INTERNAL AUDITING GUIDELINES

for East and Southern Africa Association of Accountants General

February 2001

E

S

A

A

G

INTERNAL AUDITING GUIDELINES
for The East and Southern African Association of Accountants General

CONTENTS PAGE 1. Introduction 2. Nature, Objectives and Scope of Internal Audit 3. Internal Audit Independence 4. Managing Internal Audit 5. Professional Proficiency 6. Relationships 7. Internal Audit Planning 8. Approaches to Internal Audit 9. Reporting, Monitoring and Follow-up Glossary of Technical Internal Audit Terms 32 1 7 12 15 20 23 26 28 1

1.
1.0

INTRODUCTION
These Internal Auditing Guidelines are recommended to all government institutions in member countries. These may include Ministries, Departments, Regions, and other public sector organisations or entities, where appropriate. The Guidelines are prepared in compliance with the “Standards for the Professional Practice of Internal Auditing” developed by the Institute of Internal Auditors and international best practice in public sector Internal Audit.

1.1

The guidelines are intended to provide best practice principals rather than specific guidance on Internal Audit procedures and techniques. Each professional Internal Auditor should hold the general skills and knowledge of Internal Audit practice.

1.2

A brief explanatory note to facilitate a clear understanding of the guidelines is included before each guideline.

1.3

These guidelines provide criteria by which Internal Auditing in the Public Sector in member countries should be measured and evaluated.

1.4

Any standards or guidelines should be dynamic to keep up to date and these guidelines will be revised from time to time as necessary.

2.

NATURE, OBJECTIVES AND SCOPE OF INTERNAL AUDIT Explanatory Notes:
This guideline explains the nature, objectives and scope of Internal Auditing and indicates the range of responsibilities that Internal Audit should cover. The Head of Internal Audit should ensure that each Accounting Officer (see Glossary of Technical Internal Audit Terms at the end of these Guidelines) in the public sector organisations for which they are responsible are aware of the full range of activities that fall within the scope of Internal Audit.

2.0

2.1

2.2

Nature: The Institute of Internal Auditors defines Internal Auditing as "an independent objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."

Internal Auditing Guidelines

February 2001

Page 1 of 33

2.3

Internal Audit should be an independent function or division within the public sector organisation. It assists management by reviewing, assessing and helping to improve the internal control system. Internal Auditors work with Accounting Officers and other managers to help to improve internal controls within their public sector organisation and so reduce the risks the Government faces in achieving its objectives to an acceptable level. Internal Audit undertakes reviews of individual systems and processes. As a result, recommendations are made to the relevant Accounting Officer on how internal controls could be improved.

2.4

Scope: The scope of internal audit needs to cover the systematic review, appraisal and reporting of the adequacy of the systems of managerial, financial, operational and budgetary control and their reliability in practice, including: • • • • the relevance of established policies, plans and procedures, the extent of compliance with the appropriateness of organisational, personnel and supervision arrangements the extent to which assets and interests are accounted for and safeguarded from losses of the appropriateness, reliability and integrity of financial and other management these

all kinds arising from waste, extravagance, inefficient administration, fraud or other causes information and the means used to identify, measure, classify, report and act upon that information • • 2.5 the integrity of computer systems, including systems under development the follow-up action taken to remedy previously identified weaknesses.

The actual areas reviewed by Internal Audit should be determined by a risk assessment that guides Internal Audit planning (see Guideline Seven).

2.6

There should be an Internal Audit service for all public sector and government organisations including the armed and secret services.

2.7

Objectives: Internal Audit should operate in partnership with management by helping to enhance their accountability, transparency and corporate governance. This is achieved by identifying and evaluating their internal control systems and making recommendations for improvements and refinements to these systems.

2.8

Internal Audit assists Accounting Officers by evaluating and reporting on the elements of the internal control system for which the Accounting Officer is responsible. It is not, however, an extension of, or a substitute for, effective internal controls. Responsibility for internal control rests fully with the Accounting Officer, who should ensure that appropriate and adequate arrangements for internal control exist in addition to any Internal Audit activity in their public

Internal Auditing Guidelines

February 2001

Page 2 of 33

sector organisation. It is for the Accounting Officer to decide whether or not to accept and implement Internal Audit findings and recommendations. However, the Accounting Officer should be responsible to an Audit Committee and the Public Accounts Committee for ensuring that prompt and effective action is taken to address Internal Audit's findings. An Audit Committee may assist in ensuring that prompt and effective action is taken in response to audit recommendations. 2.9 Internal Audit may undertake checks that individual items of expenditure are necessary and have been authorised as required. This may be undertaken before the payment is made (pre-audit) or may be undertaken later (post-audit). Internal Audit may also be required to undertake independent checks on stores and fixed assets. However, international best practice suggests that the core element of Internal Audit work should be systems audit. The objective of systems audit is to improve the controls operated by management rather than Internal Audit acting as a control itself. 2.10 If Internal Auditors undertake pre-audit, they should not also undertake system reviews of the same transactions or systems. Advantages and Disadvantages of Pre-Audit Advantages Could help to ensure that expenditure is necessary and appropriate. Disadvantages May reduce officers' responsibilities for internal control. Managers may not check payments properly, but rely on Internal Audit to do these checks. Payments may be delayed until Internal Audit has completed their checks. It may be an inefficient use of valuable Internal Audit time. Could provide an opportunity for unethical Internal Auditors to seek bribes. Could relax Internal Audit objectivity when doing systems audit work. Could put Internal Audit security at risk.

Could help to ensure that expenditure is properly authorised before payment is made. Could help to prevent management fraud. Could help to reduce the incidence of fraud or irregularity. Could help to confirm the existence of projects, supplies and stores.

2.11

In some countries, Internal Audit may be required to undertake pre-audit. Where this is the case consideration should be given to reducing this role. This could be achieved by only undertaking pre-audit on larger payments or those that are particularly vulnerable to fraud or irregularity. Public sector organisations with good internal controls could be rewarded with a reduced requirement to have their expenditure subject to pre-audit.

Internal Auditing Guidelines

February 2001

Page 3 of 33

2.12

Internal Audit is not necessarily best suited to under take investigations into suspected fraud, corruption or irregularity. This is a specialised function that requires expert knowledge and experience. The approach to fraud investigation is different to that used in routine Internal Audit work. For these reasons, where possible, fraud investigations should be undertaken by a special unit.

