. The reason for this is that the Accountant-General is the accounting advisor to the Permanent Secretary in the Ministry of Finance and is also in charge of the treasury and the national accounts. The Head of Internal Audit regularly reviews systems that the Accountant-General is responsible for and so should not report on these systems to the same officer.

3.3 Internal Audit will achieve respect through the status it is given in a public sector organisation. To be effective, Internal Audit needs to have adequate authority and report at a sufficiently senior level within the public sector organisation. As a result, the Head of Internal Audit should report (for pay and rations) at a level at least equivalent to the Accountant-General in the Ministry of Finance or the Permanent Secretary in other ministries. Internal Audit should also report to an Audit Committee and have a direct reporting line to the Accounting Officer.

3.4 Internal Audit should take its authority and terms of reference from the Audit Committee and Accounting Officer to whom the Head of Internal Audit should report and have the right of direct access. Internal Audit's terms of reference (or charter) should clearly outline the nature, objectives, responsibilities and scope of Internal Audit. Internal Audit’s terms of reference should be approved by the Audit Committee subject to applicable legislation.

3.5 The written terms of reference for Internal Audit should clearly:
a) establish Internal Audit's position within the organisation
b) establish Internal Audit's right of access to all records (both electronic or otherwise), assets, personnel and premises, and its authority to obtain such information and explanations, as it considers necessary to fulfil its responsibilities
c) define the scope of Internal Auditing activities.

3.6 Objectivity is an independent attitude of mind that Internal Auditors should maintain when performing Internal Audit work. Internal Auditors should not be placed in situations in which they feel unable to make objective professional judgements.

3.7 Objectivity requires Internal Auditors to carry out Audits in such a way that the quality of their work or their honest belief in the results of that work is not compromised. It is important that Internal Auditors always retain a critical edge in undertaking their work. Internal Auditors need to be sceptical in discussions with officers and to obtain an adequate level of proof from Audit testing.

3.8 Internal Auditors should not be placed in situations in which they feel unable to make objective and impartial professional judgements. If any of the situations referred to below arise, Internal Auditors should inform their Head of Internal Audit so that alternative arrangements for the Internal Audit assignment may be made:
(a) Internal Auditors, notwithstanding their employment by the organisation, should be free from any conflict of interest arising either from professional or personal relationships or from pecuniary or other interests in an organisation or activity that is subject to Audit.
(b) Internal Auditors should be free from undue influences, which either restrict or modify the scope or conduct of his work or over-rule or significantly affect judgement as to the content of the Internal Audit report.
(c) Internal Auditors should not allow their objectivity to be impaired when Auditing an activity for which they have had authority or responsibility in the past.
(d) Internal Audit should be consulted about significant proposed changes to the internal control system or the implementation of new systems. Internal Audit may make recommendations on the standards of control to be applied without prejudicing Internal Audit's objectivity in reviewing those systems at a later date.

(e) Internal Auditors should not normally undertake non-Audit duties, but if they do, exceptionally, they should ensure that management understands that they are not then functioning as Internal Auditors.

3.9 International best practice suggests that Audit Committees should be established. Audit Committees are generally considered to improve the independence of Internal Audit. Audit Committees should be established for each public sector organisation. An Audit Committee may deal with more than one organisation. Members of an Audit Committee, especially the chair, should be chosen so that they are sufficiently independent from the senior managers of the public sector organisation and so they are suitably experienced.

3.10 The role of an Audit Committee with regard to Internal Audit is that it should:
· approve Internal Audit's strategic and operational plans and review performance against them
· discuss with Internal Audit its findings and the responses of management to its major recommendations, and, periodically, its views on the overall quality of internal control
· consider the objectives and scope of any additional (non-audit work) work undertaken by the Internal Auditors to ensure there are no conflicts of interest and that independence is not compromised
· review the adequacy of the Internal Audit function, particularly independence, scope, resourcing, standing, its adherence to professional standards, its liaison with the Auditor-General and other review agencies and its reporting arrangements
· meet regularly two or three times a year and meet with the Internal Auditors at their request as they deem necessary
· through its Chair represent the concerns of Internal Audit to the relevant Accounting Officer, Permanent Secretary or Minister
· be involved in the process of appointment or dismissal of the Head of Internal Audit
· periodically review the Internal Audit terms of reference.

GUIDELINE TWO: INTERNAL AUDIT INDEPENDENCE

13 Internal Auditors should be objective, and, as far as possible, operationally independent of the management of the public sector organisation.

14 Internal Audit independence should permit it to provide impartial and unbiased judgements that are essential for its proper function. Internal Audit independence should also ensure that the Head of Internal Audit can report without 'fear or favour' to all levels within the public sector organisation. Internal Audit independence can be ensured through status and objectivity.

15 It is the responsibility of the Accounting Officer and the Audit Committee to ensure that conflicts of interest do not arise and that Internal Audit’s objectivity and independence are not compromised. If the independence or objectivity of Internal Audit is impaired, in fact or appearance, the details of the impairment should be disclosed to the Accounting Officer and the Audit Committee.

STATUS

16 The Head of Internal Audit should be responsible to an individual with sufficient authority to promote Internal Audit independence and to ensure the broadest Internal Audit coverage, adequate consideration of Internal Audit reports and appropriate action on Internal Audit recommendations. Internal Audit needs the support of top management officials so that they can gain the co-operation of officers and perform their work without interference.

17 The Head Internal Auditor should report to the Accounting Officer and an Audit Committee. Internal Audit should have a direct reporting line to the Accounting Officer and the Audit Committee.

TERMS OF REFERENCE

18 Internal Audit should have written terms of reference (or charter) that are agreed by the Accounting Officer and the Audit Committee. These should clearly outline the nature, objectives, responsibilities and scope of Internal Audit. The Head of Internal Audit should actively seek to develop and obtain approval of such terms of reference. The terms of reference should be reviewed and revised, if necessary, at least every three years.

19 The terms of reference for Internal Audit should include the requirement for Internal Audit to have the access, where possible, to all personnel, records, assets and property that Internal Audit considers necessary for it to undertake its work effectively.

20 The terms of reference for Internal Audit should be supported by a law, by-law or regulation that specifies the position of the Internal Auditor in the government hierarchy.

OBJECTIVITY

21 The term objectivity includes the requirement on the part of Internal Auditors to have an independent mental attitude to the performance of their work. Objectivity should ensure that Internal Auditors have an honest belief in their work product and that no significant quality compromises are made.

22 Internal Auditors should not be placed in any situation where they feel unable to make objective professional judgements. Objectivity may be impaired through familiarity, with both systems and officers. This may be created by Internal Audit staff being involved with work assignments for too long a period of time. In order to maintain maximum awareness and motivation amongst Internal Audit staff, work assignments should be rotated on a planned basis, every few years. Transfers of Internal Audit staff between public sector organisations are to be recommended.

23 Internal Audit assignments should be undertaken in such a way that there is no potential or actual conflict of interest. Internal Audit staff should declare any conflict of interest that may arise. Internal Audit staff should not undertake Audits of systems if they worked in this area in the last year.

