GOVERNMENT OF UGANDA
INTERNAL AUDIT & INSPECTION MANUAL
Article 6
Financial Audits
6.1 Introduction
6.2 Definition of Financial Audit
6.3 Objective of a Financial Audit
6.4 Financial Audit Procedures, Preparations and Execution
6.5 Review of Financial Processes
Article 7
Audit Inspection
7.1 Introduction
7.2 PAF Inspection Procedures Overview
7.3 Audit Inspection of Missions Abroad
7.4 Compliance & Inspection Checklist
7.5 Annual Accounts
7.6 Inspection of Computerised Accounting Systems
Article 8
Performance Audits
8.1 Introduction
8.2 Definitions
8.3 Questions Answered by a Performance Audit
8.4 Concepts in Performance Auditing
8.5 Approaches to Performance Auditing
8.6 Performance Auditing and the International Auditing Standards
8.7 Performance Audit Methodology
8.8 Understand the entity's activities
8.9 Deciding on the main elements of the study
8.10 Analysing the main study question into sub-questions
8.11 Identifying criteria
8.12 Identifying the Audit Evidence That Answers the Study Questions
8.13 Selecting the Methods of Interpreting Audit Evidence
8.14 The Preliminary Study Report
8.15 Summarising, Analysing and Interpreting Audit Evidence
8.16 Documentation
8.17 Reviewing the Evidence
8.18 Reporting
8.19 Criteria Used to Assess Performance
Article 9
Systems Audit
9.1 Manual Purpose and Contents
9.2 Basic Terminology
9.3 System Audit General Description
9.4 Assessment Effectiveness of Internal Control System
9.5 Audit of Operations
Article 10
Information Technology Audit
10.0 Introduction
10.1 Understanding IT Controls
10.2 Internal Auditing Role in relation to IT
10.3 Common IT Process Controls
10.4 Risk Considerations in Determining the Adequacy of IT Controls
10.5 Control Characteristics to Consider
10.6 The IT Audit Procedures
10.7 Planning an IT Audit
10.8 Risk Scoring System
10.9 Application Audit Programme
10.10 Other Issues To consider In the Audit Programme
10.11 Audit Methodology and Best Practices: Summary
10.12 Audit of the Integrated Financial Management System (IFMS)
10.13 Review of IFMS General Controls
10.14 Computer-Assisted Audit Techniques (CAATS)
10.15 Auditor/Inspector Knowledge Considerations
Article 11
Fraud and Irregularities
11.0 Introduction
11.1 Fraud Red Flags
11.2 Understanding the Business and the Risk of Fraud & Irregularities in Each Business Area/Process
11.3 Assessing the Impact of Each Possible Fraud & Irregularities Based on its Severity and Potential Frequency
11.4 The Internal Auditor's/Inspector's Role
11.5 Conduct of the Investigation
11.6 Interviewing
11.7 Interviewing Techniques for Fraud Investigations
11.8 Fact Finding Interviews
11.9 Interviews with Suspect(s)
11.10 Interview Notes
11.11 Voluntary Statements under Caution
11.12 Other Relevant Areas
11.13 Components of an Appropriate Anti-Fraud and Irregularities Culture
Article 1
Purpose and Contents of the Manual
This manual is a handbook for use by the Government of Uganda Internal Audit staff,
departments, agencies, etc. It is tailored to help Internal Audit adequately discharge
its statutory and professional responsibilities towards those being
audited and the people of Uganda.
The manual provides the tools for Internal Audit Service staff to carry out the planning,
monitoring, reporting and execution of internal audit. It offers a number of different audit
approaches, along with the planning tools to decide which approach best fits the local
circumstances.
This manual should be considered as a working document, subject to amendments as new
regulations, rules and working practices are introduced. It is the property of the Government of
Uganda.
1.1
This manual shall be available to all audit personnel and used as guidance in the
conduct of all Internal Audit work within Central Government Ministries, Departments
and Agencies.
1.2 Legal framework
The Internal Auditing Manual makes use of the following laws, regulations, standards,
and directives, though direct reference to them is encouraged:
Article 2
General Definition of Internal Auditing
2.1
2.2
Review and report on proper control over the receipt, custody and utilisation of all financial resources of the unit;
Review and report on conformity with financial and operational procedures;
Review and report on the correct classification;
Review and report on the reliability and integrity of financial and operational data, so that information provided allows for the preparation of accurate financial statements and other reports for the information of the unit and the general public as required by legislation;
Review and report on the systems in place used to safeguard assets, and as appropriate, the verification of the existence of such assets;
Review and report on operations or programs to ascertain whether results are consistent with established objectives and goals;
Review and report on the adequacy of action by management in response to internal audit reports;
Review and report on the adequacy of controls built into computerised systems in place within the unit;
Respond to ad hoc requests for audit assistance or advice as may be requested by the Accounting Officer or the Heads of Departments of a unit;
Check and report shortcomings in connection with the accounts, finances and related operations of the Ministry, Department or Agency;
Be alert to opportunities, such as control weaknesses, that could allow fraud; where fraud is suspected, the appropriate authorities within the department will be informed.
2.3
2.4
Article 3
Internal Audit Service Delivery Process
3.1
3.2
3.3
Identify the internal audit team and the auditee liaison person
Discuss and agree the role of the auditee's liaison, including identifying available dates and location for the meeting
Obtain, review, and analyze background information by obtaining a copy of the relevant legislation (laws, directives, and internal regulations), guidelines, organisational chart, definition of the posts, delegation of powers, etc.
Perform a preliminary review of the accounting environment, the chart of accounts, the computer systems (the safety and storage of data) to ascertain the reliability and regularity of accounting and financial data:
Assign roles and responsibilities among the internal audit team.
Confirm attendees and mail correspondence to auditee participants
3.5
this stage, the following information should be maintained in our working papers:
Background information obtained about auditee or organisation
Institution's organization chart
Institution's strategic plan
Correspondence sent to auditee participants
Reputation
Technology
Likelihood
High
Moderate
Low
Highly Likely
Systematic
On-going
Possible
Occasional
Unlikely
3.8 Risk Assessment
Risks are events, actions, or inactions that could cause the business objectives not to
be achieved. To mitigate and manage these risks, an organization typically
implements controls and other risk management activities.
Risk assessment is the identification and analysis of risks to the achievement of the
institution's established objectives.
Corporate Management:
Government Agenda:
Citizen focus
Corporate reputation
Political factors
Public expectations
Stakeholder relations
Industry developments
Changing demographics
Globalization
National security threats
Business continuity
Competitive trends
relationships
3.10
Identify both internal and external influences that affect the organization's business objectives, internal audit focus, and critical success factors
Identify the significant risks inherent in the achievement of the business objectives and critical success factors
Identify which process owners to meet with in order to complete the Risk Assessment
Understand the auditee's information technology environment
Understand the auditee's existing risk management process and reporting structures
to management's explicit and implicit control
3.11
For each objective, identify and discuss the critical success factors and how these relate to the major processes.
Identify the key performance indicators used to measure the critical success factors.
Determine how they are used by management to monitor the effectiveness of the process.
Determine the different factors (internal or external) facing the key processes in place.
Analyse the influence of each factor on the process.
A matrix to analyze which processes are relevant to the internal audit focus
3.13
What must go right in order for the process to achieve its objectives? One answer might be: Purchased materials must be paid for within the discount period.