2.13

Internal Audit can: • • • • • • • • independently review and appraise the systems of control throughout the public sector recommend improvements to internal controls; ascertain the extent of compliance with procedures, policies, regulations and legislation; provide reassurance to management that their policies are being carried out with facilitate good practice in managing risks; save money by identifying waste and inefficiency, and by facilitating the spread of good avoid duplication of effort by an effective partnership with the Auditor-General and other by its activities help to ensure that assets and interests are safeguarded from fraud, deter organisation (not just the financial controls);

adequate control of the associated risks;

practice; review agencies; fraudsters and possibly identify fraud. 2.14 The existence of Internal Audit in a public sector organisation should not cause a general relaxation or vigilance on the responsibility of the line managers. It is not the responsibility of Internal Audit to detect and/or prevent fraudulent activities and irregularities. This is the responsibility of all officers, managers and the Accounting Officer.

GUIDELINE ONE: NATURE, OBJECTIVES AND SCOPE OF INTERNAL AUDIT
NATURE OF INTERNAL AUDIT 1 Internal Auditing is an independent objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. The effect of Internal Audit should be continual improvements and refinements to the internal control system as a contribution to proper, economic, efficient and effective use of government resources. OBJECTIVES OF INTERNAL AUDIT
Internal Auditing Guidelines February 2001 Page 4 of 33

2

Internal Audit has two main objectives. These are to: a) ensure that internal control and risk management systems are continually being improved and optimised in response to an ever changing environment; b) provide reasonable assurance to the relevant Accounting Officer and the Audit Committee that significant risks in the public sector organisation are being appropriately

3

managed, with an emphasis on the role of internal controls. The way that these objectives are achieved will vary between countries and organisations. This leads to a variety of different approaches to Internal Audit. This subject is covered in the Guideline below on Approaches to Internal Audit. The Head of Internal Audit should be consulted when the Accounting Officer wishes to change the system of internal control. The Head of Internal Audit should be required to co-ordinate inter-ministerial or departmental issues concerning control. If Internal Auditors are used to investigate potential fraud or irregularity they will need specialist knowledge and experience. An expert team should be created to investigate cases of actual or potential fraud and irregularity. INTERNAL CONTROL

4

5

6

Internal control has been defined by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) in Internal Control – Integrated Framework, as: 'A process, effected by an entity’s board of directors, management and other personnel(people), designed to provide reasonable assurance regarding the achievement of objectives in the following categories: • • Effectiveness and efficiency of operations; (basic operational objectives, performance goals and safeguarding resources) reliability of financial reporting • compliance with applicable laws and regulations.' Internal control is a management tool used to provide reasonable assurance that the public sector organisation's objectives are being achieved efficiently. Internal control covers the whole system of controls, policies and procedures established by management to meet their targets and objectives. The responsibility for the adequacy and reliability of internal controls rests with management. The relevant Accounting Officer has overall responsibility for the establishment and maintenance of internal controls within their area of responsibility. The Accounting Officer of each public sector organisation should ensure that proper internal controls are introduced, reviewed, and updated to keep them effective. An Audit Committee can assist with this role. SCOPE OF INTERNAL AUDIT

7

8

9

The potential scope of Internal Audit is the whole system of internal control established
February 2001 Page 5 of 33

Internal Auditing Guidelines

by a public sector organisation. This may include controls over all the organisation's activities, not just controls over financial accounting and reporting. Internal Audit should review all significant operational and management controls, including policies and procedures for the management of risk. However, Internal Audit should concentrate its 10 efforts on the high risk areas and the most important internal controls. The Accounting Officer and Audit Committee should not restrict Internal Audit to work on financial systems or checking that assets are safeguarded. Internal Audit work should go beyond the accounts to check that public officials and others entrusted with public resources are: a) complying with applicable laws and regulations b) achieving government objectives and desired services or benefits established by the 11 public sector organisation. The Audit Committee and the Accounting Officers should ensure that Internal Audit has the widest scope to ensure that internal controls across the whole public sector 12 organisation may be subject to review by Internal Audit. Internal Audit should have unrestricted access to all the people, systems, documents and property it considers necessary for the proper fulfilment of its responsibilities.

Internal Auditing Guidelines

February 2001

Page 6 of 33

3
3.0

INTERNAL AUDIT INDEPENDENCE Explanatory Notes:
Internal Audit should be sufficiently independent from line management to ensure that Internal Audit's professional judgements and recommendations are objective and impartial. To be effective, Internal Audit needs to have adequate authority and report at a sufficiently senior level within the public sector organisation. As a result, the Head of Internal Audit should report (for pay and rations) at a level at least equivalent to the Accountant-General in the Ministry of Finance or the Permanent Secretary in other ministries. Internal Audit should also report to an Audit Committee and have a direct reporting line to the Accounting Officer.

3.1

3.2

It is generally considered that Internal Audit should not report to a manager if Internal Audit regularly reviews systems that this manager is directly responsible for. For this reason, in some countries it is considered inappropriate for the Accountant-General to be responsible for Internal Audit. The reason for this is that the Accountant-General is the accounting advisor to the Permanent Secretary in the Ministry of Finance and is also in charge of the treasury and the national accounts. The Head of Internal Audit regularly reviews systems that the AccountantGeneral is responsible for and so should not report on these systems to the same officer.

3.3

Internal Audit will achieve respect through the status it is given in a public sector organisation. For the individual Internal Auditor, objectivity is essential to ensure an attitude of mind characterised by integrity, steadfastness and an impartial approach to work. Objectivity may be impaired through familiarity both with systems and non-audit staff. This may occur if Internal Audit staff are involved with the same work assignments and ministerial officers for several years.

3.4

Internal Audit should take its authority and terms of reference from the Audit Committee and Accounting Officer to whom the Head of Internal Audit should report and have the right of direct access. Internal Audit's terms of reference (or charter) should clearly outline the nature, objectives, responsibilities and scope of Internal Audit. Internal Audit’s terms of reference should be approved by the Audit Committee subject to applicable legislation.

Internal Auditing Guidelines

February 2001

Page 7 of 33

3.5

The written terms of reference for Internal Audit should clearly: a) establish Internal Audit's position within the organisation b) establish Internal Audit's right of access to all records (both electronic or otherwise), assets, personnel and premises, and its authority to obtain such information and explanations, as it considers necessary to fulfil its responsibilities c) define the scope of Internal Auditing activities.

3.6

Objectivity is an independent attitude of mind that Internal Auditors should maintain when performing Internal Audit work. It is important that Internal Auditors always retain a critical edge in undertaking their work. Internal Auditors need to be sceptical in discussions with officers and to obtain an adequate level of proof from Audit testing.

3.7

Objectivity requires Internal Auditors to carry out Audits in such a way that the quality of their work or their honest belief in the results of that work is not compromised. Internal Auditors should not be placed in situations in which they feel unable to make objective professional judgements.