24 Recommending standards of control for new systems or reviewing procedures before they are implemented is part of Internal Audit work. However, designing, installing and operating systems is not an Internal Audit function. Performing such work is presumed to impair Internal Audit objectivity.

POSITION

25 The position of Internal Audit should be categorised specifically as a Staff function as opposed to all Line Functions. Therefore, the Internal Auditor should not undertake executive functions outside their divisional activities. Internal Auditors should not supervise or manage other sections or activities. Performance of such activities is presumed to impair Internal Audit objectivity. If Internal Auditors perform non-audit work they are not functioning as Internal Auditors.

26 The position of Internal Audit within the public sector organisation should be high enough to ensure that there is no impairment of Internal Audit scope.

4 MANAGING INTERNAL AUDIT

4.0 Explanatory notes:

4.1 The appointment of appropriate staff is important to the success of Internal Audit. Internal Auditors must be able to develop good working relationships with all officers. Internal Auditors must also be able to quickly understand how systems work and be able to identify suitable improvements. The Head of Internal Audit should ensure that all their staff are appropriately trained and receive suitable guidance.

4.2 Controlling: Internal Audit work should be controlled at all levels of operation to achieve objectives and ensure the economic and efficient use of resources. The results of each Internal Audit assignment or groups of Audit assignments should be reviewed against Internal Audit plans. Any significant variations from work plans should be investigated and dealt with appropriately. Efficiency should be assessed and any necessary revisions made to subsequent planned work.

4.3 The Head of Internal Audit should continually monitor Internal Auditors' performance.

4.4 Recording: The Head of Internal Audit should specify standards of Audit documentation, ensure that those standards are maintained and monitor compliance with the standards.

4.5 Appraisal: Like any other department, Internal Audit should be constantly appraised to ensure that its performance and value to the management of the public sector organisation is maximised. The Internal Audit function is subject to budgetary constraints, in common with all other elements of the public sector, therefore its value should continually be re-assessed. This appraisal or assessment should be undertaken by Internal Audit managers and also periodically by independent suitably experienced external assessors. The assessment should consider the views of the Accounting Officer and other senior managers on the success of Internal Audit. It may also consider Internal Audit’s effectiveness and any appropriate directional changes.

4.6 An Internal Audit management unit in the Ministry of Finance may assist in maintaining the quality of internal audit across all public sector organisations and can assist with ensuring the independence of Internal Audit. In some countries Internal Audit units in all public sector organisations are managed by a central Controller of Internal Audit in the Ministry of Finance. The Internal Audit management unit may have responsibility for the staffing, planning, organisation and co-ordination of Internal Audit units in all public sector organisations. The management unit may provide guidance to Internal Audit units in other public sector organisations, monitor all Internal Audit reports, and co-ordinate training across the public sector.

GUIDELINE FOUR: MANAGING INTERNAL AUDIT

27 The Head of Internal Audit should effectively manage Internal Audit to ensure it adds value to the public sector organisation and to ensure that:
(a) Internal Audit work fulfils its terms of reference
(b) resources for Internal Audit are used efficiently and effectively
(c) Internal Audit staff undergo suitable professional development
(d) Internal Audit work conforms to approved standards
(e) the morale of Internal Audit staff is developed and maintained.

28 The Head of Internal Audit should submit periodic activity reports to the Accounting Officer and the Audit Committee. These reports should compare:
(a) actual performance with goals and Internal Audit plans
(b) actual expenditures with financial budgets.
The Head of Internal Audit should explain major variances (positive or negative) together with action taken to address these.

29 The Head of Internal Audit should ensure that Internal Audit staff are provided with a suitable Audit Manual including written policies and procedures to guide them with their work. This guidance should also include programmes for particular Internal Audit assignments. The Internal Audit programmes should specify reporting lines at each level of management.

30 The Head of Internal Audit should ensure that the work of all levels of Internal Audit staff is effectively supervised from planning to conclusion. This supervision should include:
(a) provision of suitable instructions and guidance at the outset of an Internal Audit assignment and approving the Audit programme
(b) seeing that the approved Audit programme is carried out unless deviations are both justified and authorised
(c) ensuring that Internal Audit staff understand the work to be undertaken and obtain and document sufficient relevant and reliable audit evidence
(d) determining that Internal Audit objectives are being met.

MANAGEMENT REVIEW

31 All Internal Audit working papers and reports should be reviewed by Internal Audit managers before the reports are released. This review should include:
(a) determining that Audit working papers adequately support the Audit findings, conclusions and report
(b) making sure that Audit reports are accurate, objective, clear, concise, constructive and timely.

32 Internal Audit working papers should show clear evidence of this management review.

QUALITY ASSURANCE APPRAISALS

33 There should be periodical reviews of Internal Audit performance to ensure that its performance and value to the management of the public sector organisation is maximised and to ensure compliance with appropriate standards and guidance.

34 The Head of Internal Audit should establish and maintain a quality assurance programme to evaluate the operations of Internal Audit. This programme should provide reasonable assurance that Internal Audit work conforms to relevant standards and these Internal Auditing Guidelines. This quality programme should include:
(a) supervision
(b) internal review
(c) external review.

35 Supervision of Internal Audit work should continuously ensure conformance with the Institute of Internal Auditors Standards, these Internal Auditing Guidelines, department policies and Audit programmes. It should also ensure that Internal Audit adds value by improving internal control.

36 Internal reviews should be performed periodically by senior Internal Audit staff to appraise the quality of the Internal Audit work that is undertaken in all public sector organisations.

37 External reviews should be performed to assess the quality of Internal Audit work against these Guidelines. These reviews should be performed by suitably qualified Internal Auditors who are independent of the organisation and who do not have either a real or an apparent conflict of interest. The external reviews should be undertaken at least once every five years.

38 On completion of such reviews, formal written reports should be issued to the relevant Accounting Officer and the Audit Committee. These reports should express an opinion on Internal Audit's compliance with these Internal Auditing Guidelines and, where necessary, should include recommendations for improvement.

updated at least once a year.7 The Head of Audit should ensure that all Internal Audit staff are reminded of their ethical responsibilities and also ensure that their declarations of interest are reviewed.2 Due professional care is defined as carrying out Internal Audit work with competence and diligence.5 Internal Audits should be performed by.1 In carrying out their duties Internal Auditors should exercise due professional care. Due care does not mean infallibility. 5. 5. 5. experience and perspective which will enable them to comply with these Guidelines. and where appropriate.3 Professional care requires the use of Audit skills and judgements based on appropriate experience. This is necessary to maintain Internal Audit's credibility as a dependable instrument of management. training.0 Explanatory notes: 5. training. integrity and objectivity. Audit staff who have the technical skills.5. 16 . it will be incumbent upon the Internal Auditor to consider the effect of significant weaknesses in the systems under review and evaluate the possibility of material irregularity or non-compliance with the legislation and regulations when undertaking Internal Audit. that is competence based on appropriate experience. However. The level of professional care to be exercised should be appropriate to the objective and complexity of the Internal Audit work being performed. Internal Auditors should be able to show that their work has been performed in the manner which meets the criteria set by these Internal Auditing Guidelines or specific departmental policies. ability. 5. or supervised and controlled by. ability. 5. PROFESSIONAL PROFICIENCY 5. integrity and objectivity.6 The Head of Internal Audit should therefore ensure that Audit staff have the capacity to meet the responsibilities identified by the terms of reference agreed with the Audit Committee and the Accounting Officer. 5.4 In order to demonstrate due professional care. 
Consequently Internal Auditors cannot provide absolute assurance that non-compliance or irregularities do not exist.

