(Version 1.5)
Table of Contents
1 INTRODUCTION
1.1 Purpose
1.2 Distribution
1.3 Revisions & Updates
3 PLANNING
3.1 The Audit Universe
3.2 Develop Audit Plan
3.2.1 Resource Allocation
3.3 Review and Approval by the Audit Committee
9 RESOURCES
9.1 Human Capital
9.1.1 Recruitment & Development Guidelines
9.1.2 Orientation Program
9.1.3 Roles & Responsibilities
9.1.4 Key Performance Indicators
9.1.5 Professional Certification & Organizations
9.1.6 Development & Training Plans
9.1.7 Staff Rotation
9.1.8 Performance Evaluation
9.2 Technology
11 ADMINISTRATIVE MATTERS
APPENDICES
1.1 Purpose
The purpose of this manual is to communicate the principles, policies and procedures that are essential to guide the
internal audit management and staff in the consistent compliance with the Internal Audit (IA) Department’s standards
for performance and the Internal Audit Charter. The manual generally encompasses the activities of the IA’s
management and staff, while the companywide policies that are included or referred to in this manual govern the
activities of all employees.
1.2 Distribution
The manual is intended to be distributed to Internal Audit personnel and it will be provided to the members of the
Board and Audit Committee, as and when required. Any additional copies of this manual shall only be made and/or
distributed following written approval of the Head of Internal Audit. The Head will be the custodian of the Manual and
will be responsible for maintaining a complete record of any changes/modifications to the Manual.
1.3 Revisions & Updates
The emerging trends and developments in the internal auditing practices will be continuously assessed and the
necessary revisions and updates will be made in this manual as set forth in the IA Charter that is approved by the
COMPANY NAME ( ) Board. The manual will be considered for revisions during the 1st quarter of every year, as
required.
Page 5 of 75
2. THE INTERNAL AUDIT (IA) ACTIVITY
This section presents the overview of the IA activity including extracts from the IA Charter, key principles, operating
policies, and the IA organization; this section serves as the foundation for the detailed guidelines and procedures
described throughout this Manual.
Mission
The mission of the Internal Audit function (IA) is to provide independent and objective reasonable assurance and
advisory services to the Board of Directors and Senior Management to add value and improve the organization’s
operations and systems of internal control.
The IA function assists the organization in accomplishing its objectives by bringing a systematic and disciplined
approach to evaluate and improve the quality and effectiveness of risk management, internal controls, and
governance processes in order to:
Provide reasonable assurance to the Board of Directors and Senior Management that the processes and
controls put in place by Management are functioning as intended, and will (a) enable the organization to
achieve its objectives, (b) safeguard its assets, (c) comply with laws, regulations and contracts, and (d) provide
relevant, reliable and timely financial and operating information, and;
Provide recommendations for improving the organization’s operations, in terms of both performance
efficiency and effectiveness.
Furthermore, the nature and scope of other advisory-type services are agreed with Senior Management and are
intended to both add value and improve the organization’s risk management, control, and governance processes
without the Internal Auditor assuming Management’s responsibility. All advisory-type assignments will be assessed by
IA Management prior to acceptance, to ensure that the IA function’s independence is not compromised. The
Companies’ Audit Committee will be updated on the acceptance of such assignments during its meetings with the
Head of the IA function.
IA will work closely with the External Auditors and other assurance providing functions within the organization, where
necessary, in order to support the aforementioned objectives in the most effective and efficient manner, and to
ensure a reasonable audit coverage across the organization.
Responsibility
The Head of IA will be responsible for the following, under the supervision/guidance of the Audit Committee:
Develop the Annual Audit Plan using a risk-based methodology, while considering significant risks or controls
that have been identified by Management, and submit the Audit Plan to the respective Audit Committee for
review and approval.
Work in conjunction with External Auditors and other assurance providers, as appropriate, for the purpose of
providing reasonable audit coverage to the organization.
Deliver the Annual Audit Plan, as updated/approved by the Audit Committee, including, and as appropriate,
any special tasks that had been requested by the Audit Committee and Senior Management.
Report significant issues related to the processes for controlling the activities of the organization, including
potential improvements to those processes.
Perform advisory services beyond IA’s assurance services, to assist Management in achieving its objectives.
Provide information periodically to the Audit Committee on the status and results of the Annual Audit plan
and the sufficiency of IA’s resources.
Perform follow-up on the reported audit observations, recommendations, and agreed actions, to monitor and
ensure that either Management actions have been effectively implemented or whether Senior Management
has accepted the risk of not taking the required action.
Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications
to meet the requirements set forth in the Charter.
Establish a quality assurance program by which the IA assures the effectiveness and efficiency of IA operations.
Keep the Audit Committee informed of emerging trends and successful practices in Internal Auditing.
Coordinate with other control and monitoring functions across COMPANY NAME to enhance IA’s
understanding of the control environment and to promote best practices.
Participate in the meetings of the Audit Committee and support its programs/activities designed to carry out
the Audit Committee’s mission.
On a periodic basis, report to the Board on the audit results and activities pertaining to the respective
Company.
The Vice President of Internal Audit (VP-IA) is accountable to the COMPANY NAME ( ) Audit Committee and to the
Boards of Directors of and . The VP-IA shall ensure and regularly apprise the Audit Committee and Board that
Internal Audit’s mission and responsibilities are performed according to the terms set forth in this Charter.
The Audit Committee shall hereby review and approve the appointment, review performance, replacement, dismissal,
and compensation of the VP-IA according to the terms of the Audit Charter.
Authorization
Gain unrestricted access to all business units/functions, records (manual and electronic), property, personnel,
and information systems;
Allocate resources, set frequencies, select subjects, determine scope(s) of work and apply the techniques
required to accomplish audit objectives, and;
Obtain the necessary assistance of personnel of the units of the organization where they perform audits, as
well as other specialized services from within or outside the organization.
Any material instances where access to records, personnel, or physical properties relevant to an audit are not
provided to IA, in a timely manner, despite request, will be reported to the Companies’ CEO, and to the Audit
Committee(s), as required. Any unresolved matters may be escalated initially to the Chairman of the respective
Companies’ Board and then ultimately to the Chairman of the Board.
Perform any operational duties for the organization, its affiliates, or joint ;
Initiate or approve Accounting transactions that are deemed to be external to the administration of the
Internal Auditing function;
Implement recommendations for improving internal controls or to determine which recommendations should
be implemented;
Direct the activities of any organization employee, not employed by the IA function, except to the extent such
employees have been appropriately assigned to audit projects and teams, to assist the internal auditors, and;
Perform any assignment which will impair their independence & objectivity and does not fall within the scope
of Internal Audit (i.e. establish P&Ps, issue certificates to 3rd parties, dealing with 3rd parties on behalf of
Management, etc.).
Any member of the IA Function who deviates from the above shall not be considered independent with respect to the
respective business unit/function for a period of 1 year from the date of violation.
IA will conduct its activities in conformance with the applicable International Standards for the Professional Practice of
Internal Auditing (i.e. IIA-USA, etc.) and other industry best practices. As such, the Internal Auditors are expected to
follow the IIA’s and Companies’ Code of Ethics.
Management is ultimately responsible and should assume ownership of the internal controls across the enterprise,
and Management’s overall attitude toward controls sets the “Tone at the Top” that affects integrity and ethics and
other factors of a positive control environment. IA plays a crucial role in the dissemination and implementation of key
corporate governance, risk management and controls policies listed below:
The Corporate Governance Manual developed and approved at sets out the Corporate Governance principles,
structure, roles and responsibilities and authorities for the Boards, Committees and Senior Executives across . The
objective is to ensure a sound Corporate Governance Framework, which will enable efficient decision making,
adequate controls for accountability, and maximization of shareholder value.
The Code of Conduct sets out the fundamental business values, by summarizing the standards underlying the
Company’s business ethics and professional integrity that apply to all employees; all employees are required to
affirmatively acknowledge the receipt of the said manual.
The Code of Conduct obliges all employees who suspect any misconduct that may be inconsistent with the
policies or legal requirements, to report it to either the respective Functional-Head/Line-Manager, Legal and/or HC
Department.
is committed to the “highest degree of honesty and ethical behavior” as outlined in the Code of Conduct. In line
with this commitment, promotes an anti-fraud culture, which requires all staff to act with honesty and integrity at all
times and to take appropriate steps to safeguard the company’s assets and resources.
The Corporate Fraud Policy defines fraud and requires employees to report any fraud that is detected or suspected,
consistent with the Ethics Hotline.
The IA Dept. will investigate any reported fraudulent acts, as requested by Senior Management, and will
investigate any suspected fraud discovered during audit fieldwork. If the investigation substantiates that fraudulent
activities have occurred, the Internal Audit Head will issue reports to appropriate designated personnel and, if
appropriate, to the Board of Directors through the Audit Committee (i.e. Investigation Responsibilities, Corporate
Fraud Policy). Internal Audit is also responsible for:
assisting in the deterrence and prevention of fraud by examining and evaluating the effectiveness of controls
ensuring that management has reviewed its risk exposures and identified the possibility of fraud as a business
risk
This section covers the general principles and guidelines applicable to the IA organization and personnel.
Policy
The internal audit activity must be independent, and internal auditors must be objective in performing their work.
Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out
internal audit responsibilities in an unbiased manner.
Objectivity is a mental attitude that internal auditors must maintain in performing audits. All department audit
methods and procedures are designed with the objective of fostering objectivity, and internal auditors should
maintain an independent mental attitude free of partiality or bias when performing audits and should not subordinate
their judgment on audit matters to others.
Guidelines
In conformance with the practices, the following should be considered and implemented by the IA team, Senior
Management and Audit Committee:
The Vice President of Internal Audit (VP-IA) is accountable to the COMPANY NAME ( ) Audit Committee and to
the Boards of Directors of and . The VP-IA shall ensure and regularly apprise the Audit Committee and
Board that Internal Audit’s mission and responsibilities are performed according to the terms set forth in the
Charter.
The Audit Committee shall hereby review and approve the appointment, review performance, replacement,
dismissal, and compensation of the VP-IA according to the terms of the Audit Charter.
Internal Auditors should design audit programs and perform audits in such a manner that they have
considerable confidence in their work and deliverables and that no significant quality compromises are made.
Internal Auditors should not be placed in situations in which they feel incapable or constrained to make
objective professional judgments, while appropriate supervisory involvement should ensure that audit
objectives are met, and that objectivity is maintained.
On an annual basis, all Internal Auditors are mandated to complete the Internal Audit Annual Declaration form
to disclose absence of or report any conflict of interest. Staff assignments should consider potential conflicts of
interest and biases. Internal Auditors are expected to report conflict of interest situations to their superiors,
while the respective Team Leader will consider the conflict situation and reassign Auditors as appropriate. It is
preferable that the Auditors are rotated among audit subjects and locations to enhance training, career
development and reduce conflict of interest risk.
Internal Auditors should not assume operating responsibilities, and if any Internal Auditor performs any non-audit
work, it is understood that they are not functioning as Internal Auditors; the Auditors will not audit any
activity for which they had the authority or responsibility in the prior 12 months.
Persons transferred to, or temporarily engaged by the IA Department should not be assigned to audit those
activities they previously performed until a reasonable period has elapsed. Such assignments are presumed to
impair objectivity and should be considered when supervising the audit work and reporting audit results.
The Team Leader is responsible for reviewing all audit work prior to final reporting to ensure that the
objectivity was in place.
Audit personnel will not design, install or operate systems or draft operating procedures. It is however
expected that the IA personnel shall be available to provide control guidance to operating employees; this
process shall be carefully performed, documented, and will be subject to secondary review by IA Management.