3.8

Internal Auditors should not be placed in situations in which they feel unable to make objective and impartial professional judgements. If any of the situations referred to below arise, Internal Auditors should inform their Head of Internal Audit so that alternative arrangements for the Internal Audit assignment may be made: (a) Internal Auditors, notwithstanding their employment by the organisation, should be free

from any conflict of interest arising either from professional or personal relationships or from pecuniary or other interests in an organisation or activity that is subject to Audit. (b) Internal Auditors should be free from undue influences, which either restrict or modify the

scope or conduct of his work or over-rule or significantly affect judgement as to the content of the Internal Audit report. (c) Internal Auditors should not allow their objectivity to be impaired when Auditing an

activity for which they have had authority or responsibility in the past. (d) Internal Audit should be consulted about significant proposed changes to the internal

control system or the implementation of new systems. Internal Audit may make recommendations on the standards of control to be applied without prejudicing Internal Audit's objectivity in reviewing those systems at a later date.

Internal Auditing Guidelines

February 2001

Page 8 of 33

(e)

Internal Auditors should not normally undertake non-Audit duties, but if they do,

exceptionally, they should ensure that management understands that they are not then functioning as Internal Auditors. 3.9 International best practice suggests that Audit Committees should be established. Audit Committees are generally considered to improve the independence of Internal Audit. Audit Committees should be established for each public sector organisation. Members of an Audit Committee, especially the chair, should be chosen so that they are sufficiently independent from the senior managers of the public sector organisation and so they are suitably experienced. An Audit Committee may deal with more than one organisation. 3.10 • • • The role an Audit Committee with regard to Internal Audit is that it should: approve Internal Audit's strategic and operational plans and review performance against them discuss with Internal Audit its findings and the responses of management to its major recommendations; and, periodically, its views on the overall quality of internal control consider the objectives and scope of any additional ( non-audit work) work undertaken by the Internal Auditors to ensure there are no conflicts of interest and that independence is not compromised • review the adequacy of the Internal Audit function, its adherence to professional standards, particularly independence, standing, scope, resourcing, its liaison with the Auditor-General and other review agencies and its reporting arrangements • • • • meet regularly two or three times a year and meet with the Internal Auditors at their request as they deem necessary through its Chair represent the concerns of Internal Audit to the relevant Accounting Officer, Permanent Secretary or Minister be involved in the process of appointment or dismissal of the Head of Internal Audit periodically review the Internal Audit terms of reference.

Internal Auditing Guidelines

February 2001

Page 9 of 33

GUIDELINE TWO: INTERNAL AUDIT INDEPENDENCE
13 14 Internal Auditors should be objective, and, as far as possible, operationally independent of the management of the public sector organisation. Internal Audit independence should permit it to provide impartial and unbiased judgements that are essential for its proper function. Internal Audit independence should also ensure that the Head of Internal Audit can report without 'fear or favour' to all levels within the public sector organisation. Internal Audit independence can be ensured through status and objectivity. 15 It is the responsibility of the Accounting Officer and the Audit Committee to ensure that conflicts of interest do not arise and that Internal Audit’s objectivity and independence are not compromised. If the independence or objectivity of Internal Audit is impaired, in fact or appearance, the details of the impairment should be disclosed to the Accounting Officer and the Audit Committee. STATUS 16 The Head of Internal Audit should be responsible to an individual with sufficient authority to promote Internal Audit independence and to ensure the broadest Internal Audit coverage, adequate consideration of Internal Audit reports and appropriate action on Internal Audit recommendations. Internal Audit needs the support of top management officials so that they can gain the co-operation of officers and perform their work without interference. Internal Audit should have a direct reporting line to the Accounting Officer 17 and the Audit Committee. The Head Internal Auditor should report to the Accounting Officer and an Audit Committee. TERMS OF REFERENCE 18 Internal Audit should have written terms of reference (or charter) that are agreed by the Accounting Officer and the Audit Committee. These should clearly outline the nature, objectives, responsibilities and scope of Internal Audit. The Head of Internal Audit should actively seek to develop and obtain approval of such terms of reference. The terms of reference should be reviewed and revised, if necessary, at least every three 19 years. The terms of reference for Internal Audit should include the requirement for Internal Audit to have the access, to all personnel, records, assets and property that Internal Audit 20 considers necessary for it to undertake its work effectively. The terms of reference for Internal Audit should be supported by a law, by-law or regulation that specifies the position of the Internal Auditor in the government hierarchy. OBJECTIVITY

Internal Auditing Guidelines

February 2001

Page 10 of 33

21

The term objectivity includes the requirement on the part of Internal Auditors to have an independent mental attitude to the performance of their work. Objectivity should ensure that Internal Auditors have an honest belief in their work product and that no significant quality compromises are made. Internal Auditors should not be placed in any situation where they feel unable to make objective professional judgements. Objectivity may be impaired through familiarity, with both systems and officers. This may be created by Internal Audit staff being involved with work assignments for too long a period of time. In order to maintain maximum awareness and motivation amongst Internal Audit staff, work assignments should be rotated on a planned basis. Transfers of Internal Audit staff between public sector organisations are to be recommended, every few years, where possible. Internal Audit assignments should be undertaken in such a way that there is no potential or actual conflict of interest. Internal Audit staff should not undertake Audits of systems if they worked in this area in the last year. Internal Audit staff should declare any conflict of interest that may arise. Recommending standards of control for new systems or reviewing procedures before they are implemented is part of Internal Audit work. However, designing, installing and operating systems is not an Internal Audit function. Performing such work is presumed to impair Internal Audit objectivity. POSITION

22

23

24

25

The position of Internal Audit should be categorised specifically as a Staff function as opposed to all Line Functions. Internal Auditors should not supervise or manage other sections or activities. If Internal Auditors perform non-audit work they are not functioning as Internal Auditors. Performance of such activities is presumed to impair Internal Audit objectivity. Therefore, the Internal Auditor should not undertake executive functions outside their divisional activities. The position of Internal Audit within the public sector organisation should be high enough to ensure that there is no impairment of Internal Audit scope.

26

Internal Auditing Guidelines

February 2001

Page 11 of 33

4
4.0 4.1

MANAGING INTERNAL AUDIT
Explanatory notes: The appointment of appropriate staff is important to the success of Internal Audit. Internal Auditors must be able to develop good working relationships with all officers. Internal Auditors must also be able to quickly understand how systems work and be able to identify suitable improvements. The Head of Internal Audit should ensure that all their staff are appropriately trained and receive suitable guidance.

4.2

Controlling: Internal Audit work should be controlled at all levels of operation to achieve objectives and ensure the economic and efficient use of resources.