5.8 Internal Auditors should not accept any gift or inducement from an officer, worker, supplier or other third party. Internal Auditors should only accept hospitality when this is consistent with the public sector organisation’s documented arrangements. Information acquired by Auditors in the course of their work should not be used for unauthorised purposes or for personal benefit or gain.

5.9 The most important source of information for Internal Auditors is the staff working within the area subject to Audit. These officers know how the system actually operates and should have a reasonable idea of how practical any improvements may be. The skill of Internal Auditors is to enable all the staff they interview to open up and describe what they actually do (not just what they think they should do) and to identify any aspects they think could be improved. Thus interviewing skills are essential for all Internal Auditors.

5.10 Staff who operate the system will know what they do, but not necessarily why they do it. They may also try and explain the system in the most positive light. Internal Auditors need to be able to understand what may be a complex system. Understanding why each step is taken is more difficult. Staff may just do it “because we’ve always done it that way” or even worse “because the Auditors told us to”! Internal Auditors also need to be able to critically assess each stage of the process. Why is it performed? Could it be undertaken more efficiently?

5.11 An experienced Internal Auditor will ensure that the staff they talk to are relaxed and so describe the system, its bad points as well as the good points. They will also challenge the staff to ensure that they describe what actually happens and through discussion ascertain whether any improvements are possible and practical.

GUIDELINE FIVE: PROFESSIONAL PROFICIENCY

Staffing

39 Internal Auditors should be appointed through free and open competition on the basis of merit. The criteria used to fill Internal Audit posts should be suitable and clearly documented. They should be developed after considering the level of required scope and responsibility. Deliberate attempts should be made to ensure the proficiency and qualifications of each prospective Auditor.

Compliance with Codes of Conduct

40 Internal Audit staff should follow existing codes of conduct and ethics for their organisation. All professional Internal Audit staff should be members of the relevant accounting or Internal Auditing professional body and follow their code of conduct or ethics. All Internal Auditors should follow a professional code of conduct which calls for:
a) high standards of honesty
b) high standards of diligence
c) high standards of loyalty.

Knowledge Skills and Discipline

41 Internal Auditors should be required to (individually) possess the knowledge, skills and competencies essential to the performance of effective Internal Audit. Internal Audit staff should be required to possess the following skills:
a) proficiency in applying Internal Auditing Guidelines
b) knowledge of techniques required to perform Internal Audit
c) proficiency in accounting principles and techniques (especially government accounting)
d) an understanding of management principles and administrative procedures to enable recognition and evaluation of the materiality and significance of deviations from good and acceptable practice.

Human Relation and Communication

42 Internal Auditors should possess the skills required to deal with people and to communicate effectively. They should cultivate harmonious relationships with officers and managers. Internal Auditors should be proficient in oral and written communication to enable effective reporting.

Continuing Education

43 Training of Internal Auditors should be a planned and continuous process at all levels and should be designed to cover:
a) basic training providing the minimum level of skills and knowledge which all Internal Auditors should possess
b) development training in Audit skills, techniques and behavioural aspects to improve the effectiveness of those staff currently engaged as Internal Auditors
c) management training for those Auditors with responsibility for managing and directing Audit teams, together with those staff members who show the potential for management positions
d) specialist training for those Auditors responsible for a special field of Audit work which requires specialist skills and knowledge, for example, computer auditing or performance auditing.

44 Internal Auditors, as responsible Government officers, should be responsible for continuing their education in order that they maintain their knowledge, skills and proficiency. They should keep themselves informed on changes and developments in their public sector organisation's activities and other Government developments. Internal Auditors also need to be aware of developments across the Internal Auditing profession.

45 If there is an Internal Audit management unit in the Ministry of Finance, this unit should be responsible for the co-ordination of training requirements for all government Internal Auditors. The foundation, from which the assessment of training requirements of Internal Audit will be derived, should be the database of Internal Audit staff in all public sector organisations.

46 Internal Auditors should be aware of their responsibility for continuing their education in order to maintain their proficiency through participation in professional societies, conferences and seminars, college courses, in-house training and engage in research to identify new Internal Auditing developments.

Due Professional Care

47 The term due professional care means and includes the application of the care and skill expected of a reasonable, prudent and competent Internal Auditor in the same or similar circumstances.

48 In exercising due professional care, Internal Auditors should be alert to the following:
a) the possibility of intentional wrong doing
b) errors and omissions
c) inefficiency, waste, ineffectiveness
d) conflicts of interest
e) conditions and activities likely to give rise to irregularities
f) inadequate control situations.

49 In exercising due professional care the Head of Internal Audit is required to consider the following:
a) the extent of Internal Audit work needed to achieve the Audit objectives
b) the relative complexity, materiality or significance of matters to which Audit procedures are applied
c) adequacy and reliability of risk management and control processes
d) likelihood of material irregularities or non-compliance
e) the cost of Internal Audit work compared to potential benefits or the risk of poor internal controls.

6. RELATIONSHIPS

6.0 Explanatory notes:

6.1 Management and staff at all levels should have confidence in the integrity, independence and capacity of Internal Audit. This should be reflected and maintained in good working relationships between Internal Auditors and the staff in the sections that they review.

6.2 The Head of Internal Audit should seek to foster and maintain constructive working relationships with stock verifiers, fraud investigators, inspectors and any other review staff. Consultations between Internal Audit and review staff should lead to effective co-ordination and minimise duplication of work.

6.3 Internal Audit should not improperly disclose any information obtained during the course of their work. Permission should be provided by senior management before any information is passed outside the organisation. Internal Audit will, quite properly, reveal to appropriate responsible parties (for example, police or Auditor-General) all material facts they have established which, if not so revealed, may prevent the uncovering of unlawful acts or could distort Audit reports. The passing of this information should be treated as confidential and legally privileged. That is the Internal Auditor will be exempt from any legal liability from the passing of such information.

6.4 It is important for Internal Audit to market the services it can provide to managers. This could include producing leaflets and making presentations to Accounting Officers and other senior officers on the services, assistance and role that Internal Audit can play.

6.5 The relationship between Internal Audit and the Auditor-General's Office needs to take account of their differing roles and responsibilities. Internal Audit is an independent appraisal function within the organisation and Internal Auditors are direct employees. It is the Auditor-General's role to ensure that the financial statements, operating performance and related statements are properly stated in all material respects. Internal Audit and the Auditor-General may also have responsibility for performance audit to ensure that economy, efficiency and effectiveness are improved.