What could go wrong with the process that would prevent the entity objectives from being achieved? One answer might be: Failure to deliver the services within the stipulated time.
How does IT or human resources enable the process and what significant risks exist as a result of these enablers? One answer might be: Unauthorized or uncontrolled access to networks results in service disruption.
Is the process designed to be properly responsive to public and environmental forces (i.e., stakeholder influences or external factors)? One answer might be: Failure to respond to regulatory changes resulting in heavy penalties.
Does the process contain any inherent conditions that may result in a financial or other loss? (e.g., the risks of theft of cash/goods that exists within retailing environment).
3.14 Assessing Risks
Risk is defined as any event, action, or inaction that hinders an organization's
achievement of its business (explicit and implicit) objectives. Risk has two attributes:
cause and effect.
Issues to consider when assessing risks
3.15
3.16 Audit Plan
The audit plan is derived from the developing expectations and risk assessment processes.
Potential processes and areas (e.g. regulatory compliance, system implementation)
that should be considered for inclusion in the audit plan are identified.
Importance of this step
It helps the internal auditors/inspectors to:
3.17 Major Processes
1. Risk Assessment. This is used to:
Develop audit work schedules.
Identify potential auditable activities.
Analyse the significance of the relative risk factors.
2. Auditable Activities. These are identified after reviewing the Ministry's Chart of Accounts and budget.
3. Identification of Relevant Risk Factors. Examples include: competitive conditions, financial and economic conditions, adequacy and effectiveness of the system of internal controls, organizational, operational, and technological changes, competency, adequacy and integrity of personnel, etc.
Audit work schedules
The risk assessment process leads the Head of Internal Audit to establish audit work
schedule priorities. The internal auditing department develops audit work schedules
that include the following:
What is included in the audit work schedule
The Head may adjust these priorities after considering other information such as
coordination with external auditors/inspectors, requests by management and/or the
board.
Annual audit plan
The annual audit plan is prepared based on the risk assessment and is presented in
the standardized format established by the Head of Internal Audit. At the beginning
of the fiscal year, the internal audit department presents the annual audit plan to the
audit committee for approval.
The audit program details each of the audit steps to be performed during the
course of the review.
The Head of Internal Audit or his designee should approve the audit program prior
to beginning the audit work. Any adjustments should also first be approved by
him.
As evidence of work performed, each of the steps in the program should be cross-referenced to the corresponding work paper.
Upon completion of each audit step, the auditor/inspector should initial the audit
program in the appropriate box indicating its completeness. In some cases (when
not readily apparent), the reason for the audit step should be included in the audit
program.
3.18
Are all expectations and coverage issues noted during the co-develop
expectations process appropriately considered in the audit plan?
3.19
It is important for the engagement team to follow all change request protocols to
ensure the proper allocation of resources.
Information to be maintained in the working papers
Article 4
Audit Execution
4.1
When the system design has been documented, evaluated and found to meet the
audit control objectives;
When the control operations to be tested are separately listed on the audit
working papers.
The population;
The population size;
The sample size;
The method of sample selection.
For as long as the system remains the same, the compliance-testing plan can be reused from year to year.
4.2 Pre-Audit Work
The internal auditor/inspector should prepare for the audit visit before commencing
the audit. This provides time for review of the previous year's reports and papers and
such research and information gathering as is necessary to ensure that the team will
be ready to start as soon as they arrive on site.
Typical procedures, which should be included in that process, are suggested below:
4.2.1 Familiarisation
NB: If possible, most of the familiarisation tasks should be made easier by the
maintenance of permanent files of information, so this task might be
incorporated within a single procedure: Review and update permanent file.
4.3 Analytical Review
4.3.1
Compare current year's actual income and expenditure, line by line, with the current year's budget;
Compare current year's actual income and expenditure, line by line, with previous year's expenditure;
For all income and expenditure heads, compare monthly income and expenditure during the current year.
Other analytical techniques include:
Ratios
4.3.2 Examination of trends
The examination of trends may be seen as an extension of the time comparison over
a period of years and may be valid for ratios as well as specific account figures.
Observed trends must be critically examined. Relatively small changes from year to
year may generate little interest but, over a period of years their cumulative effect
may be significant.
As with the other procedures, the information selected for this type of review needs to
be determined by the auditor/inspector using his/her knowledge of the body.
Explanations of any abnormality must be sought by the auditor/inspector for the
procedure to be effective.
4.3.3
4.3.4 Proof-in-total techniques
Proof-in-total is a predictive test used to gain assurance regarding the correct
statement of a financial figure. It is often considered as a substantive test, and can be
used to complement or even replace tests of detail. It is particularly useful where the
expected value of a figure can be calculated based on the prior year value, and
known changes to the composition of the figure.
Proof-in-total involves estimating the value of a figure based on independently verified
audit evidence. As a guide, if the estimate is within 3% of the actual figure, this
provides reasonable audit assurance that the figure is not materially mis-stated.
4.3.5
4.3.6 Assembly of Information
Examine all intelligence information filed since the last audit visit relating to
allegations and current developments in the ministry or department to be audited;
Discuss with officers in the Ministry of Finance their impression of the
performance of the Head of Department in adhering to financial regulations,
specific instructions or completion of returns or other documents;
Establish whether officials in the Ministry of Finance have experienced problems
with the Accounting Officer;
4.4
Pre-audit work: To highlight any specific issues which need to be examined in this audit;
Compliance tests: To form a view about the operation of control. If systems are not reliable then substantive or weakness tests will be required;
Substantive tests: To confirm the correctness of records and documents.
NB:
4.5
Risk:
Recommendation:
Management Response (Please include the proposed date of implementation or a reason for non-implementation):
High
Include in Report?
Yes
Moderate
No
Low
Value
Idea
Order in Report
Reviewed by:
4.6
4.7
4.7.5
Section
Leading Practice
Background
Objectives
Scope
Section
Period
Findings
Recommendations
Signature
Date
Institute of Internal Auditor/inspectors
The time and period audited should be included in the scope statements
Findings are pertinent statements of fact. Less significant findings may be communicated orally or through informal correspondence.
Leading Practice
All reports should indicate the period covered by the auditor's/inspector's procedures
Observation and Risk/Implication is the last section of the report. The heading would include the client name and area or process audited. The business risk identified as a result of the finding should always be listed.
Appropriate sections of the Issue Summary can be copied into the audit report. If the Issue Summary is properly written, the audit report writing process should be streamlined and be more consistent.
Each observation and risk should be listed in the order of importance.
It may enhance the reader's experience if like observations and risks are grouped together under each topic. In situations where the recommendations for several observations are the same, consider grouping the findings together under one topic related to the recommendation.
Bullet points often make it easier for the reader. Numbering of observations and risks (instead of bullets) is not recommended since it is often perceived as a counting of mistakes.
Working papers should indicate that less significant findings have been reviewed with management, noting the date and name of client contact.
The recommendations are actions that management should consider to address audit findings.
Section
Conclusions/Summary
Positive Comments
Management's Response/Action Plan
Institute of Internal Auditor/inspectors
Conclusions are the internal auditor's/inspector's evaluations of the effects of the findings on the activities reviewed. They usually put the findings in perspective based upon the findings' overall implications.
Auditee accomplishments, in terms of improvements since the last audit or the existence of a well controlled operation, may be included in the audit report.
Leading Practice
Title
The titles and headings should be in a larger font than the text.