4.3

The Head of Internal Audit should continually monitor Internal Auditors' performance. Any significant variations from work plans should be investigated and dealt with appropriately. The results of each Internal Audit assignment or groups of Audit assignments should be reviewed against Internal Audit plans. Efficiency should be assessed and any necessary revisions made to subsequent planned work.

4.4

Recording: The Head of Internal Audit should specify standards of Audit documentation, ensure that those standards are maintained and monitor compliance with the standards.

4.5

Appraisal: Like any other department, Internal Audit should be constantly appraised to ensure that its performance and value to the management of the public sector organisation is maximised. The Internal Audit function is subject to budgetary constraints, in common with all other elements of the public sector, therefore its value should continually be re-assessed. This appraisal or assessment should be undertaken by Internal Audit managers and also periodically by independent suitably experienced external assessors. The assessment should consider the views of the Accounting Officer and other senior managers on the success of Internal Audit. It may also consider Internal Audit’s effectiveness and any appropriate directional changes.

4.6

An Internal Audit management unit in the Ministry of Finance may assist in maintaining the quality of internal audit across all public sector organisations and can assist with ensuring the independence of Internal Audit. The Internal Audit management unit may have responsibility for the staffing, planning, organisation and co-ordination of Internal Audit units in all public sector organisations. The management unit may provide guidance to Internal Audit units in other public sector organisations, monitor all Internal Audit reports, and co-ordinate training across the public sector. In some countries Internal Audit units in all public sector organisations are managed by a central Controller of Internal Audit in the Ministry of Finance.

Internal Auditing Guidelines

February 2001

Page 12 of 33

GUIDELINE FOUR: MANAGING INTERNAL AUDIT
27 The Head of Internal Audit should effectively manage Internal Audit to ensure it adds value to the public sector organisation and to ensure that: (a) Internal Audit work fulfils its terms of reference (b) resources for Internal Audit are used efficiently and effectively (c) Internal Audit staff undergo suitable professional development (d) Internal Audit work conforms to approved standards 28 (e) the morale of Internal Audit staff is developed and maintained. The Head of Internal Audit should submit periodic activity reports to the Accounting Officer and the Audit Committee. These reports should compare: (a) actual performance with goals and Internal Audit plans (b) actual expenditures with financial budgets. The Head of Internal Audit should explain major variances (positive or negative) together 29 with action taken to address these. The Head of Internal Audit should ensure that Internal Audit staff are provided with a suitable Audit Manual including written policies and procedures to guide them with their work. This guidance should also include programmes for particular Internal Audit assignments. The Internal Audit programmes should specify reporting lines at each level of 30 management. The Head of Internal Audit should ensure that the work of all levels of Internal Audit staff is effectively supervised from planning to conclusion. This supervision should include: (a) provision of suitable instructions and guidance at the outset of an Internal Audit assignment and approving the Audit programme (b) seeing that the approved Audit programme is carried out unless deviations are both justified and authorised (c) ensuring that Internal Audit staff understand the work to be undertaken and obtain and document sufficient relevant and reliable audit evidence (d) determining that Internal Audit objectives are being met. MANAGEMENT REVIEW 31 All Internal Audit working papers and reports should be reviewed by Internal Audit managers before the reports are released. This review should include: (a) determining that Audit working papers adequately support the Audit findings, conclusions and report (b) making sure that Audit reports are accurate, objective, clear, concise, constructive and 32 timely. Internal Audit working papers should show clear evidence of this management review. QUALITY ASSURANCE APPRAISALS
February 2001 Page 13 of 33

Internal Auditing Guidelines

33

There should be periodical reviews of Internal Audit performance to ensure that its performance and value to the management of the public sector organisation is maximised and to ensure compliance with appropriate standards and guidance. The Head of Internal Audit should establish and maintain a quality assurance programme to evaluate the operations of Internal Audit. This programme should provide reasonable assurance that Internal Audit work conforms to relevant standards and these Internal Auditing Guidelines. It should also ensure that Internal Audit adds value by improving internal control. This quality programme should include: (a) supervision (b) internal review (c) external review. Supervision of Internal Audit work should continuously ensure conformance with the Institute of Internal Auditors Standards, these Internal Auditing Guidelines, department policies and Audit programmes. Internal reviews should be performed periodically by senior Internal Audit staff to appraise the quality of the Internal Audit work that is undertaken in all public sector organisations. External reviews should be performed to assess the quality of Internal Audit work against these Guidelines. These reviews should be performed by suitably qualified Internal Auditors who are independent of the organisation and who do not have either a real or an apparent conflict of interest. The external reviews should be undertaken at least once every five years. On completion of such reviews, formal written reports should be issued to the relevant Accounting Officer and the Audit Committee. These reports should express an opinion on Internal Audit's compliance with these Internal Auditing Guidelines and, where necessary, should include recommendations for improvement.

34

35

36 37

38

5. 5.0
5.1

PROFESSIONAL PROFICIENCY Explanatory notes:
In carrying out their duties Internal Auditors should exercise due professional care, that is competence based on appropriate experience, training, ability, integrity and objectivity.

5.2

Due professional care is defined as carrying out Internal Audit work with competence and diligence. Due care does not mean infallibility. Consequently Internal Auditors cannot provide absolute assurance that non-compliance or irregularities do not exist. However, it will be incumbent upon the Internal Auditor to consider the effect of significant weaknesses in the systems under review and evaluate the possibility of material irregularity or non-compliance with the

Internal Auditing Guidelines

February 2001

Page 14 of 33

legislation and regulations when undertaking Internal Audit. 5.3 Professional care requires the use of Audit skills and judgements based on appropriate experience, training, ability, integrity and objectivity. The level of professional care to be exercised should be appropriate to the objective and complexity of the Internal Audit work being performed. 5.4 In order to demonstrate due professional care, Internal Auditors should be able to show that their work has been performed in the manner which meets the criteria set by these Internal Auditing Guidelines or specific departmental policies. 5.5 Internal Audits should be performed by, or supervised and controlled by, Audit staff who have the technical skills, experience and perspective which will enable them to comply with these Guidelines. This is necessary to maintain Internal Audit's credibility as a dependable instrument of management. 5.6 The Head of Internal Audit should therefore ensure that Audit staff have the capacity to meet the responsibilities identified by the terms of reference agreed with the Audit Committee and the Accounting Officer. 5.7 The Head of Audit should ensure that all Internal Audit staff are reminded of their ethical responsibilities and also ensure that their declarations of interest are reviewed, and where appropriate, updated at least once a year.