Impairment of objectivity
If independence or objectivity is impaired in fact or appearance or when potential impairment is suspected, the
following guidelines shall be observed as applicable:
Internal Auditors should report to the relevant Team Leaders and ultimately to the VP-IA any situations in
which an actual or potential impairment to independence or objectivity may reasonably be inferred, or if they
have any queries as to whether a situation constitutes an impairment to objectivity or independence.
Where, upon the determination of the Audit Team Leader or the VP-IA, impairment exists or may be inferred,
the concerned Internal Auditor should be immediately removed from the engagement in which impairment of
independence has occurred or is suspected.
Internal Auditors must not accept fees, gifts, or entertainment from an employee, client, customer, supplier, or
business associate that may create the appearance that the Auditor’s objectivity has been impaired. The
appearance that objectivity has been impaired may apply to current and future engagements conducted by the
auditor. The status of engagements is not to be considered as justification for receiving fees, gifts, or
entertainment. However, the receipt of promotional items (such as pens, calendars, or samples) that are
available to other employees and the general public and have minimal value does not hinder internal auditors’
professional judgments. Internal Auditors should comply with the COMPANY NAME Gifts, Hospitality and
Entertainment (GHE) Policy.
Internal Auditors should report immediately the offer of all material fees or gifts to their immediate Team
Leader and ultimately to the VP-IA.
Objectivity is assumed to be impaired if the Internal Auditor has been involved in the activity being reviewed
during the last 12 months or the period of coverage, whichever is longer.
Scope limitation is an impairment of Auditor’s independence. This is covered by relevant section of this manual.
The VP-IA is responsible for communicating actual and potential impairment of independence or objectivity to
appropriate parties (i.e., Audit Committee, Board).
Policy
Internal auditors must apply the care and skill expected of a reasonably prudent and competent Internal Auditor.
Reasonable prudence and competence call for professional judgement such that another professional will arrive at
the same conclusions made by the Internal Auditor given the same or similar circumstances. Due professional care
does not imply infallibility.
Guidelines
Skills: Internal Audit Management including VP-IA and the Team Leaders will be responsible to ensure that only staff
with relevant skills are assigned to specific audit assignments. Where gaps are identified, they should be
addressed by (1) providing the required training and developing existing staff, (2) assessing whether the
gap can be bridged by bringing in a Guest Auditor (business expert from the business), and/or (3) assessing external
resources.
Audit procedures: All audit procedures should be designed considering the complexity and significance of activity
being reviewed, as well as the prevailing conditions, including the adequacy and effectiveness of governance, risk
management and internal controls; to ensure that the nature, timing and extent of work will meet the objectives of
the audit.
Possibility of fraud or errors: Internal Auditors should be alert to the possibility of intentional wrongdoing, errors and
omissions, inefficiency, waste, ineffectiveness and conflicts of interest. An appropriate degree of testing is to be
performed as part of the audit program in order to validate and gauge exceptions. When an Internal Auditor suspects
wrongdoing, the relevant Audit Team Leader should be notified. The VP-IA will determine whether an audit or
investigation in the suspected areas of wrongdoing is warranted, in consultation with appropriate Senior
Management, as appropriate.
Reasonable assurance: Due professional care calls for reasonable care and competence, not infallibility or
extraordinary performance. Auditors are expected to conduct examinations and verifications to a reasonable extent,
with an appropriate degree of testing. Accordingly, the Internal Auditor cannot give absolute assurance of adequacy
or effectiveness or that non-compliance or irregularities do not exist.
Use of CAATS: Internal Auditors should consider the use of technology-based and other data analysis techniques to
extract and exploit the information stored in the company’s databases, wherever applicable and where other means
of obtaining useful information (i.e. system reports, filtered worksheets, etc.) are not appropriately available; it is
however understood that not all the Internal Auditors will have expert systems’ auditor skills.
Use of authoritative standards: Internal Auditors will consider established industry, corporate, and local operating
standards as a basis for evaluating operating practices; the standards to be used should be suitable and should be
reasonably conversant to the given environment and/or processes. Where applicable, reference will be made to
recognized frameworks and/or best practice models such as the Committee of Sponsoring Organizations’ (COSO)
Enterprise-wide Risk Management (ERM) and Internal Control integrated frameworks and the Information Technology
Governance Institute’s (ITGI) Control Objectives for Information & Related Technology (COBIT).
Management Input: Consideration of Management concerns is important when auditing systems because local
Operating Management is familiar with system use and potential system problems. When local written procedures
are not in place, Auditors should solicit management for specific expected standards of performance, and these standards
may be used as the basis for audit evaluation.
Other Assurance Providers: A Combined Assurance Map is currently being developed, which would clearly define the
level of assurance being provided by the different assurance providers both within and outside the organization (Risk,
Compliance, Health & Safety, External Auditors etc.). During the year, Internal Audit will perform high-level
reviews/hold discussions with the different assurance providers to assess whether the work performed by them is
consistent with what was reported in the Combined Assurance Map. Any significant changes should be highlighted in
the Assurance map and reported to the ARC. The level of assurance provided by these assurance providers should be
considered by the IA team when developing both the Annual plan and the engagement program.
Materiality: Internal Audit evaluations should consider materiality, impact, cause, and effect of control concerns.
Audit testing and discussion with Audit customers may be necessary to determine these factors.
Cost-benefit: All planned audit steps should be designed in a manner that includes cost/benefit consideration.
Definition
Scope limitations include situations in which a client is uncooperative, attempts to limit the scope of planned work or
denies access to records, personnel, assets or other information necessary to complete the audit in a timely manner.
Access Limitations
The Audit Charter provides Internal Audit unrestricted access to all assets, information, reports, records, systems, and
personnel required to perform its work. Internal Audit is authorized to have full, free and unrestricted access to
information including records, computer files, property, and personnel of the business units in accordance with the
authority granted by the Board's approvals of the charter.
Except where limited by law, the work of Internal Audit is unrestricted; Internal Audit is free to review and evaluate all
policies, procedures and practices of any Business Unit’s (BU) activity, program, or function.
The audits of the Owner/Organisations’ interest in a Joint Venture will be covered, where deemed necessary by the
Audit Committee, via the Joint Venture Agreements which should include a clause for ‘Right to Audit’ by ; the same
should be formally communicated and agreed with VP Internal Audit and the Audit Committees where such audits are
outsourced.
Resolution Process
The Auditor should bring all matters involving scope limitations to the attention of their Team Leaders. If Team
Leaders are unable to resolve the matter with the client, the VP-IA should be notified and involved in the process to
assist in its resolution. The matter should be brought to the attention of the Audit Committee, as warranted by VP-IA.
All scope limitation discussions should be documented within the respective audit work papers (i.e. TeamMate
Project, etc.).
In the event a scope limitation significantly impacts the planned scope of the audit and is not resolved to the
satisfaction of Internal Audit, the audit report should state that the audit team was unable to perform the planned
tests and/or assessment of specific processes. Any audit reports with significant limitations on scope will be
distributed to all relevant stakeholders including Audit Committee.
2.3.4 Errors and omissions
Policy
In accordance with the Standards, if the final audit report contains a significant error or omission, the VP-IA will
communicate the corrected information to all parties who received the original communication. The VP-IA office will
either issue a memorandum or an email providing details of the error or omission along with the original report
containing the error or omission not later than three (3) working days from the discovery of such significant error or
omission. A significant error or omission will be understood as those misstatements or omissions in the audit report
that would mislead those who rely on the audit report, while making business decisions or actions leading to material
adverse consequence to the business.
2.3.5 Non-conformance to the Definition of Internal Auditing, Standards, or the Code of Ethics
Overall non-conformance
As required by the IA Charter, the IA will conduct its activities in conformance with the International Standards for the
Professional Practice of Internal Auditing promulgated by the Institute of Internal Auditors (IIA). Wherever the results
of external Quality Assessment reveal or where the VP-IA determines that IA’s overall scope of operation does not
conform to the Definition of Internal Auditing, the Code of Ethics, or the Standards, the VP-IA will disclose such non-
conformance to the Audit Committees and to Board. The disclosure will include the reasons for and the impact of
non-conformance and will be maintained in the communications to Board and Audit Committee until conformance
has been achieved.
Upon endorsement of IA’s conformance with the Definition of Internal Auditing, the Code of Ethics and the Standards
by the external Quality Assessor, the relevant engagement communications/report will either include a statement of
conformance or the following:
Principle and/or rule of either the Code of Ethics or Performance/Attribute Standard(s) with which full
conformance was not achieved;
Impact of non-conformance on the respective audit project/engagement and the communicated engagement
results.
Work papers are the Auditors' property and should be maintained under their control. The Auditors should know
exactly where the work papers are during the conduct of the audit. When not in use, they should be secured in a
locked file or otherwise secured so they are not readily available to persons not authorized to use them. Preferably,
all relevant documents should be maintained in TeamMate; where relevant, confidential documents must have
TeamMate confidentiality protection, and additional document password protection can also be used. TeamMate files will
be maintained for a minimum of 3 years. Hard copies (not scanned into TeamMate) will be maintained under lock for a
minimum period of 18 months, after which they can be transferred to an offsite storage location.
Details of any documentation sent offsite for storage will be maintained with the Department Secretary.
2.3.7 Value Added
Areas where Internal Audit Department can add value have been defined based on feedback obtained from key
stakeholders such as the ARC and Senior Management and based on best practices noted within the Industry.
Generally, the Internal Audit plan will include 10% of the time for such ad hoc projects, which may include but not be
limited to the following:
Proactively participate in the risk management process to facilitate management in identifying and protecting
against traditional and emerging risks. This may involve providing quality inputs both at the risk assessment
workshops and as part of Risk Committee meetings.
Provide value added recommendations to improve the process not only in terms of effectiveness but also
efficiency; such may include recommendations around making the process leaner, automated versus manual,
best practices adopted in other companies/OPCOs etc.
Review of Policies and Procedures and delegation of authority to ensure a robust control environment is in place.
Use Internal Audit’s broad understanding of the organization, its culture and control environment to review
system implementations, merger & acquisition, new country set-ups, restructuring, regulatory compliance,
system capability assessments etc.
Improve awareness around risks and controls; this may include self-assessment reviews, training and
workshops etc.
Develop talent and business know-how across functions and regions through guest auditor programs.
In all cases where the scope of work is beyond assurance and not specifically mentioned in the Annual Audit plan the
purpose of performing such services will be to improve the organization’s risk management, control, and governance
processes without the Internal Auditor assuming Management’s responsibility (refer to the consulting section).
The Internal Audit Department is headed by VP-IA who reports directly to the Chairman of the Audit Committee and
Board, and administratively to the CEO. The overall IA function is aligned as per the business companies and
operating units, with specialized team for technical/system areas. An organization chart will be developed annually
and shared with the Audit Committee Chairman for review and approval.
2.5 The Audit Process
As illustrated below, the audit process is a continuous loop of periodic activities, on either a per-project or an ongoing
basis. Following the risk-based methodology, the audit assignments are principally driven by a comprehensive risk
assessment performed on an annual basis to ensure that audit resources are appropriately allocated to priority areas
with higher risk/significance scores.
[Figure: the audit process cycle. Step labels: Review Internal Audit Charter, Policies & Procedures; Perform Project-level Risk Assessment; Develop Engagement Plan; Supervise Audit Projects (i.e. Planning, Fieldworks, etc.); Obtain Management's Feedback (Surveys); Assess and Improve Quality; Perform Follow up]
3 PLANNING
[Figure: the audit planning process. Labels: Management Interaction; Identify new areas of risk/concern through regular interaction with Management; Approved Plan is subdivided into quarterly plans for execution; Quarterly reassess & revise plan based on risks & criticality and present change; Update to]
The Annual Internal Audit Plan is intended to demonstrate the breadth and depth of audit activities addressing
financial, operational and compliance risks of the ; it also encompasses accountability for our resources; and
highlights the progress in our efforts to continually improve the overall control environment. The objective of the
model is to optimize the assignment of audit resources through a comprehensive understanding of the audit universe
and the risks associated with each business/activity/process. The aforementioned diagram summarizes the audit
planning process and details are listed below.