Table of Contents
Consider using a table of contents when the report is longer than five pages. If
applicable, the index should have the same title as the cover sheet and should
include a list of the headings of each section within the report.
Appendices
Appendices can be used to provide additional information that does not belong to the
body of the report. It may include an overview of the risks examined, ratings
definitions, etc.
Appendices should be used only when needed in order to provide the reader with
required reference material.
Page Numbers
All reports should have page numbers. The report should be consecutively numbered
with the first page number starting after the index.
Unresolved Issues from the Previous Audit Report
Unresolved issues from a previous audit report are treated in the same manner as
other issues identified. Reference should be made to the fact that the issue was
raised previously but remains outstanding.
Issuing a Draft Report
a) Prepare a Draft Report
Prepare a draft report of detailed findings and recommendations. The draft audit
report, including findings and recommendations, typically is only distributed to
process owners. The final report distribution includes executive managemen t and the
Audit Committee. The principal reason for this is that the draft report provides a final
opportunity for:
Management to challenge the accuracy of the issues raised in the report
The engagement team to validate the action plan to address each issue
b) Issue the Draft Report
Issue the draft report in accordance with the agreed-upon distribution.
c) Schedule the Closing Meeting
The closing meeting or exit conference should be held soon after completing the audit
field work.
4.7.6
The engagement team member in charge of the audit project should attend.
Additional staff members can also be asked to participate, particularly when those
individuals have specific knowledge of complex or technical matters that may be
discussed.
b) Discuss Draft Audit Report
Discuss the draft audit report to reach agreement on each of its components.
Specifically, the meeting provides an opportunity to:
Clarify points or issues
Resolve any misunderstandings
Demonstrate the value we have provided
Agree on follow-up activities
Maintain detailed minutes to provide evidence of management's response to the
issues raised. The minutes should be kept in the working papers.
4.7.7
4.8 Communicating Results
At a minimum, executive management and the Audit Committee must formally
review, agree and approve the Risk Assessment and the Audit Plan prior to executing
a substantial portion of the Audit Plan.
Throughout the year, we communicate the status of executing the Audit Plan and a
summary of the results of our audit projects, including significant findings.
Article 5
Working Documentation of an Internal Auditor/Inspector
5.1 Working Documentation
Working documentation is a set of documents prepared by or for the internal
auditor/inspector in connection with the conduct of an internal audit. Working
documentation consists of a constant part and a variable part. The constant part
contains usual data, which are of a historical and permanent nature. The variable part
contains working documents relating to the current year.
The internal auditor/inspector is obliged to document things that are important as
evidence supporting the auditor/inspector's opinion and documenting that the internal
audit has been carried out in accordance with the auditing standards.
How working papers are stored
1. Paper
2. Films
3. Electronic data media
Purposes & uses of audit working papers
5.2
Information about the legal form and organisational chart of the audited organisation;
Extracts or copies of important legal documents, contracts, records, and plans;
Information about the sector, the economic and legislative environment in which the organisation operates;
Evidence of the fact that the internal audit was planned, including the programme of the audit and its changes;
Evidence of the internal auditor's/inspector's decision to carry out an audit and of the conclusions reached;
Analysis of transactions and balances;
Analysis of relations, relationships, and trends;
Records in respect of the nature, time limit, and scope of the audit work performed;
The name of the person who determined the auditing process, including the date;
5.3
Details about the procedures applied during external audit, if an external audit
was conducted in the organisation concerned;
Copies of correspondence between the internal auditor/inspector and other
auditors/inspectors, experts, or third parties;
Letters with statements, made by the management of the audi ted organisation;
A copy of the organisation's financial statement, report of an external
auditor/inspector, report on internal control.
Each working list should contain the name of the area that is audited, the time
limit for the audit, title contents, name of the person who has prepared the
working list, date of elaboration and the index designation of the list;
the working lists are to be indexed marked with cross references enabling rapid
search;
Completed working papers shall clearly document the work of auditors/inspectors.
This can be achieved, for example, by writing a final evaluation of the internal
audit performed (memorandum), with notes on the working list, using symbols
with clear explanations on the working list;
The overall in charge of audit needs to be able to satisfy himself/herself that work
delegated by him/her has been properly performed. He/she can generally only do
this by having available to him/her detailed audit working papers prepared by the
audit staff who performed the work.
The audit working papers provide, for future reference, details of problems
encountered and adequate evidence of work performed and conclusions drawn
there from in arriving at the audit opinion.
Audit working papers should always be sufficiently complete and detailed for an
experienced auditor/inspector with no previous connection with the audit to
subsequently ascertain from them what work was performed and to support the
conclusions reached.
Working papers should be prepared as the audit proceeds so that details and
problems are not omitted.
Audit working papers should include a summary of all significant matters identified
which may require the exercise of judgement, together with the
auditor's/inspector's conclusions thereon.
If difficult questions of principle or judgement arise, the auditor/inspector should
record the relevant information received and summarise both the management's
and his conclusion.
2. Systems File
The systems file can be used to record the way in which the auditee's internal
control and accounting systems operate. Typically, this will be in the form of flow
charts recording each of the accounting areas supplemented, where necessary,
by narrative notes.
3. Current files
The current file will contain all the working papers in relation to the current year's
audit, and these can be quite extensive. A typical format would be as follows:
Indexing Working Papers
The objective is to make it easy for anyone to retrace the steps we took to complete
the audit, and to make working papers easy to locate.
Use the pyramid system: At the base are detailed working papers. As we proceed
to the top of the pyramid, we need to continue to build a supportive base that
meets our audit objective
Each working paper has a unique index
An index is assigned to each audit working paper as soon after its preparation as
is practical. Indexing is used to maintain consistency
Purpose of Cross-Referencing
To indicate where certain numbers or other data originated (i.e. where supporting
detail can be located)
To indicate where various detail amounts have been summarised in the working
papers
How do we Cross-Reference? We cross-reference amounts between two working
papers by placing the other working paper reference next to the number being
cross-referenced. Generally, we try to cross reference our amounts from the detail
working papers up to the summary-level working papers. In this manner,
someone can easily follow our process and flow of information.
It is important that working papers are properly identified. Details should include;
auditee name, a title or description, and the audit period to which they apply.
The proper use of headings is imperative to appropriate identification.
Tick marks are used to indicate the procedures performed on data in the working
papers
Tick mark explanations may be customized by the engagement team and will
always have the same meanings when used throughout the engagement
Other tick marks may be used on working papers. When creating new tick marks,
their explanations should be clear and concise, specifically describe the work
performed, and be fully explained on the particular working paper where they are
used
Tick mark explanations normally include a description of the following:
Evidence examined, findings, and results
Unusual items noted and how they were resolved
Narrative comments
Audit conclusions
We document overall audit conclusions relating to all audit areas we reviewed.
Signing-off
All audit working papers require the sign-off of the preparer and the detailed reviewer
at a minimum and also should document the date of each sign-off.
An Illustrative example of the general index of working papers
General File
WP 1         Internal auditors/inspectors report
WP 2         Exit conference & findings
WP 3         Entrance conference/notification
WP 4         Preliminary survey/planning memo
WP 5         Review & supervision notes
WP 6         Audit program
WP 7 and Up  Evidence working papers
Permanent File
PF 1         Organizational chart
PF 2         Applicable statutes and regulations
PF 3         Internal control information - narratives, flowcharts, questionnaires, etc
PF 4         Description of the accounting records, description of the funds, basis of
             accounting, etc.