6.6 The aim should be to achieve mutual recognition and respect, leading to a joint improvement in performance and the avoidance of unnecessary overlapping of work. It should be possible for the Auditor-General and the Head of Internal Audit to rely on each other's work, subject to limits determined by their different responsibilities, respective strengths and special abilities. Consultations should be held and consideration given to whether any work of either Auditor is adequate for the purpose of the other. Internal Audit does not automatically have a right of access to the records of the Auditor-General.

However, the relationship between the Head of Internal Audit and the Auditor-General should be such that the Auditor-General will allow access to the necessary records.

6.7 The Head of Internal Audit should seek, where appropriate, co-ordination of the plans of Internal Audit with those of the Auditor-General's Office and the programme of, for example, stock verifiers. The Auditor-General's Office will have to decide if they can place reliance on the work of Internal Audit and so reduce the amount of work undertaken by their own staff.

6.8 The Head of Internal Audit should meet regularly with staff from the Auditor-General's Office to:
· discuss work plans for Internal Audit and the Auditor-General's Office
· agree and review the performance of the work relied on
· evaluate the relationships with the Auditor-General's Office and report as required to the Accounting Officer and Audit Committee on this relationship
· agree access to each other's audit programmes and working papers
· exchange audit reports and management letters
· enhance understanding of each other's audit techniques and methods
· discuss any other matters of mutual interest.

GUIDELINE SIX: RELATIONSHIPS

50 Internal Audit’s relations with other staff in the public sector organisation, the Auditor-General, stock verifiers and other review agencies should be based on mutual confidence, understanding of each other's needs and a reciprocal desire for cooperation. This cooperation should promote the most effective total audit coverage and should avoid duplication of work. Management, at all levels should have complete confidence in the integrity, independence and capability of the Internal Audit unit.

51 There should not be any form of rivalry or conflict between the Internal Auditors and staff in the Auditor-General's Office. Similarly, there should be a constructive relationship between Internal Auditors, stock verifiers and other review agencies.

52 The Head of Internal Audit should initiate action to ensure the development of coordination, effective working relationships and the avoidance of duplication of work with other review agencies. This could include:
a) liaison meetings to discuss matters of mutual interest
b) arranging for access to each other’s plans, system notes and findings
c) arranging for consultation on plans and proposed visits
d) reviewing training proposals to arrange joint training sessions where possible
e) dissemination of literature for discussion to promote understanding of techniques, methods and terminology.

53 Copies of Internal Audit reports should be made available to the Auditor-General for information and co-ordination.

54 Internal Auditors should be familiar with the legislation that defines the statutory responsibility, duty and rights of access of the Auditor-General. The Head of Internal Audit should recognise the differences between the roles of Internal Audit and that of the Auditor-General. Internal Audit should not necessarily undertake special tasks at the request of the Auditor General's Office. However, routine, planned Internal Audit work may be used by the Auditor General's Office for their own purposes.

55 The staff of the Auditor-General's Office may review the effectiveness of Internal Audit as part of their evaluation of management control arrangements. This review should determine the extent that the Auditor General's Office is able to rely on Internal Audit work.

56 The relationship between the Internal Auditor and the public sector organisation should be considered legally privileged. That is the Internal Auditor will be exempt from any legal liability from the proper undertaking of their work. Internal Auditors should not release Audit findings or other information outside the normal reporting arrangements without the knowledge and permission of those concerned.

57 Internal Auditors should normally consult and advise managers when arranging Audit visits to their department. The exception to this rule would be for unannounced surprise visits.

GUIDELINE SEVEN: INTERNAL AUDIT PLANNING

7 INTERNAL AUDIT PLANNING

7.0 Explanatory notes:

7.1 Internal Audit work should be planned at all levels of operation in order to establish priorities, achieve objectives and ensure the efficient and effective use of Audit resources. Planning should be based on Internal Audit's terms of reference and allow for coverage of all significant systems, operations, staff and sites within the public sector organisation.

7.2 Internal Audit plans should be based on a comprehensive understanding of the public sector organisation and the way in which it operates. High-risk systems or transactions and any known problem areas should be clearly identified. The emphasis of the Internal Audit plan should be directed towards these systems.

7.3 Internal Audit plans should be developed in consultation with senior staff and the relevant Accounting Officer. The appropriate Audit Committee should then approve the Internal Audit plans.

7.4 Internal Audit planning should include the following steps:
· identify all auditable activities within the agreed scope of Internal Audit
· carry out a risk assessment on these activities in conjunction with management, identifying categories such as high, medium, low
· prepare an audit needs assessment based on the risk assessment
· develop an overall strategic plan from the audit needs assessment to cover these risks, over, say, a three-year period
· bring to the Accounting Officer and/or the Audit Committee's attention any mismatch between Audit needs and actual Audit resources
· identify systems to be covered in the first year of the strategic plan and prepare an annual Internal Audit plan
· discuss the strategic and annual plans with appropriate senior managers, Accounting Officers and the Auditor-General's Office and amend as necessary
· present the plans to the Accounting Officer and/or the Audit Committee for approval.

7.5 Internal Audit plans should be amended as necessary to take account of changing circumstances. The Accounting Officer and the Audit Committee should formally approve all significant changes to the Internal Audit plans.

58 The Head of Internal Audit should establish plans to carry out the responsibilities of Internal Audit consistent with the public sector organisation's goals and objectives.

59 The Internal Audit planning process should include the following:
(a) identifying goals
(b) preparation of strategic Internal Audit plans
(c) establishing proper staffing plans and financial budgets
(d) preparation of activity reports.

60 Internal Audit plans should:
(a) establish a list of systems that could be Audited and prescribe a period within which it is desirable that each significant system should be examined
(b) define the tasks to be performed
(c) assist in the direction and control of work by identifying critical areas, setting target dates and allocating resources.

61 To be effective, the Head of Internal Audit should:
(a) define audit needs taking into account the Internal Audit's terms of reference
(b) identify the staff and other resources needed and reconcile these with available resources
(c) choose an appropriate time period for the Audit plans
(d) record all plans in writing
(e) monitor work against planned activity and revise plans as appropriate.

62 Internal Audit plans should be based on a risk assessment. The risk assessment process, to be conducted at least annually, includes an assessment of:
a) relevant risks and their significance
b) consideration of senior management, the Accounting Officer and the Audit Committee's professional judgement
c) identification of activities to be audited.

63 Internal Audit strategic plans should take into account the following factors:
(a) the date and results of the last Internal Audit assignment
(b) the estimated time required, taking into account the scope of the planned work and the nature and extent of audit work to be performed by others
(c) requests by management
(d) major changes in operations, programs, systems, and controls
(e) staffing, planning and effective utilisation of financial budgets
(f) Internal Audit priorities
(g) flexibility to cover unanticipated demands on the department.

64 Internal Audit plans and staffing and financial budgets should be developed from strategic plans, administrative activities, education and training requirements and research and development efforts.