Given the diversity of businesses at and the complexity of assessing the overall impact of the various businesses and
functions on , Internal Audit takes a number of considerations into account when assessing prioritization of the Audit projects:
Planning Consideration
The Audit Universe is the aggregate of all areas that are available to be audited and it translates the overall scope of
the internal audit activities as defined in the Charter into manageable, auditable entities (activities).
The existing Audit Universe of the was developed and is being maintained based on detailed analysis of business
processes and projects that drive the individual Business Units (BUs) and overall ’ risk profile. Starting with the prior
year’s audit plan, all key processes/functions are documented and circulated to the BU via Survey forms for their
input; the Survey forms also provide the opportunity for Management to provide their feedback into the planning
process regarding key risks, new developments, areas of concerns etc.
The Audit Universe is a dynamic database and is expected to evolve, consistent with the nature of the business and its
operating environment. The IA Management will continually monitor the sources, evaluate the appropriateness and
update the existing Audit Universe on either annual or more frequent basis as required.
Assigning a score (1-5, one being the lowest and five the highest) to every significant process/function within a
department and / or a BU identified in the Audit Universe (e.g. Film Hiring in Cinema, or Logistics at Fashion, or Safety
at L&E etc.) based on the following:
Process Risk & Complexity; the inherent risk of the process/function, complexity of process specific to the region,
our experience of the process in the same business or in other businesses in , feedback from the Management on
high risks/areas of concern in their businesses from the survey, areas that impact the strategy of the company or
projects considered as strategic initiatives and risks reported to the Board, etc.; the greater the perceived risk, the
higher the score.
Criticality/materiality; the more critical/material the process is to the BU, the higher the score assigned.
Combination of score given by BU and by Internal Audit.
Audit coverage; the number of times previously covered, the depth of the audit coverage, the period from last
coverage; the better the coverage, the lower the score.
Audit results; the conclusion from our most recent review of the process/function, concerns raised by External
Auditor, and / or Senior Management/Board; the more satisfactory the results, the lower the score assigned.
A weighted average of the stage 1 factors allows us to calculate the overall score for a given process/function within the
individual BU.
Although the above exercise provides a basis for scoring the processes based on the residual risk, a key element was
the impact of these processes/functions to Group. To address this, we perform a second stage of scoring the
individual BUs.
Assigning a score (1-5, one being the lowest and five the highest) to each BU (e.g. Cinema, L&E, Fashion, Venture HO,
etc.), based on the perceived impact of the following factors:
Regional; the wider the exposure to different regions, the higher the score.
Regulatory; the greater the regulatory exposure, the higher the score.
Audit History/Control Environment; IA / External Audit concerns on the entity, reported anomalies, incident of
whistle blowing, quality of the governance process, Policies and procedures, Tone at the Top, Qualification and
Quality of Management; the greater the concern, the higher the rating.
Financial Impact; revenue/turnover, capital commitment, etc.; the bigger the financial impact of the entity, the
higher the rating.
Maturity & Stability; the more mature the business, the lower the score.
User Base / Human Dependency; the wider the user base and dependency on human resources, the higher the
score.
System Complexity / Dependency; the more complex the systems in place and/or the higher the dependence on
systems, the higher the score.
Market Factors & Competition; the more competitive/saturated the market, the higher the score.
External Party Involvement / Dependencies; the more significant the third-party involvement and/or the greater
the dependencies on outside vendors, the higher the score.
A weighted average of the stage 2 factors allows us to score the impact that individual BU has to as a Group. A
combination of stage 1 & 2 scores allows us to rate individual processes/functions within each BU as follows:
Based on the aforementioned assessment, 100% of High scored processes/functions are selected, the majority of Medium
rated processes are selected, and Low scored processes/functions are only selected if they are directly connected to
one of the selected High or Medium scored processes or are due for follow up.
All selected processes are then combined / consolidated into Audit Projects (mainly based on the Process Owner) and
then are assigned audit hours based on our experience as to the number of audit hours required for similar projects.
One of the key factors to note here is the level of reliance, if any, that can be placed on other assurance providers
within the Organization that may be providing coverage of these areas. Such considerations should be taken into
account when deciding the depth and scope of audit to be performed. This may include but not be limited to the
following:
Meeting with Risk team at HO on the level of assurance being provided for next year, areas of concern and
their expectations from Internal Audit.
Obtain a listing of all site visits planned by Compliance team at BUs and discuss the scope of work being
performed. Consider whether instead of comprehensive audits reliance can be placed on the Control Self-
Assessments being performed by the Sites and the Internal Control Questionnaire being completed by the HO
functions.
Meet with Compliance team at to understand the level of assurance being provided for and their specific
concerns if any.
Meet with the External Auditors team to discuss the scope of works, emerging risks (changes in standards etc.)
and any other concerns noted by them. Discuss the audit approach for the next year.
Meet with the Health & Safety team to discuss their audit plan for the next year including the sites being
covered and the scope of work.
Meet with any other assurance provider (not mentioned above) to discuss their audit plan for the next year
including the sites being covered and the scope of work.
At this stage ensure that all Strategic initiatives reported by Management (as per strategy document or IA planning
form) and key risks reported to the Board (top risks reported by Risk team and other risks captured through IA
planning form) are then mapped to these projects; any initiatives or key risks not covered are then converted into
specific audit projects and added to the audit universe and as part of the audit plan for next year.
The individual BU Draft Audit Plan is distributed to, presented to and discussed in detail with the individual BU
CEO/CFO. Any feedback is incorporated in the plan, prior to being consolidated for Group.
Consolidated overall plan including a summary of the individual BU audit plan is then presented to the CEO & CFO
for their feedback.
The VP-IA must ensure that Internal Audit resources are appropriate, sufficient, and effectively deployed to achieve
the approved plan (Standard 2030). Staffing plans and financial budgets, including the existing/required number of
allocated Auditors, should be determined from engagement work schedules, administrative activities and staff
development requirements.
This section covers allocation of resources to complement the Engagement Work Schedule, while detailed Internal
Audit resource management guidelines are provided in Section 9 of this manual.
Staff Assignments
Appropriate resources to achieve the engagement objectives should be provided to each of the planned
engagements. The following should be carefully considered in the assignment of Internal Audit staff to carry out the
planned engagements:
The number and experience-level of the required Internal Auditing staff should be based upon an evaluation of
the nature and complexity of the audit assignment, time constraints and available resources.
Functional expertise and other competencies of the Internal Audit staff should be considered in selecting
Internal Auditors for the engagement.
Training needs of Internal Auditors should be considered, since each assignment serves as a basis for meeting
developmental needs of the Internal Auditing activity.
The use of external resources including guest auditors should be considered in instances where additional
knowledge, skills and other competencies are needed.
External Resource
Internal Audit's services are designed to fulfil the varying needs of its diverse customers and the Internal Audit Plan is
prepared annually to align these services across all operating companies. As part of the annual audit planning
exercise, the audit assignments and resource constraints are analysed to identify any gaps and to decide whether any
additional resources/expertise (i.e. permanent staff, guest auditors, 3rd-party) will be required. Preference should be
given to obtain services of Guest Auditor to bridge any gaps noted and then consider using the work of 3rd party
specialists.
Guest Auditors:
Internal Audit management in coordination with Management will identify potential business experts which can be
utilized by Internal Audit for specific projects. The purpose would be to help improve the overall quality of audits
as well as efficiency as to how we perform them, ultimately accommodating the fast pace of growth of the
COMPANY NAME business. Guest auditors will be utilized in one of the two ways described below:
Sharing of audit programs; specific audit programs will be shared with the business expert for their insights and
expert advice. In such cases the revised audit programs will be used by the audit team to improve the quality
and effectiveness of audits being performed.
Guest auditor; for specific projects (whilst ensuring objectivity and independence) business experts will be
asked to accompany the audit team on specific projects to perform specific audit procedures. All work
performed by the business expert will be subject to review by the Team Leader consistent with the regular practice on other
projects.
Internal Audit Management may consider using the work of 3rd party specialists in the presence of constraints that
could impair the audit work to be performed or potential gains in the quality of the audit. Using the services of
external specialist could be the only viable option when the Internal Audit staff lacks the required skills or other
competencies to perform a mandatory engagement and the business expert within the businesses cannot be used.
Whenever external specialist will be involved, the nature of their services and effect on the audit objectives should be
carefully considered including but not limited to the following:
10% of the total available (or projected) resources for the year can be ad hoc projects, which includes consulting
engagements, fraud investigations, or other special services, which cannot be identified during the annual planning.
To ensure a robust planning process, it will be up to the Head of Audit to approve any deviation to the Audit Plan
which may result from change in the risk profile, new unexpected developments, resource constraints etc. Any
significant deviation or change to the Audit plan will have to be presented to and ratified by the Audit Committee in
the third quarter of the year.
4 CONDUCTING AUDIT ENGAGEMENTS
A complete planning document consists of the results of any pre-fieldwork analysis of the audit entity, project level
High risks identified (including fraud), scope and objectives, assessment criteria, the work program and the resources
allocated.
Based on the Quarter-wise audit plan, an audit project is initiated by the Team Leader of the project which includes
the following, as applicable.
Team Leader will be responsible for creating a ‘shell’ project in the by using the standard naming convention (refer
Appendix C).
Project team
Confirm the availability of Internal Auditors allocated to the project; the team will perform the pre-fieldwork analysis
of audit entity discussed below.
Client contact
Establish initial contact with the client to identify the process owner, audit liaison, other key personnel, logistics and
other administrative matters.
The pre-fieldwork analysis is a systematic collection of vital process and related information, without detailed
verification, and is designed to understand the significant activities within the relevant process (or subject), to validate
the risk assessment and key assumptions that had been identified during the annual risk assessment and planning,
and obtain information for use in performing the engagement (i.e., key personnel, locations, timing constraints, etc.).
The majority of the below activities will be performed by the Audit team during the planning stage and through a Planning
meeting with the key personnel in the client if required.
The Internal Auditor must obtain an understanding of the following areas (Standard 2201):
The objectives of the activity being reviewed and the means by which the activity controls its performance and
achievement of those objectives and constraints.
The significant risks to the activity, its objectives, resources, and operations and the means by which the
potential impact and/or likelihood of risk is kept to an acceptable level.
The adequacy and effectiveness of the activity’s risk management, control, and governance systems
considering relevant control framework/model.
The opportunities for making significant improvements to the risk management, control and governance
systems.
The scope of work and the time requirements of the analysis will vary depending on the Internal Auditor’s training
and experience, knowledge of the activity being examined, and the type of engagement being performed. The
standard procedures performed during pre-fieldwork analysis are as follows:
Previous audit reports of the entity or closely related process should be reviewed to leverage information that is
available with IA, and previous experience with the audit client should be carefully considered during engagement
planning. The Internal Auditor should use the read-only Auditor account on TeamMate EWP to access audit files to
ensure that the data is not inadvertently altered.
The latest available Financial and Management reports should be reviewed to understand unusual trends; any
significant variances (i.e., budget/actual) and anomalies should be considered, while developing the audit program.
Fraud Incidents
Enquire from Management any fraud incidents reported in the period under coverage and review the investigation
report, if any.
Process mapping is one of the key procedures that are utilized to obtain and demonstrate the Internal Auditor’s
understanding of the current processes. A process map may be utilized to define the input, activities and output of
the process and a flowchart is the most common tool used for process mapping; a narrative description can be
sufficient for less complex processes. The flowcharts highlight segregation of duties, bottlenecks, redundant activities
and control points. However, the Auditor should define the level of detail that will be required considering the overall
budget/time.