PF 5         Departmental mission statement
PF 6         Department budget and other strategy documents
Article 6
Financial Audits
6.1
Introduction
The purpose of this article is to set procedures for conducting a financial audit and
also to provide an overview on major tools to assist an internal auditor/inspector in
conducting an effective financial audit.
6.2
6.3
6.4
6.4.1
6.4.2
6.4.3
6.4.4
6.4.5
6.4.6
6.5.1
Budgeting
Activities involved
The key areas that an auditor/inspector should focus on include budget;
- Formulation
- Approval
- Execution
- Control
Key Control Objectives:
To ensure that;
1. The ministry's budget is prepared in accordance with the laid down regulations
and instructions,
2. There is effective monitoring of expenditure and revenue against estimates
3. The budgetary control is effective.
Key Risks
- Inadequate monitoring and reporting results in overspending and under-
collection
- Government's priority areas may not be catered for as per the set plan.
- Poor quality budget estimates because of the wrong budget estimates being
used.
Important Records needed for the audit
At the start of the audit, the auditor/inspector should request for the following;
1. Approved budget
2. Development Plan
3. Budget Work Plans
4. Vote books
At the start of the audit, the following should be availed to the auditor/inspector;
1. A listing of all funds received from the donors;
2. Copies of agreements with service providers and contractors;
3. Bank statements;
4. Copies of receipts for the received funds;
5. Copies of Accountability Statements;
6. Copies of the agreements that were signed with the donors.
Suggested Sampling
It is advisable to select 100% of all programmes.
Organizational chart;
Revenue registers;
Cash books;
Daily cash and cheque summaries;
Bank statements;
Register of receipt books;
Register of paying-in books.
Suggested Sampling
It is advisable to select 100% of all the previously issued receipt books.
PAYMENTS
Salaries, Pensions, and Gratuities
Activities involved
Under salaries and pensions, the following are of emphasis;
- Appointment;
- Gross pay;
- Salary levels;
- Compulsory deductions;
- Employee Training, etc.
Key Control Objectives
To ensure that;
a) The set procedures are adhered to.
b) The maintained records are adequate and accurate.
c) The right security measures are in place to safeguard monies/ cheques to be paid
out.
Key Risks
1. Failure to comply with the set regulations and guidelines in the recording, paying
and reporting of salaries/pensions.
2. Salaries paid may not be authorised.
3. Incorrect posting of the payments in the ledgers and the cash books.
Non-Wage Payments
Activities involved
Such an audit would focus on;
1. Requisitions
2. Authorisations
3. Local purchase orders (LPOs)
4. Receipt of goods
5. Payment vouchers
6. Payments (cash or cheques)
7. Postings in the relevant books of accounts
Key Control Objectives
To ensure that;
a. All payments are within the relevant approved budgets.
b. The expenditure incurred was approved.
Key Risks
1. Non-existent budget allocation for the payments made.
2. Payment made to wrong persons.
3. Wrong posting of payments in the cash book.
4. Payment vouchers may not have supporting documents.
Important records needed for the audit
The auditor/inspector should request for the following documents at the beginning of
the audit;
a) Cash book;
b) Requisitions;
c) Copies of bank payment instructions;
d) Local purchase orders (LPOs)
e) Goods received notes;
f) Accounting records;
g) Stores records;
h) Approved signatories lists;
i) Listing of all the approved suppliers and contractors
Personal advances;
Administrative advances.
Advance register;
Cash book;
Payment vouchers for advances;
Advance account ledger.
ASSETS
Non Current (Fixed Assets)
Activities involved
This focuses on assets like;
- Land
- Buildings
- Roads and bridges
- Machinery and Equipment
- Furniture and fixtures
Key Control Objectives
To ensure that there is adequate management of all categories of fixed assets.
Key Risks
1. Poor control over the management of the assets.
2. Poor maintenance of the assets.
3. Breach of policies concerning the acquisition and disposal of assets.
Asset register
Title deeds and registration documents
Cash book
Payment vouchers
Policy concerning acquisitions and disposal of assets
Suggested Sampling
Select all assets acquired during the financial year.
Audit Programme - Non Current Assets (Fixed Assets)
Treasury management;
Cash and bank balances;
Cash book operation
Suggested Sampling
Select 100% of bank accounts
LIABILITIES
Trade Creditors and Accruals
Key Control Objectives
To ensure that there is proper and correct recording of creditors and accruals.
Key Risks
1. The recorded creditors may not represent all the amounts due to third parties.
2. Inaccurate stating of creditors and accruals.
Important records needed for the audit
The auditor/inspector should request for the following records at the start of the audit;
a) Accounting records
b) Schedule of trade creditors and accruals
c) Commitments register
d) Age Analysis
e) Annual Accounts
Borrowings/Loans
Key Control Objectives
To ensure that;
a) Loans have correctly been recorded in the balance sheet.
b) The loans have been obtained in accordance with the relevant laws.
Key Risks
1. The correct procedure was not used when obtaining the loan.
2. Under declaration of the loan amounts received.
3. Wrong postings in the financial statements.
4. Non compliance with the loan terms.
Loans register
Accounting records
Loan agreement
Commitments register
Loans ledger
Audit Programme-Loans/Borrowings
Article 7
Audit Inspection
7.1
Introduction
This article provides the Inspector / the Auditor with an overview of the theoretical
assumptions concerning the execution of an inspection in the public administration.
The objective of the audit inspection is to determine how well financial transactions
and/ or operating controls conform to established laws, standards, regulations and
policies and procedures. It is against this background that the inspector MUST first
identify and obtain all the applicable standards, regulations, policies and procedures.
S/he must then read and understand them prior to undertaking an inspection.
7.2
7.2.1
Mandate:
Public Finance and Accountability Act 2003 mandates Ministry of Finance to inspect
Local Governments, Central Governments and other entities to ensure that the funds
released to them are used for the purpose for which they were appropriated and
properly accounted for.
PAF Inspection is carried out to control, monitor and evaluate the performance of
Local Governments. Inspection promotes standardization, uniformity and consistency
in the implementation of Government policies and programmes for improved service
delivery across the Local Governments. It helps in determining adequacy of internal
controls, the accuracy and propriety of transactions, safeguard and accountability of
assets and level of compliance with Government laws, regulations and procedures.
7.2.2
7.2.3
f) Reporting to the PS/ST, D/ST, DB, AG, and other relevant authorities of the
findings
7.2.4
Health
Education
Roads
Production
7.2.4.4
Staffing levels
7.2.4.5
Establish the number of staff on professional training and those who have
completed
Check on staff deployment.
Programme implementation
While at the departments, randomly identify the projects to inspect (Emphasis
should be given to projects far away from the district headquarters)
The following should be inspected (At least 3 sectors should be inspected in a
quarter)
7.2.4.6
A)
Education/UPE Schools
Class room construction
Pupil enrolment levels
Staffing levels
School records
B)
Health Centres
Constructed health centres: check whether the buildings are of quality to
match the money budgeted and paid
Availability of health workers
Availability of records, i.e. inventory records, books of accounts, etc.
C)
D)
Roads
Inspect road constructed
Check whether drainage has been provided for
Maintenance of existing roads
E)
Production
Check whether extension workers are in place
Look at the reports of the extension workers
Look at the projects worked on and their impact on areas where they have
been implemented.