5.8

Internal Auditors should not accept any gift or inducement from an officer, worker, supplier or other third party. Information acquired by Auditors in the course of their work should not be used for unauthorised purposes or for personal benefit or gain. Internal Auditors should only accept hospitality when this is consistent with the public sector organisation’s documented arrangements.

5.9

The most important source of information for Internal Auditors is the staff working within the area subject to Audit. These officers know how the system actually operates and should have a reasonable idea of how practical any improvements may be. Thus interviewing skills are essential for all Internal Auditors. Internal Auditors need to be able to understand what may be a complex system. Internal Auditors also need to be able to critically assess each stage of the process. Why is its performed? Could it be undertaken more efficiently?

Internal Auditing Guidelines

February 2001

Page 15 of 33

5.10

Staff who operate the system will know what they do, but not necessarily why they do it. They may also try and explain the system in the most positive light. The skill of Internal Auditors is to enable all the staff they interview to open up and describe what they actually do (not just what they think they should do) and to identify any aspects they think could be improved. Understanding why each step is taken is more difficult. Staff may just do it “because we’ve always done it that way” or even worse “because the Auditors told us to”!

5.11

An experienced Internal Auditor will ensure that the staff they talk to are relaxed and so describe the system, its bad points as well as the good points. They will also challenge the staff to ensure that they describe what actually happens and through discussion ascertain whether any improvements are possible and practical.

Internal Auditing Guidelines

February 2001

Page 16 of 33

GUIDELINE FIVE: PROFESSIONAL PROFICIENCY
Staffing 39 Internal Auditors should be appointed through free and open competition on the basis of merit. The criteria used to fill Internal Audit posts should be suitable and clearly documented. They should be developed after considering the level of required scope and responsibility. Deliberate attempts should be made to ensure the proficiency and qualifications of each prospective Auditor. Compliance with Codes of Conduct 40 Internal Audit staff should follow existing codes of conduct and ethics for their organisation. All professional Internal Audit staff should be members of the relevant accounting or Internal Auditing professional body and follow their code of conduct or ethics. All Internal Auditors should follow a professional code of conduct which calls for: a) high standards of honesty b) high standards of diligence c) high standards of loyalty. Knowledge Skills and Discipline 41 Internal Auditors should be required to (individually) possess the knowledge, skills and competencies essential to the performance of effective Internal Audit. Internal Audit staff should be required to possess the following skills: a) proficiency in applying Internal Auditing Guidelines b) knowledge of techniques required to perform Internal Audit c) proficiency in accounting principles and techniques (especially government accounting) d) an understanding of management principles and administrative procedures to enable recognition and evaluation of the materiality and significance of deviations from good and acceptable practice. Human Relation and Communication 42 Internal Auditors should possess the skills required to deal with people and to communicate effectively. They should cultivate harmonious relationships with officers and managers. Internal Auditors should be proficient in oral and written communication to enable effective reporting. Continuing Education 43 Training of Internal Auditors should be a planned and continuous process at all levels and should be designed to cover: a) basic training providing the minimum level of skills and knowledge which all
Internal Auditing Guidelines February 2001 Page 17 of 33

Internal Auditors should possess b) development training in Audit skills, techniques and behavioural aspects to improve the effectiveness of those staff currently engaged as Internal Auditors c) management training for those Auditors with responsibility for managing and directing Audit teams, together with those staff members who show the potential for management positions d) specialist training for those Auditors responsible for a special field of Audit work which requires specialist skills and knowledge, for example, computer auditing or 44 performance auditing. Internal Auditors, as responsible Government officers, should be responsible for continuing their education in order that they maintain their knowledge, skills and proficiency. They should keep themselves informed on changes and developments in their public sector organisation's activities and other Government developments. Internal 45 Auditors also need to be aware of developments across the Internal Auditing profession. If there is an Internal Audit management unit in the Ministry of Finance, this unit should be responsible for the co-ordination of training requirements for all government Internal Auditors. The foundation, from which the assessment of training requirements of Internal Audit will be derived, should be the database of Internal Audit staff in all public 46 sector organisations. Internal Auditors should be aware of their responsibility for continuing their education on order to maintain their proficiency through participation in professional societies, conferences and seminars, college courses, in-house training and engage in research to identify new Internal Auditing developments. Due Professional Care 47 The term due professional care means and includes the application of the care and skill expected of a reasonable, prudent and competent Internal Auditor in the same or similar 48 circumstances. In exercising due professional care, Internal Auditors should be alert to the following: a) the possibility of intentional wrong doing b) errors and omissions c) inefficiency, waste, ineffectiveness d) conflicts of interest e) conditions and activities likely to give rise to irregularities 49 f) inadequate control situations. In exercising due professional care the Head of Internal Audit is required to consider the following: a) the extent of Internal Audit work needed to achieve the Audit objectives
Internal Auditing Guidelines February 2001 Page 18 of 33

b) the relative complexity, materiality or significance of matters to which Audit procedures are applied c) adequacy and reliability of risk management and control processes d) likelihood of material irregularities or non-compliance e) the cost of Internal Audit work compared to potential benefits or the risk of poor internal controls.

6. 6.0
6.1

RELATIONSHIPS Explanatory notes:
Management and staff at all levels should have confidence in the integrity, independence and capacity of Internal Audit. This should be reflected and maintained in good working relationships between Internal Auditors and the staff in the sections that they review.

6.2

The Head of Internal Audit should seek to foster and maintain constructive working relationships with stock verifiers, fraud investigators, inspectors and any other review staff. Consultations between Internal Audit and review staff should lead to effective co-ordination and minimise