For the processes that are heavily dependent or critically dependent on computer applications, the system level
process mapping should preferably be performed by the Internal Auditor; the system inputs, process, output,
storage and interfaces should be identified in addition to understanding the system architecture, platform (OS, databases,
hardware, networks, etc.) and security.
The Internal Auditor should identify and understand the impact of non-compliance to significant contracts, laws and
regulations and Business Code of Conduct; the Internal Auditor may need to consult the Legal Department to assess
the Compliance risk in cases when critical Compliance issues have been identified. Any reports for Ethics Hotline
should be reviewed.
Coordination with other assurance providers or internal and/or external oversight bodies
The scope of work of other assurance providers (such as Risk, Asset Protection, Loss Prevention, Compliance, External
Auditors etc.) within and outside the organization should be understood and in appropriate cases, coordinated within
the context of the planned audit work. Objective should be to assess the level of reliance Internal Audit can have on
the work performed by these assurance providers in order to limit duplication of efforts.
The most important activities during the pre-fieldwork analysis are the identification and understanding of the
process (entity) objectives, risks to the achievement of those objectives and controls to address those risks as well as
the issues that drive those objectives, risks and controls. Fraud risks should be considered as part of this exercise.
Risks identified at the annual planning stage should be reconfirmed at this stage.
The planning document should clearly demonstrate the top risks considered (including fraud) and the connection to
the audit program/work to be performed.
Internal Audit team should ensure that any strategic initiatives being taken by the business form part of the audit
plan.
Document conclusion
The outcome of the pre-fieldwork analysis should drive the utilization of resources and support the progression or
discontinuation of the audit project or any part thereof.
In cases where the Team Leader determines that the scheduled engagement should be discontinued, or its scope
should be extended/reduced, the decision should be documented and escalated to the VP-IA.
The engagement objectives should address the risks and opportunities for improvements of the specific process or
authenticity that is being audited while at the same time form part of an overall assessment of the organization’s Risk
Management, Internal Control and Governance framework.
The Internal Auditor should be aware of “…the probability of significant errors, irregularities, non-compliance, and
other exposures when developing the engagement objectives” (Standard 2210.A2) and audit clients can be consulted
in order to enhance the overall audit process.
The audit objectives should be properly documented in appropriate section (Project\Profile\Objective) of the
TeamMate EWP Project file.
4.1.4 Engagement Scope
The scope of work should be sufficient to achieve the engagement’s objectives, while engagement procedures should
focus on relevant activities, systems, records, personnel, and physical Assets. The audit scope should clearly identify
the audited activities and expected review time. Any specific exclusion from a given area/function should be indicated
in the scope. The audit scope should be properly documented in the appropriate section (Project\Profile\Objective) of
the TeamMate EWP Project file.
Internal Auditors should ascertain the extent to which business or Operational Management has established adequate
criteria to determine whether its objectives and goals have been accomplished. If adequate, Internal Auditors should
use such criteria in their assessment. If inadequate, Internal Auditors should consult with Management to identify
appropriate evaluation criteria (Standard 2210.A3).
Internal Auditors should similarly identify the level of risk that Management is willing to accept as reflected by the
established control criteria in order to appropriately evaluate the effectiveness of the controls being implemented, to
mitigate the risks to the desired level.
The absence of Management-established criteria and the level of acceptable risk does not preclude the Internal
Auditor from identifying other relevant standards (e.g., best practices) which may be used in assessing the clients’
activities. The Internal Auditor should apply sound professional judgement as to the use of suitable criteria.
The Internal Audit Team Leader should identify, plan, and allocate appropriate resources to achieve the engagement’s
objectives; this should be based on an evaluation of the nature and complexity of each engagement, time constraints,
and available staff and expertise (Standard 2230).
In determining the resources necessary to perform the engagement, the following may be considered (PA 2230-1):
The use of external resources may be required where additional knowledge, skills and other competencies are needed
(refer relevant section under 3.2.1 Resource Allocation).
The composition of the engagement team, as originally envisaged, should be evaluated, and any required adjustments
should be made prior to advancing to fieldwork phase.
The Internal Auditor should develop a work program specifying the procedures for identifying, analysing, evaluating
and recording information during the engagement; the engagement work program should identify:
Audit Objectives. The objective for performing audit steps or a set of audit steps (component groups) in the work
program. This is mainly driven by coverage of a specific risk (all key risks identified should have audit steps
assigned and linked).
Team member & work assignments. Schedule of key audit steps assigned to engagement team members (from
resource allocation).
Test Procedures/Steps. Procedures for collecting, analysing, interpreting, and documenting information during the
engagement; the nature, timing and extent of testing required should be specified. Sampling methodology should
be specified where applicable.
Other Information. Any other relevant information (e.g., test location, technical aspects, etc.) that the Internal
Auditor may require to effectively and efficiently implement the work program.
The work program should be prepared by the Team leader and approved by the VP-IA through the Planning
document, prior to the commencement of field work, and any adjustments should also be timely approved. Initially,
the approval may be obtained verbally, if factors preclude obtaining written approval prior to commencing field work
(Standard 2240.A1).
The work programs are prepared/imported to the current TeamMate project either from a previous similar project
and/or the central store.
Upon review and finalization of the engagement work program, the Team Leader will be responsible for preparing the
Audit Notification and forwarding the same to VP-IA for issuance. The Audit Notification Memo is formally issued to
the client for the planned audit engagement. The memo specifies the nature of the engagement, team members,
expected start and other milestone dates, key contact personnel/coordinator, and any other special arrangements.
Refer to a sample Audit Notification Memo attached in Appendix D. Subsequent to issuance of the Audit Notification a
detailed Request for Information (RFI) will be forwarded to key client personnel.
An entrance conference should be held to meet and communicate with key personnel relevant to the engagement.
The attendees should include the engagement team and members of client Management owner/responsible for the
activity being examined. A summary of the topics discussed during the entrance meeting, the date of the meeting,
and attendees (name and title) should be documented in the TM engagement working papers. The topics of
discussion should include the following:
Reconfirm key risks, areas of concerns, fraud incidents and any other major changes informed/identified by IA
during the planning stage.
Logistics
The kick off meeting should be properly documented in the working papers. See attached Opening Meeting notes
format in Appendix E.
4.2 Fieldwork
As the audit engagement advances to the execution phase, the Internal Auditor focuses on obtaining and
documenting reliable, relevant and useful information as planned, by using effective auditing techniques and tools to
accurately identify, analyze and present information that will support audit conclusions and recommendations; the
sufficiency of evidence required to achieve the engagement’s objectives should be evaluated considering the accuracy and
timeliness of the information.
Pre-fieldwork considerations
The Internal Auditor should coordinate with the appropriate personnel within or outside the organization and should
accomplish the necessary administrative formalities.
The Internal Auditor should execute the audit program with the intent of completing the procedures as planned and
without significant change to the scope/coverage. All engagements should be appropriately supervised to ensure
objectives are achieved, quality is assured, and the staff is developed (Standard 2340).
Audit team should give preference to use of Data Analytics when performing audit steps (where applicable).
Information should be collected on all matters related to the engagement objectives and scope of work as specified in
the work program, and analytical auditing procedures should be utilized when identifying and examining information,
while the analytical auditing procedures should be performed by studying and comparing relationships among both
financial and non-financial information.
Information should be sufficient, competent, relevant, and useful to provide a sound basis for the auditor’s
observations and recommendations. Based on the assessed level of risk, the Internal Auditor should devise
procedures to achieve the objectives of the audit; the following are the typical audit procedures that are utilized for
information collection purposes:
Interviews
Interviews involve structured or free flowing conversation with personnel that are knowledgeable or responsible for
the process to obtain relevant information. Interviewing is the most prevalent audit procedure as it does not only
provide the information sought by the Internal Auditor, it can also be used as an opportunity to assess the knowledge
and ability of personnel responsible for critical control-related activities.
Observation
Observations, used as audit evidence, are the Internal Auditor’s first hand impression of activities or objects of
interest to the audit. Depending on the nature of the event or object being observed and the relevance of the
observed fact to the audit, the Auditor’s observation should be supported by some physical evidence (e.g.,
photograph, documents, reports, etc.) due to susceptibility to subsequent questions and challenges. In some cases,
however, when observation provides the most reliable information but cannot be documented physically, as in the
case of testing the actual performance of critical activities, the Internal Auditor should obtain corroborative evidence
(e.g., interviews, documents, etc.).
Documents Gathering
Following sound understanding of the process and leveraging on existing internal controls, the Internal Auditor
identifies and obtains document copies, manual logs, and input forms relevant to the audit.
Database Extraction
Using appropriate database extraction utility (i.e., Audit Command Language (ACL) software, DB query analyzers, MS
Excel, MS-Access, Query-Builder, etc.), the Internal Auditor, having authorized access and knowledge of the database
schema (data organization), may obtain relevant data stored in organization’s databases. However, at the DB level,
data is “normalized” or stored as data units which are not readily comprehensible (as information). The Internal
Auditor should obtain the data dictionary to properly reconstruct information from the raw data.
The Internal Auditor may utilize ACL for data analysis, and seek the assistance of experienced IT practitioners, if
needed, to extract the relevant data.
Re-performance
Re-performance is an evidence gathering activity performed to obtain evidence as to the adequacy of design of a
control procedure; it is the performance by the Auditor of a procedure that had been previously performed by the
client personnel.
Re-performance can provide evidence that the theoretical design of the control is effective (i.e., the control is capable
of being performed in the manner in which it was intended to be performed). Where the control procedure is
computerized, re-performance of the control may be performed using CAATs such as program code analysis, parallel
simulation, test data, etc.
Sampling
Sampling is the process of obtaining information about an entire population by examining only a part of it. There are
different approaches to audit sampling: statistical sampling and non-statistical (judgmental) sampling. Sampling
may be conducted to evaluate controls (attribute sampling) or applied to evaluate balances (monetary unit sampling).
The statistical sampling involves the use of techniques from which mathematically constructed conclusions regarding
the population can be drawn, while non-statistical sampling involves selecting sample items based on Internal
Auditor’s personal reasoning or queries. Although non-statistical sampling is acceptable, statistical sampling using ACL
or any similar tool (i.e. spreadsheets, etc.) may be utilized as applicable, and size and type of sampling should be
documented in the work done section.
Sampling methodology used should be documented as part of the work done within TeamMate. See Appendix F.
Documentation
The audit procedures performed, and the results of those procedures should be properly documented in the work
papers. All fieldwork phase documentation should be attached in the appropriate TeamMate EWP Project file folder
and in the appropriate section of the working paper (Scope/Work Done).
Internal Auditors must base conclusions and engagement results on appropriate analyses and evaluations (Standard
2320).
Analytical audit procedures provide the Internal Auditors with an efficient and effective means of assessing and
evaluating information collected in an engagement; the assessment is performed by comparing information with
expected results identified or developed by the Internal Auditor.
Analytical audit procedures are useful in identifying, among other data:
Whenever analytical audit procedures identify unexpected results or relationships, Internal Auditors should examine
and evaluate such results or relationships. This examination and evaluation should include making inquiries, and
application of other engagement procedures until Internal Auditors are satisfied that the results or relationships are
appropriately justified. Any unexplained results or relationships that have been noted from applying analytical audit
procedures may be indicative of a significant condition such as a potential error, irregularity, or illegal act, which
should be escalated to the appropriate levels of management. Internal Auditors may recommend appropriate courses
of action, depending on the circumstances, and expand the scope of the review.