F)
LGDP
Check on LGDP funds received
Check how the LGDP funds have been allocated
Check on LGDP expenditures and accountability
Confirm whether the above books of accounts have been checked and verified by
CFO and the internal auditor/inspector.
7.2.4.7
Revenue recording
Obtain sources of locally raised revenue and
Confirm if all local revenue estimates are shown in the revenue register in
accordance with Financial Regulations.
Establish if the revenue collections are periodically reconciled or registers
updated
Establish whether the arrears of revenue are recorded and summary submitted
to the Executive Council for appropriate action.
7.2.4.8
Cash books
Confirm consistency of opening and closing balances
Confirm whether they are reconciled to bank statements regularly
Check for the arithmetic accuracy of the balances
Check for any unusual items
Confirm that each account has a separate cash book
7.2.4.9
7.2.4.10 Ledgers
Check whether ledgers are in place
Ledgers should be updated monthly
Check for arithmetic accuracy
Check the ledgers against the abstracts to ensure that the figures reconcile
7.2.4.11 Accountability
Check for:
Compliance with accounting procedures, guidelines and regulations.
Transparency in expenditure framework
Accuracy and completeness in transactions
Audit queries raised and responses to them
Whether the figures in the returns submitted tally with the ledgers, cashbooks
and abstracts
7.2.4.12 Expenditure returns
Check whether they are comprehensive and timely prepared
Do they comply with recommended formats?
7.2.4.13 Remittance of taxes to URA
Confirm whether the district deducts PAYE and withholding tax from employees
and suppliers
Check whether all taxes deducted have been remitted to URA
7.3.1
Releases (RBCs)
Audit Objectives
- To establish whether releases (RBCs) are receipted and accounted for monthly
(monthly returns)
- To ensure that releases are as per the approved budget with the exception of
special and supplementary releases.
- To ensure that amounts released are actually remitted and received.
- To ensure that all payments made were authorized.
- To ensure that funds released were put to the purpose intended and properly
accounted for.
- To ensure that payments for salaries, FSA and other allowances to Mission staff
are at the approved scales/rates.
- To ensure that all home based Foreign Service officers recalled or who retire from
service are deleted from the mission's payroll promptly.
- To ensure that all rent payments for Foreign Service officers are properly
supported with tenancy agreements and acknowledgement receipts from the
landlords.
Assertions
Authorization
Completeness
Occurrence
Measurement
Error Conditions
Audit Tests
a) Obtain copies of the budget, releases, remittance advice and mission bank
statements and reconcile. Note any discrepancies.
b) Vouch / examine the monthly returns to ensure that there is proper accountability
of funds released.
c) Check whether the funds were put to the purpose for which they were
requisitioned and note any reallocations.
d) Check whether salaries, allowances and FSA to home based foreign service
officers were at the authorized rates/ scales
e) Check whether all rent payments were supported with tenancy agreements and
acknowledgement receipts from the landlords.
f) Confirm whether officers recalled or those who retire from service are deleted
from the mission's payroll and all their entitlements from the Mission's funds
cease immediately.
g) Confirm whether payments made to facilitate officers at the mission conform to
the standing orders for Foreign Service.
h) Confirm whether the Mission's contracts committee handled all procurements and
disposals at the mission. Minutes and other correspondences should evidence
this.
i) Check whether all payments made were initiated and authorized.
j) Confirm whether there was compliance with the TAI, Public Finance and
Accountability Act, Public Procurement and Disposal Act plus other Government
regulations and guidelines in the processing of transactions.
k) Check whether the engagement of local staff was competitively done and whether they are paid
according to the established local terms of service.
l) Confirm whether funds advanced to officers while on official duties were properly
accounted for.
m) Others (please specify).
7.3.2
Completeness
Measurement
Occurrence
Error Conditions
Audit Tests
a) Ascertain details of all sources and rates of revenue to the mission (i.e. visa,
passport, rent etc).
b) Compare revenue returns with the general receipt books, revenue cash books,
revenue abstracts, and mission bank statements.
c) Obtain details of general receipt books issued by the Treasury to the missions
and compare with the serial numbers used. Investigate any discrepancies.
d) For Mission confirm whether visa stickers are in use as opposed to Visa stamps.
e) Ensure that separate bank account (s) for NTR is/are maintained and regularly
reconciled
f) Check whether all collections were banked intact.
g) Ask for proof of remittance to Treasury (i.e. T.T forms and general receipts issued
by the Treasury).
h) Investigate any discrepancies between NTR collected and remitted to the
consolidated account.
7.3.3
Government Assets
Audit Objectives
- To ensure that all government assets are acquired only with proper authority
- To ensure that all government assets are properly maintained and used only in
the execution of government business
- To ensure that all government assets are accounted for, labeled and recorded
(assets register)
- To ensure that disposals of government assets are properly authorized.
- To ensure that there was adherence to the Public Procurement & Disposal Act in
the acquisition & disposal of Government assets
Assertions
Existence
Completeness
Measurement
Ownership
Error Conditions
Audit Tests
a) Obtain a fixed asset register of all high value government assets
b) Confirm existence by ascertaining the physical location of all high value
government assets
c) Ascertain ownership of high value government assets by inspecting the logbooks,
land titles/leases, purchase agreements, etc.
d) Trace some high value government assets to the fixed asset register
e) Check/ reconcile stores ledgers with physical items in the store.
f) Where there were disposals, scrapping, etc. check whether it was subjected to
established government procedures on disposals.
g) Check the physical conditions of the assets and their current state to establish
whether their maintenance, handling and storage are appropriate.
7.3.4
l)
Check whether the figures appearing in the financial statements agree with those
in the already checked ledgers.
m) Check whether the necessary footnotes were included in the final accounts.
n) Check whether the accounting officer signed all the financial statements.
7.4
7.4.1
Revenue
The objective of inspecting revenue is to ensure that all moneys due to the
government are properly and promptly collected, recorded, safely kept and banked as
soon as possible so as to minimise losses. It is the duty of accounting officers to
ensure that the above is implemented through instituting the necessary procedures
and controls.
This checklist provides guidelines in inspecting revenue collections in general and
can be easily adopted to help the inspector in checking the appropriation-in-aid (AIA).
Remember that it should serve as a general guideline. Inspectors will have to modify
their inquiries depending on preliminary findings and the nature of the institution that
they are inspecting. They do not have to follow the check list in its entirety but should
pick those areas that are crucial depending on the institution's controls and
experiences of the previous inspections.
Any unusual answers or findings to questions in the above checklist should call for
further investigation and satisfactory explanations thereto should be sought.
Inspection Reviews (checklist columns: Matters Arising, Implication, Management Response)
Bank accounts
For each ministry, agency or institution, check the
following:
Number of bank accounts maintained
for each of the accounts find out the following:
current balance
Are the collections banked intact
Internal control
Check to ensure that the following functions
are carried out by different officers, where
possible
opening of mails
recording of collections
banking of collections
bank reconciliations
7.4.2
7.4.3
Bank Reconciliation
The purpose of bank reconciliation is to agree the balances of cash in the cash book
and at the bank and to ensure that all transactions relating to cash are captured and
appropriately recorded. In this process it is therefore necessary to compare the
transactions in the ministry cash book with those of the bank account at Bank of
Uganda or any other bank where the account is kept and make sure that they are in
order. It is necessary to investigate the nature and content of those transactions that
appear at the ministry and not at the bank and vice-versa. After establishing the
authenticity of the transactions, necessary accounting entries should be made.