Internal Auditing Guidelines

February 2001

Page 19 of 33

duplication of work. 6.3 Internal Audit should not improperly disclose any information obtained during the course of their work. Permission should be provided by senior management before any information is passed outside the organisation. Internal Audit will, quite properly, reveal to appropriate responsible parties (for example, police or Auditor-General) all material facts they have established which, if not so revealed, may prevent the uncovering of unlawful acts or could distort Audit reports. The passing of this information should be treated as confidential and legally privileged. That is the Internal Auditor will be exempt from any legal liability from the passing of such information. 6.4 It is important for Internal Audit to market the services it can provide to managers. This could include producing leaflets and making presentations to Accounting Officers and other senior officers on the services, assistance and role that Internal Audit can play. 6.5 The relationship between Internal Audit and the Auditor-General's Office needs to take account of their differing roles and responsibilities. Internal Audit is an independent appraisal function within the organisation and Internal Auditors are direct employees. It is the Auditor-General's role to ensure that the financial statements, operating performance and related statements are properly stated in all material respects. Internal Audit and the Auditor-General may also have responsibility for performance audit to ensure that economy, efficiency and effectiveness are improved. 6.6 The aim should be to achieve mutual recognition and respect, leading to a joint improvement in performance and the avoidance of unnecessary overlapping of work. It should be possible for the Auditor-General and the Head of Internal Audit to rely on each other's work, subject to limits determined by their different responsibilities, respective strengths and special abilities. Consultations should be held and consideration given to whether any work of either Auditor is adequate for the purpose of the other. Internal Audit does not automatically have a right of access to the records of the Auditor-General. However, the relationship between the Head of Internal Audit and the Auditor-General should be such that the Auditor-General will allow access to the necessary records. 6.7 The Head of Internal Audit should seek, where appropriate, co-ordination of the plans of Internal Audit with those of the Auditor-General's Office and the programme of, for example, stock verifiers. This co-operation should promote the most effective total audit coverage and should avoid duplication of work. The Auditor-General's Office will have to decide if they can place reliance on the work of Internal Audit and so reduce the amount of work undertaken by their own

Internal Auditing Guidelines

February 2001

Page 20 of 33

staff. 6.8 • • • The Head of Internal Audit should meet regularly with staff from the Auditor-General's Office to: discuss work plans for Internal Audit and the Auditor-General's Office agree and review the performance of the work relied on evaluate the relationships with the Auditor-General's Office and report as required to the Accounting Officer and Audit Committee on this relationship • • • • agree access to each other's audit programmes and working papers exchange audit reports and management letters enhance understanding of each other's audit techniques and methods discuss any other matters of mutual interest.

GUIDELINE SIX: RELATIONSHIPS
50 Internal Audit’s relations with other staff in the public sector organisation, the AuditorGeneral, stock verifies and other review agencies should be based on mutual confidence, understanding of each others needs and a reciprocal desire for co-operation. Management, at all levels should have complete confidence in the integrity, 51 independence and capability of the Internal Audit unit. There should not be any form of rivalry or conflict between the Internal Auditors and staff in the Auditor-General's Office. Similarly, there should be a constructive 52 relationship between Internal Auditors, stock verifiers and other review agencies. The Head of Internal Audit should initiate action to ensure the development of coordination, effective working relationships and the avoidance of duplication of work with other review agencies. This could include: a) liaison meetings to discuss matters of mutual interest b) arranging for access to each other’s plans, system notes and findings c) arranging for consultation on plans and proposed visits d) reviewing training proposals to arrange joint training sessions where possible e) dissemination of literature for discussion to promote understanding of techniques, 53 54 methods and terminology. Copies of Internal Audit reports should be made available to the Auditor-General for information and co-ordination. Internal Auditors should be familiar with the legislation that defines the statutory responsibility, duty and rights of access of the Auditor-General. The Head of Internal Audit should recognise the differences between the roles of Internal Audit and that of the
Internal Auditing Guidelines February 2001 Page 21 of 33

55

Auditor-General. The staff of the Auditor-General's Office may review the effectiveness of Internal Audit as part of their evaluation of management control arrangements. This review should determine the extent that the Auditor General's Office is able to rely on Internal Audit work. Internal Audit should not necessarily undertake special tasks at the request of the Auditor General's Office. However, routine, planned Internal Audit work may be used by the Auditor General's Office for their own purposes. The relationship between the Internal Auditor and the public sector organisation should be considered legally privileged. That is the Internal Auditor will be exempt from any legal liability from the proper undertaking of their work. Internal Auditors should not release Audit findings or other information outside the normal reporting arrangements without the knowledge and permission of those concerned. Internal Auditors should normally consult and advise managers when arranging Audit visits to their department. The exception to this rule would be for unannounced surprise visits.

56

57

7.
7.0

INTERNAL AUDIT PLANNING Explanatory notes:
Internal Audit work should be planned at all levels of operation in order to establish priorities, achieve objectives and ensure the efficient and effective use of Audit resources. Planning should be based on Internal Audit's terms of reference and allow for coverage of all significant systems, operations, staff and sites within the public sector organisation.

7.1

7.2

Internal Audit plans should be based on a comprehensive understanding of the public sector organisation and the way in which it operates. High-risk systems or transactions and any known problem areas should be clearly identified. The emphasis of the Internal Audit plan should be directed towards these systems.

7.3

Internal Audit plans should be developed in consultation with senior staff and the relevant Accounting Officer. The appropriate Audit Committee should then approve the Internal Audit plans.

Internal Auditing Guidelines

February 2001

Page 22 of 33

7.4 • • • • • • • • 7.5

Internal Audit planning should include the following steps: identify all auditable activities within the agreed scope of Internal Audit carry out a risk assessment on these activities in conjunction with management, identifying categories such as high, medium, low prepare an audit needs assessment based on the risk assessment develop an overall strategic plan from the audit needs assessment to cover these risks, over, say, a three-year period bring to the Accounting Officer and/or the Audit Committee's attention any mismatch between Audit needs and actual Audit resources identify systems to be covered in the first year of the strategic plan and prepare an annual Internal Audit plan discuss the strategic and annual plans with appropriate senior managers, Accounting Officers and the Auditor-General's Office and amend as necessary present the plans to the Accounting Officer and/or the Audit Committee for approval. Internal Audit plans should be amended as necessary to take account of changing circumstances. The Accounting Officer and the Audit Committee should formally approve all significant changes to the Internal Audit plans.

GUIDELINE SEVEN: INTERNAL AUDIT PLANNING
58 59 The Head of Internal Audit should establish plans to carry out the responsibilities of Internal Audit consistent with the public sector organisation's goals and objectives. The Internal Audit planning process should include the following: (a) identifying goals (b) preparation of strategic Internal Audit plans (c) establishing proper staffing plans and financial budgets 60 (d) preparation of activity reports. Internal Audit plans should: (a) establish a list of systems that could be Audited and prescribe a period within which it is desirable that each significant system should be examined (b) define the tasks to be performed (c) assist in the direction and control of work by identifying critical areas, setting target 61 dates and allocating resources. To be effective, the Head of Internal Audit should: (a) define audit needs taking into account the Internal Audit's terms of reference (b) identify the staff and other resources needed and reconcile these with available, resources
Internal Auditing Guidelines February 2001 Page 23 of 33