65 The Head of Internal Audit should submit annually to the Accounting Officer and Audit Committee for approval a summary of Internal Audit's strategic plans, staffing plans and financial budgets. All significant amendments to these plans should similarly be approved by the Accounting Officer and Audit Committee.

66 The Head of Internal Audit should explain, if necessary, why the Audit needs are not being met. This should prompt the relevant Accounting Officer to take action to ensure that their public sector organisation is provided with sufficient Internal Audit resources.

GUIDELINE EIGHT: AUDIT APPROACH

8 APPROACHES TO INTERNAL AUDIT

8.0 Explanatory notes:

8.1 There are several different approaches to Internal Audit. International best practice suggests that systems audit is the most effective way that Internal Audit can add value to an organisation. However, in many countries it is considered necessary for Internal Audit to complement systems audit with a pre-audit approach. If a pre-audit approach is adopted the Head of Internal Audit, the Audit Committee and the Accounting Officer should discuss the extent that this is necessary. They should also consider suitable means of reducing the proportion of time that Internal Auditors spend on pre-audit work.

8.2 The systems approach to Internal Audit seeks to assess and improve the effectiveness of the public sector organisation’s internal control system. The prime purpose of a systems Audit should be to evaluate the extent to which the system may be relied upon to ensure that the objectives of the system are met. Where internal controls are not adequate and reliable Internal Audit should make practical recommendations to ensure that these controls are improved.

8.3 Internal Audit evidence should be adequate to meet the objectives of Audit assignments. Information should be collected, analysed and documented by the use of appropriate Audit techniques. Internal Auditors should be satisfied with the nature, adequacy and relevance of Audit evidence before placing reliance on that evidence. To meet an acceptable standard the evidence should be sufficiently adequate and convincing to the extent that a prudent, informed person would be able to appreciate how the Auditor's conclusions were reached.

8.4 The production of Audit evidence should be supervised and reviewed by the Head of Internal Audit.

8.5 Internal Audit may also complement its systems approach with other techniques, for example:
· performance auditing
· control self assessment
· advice and assistance on control issues
· helping with risk management.

67 Internal Auditors should ensure that their approach and methods enable them to discharge their responsibilities effectively. This will involve careful thought and discussion with the Accounting Officer, the Audit Committee and others on the most effective approach to Internal Audit given the particular circumstances of the public sector organisation.

68 Internal Audit should assess and improve the public sector organisation's risk management, control, and governance processes. The internal auditing activity should assist the public sector organisation in maintaining effective controls. Assistance can be provided by evaluating the public sector organisation's controls to determine their effectiveness and efficiency and by developing recommendations for improvement. Internal Auditors should ensure that the costs of maintaining controls balance the potential benefits.

SYSTEM APPROACH

69 Internal Audit should, where possible, adopt a systems approach. The systems approach aims to assess and helps to improve the control features that govern the system. This approach should provide reasonable assurance that existing controls will ensure that each system’s objective is achieved.

70 When undertaking systems audit an Internal Auditor should:
a) document and analyse the internal control system across all public sector organisations and establish Internal Audit plans
b) identify and evaluate the controls that are established in individual systems to achieve the public sector organisation's objectives in the most economic and efficient manner
c) obtain and record relevant, reliable and sufficient audit evidence to support their findings and recommendations
d) report findings and recommendations for each individual system that is Audited
e) provide an opinion on the adequacy and reliability of the controls in the individual system under review
f) provide periodic assurance based on an evaluation of the whole internal control system across all public sector organisations.

71 The use of the systems approach should enable Internal Audit to confirm the following:
a) the official system
b) whether it is operating according to agreed guidance and regulations
c) whether the system is adequate
d) whether the controls are reliable.

72 The system's adequacy should be used to ascertain the following:
a) what should happen to achieve the system’s objectives
b) what could go wrong in view of the system's design
c) what has been done to stop things going wrong.

GUIDELINE NINE: INTERNAL AUDIT REPORTING

9 REPORTING, MONITORING AND FOLLOW UP

9.0 Explanatory notes:

9.1 The findings and recommendations arising from each Internal Audit assignment should be promptly reported to management. The recommendations should then be followed up to check that agreed action has been implemented. A summary of Internal Audit findings, recommendations and activities should be submitted periodically to the Accounting Officer and the Audit Committee.

9.2 In general Internal Audit reports should:
· state the scope, purpose, extent and conclusions of the Internal Audit assignment, including Internal Audit's opinion on the adequacy of controls
· make recommendations that are appropriate and relevant, that call for action to correct identified weaknesses or improve the efficiency of operations
· acknowledge the action taken, or proposed, by management.

9.3 Recommendations included in the Internal Audit reports should:
· be practical and provide constructive solutions to problems identified
· be sufficiently detailed to act as a guide for action and facilitate the efficient achievement of the organisation's objectives
· be prioritised based on the significance of the weakness identified.

9.4 Conclusions are the Internal Auditor's evaluations of the effects of the findings on the particular system reviewed. They should:
· put the findings in perspective based on the overall implications and significance of the weaknesses identified
· identify the extent to which the system's control objectives are being achieved and the degree to which the internal control systems should ensure that the goals and objectives of the public sector organisation are accomplished efficiently.

9.5 Management should be required to respond in writing to each Internal Audit report. Management and Internal Audit should agree officer responsibility and target dates for implementation of agreed recommendations. The responsibility for final editing of Audit reports should remain with the Head of Internal Audit who should always retain the right to issue reports without further editing.

9.6 Follow-up activity is the process by which Internal Audit confirms that agreed recommendations have been implemented by line managers. Internal Audit should periodically follow up Audit reports to review and test the implementation of agreed Internal Audit recommendations.

9.7 The Head of the Internal Audit should submit to the Accounting Officer and Audit Committee, at agreed intervals, a report of Internal Audit activity and results. The report should compare actual Internal Audit activity against the annual Internal Audit plan and should clearly indicate the extent to which the total Internal Audit needs of the public sector organisation have been met. The attention of the Accounting Officer and Audit Committee should be drawn to any major Internal Audit findings where action appears to be necessary but has not been undertaken.

9.8 In the annual Internal Audit report the Head of the Internal Audit should give a formal opinion to the Accounting Officer and Audit Committee on the extent to which reliance can be placed on the public sector organisation’s internal control system.


The Head of Internal Audit should report periodically to the Accounting Officer and the
Audit Committee on Internal Audit's purpose, authority, responsibility, and performance
relative to its plan. Reporting should also include significant risks and control issues,
corporate governance issues, and other matters needed or requested by the Accounting
Officer and the Audit Committee.


The findings and recommendations arising from each Internal Audit assignment should be
promptly reported to the Accounting Officer and others who are affected by the report.
The final Internal Audit report including any comments from the Accounting Officer
should be reported to the Audit Committee.


The Head of Internal Audit should have complete freedom in the way in which Internal
Audit findings are reported and to whom each report is issued. The Head of Internal
Audit should review and approve each final Internal Audit report before it is issued.