Bank reconciliation is one of the control measures used to ensure that cash is not lost.
It has to be carried out regularly, preferably monthly. The exercise should not be
turned into a mechanical one; all transactions should be examined and any unusual
circumstances should be followed up immediately to ensure that if there are errors,
their nature and causes are established and remedial action is taken immediately.
This is necessary because cash is a fluid asset which is easy to pilfer.
Direct Credits:
these also originate from the bank
is the bank contacted immediately for their details
nature
origin
authority
etc.
are they due to errors, if so, has the bank been
approached to correct them
are they recorded immediately in the cash book
is supporting documentation obtained and filed
Un-presented cheques:
Are they listed each month
is the list checked for accuracy
are those that have taken long to clear
investigated
do they include those that have not been collected
are uncollected cheques re-banked
Outstanding deposits:
are the details of these regularly examined
are they followed up to make sure that they are
subsequently banked
is there a mechanism to ensure speedy banking of
collections
are the delays in bankings intentional, are there
any ascertainable trends
Any unusual answers to any of the questions in the above checklist should be
thoroughly investigated and relevant explanations and information obtained if it is to
be assumed that there is nothing amiss. Any identified problem areas should be
discussed with the accounting officer and remedial action should be agreed with him
and be implemented.
7.4.4
An inspector will therefore check the budget lines of each vote to ensure that what
has been expended is in line with the Appropriation Act details. Budget control
concerns itself with the management of budget allocations. To ensure that this is in
order an inspector will check the following:
Inspection Reviews
Vote books:
does the ministry maintain a vote book
are the postings to it up to date
is it accurately posted
is it checked regularly by a senior officer
Budget lines:
are these specified
are they given the right codes
are their appropriations reconciled with those
posted to the vote book
are they monitored
has there been a reallocation of funds - has it
been authorised
are they updated with any supplementary
are any budget lines over committed, and if so
have they been reported to the proper authority
Payment vouchers:
are they properly
dated
authorised
coded
filled in
are they accompanied by proper supporting
documents
are some of the supporting documents
photocopies
how is their authenticity established
are suppliers obliged to pledge indemnity to the
ministry in cases where photocopies are accepted
as supporting documents
are payment vouchers bearing a date later than
purchase orders and/or invoices
are payment vouchers properly posted to the vote
book and ledgers
are they properly filed for future reference
Appropriation-in-aid (AIA):
has it been authorised in the budget
has it been properly recorded
is it monitored
has it been overspent
Prepayments:
are any payments made in advance
are they posted to a register opened for this
purpose
who approves these payments - does he have
that authority
7.4.5
7.4.6
Payroll
This is another of the problematic areas in the quest to control public funds. It is
common to be told that there are ghost staffs on the payroll of ministries and
departments. It is therefore imperative that inspectors thoroughly review all
transactions associated with the payroll.
These are basically to ensure that staff are paid the correct salaries, on time and that
proper deductions are exacted from those salaries and are remitted to the
beneficiaries on time. The check list below should assist an inspector in this regard:
Inspection Reviews
How are staff put on or off the payroll
who has that authority
are staff numbers properly controlled for issuance
is his authority free from corruption when it is
transmitted
does he get feedback by way of report to cross
check and ensure that staff put onto or off the
payroll agree with his original authority.
Staff cards
are these maintained
are they regularly updated
are they kept safely to ensure no unauthorised
amendments
do they contain relevant and crucial data e.g.
name of staff
staff number
date employed
date promoted
basic pay
allowances
permanent deductions
Are staff on payroll compared with the relevant
establishment positions
Are salary payments in agreement with appropriations, if
not what are the reasons
Are the right codes used to classify and post salaries
Are computations checked for accuracy
are unusual payments investigated for accuracy
and authority
are leave payments/entitlements approved and
monitored
are any changes to pay checked for accuracy and
authority
are differences in total salary payments between
different months investigated
Are staff advances properly authorised and followed up
for recovery
Are non acquitted advances recovered from staff
entitlements/ salaries
Is a payroll register produced as an offshoot of salary
processing
is it checked for accuracy
filed for future reference and comparison with
payrolls of previous or subsequent months
Are salaries paid promptly and to the right staff or their
bank accounts
do staff sign for all salaries collected in person
(cash or cheques)
is their identity verified
Are uncollected salaries kept safely and re-banked if not
collected by staff within a reasonable time.
7.4.7
Project Accounts
Projects are common in all ministries and departments in Uganda. It is important to
ensure that the accounting records of these projects are appropriately maintained to
the expected standards of government, donors and other stakeholders.
Projects are usually set up as a result of some agreement. The operation of the
project and its accounting records should be guided by the contract. An inspector
should always make sure that before he carries out an inspection, he is fully
conversant with the terms of the contract.
The inspector should use the following check list when planning an inspection of a
project:
7.4.8
Public Debt
The government of Uganda's public debt accounting records are maintained in the
treasury department. One of the divisions of the treasury department is charged with
the responsibility of maintaining accounting records of the government public debt,
loans and grants. Public debt, loans and grants are a major component of the
government annual budget. It is therefore imperative that their records are properly
maintained.
Inspectors should therefore once in a while check the accounting records of the
public debt division within the treasury department. A distinction should be made
between loans, public debt and grants. Public debt refers to government borrowing
within the economy; loans usually refer to money borrowed from overseas; and
grants are donations, usually from overseas.
An inspector should use the under mentioned check-list whilst planning an inspection
of the public debt division.
7.4.9
For purposes of this manual, stores do not include fixed assets. Fixed assets
are handled in the next module.
In planning an inspection of stores, an inspector should refer to the following check
list. The check list looks at the procurement, receipt and storage, issuance, and record
keeping and reporting for stores. In all these steps it should be ensured that stores
are safeguarded and losses thereof are minimised.
Inspection Reviews | Matters Arising | Implication | Management Response

Stores procurement
- Who places the orders?
  - Are they in conformity with regulations in terms of:
    - size of the order
    - where to order from (suppliers)
- Who initiates the order? Is it cross-checked?
  - Is the budget line checked for availability of funds?
  - Is the store checked to find out stock levels?
- Once goods are received:
  - Are they checked against the order?
  - Is their condition established?
  - Is a receipt issued?
  - Are the stock records updated?
- Are purchases made on time?
- Are they made through the relevant specialist agencies?
- Is there an officer responsible for procurement?
  - How does he relate to other staff?
- What is the procedure for handling overseas purchases?
- Are local purchase orders utilised?
  - To whom are copies of these forms sent?
- Is there a file of financial delegates?
- Are tenders advertised, if they are within the required values?
- Is the tenders board in place?
- Are purchases for outstations properly handled?
- Are staff availed guidelines to assist them in purchasing?
  - where to buy from
  - who should authorise what amounts
  - list of approved suppliers
  - purchases from overseas or from in country
- If tendering is involved:
  - Were tenders properly advertised?
  - Were applications properly received and evaluated?
  - Was a meeting appropriately held?
  - Were the results communicated?

Stores Issuance
authorising payments
Stores Records
- Does the store keep records?
  - Are the records up to date?
  - Are they checked regularly?
- Are stores receipts and issues posted immediately and balances determined?
- Are corrections appropriately initialled?
- Ensure all procedures are properly recorded.
- If contracts are involved:
  - are they properly tendered
  - registered
  - payments certified
  - necessary guarantees obtained
  - retention moneys held until the completion and review of the contract for quality of work certification
The above check list should assist an inspector to plan the inspection of fixed assets.