(c) choose an appropriate time period for the Audit plans (d) record all plans in writing 62 (e) monitor work against planned activity and revise plans as appropriate. Internal Audit plans should be based on a risk assessment. The risk assessment process, to be conducted at least annually, includes an assessment of: a) relevant risks and their significance b) consideration of senior management, the Accounting Officer and the Audit Committee's professional judgement 63 c) identification of activities to be audited. Internal Audit strategic plans should take into account the following factors: (a) the date and results of the last Internal Audit assignment (b) the estimated time required, taking into account the scope of the planned work and the nature and extent of audit work to be performed by others. (c) requests by management (d) major changes in operations, programs systems, and controls (e) staffing, planning and effective utilisation of financial budgets (f) Internal Audit priorities 64 (g) flexibility to cover unanticipated demands on the department. Internal Audit plans and staffing and financial budgets should be developed from strategic plans, administrative activities, education and training requirements and research and 65 development efforts. The Head of Internal Audit should submit annually to the Accounting Officer and Audit Committee for approval a summary of Internal Audit's strategic plans, staffing plans and financial budgets. All significant amendments to these plans should similarly be approved 66 by the Accounting Officer and Audit Committee. The Head of Internal Audit should explain, if necessary, why the Audit needs are not being met. This should prompt the relevant Accounting Officer to take action to ensure that their public sector organisation is provided with sufficient Internal Audit resources.

Internal Auditing Guidelines

February 2001

Page 24 of 33

8 8.0
8.1

APPROACHES TO INTERNAL AUDIT Explanatory notes:
There are several different approaches to Internal Audit. International best practice suggests that systems audit is the most effective way that Internal Audit can add value to an organisation. However, in many countries it is considered necessary for Internal Audit to complement systems audit with a pre-audit approach. If a pre-audit approach is adopted the Head of Internal Audit, the Audit Committee and the Accounting Officer should discuss the extent that this is necessary. They should also consider suitable means of reducing the proportion of time that Internal Auditors spend on pre-audit work.

8.2

The systems approach to Internal Audit seeks to assess and improve the effectiveness of the public sector organisation’s internal control system. The prime purpose of a systems Audit should be to evaluate the extent to which the system may be relied upon to ensure that the objectives of the system are met. Where internal controls are not adequate and reliable Internal Audit should make practical recommendations to ensure that these controls are improved.

8.3

Internal Audit evidence should be adequate to meet the objectives of Audit assignments. Internal Auditors should be satisfied with the nature, adequacy and relevance of Audit evidence before placing reliance on that evidence. Information should be collected analysed and documented by the use of appropriate Audit techniques.

8.4

The production of Audit evidence should be supervised and reviewed by the Head of Internal Audit. To meet an acceptable standard the evidence should be sufficiently adequate and convincing to the extent that a prudent, informed person would be able to appreciate how the Auditor's conclusions were reached.

8.5

Internal Audit may also complement its systems approach with other techniques, for example: • • • • performance auditing control self assessment advice and assistance on control issues helping with risk management.

Internal Auditing Guidelines

February 2001

Page 25 of 33

GUIDELINE EIGHT: AUDIT APPROACH
67 Internal Auditors should ensure that their approach and methods enable them to discharge their responsibilities effectively. This will involve careful thought and discussion with the Accounting Officer, the Audit Committee and others on the most effective approach to 68 Internal Audit given the particular circumstances of the public sector organisation. Internal Audit should assess and improve the public sector organisation's risk management, control, and governance processes. The internal auditing activity should assist the public sector organisation in maintaining effective controls. Assistance can be provided by evaluating the public sector organisation's controls to determine their effectiveness and efficiency and by developing recommendations for improvement. Internal Auditors should ensure that the costs of maintaining controls balances the potential benefits. SYSTEM APPROACH 69 Internal Audit should, where possible, adopt a systems approach. The systems approach aims to asses and helps to improve the control features that govern the system. This approach should provide reasonable assurance that existing controls will ensure that each 70 system’s objective is achieved. When undertaking systems audit an Internal Auditor should: a) document and analyse the internal control system across all public sector organisations and establish Internal Audit plans b) identify and evaluate the controls that are established in individual systems to achieve the public sector organisation's objectives in the most economic and efficient manner c) obtain and record relevant, reliable and sufficient audit evidence to support their findings and recommendations d) report findings and recommendations for each individual system that is Audited e) provide an opinion on the adequacy and reliability of the controls in the individual system under review f) provide periodic assurance based on an evaluation of the whole internal control system 71 across all public sector organisations. The use of the systems approach should enable Internal Audit to confirm the following: a) the official system b) whether it is operating according to agreed guidance and regulations c) whether the system is adequate 72 d) whether the controls are reliable. The system's adequacy should be used to ascertain the following: a) what should happen to achieve the system’s objectives b) what could go wrong in view of the system's design c) what has been done to stop things going wrong.
Internal Auditing Guidelines February 2001 Page 26 of 33

9
9.0 9.1

REPORTING, MONITORING AND FOLLOW UP
Explanatory notes: The findings and recommendations arising from each Internal Audit assignment should be promptly reported to management. The recommendations should then be followed up to check that agreed action has been implemented. A summary of Internal Audit findings, recommendations and activities should be submitted periodically to the Accounting Officer and the Audit Committee.

9.2 • • • 9.3 • • • 9.4 • •

In general Internal Audit reports should: state the scope, purpose, extent and conclusions of the Internal Audit assignment, including Internal Audit's opinion on the adequacy of controls make recommendations that are appropriate and relevant, that call for action to correct identified weaknesses or improve the efficiency of operations acknowledge the action taken, or proposed, by management. Recommendations included in the Internal Audit reports should: be practical and provide constructive solutions to problems identified be sufficiently detailed to act as a guide for action and facilitate the efficient achievement of the organisations objectives be prioritised based on the significance of the weakness identified. Conclusions are the Internal Auditor's evaluations of the effects of the findings on the particular system reviewed. They should: put the findings in perspective based on the overall implications and significance of the weaknesses identified identify the extent to which the system's control objectives are being achieved and the degree to
February 2001 Page 27 of 33

Internal Auditing Guidelines

which the internal control systems should ensure that the goals and objectives of the public sector organisation are accomplished efficiently. 9.5 Management should be required to respond in writing to each Internal Audit report. Management and Internal Audit should agree officer responsibility and target dates for implementation of agreed recommendations. The responsibility for final editing of Audit reports should remain with the Head of Internal Audit who should always retain the right to issue reports without further editing. 9.6 Follow-up activity is the process by which Internal Audit confirms that agreed recommendations have been implemented by line managers. Internal Audit should periodically follow up Audit reports to review and test the implementation of agreed Internal Audit recommendations. 9.7 The Head of the Internal Audit should submit to the Accounting Officer and Audit Committee, at agreed intervals, a report of Internal Audit activity and results. The report should compare actual Internal Audit activity against the annual Internal Audit plan and should clearly indicate the extent to which the total Internal Audit needs of the public sector organisation have been met. 9.8 In the annual Internal Audit report the Head of the Internal Audit should give a formal opinion to the Accounting Officer and Audit Committee on the extent to which reliance can be placed on the public sector organisation’s internal control system. The attention of the Accounting Officer and Audit Committee should be drawn to any major Internal Audit findings where action appears to be necessary but has not been undertaken.