The audit procedures performed and the results of those procedures should be properly documented in the work
papers, and all of the fieldwork-phase documentation should be attached in the appropriate TeamMate EWP Project
file folder and in the appropriate section of the working paper (Scope/Work Done).
As a standard practice, “Internal Auditors should record relevant information to support the conclusions and
engagement results...” (Standard 2330). The work papers that document the engagement should be prepared by the
Field Auditor and should be reviewed by the respective Team Leader.
Each audit work paper should identify the engagement and identify the contents or purpose of the working
paper.
Each audit work paper should be signed and dated by the Internal Auditor performing the work.
Each audit work paper should be properly referenced in the relevant audit step (work done) or conclusion.
Engagements should be properly supervised to ensure that the objectives are achieved, the quality is assured, and
staff is developed (Standard 2340). The Team Leader, as delegated by the VP-IA, is responsible for assuring that
appropriate engagement supervision is provided, considering the following supervisory controls:
The Auditors assigned possess the requisite knowledge, skills and other competencies to perform the audit.
Appropriate instructions are provided during the planning of the audit and that the audit program is approved.
The approved audit program is carried out, unless changes are both justified and agreed with the Team Leader.
The audit work papers support the audit observations, conclusions, and recommendations and vice versa.
The audit communications are accurate, objective, clear, concise, constructive and timely.
The audit objectives are met.
Providing opportunities for developing Internal Auditor’s knowledge, skills and other competencies.
The extent of supervision required will depend on the proficiency and experience of Internal Auditors and the
complexity of the engagement. The VP-IA has the overall responsibility for review but may designate appropriately
experienced members of the Internal Audit activity to perform the review, while appropriately experienced Internal
Auditors may be utilized to review the work of other less experienced Internal Auditors.
All Internal Audit assignments, whether performed by IA staff (in-house) or external consultant, remain the
responsibility of the VP-IA; the VP-IA is responsible for all significant professional judgments made in the planning,
examination, evaluation, report, and follow-up phases of the engagement.
All engagement working papers should be reviewed by the Team Leader to ensure that all necessary audit procedures
have been performed; the supervisory review should consist of the reviewer signing-off each working paper and
procedures (audit step) within TeamMate, after they were reviewed.
Reviewers may make a written record (Coaching Notes) of questions arising from the review process, send emails,
write review notes on hard copy working paper and/or verbally discuss the concerns and resolve the same. All review
notes (documented within TeamMate) should be addressed and signed off by the respective Internal Auditors prior to
sending the final audit report and closing the audit project file.
The details of the observations noted, and the root cause should be discussed with the relevant auditee personnel
responsible for the process (entity) and/or other appropriate parties, during the fieldwork. The process owners should
be given the opportunity to present their comments on the gaps noted including their own analysis and evaluation,
provide details to any incomplete or incorrect information, and discuss the required corrective actions.
The Audit team should properly document and prepare the ‘List of Observations’ which should be reviewed by the
Team Leader and shared with the client personnel within a reasonable time prior to the Exit meeting.
The fieldwork phase ends with an Exit meeting with the Management of audited process (or entity) to discuss the ‘List
of Observations’. The participants in the exit conference may vary according to the nature of the report, but they will
generally include individuals who are directly involved in the operations and those individuals who can authorize the
implementation of corrective action.
The discussion is intended to ensure that there are no misunderstandings or misinterpretations of fact by providing
the opportunity for the client Management to clarify specific items and to express views on the observations.
The Internal Auditor should provide an interim report (i.e. email, internal memo) at the earliest time after the
discovery of events or conditions that, if not acted upon immediately, threaten or are actually producing damage to
the organization’s personnel, assets and processes. Appropriate parties should be advised to take actions on these
issues promptly and should not be delayed until the completion of the fieldwork. In some cases, immediate reporting
to the Audit Committee may also be required.
The Internal Auditor may recommend that, based on the information obtained, an investigation of any suspected
fraud be conducted. The Internal Auditor must be aware of the relevant Corporate policies (i.e. Fraud, Whistle
blowing) and any legal implications of reporting and handling information involving allegations of fraud.
Change/limitation in scope
Any significant changes and any limitation in audit scope must be justified and escalated/reported to the VP-IA, so
that the respective Management may be notified, as applicable. The interim report may be utilized to identify the
reasons for the change/limitation in scope, the audit status (progress) and results based on the original scope, the
modified scope and the revised deliverables and timelines.
An audit engagement that extends over a long period of time may be divided into reportable phases and generally, an
interim report should be provided if the completion of planned engagement work extends more than three (3)
months from the time the project was initiated.
The interim report for a phase of an engagement may include observations, recommendations, Management’s
(process owners) comments and action plans, or audit opinion, if applicable to the segment of the process (entity)
already covered.
The final audit report should include a statement of the engagement’s objectives, scope, audit opinion and the detailed
audit observations, root cause and an agreed action plan by management.
The final audit report is composed of three components: (1) the Executive Summary, (2) the Detailed Audit Findings,
Root Causes and Management Action Plan and (3) Appendix.
Executive Summary will be a brief, high level report that is designed to provide an overview of the objective, scope,
history and the results of the engagement including the audit opinion.
Statement of Scope & Objective
The scope statements identify the audited activities and include, where appropriate, supportive information such as
the time period reviewed. The related activities that had not been reviewed may be identified, if necessary, to
delineate the boundaries of the engagement and the nature and extent of audit work performed.
The purpose statement describes the engagement objectives and may, where necessary, inform the reader why the
engagement was conducted and what it was expected to achieve.
Background information may be included to further clarify or support the Statement of Purpose. Background
information should be provided when the readers are not expected to be familiar with the subject matter (process) or
to include information readers must know, but cannot be placed elsewhere in the report; it may also include the
status of observations, conclusions, and recommendations from prior reports and an indication of whether the report
covers a scheduled engagement or is responding to a Management request, key risks covered, etc. Where applicable,
good practices noted in the business should be highlighted in this section.
Opinion
The audit opinion is the IA management’s evaluation of the collective impact of the observations and
recommendations on the activities reviewed, keeping in perspective the overall implications of the audit
observations and recommendations.
The opinion states the level of modifications required to a process/entity so as to address the control weaknesses
noted by IA on the controls/procedures/systems in place. The opinion is limited to the specific processes/systems
reviewed and the audit coverage period.
The audit opinion is primarily based on: (1) the nature and number of audit observations, (2) the perceived impact of
the process, (3) the audit history and (4) the overall control environment. The types of audit opinions and the general
guidelines used to formulate the overall opinion are presented in the table below.
IA Assessment: Underlying Factors, %, Criterion and Scoring Range (0 to 3)
Perceived Impact of the processes to the Business / Company (10%)
Criterion: Resources Constraints; Life/Safety Hazards; Business interruption; Legal / regulatory implication; Branding / Reputation; Financial Implication
Score 0: Minimal Impact on Business Unit
Score 1: Possible impact on the Company
Score 2: Moderate impact on the Business Unit and / or Company
Score 3: Significant impact on the Business Unit and / or Company.
Audit History (10%)
Criterion: Reported Anomalies; Overdue recommendations; Repeat control weaknesses
Score 0: No Reported Anomalies, Minor concerns noted previously, Effective actions taken to reduce future incidents.
Score 1: No Reported Anomalies, Minor overdue recommendations, Limited repeat issues / concerns noted for the same process.
Score 2: Minor Anomalies reported, High number of previous concerns but no significant issues, High number of repeat concerns.
Score 3: Significant issues / fraud had been noted for the process under review, No effective actions taken to prevent repeat incident
Control Environment (20%)
Criterion: Policies and Procedures; DoA; Line compliance; Management Turnover
Score 0: P&P requires minor amendments, Minor and infrequent breaches to P&P / DoA.
Score 1: Minor number of gaps / amendments to the P&P/DoA, Frequent Management Turnover
Score 2: Informal P&P, Occasional breaches to P&P / DoA.
Score 3: Absence of Policy and Procedures and poor overall governance practices, Material Breach of DoA, Unauthorised sub-delegation of authority.
0 - 0.5 No Modification
0.6 - 1.5 Minor Modification
1.6 - 2.3 Moderate Modification
2.4 - 3 Significant Modifications
The ‘Analysis of Audit Observations’ provides a graphical presentation of the reported audit exceptions according to
assigned category (non-compliances, control failures, absence of control and efficiency and effectiveness); this section
of the audit report is designed to highlight the overall representation of the exceptions noted.
Category: Definition
Non-compliances to Policies and Procedures and DoA: Issue represents non-compliance or deviation to the established Policies and Procedures, DoA
Control Failures: Issue represents break-down or inconsistent implementation or operation of established controls, control deficiencies and weaknesses
Absence of Control: Issue represents the lack of defined controls to govern the process or the non-implementation of established controls
Efficiency and Effectiveness: Issue represents controls which did not facilitate achievement of the best or desired result or objectives with the least time and resources
Analysis of Recommendations
The ‘Analysis of Audit Recommendations’ provides a graphical presentation of the recommendations as to the timing
of implementation by Management; this section is designed to highlight the commitment of Management to
implement the recommendations.
Detailed Audit Findings & Recommendations
The detailed findings section includes (a) Observations, (b) Root Causes, (c) Rating, (d) Management’s Response, (e)
Responsibility and (f) Applicable Implementation Date
Observations are pertinent statements of fact and emerge by comparing what ‘should be’ with ‘what is’. Whether or
not there is a difference, the Internal Auditor has a foundation to build the exception.
The observations and recommendations should be based on the following attributes:
Criteria. The standards, measures, or expectations used in making an evaluation and/or verification (what should
exist).
Condition. The factual evidence that the Internal Auditor found in the course of the examination (what does exist).
Cause. The reason for the difference between the expected and actual conditions (why the difference exists).
Audit observations are classified according to relative significance or observation rating. The main objective of
introducing observation ratings is to provide Management with an independent assessment of the overall impact a
specific control lapse/gap may have on the process under review.
For the purpose of enhancing clarity, the following primary considerations may individually or collectively determine
the observations and recommendation rating:
Nature of risk/impact (i.e. Potential for fraud/irregularities, segregation of duties, violation of P&P/DoA,
reputation).
Nature of the process being reviewed (e.g. strategic, cash, purchase/procurement, data
integrity/confidentiality, systems).
Overall control environment: Management’s understanding of the risk & controls for the particular process,
elementary controls, Management/staff turnover, country conditions, age of business, budgetary pressures,
repeat violations, etc.
Probability & frequency of control failure resulting in losses and/or control gaps.
Materiality: existing & potential impact to the business unit (i.e., what is considered significant for a smaller
business may have a different rating for a larger business). Furthermore, the impact is considered in terms of
both financial terms as well as non-financial (impact on reputation, employees, etc.).
Root Cause
Root cause is the condition or factor which caused the non-conformance, control failure, inefficiency, ineffectiveness
or absence of control. It is the originating cause of the concern, which can be eliminated through process
improvement and/or compliance to designed internal controls. Root cause should be identified for all significant or
repetitive issues noted during the audit.
The Internal Auditor should include recommendations for improvements based on the Internal Auditor’s observations
and conclusions. The recommendations call for improvement of operations and may suggest approaches to enhancing
performance as a guide for Management in achieving desired results. Recommendations can be general or specific;
the Internal Auditor may recommend a general course of action and specific suggestions for implementation under
different circumstances.
Recommendations are rated to prioritize Management’s action towards the implementation of the recommendations.
For the purpose of enhancing clarity, the following primary considerations may individually or collectively determine
the observations and recommendation rating:
The impact of the recommendation in bridging the gap noted in the observation.
Complexity of implementing the recommendation.
Priority in implementing the audit recommendation.