It is imperative that a fixed assets register is maintained as a basis for monitoring and
safeguarding the fixed assets.
Annual Accounts
All ministries and institutions that receive government funding are supposed to lodge
their annual accounts with the Treasury Department. All Accounting Officers are
meant to submit to the Commissioner, Treasury Officer of Accounts and the
Auditor/Inspector General signed statements which include: a balance sheet,
summary of revenue and expenditure and a statement of contingent liabilities. More
statements which are to be lodged at year end are specified in the Treasury
Accounting Instructions. In order to be able to produce the above accounts and
statements, the accounts, books, ledgers and bank accounts are closed, the necessary
reconciliations carried out and trial balances extracted.
It is the duty of the inspectors to ensure that the records and books are properly kept
throughout the year to enable extraction of trial balances which will be used to
compile the accounts and statements. The format of the accounts and statements is
specified in the Treasury Accounting Instructions and this should strictly be adhered
to.
The accounts and statements on being received by the Commissioner, Treasury
Officer of Accounts should be checked for accuracy and completeness before they
are consolidated and submitted to the Auditor/Inspector General's office.
7.6
The inspector will need to be familiar with the accounting system. He will have to
know its component parts; the source documents; the processing and the reports it
produces. The source documents and the reports are generally not problematic
because these can be seen. However the processing of the data takes place within
the machine and it is not visible. The inspector should therefore seek assurance that
what comes out of the machine is what he expects.
He will be able to get that reassurance if he knows the various components of the
accounting system. The system will usually consist of a general ledger, cash book
and several other sub-components, e.g. payroll, inventory, fixed assets, etc. The
system should be documented and it should have user manuals. The inspector ought
to be able to understand them. He should request the accounts and data processing
staff to help him understand the system and how it operates. It is only after he has
acquired this understanding that he can carry out meaningful inspections.
Article 8
Performance Audits
8.1 Introduction
8.2 Definitions
The INTOSAI auditing standards define performance audit as an audit of the
economy, efficiency and effectiveness with which the audited entity uses its
resources in carrying out its responsibilities.
INTOSAI standards state that performance audit is an:
a) audit of the economy of administrative activities in accordance with sound
administrative principles and practices, and management policies;
b) audit of the efficiency of using human, financial and other resources, including
examining information systems, performance measures and monitoring
arrangements, and procedures followed by audited entities for remedying
identified deficiencies;
c) audit of the effectiveness of performance in relation to the achievement of the
objectives of the audited entity, and audit of the actual impact of activities
compared with the intended impact.
Performance auditing is an independent examination of the efficiency and
effectiveness of government undertakings, programs or organizations, with due regard
to economy, and the aim of leading to improvements.
It does not have its roots in the form of auditing common to the private sector. Its
roots lie in the need for independent, wide-ranging analyses of the economy,
efficiency, and effectiveness of government programs and agencies made on a non-recurring basis.
8.3
8.3.1
8.3.2
8.4
8.4.1
8.4.2
Could the project have been implemented in another way which could have
resulted in lower production costs?
Are the working methods the most rational ones?
8.4.3
8.5
Has the goal been achieved at a reasonable cost and within the set time limit?
Was the target group defined correctly?
Are the objectives of managerial policy being achieved with the means used, i.e.
are the predicted results being obtained?
Are the means used and the results obtained compatible with the objectives of the
managerial policy?
Does the predicted impact represent direct results of the managerial policy rather
than one due to other circumstances?
8.6
8.6.1
Common Provisions
There are common provisions related to:
-
8.7
8.7.1
Even though these steps constitute the performance audit methodology, it must be
stated that a performance audit must also always be based on such issues like
individual insight, experience, imagination and creativity.
8.7.2
This defines the department's performance audit programme and priorities and
the necessary personnel and resources.
It is founded on a good knowledge of audited fields, the changing environment
and the opportunities presented to the department.
8.7.3
It needs to be flexible enough to allow new topics that emerge during the year to
be introduced.
Unlike a financial audit, which aims to reach an opinion on the completeness and
accuracy of financial statements and the legality and regularity of underlying
transactions, with performance audit the audit institution is free to choose the
audit topics and audit objectives.
The auditors/inspectors must also seek to identify the main sources of audit
evidence.
To obtain the information and understand the entity/activity/project, the
auditors/inspectors will refer to the financial audit reports and working papers, the
static plans of the entity, the business plan, the government and entity
publications, reports of previous audits, and any research from the academic
world.
The information obtained may be summarised in a standard document called a
programme analysis*. The programme analysis includes the following rubrics:
objectives, inputs, processes, outputs, variables, and outcomes.
8.7.4 Selecting topics
To better deal with this, the auditor/inspector should ask the following questions;
Was the programme well implemented?
Were the objectives achieved?
Are the economy, efficiency and effectiveness at risk?
Will the study contribute something new to improving performance?
Is this the appropriate moment to perform the audit?
Is it possible to perform the study?
8.7.5 Setting priorities
The main criteria that underlie the priority of a matter are:
The responsibility towards the parliament and the citizens
Improving performance auditing.
Provide a balanced programme of performance audit.
8.7.6
8.7.7
8.8
8.8.1
8.9
The auditor/inspector formulates the audit objectives, i.e. the stated results of
effects of the study and may revise the main questions formulated in the
selection stage.
The audit objectives should improve the performance,
Questions are determined by the nature of topic and by the audit objectives.
The situation-complication technique is used to clarify the main questions of
the audit.
The term situation defines a brief description of the main study topic, including
the objectives of the audited programme or activity.
The term complication defines the problem or the problems arising out of the
situation, and is the reason for the study.
Example 1:
Situation
Complication
8.10 Hints
It is necessary:
- to formulate questions in a logical and strict succession:
  - in a logical order: "Were the acquisitions well planned?", "Were they well done?",
    "Was the contract executed?";
  - in a structured order: "Is department A efficient?", "Is department B
    efficient?", "Is section C efficient?", etc.;
- to abandon unessential questions;
- depending on objectives: "Are social indemnities paid to the right people?", "Are the
  stated quantum paid?"
Example
Main question: Can the purchasing of a new informatics system assure the
performance?
There are three secondary questions:
1. Did the entity make the acquisition according to the regulations in force?
2. Does the informatics system satisfy the needs of the users at a reasonable cost?
3. Did the entity survey the observance of the contractual clauses by the supplier?
Secondary question (level 2), "Does the informatics system satisfy the user needs
at a reasonable cost?", may be divided into three further secondary questions:
2.1. Were the requirements for the system clearly formulated from the beginning?
2.2. Do the contractual clauses concerning the service comply with the
requirements?
2.3. Was a good price obtained?
The secondary question (level 2.3), "Was a good price obtained?", is divided into
three further secondary questions:
2.3.1. Was there a correct competition for the contract adjustment?
2.3.2. Was the competition maintained during all the contracting process?
2.3.3. Were the different forms of public acquisitions taken into consideration?
8.11 Identifying criteria
These are the standards used to judge (evaluate) the performance achievement.
Auditors/inspectors should verify that the criteria are:
Reliable
Reasonable
Tangible
Valid, and
Based on authorised sources
The auditor/inspector should consider both the quantitative criteria (numerical) and
the qualitative criteria (good practice in a certain field).