GUIDELINE NINE: INTERNAL AUDIT REPORTING
73 The Head of Internal Audit should report periodically to the Accounting Officer and the Audit Committee on Internal Audit's purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risks and control issues, corporate governance issues, and other matters needed or requested by the Accounting 74 Officer and the Audit Committee. The findings and recommendations arising from each Internal Audit assignment should be
February 2001 Page 28 of 33

Internal Auditing Guidelines

promptly reported to the Accounting Officer and others who are affected by the report. The final Internal Audit report including any comments from the Accounting Officer should be 75 reported to the Audit Committee. The Head of Internal Audit should have complete freedom in the way in which Internal Audit findings are reported and to whom each report is issued. The Head of Internal Audit 76 should review and approve each final Internal Audit report before it is issued. Internal Audit reports should contain all material facts known to the Auditor concerning the system under review to avoid distortion or concealment of any unlawful or improper 77 practice. Internal Audit reports should be regarded as confidential and exclusive to the public sector organisation concerned except for privileged external reviews by the Auditor-General and 78 Permanent Secretary to the Treasury. The Head of Internal Audit should submit monthly or periodic progress reports to the Accounting Officer and the Audit Committee and explain significant deviations from 79 approved strategic plans, staffing plans and financial budgets. The Head of Internal Audit should provide an annual report to the Accounting Officer and the Audit Committee. This report should include: a) the Head of Internal Audit's opinion on the adequacy and reliability of the whole internal control system b) the extent that the Internal Audit needs of the public sector organisation have been met c) any significant Internal Audit findings where action appears necessary but has not been taken d) any systems within the public sector organisation where the internal controls are not adequate and reliable e) a comparison of actual Internal Audit activity against the agreed annual plan. COMMUNICATING RESULTS 80 When communicating results of their work Internal Audit should: a) oral reports may be issued and should be confirmed in writing b) discuss conclusions and recommendations at appropriate ministerial, departmental or regional levels before issuing final written reports c) issue a signed written report after each Internal Audit assignment that is objective clear, concise, constructive and timely. d) give reports which clearly present the purpose, scope and results of the Audit e) give reports with recommendations for potential improvement, suggestions of corrective action and acknowledgement of satisfactory performance f) obtain and include in the report the system managers' views about the conclusions or recommendations
Internal Auditing Guidelines February 2001 Page 29 of 33

g) include the officer who is to implement each agreed recommendation and a target dates for its implementation. MONITORING AND FOLLOW-UP 81 Internal Auditors should follow up their reports to ascertain that appropriate action is taken on agreed Internal Audit recommendations. Internal Audit should determine, with appropriate Audit testing, that corrective actin has been taken and is having the desired 82 effect. If the Accounting Officer does not agree with an Internal Audit recommendation or does not ensure that agreed recommendations are implemented they should accept the associated risks. The Audit Committee may advice the Accounting Officer to implement an Internal 83 Audit recommendation if it considers necessary to achieve sound internal control. The Auditor-General may review and report on the extent that Internal Audit recommendations have been implemented. Internal Audit may also review the extent that recommendations made by the Auditor-General have been implemented.

Internal Auditing Guidelines

February 2001

Page 30 of 33

Glossary of Technical Internal Audit Terms
Accounting Officer – the head of a government ministry or department who is personally responsible for the management and internal controls of the ministry or department and any fraud or irregularity that may occur. Adequacy of internal control – an assessment of the quality of internal control. Controls may be considered to be adequate if, when applied consistently, the controls should help to provide reasonable assurance that a control objective will be achieved. Auditor-General – the head of the government’s external audit service. The Auditor-General is responsible for certifying that the government accounts show a true and fair view, there has been a proper use of public funds and often for undertaking value for money reviews. Audit Committee – a high level committee, comprising, where possible, independent, nonexecutive members, with responsibility for overseeing the independent review of the framework of internal control, monitoring the Internal Audit function and the external audit processes. Audit Needs Assessment - an assessment undertaken by Internal Audit in consultation with managment to determine the extent of Internal Audit that is needed within an organisation and the frequency that particular systems should be reviewed. Control objectives – the objectives of a control system. Used by Internal auditors as a framework for undertaking systems auditing and so assessing the overall quality of the internal control system. Control Self Assessment – an approach to risk management, that may be facilitated by Internal Audit, that enables management to assess the risks and controls to the achievement of the organisation’s objectives. It may include the development of a risk register that lists the main risks the organisation faces and an action plan for improvements to internal control. Head of Internal Audit - is a generic title for Chief Internal Auditor or Director of Internal Audit or any other equivalent title. Internal Audit - is an independent objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal Control - is a process, effected by an entity’s board of directors, management and other personnel (people), designed to provide reasonable assurance regarding the achievement of objectives in the following categories: • effectiveness and efficiency of operations; (basic operational objectives, performance goals and safeguarding resources) • reliability of financial reporting • compliance with applicable laws and regulations. Management - implies the Permanent Secretary and Accounting Officers in Ministries, or Controlling officers in Regions or other responsible officers in a public sector organisation. Performance Audit – an approach to Audit that aims to improve the economy, efficiency and effectiveness of operations. The objective of Performance Audit is to improve the value for money provided by a public sector organisation. Public Sector Organisation – types of public sector entities, for example, ministries, departments, regions or districts, as examples of the range of possible governmental entities that may exist.
Internal Auditing Guidelines February 2001 Page 31 of 33

Reliability of Internal Control – an assessment of the extent that internal controls are applied consistently by all staff, at all times and in all circumstances. Risk – the chance (or probability) that one or more of the organisation’s objectives will not be achieved. It may refer to the failure to achieve objectives efficiently or the occurrence of unwanted outcomes. It may also refer to the inability to exploit possible opportunities. Risk management - the formal identification, assessment and planned management of significant risks facing the organisation. Systems Audit - systems audit is the structured analysis of internal control in relation to the objectives of the organisation. Systems audit should enable internal audit to make practical recommendations to address any weaknesses that have been identified within the context of risks to the achievement of the system’s objectives. It should also enable internal audit to form an opinion on the adequacy and reliability of the organisation’s internal control system.

Internal Auditing Guidelines

February 2001

Page 32 of 33

Sign up to vote on this title
UsefulNot useful