Internal Audit reports should contain all material facts known to the Auditor concerning
the system under review to avoid distortion or concealment of any unlawful or improper


Internal Audit reports should be regarded as confidential and exclusive to the public sector
organisation concerned except for privileged external reviews by the Auditor-General and
Permanent Secretary to the Treasury.


The Head of Internal Audit should submit monthly or periodic progress reports to the
Accounting Officer and the Audit Committee and explain significant deviations from
approved strategic plans, staffing plans and financial budgets.


The Head of Internal Audit should provide an annual report to the Accounting Officer and
the Audit Committee. This report should include:
a) the Head of Internal Audit's opinion on the adequacy and reliability of the whole
internal control system
b) the extent that the Internal Audit needs of the public sector organisation have been met
c) any significant Internal Audit findings where action appears necessary but has not
been taken
d) any systems within the public sector organisation where the internal controls are not
adequate and reliable
e) a comparison of actual Internal Audit activity against the agreed annual plan.



When communicating results of their work Internal Audit should:
a) confirm in writing any oral reports that are issued
b) discuss conclusions and recommendations at appropriate ministerial, departmental or
regional levels before issuing final written reports
c) issue a signed written report after each Internal Audit assignment that is objective,
clear, concise, constructive and timely.
d) give reports which clearly present the purpose, scope and results of the Audit
e) give reports with recommendations for potential improvement, suggestions of
corrective action and acknowledgement of satisfactory performance
f) obtain and include in the report the system managers' views about the conclusions or
g) include the officer who is to implement each agreed recommendation and a target
date for its implementation.


Internal Auditors should follow up their reports to ascertain that appropriate action is
taken on agreed Internal Audit recommendations. Internal Audit should determine, with
appropriate Audit testing, that corrective action has been taken and is having the desired


If the Accounting Officer does not agree with an Internal Audit recommendation or does
not ensure that agreed recommendations are implemented they should accept the
associated risks. The Audit Committee may advise the Accounting Officer to implement
an Internal Audit recommendation if it considers it necessary to achieve sound internal


The Auditor-General may review and report on the extent that Internal Audit
recommendations have been implemented. Internal Audit may also review the extent that
recommendations made by the Auditor-General have been implemented.


Glossary of Technical Internal Audit Terms
Accounting Officer – the head of a government ministry or department who is personally responsible for the
management and internal controls of the ministry or department and any fraud or irregularity that may occur.
Adequacy of internal control – an assessment of the quality of internal control. Controls may be
considered to be adequate if, when applied consistently, the controls should help to provide reasonable
assurance that a control objective will be achieved.
Auditor-General – the head of the government’s external audit service. The Auditor-General is
responsible for certifying that the government accounts show a true and fair view, there has been a
proper use of public funds and often for undertaking value for money reviews.
Audit Committee – a high level committee, comprising, where possible, independent, non-executive
members, with responsibility for overseeing the independent review of the framework of internal control,
monitoring the Internal Audit function and the external audit processes.
Audit Needs Assessment - an assessment undertaken by Internal Audit in consultation with
management to determine the extent of Internal Audit that is needed within an organisation and the
frequency that particular systems should be reviewed.
Control objectives – the objectives of a control system. Used by Internal auditors as a framework for
undertaking systems auditing and so assessing the overall quality of the internal control system.
Control Self Assessment – an approach to risk management, that may be facilitated by Internal Audit,
that enables management to assess the risks and controls to the achievement of the organisation’s
objectives. It may include the development of a risk register that lists the main risks the organisation
faces and an action plan for improvements to internal control.
Head of Internal Audit - is a generic title for Chief Internal Auditor or Director of Internal Audit or any
other equivalent title.
Internal Audit - is an independent objective assurance and consulting activity designed to add value
and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing
a systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control and governance processes.
Internal Control - is a process, effected by an entity’s board of directors, management and other
personnel (people), designed to provide reasonable assurance regarding the achievement of
objectives in the following categories:
· effectiveness and efficiency of operations; (basic operational objectives, performance goals and
safeguarding resources)
· reliability of financial reporting
· compliance with applicable laws and regulations.
Management - implies the Permanent Secretary and Accounting Officers in Ministries, or Controlling
officers in Regions or other responsible officers in a public sector organisation.
Performance Audit – an approach to Audit that aims to improve the economy, efficiency and
effectiveness of operations. The objective of Performance Audit is to improve the value for money
provided by a public sector organisation.
Public Sector Organisation – types of public sector entities, for example, ministries, departments,
regions or districts, as examples of the range of possible governmental entities that may exist.


Reliability of Internal Control – an assessment of the extent that internal controls are applied
consistently by all staff, at all times and in all circumstances.
Risk – the chance (or probability) that one or more of the organisation’s objectives will not be achieved.
It may refer to the failure to achieve objectives efficiently or the occurrence of unwanted outcomes. It
may also refer to the inability to exploit possible opportunities.
Risk management - the formal identification, assessment and planned management of significant risks
facing the organisation.
Systems Audit - systems audit is the structured analysis of internal control in relation to the objectives
of the organisation. Systems audit should enable internal audit to make practical recommendations to
address any weaknesses that have been identified within the context of risks to the achievement of the
system’s objectives. It should also enable internal audit to form an opinion on the adequacy and
reliability of the organisation’s internal control system.


APPENDIX 2

International Standards for the Professional Practice of Internal Auditing

Introduction

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal audit activities are performed in diverse legal and cultural environments, within organizations that vary in purpose, size, complexity, and structure, and by persons within or outside the organization. While differences may affect the practice of internal auditing in each environment, compliance with the International Standards for the Professional Practice of Internal Auditing is essential if the responsibilities of internal auditors are to be met. If internal auditors are prohibited by laws or regulations from complying with certain parts of the Standards, they should comply with all other parts of the Standards and make appropriate disclosures.

Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent opinion or conclusions regarding a process, system or other subject matter. The nature and scope of the assurance engagement are determined by the internal auditor. There are generally three parties involved in assurance services: (1) the person or group directly involved with the process, system or other subject matter – the process owner, (2) the person or group making the assessment – the internal auditor, and (3) the person or group using the assessment – the user.

Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice – the internal auditor, and (2) the person or group seeking and receiving the advice – the engagement client. When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility.

The purpose of the Standards is to:
1. Delineate basic principles that represent the practice of internal auditing as it should be.
2. Provide a framework for performing and promoting a broad range of value-added internal audit activities.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.

The Standards consist of Attribute Standards, Performance Standards, and Implementation Standards. The Attribute Standards address the characteristics of organizations and parties performing internal audit activities. The Performance Standards describe the nature of internal audit activities and provide quality criteria against which the performance of these services can be evaluated. While the Attribute and Performance Standards apply to all internal audit services, the Implementation Standards apply to specific types of engagements.

There is one set of Attribute and Performance Standards, however, there are multiple sets of Implementation Standards: a set for each of the major types of internal audit activity. The Implementation Standards have been established for assurance (A) and consulting (C) activities.