Management Response
As part of the Internal Auditor’s discussions with the engagement client, the Internal Auditor obtains agreement on
the results of the engagement and on any necessary plans to address the control weakness or opportunities for
improvements. If the Internal Auditor and engagement client disagree about the engagement results, the
engagement report provides both positions and the reasons for the disagreement. The client’s written comments are
usually included in this section of the report.
Responsible Employee
The individual Management personnel and/or the functional Head, directly responsible and accountable for the
implementation of recommendation are identified in this column.
The agreed date of completion and/or implementation of the Internal Audit recommendation is referred for the
purpose of follow-up timing and Management accountability.
Internal Audit reports are generally intended for internal recipients only, and as a matter of policy, audit reports
and/or related information should not be released by Management personnel to external parties without the express
written approval of the CEO/CFO.
When releasing engagement results to parties outside the organization, the VP-IA should:
While the ultimate purpose of all assurance activities (i.e. regular Internal Audits) is to improve the organization’s
Governance, Risk Management and Control processes by delivering value-added assurance and consulting services,
the clear distinction between the two is very important to facilitate appropriate application standards and fulfilment
of expectations to provide optimal value of audit services.
The main objective of a consulting engagement is to directly assist the clients in achieving their objectives or
recommending a course of action. In an assurance engagement, the main stakeholders are the top Management and
the Board, and the main focus is to provide an objective and independent assurance about the organization’s Risk
Management, Control and Governance systems. Internal Auditors invariably provide advice to improve sub-optimal
conditions that were observed during the course of evaluating a process which benefits the audit clients. Assurance
engagements therefore always include a consulting component.
Consulting type services are considered in the development of the Annual Audit Plan and sufficient resources are
provided for both planned and unplanned consulting engagements. Classifications of consulting services provided by
Internal Audit are as follows:
Formal consulting engagements. Subject to written agreement and a formal engagement plan. Included in the
Annual Plan or requested by and agreed with Management anytime during the year.
Informal consulting engagements. Routine activities, such as participation on standing committees, limited-life
projects, ad hoc meetings, and routine information exchange.
Note that this section is dedicated to formal consulting engagements. However, the guidelines contained in this
section may be followed when considering/performing informal and other services.
Auditors generally should not agree to conduct a consulting engagement simply to circumvent, or to allow others to
circumvent requirements that would normally apply to an assurance engagement, if the service in question is more
appropriately conducted as an assurance engagement. This does not preclude adjusting methodologies where
services, once conducted as assurance engagements, are deemed more suitable to being performed as a consulting
engagement.
As stated in the Audit Charter, only those consulting activities that add value and improve the
organization’s operations and systems of internal control can be accepted.
Internal Auditors should maintain their objectivity when drawing conclusions and offering advice to Management. If
impairments to independence or objectivity exist prior to commencement of the consulting engagement, or
subsequently develop during the engagement, disclosure should be made immediately to Management.
Independence and objectivity may be impaired if assurance services are provided within one year following a formal
consulting engagement. Steps can be taken to minimize the effects of impairment by assigning different Auditors to
perform each of the services, establishing independent Management and supervision, defining separate
accountability for the results of the projects, and disclosing the presumed impairment.
The Internal Auditor should exercise due professional care in conducting a formal consulting engagement by
understanding the following:
Defining the needs of Management personnel, including the nature, timing and communication of engagement
results.
Possible motivations and reasons of those requesting the service.
Extent of work needed to achieve the engagement’s objectives.
Effect on the scope of the Audit Plan previously approved by the Audit Committee.
Potential impact on future audit assignments and engagements.
Potential organizational benefits to be derived from the engagement.
In addition to the independence and objectivity evaluation and due professional care considerations described above,
the Internal Auditor should:
Conduct appropriate meetings and gather necessary information to assess the nature and extent of the service
to be provided.
Confirm that those receiving the service understand and agree with the relevant guidance contained in the
Internal Audit Charter, Internal Audit department’s Policies and Procedures, and other related guidance
governing the conduct of consulting engagements. The Internal Auditor should decline to perform consulting
engagements that are prohibited by the terms of the Internal Audit Charter, conflict with the Policies and
Procedures of the Internal Audit activity, or do not add value and promote the best interests of the
organization.
Evaluate the consulting engagement for compatibility with the Internal Audit activity’s overall plan of
engagements. The Internal Audit activity’s risk-based plan of engagements may incorporate and rely on
consulting engagements, to the extent deemed appropriate, to provide necessary audit coverage to the
organization.
Document general terms, understanding, deliverables and other key factors of the formal consulting
engagement in a written agreement or plan. It is essential that both the Internal Auditor and those receiving
the consulting engagement understand and agree with the reporting and communication requirements.
Scope
As observed above, Internal Auditors should reach an understanding about the objectives and scope of the consulting
engagement with those receiving the service. Any reservations about the value, benefit, or possible negative
implications of the consulting engagement should be communicated to those receiving the service. Internal Auditors
should design and propose the scope of work that will ensure professionalism, integrity, credibility and reputation of
the Internal Audit activity will be maintained.
Resource availability
As a matter of professional responsibility, Internal Auditors should only engage in those services for which they have
the necessary knowledge, skills and experience. The VP-IA may decline the consulting engagement or obtain
competent advice and assistance if the Internal Audit staff lacks the knowledge, skills, or other competencies needed
to perform all or part of the engagement (Code of Ethics/Standards). Hours allocated for any Consultancy services can
be utilized from the Ad hoc hours assigned to the BU within the plan; the Audit plan should be updated accordingly and
notified to the Audit Committee.
Acceptance
Upon the determination by the VP-IA that the requested consulting engagement is acceptable based on the above
parameters, the client should be informed about the Internal Audit’s agreement to provide the services. The terms of
the consulting services agreement should be formally communicated (via email/memo). Guidelines and procedures
are covered in the next section of this manual.
On the other hand, if the requested service is not accepted, the client should likewise be notified stating the reasons
of non-acceptance.
The VP-IA may consider the following actions if he believes that the objectives being pursued go beyond those being
requested by Management:
Document the fact that the objectives were not pursued and disclose that observation in the final
communication of consulting engagement results; and
Based on common understanding of the issues, Internal Audit and the client should reach an agreement on the scope,
limitations (if any), resources, timelines etc. The agreement between the Internal Audit (provider) and the client
should be formally agreed via an email or memo issued by the VP-IA.
5.2.2 Methodology
The consulting services are provided to help clients achieve their objectives or solve their problems. Clients’ needs for
advisory services may vary greatly and engagements may be completely different from one another in terms of
deliverables, thus no standard approach or set of tools will be applicable to all. The Internal Auditor should design and
communicate to the client the general approach that will be followed to achieve the engagement objectives.
Generally, there are five (5) loosely coupled tasks that are included in a consulting engagement. The Internal Auditor
will design a specific approach that will be applicable to the engagement by varying or combining the following tasks:
Understand. The Internal Auditor performing the engagement should obtain a complete understanding of relevant
technical and business issues necessary to carry out the engagement.
Define. In most cases, definition of the problem or the critical aspects of the problem will be carried out. The
Auditor should be knowledgeable in the application of tools and structured techniques to define a problem.
Develop. This is the value creation portion/aspect of the engagement. The Internal Auditor will recommend
solutions to address the problem or condition.
Support. The Internal Auditor works/partners with the client in implementing the solution without assuming
Management responsibilities.
Follow up. Internal Auditors assist clients to measure the benefits of implementing the solutions. Follow up may
be conducted together with the client, as needed through post-implementation review. All consulting
engagements’ recommendations are included in the Audit follow up database for appropriate monitoring.
In most cases, the exact procedures will not be specified during engagement planning phase due to inherent lack of
information. A well designed, rolling work program will guide the efficient accomplishment of engagement
deliverables considering that information from or the results of predecessor activities influence the succeeding ones
without necessitating adjustments and towards the achievement of the overall objectives.
The form and content of the work programs vary depending on the nature of the engagement. Work programs should
be reviewed and approved by the VP/GM-IA or his designate prior to commencement of field work.
Define the problem: For engagements designed to solve complex problems, a methodical approach should be
used to precisely identify the root cause and extent of a given condition. Problems should be identified and addressed
at the right level, as a “global” view of conditions may never identify the exact problem to be addressed.
Specialized tools (e.g., Ishikawa Diagram, CATWOE, Simplex, etc.) may be used to facilitate accurate and efficient
root cause analysis.
Develop solutions: With a good appreciation of the problem or the task, the Internal Auditor can proceed to the
development of solutions to address the problem or conditions. Solutions and/or implementation plans are the
core deliverables of consulting engagements. The Internal Auditor may utilize technical creativity tools (e.g.,
Attribute Listing, Brainstorming, Morphological Analysis) to generate possible solutions.
Obtain commitment and support implementation: Engagements may be conducted to design a specific solution
to a particular condition or a number of alternative solutions may be generated for engagement client’s
consideration. The engagement client is responsible for accepting and implementing the agreed solution(s). The
Internal Auditor’s role is to provide technical assistance in choosing and implementing the solution.
Follow up: A post-project review may be conducted, if requested by the client, to verify that the project was
carried out according to plan or standards, identify lessons learned and ensure that significant issues (loose ends)
are acted upon prior to closure of the implementation phase.
Formal written report or reports are usually part of the engagement deliverables. Interim and/or final engagement
report should be provided to the engagement client or other parties according to the agreed timetables. Quality and
other report preparation guidelines for assurance-type engagements may not be applicable to consulting
engagements.
5.4.1 Interim reporting
Progress, status or segment report should be provided as agreed. The Internal Auditor should consider providing an
interim report when conditions for issuing interim report for assurance engagement occur.
When the engagement agreement calls for a formal report at the end of the project, the Internal Auditor should
prepare the report as prescribed in the agreement. As the nature and objectives of consulting engagements widely
differ, a standard format cannot be devised to apply to all engagements. Nevertheless, the basic contents of a
consulting engagement report will generally but not definitively include the (1) Executive Summary, (2) Statement of
Objectives, (3) Scope, (4) Methodology and the (5) Engagement Results.
Executive Summary
Executive summary is prepared to give a brief but complete overview of the purpose, scope, methodology and the
results of the engagement. Typically, a shorter version of the full engagement report, the executive summary contains
enough information for the readers to become acquainted with the full document without reading it.
Statement of Objectives
Statement of Objectives informs the reader, where appropriate, why the engagement was conducted and what it was
expected to achieve as agreed by the client and the Internal Auditor, at the outset of the engagement (or as
appropriately revised). The background information may be included to further clarify or support the Statement of
Objectives. Background information should be provided when the readers are not expected to be familiar with the
subject matter (process) or to include information readers must know but cannot be placed elsewhere in the report.
Statement of Scope
Scope Statements should identify the activities or issues covered by the review and include, where appropriate,
supportive information such as time period reviewed. The statements of scope and objectives may need to be
supplemented with statement of limitations or exceptions to appropriately delineate the boundaries of the
engagement. Statement of limitation is particularly important when the engagement is designed to address a specific
condition and/or based on agreed upon standards or procedures applicable only to a specific condition. In some
cases, disclaimer statement may be appropriate.
Methodology
The methodology employed, including nature and extent of engagement work performed may be described to inform
the readers of the report on how the results were produced. The overview of the process followed will help the
readers understand and analyze the results in a proper context as well as provide some assurance that all findings,
conclusions and/or recommendations were generated with reasonable diligence and proficiency. The Internal Auditor
however should refrain from including superfluous details so as not to unnecessarily direct the readers’ attention to
the process rather than the results of the review.
Findings
The findings should be supported by sufficient and relevant information (evidence) and should be described in
sufficient detail in the audit report in order that a reasonable reader will reach the same conclusion as the Internal
Auditor.
