Internal Audit Charter and Methodology Manual

Of the Government of the United Arab Emirates

Contents
Definitions
Introduction
Section 1: Internal Audit charter
Internal Audit mission
Internal Audit message
Internal Audit objectives
Independence of the Internal Audit
Internal Audit powers
Scope of the Internal Audit
Missions, responsibilities and duties of the Internal Audit office
Technical and administrative dependency
Professional conduct codes for the Internal Audit team
Audit and Risk Committee
Membership of the committee
Committee meetings
Control of senior management
Term of the committee membership
Duties and responsibilities of the committee
Section 2: Internal Audit methodology
Chapter 1: Internal Audit methodology objective
Chapter 2: Internal Audit methodology framework
Stage (1): planning
Component [1]: strategic analysis
Component [2]: risk assessment
First step: identifying risks
Second step: risk analysis
Third step: risk assessment
Fourth step: follow up risks and reassessment
Component [3]: preparing the strategic audit plan
Annual audit plan
Benefits of the annual audit plan
Steps to prepare the annual audit plan
First step: listing the results of the risk assessment process
Second step: indicating the activities to be included
Third step: indicating the timing of the audit and the required resources
Fourth step: approval of the annual plan
Fifth step: updating audit plan and the plan re-assessment process
Stage (2): execution
General framework for executing Internal Audit
Stage 1: function planning
Stage 2: fieldwork
1) Audit methods
2) Indicating information and data
3) Analysis and assessment
4) Fieldwork documentation
5) Audit supervision
Stage 3: preparing and issuing the report
First: preparing the initial report
Second: review the initial report
Third: closing meeting
Fourth: issuing the Internal Audit report
Fifth: the agreed implementation plan
Sixth: the final report and presenting the results
Internal Audit reports - general guidelines
Stage 4: Monitoring & follow-up
Quality assurance and improvement processes
Section 3: Internal Audit personnel
Chapter 1: personal traits
Chapter 2: tasks and competencies
Tasks and competencies of the Director of the Internal Audit office
Tasks and competencies of the Main Internal Auditor
Tasks and competencies of the Internal Auditor
Chapter 3: basic principles of professional practice of Internal Audit
General regulatory provisions

Definitions
In the charter and methodology of Internal Audit, the following words and vocabulary should have the meanings
ascribed thereto hereunder unless the context indicates otherwise:
Term: Definition
State: The United Arab Emirates.
Government: The government of the United Arab Emirates.
The Cabinet: The Council of Ministers of the United Arab Emirates.
The Federal Entity: Any ministry established according to Federal Law No. 1 of 1972 regarding the functions of ministries, powers of ministers and amendments, or an independent Federal Entity, whether it is a body or institution, in addition to the Federal regulatory entities of the Government.
Senior management: The concerned minister or holder of a similar position in the independent Federal Entity represented by the Board of Directors.
Executive management: The agent, any of his direct affiliated persons or holders of similar positions in the independent Federal Entity. The management responsible for implementing policies and procedures aimed at achieving the strategic objectives.
Office: The Internal Audit office of the senior management in the Federal Entity.
Office manager: The manager of Internal Audit office in the Federal Entity.
The competent organizational unit / concerned department: The unit responsible for achieving a goal through the initiatives, activities, operations and projects executed by it.
Internal Audit: An independent and objective activity, which provides assurances and advisory services with the aim of adding value to the Entity and improving its operations. Such activity assists in achieving the objectives of the Federal Entity through following a systematic and structured approach to assess and improve the effectiveness of governance, risk management and control processes.
Audit and Risk Committee: A committee with professional independence established by senior management to enhance the ability of senior management to perform its role through effective review of the internal monitoring and control in addition to monitoring the extent of the effectiveness of auditing the Federal Entity works whether internal or external audit and cooperation with the Internal Audit office. Its functions should also include a comprehensive review of the financial statements, ensuring the reliability of the same.
Audit Committee report: A report prepared by the Internal Audit office for the relevant Entity, and submitted to the Audit and Risk Committee. It contains a summary of the audit work results within a specific period with focusing on the most prominent observations.
Charter: A document specifying the goals, powers, responsibilities and scope of the Internal Audit work. The Internal Audit charter establishes the foundations for the Internal Audit in the Entity. It also establishes the right to access and view records, access to employees, and related requirements to perform audit functions.
Professional Conduct Code: A set of principles closely related to the profession and practice of Internal Audit. It describes the expected behavior of the Internal Audit team. The Code of Ethics is binding on all parties and authorities responsible for providing Internal Audit services. This Charter aims to support an ethical culture for the Internal Audit profession in general.
Methodology: The method of practicing Internal Audit activity in the Federal Government.
Comprehensive strategic audit plan: A strategic plan that includes the main topics without details. It is prepared based on risk assessment results from a strategic perspective over a period of (3) or (5) years as the Entity deems appropriate. It should be reviewed and updated annually when necessary.
Annual audit plan: A detailed plan emanating from the comprehensive strategic plan. It is an application of it with added amendments if necessary. It is annually approved and circulated to the relevant departments.
Permanent file: A file encompassing permanent, fixed and continuous data such as the establishment law / decision and general data such as title and nature of work. It also contains information on the internal control system, financial system, procedures manual, organizational structure and financial statements (final accounts) for previous years. It also includes plans and programs for previous years and preceding audit reports, in addition to the established accounting standards and principles.
Temporary (current) file: A file which includes data for the current year, such as the annual plan, the current audit program, financial statements, final account, inquiries, observations, and all the evidence obtained during the current audit.
Assurance services: A process of examining evidence to provide an independent and objective evaluation of governance, risk management and control. This may include, for example, the functions of financial auditing, performance, compliance, as well as the security and due diligence system.
Consulting services: Consulting services and related services, whose nature and scope are agreed upon by the Internal Audit office. Consulting services aim to add value and improve the governance framework, risk management and control, without the Internal Auditor assuming any responsibilities for implementation.
Control: Operations and procedures taken by the senior management, and any affiliated Entity to manage risks and ensure the achievement of objectives set by the Entity effectively and efficiently. It also aims at issuing reliable reports and compliance with the laws, regulations, policies, decisions and circulars issued pursuant to any of them.
Risk: A threat or uncertainty related to future results of current events. Therefore, risk is the possibility of a negative impact or damage that hinders or prevents the Federal Entity from achieving its strategic and operational objectives, compliance and issuing reports. In addition, risk may include the effect resulting from the presence of material and significant errors with the Federal Entity that were undiscovered upon completion of the audit. This may cause damage to the Entity related to the loss of an opportunity that could have been achieved.
Risk management: Organized policies and procedures to identify, analyze and evaluate risks, while monitoring latent factors that may reduce their impact to an acceptable level in order that it does not negatively affect the ability of the Federal Entity to achieve its strategic objectives. The competent organizational unit and the relevant department of the executive management should bear the responsibility for risk management.
Risk assessment: The process of indicating the severity of the risk, the probability of occurrence, degree, and sources, if possible.
Objectivity: An impartial state of mind in which the Internal Audit team performs functions according to scientific and legal standards without being affected by any other considerations, whether personal, family beneficial or others. Objectivity requires that the Internal Audit team should not allow their work to be influenced by the rules or directives of any external party.
Independence: Being free of any outside control that may threaten the ability of the Internal Audit office to carry out its responsibilities without prejudice.
Fraud: Any unlawful act characterized by deception, concealment, or breach of trust. Such actions do not depend on the threat of violence or material force. Fraud is committed by individuals or facilities to obtain money, property or services illegally; to avoid payment of amounts; or to ensure access to personal or commercial benefits for themselves or others.
Governing: A set of controls, general principles and optimal procedures that achieve the institutional discipline of the system in Federal authorities.
Internal control system: Systems approved by the concerned department to achieve its objectives, protect its assets, control and review accounting data, ensure its accuracy and reliability, increase the efficiency and effectiveness of its operations and functions, and adhere to the laws and regulations governing its works.
Professional Conduct: A set of rules that indicate responsibilities and practices that must be followed by the employees of the concerned Entity.
The International Professional Practices Framework (IPPF): A conceptual framework which organizes the guidelines issued by the Institute of Internal Auditors (IIA). The Institute of Internal Auditors is the international entity responsible for developing auditing guidelines. Therefore, the Institute of Internal Auditors provides Internal Audit teams around the world with approved guidelines organized by the International Professional Practices Framework for Internal Auditing as mandatory and recommended guidelines.

Introduction

As part of the Ministry’s endeavor to develop Internal Audit standards, principles, and rules in the Federal Government
according to international professional standards and best practices, it has developed this manual to provide a unified
framework for Internal Audit activities and operations in the Federal Government. It aims at supporting Internal Audit
offices in all Federal authorities, assisting the Internal Audit team in performing their work by adhering to the best
professional standards such as the standards of the Institute of Internal Auditors. Accordingly, this manual is binding
on all Federal authorities.

The Ministry of Finance has prepared this manual as a flexible guide on the effective management of auditing and risk
assessment based on a professional methodology for Internal Audit. It can be applied and followed by all Federal
Entities regardless of their size or nature of work. However, please note that this manual cannot be considered a
comprehensive reference for all details of the audit process.

In order to ensure the correct use and full understanding of this manual, it is necessary to continuously refer to the
various parts and chapters according to the stage or process to be implemented.

This manual has been prepared in line with the International Professional Practices Framework for performing Internal
Audit and international standards and guidelines as defined by bodies such as the Institute of Internal Auditors, taking
into account the specificities and work environment of the Federal Government in the United Arab Emirates.
Auditors in the Federal authorities should be aware of the contents of this manual before commencing any Internal
Audits, as this manual includes frameworks and rules for Internal Audit activity which have been approved in the
Federal Government.

Section 1: Internal Audit charter

Internal Audit mission:


The internal audit performs an independent and objective activity according to the professional standards issued
by the international Authorities. It also provides assurances and consulting services with the aim of adding value
to the Entity and improving its operations. This activity helps in achieving the objectives of the Federal Authority
through a systematic and disciplined approach to assess and improve the effectiveness of governance, risk
management and control processes.

Internal Audit message:


The Internal Audit message aims to promote and protect the values of the Federal Entity by providing assurance and
objective advice based on risk assessment.

Internal Audit objectives:


The main objectives of the Internal Audit office are to provide assurances to senior management of the Federal Entity
about the efficiency and effectiveness of the policies and procedures for managing major risks. It also assesses the
efficiency of risk management, controls, and governance and provides recommendations and independent
consultations to assist senior management in discharging their duties and responsibilities.

According to the International Standards for Internal Audit, Standard No. 1000 concerning objectives, powers and
responsibilities, the goal of the Internal Audit must be specified before commencing an audit. In line with Standard No.
2210 regarding mission objectives, the objectives should be defined by way of the following:

• Conducting a preliminary assessment of the risks related to the activity being audited. The objectives of the
audit mission should reflect the results of that assessment.
• When indicating the objectives of the audit, the possibility of material errors, frauds, restrictions, or other risks
must be taken into account.
• Having appropriate measures is necessary to assess governance, risk management and controls. The Internal
Audit team should verify the extent to which senior management has developed measures to indicate whether
the objectives have been achieved. If the standards are appropriate, the Internal Audit team
should utilize them in their assessment. However, if they are not appropriate, the Internal Audit team may
indicate the appropriate assessment scale through discussion with the senior management.

Independence of the Internal Audit


• The Internal Audit team should not be subjected to any factors which may threaten the ability of the Internal
Audit team or the Director of the Audit Office to carry out their responsibilities without prejudice. In order to
achieve the degree of independence necessary for the effective performance of the responsibilities of the
Internal Audit work, the Director of the Audit Office and the Internal Audit team should have direct access,
without any restrictions, to the senior management. This can be achieved through a dual link, ensuring that
the Internal Audit office administratively assumes the highest administrative position in the Federal Entity
“Senior Management”. It should also work closely with the Audit Committee according to the International
Professional Practices Framework for Internal Audit. Any sources that threaten independence must be
controlled at the Internal Auditor level individually and at the level of the audit missions’ interests and the
functional and organizational levels "Standard No. 1100 regarding independence and objectivity."
• The concept of independence is generally considered the cornerstone of any control or assessment process,
whereby independence refers to being free of any conflicts of interest and conducting the work on an
impartial basis. Internal Auditors should be independent from the influence of the Entity whose operations
are under review. An Internal Auditor should be independent from his personal interests in the Entity. Internal
Auditors should feel capable of making their own decisions without pressure or influence from affected
parties.
• Based on the foregoing, the Internal Audit team should refrain from assessing the operations for which they
have been previously responsible. This is because the objectivity of the Internal Auditor is likely to weaken
when providing assurance services related to an activity that he was responsible for during the previous year.
In addition, a third party should supervise any assurance functions related to the activities of the Director of
the Internal Audit office.
• Notwithstanding the foregoing, this does not prevent the Internal Audit team from providing Consulting
services related to the operations for which they were previously responsible, unless there are any potential
obstacles to the independence and objectivity of the Internal Audit team relating to the proposed Consulting
services. In this case, the necessary disclosures must be made to senior management.

Internal Audit powers
The Internal Audit office has unrestricted and unlimited power to review all activities, records, documents, assets,
property and electronic systems within the Entity. It should have access to all administrative levels within the Entity so
that it can fully perform its mission. In addition, the Entity should define the nature, manner, scope and timing of the
various Internal Audit work according to the scope of work indicated below.

Scope of the Internal Audit


According to the international standards for Internal Auditing, Standard No. 1000 regarding objectives, powers and
responsibilities, the Internal Audit team should carry out Internal Audit processes in the Federal Entity. The scope of the
Internal Audit process includes many assurances and Consulting services. The following are examples:

1. Assurance services including but not limited to the following:


a. Compliance audit
Compliance audits aim to review financial or operational activities of the Federal Entity to determine their
compatibility with specific conditions, rules and regulations. It is the responsibility of the Internal Audit to indicate
whether the internal control systems are sufficient and effective, and to verify the compliance of the departments
under audit with the legislative requirements.

b. Operational audit "Performance assessment"


Operational audits are intended to review the methodology of the operational activities of the Federal Entity compared
to specific objectives. It can be described as a value-added audit compared to the resources used or an administrative
audit. This type of audit allows the evaluation of performance and identification of development opportunities, as well
as the issuance of recommendations in this regard.

c. Information Technology Systems Audit


Information Technology Systems audits are designed to identify strengths and weaknesses in current IT policies,
results delivery methods, skills and knowledge gaps between Federal Entity strategists and IT project managers and
subsequently to provide advice and recommendations at all management levels on internal control systems. It is
necessary to provide assurance to balance risk and control investment in an often unpredictable IT environment. The
use of specialists in this field is recommended as required.

2. Consulting Services

Consulting services are the provision of advice and related services, the nature and scope of which are agreed upon
with the applicant. Their main objective is to provide added value to the operations of the Federal Entity and to improve
the procedures for governance, risk management and control without any administrative or executive responsibilities
being entrusted to the Internal Auditor in this regard. Examples include providing advice, guidance and training (Practice
Advisory No. 1000/A/2-1).

In addition, some principles should be taken into account when performing any consulting work according to (Practice
Advisory No. 1000/A/1-1), including, but not limited to the following:
a. The added and expected value of the provided service.
b. Alignment with the concept of Internal Audit.
c. Internal Audit services that exceed assurance and consulting services.
d. The relationship between assurance and consulting services.

Such consulting services include, but are not limited to, assistance with the following:
• The systems followed in public policies, and the extent of their adherence to relevant laws, regulations,
instructions and procedures.
• The integrity and safety of financial and non-financial information, data and reports, and the extent of relying
on them in making decisions.
• The methods and systems applied to ensure the protection of the assets and properties of the Federal Entity
and verification of the basis used in its assessment, as well as disclosure in the financial statements.
• The effectiveness and economical investment of the resources available to the Federal Entity.
• The effectiveness of the risk management systems in the Federal Entity, checking the integrity of identification
and assessment methods, as well as the verification of their management in an efficient manner. (It should be
noted that the responsibility for preparing the risk register and risk management rests with the management
of the concerned Federal Entity - Practice Advisory 3/2100).
• Verifying the adequacy and effectiveness of control and institutional governance mechanisms components
practiced by parties related to the Federal Entity, and their consistency with the work of the Federal Entity.
• Verifying the appropriate level of control tools in applied computer systems, the completeness and validity of
documentation of those systems, their achievement of user and management objectives, as well as assessing
the extent of proper use of available resources.
• Participating in risk assessment and giving advice on how to develop effective controls for new projects or
modified computer systems.
• Carrying out the necessary review before and after the completion of projects to develop computer systems
and programs that have a critical impact on the work of the Federal Entity.
• Other specific topics related to the nature of audit work, based on assignments from senior management.
The accepted consulting missions must be included in the annual audit plan.

Missions, responsibilities and duties of the Internal Audit office:


Missions and responsibilities of Internal Audit are clearly indicated within the Internal Audit charter, in line with the
Internal Audit message and the mandatory components of the International Professional Practices Framework. These
are as follows:

1. Carrying out Internal Audits according to the recognized principles, rules and standards with commitment at
legal level and assurance at financial level and operation at administrative level. Federal Entities
2. Following the professional and ethical standards issued by the Institute of Internal Auditors (IIA), and any
related changes issued in the future.
3. Preparing the strategic and annual Internal Audit plan in consultation with senior management.
4. Preparing risk assessments that may affect the objectives, activities and operations of the office and
developing policies and procedures to reduce risk.
5. Studying reports submitted by supervisory authorities to verify the extent of the departments' commitment to
apply all financial, administrative and operating systems and regulations in force in the Federal Government.
6. Assisting in investigating suspected fraud and tampering, and informing the department of the results without
prejudice to the jurisdiction of the State Audit Institution.
7. Submitting a comprehensive report to the senior management on the results of the audit, the analysis of
reports of other supervisory bodies, assessing the efficiency of work in the departments, and submitting
appropriate suggestions and recommendations.

8. Helping the Entity to maintain effective systems of internal control by assessing the capability of these
systems, and providing useful suggestions towards continuous improvement.
9. Coordination with departments during the planning stage and following up on the implementation of the
recommendations and observations contained in the reports of the State Audit Institution.
10. Suggesting additional control standards or any matters that lead to continuous improvement and
development and adding value to the entity.
11. Refraining from performing any administrative or executive responsibilities related to the design or
implementation of internal control systems, which would affect their independence and objectivity, as well as
refraining from assuming any responsibility or executive authority for the work being audited. This does not
preclude the expression of opinion and advice about the systems before and after applying them or the
suggestion of additional control standards, in particular, the risk assessment process, which is the
responsibility of the concerned department.

In order for the Internal Audit office to be able to perform its duties and missions with the required
professional competence, the following matters must be taken into consideration:
• The Internal Audit team should have knowledge, skills and other competencies necessary to implement the
responsibilities entrusted to each of them as per the “Internal Audit Standard No. 1200 concerning the
necessary professional skills and due diligence.”
• The Director of the Audit Office must obtain advice and assistance from qualified persons if the Internal Audit
team lacks the knowledge, experience and various skills needed to carry out all or part of the audit mission as
per “Internal Audit Standard No. 120/A/1”.
• The Internal Audit team should have sufficient knowledge that enables them to assess fraud risks and how
the entity manages these risks, but it is not expected that they will have the same experience as the person
whose main responsibility is to discover and investigate fraud as per “Internal Audit Standard No. 1210/A/2”.
• The Internal Audit team should have sufficient knowledge of the most critical information technology risks
and controls related to them. They should also have knowledge of audit techniques based on the technology
available in order to complete their work. However, not all Internal Audit team members are expected to have
the same experience as the Internal Auditor, whose basic responsibility is to audit the information system as
per “Internal Audit Standard No. 1210/A/3”.

Note: if the Internal Audit office in any of the Federal Entities needs to allocate specific clauses regarding the duties
and missions of the office or the scope of their work, these matters can be added in an annex to the charter approved
in this manual. The annex must be approved by senior management.

Technical and administrative dependency


• The Internal Audit offices of the Federal Entities are directly affiliated with the senior management, according to
the organizational structures approved in the Federal Government.
• All technical reports are submitted to the senior management while the administrative reports are submitted to
the competent departments of each Federal Entity according to competencies of each department.
• The authority to appoint, dismiss, or terminate the directors of the Internal Audit offices should be within the
competence of senior management in each Federal Entity according to the provisions of the Human Resources
Law in the Federal Government.

Professional conduct codes for the Internal Audit team


All Internal Audit team members must adhere to the professional conduct codes indicated in Decree of Federal Law
No. (11) of 2008 and its amendments regarding human resources in the Federal Government and its executive
regulations and international standards for Internal Audit “Standard No. 1100 concerning independence and
objectivity – Standard No. 1110 concerning organizational independence- Standard No. 1120 concerning Objectivity
at the individual level and Standard No. 1130 concerning impact on independence”. In particular, they must adhere to
the following:

• To avoid carrying out any action that does not meet the objectivity and responsibilities of the Internal Audit and
refraining from any behavior or declaration of any matter within the scope of the Internal Audit work except for
the competent authorities unless there is a legal or professional commitment to do so.
• Not to participate in any work or activity that negatively affects the reputation of the Internal Audit.
• To hold the knowledge, skills and other competencies necessary to implement the responsibilities assigned to each
of them.
• Commitment to honesty, integrity, objectivity and due diligence while performing their duties and responsibilities.
• Loyalty in all matters related to the interests of the Federal Entity and the avoidance of any illegal or inconsistent
actions with the rules of professional and ethical conduct.
• Not to accept any gifts from any employee, customer, supplier or any person who has business interests with the
Federal Entity, in a manner that might prejudice their neutrality or affect professional decisions related to their
functions.
• Immediately informing the Director of the Internal Audit Office in the event of the occurrence of any evidence that
neutrality of the Internal Audit team may be affected, whether due to interests in the work being audited or
otherwise. They may not, in any case, keep the original data, documents and information that were reviewed or
collected during the performance of their missions in their personal capacity. They are also not permitted to store
the mentioned data, documents and information in an inappropriate place or manner. They also have to abide by
the confidentiality of this data and not disclose it to any person who is not authorized to view, receive or keep it.
They may not, under any circumstances, whether during or after their service, publish this data, irrespective of the
passage of time.
• The Internal Audit team should perform their duties objectively and maintain independence at all times.
• Neutrality and impartiality. They should avoid everything that would put them in a position of conflict of interest.
• Internal Audit team should refrain from assessing the operations that they previously supervised. It is expected
that the objectivity of the Internal Auditor will be affected if he provides assurance services related to an activity
he was responsible for during the previous year.
• To establish assertive functions related to jobs under the supervision of the Director of the Internal Audit office
in conjunction with a third party outside the Internal Audit activity.
• To provide assurance services in the areas in which consulting services have been previously submitted provided
that the consulting services do not adversely affect its objectivity and that they are dealt with in a manner
commensurate with the objectivity when allocating the necessary resources for the new mission.
• Providing consulting services related to operations they previously supervised, provided that they
do not take over any administrative or executive responsibilities. On the other hand, and in all cases, auditors are
not permitted to provide consulting services in the event that the decision of the senior management is mainly
based on their recommendations only. In all cases, independence, professionalism and due diligence must be
taken into account when providing any consulting services requested by the senior management, and the role of
the Internal Audit and its independence must be clearly stated when providing recommendations in this regard.

Audit and Risk Committee

• Membership of the Committee


The senior management should constitute the Audit and Risk Committee, if necessary, using members of the senior
management who do not perform any executive functions, provided that the majority of the members of the
committee are independent members. The Committee should comprise at least three members, and one of its
members must be an expert in financial and accounting affairs. One or more members may be appointed from outside
the entity in the event that there are insufficient non-executive members of the senior management.
It is prohibited for any former employee of the external audit office responsible for auditing the accounts of the Federal
Entity or the State Audit Institution charged with auditing the accounts of the entity to be a member of the Audit and
Risk Committee. This should apply for a period of one year as of the expiration date of his capacity as an employee or
the expiration date of any financial interest for him at the State Audit Institution, whichever is later.

• Committee meetings
The committee holds its meetings at least four times a year or whenever needed. A member may attend in person, or
participate in the meeting via telephone or video. The member may approve decisions and recommendations by
circular resolution.

• Control of senior management


The committee is subject to the control and monitoring of senior management of the entity. The performance of the
committee will be evaluated to verify its achievement of its functions. The committee must submit its written reports
to the senior management with absolute transparency. The committee must also assess its performance annually to
ensure efficiency and effectiveness of performance, highlighting areas for improvement and development, and submit
its recommendations to senior management.

• Term of committee membership


The membership term of the committee should be for a maximum of three (3) years, renewable once for a similar
period, unless the senior management decides otherwise. The membership period must be renewed or
new members must be appointed by a decision of the senior management.

• Duties and responsibilities of the committee:
The Audit and Risk Committee has the following duties and functions:

1. Coordination with senior management in order to perform its duties.


2. Monitoring the integrity of the annual, semi-annual, and quarterly financial statements of the entity and their
compliance with the standards approved by the Federal Government, and reviewing them as a part of its regular
work during the year. In particular, it should focus on the following:
a. Changes in accounting policies and principles.
b. Highlighting areas subject to management discretion.
c. Significant amendments resulting from the audit.
d. Assuming the continuity of the entity’s work.
e. Adherence to the approved accounting standards and rules for preparing final accounts.
3. Submitting recommendations to senior management regarding the appointment or dismissal of the office
director.
4. Submitting recommendations to senior management regarding the appointment or dismissal of the external
auditor, and approving his fees and the period of his appointment.
5. Monitoring the independence and objectivity of the external auditor on an ongoing basis, meeting with him
at least once a year, and discussing the nature and scope of the audit process and its effectiveness.
6. Ensuring that the external auditor submits an annual report to the senior management within three months
at the most as of the expiration date of the fiscal year, including the data and observations resulting from the
audit and its recommendations.
7. Ensuring that there is a coordination between the Internal Audit office and the external auditor in case of
bodies and entities whose establishment law states the appointment of an external auditor or that the State
Audit Institution audits in the case of ministries and other federal agencies. Ensuring that the necessary
resources are available to the Internal Audit office, reviewing and monitoring the effectiveness of that office.
8. Cooperating with the State Audit Institution and responding to the comments contained in its issued report,
and submitting it to senior management.
9. Reviewing the external auditor's message (report of observations and gaps) in case of bodies and entities
whose establishment law states the appointment of an external auditor or the State Audit Institution in case
of ministries and other Federal Entities. This should be in addition to any significant inquiries that the auditor
submits to management regarding accounting records, financial accounts or control systems and their
response.
10. Ensuring that the senior management responds at the required time to the comments raised in the report of
the State Audit Institution or the external auditor (report of observations and gaps).
11. Conducting an annual evaluation of the adequacy of the risk management and internal control policies related
to financial and operational objectives and substantive discipline by the executive management of the Federal
Entity.
12. Conducting an annual evaluation of the effectiveness of the Internal Audit management and the extent to
which its work is consistent with this manual and the approved professional framework for conducting
Internal Audit work. The committee should conduct an annual evaluation regarding the need for an Internal
Audit office if it is non-existent.
13. Reviewing the financial and accounting policies and procedures in the entity.
14. Reviewing financial control, internal control, risk management and governance systems reports.
15. Discussing the internal control system with the management, and ensuring that the management is
performing its duty to establish an effective internal control system.
16. Understanding and recognizing the impact of changes in information technology on the activity and work of
the concerned entities with a view to keeping pace with developments and staying at the level of global
institutions.
17. Initial investigation of any possible financial violations or other violations and ensuring that appropriate
measures are established as a result of these investigations, as well as studying the results of the main
investigations of the internal control matters assigned to it by the senior management.
18. Establishing controls that enable the entity’s employees to report any potential violations in financial reports,
internal control, or other matters in a confidential manner, and the steps to conduct independent and fair
investigations of those violations.
19. Monitoring the compliance of the authority with the rules of professional conduct.
20. Ensuring the application of work rules of its functions and powers delegated to it by the senior management.
21. Approving the requirements for carrying out the work indicated by the Director of the Internal Audit office
including human resources, the type of required skills and the use of experts and consultants from a third
party.
22. Submitting a comprehensive and detailed annual report to senior management.

23. Considering any other issues specified by the senior management and analyzing whether they conflict with
laws in force or international standards.

Section 2: Internal Audit Methodology

Chapter 1: Internal Audit Methodology Objective

Internal Audit methodology objective


The Internal Audit methodology aims to create a unified operational framework for Internal Audit activities and
processes in the Federal Government by providing guidance for the standards, policies, and operational procedures
that the Internal Audit team must adhere to while performing their duties. This is in line with the approved professional
framework for the practice of Internal Audit work, guidelines and standards issued by the Institute of Internal Auditors,
in addition to helping to achieve the following:

• Establishing guidance for planning, performance and preparing Internal Audit work reports.
• Establishing work procedures at the level of the main procedures aimed at assisting Internal Audit employees in
performing their duties.
• Formalizing the administrative and organizational policies of the Internal Audit offices of the Federal Entities.
• Defining responsibility, powers and accountability for Internal Audit activity.
• Helping to achieve consistency in the implementation of Internal Audit activities.
• Developing a framework for a unified methodology for the Internal Audit process and risk assessment in the
Federal Government.
• Providing a reference material to help train Internal Audit employees.

Focus on the value added


The criterion for the success of Internal Audit in carrying out its functions is the extent to which other departments
and audited activities benefit from the audit process, measured by the value that Internal Audit added
to the auditee. This should be achieved by studying and understanding the causes of problems and errors and focusing
on how to solve those problems, rather than merely monitoring them.

Focus on the value added to the Internal Audit work


Traditional practices:
• Focusing on problems related to financial and documentary aspects only.
• Focus on compliance with financial policies and procedures.
• Monitoring problems and errors without clarifying the causes of the problem and solution.

Modern practices:
• Dependence on identifying and assessing strategic risks.
• Developing control procedures.
• Adding value by providing the necessary recommendations and proposals.
• Taking care to avoid repeating mistakes.

Chapter 2: Internal Audit Methodology Framework

According to internationally recognized best practices, Internal Audit functions are performed according to
the stages indicated below:

Stage (1): planning
This stage includes the following components:
Component [1]: Strategic Analysis.
Component [2]: Risk Assessment.
Component [3]: preparation of a comprehensive strategic audit plan.

Stage (2): implementation
This stage includes the following:
Stage 1: Mission planning.
Stage 2: Fieldwork.
Stage 3: Preparing and issuing the report.
Stage 4: Monitoring and follow-up.

[Figure: Internal Audit methodology framework. Planning: Strategic Analysis, Risk Assessment, Preparing strategic audit plan. Implementation: Mission Planning, Fieldwork, Preparing and issuing reports, Monitoring and follow-up.]

Stage (1) : Planning

Internal Audit planning


The concept of risk-based planning is based on the International Standards for the Professional Practice of Internal
Auditing issued by the Institute of Internal Auditors. The standards require the Director of the Internal Audit office to
develop a risk-based plan to prioritize the Internal Audit activity in line with the objectives of the Federal Entity
“Standard No. 2010 concerning planning”.

In order to develop a plan based on a documented risk assessment, the director of the office consults with senior
management, executive management and other stakeholders to obtain their opinion and expectations in order to gain
a clear understanding of the entity's strategies, main work objectives, associated risks and methods of risk
management. He should also review and amend the plan as necessary and respond to work changes, risks, processes,
programs, and systems of the Federal Entity and its regulatory controls.

The Planning Stage includes the following components according to the International Standards of Internal Auditing,
the above-mentioned Standard No. 2010:

| Component | Description | Main Deliverables |
|---|---|---|
| Component [1]: Strategic analysis | Basic information gathering; conducting interviews with activity officials; data processing. | Understanding objectives - strategies - initiatives; identifying strengths, weaknesses, opportunities and threats. |
| Component [2]: Risk assessment | Risk identification; risk analysis; risk assessment; follow up risks and reassessment. | Risk assessment record. |
| Component [3]: Preparing the strategic (comprehensive) Internal Audit plan | Inserting the results of the risk assessment process in the Internal Audit plan; determining the activities to be included in the Internal Audit plan; determining the audit timing and the required resources; approving the plan from senior management; updating the audit plan. | Strategic (comprehensive) Internal Audit plan; annual audit plan. |

The following is a detailed explanation for each of the above-mentioned components:

First component: strategic analysis


The strategic analysis process aims to reach a degree of initial understanding of the strategic and operational objectives
of the department as well as the environment surrounding it, including the challenges and opportunities in addition
to how that department deals with the challenges and risks that it may face. Among the most important strategic
analysis processes and procedures that are carried out are the following:

1. Basic information:
Viewing the basic information helps in reaching an initial understanding of the activities and operations of the
departments in the Federal Entity and the surrounding environment. Among the most important basic information
that can be viewed and studied are the following:
• Organizational structure of management and followed policies and procedures.
• The opinion and expectations of senior management, executive management and other stakeholders.
• Previous (internal and external) regulators' reports.
• Significant changes in the work environment such as management, the surrounding environment, laws and
regulations, etc.

2. Conducting interviews:
Interviews with the officials in charge of the audited activities are considered to be one of the most important means
that help in completing the process of understanding the activities and the work environment, as they provide the
opportunity to obtain the necessary information from the experienced and the specialists in each field.
The aim of the interview process is to understand the strategic and operational objectives, the surrounding
environment, and the risks that may face the achievement of the objectives of the concerned department as well as
the actions taken to face or reduce the effects of risks and constraints to which the auditee may be exposed.

3. Information processing:
All data is analyzed, taking into account the meetings with officials and the basic information collected, to get a full
understanding of the following:
• Objectives.
• Strategies.
• Operations and activities.
• Initiatives.
• Strengths and weaknesses.
• Opportunities and threats.

In addition, there should be consultation with a legal advisor to comment on any legal considerations. (Practice
Advisory 5-2100)

Second Component: risk assessment


Risk management is a sensitive function of the executive management functions as it is a basic step in the process of
rationalizing the distribution of resources and taking the necessary decisions towards achieving the objectives of the
Federal Entity. The executive management is responsible for assessing, managing and reducing risks and for the
internal control systems applied in the Federal Entity.

The Internal Audit office assesses risks according to the “international standards for Internal Audit, standard No. 2120
concerning risk management” for the purpose of establishing the audit plan only and classifies activities according to
the related risks. This does not release the executive management, the relevant organizational unit, if any, and the
relevant department of the Federal Entity from carrying out its duty towards institutional risk management that
requires preparing a risk register, assessing and managing risks and constantly updating the register.

The office assesses the risks for the purposes of the audit functions based on the information obtained during the
strategic analysis stage, and based on the opinion of the auditee, by obtaining “observations” from that department,
which is the primary responsible and main source for identifying, assessing and managing the risks related to its
activities.

The office assesses the risks of the activity being audited and verifies the existence and effectiveness of internal control
systems. In the event that the risk assessment process is unclear or being documented, the Internal Audit office may
provide advice to the relevant department without affecting its independence.

The Internal Investigation Office may assist the Federal Entity by providing advice on the design and development of
internal control systems and risk reduction strategies, but the responsibility for selecting internal control systems and
strategies lies with the senior management, while the responsibility for compliance and implementation rests with the
executive management.

The Federal Entity must continually assess its risks. Assessing work risks at the Federal Entity level as a whole, taking
into account its approved objectives and strategy, can contribute greatly to enhancing the ability of senior and
executive management to identify, understand and manage the main risks that hinder the achievement of its
objectives. It also provides a structured process that will become the cornerstone to indicate risk priorities and focus
on areas which require monitoring and attention by senior management. Moreover, this process establishes the
confidence and knowledge that makes management more experienced in understanding the risks it bears, how it is
managed, and what needs to be done to manage those risks in a more effective and successful manner.

One of the main responsibilities of the Internal Audit office is to ensure that the annual audit plan is prepared from the
comprehensive audit plan and based on reliable, complete and accurate information about the operations, activities
and risks of the Federal Entity. The availability of sufficient information about the risks to which the Federal Entity is
exposed in the Internal Audit office is an essential and vital part of the process of preparing the annual audit plan.

The risk assessment process includes the following:
• Understanding management strategy and objectives.
• Creating an initial understanding of the main operations and risks of the concerned authority, and working to
make them consistent with the strategy of the Federal Entity and its objectives on the one hand and with the
Federal Government's strategy on the other hand.
• Understanding the effectiveness of internal control systems at the different levels of the concerned authority,
such as the general framework of governance, the professional codes of conduct, the separation among
conflicting functions, business continuity, a disaster recovery plan, financial reporting processes at the end of
the specified periods, fraud prevention and detection programs etc.
• Understanding the effectiveness of internal control systems on key and documented processes in policies and
procedures.
• Defining the scope of risk assessment with the participation of all the stakeholders.
• Issuing reports on the results of the risk assessment in order to focus on the high risk operations of the Federal
Entity.

The main risks are related to critical conditions, events and actions, or the failure to accomplish these critical functions,
which may negatively affect the ability of the Federal Entity to achieve its goals.

The successful risk assessment process depends on three basic steps that the Internal Audit work team must apply,
namely:

First step: identifying risks


The methodology used for identifying risks depends on the context of use for the risk assessment, noting that the
following matters must be taken into consideration in choosing the methodology for identifying risks:

• Exchanging ideas amongst the team. This can be carried out, for example, through workshops which are
considered a preferred way to achieve the exchange of ideas and experiences, as they build commitment and
take into account different points of view and experiences.
• Techniques such as graphs, systems analysis, system design reviews, risk studies and operational models
should be used if potential outcomes are objectionable, and the use of these techniques is cost-effective.
• For less clear cases, such as identifying strategic risks, the probability method, a “what-if” scenario,
and a method for analyzing different scenarios can be used.
• When the resources available for identifying and analyzing risks are limited, the structure and methodology
for achieving effective results within the specific audit budget should be modified. For example, in the event
of limited time devoted to identifying risks, a smaller number of key processes can be focused on in the public
domain or questionnaires can be used.

In many circumstances, risk identification is useful and effective at multiple levels. In the stage of identifying the initial
or preliminary audit scope, risks can be identified at the higher levels of operations and then access to the initial
priorities, while in the later stages, risks are identified and analyzed at the level of sub-operations.

Second step: risk analysis


Risk analysis requires taking into account the sources of risk, its positive and negative consequences, the likelihood
of occurrence and the resulting impact.

1. Likelihood of risk occurrence


The likelihood is the chance for something to happen, as some events may happen once, others may happen regularly
and perhaps even on a daily basis. Risk analysis requires an assessment of their recurrence. Here is a guided example
that can be used to rate the likelihood:

| Rating | Likelihood of occurrence | Degree |
|---|---|---|
| Almost certain | The event will occur in most circumstances | 5 |
| Likely | The event will probably occur in most circumstances | 4 |
| Possible | The event should occur in some circumstances | 3 |
| Unlikely | The event could occur in some circumstances | 2 |
| Rare | The event may occur in some exceptional circumstances | 1 |

The specified period for measuring the likelihood of a danger is once a year, and this period may be lengthened or
shortened depending on the nature or circumstances of the risk.

The likelihood of the risk can be assessed by the following factors:


• Complexity – how complex is the process in terms of multiple functions or technology? Consider the
complexity of the underlying processes or environment in which the Federal Entity operates.
• Susceptibility – how susceptible or vulnerable is the Federal Entity to the risk? Consider how new people or
processes impact, the number of stakeholders involved, high level of change etc.
• Repetition – to what extent is the risk known to have occurred previously? Consider the history of risk within
the Federal Entity or the Federal Government in general.

2. Classification of consequence / impact


The following table includes an indicative example for illustrative purposes on how to determine the impact degree of
the expected risk on operational objectives, business continuity and financial reports, etc. in the event of the
occurrence of any of the risks mentioned in the table.

Expected impact by risk rating:

| Rating | Human Resources | Financial | Business continuity | Regulatory / Legal | Reputation & Image |
|---|---|---|---|---|---|
| 5. Catastrophic | Unplanned loss of a senior executive, or several key staff; loss of life or permanent incapacitation | Financial impact in excess of AED XX | Loss of service capacity between xx and xx days | Significant legal, regulatory or internal policy failure resulting in substantial criminal penalties | Extended national adverse media coverage, and/or significant loss of confidence by stakeholders/clients. |
| 4. Major | Unexpected loss of a key staff member with specialist knowledge without which the business is significantly affected; serious injury or incident | Financial impact between AED xx and AED xx | Loss of service capacity between xx and xx days | Major legal, regulatory or internal policy failure resulting in a visit by regulators in relation to non-compliance | Adverse national media coverage, and/or some loss of confidence by stakeholders/clients |
| 3. Moderate | Unexpected loss of a key staff member who is integral to the business with specialist knowledge; injury or incident requiring medical attention | Financial impact between AED xx and AED xx | Loss of service capacity between xx and xx days | Limited legal, regulatory and internal policy failure (resulting in reportable incident(s) to regulators) | Extended local adverse media coverage and/or loss of confidence by stakeholders/clients |
| 2. Minor | Unexpected loss of a senior staff member; minor injury or incident | Financial impact between AED xx and AED xx | Loss of service capacity between xx and xx days | Minor legal, regulatory or internal policy failure (able to be resolved without material penalty). Isolated incident. | Isolated adverse local media coverage and/or adverse client or stakeholder comments or complaints |
| 1. Notable but not effective | Unexpected loss of a single staff member; near miss incident | Financial impact between AED xx and AED xx | Loss of service capacity between xx and xx days | Insignificant legal, regulatory or internal policy failure | No impact or minimal impact. |

Third step: Risk Assessment


A risk is a threat or uncertainty related to the future results of current events, and therefore the risk is the possibility of
a negative impact or harm that hinders or prevents the Federal Entity from achieving its strategic, operational
objectives, compliance, and reporting.
The risk can also be defined as the impact resulting from the presence of material and significant errors in the Federal
Entity that have not been discovered after the end of the audit process, which may cause damage to that entity that
may be related to the loss of an opportunity that could have been achieved. The following risks are evaluated:

a. Inherent risks
An inherent risk is the risk resulting from the nature of the activity, regardless of the control procedures used, as well
as the surrounding environment and human errors.
Through the matrix below, risks can be classified by calculating the result from the sum of the consequence or impact
and likelihood of occurrence rating. The terms on the right side of the matrix define what is meant by each risk level.

[Figure: inherent risk matrix of likelihood against consequence / impact, with the following risk levels.]

Extreme risk: Must complete control evaluation. Senior Management must review.
Significant risk: Must complete control evaluation. Executive Management must review.
Moderate risk: Management responsibility must be defined. Control evaluation must be performed where appropriate. The
concerned department must review.
Low risk: Monitor. Examination of controls is not specifically required.

All inherent risks ranked as “Extreme”, “Significant” or “Moderate” require detailed analysis of controls to determine
the residual risk rating.
Low risks may be excluded from further analysis, however the rationale for excluding these risks (and management’s
ongoing responsibilities) should be documented to demonstrate the completeness of the analysis undertaken.
The controls existing to mitigate the risk are then considered for existence and effectiveness using the criteria shown
in the controls rating table.

Identification and assessment of control practices and procedures for risk reduction
Control practices and procedures include all the policies, procedures, practices and processes in place to provide
reasonable assurance of the management of risks by the Federal Entity.

Where control practices / procedures exist to reduce risks but are not being followed and monitored, then adequate
control procedures do not exist. Accordingly, for the control practices / procedures to be effective, they also must be
communicated, actioned and monitored. Therefore, a rating of 5 or above should be applied.

Control procedures rating*

| Adequacy | Rating | Score | Description |
|---|---|---|---|
| Adequate | Excellent | 1 or 2 | Systems and processes exist to manage the risks and management responsibilities are assigned. The systems are well documented and regular monitoring/management review indicates high compliance to the process and that the system is effective in mitigating the risk. |
| Adequate | Good | 3 or 4 | Systems and processes exist which manage the risk. Improvement opportunities have been identified but not yet actioned. |
| Inadequate | Fair | 5 or 6 | Some systems and processes exist to manage the risk. |
| Inadequate | Poor | 7 or 8 | Systems and processes for managing the risk have been subject to major change or are in the process of being implemented and their effectiveness cannot be confirmed. |
| Inadequate | Unsatisfactory | 9 or 10 | No systems and processes exist to manage the risk. |

*Range of rating allows for strengths and weaknesses of the control procedures to be varied.

b. Residual risk
Residual risk is the level of risk that remains within the Federal Entity after consideration of all existing controls. The
residual risk table below provides the Federal Entity with the required level of management attention and the cases
that require developing treatment or remedy plans.
The residual risk rating is calculated by adding the inherent risk and control procedures assessment rating. The result
is used to indicate the required management role according to the below mentioned matrix to deal with the residual
risks.

Residual risk matrix (inherent risk rating against control procedures assessment rating):

| Inherent risk rating | Control procedures: Adequate | Control procedures: Inadequate |
|---|---|---|
| Extreme / Significant | Continuous Review | Active Management |
| Moderate / Low | No major concern | Periodic Monitoring |

| Required management role | Description |
|---|---|
| Active management | Current risks require treatment options, active review and management to be prepared on an ongoing basis. |
| Continuous review | Control is adequate, continued monitoring of controls over time (e.g. at least quarterly) is required to confirm this. |
| Periodic monitoring | Control is not strong but risk impact is not high. Options to improve control or monitor risk impact to ensure it does not increase over time. |
| No major concern | Systems and processes adequately reduce risks, taking into account unnecessary or excessive controls. |

The above matrix demonstrates the relevance of inherent and residual risk to the Internal Audit process.
The area for "continuous review" in the above matrix shows that the degree of inherent risk is high, but the control
systems are good. As such, any defect in the control procedures for reducing risks in this area could have an immediate
and significant impact on the Federal Entity.

The area for “periodic review” shows that the degree of inherent risk is weak to medium, but control procedures are
weak. Therefore, any increase in the degree of risk under the current control systems can have an immediate and
significant impact on the Federal Entity.

As for the risks in the “active management” area, management attention should be directed towards them and they
should be closely monitored by the Internal Audit office.

Factors affecting the risk assessment process


Many factors affect the risk assessment process, and the Internal Auditor should take them into account during all the
steps and stages of that process. These factors differ according to the activity of the auditee. The factors below are
indicative and cannot be considered a comprehensive list:

• The extent of the existence of legislation, laws and regulations governing the work of the department.
• The approved budget for initiatives related to the work of the department.
• The degree of significance and number of observations on the performance of the activities mentioned in the
various audit reports.
• The complexity of operations and procedures.
• The volume of daily transactions.
• Extent of reliance on information systems in daily transactions.
• Number of employees in the department.
• Changes in management and staff.
• The extent and clarity of the followed procedures.
• The extent of the existence of control procedures followed in the department.
• Relationships with external parties, clients, suppliers, banks, or others.
• Technical competence of employees.
• The extent of the existence of periodic reports and the efficiency of those reports.
• Risks resulting from fraud.
• Any other control reports.

Fourth step: follow up risks and reassessment


Federal Entities are subject to continuous changes and as they play a major role in the Federal Government, this has a
significant impact on the risks that the Federal Entities may be exposed to. Therefore, the need for a continuous
assessment of these risks arises, which will result in reprioritization of the audited activities and consequently will have
a reflection on the annual Internal Audit plan.

Through the implementation of the annual Internal Audit plan, it is possible that additional data may become known
that was not observed in the stage of collecting, analyzing or evaluating the risks. In addition, the approved control
procedures may be found to be ineffective in dealing with known risks. This increases the possibility of these activities
being exposed to risks and therefore calls for a reassessment of the risks related to the activity.

Based on the foregoing, the risk must be reassessed periodically and the Internal Audit plan should be amended based
on the results. The period necessary to reassess the risk is determined by the director of the office according to the
needs of each Federal Entity.

Third component: preparing the strategic audit plan


The comprehensive audit strategy means the plan set by the office with the aim of completing the audit process during
the specified period. To achieve this, the director of the office distributes work among the Auditors according to the
nature of activities and operations being audited throughout the plan period, which is usually from (3) to (5) years
through an executive program. It should reflect the objectives of the plan in the form of procedures and practical steps
which can be followed up and supervised.

The audit strategy covers the scope, timing, and expected guidance of the audit and the course of the audit process,
from knowing the nature of the department activity that will be audited until preparing the report.

This plan is a roadmap to guide the development of the annual audit plan which is generally more detailed. Therefore,
the comprehensive strategic audit plan must contain sufficient details to enable the preparation of the annual audit
plan so that it is clear and sufficient to prepare the annual plan even in the event of a change of personnel.

In addition, it should be flexible enough to accommodate any changes that may occur, and be approved by senior
management. In the event of amendments due to a reassessment of risks, this amendment must be reflected in the
strategic (comprehensive) Internal Audit plan. It must also be approved by senior management. From the strategic
plan, the annual audit plan and the audit budget are derived.

Annual audit plan


The annual audit plan is an implementation of the strategic (comprehensive) audit plan with the addition of
amendments as required. It is approved annually and circulated to the relevant departments in the entity. The audit
budget is prepared based on the annual audit plan. Accordingly, the annual audit plan is considered an elaboration of
the comprehensive strategic audit plan into a detailed program of work that will be accomplished by the team. It
specifies the detailed procedures for the audit that enable the team to obtain sufficient and appropriate evidence to
achieve the objectives of the audit. Therefore, this plan must be in writing.

The annual audit plan includes details of the nature, timing, and scope of the audit procedures related to the activities
and processes to be audited. The form and scope of the plan details depend on the professional judgment of the office
manager, as these details vary depending on the size and complexity of the activity and process subject to the audit,
the relative importance, and the team's experience.

The nature, scope and timing of the review procedures mean the following:

Nature of audit procedures: special audit procedures that are used and applied to specific elements and items.
Scope of audit procedures: the number of items and elements to which the procedure will be applied, such as the
sample size, and the number of different tests that will be performed.
Timing of audit procedures: the appropriate time to complete each audit procedure.

The considerations when preparing an audit plan include the following without limitation:

• Gaining a full understanding of the nature of the activity, the environment and risks of business related to it.
• Levels of relative importance identified for audit purposes.
• Estimates of associated inherent risks and internal control risks.
• Timing of internal controls and basic tests.
• Risks that require special attention such as significant errors, fraud, or the presence of related parties.
• Complex accounting fields, including areas that contain accounting estimates.
• The need for other auditors or experts to participate in the review process.
• Reconsidering the audit plan and program, as necessary, during the audit period.
• Full documentation of the audit plan and the changes or updates that are required in the audit process.

Benefits of the annual audit plan:


The plan achieves a number of advantages, the most important of which is to provide instructions to the team and a
tool to monitor the time spent in each step of the audit. A plan that is well prepared and used provides the
following:

1. Evidence of appropriate planning for the audit work.
2. Allowing team members to evaluate the proposed scope of audits and to make any adjustments to the
audit procedures before they are implemented.
3. Guiding the less experienced team members, as the plan outlines the investigation steps that each team
member must take.
4. Evidence of completion of the work, whereby each member of the team signs the procedure he has taken to
fully demonstrate that this work has been done.
5. Evidence that internal control risks were taken into account when preparing the plan.

The selection of risks, the identification of tests and the extent of their application require high-level professional skills
and judgments. Therefore, the annual audit plan should include all major risks, provided that they are not exaggerated
or inappropriate in terms of the effort required to implement them. In addition, the director of the Internal Audit office
should set the criteria on the basis of which the risks and tests will be selected and discussed with the audit committee.

It is natural to select all remaining risks with a high rating within the scope of annual tests. All control procedures are
also covered and tested at least once every three years. The estimated time for implementing the annual audit plan
should be determined so that it includes job grades and different skills required, and then submitted for review and
approval by the audit committee.

The Director of the Internal Audit office should exchange information and coordinate activities with external and
internal parties that provide assurance and consulting services related to the field of audit activity, in order to ensure
the necessary coverage for the business and avoid duplication of efforts as per “Internal Audit Standard No. 2050
regarding coordination and accreditation.”

Steps to prepare the annual audit plan


First step: listing the results of the risk assessment process
The results of the risk assessment process are taken into account when preparing the annual audit plan in order to
ensure that all risks related to the activities are covered. Internal Audit efforts must be distributed in a proper way to
ensure coverage of activities that are exposed to high risks while taking into account the general objectives of the
concerned authority.

Second step: indicating the activities to be included


There are many principles that must be followed to ensure that value is added to the Federal Entity while meeting
the expectations of senior management from the Internal Audit office. It is also necessary to cover activities that are
exposed to high risks which have a significant impact on achieving the objectives of the Federal Entity. These principles
are as follows:

• Results of the risk assessment process.
• Trends of senior and executive management.

The priority of the activities subject to the audit must also be arranged according to the return and the expected added
value. The value of the return from auditing these activities should be greater than the expected cost of completing the
audit process. That cost is the value of time taken by the Internal Audit team to complete the audit of those activities.

Third step: indicating the timing of the audit and the required resources
It should be borne in mind that the audit plan should be flexible enough to accommodate any changes that may occur
during planning and implementation process. This can be achieved by building in additional time that represents a
certain percentage of the actual audit time to accommodate any potential change.

In order to accurately estimate the time spent on the audit process, the timing necessary to perform all of the following
operations must be taken into account in addition to the previously noted additional time:

• The time required to plan the audit.
• The time required to carry out the audit.
• The time required to complete the reporting.
• The time required to discuss observations and reports with the auditee.
• The time required to update the investigation plan in case of changes.
• The time required for training and development.
• The time required to perform administrative procedures related to the implementation of the audit, such as
the travel time, conducting interviews, visits with employees and preparing audit requirements etc.

The Director of the Internal Audit office must ensure the efficiency and adequacy of human resources and their ability
to complete the Internal Audit process in addition to having the basic skills necessary to complete these operations on
time. It should be borne in mind that there are some audited activities which require specialized competencies and
skills. For example, auditing of insurance activities needs expertise in the field of insurance, and auditing of project
activity needs experience in the field of construction projects etc.

Fourth step: approval of the annual plan


The annual audit plan must be approved by senior management, and this plan should include the following:

1. Suggested activities to be audited during the year.
2. The timing of each activity separately i.e. the distribution of activities according to the time specified for the
approved plan.
3. The time period required for each activity, start date and end date.

Fifth step: updating the audit plan and the plan reassessment process
Through the audit procedures and the implementation of the Internal Audit process on the various activities, it may be
found that some activities have been exposed to risks higher or lower than the previously assessed risks. It may also
be found that some control measures are ineffective.

Given that the Internal Audit plan is flexible and responsive to the surrounding changes, the Internal Audit plan can be
amended when there is a significant change in the assessment of the degree of exposure of activities to different
risks that results from Internal Audit procedures.

In all cases, any amendment to the annual plan should be approved by senior management, provided that the
amendment and its cause are explained. It should be noted that the reasons for amending the annual audit plan may be
the result of any changes, whether internal or external, including, but not limited to the following:

• Changes in the organizational or operational structure of a particular activity, area or unit.
• Changes in the financial, operational, or organizational structure of the Federal Entities.
• Administrative changes.
• Changes in risks and factors involved in the risks.
• Changes in policies, procedures, systems, and technology.

Stage (2) : execution

General framework for executing Internal Audit


The general framework for executing Internal Audit functions in the Federal Government includes the following main
stages:

1. Function planning stage.
2. Fieldwork stage.
3. Preparing and issuing report stage.
4. Monitoring and follow-up stage.

Summary of functions and responsibilities during Internal Audit execution stage

| Stage / Task | Planning | Field Work | Preparing and issuing Reports | Control and Follow-up |
|---|---|---|---|---|
| Responsible | Audit Committee and Internal Audit office; Executive Management | Internal Audit office | Internal Audit office | Audit Committee and Internal Audit office; Executive Management |
| Description | Conduct initial consultation with stakeholders to receive input and data; Establishing the scope and objectives of the audit process methodology and confirming it with the auditee; Indicating the budget for the audit process (expected working hours) and forming a team; Documenting systems and processes; Developing a detailed audit program | Conduct audits; Identify observations; Conduct closing meeting | Preparing and submitting the initial Internal Audit report; Receiving management action plans; Preparing and sending the final audit report that includes the management action plans | Monitor progress on management actions based on action plan defined in the Internal Audit report and implementation schedule determined by the management |
| Key deliverables | Audit planning letter; Audit scope form; Detailed work program | Observations form | Draft Internal Audit report; Management action plan; Final Internal Audit report | Follow up report |

Stage 1: function planning


Successful implementation of the planning process ensures, to a large extent, the success of the function as a whole.
In order to ensure that adequate function planning is undertaken, the Internal Audit team should carry out the
following major functions:

• Meeting of the Internal Audit team nominated to execute the function to discuss the following:
1. Objectives and scope of the audit function.
2. Objectives and purposes of the audit function.
3. Stakeholder expectations of the function and the missions of special nature.
• Indicating the scope of work.
• Indicating the work team and the initial meeting with the team.
• Sending an audit function planning letter to the auditee.
• The inaugural meeting with the auditee.
• Viewing any other reports related to the audit of the activity being audited.
• Developing an initial auditing program for the function.
• Preparing an audit function budget.
• Developing a detailed audit program for the mission according to the objectives and scope of the mission.
• Verifying that the detailed audit program is in line with the scope and purpose of the audit function.

The following criteria should be taken into consideration during all stages of planning and implementation, as well as
reports and follow-up:

• Objectives of the concerned department.
• Internal Audit methodology.
• The expectations of the senior management and all the bodies to which the report is submitted.
• Any other available data or observations.
• Service delivery requirements and conditions.
• Key performance indicators.

The key deliverables of this stage are summarized as follows:

• Audit planning letter.
• Audit scope form.
• Detailed audit program.

The following is an explanation of the steps that the auditors might take to implement some of the above-mentioned
major tasks:

1) Indicating the work team and the initial meeting with the team
According to the International Standards on Internal Auditing, Standard No. 2230 regarding the allocation of resources
for the audit function, the following should be done:

• Indicating the work team according to the nature of each activity separately, so that the personal experience
and the technical and professional aspects that the members of the work team possess are consistent with the
nature of the audited activity. In addition, expertise in the field of information systems must be considered
among the Auditors in the event that the activity relies on computer systems, and expertise in the field of
construction and contracting must be considered in the event that the activity is related to dealing with
subcontractors, construction work and the like.
• Holding a coordination meeting with the work team before visiting the auditee. The minutes of the meeting
should be documented, provided that the following are discussed:

1. The scope of work and ensuring that there is a complete and clear understanding of this scope.
2. The timing of the work and the start date of the activity.
3. Responsibilities and tasks related to each individual in the team.
4. Indicating the audit procedures that require the intervention of the Director of the Internal Audit office or his
representative.
5. Indicating the methods of communication with the concerned department and settling disputes.
6. Indicating the workflow mechanism and other meetings related to the mission.
7. Any other matters related to the mission.

2) The inaugural meeting with the concerned department and understanding the activity
• Inaugural meeting
An inaugural meeting is held with the concerned department before the beginning of the audit process. Coordination
with the concerned department should be made. It should be emphasized that both the director of the management
and the officials of the audited activities must attend. The main objective of the inaugural meeting is to introduce the
management to the team’s scope of work and the time taken by the team to perform its mission, as well as coordinate
with the management to start the actual audit process and facilitate all administrative procedures in addition to starting
the process of understanding activities. The agenda should be sent in advance to the relevant department and the
meeting agenda should include the following:

• Identifying Internal Audit functions.
• Indicating the areas where the Internal Audit team can add value to the management.
• Discussing the scope of work.
• Discussing the time required to complete the audit.
• Knowledge of the administrative, organizational and technical structure of the management under audit.
• Agreeing on all the required administrative and organizational aspects such as the duration of the audit, the
place of the audit, the coordinator, the method of correspondence and the like.
• Communicating the goals, initiatives and plans related to the work of the management in general and the
activity in question in particular.
• Any other significant matters related to the activity at the technical or administrative level.

Note: Meeting minutes should be prepared to document what was presented, discussed and agreed upon at the
inaugural meeting, and should be approved by the management to be audited and the concerned auditor.

• Understanding the activity

Procedures for understanding the activity being audited are carried out by various means, including meetings with
those responsible for sub-activities and those in charge of the work. It will also be necessary to view the detailed
organizational structure and functions assigned to the management in relation to the activity being audited, as well as
to review the data obtained previously during the strategic analysis process and risks evaluation stage. The following
are examples of the main data that need to be fully examined and understood before beginning the audit process:

• The management's position in the organizational structure and detailed missions.
• Main and subsidiary activities, initiatives and services of the management.
• All routine and non-routine daily work procedures.
• All control points used to ensure efficiency and safety of procedures.
• Laws and legislations that regulate the work of the management.
• The number of employees distributed at different administrative levels.
• Reports issued and received to and from the management with regard to the activity being audited and the
timing of issuance or receipt of these reports.
• The extent of the presence of other supervisory bodies that carry out any control measures on the activity
being audited.
• The extent of dependence on the computer system, or whether all procedures are executed manually.
• Strengths and weaknesses from the point of view of activity officials.
• Powers granted to employees.
• Work relationships that link the concerned department with other managements in the entity or any external
entities.

The managers of Internal Audit offices and employees can also use self-assessment methods for control operations in
evaluating risk management and control processes in the entity. The Internal Audit team can use self-assessment
programs for control. (Practice Advisory 2120/T/1)

The systematic method used in the self-assessment survey work and the necessary workshops is called "self-assessment
of control operations". It is a useful and effective approach that enables the Director of the Internal Audit Office and
the Internal Audit staff to cooperate in evaluating the control procedures, and it aims to integrate the various business
goals and risks with the control operations. The aforementioned method is also known as "self-assessment of control
and risk management processes."

Among the advantages of the self-assessment method is that the Internal Audit activity acquires more information
about the followed control operations and takes advantage of all the information and data available in the statement
of important weaknesses in the procedures and controls. (Practice Advisory 2120/T/1)

There are three basic forms of self-assessment programs for control operations:
• Workshops
• Surveys
• Analysis

Workshops: aim to facilitate the process of collecting information and data from the various work teams that represent
all levels in the auditees. The shape of those teams is determined and formed on the basis of objectives, risks,
procedures, and controls.
Surveys: include many questions, most of which are simple (yes) or (no) answers and other questions that are easy to
understand and answer. The survey method is used when it is difficult to conduct workshops due to the large number of
teams or the difference in job levels and work environment, or if the prevailing culture hinders candid discussions, or
in the event that it is difficult to obtain information during the workshops.
Analysis: analysis performed by the Internal Audit team includes most other methods used by groups and
administrative units to collect and view data and information related to work procedures and their implementation,
risk management activities and control procedures. The objective of this analysis is to reach a comprehensive, correct
and timely opinion or assessment. It is possible to combine this analysis with all data and other information to enhance
understanding of the controls and various activities.

3. Emphasizing the common understanding of the general scope of the audit function with the management
to be audited:
First: defining the general scope of the audit function according to the risks identified during the risk assessment
stage. The scope of the audit may include the following matters:

• The nature of the audit function, for example, may be a high-level task, or a task for a broad review of a Federal
Entity’s operations, or a task for detailed risk analysis and control procedures for a specific part of a Federal
Entity operations etc.
• Sub processes, initiatives, functions or activities that will be the focus of the audit function.
• Indicating which areas will be audited and which will not be audited.
• Indicating the main risks affecting the audited processes, initiatives, jobs or activities.
• Characteristics related to operations, initiatives, jobs and activities.
• Analytical procedures to be implemented.
• The expectations of senior management, executive management or any third parties if any.

Second: authenticating the common understanding of the general scope of the audit function.
Based on the information obtained from the above steps and the results of the risk assessment process, the Internal
Audit team must certify a common understanding of the overall scope of the function and prepare an audit scope form
that includes the following matters:

• The processes, initiatives, functions and activities that will be covered by the audit function, taking into
account the matters that attracted the attention of the Internal Audit team during the general understanding
of the processes and the audit methodology that will be followed. For example, if the audit methodology
includes performing analytical procedures, these procedures should be indicated to facilitate discussions with
management regarding the availability, validity, and accessibility of the data required.
• The nature, timing and extent of the audit procedures: The Internal Audit team should determine the nature
of the audit procedures that can be applied, including reviewing operations, testing control procedures, testing
transactions, and the like.
• Documents prepared by the stakeholders: the Internal Audit team must define during this stage the analysis
and documents that should be prepared by the stakeholders. Therefore, the Internal Audit team should
discuss the form and timing of these documents with the stakeholders.

Third: the Internal Audit team should be informed of the scope of the audit model and it should be discussed among
them, to ensure that there is a clear and common understanding among all members of the team assigned to the task.

Fourth: the audit scope form should be sent to the concerned department with an official letter through accepted
channels. A confirmation statement must be obtained from the management under review upon the receipt of the
letter.

1. Viewing any other reports related to the audit of the activity being audited.
Viewing all audit reports on the activity being audited is considered one of the most important means that helps to
understand the activity and weaknesses related to the activity being audited. It also gives a general idea of the nature
of the data and observations that were previously submitted to the management. Therefore, it helps in understanding
the reality of the administration before starting the audit process until all the shortcomings are covered as well as the
aspects that need focus during the audit process in order to reach a complete picture and issue reports that affect the
nature of the work and add the desired value to all auditees.

2. Preparing a detailed audit program and setting objectives


The audit program, according to the International Standards for Internal Auditing, Standard No. 2240 on the audit
mission work program, is considered a detailed procedures plan on the basis of which the auditing process is carried
out. It is also the deliverable of the process of understanding the activity, because the audit program must be prepared
in the light of understanding the activity. Therefore, the stage of understanding the activity and preparing the audit
program is considered one of the most important stages of an audit. The more accurate the understanding of the
activity, the closer the established audit program is to reality and implementation.

• The following should be taken into account in preparing the audit program:
1. All audit procedures included in the audit program should be according to the scope of work previously
agreed upon and discussed with the management during the planning stage and inaugural meeting.
2. Ensuring that all matters that attracted the team’s attention during the risk assessment process as well as
during the audit and inaugural meeting are included.
3. Ensuring that the audit program includes audit steps that cover all the observations raised
by the Internal Audit before, whether they are in reports previously issued to the management by the
Internal Audit or any other party.
4. Ensuring that all risks indicated during the risk assessment process and the inaugural meeting have been
included in the audit program's steps.
5. The nature, timing and extent of implementation of the auditing steps should be indicated, for example
whether the sample chosen is distributed throughout the year, or the choice of individual samples from
the end of the year only or from each month, and so on.
6. Ensuring that the audit steps listed in the audit program have included all expectations and points to be
covered that were raised during the internal meetings of the team or meetings that took place with the
relevant department during the risk assessment stage or during the planning stage of the audit process.
• The results and reports expected to result from the audit mission: the management should agree with the
forecasts related to the reports.
• Timetable protocols, means of communication, and the issuance of reports: for example, clarification of
procedures followed if managements did not submit work plans to address deficiencies within the timetable
required for their inclusion in the follow-up process.
• Members of the Internal Audit team: identifying the members of the Internal Audit team who will work to
carry out the function.
• According to the Practice Advisory 1210/T/2, it is necessary to consider adding some steps related to the
indications of fraud. The responsibility of the Internal Audit towards the fraud process is to exert the
necessary professional care, to the extent commensurate with the possibility of fraud in the activities that are
covered in the context of the usual performance of the Internal Audit missions. The Internal Audit team should
have a knowledge of fraud sufficient to understand the indications of potential fraud, be
alert to the gaps that allow fraud, assess the need for further investigations and notify the relevant
authorities.
• Senior management should also be notified accordingly and the legislation and laws in force in the country
should be followed in this regard.

1. Ensuring the compliance of the audit program with the scope of mission
Before starting the implementation of the detailed audit program, members of the Internal Audit team should review
the audit scope model and ensure the following:
• Details of the audit program are consistent with the scope of the audit mentioned in the "audit scope form".
• Ensuring that the detailed audit program includes all expectations and issues to be covered and that have
attracted the attention of the Internal Audit team during planning and risk assessment activities, or other risk
assessment activities that have been implemented by the entity’s management.
• Following this, the Internal Audit team should discuss with the responsible management any important
amendments in the scope of the audit that will be reflected in the detailed work program. Then, the team
should take one of the two decisions to either amend the work program to comply with the agreed scope of
the audit or update the "audit scope model" to comply with the amended scope.

2. Preparing the budget for the annual audit plan
The office Director prepares the annual audit budget, which should clarify the following, including but not limited to:
 The total audit hours for the fiscal year.
 The number of hours allocated to each audit mission, distributed to each auditor assigned to that task,
including time for review and quality assurance of teamwork.
 The expected time for the start and end of each function.
 Types of reports to be issued and their history.
 The date of the inventory and the sites to be visited.

The Internal Audit team or the Internal Auditor assigned to the audit mission is responsible for managing the audit
budget and providing clarifications to justify any difference between the actual hours and the estimated hours, so it is
important to note and monitor the reasons that may cause the actual hours to differ from the estimated hours.

Stage 2: Fieldwork

Stage: Implementation of the Internal Audit
Procedure description:
 Implementation of the audit process through the audit program within the scope of work.
 Indicating the observations.
 Conducting final interviews.
Key deliverables:
 Observations form

The fieldwork stage, according to the International Standards for Internal Audit, Standard No. 2300 on implementing
Internal Audit missions, is the stage in which the Internal Audit office team carries out tests and checks on control
procedures, records results and formulates major and important recommendations. The process of examination or
testing in the Internal Audit aims to obtain evidence and data to achieve the objectives of the Internal Audit process.
The following are guidelines on the most important aspects of implementing the function:
1) Audit methods

There are various audit methods that can be used in different scenarios, so the methods that are most compatible with
the conditions and needs of the audit mission must be chosen. Here are some methods that the Internal Audit team
can use to obtain audit evidence or analyze data and performance:

 Surveys (questionnaires).
 Tests.
 Measurements.
 Studies.
 Graphs.
 Interviews.
 Brainstorming.
 Statistical analysis.
 Computer-assisted audit methods.
With regard to the audit of information technology systems, the methods and types of data examination by means of
modern audit software are almost unlimited. For example, audit software contains many options for auditing
transactions for the purpose of detecting fraud, such as the presence of duplicate, lost or other
transactions. Such tests include:

 Comparing suppliers’ addresses with employee addresses to indicate if there are employees who supply to
the relevant entity.
 Search for duplicate cheque numbers to discover if there are other copies of the same cheque.
 Sequence analysis of all transactions to identify lost cheques or invoices.
 Identifying suppliers who have more than one code or more than one postal address.
 Identifying suppliers who have the same postal address.
 Arranging payments according to their value to indicate the transactions that are less than or slightly above a
certain level of disbursement, in order to test the limits of delegation of authority in relation to financial affairs,
procurement and human resources.
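
The tests listed above, written out as an added Python example (not part of this manual and not the routines of any particular audit software). It runs over constructed vendor, employee and payment records; the field names, the 10,000 delegation limit and the 200 margin are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample records for illustration only (not real ledger data).
VENDORS = [
    {"code": "V001", "address": "P.O. Box 1234, Abu Dhabi"},
    {"code": "V002", "address": "Office 12, Tower B, Dubai"},
    {"code": "V003", "address": "PO Box 1234 Abu Dhabi"},
    {"code": "V004", "address": "Villa 7, Street 9, Sharjah"},
]
EMPLOYEES = [
    {"id": "E10", "address": "villa 7 street 9 sharjah"},
    {"id": "E11", "address": "Flat 3, Block C, Ajman"},
]
PAYMENTS = [
    {"id": 1, "cheque_no": 5001, "vendor": "V001", "amount": 9950},
    {"id": 2, "cheque_no": 5002, "vendor": "V002", "amount": 1200},
    {"id": 3, "cheque_no": 5002, "vendor": "V003", "amount": 1200},
    {"id": 4, "cheque_no": 5004, "vendor": "V004", "amount": 9999},
    {"id": 5, "cheque_no": 5007, "vendor": "V002", "amount": 10050},
    {"id": 6, "cheque_no": 5008, "vendor": "V001", "amount": 25000},
]


def normalize_address(address):
    """Lower-case, drop punctuation and collapse spaces so trivial variants match."""
    cleaned = re.sub(r"[^a-z0-9 ]", "", address.lower())
    return " ".join(cleaned.split())


def vendors_at_employee_addresses(vendors, employees):
    """(vendor code, employee id) pairs that share one normalized address."""
    staff = defaultdict(list)
    for emp in employees:
        staff[normalize_address(emp["address"])].append(emp["id"])
    return sorted(
        (v["code"], emp_id)
        for v in vendors
        for emp_id in staff.get(normalize_address(v["address"]), [])
    )


def vendors_sharing_address(vendors):
    """Groups of vendor codes registered at the same normalized address."""
    groups = defaultdict(list)
    for v in vendors:
        groups[normalize_address(v["address"])].append(v["code"])
    return sorted(sorted(codes) for codes in groups.values() if len(codes) > 1)


def duplicate_cheques(payments):
    """Cheque numbers used on more than one payment, with the payment ids."""
    seen = defaultdict(list)
    for p in payments:
        seen[p["cheque_no"]].append(p["id"])
    return {number: ids for number, ids in seen.items() if len(ids) > 1}


def missing_cheque_numbers(payments):
    """Sequence analysis: numbers absent between the lowest and highest cheque."""
    used = {p["cheque_no"] for p in payments}
    return [n for n in range(min(used), max(used) + 1) if n not in used]


def payments_near_limit(payments, limit, margin):
    """Payment ids within `margin` below or above an approval limit, by value."""
    hits = [p for p in payments if limit - margin <= p["amount"] <= limit + margin]
    return [p["id"] for p in sorted(hits, key=lambda p: p["amount"])]


def run_all_tests():
    """Run every test over the constructed records and collect the exceptions."""
    return {
        "vendor_at_employee_address": vendors_at_employee_addresses(VENDORS, EMPLOYEES),
        "vendors_sharing_address": vendors_sharing_address(VENDORS),
        "duplicate_cheques": duplicate_cheques(PAYMENTS),
        "missing_cheque_numbers": missing_cheque_numbers(PAYMENTS),
        "near_delegation_limit": payments_near_limit(PAYMENTS, limit=10000, margin=200),
    }


if __name__ == "__main__":
    for test_name, exceptions in run_all_tests().items():
        print(test_name, exceptions)
```

Each hit is an exception to follow up during fieldwork, not a conclusion: a shared address or a gap in the cheque sequence may have a legitimate explanation that the working papers should record.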
Computer-supported auditing methods can also be used to implement several audit procedures, which include any of
the following:

 Testing the restricted transactions and balances such as interest recalculation.
 Analytical audit procedures such as identifying inconsistencies or significant changes.
 Compliance tests with general controls such as testing the configuration and activation of the operating
system or testing procedures for program libraries.
 Using sampling programs to extract the data for auditing.
 Compliance tests with application controls, such as testing the operation of a programming control.
2) Indicating information and data
a. Collection of information and data
The Internal Audit team must, according to the “International Standards of Internal Auditing, Standard No. 2310
concerning identifying information”, collect reliable, sufficient and relevant information to achieve the objectives of
the audit. The Internal Audit team should do the following:

 Collection of sufficient information and evidence on all matters related to the objectives of the audit and the
scope of work.
 Use of analytical and documentary audit procedures to identify and test information.
The information should be sufficient, reliable, relevant, and useful to provide a sound basis for audit observations and
recommendations.
Sufficient - when the evidence is factual and persuasive enough that a prudent, informed person would reach the
same conclusion.
Reliable - when the evidence can be verified by others and has been gained through competent and appropriate audit
procedures.
Relevant - when the evidence collected relates directly to the areas being tested.
Useful - when the evidence collected allows the Internal Audit team to form a view on whether the Federal Entity is
meeting its goals and objectives and accomplishing the desired result.
b. Methods for selecting samples

Sampling in auditing can be defined as the process of selecting and examining a portion of a group of related items for
the purpose of obtaining information or evaluating some characteristic about the group as a whole. The entire set of
data from which the sample is selected is called the population, and the individual items that constitute the
population (and are available for selection) are called sampling units.
The audit plan should explain the method used to select samples to be tested, as during fieldwork, the Auditors can
rely on technical means of sampling to record conclusions about the processes under test. Before starting fieldwork, it
is necessary to specify the scope and the amount of evidence to be gathered to meet the objective of the audit or
support the conclusions and observations.
Both judgmental and statistical sampling methods are based on the premise that all evidence in support of a particular
assertion need not be examined to confirm the assertion’s validity. The type of sampling methodology used is a matter
of judgment and as such, this decision should be made by the more experienced members of the engagement team,
i.e. the team leader and / or the Head of Internal Audit.
Obviously, the more critical the results are, the higher the requirement for more extensive testing. With the increasing
use of information technology, the Internal Audit office must decide whether sampling is the most efficient and
effective way to obtain evidence. This increase in the use of information technology raises the fact that there may also
be situations where the entire population can be examined by using file interrogation software, data mining, data
warehouses or other information retrieval approaches.
The Internal Audit team must consider that by selecting some samples, there is a risk that the chosen sample does not
truly represent the population. To further explain, the audit risk in sampling relates to the possibility that a materially
incorrect inference about a population may be reached as a result of sampling. This is due to the following:

 Sampling error
There is a possibility that the sample will provide information that is not representative of the population. The aspect
of this possibility caused purely by random chance in sample selection is the risk of “sampling error”. The sampling
error risk is a possibility in every sample, regardless of how the sample is selected. The Internal Audit office recognizes
that this risk is reduced by applying professional judgment and following the appropriate procedures in
choosing the Internal Audit samples.

 Non-sampling error

Similar to the sampling error risk, every sample is subject to the risk of non-sampling error. “Non-sampling” errors can
affect the representativeness of the sample, but they also can relate to all other aspects of the sample. They include the
use of inappropriate sampling techniques, improper definition of the population, mistakes in selecting the sample, etc.
In other words, the risk of non-sampling error encompasses all possible mistakes, oversights and misjudgments that
may produce an incorrect inference from the sample.
To mitigate or minimize that risk, the Internal Audit offices should accentuate the importance of adequate planning,
supervision and the proper execution of the audit plan.
In all cases, the Internal Audit team must explain these risks to the senior management and auditee.

 Sample size
Whether designed to test attributes or amounts, all samples follow either a statistical or a judgmental (non-
statistical) approach. There is no difference between statistical sampling and judgmental sampling in the
execution of a sampling plan, nor does the approach affect the competence of the evidence obtained or the
Internal Audit office’s response to detected errors. Selection between statistical or judgmental sampling should be
made after careful evaluation of both the pros and cons of each.

 Statistical sampling
Statistical sampling is an objective method of determining the sample size and selecting items to be examined. Unlike
judgmental sampling, it provides a means of quantitatively assessing precision or allowance for sampling risk (how
closely the sample represents the population) and reliability or confidence level (the probability the sample will
represent the population). Furthermore, statistical sampling provides a specific estimate of an occurrence rate or of a
monetary amount.
The advantage of this approach is that the reliability of the results is determined by the probability theory. That is by
following prescribed procedures for selecting the sample and calculating the results, the Internal Audit office can use
a statistical model to measure risk of sampling error.

 Judgmental (non-statistical) sampling

Judgmental sampling is a subjective approach to determining the sample size and sample selection. This subjectivity
is not always a weakness. Internal Audit personnel, based on other work, may be able to test most material and risky
transactions and to emphasize the types of transactions subject to high control risk. In judgmental sampling or non-
statistical sampling, the Internal Audit Function relies solely on judgment to assess the risk of sampling error and
evaluate the population. Although the risk of sampling error cannot be measured in a judgmental sample, the Internal
Audit Function can attempt to control it by following certain guidelines and procedures.

 Sample selection
The following factors, which reduce the risk involved in selecting samples, should be considered:
1. Identify and know the population subject to the examination process and analyze its units in a proper way, as
audit conclusions may be based only on the sample taken from that population.
2. Link the selected samples to the objectives of the audit.
3. Allow every sampling unit in the population to have an equal chance of being selected.

 Sample selection techniques

Sample selection techniques include:


 Random selection
 Systematic selection
 Cluster selection
 Haphazard selection
 Judgmental selection

The first three selections are generally referred to as random selection techniques. These techniques provide
reasonable assurance that each sampling unit has a predetermined probability of being selected, and prevent any
unintentional bias in the selection. Haphazard and judgmental selections are considered as non-random selection
techniques. The random selection techniques must be used in statistical sampling. These techniques are further
described below:

 Random selection
Random selection eliminates subjective factors from the selection process, including any conscious or unconscious
bias that might affect the likelihood of certain sampling units being selected or not. Although there is always some risk
that a sample will not be representative of the population, random selection, by eliminating bias, entails less sampling
error risk than other selection techniques. It therefore should be considered whenever the risk is of significant concern.

There are many ways of selecting random samples, including:


 Random selection software routines, which are selection routines in audit software that can extract random
samples from the auditee’s records.
 Computerized random number generators which can provide lists of random numbers from the selected
population.

 Systematic selection
Systematic selection is the selection of sampling units at fixed intervals within the population. This technique usually
produces a close approximation of a random selection technique. The same fixed rule is applied to every part of the
population; for example, a population can be divided into ten parts, and the last ten transactions are then chosen
from each part to represent the population. Systematic selection, while it could be widely used, is not as conceptually
sound as random selection because of the possibility that a systematically drawn sample might be biased due to the
manner in which the sampling units are arranged.
 Cluster selection
Cluster samples are used when a population is so dispersed that systematic selection would be burdensome. Cluster
sampling is the method of sampling whereby the population is formed into groups or “clusters” of items. Cluster
sampling is done in several stages:
First stage: classifying the population into subgroups or similar items.
Second stage: selecting a sample from the sub-groups or items in a random manner so that the chosen sample should
represent the population as a whole.
Third stage: random selection from each sub-group or item for the sampling units representing the sub-group or item
that was chosen to represent the population as a whole.

This is called multi-stage sampling. Cluster sampling is commonly used to get the most precise results from a fixed
budget for example, yet it is not as precise as random selection.
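
The three random selection techniques described above, as an added Python example (not part of this manual). The population of 120 invoices in six departments is constructed, and the function names and seed values are assumptions; recording the seed in the working papers lets a reviewer re-perform the same selection.

```python
import random
from collections import defaultdict

# Constructed population: 120 invoices, departments repeating in a cycle of six.
POPULATION = [{"invoice": 1000 + i, "dept": f"D{i % 6 + 1}"} for i in range(120)]


def random_selection(population, n, seed):
    """Simple random sample without replacement; the seed makes it repeatable."""
    return random.Random(seed).sample(population, n)


def systematic_selection(population, n, seed):
    """Every k-th unit after a random start, where k = len(population) // n."""
    if not 0 < n <= len(population):
        raise ValueError("sample size must be between 1 and the population size")
    interval = len(population) // n
    start = random.Random(seed).randrange(interval)
    return [population[start + i * interval] for i in range(n)]


def cluster_selection(population, cluster_key, n_clusters, per_cluster, seed):
    """Multi-stage selection: group units, draw clusters, then draw units in each."""
    rng = random.Random(seed)
    clusters = defaultdict(list)
    for unit in population:                      # first stage: classify
        clusters[unit[cluster_key]].append(unit)
    chosen = rng.sample(sorted(clusters), n_clusters)   # second stage: pick clusters
    sample = []
    for name in chosen:                          # third stage: pick units per cluster
        members = clusters[name]
        sample.extend(rng.sample(members, min(per_cluster, len(members))))
    return chosen, sample


def departments_hit(sample):
    """Distinct departments represented in a sample (a quick coverage check)."""
    return sorted({unit["dept"] for unit in sample})


if __name__ == "__main__":
    print("random    :", [u["invoice"] for u in random_selection(POPULATION, 10, seed=2024)])
    print("systematic:", [u["invoice"] for u in systematic_selection(POPULATION, 12, seed=7)])
    clusters, units = cluster_selection(POPULATION, "dept", 2, 5, seed=7)
    print("cluster   :", clusters, [u["invoice"] for u in units])
    # Interval 6 matches the six-department cycle, so only one department is sampled.
    print("biased systematic covers:", departments_hit(systematic_selection(POPULATION, 20, seed=1)))
```

The last line shows the arrangement bias mentioned under systematic selection: when the interval coincides with a pattern in how the records are ordered, the sample covers a single department however the start is chosen.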

 Haphazard selection
Haphazard selection is the selection of a sample without following any organized or structured approach. Further,
haphazard selection involves selecting items that are readily at hand, taking the easy approach rather than the
reasoned approach; e.g. the haphazard sampling of purchase orders would include choosing a sample of purchase
orders that are readily available, without taking into account factors such as the items on the purchase order, the
amount of the purchase order, the date of the purchase order, etc.
The objective is to obtain an approximation of a random based sample. Its advantage is that it may be easier to apply
than other techniques, especially if audit software is not available and sampling units are not numbered or ordered in
a way that facilitates random selection.
When using this technique, the Internal Audit team should be careful not to introduce bias into the
selection, such as by unconsciously avoiding the first or last page of a document / register / list.

 Judgmental selection (non-statistical)


In applying judgmental selection, the Internal Audit team would select the audit samples based on their personal
judgment and reasoning. Although this is seen as a weak sampling method, it can still be used
to select examples of deficiencies that support the auditors' claim that the system is weak.
Judgmental selection can be used when the population is homogeneous, such as in an information system, where each
item is treated in the same manner specified under the relevant information system.
3) Analysis and assessment
The Internal Audit team should base conclusions and audit results on appropriate analysis and evaluations. Audit
procedures should be used during the audit to examine and evaluate information to support audit results.

The Internal Audit team should consider the factors listed below in determining the extent to which analytical auditing
procedures should be used:

 Availability and reliability of information.
 Precision with which the results of analytical auditing procedures can be predicted.
 Availability and comparability of information.
 Significance of the area being audited.
 Adequacy of the system of the applied internal control.
 Extent to which other audit procedures provide support for results.
After evaluating these factors, the Internal Audit team should consider and use additional auditing procedures, as
necessary, to achieve the audit objective.

4) Fieldwork documentation
According to the “International Standards on Internal Auditing, Standard No. 2230 on information documentation”,
the documentation process should be done in full efficiency, so that all the stages of the audit that took place from the
beginning of the planning process and correspondence with the concerned departments until the stage of issuing and
approving the report are documented. The documentation process should cover the following:

 Understanding the activity.


 Evaluating the design of internal control systems.
 Tests results.
 Summary of important matters.
 Documenting control procedures.
The Internal Audit team should document the information necessary to support the findings and results of the audit
mission, so that the Internal Audit team prepares and documents the audit documents, while the Internal Auditor
responsible for the task or the Director of the Internal Audit office reviews them.
The audit documents should contain the information obtained and the analysis performed, which are the basis for
endorsing the findings and recommendations of the audit report.
5) Audit supervision

Audits should be properly supervised to ensure objectives are achieved, quality is assured, and staff are developed.
Supervision begins with planning and continues throughout the examination, evaluation, communicating and follow-
up stages of the audit.
Supervision includes:

 ensuring that the Internal Audit team assigned to the engagement possess the requisite knowledge, skills and
other competencies to perform the audit;
 providing appropriate instructions during the planning of the audit and approving the audit program;
 ensuring that the approved audit program is carried out as approved unless changes are both justified and
authorized;
 determining that audit working papers adequately support the audit observations, conclusions, and
recommendations;
 ensuring that the audit report is accurate, objective, clear, concise, constructive and timely;
 ensuring that audit objectives are met;
 providing opportunities for developing auditors’ knowledge, skills and other competencies.

Appropriate evidence of supervision should be documented and retained. The extent of supervision required will
depend on the proficiency and experience of the assigned auditors and the complexity of the audit.
Appropriate supervision also allows for resolution of differences in professional judgment over significant issues
relating to the audit. Furthermore, it allows for the documentation and disposition of differing viewpoints in the audit
working papers. The objectives of documenting the supervision work are to:

 Ensure that there are documents supporting the audit report and that all audit procedures have been
implemented.
 Provide evidence of supervisory review. This would consist of the reviewer initialing and dating each working
paper after it is reviewed.
 Reflect any other review techniques that provide evidence of supervisory review including completing an
audit working paper review checklist or preparing a memorandum specifying the nature, extent, and results
of the review.

Responsibility for supervising audit work
“Standard No. 2340 of the Auditing Standards” indicates that supervising audit work is the
responsibility of the Director of the Internal Audit Office. However, he can delegate the supervision of audit work
to auditors with experience. In all cases, it is necessary to ensure that this authority is delegated correctly and to those who
have experience and professional competence, as this has a direct reflection on the quality of the implementation and
deliverables of the audit mission.
Stage (3) : Preparing and issuing the report

Stage: Preparing and issuing reports
Procedure description:
 Preparing the initial Internal Audit report and sending it to the concerned department and a copy to the relevant entity.
 Receiving the management responses and implementation plan.
 Preparing the final Internal Audit report and sending it to the senior management.
Key deliverables:
 Initial Internal Audit report.
 Final Internal Audit report including management responses.

Introduction
The main objective of the reporting process according to the “International Standards on Internal Auditing, Standard
No. 2400 concerning reporting results”, and the “Internal Audit Standard No. 2410 concerning Reporting Standards”
is to submit the audit results to the appropriate administrative levels that are able to make decisions related to the
audit observations. It is also the main approved means of adding value to the auditee. The Internal Audit report must
be objective, accurate, clear, concise and constructive, and be completed in a timely manner. The Internal Audit report
should also contain:

1. The scope and objectives of the agreed Internal Audit mission.


2. The methodology followed during the audit process.

3. The observations found during the audit process and the financial, operational or strategic impact related
thereto, with examples as far as possible to support the observation.
4. Internal Audit recommendation to establish corrective measures for the discovered observation or to improve
the weaknesses raised in the observation.
5. Management response, work plan, and corrective actions to the observations in the report. The management
response must be included as is, whether it agrees with or objects to the report.

In addition, a closing meeting should be held with the concerned department to discuss the results of the audit
fieldwork. That meeting should be arranged in advance, but should be after the completion of all fieldwork. There
should also be appropriate time given for the management to review and respond to the results of the audit fieldwork.

The following steps in the process of preparing and issuing the Internal Audit report should be followed after
completing the fieldwork of the audit mission.

First: preparing the initial report


During the preparation process, the Internal Audit team should take the following steps:
 Gather and review the audit findings for reportable items during the audit process that were discovered through
the implementation of the audit program.
 Classifying the observations according to their importance and determining the points that should be included in
the report.
 Reviewing all documents and reports supporting the observations before inclusion and ensuring the adequacy of
documents supporting the observations contained in the report.
 Referring to those responsible for implementing all procedures in the department concerned to ensure the
correctness of the information that will be included in the report.
 Potentially discussing with any other parties related to the implementation of the activity being audited inside or
outside the concerned department.
 Ensuring that all data, documents, information and meetings that have been conducted with the auditee personnel
are documented.
 Considering the use of a standard template for initial reporting.

Second: reviewing the initial report

The Director of the Internal Audit office should review the initial report and sign it, as the completion of the audit
process is a documentation of his approval and reflects the completion of the review. The Director of the Internal
Investigation Office must also make the necessary inquiries and see the essential data that enable him to verify the
authenticity of the observations included in the report. Following this, the Director of the Internal Audit office should
send the initial report to the audited department and a copy to the relevant entity to review the observations in the
report. The audited department should then provide a response in order to reach an agreement concerning the
implementation plan of the proposed recommendations to address the observations contained in the report.

Third: closing meeting


The Internal Audit team should meet with the director of the department and those responsible for the activity being
audited to discuss the observations that were included in the initial report of the Internal Audit, with a view to
unanimously validating its contents before sending it, as this meeting provides an opportunity to do the following:

 Discussing the observations in the initial report and the focus on reviewing the audit results.
 Finding solutions to any difference of views.
 Presentation of benefits from the services provided by the Internal Audit team.
 Agreeing on the implementation plan and follow-up activities of the observations contained in the report,
provided that they are consistent with the protocols that were developed during planning process.
 The main objective of holding the closing meeting to discuss the report before sending a final copy of it is to ensure
that all the observations, information and analysis included in the report are correct. The management may not
agree with the impact of some observations, but there must be full approval of the existence of the observation
itself. In other words, it is incumbent on the Internal Audit office to verify the full validity of the contents and
conclusions in the Internal Audit report before it is issued. The Director of the Internal Audit office should ensure
that detailed meeting records are kept to document the auditee’s response to the discussed observations and the
report as a whole.

Fourth: issuing the Internal Audit report
After completing all required report reviews, the Internal Audit team should issue the Internal Audit report with
detailed results and recommendations according to the protocols agreed with the director and those responsible for
the activity being audited. The distribution of the Internal Audit report is usually limited in nature and may include the
director of the administration, those responsible for the audited activity and some members of the administration for
the purpose of obtaining the response and the proposed plan to address the observations in the report.

Fifth: the agreed implementation plan


The department responses may differ in terms of form and content, but these responses must be reviewed to
determine whether there is a need to return to the department for clarification. The Internal Audit office should advise on
the responses and effectiveness of the department's work plans. If these responses and plans are not in line with the
observation, they should be discussed again with the department to clarify and amend the responses, if possible.
In the event that the department insists on responding negatively or does not develop plans to address the
observations, the Director of the Internal Audit office must submit this case to the Audit Committee after receiving the
responses and proposed action plans by the department. In this case, the report is reviewed, indicating whether there is
a need to return to the department for clarification. The implementation plan must also indicate the expected
implementation date and identify who is responsible for implementation.

Sixth: the final report and presenting the results


The Internal Audit team, when confirming the feasibility of the responses, issues the report. The final Internal Audit
report is distributed to the senior management, the investigation committee, and the executive management. A
summary of the results of the audit mission is presented in the meetings of the Audit Committee and Executive
Management as agreed with the management during the planning stage.

Reports progress map

Report: Initial Internal Audit report
Report type: Administrative
The entity to which the report is addressed: The concerned department director and a copy to the relevant entity
Content: It includes all the observations that attracted the attention of the team during the fieldwork and are reviewed by the Director of the Internal Audit office.

Report: Final Internal Audit report
Report type: Technical
The entity to which the report is addressed: Senior management
Content: It includes the responses of the concerned department to the observations in the initial report.

Report: Follow-up report
Report type: Technical
The entity to which the report is addressed:
- The concerned department director and a copy to the relevant entity
- Senior management
Content:
- Issuing the follow-up report on the status of observations and recommendations.
- Repeated follow up on the implementation of the recommendations of the Internal Audit report until verification of full implementation.

Report: Periodic reports
Report type: Technical
The entity to which the report is addressed: Senior management
Content:
- Issuing the report periodically.
- The report includes a summary of all the significant observations that appeared during the period.

Internal Audit reports - general guidelines


Internal Audit reports should include the objectives and scope of the audit mission in addition to observations and
effects related to it as well as recommendations and agreed department work plans. The form and content of the report
may vary according to the type of audit or management subject to audit, but the report should contain, at least, the
purpose, scope, and results of the audit mission.

The Internal Audit report may include a summary, including a balanced presentation of the report’s content, and
general information. This information identifies the entities and activities that were audited and some other
explanatory information. It may also include clarifications on the status of observations, conclusions and
recommendations contained in previous reports, in addition to indicating the reasons that led to performing the audit
either according to the audit plan or according to a special request.

The purpose of the audit also explains the objectives of the audit. It is also permissible, when necessary, to clarify the
reasons for carrying out the audit mission and the expected results.

The scope of audit indicates the work activities being audited and the nature and extent of the audited work performed.
It may also contain additional information such as the period covered by the audit mission.

The results should also include the following:


 Risk.
 Observation and recommendation to improve the audited process.
 Classifying the observations according to their importance.
 The department’s work plan.
 Schedule of classification of control procedures.

Observations are pertinent statements of fact. Those observations necessary to support Internal Audit conclusions or
prevent misunderstandings of those conclusions should be included in the final audit communications. Less significant
observations may be communicated informally.

Audit observations emerge by a process of comparing what should be with what is. Where there is a difference, the
Internal Audit team has a foundation on which to build the report. However, when conditions meet the criteria,
acknowledgment in the audit communications of satisfactory performance may be appropriate.

Observations should be based on:

 Criteria - the standards, measures, or expectations used in making an evaluation and/or verification (what should
exist);
 Condition - the factual evidence that the Internal Audit team found in the course of the examination (what does
exist);
 Cause - the reason for the difference between the expected and actual conditions (why the difference exists);
 Effect - the risk or exposure to the process, function, department and/or the Subject Entity as a whole because the
condition is not consistent with the criteria;
 Recommendation - the clarification of how to address the subject of the observation and avoid its repetition in the
future, i.e. address the difference.

In determining the degree of risk or exposure, Internal Audit team should consider the effect their audit observations
may have on the Subject Entity’s operations and financial statements. Observations may also include management’s
accomplishments, related issues and supportive information if not included elsewhere.

Criticality rating of the observation | Definition
High | The observation is critical and deserves immediate attention by the director. This observation should be reported to the audit committee immediately.
Medium | The observation affects the accomplishment of process objectives. Management’s action plan and related corrective action should be implemented as a matter of priority. If not resolved, the finding could result in an inefficient use of entity resources and/or potentially cause disruption. The observation is reported to the Audit Committee at least quarterly.
Low | The observation is reported to the Process Manager but is of a minor risk to the Federal Entity. The observation will not be reported to the Audit Committee unless the finding remains open after the follow up audit.

It should be noted that at this stage, the Internal Audit office is testing and reporting on the operating effectiveness of
mitigating controls identified during the Risk Assessment stage and during the planning stage for this review.

The table below illustrates the rating system used:

Rating | Definition
Effective control procedures | The rules and regulations of the Federal Entity contain effective and appropriate procedures for its activities, and there is no weakness or deficiency in the rules and regulations of the Federal Entity.
Adequate control procedures | There are certain procedures that need to be improved in the Federal Entity’s regulations and systems. There are weaknesses and limitations in a limited number of procedures.
Inadequate control procedures | There are significant weaknesses and shortcomings in the procedures in the Federal Entity’s rules and regulations.

The Internal Audit team should assess the compliance of the auditee with the approved control procedures.

The Internal Audit reports and Internal Audit correspondence should be accurate, objective, clear, constructive, brief,
and complete, and be submitted in a timely manner. The following is an explanation of these characteristics:

 Accuracy
The information mentioned in the observation should be accurate. The Internal Audit team should not generalize by
simply saying that a practice “weakens control procedures” or “does not provide adequate control”. They must explain
how the practice weakens control procedures or does not provide adequate control. Observations should be discussed
with parties who have been audited to ensure that all necessary information has been obtained, and the results of this
discussion must be documented in the fieldwork note.

 Objectivity
The information in the note must be fair, impartial, and unbiased. It should be the result of a balanced assessment of
all facts and related circumstances. Observations, conclusions and recommendations should be formulated without
any unwarranted influence from other parties or without any personal interest.

 Clarity
The information in the note must be understandable and logical by avoiding complex technical vocabulary and listing
all important and relevant information.

 Concise
The information in the observation should be aimed at the core of the topic, excluding unimportant and redundant
details or repetition. These reports should be the result of continuous reviewing and editing, and the goal is to reach
reports with innovative and creative ideas in a clear and concise manner.

 Structure
The information in the observation should be useful and helpful to the concerned authority and stakeholders and it
should lead to development. The content presenting the report should be useful and positive and contribute to
achieving the goals of the Federal Entity.

 Completeness
The observation should not lack anything that is necessary for the reader to understand. It should contain all important
and relevant information that supports the conclusions and recommendations.

 Logically arranged
The observation should be first clarified, and then any necessary additional information should be clarified. Where
there are many exceptions or outstanding issues, it is important that the comments are properly organized and in a
logical order. Recommendations should be introduced in the same sequence as the observations in the report.

 Errors
An error is defined as an unintentional misstatement or omission of significant information. If it is determined that an
Internal Audit Report contained a significant error or omission, then the Director of the Internal Audit office should
consider the need to issue an amended report which identifies the information being corrected. The amended audit
communication should be distributed to all parties who received the initial audit communication subject to correction.

 Legal considerations in audit reports


The Internal Audit team are required to gather evidence, make analytical judgments, report their results and ensure
corrective action is taken. The Internal Audit team should exercise caution when including such results and issuing
opinions in Internal Audit reports, communications and working papers regarding regulatory violations and other
related issues. Established policies and procedures regarding the handling of these matters and a close working
relationship with other departments, such as the legal team, are strongly encouraged.

Stage 4: monitoring & follow-up


Stage | Procedure description | Key deliverables
Monitoring & follow-up |  Follow-up on the implementation of the department's work plans according to the timing of implementation included in the department's response in the Internal Audit report.  Preparing the follow-up report and sending it to the concerned department with a copy of the relevant entity. |  Follow up Report

The Internal Audit office is developing a follow-up mechanism with the concerned department related to its
commitment to implement plans to address the comments received in the audit reports and to submit periodic reports
on the results of the follow-up work.

The concerned department is responsible for implementing corrective actions. In addition, the degree of effort and
cost required to correct the observations in the report must also be taken into account, and the difficulty of corrective
actions and their applicability must be measured.
Internal Audit reports and department action plans are monitored through:

 a time frame within which management’s response to the audit observations is required;
 an evaluation of department’s response;
 a verification of the response (if appropriate);
 follow up the audit process;
 a communication procedure that escalates unsatisfactory responses/actions, including the assumption of risk,
to the appropriate levels of management;
 send the follow-up report to both the senior management, the concerned department, and the relevant sector
of the Federal Entity; and
 the issuance of periodic reports to the Audit Committee on the level of implementation of management’s
action plans.

Quality assurance and improvement processes


The office director should develop and maintain a program to ensure and improve quality, covering all aspects of the
Internal Audit activity. In this context, the following can be done:
 Periodic evaluation of the quality and the continuous internal control thereof as per "Internal Auditing
standard No. 1300 concerning the quality assurance and improvement program".
 A continuous review of the performance of the Internal Audit activity, and a periodic review carried out by
persons who have knowledge of the principles of Internal Audit practice and international professional
standards for the practice of Internal Audit.
 Both internal and external evaluation as per "Internal Auditing Standard No. 1300 concerning Quality
Assurance and Improvement Program". Internal evaluation can also be done by distributing questionnaires
to the audited departments to evaluate the performance of the auditors.
 Conducting an external evaluation at least once every five years by a qualified independent auditor or an
audit team from outside the Federal Entity.

Section 3: Internal Audit personnel

Chapter 1: Personal traits

The Internal Audit personnel in the Federal Government must have the following:
1. Personal traits and characteristics:
Honesty, frankness, integrity, decency and having the capacity to accept alternative ideas and perspectives,
in addition to the power of observation and the ability to understand the nature of work and the circumstances
of the entity that is audited. They should be able to deal with different situations and to have perseverance
and focus on accomplishing the targeted actions, and the ability to resolve and make decisions and
self-reliance when dealing effectively with others.

2. Scientific qualification:
The auditor must have obtained a minimum level of education, which is a bachelor’s degree with sufficient skills to
qualify him to acquire the knowledge and skills necessary for the work. Further details in the knowledge and skills item
shown below.

3. Work experience in the field of Internal Audit:


This is the experience that leads to the development of knowledge and skills for a person. This experience must be in
the same field and with a minimum number of years determined by the job that will be assigned to them. The
experience must be acquired from agencies known for their professionalism and competence in this field.

4. Audit training:
It must be ensured that the audit work team has completed adequate training in Internal Auditing that enables it to
develop its knowledge and skills, and the entity can train its own employees by its experts or assign the training task
to an external party. The director of the office must maintain an integrated training program and ensure that
specialized training is provided to the office staff periodically.

5. Knowledge and skills:
Auditors should generally have sufficient knowledge and skills in the following areas:
a. Audit basics, procedures and arts including: planning and organizing work efficiently, carrying out audits
according to the timetable set for it, choosing priorities and focusing on critical matters, collecting necessary
information efficiently through personal interviews and listening to those involved, observing and reviewing
documents, records and data and verifying the accuracy of the information. It is necessary that there is
sufficient evidence when documenting observations that may be discovered, compiled and classified
according to their importance, preparing audit reports, maintaining the confidentiality and security of the
information that is viewed during the audits, and the ability to communicate with others professionally,
efficiently and fluently.
b. Management system and reference documents that are being audited according to them, with permanent
reference, measuring and comparison:
Understanding the field to be audited and how to apply management systems to various entities, small or
large, industrial or service, and familiarity with what is required for the full application of the terms of the
standard specifications or the necessary documents that the auditor will deal with. It will be the reference on
which he relies throughout the entire audit process such as the International standard "ISO" or any other
international standard.
c. The ability to understand the status of the audited department, i.e. the auditor has the ability to deal with
different conditions in the audit process such as the size of the audited department and its different sections,
the nature of the performance of the operations within it and the linguistic terms used and specific to these
operations in addition to understanding the customs and traditions or the general cultural and social
atmosphere.
d. Awareness and familiarity with laws, legislations and regulations that will be audited and familiarity with local
and international contracts and agreements and any mandatory requirements that the entity adheres to.

Chapter 2: Tasks and competencies


Tasks and competencies of the Director of the Internal Audit office:
 Developing the strategic audit plan and submitting it to the audit committee for approval.
 Reviewing the strategic audit plan at the beginning of each year to ensure the risks and that there have been
no changes in the systems that may affect the risk assessment and obtain the approval of the audit
committee on the changes in the strategic audit plan.
 Developing and submitting the annual audit plan for the current year to the senior management for
approval.
 Monitoring the implementation of the annual audit plan and suggestions for amendments to it as needed
and then approving these amendments.
 Attending meetings related to the department's activities, including holding workshops and meetings to
raise awareness of the importance of Internal Audit services in the entity.
 Analyzing and preparing a risk assessment schedule for management activities and processes which are
audited.
 Preparing the annual budget for the Internal Audit office.
 Controlling the recruitment process for Internal Audit to facilitate the selection of employees with the
necessary expertise and knowledge.
 Ensuring that the Internal Audit team adheres to the Internal Audit manual.
 Providing the necessary technical expertise for the assigned tasks, and updating the information base and
skills necessary to carry out the audit missions periodically.
 Distributing the audit missions included in the audit plan to the Internal Auditors, according to experience
and competence.
 Verifying the efficiency and effectiveness of the applied policies, regulations, and controls and the extent of
compliance with them.
 Preparing periodic reports and submitting them to the Audit Committee.
 Issuing the initial report for review and comment by the management in question.
 Reviewing the obtained management observations and taking actions on them.
 Issuing the final report of the director of the audited department with a copy to the audit committee.
 Planning audit follow-up tasks for operations completed during the year.
 Submitting reports to the Audit Committee on follow-up cases.
 Studying the reports received from other regulatory authorities in the Federal Government and defining the
necessary procedures to avoid observations and follow up their implementation by the various
departments of the Federal Entity.
 Ensuring appropriate professional development for Internal Audit personnel including appropriate training,
advice and direction, and a transparent performance evaluation system.
 Participating in the preparation of the professional development plan for each employee that includes
obtaining the necessary professional qualifications, appropriate training programs, and identifying
weaknesses to be improved upon.
 Reviewing and approving employees’ evaluations after each audit mission, discussing them with
employees and approving development plans.

Tasks and competencies of the Main Internal Auditor:


 Participating in preparing the strategic audit plan.
 Reviewing the strategic audit plan at the beginning of each year to ensure the risks and that there have been
no changes in the systems that may affect the risk assessment.
 Participating in preparing the annual audit plan for financial and operational audit missions, compliance,
performance, and information technology, and submitting it to the office director for review and approval.
 Managing Internal Audits and verifying their implementation according to the relevant standards.
 Implementing annual audit plans in accordance with the timetable.
 Collecting, analyzing, assessing risk and preparing a draft risk assessment record for the purpose of carrying
out the audit mission.
 Preparing Internal Audit programs for the audited activities.
 Implementing Internal Audit work and supervising the work of the auditors working within his team and
evaluating their performance.
 Reviewing the worksheets prepared by the auditors and providing them with the necessary technical
support.
 Ensuring that all data and documents supporting the observations included in the initial Internal Audit
report are obtained.
 Preparing Internal Audit reports and submitting them to the office director.
 Contributing to developing and updating Internal Audit policies and procedures and working in accordance
with them.
 Participating in developing and modernizing the Internal Audit system in order to improve the efficiency of
Internal Audit.
 Contributing to the processes of assessing the efficiency and effectiveness of the Internal Audit system and
internal controls and proposing measures to improve them.
 Suggesting work models to be worked with at the Internal Audit office in accordance with the Internal Audit
methodology of the Federal Government and in the light of Internal Audit standards.
 Preparing files and worksheets and organizing them in a way that suits the requirements of each of the
audited activities and making sure to keep them in the appropriate file - "permanent" or "temporary".
 Carrying out special tasks as requested by the audit Director.

Tasks and competencies of the Internal Auditor:


 Submitting reports regularly to the main auditor on the status of each audit mission.
 Participating in the implementation of special tasks at the request of the office manager or the Main Internal
Auditor.
 Attending the Internal Audit team meeting.
 Attending inaugural planning meetings.
 Participating in risk assessment process.
 Participating in preparing the Internal Audit program, which includes the testing strategy.
 Carrying out tests to check the internal control systems that were identified during the planning stage, and
to conclude its effectiveness.
 Determining adequate information that depends on reliable, useful and relevant facts to achieve the audit
objectives.
 Documenting the work done during the process of understanding the nature of the activity or department
being audited.
 Ensuring that sufficient documents are prepared and kept with files, whether permanent or ongoing, to
understand the activities that will be audited.
 Documenting and confirming the discovered notes and the department’s response to them.
 Preparing the internal checklist for deficiencies.
 Participating in preparing the initial Internal Audit report.
 Attending the closing meetings to discuss the submitted notes and the proposed recommendations.
 Participating in the observations, recommendations and follow-up tasks to ensure the implementation of
corrective actions properly and ensuring that they conform with what was stated in the report.

Chapter 3: Basic principles of professional practice of Internal Audit

When performing his duties, the Internal Audit employee working in the Federal Government must adhere to the basic
principles of Internal Audit as stipulated in the International Professional Practices Framework of Internal Audit work
issued by the Institute of Internal Auditors, as follows:
 Performing his work with integrity.
 Possessing the necessary competence and exerting the necessary professional care.
 Objectivity and freedom from any influences on its independence "that is, he should be independent".
 Alignment with the strategies, objectives and risks of the entity he works with.
 His position should fit the tasks assigned to him and he should have the sufficient resources.
 Quality and continuous improvement in work performance.
 He should communicate effectively using all available communication channels.
 Providing risk-based confirmation.
 He should have insight and a vision of the future and take future matters into consideration.
 Supporting the development and improvement of the organization he works for.

General regulatory provisions:


 All concerned employees must study this manual and any amendments that may occur later on.
 The manual should be reviewed once a year or more, updated and developed based on the proposals of the
Federal Entities. It should include amendments and updates on professional standards and practices,
provided that any amendments are approved by the authority that approved this manual.
 Internal Audit offices in Federal Entities may develop their own work procedures and detailed forms to
assist the office’s staff in the performance of their tasks, with the need to take into account that the
procedures are within the general framework of the Internal Audit charter and methodology approved in
this manual.
 The office manager, as is common practice in the Internal Audit profession, must keep a permanent and a
current file for the present year.
 Work documents and records must be kept in accordance with the relevant federal legislation.
 Flexibility and speed must be taken into account in the process of appointing Internal Auditors or temporary
outsourcing of some auditors' services to ensure the availability of expertise and skills necessary to perform
the work and implement the annual audit plan.