The Standards are part of the Professional Practices Framework. The Professional Practices Framework includes the Definition of Internal Auditing, the Code of Ethics, the Standards, and other guidance. Guidance regarding how the Standards might be applied is included in Practice Advisories that are issued by the Professional Issues Committee.

The Standards employ terms that have been given specific meanings that are included in the Glossary.

The development and issuance of the Standards is an ongoing process. The Internal Auditing Standards Board engages in extensive consultation and discussion prior to the issuance of the Standards. This includes worldwide solicitation for public comment through the exposure draft process. All exposure drafts are posted on The IIA’s Web site as well as being distributed to all IIA Affiliates. Suggestions and comments regarding the Standards can be sent to:

The Institute of Internal Auditors
Global Practices Center, Professional Practices Group
247 Maitland Avenue
Altamonte Springs, FL 32701-4201, USA
E-mail: standards@theiia.
Web: http://www.theiia.

ATTRIBUTE STANDARDS

1000 – Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board.

1000.A1 – The nature of assurance services provided to the organization should be defined in the audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances should also be defined in the charter.

1000.C1 – The nature of consulting services should be defined in the audit charter.

1100 – Independence and Objectivity
The internal audit activity should be independent, and internal auditors should be objective in performing their work.

1110 – Organizational Independence

The chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.

1110.A1 – The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results.

1120 – Individual Objectivity
Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.

1130 – Impairments to Independence or Objectivity
If independence or objectivity is impaired in fact or appearance, the details of the impairment should be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

1130.A1 – Internal auditors should refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.

1130.A2 – Assurance engagements for functions over which the chief audit executive has responsibility should be overseen by a party outside the internal audit activity.

1130.C1 – Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.

1130.C2 – If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure should be made to the engagement client prior to accepting the engagement.

1200 – Proficiency and Due Professional Care
Engagements should be performed with proficiency and due professional care.

1210 – Proficiency
Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

1210.A1 – The chief audit executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1210.A2 – The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

1210.A3 – Internal auditors should have knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

1210.C1 – The chief audit executive should decline the consulting engagement or obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1220 – Due Professional Care
Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

1220.A1 – The internal auditor should exercise due professional care by considering the:
· Extent of work needed to achieve the engagement's objectives.
· Relative complexity, materiality, or significance of matters to which assurance procedures are applied.
· Adequacy and effectiveness of risk management, control, and governance processes.
· Probability of significant errors, irregularities, or noncompliance.
· Cost of assurance in relation to potential benefits.

1220.A2 – In exercising due professional care the internal auditor should consider the use of computer-assisted audit tools and other data analysis techniques.

1220.A3 – The internal auditor should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

1220.C1 – The internal auditor should exercise due professional care during a consulting engagement by considering the:
· Needs and expectations of clients, including the nature, timing, and communication of engagement results.
· Relative complexity and extent of work needed to achieve the engagement’s objectives.
· Cost of the consulting engagement in relation to potential benefits.

1230 – Continuing Professional Development
Internal auditors should enhance their knowledge, skills, and other competencies through continuing professional development.

1300 – Quality Assurance and Improvement Program
The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. This program includes periodic internal and external quality assessments and ongoing internal monitoring. Each part of the program should be designed to help the internal auditing activity add value and improve the organization’s operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics.

1310 – Quality Program Assessments
The internal audit activity should adopt a process to monitor and assess the overall effectiveness of the quality program. The process should include both internal and external assessments.

1311 – Internal Assessments
Internal assessments should include:
· Ongoing reviews of the performance of the internal audit activity, and
· Periodic reviews performed through self-assessment or by other persons within the organization, with knowledge of internal audit practices and the Standards.

1312 – External Assessments
External assessments, such as quality assurance reviews, should be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization.

1320 – Reporting on the Quality Program
The chief audit executive should communicate the results of external assessments to the board.

1330 – Use of "Conducted in Accordance with the Standards"
Internal auditors are encouraged to report that their activities are "conducted in accordance with the International Standards for the Professional Practice of Internal Auditing." However, internal auditors may use the statement only if assessments of the quality improvement program demonstrate that the internal audit activity is in compliance with the Standards.

1340 – Disclosure of Noncompliance
Although the internal audit activity should achieve full compliance with the Standards and internal auditors with the Code of Ethics, there may be instances in which full compliance is not achieved. When noncompliance impacts the overall scope or operation of the internal audit activity, disclosure should be made to senior management and the board.

PERFORMANCE STANDARDS

2000 – Managing the Internal Audit Activity
The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization.

2010 – Planning
The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals.

2010.A1 – The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process.

2010.C1 – The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization’s operations. Those engagements that have been accepted should be included in the plan.

2020 – Communication and Approval
The chief audit executive should communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and to the board for review and approval. The chief audit executive should also communicate the impact of resource limitations.

2030 – Resource Management
The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

2040 – Policies and Procedures
The chief audit executive should establish policies and procedures to guide the internal audit activity.

2050 – Coordination
The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

2060 – Reporting to the Board and Senior Management
The chief audit executive should report periodically to the board and senior management on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management.

2100 – Nature of Work
The internal audit activity should evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.

2110 – Risk Management
The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.

2110.A1 – The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system.

2110.A2 – The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the
· Reliability and integrity of financial and operational information.
· Effectiveness and efficiency of operations.
· Safeguarding of assets.
· Compliance with laws, regulations, and contracts.

2110.C1 – During consulting engagements, internal auditors should address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.

2110.C2 – Internal auditors should incorporate knowledge of risks gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

2120 – Control
The internal audit activity should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. This should include:
· Reliability and integrity of financial and operational information.
· Effectiveness and efficiency of operations.
· Safeguarding of assets.
· Compliance with laws, regulations, and contracts.

2120.A2 – Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.

2120.A3 – Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.

2120.A4 – Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria.

2120.C1 – During consulting engagements, internal auditors should address controls consistent with the engagement’s objectives and be alert to the existence of any significant control weaknesses.

2120.C2 – Internal auditors should incorporate knowledge of controls gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

2130 – Governance

The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
· Promoting appropriate ethics and values within the organization.
· Ensuring effective organizational performance management and accountability.
· Effectively communicating risk and control information to appropriate areas of the organization.
· Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.

2130.A1 – The internal audit activity should evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs and activities.

2130.C1 – Consulting engagement objectives should be consistent with the overall values and goals of the organization.

2200 – Engagement Planning
Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing and resource allocations.

2201 – Planning Considerations
In planning the engagement, internal auditors should consider:
· The objectives of the activity being reviewed and the means by which the activity controls its performance.
· The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
· The adequacy and effectiveness of the activity’s risk management and control systems compared to a relevant control framework or model.
· The opportunities for making significant improvements to the activity’s risk management and control systems.

2201.A1 – When planning an engagement for parties outside the organization, internal auditors should establish a written understanding with them about objectives, scope, respective responsibilities and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records.

2201.C1 – Internal auditors should establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding should be documented.

2210 – Engagement Objectives
Objectives should be established for each engagement.

2210.A1 – Internal auditors should conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives should reflect the results of this assessment.