Conclusions
Conclusions are the Internal Auditor’s final judgment on the critical issues, which were arrived at after the
consideration of the engagement findings and other relevant facts taken in the context of overall implications to the
organization.
Recommendations
Recommendations are proposed solutions or alternative courses of actions given the findings and conclusions. The
engagement report should unambiguously describe the solutions or alternative solutions, benefits and costs in order
that those who will make the decisions can rely on the report.
Distribution
Report Recipients. Reports will be distributed as per the agreed terms of engagement. Final reports should be
reviewed and approved by the VP-IA prior to distribution.
Parties other than those who requested the service. In some circumstances, the Internal Auditor may conclude that
the results should be communicated beyond those who received or requested the service. In such cases, the Internal
Auditor should expand the reporting so that results are communicated to the appropriate parties. When expanding
the reporting to other parties, the Auditor should conduct the following steps until satisfied with the resolution of the
matter:
First, determine what direction is provided in the agreement concerning the consulting-type engagement and
related communications.
Second, attempt to convince those receiving or requesting the service to expand voluntarily the
communication to the appropriate parties.
Fourth, determine what guidance is provided in the organization’s Code of Conduct, Code of Ethics, and other
relative Policies, Administrative Directives, or Procedures.
Fifth, determine what guidance is provided by The IIA Standards and Code of Ethics, other standards or codes
applicable to the Auditor, and any legal or regulatory requirements that relate to the matter under
consideration.
6 OTHER NON-AUDIT SERVICES
The Internal Audit Department will not accept responsibility for performing non audit-related functions or duties that
are subject to periodic internal audit assessments. If they have any responsibility, then they are not functioning as
Internal Auditors (PA-1130.A2-1).
Any non-audit related services can only be performed subject to prior approval of VP-IA and the ARC Chairman.
Facilitated meetings (workshops). Work teams that represent multiple levels within an organization gather and
analyze internal control information.
Questionnaire. This technique uses a survey instrument that offers opportunities for a simple yes/no or have/have
not format. Process owners use the survey results to assess their overall control environment.
Management-developed analysis. Management develops a staff study of the business process and controls.
The respective Management personnel performs and owns the CSA process. The CSA exercise allows functional
business Management to assess the risks that may impede the achievement of objectives and evaluate the controls
that address the identified risks.
IA’s role in the CSA process will vary with the technique employed by Management and the maturity of the process. IA
advocates and assists Management in the establishment of the CSA process and can subsequently act as an independent
validator after the process has been successfully established. A similar role can be performed by Compliance.
IA can act as the Internal Control specialist in the development of the CSA questionnaire to be used by management.
CSA questionnaires can be initially prepared by IA and jointly reviewed by IA and the Business Management for
approval by the relevant Management personnel.
Irrespective of whether CSA results are validated by Internal Audit or internally by Management through Compliance, all efforts
should be made by Internal Audit to use the CSA results for future audit planning.
Inventory observation
Asset disposals/condemnation observation
Attendance to opening of bids
Temporary staff augmentation
Staff secondment
The Audit Committee will be updated on such activities during quarterly updates. Refer to the section on Consulting
Assignments for further details of the execution of the aforementioned assignments.
7 CONDUCTING FOLLOW-UP ACTIVITIES
This section identifies the guidelines for performing follow ups (implementation tests) and for ensuring that the
minimum documentation is maintained for all follow-up projects. The process flowchart on the execution of follow-up
assignments is included in Appendix H.
The purpose is to assess in a timely manner, and periodically conclude on, whether Audit recommendations are being implemented
by Management to address the gaps noted and, if not, whether the same are being reported to Senior Management and the
ARC.
Given the number of Internal Audit reports that are issued across the businesses, IA requires a significant amount of
resources to perform a comprehensive follow up on all of the audit recommendations. As an alternative, and to
ensure effective and efficient utilization of limited audit resources, we have implemented a single unified System to:
act as a database for all audit activities (reports issued, observations and recommendations raised),
automate reminders to management for timely implementation of recommendations,
allow the Responsible Manager to close recommendations with relevant documents as evidence,
allow Senior Management to track, monitor and report status to the ARC, and
allow Internal Audit to timely validate closure of audit recommendations.
Auditors are expected to apply the same quality standards which are followed for regular audits. As such, the auditor
must critically assess the quality of implementation of Internal Audit’s recommendation and obtain evidence that
supports Client Management’s assertions and his/her own assessment. The same should be subject to review by the
Team Leader.
Reminder emails are sent automatically by the system to the respective personnel.
When the recommendation is “Closed” (Implemented, No longer Applicable, or Management Accepts Risk), the
responsible HOD/Manager should change the status in the IA system and attach the documents evidencing the same.
The system will inform the IA team of the change in status, and it will then be the Team Leaders’ responsibility to assign a
resource to validate the status. Note: to maximize limited audit resources, 100% of all High, 70% of Medium and
30% of Low & BP should have been validated in the system. This will be monitored by the Team Leader by obtaining
the relevant monthly reports from the IA system.
The assigned auditor should access the system and review all relevant supporting documents attached, to assess whether the
implemented recommendation has been closed properly and consistently and addresses the gap noted, prior to
accepting the status change. In case the auditor does not accept the documentation or has any follow-up queries, the
same should be recorded within the IA system. Management will have 3 days to come back with additional
documents or information for the auditor to close the recommendation, failing which the status will be reopened
by the Team Leader.
In case of partial implementation or significant delays, the Auditor should reassess whether there is any change in
the rating based on the prevailing level of risks.
In case of extension to implementation date, the same should be initiated by the relevant manager, coordinated
with the Venture HO Controller and approved by COMPANY NAME CEO/CFO. All such extensions should be
reported to Internal Audit for update in the system and to the ARC on an annual basis.
For any recommendation/s that Management has decided not to implement because the recommended action
plan is no longer applicable, or because Management accepts the risk, justifications should be obtained from Management
and properly documented in the IA system. The Auditor should then ascertain the following:
o If Management’s justification is reasonable (such as due to system limitation or where proper analysis has been
done to establish that the cost of implementation is greater than the cost of risk being managed etc.) AND the
recommendation was rated low, the same should be marked as N/A (Not Applicable).
o If Management’s justification is reasonable but the rating was moderate to high, then alternative
recommendations should be discussed and agreed with the management (the team leader should be involved
at this stage). A new recommendation should be agreed with management and specifically highlighted to the
Audit Department Administrator for update to the IA system (Note: the original recommendation will be
considered as N/A in this case).
o In case the justification provided is not reasonable, and/or the alternative recommendation cannot be agreed,
then the same should be marked as MAR (Management Accepts Risk) and Management’s remarks should be
captured in the system along with any additional comments from IA, where applicable.
In case there is disagreement between the auditor and management on the closure of the point, and/or on MAR
status, the same will be escalated to the Team Leader and then to the Head of Audit and CEO for resolution. If still
unresolved, the same will be reported to the ARC for final decision.
Once a status is concluded by the auditor, the Team Leader will assess the quality of work performed by the auditor
and accept the status change in the system.
On a semi-annual basis (end of Jan and July each year), Audit admin. should generate a status summary from the IA
system and forward it to the responsible Team Leader for review. The Team Leader will then prepare the Executive Summary
and forward the same to VP-IA for review and issuance.
8 REPORTING TO THE BOARD & THE AUDIT COMMITTEE
The Audit Charter states that “The Head of the Internal Audit function is accountable to the Group Board of
Directors and to Boards of Directors of the Operating Companies through their respective Audit Committees. The VP-
IA shall ensure and regularly apprise the Board and the Committees that the IA’s mission and responsibilities are
carried out according to the terms set forth in this Charter.” Furthermore, the Charter enumerates the following
responsibilities:
Develop a flexible Annual Audit Plan using appropriate risk-based methodology, including any risks or control
concerns identified by Management, and submit that plan to the Committees for review and approval.
When requested by Management perform investigation of significant suspected fraudulent activities within the
organization and notify Management and the Committees, as appropriate, of the results.
Validate that all identified frauds are reported to the Committees by Management.
Provide information periodically to the Committees on the status and results of the Annual Audit Plan and the
sufficiency of IA’s resources.
Provide annually an assessment on the adequacy and effectiveness of the organization’s processes for
controlling its activities and managing its risks in the areas set forth under the mission and scope of work.
Keep the Committees informed of emerging trends and successful practices in Internal Auditing.
Participate in the meetings of the Committees and support its programs/activities designed to carry out its
mission.
In view of the above, the VP-IA provides regular (i.e., Quarterly, Annual) as well as unscheduled reports to the Group
Board and the respective Audit Committees of the operating companies as outlined in this section.
Summary of Audit Reports issued. Summarizes the Audit Reports issued from the previous meeting providing details
of the scope (business unit/process) of the audit and IA’s overall opinion on the internal control (refer to section
on Types of Audit Opinion).
Key Observations. This section includes significant audit observations which require Audit Committees’ attention;
such will also include issues submitted for Audit Committees’ resolution.
Update to the IA Annual Plan. This section provides update of IA’s performance of audit work relative to the
Annual Plan. The report shows the total number of planned audits for the year, planned audit projects
discontinued, and the justification for discontinuing such planned audits, and audit projects added to the Annual
Plan (e.g., Management’s request, ad-hoc assignments, etc.).
Any Scope Limitations / potential conflict of interest or any impact on the independence of Internal Audit
function.
8.2 Annual Reporting
The VP-IA provides an annual report to the Board and Audit Committees during Q1 of next year.
The VP-IA’s annual report includes the annualized scope of the quarterly report items with the addition of the IA’s
annual assessment of the adequacy and effectiveness of the organization’s controls, the proposed Annual Audit Plan
for the coming year, and the update on the IA function as follows:
Annual Audit Results. The overall scope of “Summary of Audit Reports issued” section of the quarterly report with
additional analysis of audit reports as to the types of audit opinions. This section highlights IA’s overall assessment
on the adequacy and effectiveness of the organization’s processes for controlling its activities and managing its
risks as required by the Charter.
Update of the IA function. This section includes any material information concerning the IA function (e.g.,
recruitment, best practices, etc.).
Compliance statement with IIA standards; potential impact on independence, scope limitation (see periodic
reporting)
Concerns from QAR reviews performed internally and externally, and the status of resolution of the same.
The Annual Plan (presented in Q4 for next year’s plan). The proposed Annual Audit plan for the next year is
presented for the Audit Committee’s review and approval; the Annual Plan is comprised of the Audit Methodology
followed, Engagement Work Schedule (list of engagements) and required resources to complete those
engagements (i.e., staffing plan, financial budget, etc.).
The VP-IA shall meet with the Chairman privately at least once a year.
9 RESOURCES
The VP-IA would ensure that the Internal Audit Department is appropriately resourced, and the resources are
effectively deployed to achieve the approved plan (Standard 2030). This section will focus on guidelines related to IA’s
resource requirements, the HC issues, Technology needs and Financial Budgeting.
All Internal Audit recruitments are processed through the HC department, wherein the resource requirements along
with criteria, minimum skills qualifications, etc. are recommended by VP-IA based on the Annual Audit Plan. HC
coordinates with the candidates for interview and assessment consistent with the HC Policies & Procedures. All
candidates external / internal have to go through a process of interviews with the HC and Internal Audit Management
(i.e., Team Leader/VP) and need to appear for an internal test / assessment workshop designed by Internal Audit.
All aspects of appointment and confirmation are performed consistent with the HC Policies and Procedures.
Newly inducted IA staff will be provided with preliminary orientation, which will provide a comprehensive overview of
, its operations, and the IA Department, and will include:
General orientation. The general orientation will cover the facility where employees will be headquartered and
introduction to Department personnel. This part of the orientation process will begin immediately after a
representative of the Human Capital Department brings new employees to the Audit department.