2210.A2 – The internal auditor should consider the probability of significant errors, irregularities, noncompliance, and other exposures when developing the engagement objectives.

2210.C1 – Consulting engagement objectives should address risks, controls, and governance processes to the extent agreed upon with the client.

2220 – Engagement Scope
The established scope should be sufficient to satisfy the objectives of the engagement.

2220.A1 – The scope of the engagement should include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.

2220.A2 – If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.

2220.C1 – In performing consulting engagements, internal auditors should ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations should be discussed with the client to determine whether to continue with the engagement.

2230 – Engagement Resource Allocation
Internal auditors should determine appropriate resources to achieve engagement objectives. Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.

2240 – Engagement Work Program
Internal auditors should develop work programs that achieve the engagement objectives. These work programs should be recorded.

2240.A1 – Work programs should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement. The work program should be approved prior to its implementation, and any adjustments approved promptly.

2240.C1 – Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement.

2300 – Performing the Engagement
Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.

2310 – Identifying Information

Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives.

2320 – Analysis and Evaluation
Internal auditors should base conclusions and engagement results on appropriate analyses and evaluations.

2330 – Recording Information
Internal auditors should record relevant information to support the conclusions and engagement results.

2330.A1 – The chief audit executive should control access to engagement records. The chief audit executive should obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.

2330.A2 – The chief audit executive should develop retention requirements for engagement records. These retention requirements should be consistent with the organization’s guidelines and any pertinent regulatory or other requirements.

2330.C1 – The chief audit executive should develop policies governing the custody and retention of engagement records, as well as their release to internal and external parties. These policies should be consistent with the organization’s guidelines and any pertinent regulatory or other requirements.

2340 – Engagement Supervision
Engagements should be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.

2400 – Communicating Results
Internal auditors should communicate the engagement results.

2410 – Criteria for Communicating
Communications should include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans.

2410.A1 – Final communication of engagement results should, where appropriate, contain the internal auditor’s overall opinion and or conclusions.

2410.A2 – Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications.

2410.A3 – When releasing engagement results to parties outside the organization, the communication should include limitations on distribution and use of the results.

2410.C1 – Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client.

2420 – Quality of Communications

Communications should be accurate, objective, clear, concise, constructive, complete, and timely.

2421 – Errors and Omissions
If a final communication contains a significant error or omission, the chief audit executive should communicate corrected information to all parties who received the original communication.

2430 – Engagement Disclosure of Noncompliance with the Standards
When noncompliance with the Standards impacts a specific engagement, communication of the results should disclose the:
· Standard(s) with which full compliance was not achieved,
· Reason(s) for noncompliance, and
· Impact of noncompliance on the engagement.

2440 – Disseminating Results
The chief audit executive should communicate results to the appropriate parties.

2440.A1 – The chief audit executive is responsible for communicating the final results to parties who can ensure that the results are given due consideration.

2440.A2 – If not otherwise mandated by legal, statutory or regulatory requirements, prior to releasing results to parties outside the organization, the chief audit executive should:
· Assess the potential risk to the organization.
· Consult with senior management and/or legal counsel as appropriate
· Control dissemination by restricting the use of the results.

2440.C1 – The chief audit executive is responsible for communicating the final results of consulting engagements to clients.

2440.C2 – During consulting engagements, risk management, control, and governance issues may be identified. Whenever these issues are significant to the organization, they should be communicated to senior management and the board.

2500 – Monitoring Progress
The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.

2500.A1 – The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

2500.C1 – The internal audit activity should monitor the disposition of results of consulting engagements to the extent agreed upon with the client.

2600 – Resolution of Management’s Acceptance of Risks

When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.

Glossary

Add Value – Value is provided by improving opportunities to achieve organizational objectives, identifying operational improvement, and/or reducing risk exposure through both assurance and consulting services.

Adequate Control – Present if management has planned and organized (designed) in a manner that provides reasonable assurance that the organization's risks have been managed effectively and that the organization’s goals and objectives will be achieved efficiently and economically.

Assurance Services – An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.

Board – A board is an organization’s governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a non profit organization, or any other designated body of the organization, including the audit committee, to whom the chief audit executive may functionally report.

Charter – The charter of the internal audit activity is a formal written document that defines the activity’s purpose, authority, and responsibility. The charter should (a) establish the internal audit activity’s position within the organization; (b) authorize access to records, personnel, and physical properties relevant to the performance of engagements; and (c) define the scope of internal audit activities.

Chief Audit Executive – Top position within the organization responsible for internal audit activities. Normally, this would be the internal audit director. In the case where internal audit activities are obtained from outside service providers, the chief audit executive is the person responsible for overseeing the service contract and the overall quality assurance of these activities, reporting to senior management and the board regarding internal audit activities, and follow–up of engagement results. The term also includes such titles as general auditor, chief internal auditor, and inspector general.

Code of Ethics – The Code of Ethics of The Institute of Internal Auditors (IIA) are Principles relevant to the profession and practice of internal auditing, and Rules of Conduct that describe behavior expected of internal auditors. The Code of Ethics applies to both parties and entities that provide internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the global profession of internal auditing.

Compliance – Conformity and adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.

Conflict of Interest – Any relationship that is or appears to be not in the best interest of the organization. A conflict of interest would prejudice an individual’s ability to perform his or her duties and responsibilities objectively.

Consulting Services – Advisory and related client service activities, the nature and scope of which are agreed with the client and which are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation and training.

Control – Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Control Environment – The attitude and actions of the board and management regarding the significance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:
· Integrity and ethical values.
· Management’s philosophy and operating style.
· Organizational structure.
· Assignment of authority and responsibility.
· Human resource policies and practices.
· Competence of personnel.

Control Processes – The policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process.

Engagement – A specific internal audit assignment, task, or review activity, such as an internal audit, Control Self-Assessment review, fraud examination, or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.

Engagement Objectives – Broad statements developed by internal auditors that define intended engagement accomplishments.

Engagement Work Program – A document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan.

External Service Provider – A person or firm, outside of the organization, who has special knowledge, skill, and experience in a particular discipline.

Fraud – Any illegal acts characterized by deceit, concealment or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by parties and organizations to obtain money, property or services; to avoid payment or loss of services; or to secure personal or business advantage.

Governance – The combination of processes and structures implemented by the board in order to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.

Impairments – Impairments to individual objectivity and organizational independence may include personal conflicts of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations (funding).

Independence – The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional and organizational levels.

Internal Audit Activity – A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization's operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Objectivity – An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others.

Residual Risks – The risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk.

Risk – The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

Risk Management – A process to identify, assess, manage, and control potential events or situations, to provide reasonable assurance regarding the achievement of the organization’s objectives.

Should – The use of the word “should” in the Standards represents a mandatory obligation.

Standard – A professional pronouncement promulgated by the Internal Auditing Standards Board that delineates the requirements for performing a broad range of internal audit activities, and for evaluating internal audit performance.

Appendix II

Monday, June 15, 2009 4:16 PM