Audit department orientation. The Audit department orientation will focus on the organization, responsibilities
and administration of the Audit department; this Manual will serve as the foundation for such orientation.
Orientation. orientation will include organizational structure, Group-wide Governance framework and
Corporate Policies & Procedures.
Systems & Automation Environment Orientation. The orientation of Systems Auditors will include steps to
acquaint the new staff member with the information systems and automation environment (i.e. audit workflow
automation, etc.).
The relevant Team Leader will be responsible for overall orientation and will coordinate the various orientation
activities.
9.1.3 Roles & Responsibilities
The IA Department hierarchy consists of several position levels, each having varying responsibilities for carrying out
the Audit function consistent with the department structure agreed with the ARC Chairman. Responsibilities
associated with each position are outlined in the Job descriptions and Key Performance Indicators.
Job descriptions outlining the primary roles and responsibilities for each staff level position will be developed, and the
job descriptions will be signed by both the employee and the immediate supervisor. The job descriptions reflect all of
the activities and expectations for the particular position, in addition to the knowledge and experience required to
perform the related duties.
Study leave will be considered on a case-by-case basis by the respective Team Leader, to be endorsed by VP-IA.
Given the diversity and size of the business, it is critical that team members understand the nature of the business and/or
function being reviewed in order to add value. For this purpose, at the start of each year, as part of the audit planning process,
gaps in skills and training programs to bridge the gaps will be identified and included in the annual training plan,
including ‘know your business’ sessions, as part of which individual team members will be assigned to specific
business functions for short-term periods (1-3 days) to gain a better understanding of the process. Team Leaders will
also identify, along with management, training courses specific to certain business processes which can be extended to
the auditors. The training plans will be approved by VP-IA.
The responsibility for development lies with the individual auditor; as such, KPIs will be established, and each individual
along with the Team Leader will be responsible for ensuring that training and development plans are being met
consistent with the training plan.
As part of the performance evaluation, each staff member will receive development and career counselling during the
year in order to continuously enhance his/her knowledge and expertise, and to ensure that they are commensurate with
his or her assigned roles/responsibilities and long-term career objectives.
In addition to the semi-annual performance evaluation, staff members will receive assessment feedback on an interim
basis, and project-level appraisal will be carried out for the team by the Team Leader. For IA Management (i.e., Team
Leader), such assessment is performed during periodic meetings with the VP-IA, while VP-IA’s performance appraisal
will be performed in accordance with the Audit Charter.
Appraisals will be documented consistent with the Venture HC Policies and Procedures.
9.2 Technology
IA believes in utilizing automated tools for maintaining a high level of work performance and to standardize the audit
process. IA is consistently searching/exploring applications/systems that would facilitate an efficient and effective
performance of audit work. The following are the application systems/tools currently utilized by IA, along with
functional details:
TeamMate – EWP
Bring efficiencies into the documentation and review process of the audit fieldwork.
Timely update of all important audit information (i.e. program steps, findings, etc.).
Allow team members to work on different steps within the same work program.
Electronic sign-off of audit steps for later review and feedback.
Effective maintenance of audit evidence by attaching such document to relevant audit steps.
Automatic real-time drafting of issues, findings and work programs.
Streamline and standardize the audit planning process by viewing prior audit programs/findings.
Navigate through current and archived working papers with ease.
Allow auditors to coordinate current audits and consider findings from prior or related projects.
IA System
Accumulates project findings from individual projects to track the implementation status of recommendations.
Facilitates issue follow-up, trend analysis, prior audit review and committee reporting.
Extracts and forwards reports to key stakeholders, allowing Management to focus on the overall objectives and
management of audit results.
General conformance with the IIA definition of Internal Auditing, the Code of Ethics, and the key attribute and
performance standards.
Assessment and implementation of any corrective actions to remedy any significant instances of non-
conformance.
Analysis of the adequacy of the IA activity’s charter, goals, objectives, policies, and procedures.
The QA mechanism will include (1) VP-IA review of sample engagements and continuous performance measurements,
(2) periodic peer reviews of sample projects (refer Appendix G), and (3) annual assessment of the audit procedures in
place and the audit programs. The aforementioned requirements will form part of the key performance indicators.
The external QA recommendations are intended to be focused on opportunities for improvement and on enhancing IA
activity’s ability to add value, and should:
Assess the efficiency and effectiveness of the IA activity in light of its charter, the expectations of the Board,
Executive Management, and the key stakeholders.
Provide an opinion on the IA activity’s conformance to the spirit and intent of the definition of Internal
Auditing, Code of Ethics and key IIA-PPF Standards.
Identify opportunities and offer ideas to VP-IA and Team Leader for improving their performance and that of
the IA function overall.
Considering the overall requirements, the objectives and the process to be followed for the external QA, the key tasks
for embarking upon the QA exercise are outlined below.
Employment
Induction, probation & confirmation
Remuneration
Leave
Air Passage
Working hours & Time-in-lieu
Business travel
Performance and professional development.
Discipline & grievances
Health & safety
Leaving employment
Personnel administration
Furthermore, all employees are provided with ‘Code of Conduct’ and ‘Conflict of Interest’ Policies and all employees
are expected to abide by such corporate policies. Annual declaration on the same will have to be completed by all
audit staff.
The overall departmental budgets for the Internal Audit function will be consolidated with the Budget and presented
to the Board for approval. The budget will be developed for separate heads (i.e. Payroll, Travelling, Training,
Equipment/Systems, etc.) and the cost centre reports will be reviewed by the Internal Audit Management on semi-
annual basis, to analyze and monitor budgeted vs. actual figures for the aforementioned heads.
Internal Auditors should notify the IA Administrator of the planned travel, providing details such as the purpose and
itinerary etc. The IA Administrator will then raise a Purchase Requisition in the KDS, supported with multiple
quotations, for the approval of the relevant Team Leader and VP-IA.
Internal Auditors are entitled to reimbursement of expenses incurred during fieldwork and other audit-related travel,
consistent with the corporate policies of .
All Internal Auditors have been provided with Corporate Credit Cards for use during business travel. Upon return from
business travel, all expenses charged to the Corporate Credit Card should be liquidated, supported with official
receipts. A summary of expenses and personal charges for deduction should be provided to the IA Administrator for
review. Approvals will be made by the relevant Team Leader and the VP-IA in KDS.
Key Process (please rate every line item by Operations) | Magic Planet Operations* | Ski Dubai | Wahoo Waterpark | Orbi | Lego | American Girl
Sales and Cashiering (including shift closing, refunds, discounts, manual invoices etc.)
Cash Safe / room (including security, CCTV, deposit to bank etc.)
Asset Management (including transfer, maintenance etc.)
Inventory Management (including storage, access control, transfer etc.)
Consumable Inventory (shoes etc)
Customer Service
Health, Safety and Security
Marketing & Promotions
Others
* Includes Bowling & Aqua play where applicable
(Ifly & Little Explorer have been ignored for the rating purposes)
Engagement Plan
Budget hours
Collect other
relevant
Project Naming
To:
From:
Subject:
In accordance with the annual audit plan, Internal Audit will perform a review of Leisure & Entertainment at
COMPANY NAME. The following information is a summary of the audit plan provided for informational purposes and
is subject to change as circumstances warrant.
Our audit approach will primarily consist of inquiry of key operating management and staff, observation and review of
processes, functions and documentation, as well as specific tests of procedures and transactions as warranted.
To facilitate the audit process, we have identified Key Contact personnel (see below) who will be responsible for
addressing all audit requests and queries; audit concerns will be discussed with them during and at the end of audit
fieldwork. Please inform us, within two business days, of any changes to the Audit Coordinator identified by us.
An initial Request for Information (RFI) will be forwarded to you shortly and it is expected that all documents will be
provided to Internal Audit at the fieldwork commencement date. Documents received subsequent to the exit meeting
(i.e. after leaving the audit site) will not be considered for finalizing the audit report.
After the end of fieldwork, we will issue you an initial draft report, the purpose of which is to discuss and agree the
audit concerns noted, root cause for the issues noted and recommended action plan during the exit meeting. The
draft report will be revised based on the discussion during the exit meeting. Any concerns Management has on the
revised draft report will be discussed and finalized at the close-out meeting before the issuance of Final Audit Report.
Key Personnel:
Thank you.
Venue : XXXX
Meeting Agenda
1. Brief introduction about the Internal Audit Department and the team members.
2. Audit scope, approach, and audit timing / schedule for the current project
3. Reporting process
STEP 1 Determine the control test objective, population and sampling unit
STEP 3 Once you have established the sample size, the following should be considered when selecting what sample to choose
(1) Frequency of control (example monthly reconciliations should be tested over multiple months)
(2) Outliers based on clustering (example unusual void)
(3) Top and Bottom 5/10 (example based on revenue, waste etc.)
(4) Manual / Automated controls
(5) How susceptible is the control to change because of different owners, geographical constraints etc.
(6) Highest Impact of failure (example critical contracts versus day to day contracts)
Follow-up Report
Executive Summary
Date: MM-DD-YYYY
Subject:
Internal Audit has concluded its review of the most recent status of Internal Audit recommendations pertaining to Egypt Country
Office. The objective of this review was to verify the status of implementation provided by Management, report discrepancies, if
any, and assess the progress of implementation as of our review date. The report has been finalized subsequent to the receipt of
Management’s confirmation on the final implementation status on MM-DD-YYYY.
Table 1 summarizes a break-up of the total recommendations by rating, status of recommendations as reported by Management,
recommendations re-opened by Internal Audit after testing, if any, and the total number of Open Recommendations as of the
audit report date.
Table 2 provides a break-up of Open Recommendations that are Overdue as of the audit report date.
Table 1
Audit Conclusion
Although strict application of the standard report rating matrix would have resulted in a ‘Less than Satisfactory’ rating, we have
considered the number of outstanding recommendations and the overall rate of progress for our final rating of ‘Satisfactory’ (For
the standard report rating matrix, refer to Appendix #). Management needs to ensure that audit recommendations are closed
properly with relevant documentation and evidence prior to reporting the same as implemented. Management should ensure all
recommendations are closed in line with the proposed new timelines (refer to Appendix #).
We would like to take this opportunity to thank you and your Management team for the cooperation extended to us during this
audit review. If you have questions or concerns in relation to this audit, please do not hesitate to contact me at your convenience.
Sincerely,
Murtaza Muhammad
Appendix I
Recommendations reported as “Management Accepts Risk” (MAR) and “Not Applicable” (NA)
Recommendations that are “Management Accepts Risk” which have been approved by CEO: -
Obs. No. | Rating | Recommendation
Management Comments:
Obs. No. | Rating | Recommendation
Management Comments:
Appendix II
Overdue recommendations reported as “In Progress” by Management:
Obs. No. | Rating | Recommendation | Originally agreed due date | Management Comments | Revised dates proposed by Management
Appendix III
Discrepancies noted:
Obs. No. | Rating | Recommendation | Originally agreed due date | Management Comments
Appendix IV
Standard Report Rating Matrix
High Observation represents a significant control gap, potential for irregularities/fraud and/or a significant breakdown of
control and/or excessive number of non-compliance with established Policies and Procedures, DoA, or regulatory
requirement, which may result in disruption of the process, loss of asset, income, funds and/or have an adverse
effect on the ability to achieve the process/business objectives.
Recommendation has a major impact on addressing the issue and requires urgent Management action.
Medium Observation represents a control weakness or non-compliance with procedures, DoA, which could and/or is resulting
in loss of asset, income, funds or is having some adverse effect on the ability to achieve the process objectives.
Recommendation has mediocre impact in addressing the issue and requires near-term Management action.
Low Issue represents a minor control weakness or a minor non-compliance with procedures or regulations with minimal
but reportable impact.
Management should consider implementation within a reasonable time period.