8.12
Identify, collect and analyse audit evidence related to the inputs, process
description, outputs and effects, and to the public perceptions or opinions (for
instance public opinion about public services).
Collect audit evidence to answer the lowest level questions,
Take into account any limits that they can find in formulating conclusions.
Audit evidence is only reliable if the information and data obtained by the
auditors/inspectors is:
Sufficient
Appropriate (in order to achieve the audit objectives)
Objective
Reliable
Audit evidence from sources external to the audited entity is much more
consistent than evidence from inside the entity;
Audit evidence obtained as documents is more consistent than verbal (oral)
evidence;
Audit evidence directly obtained by the auditor/inspector is more consistent
than that indirectly obtained;
Oral audit evidence corroborated with written evidence is much more consistent
than isolated oral audit evidence;
The corroboration of evidence obtained is a secure technique to consolidate its reliability;
Original documents are more consistent than copies, but if the original
documents are copied by the auditor/inspector, then he must note the source and
the date of the photocopy.
d) Analytic evidence
Obtained by verifying the explanation and the analysis of data related to the
activities on implementing a programme by the audited entity.
The analyses mainly suppose: assessments (evaluations) of indices and
trends obtained from the audited entity and from other sources. Logically
these indices and/or trends are compared to the recommendations of
standards applicable in the field or of certain technical guides (if the case
stands).
Usually numerical (i.e. assessment of the result of using resources or the ratios
of budget expended), but they may also be non-numerical (i.e. noting a growing
trend of a certain type of contestations in the audited entity).
Visiting the locations of the audited entity in order to analyse the different
documents existing in files or to perform interviews with key persons.
Sending letters or addressing questionnaires that include a list of questions on the
audited matter.
Analysing a representative sample.
Analysis of files
The auditor/inspector should use professional reasoning when choosing the most
appropriate methods and techniques to obtain audit evidence.
Analysis can be by:
Observation
By studying the general behaviour of the entity personnel one can obtain
information related to:
sensitive problems,
the management ethics and
the relationship between the entity personnel and the public/beneficiaries of
public services.
Using Questionnaires
8.13
8.14
This shows the motivation and the procedure that the auditor/inspector intends to
use to perform the study.
8.15
Entity
Were tenders invited to send offers?
Was the specification drafted?
Contract
A
B
C
X
X
E
X
The auditors/inspectors start their interpretation using a procedure that takes into
consideration four main elements:
The auditors/inspectors must identify and analyse the most important effects,
which they will compare to the costs and benefits of programmes or with other unintended
effects.
The auditor/inspector can phrase a conclusion if he finds out that the cause and
the effect appear recurrently while implementing a process or carrying out an
activity.
Usually, one or more findings can sustain one conclusion, and one or more
conclusions ground a recommendation.
If auditor/inspectors find out that the cause and the effect are recurrent, they must
formulate conclusions and recommendations. Generally, the findings sustain
conclusions, and one or more conclusions are the basis to formulate a
recommendation.
8.16 Documentation
The auditors/inspectors have to appropriately document audit evidence (the results of
the analysis) in order to sustain conclusions and to confirm that the audit was
performed according to the standards of performance audit.
Appropriate documentation is important if we take into account that it:
assures the recording of the activity carried out for further reference;
8.17
8.18 Reporting
Audit findings considered relevant for the report consignees and users;
Conclusions on the audit objectives;
The recommendations, logically based on the conclusions.
Article 9
Systems Audit
9.1
9.2 Basic Terminology
Adequate control and management mechanisms are in place if the management
plans and organises in a way that would provide an adequate certainty that goals and
objectives of an organisation shall be achieved in an effective and economic way.
The process of establishing the systems starts by setting goals and objectives.
Mutual links of the concepts or people operating together follow so that the goals and
objectives set are achieved. If the system project is correct, activities should be
implemented according to the plan and the results envisaged should be achieved.
Adequate certainty is in place if the adequate measures are adopted to limit biases
and deviations down to the tolerance level. That means that while projecting the
systems the management shall consider the ratio of the resources spent to the
benefit to be achieved. The term adequate certainty shall mean that the absolute
certainty can not be ensured by internal control, yet the procedures are in place that
are as efficient as possible, to handle the risks adequately.
Performance shall indicate that the scope of internal control is very broad and that it
refers not only to financial aspects but also to the quality of financial information,
organisation's growth, improving its profitability or efficiency at the costs as low as
possible, improvement of social environment, etc. In such a case, it is not a mere
adherence to legislation or internal rules of organisation but specific measures
adopted to ensure protection of organisation against any impact, threat or hazard of
any type.
Potential loss associated with any demonstration of risk; measured by costs needed
to make the risk under control.
Effective performance shall mean to achieve goals and objectives accurately and
on time with minimal resource spending.
Economic performance shall mean to achieve goals and objectives at costs
proportional to the risks. Economic performance aspect also shall be included in the
term effective.
internal standards for measuring the economy and effectiveness have been set
internal management acts established have been understood correctly and are
followed, whether or not any deviations have been identified, analysed and
communicated to people responsible for their remedy
9.4
Objective of the internal control system is to detect any deviations from the goals set
by organisation and minimise any potential surprise. Furthermore, control enables
management to face any potential risks within speedy development of economic
environment and competition, guarantee stability (reliability) of financial conditions
and adherence to legislation. In the framework of internal control system anybody in
the organisation has responsibilities. All employees play some role in activities
control, resource spending and way of how their particular work is carried out. Staff,
at large, has to be responsible for any of the problems at work, any non-permitted
deviations from standard or breach of legislation or activities concept to be
communicated.
Within the overall system audit execution one of the crucial aspects is to evaluate
internal control system. Following should be taken into account by the
Auditor/inspector:
Since the internal control system is a process, its efficiency shall mean a state at a given
moment in time. The role of an Internal Auditor/inspector is to assess all components
of internal control as follows:
planning
performance
monitoring
Internal control shall be a part of the processes above and shall be integrated in
them, assisting to their adequate operation, monitoring and applicability at any time. It
shall mean a helpful management tool, however it shall not replace it.
Internal control system is linked with operative activities of an organisation. Internal
control shall be much more efficient if included into the infrastructure of an
organisation and constituting thus part of its heart of the matter. It must be
incorporated not only by its formal inclusion. Internal control inclusion may affect
directly the ability of an organisation to achieve its objectives and at the same time
support its initiatives from the quality perspective.
Considering the control concept the objectives are classified as follows:
1. Efficiency and effectiveness of operations - shall mean that resources to protect
property (assets) shall be assessed and economy and efficiency of resource
spending evaluated.
2. Reliability of financial statements shall mean assessment of reliability and
integrity of financial and operational information.
3. Compliance with valid legislation and regulations shall mean that systems to
ensure compliance with main principles, regulations, etc. shall be assessed.
Internal Control Assessment
Justification of assessment by an internal auditor/inspector
- no audit of operations that would be really detailed can be conducted, nor can a
  sufficiently representative sample of such operations be taken, except for
  very small organisational units
- an opinion that all entries have been made in the accounting books cannot be
  made without relying on internal control procedures
- some of the verification tests of operations can only be conducted if an Internal
  auditor/inspector adopts procedures enabling him/her to assess the correctness of
  documents which may be presented to him/her
- managerial employees cannot verify by themselves that relevant procedures and decisions
  have been applied
- many of the procedures which are not of a strict accounting nature contribute to the
  reliability of financial statements
Assessment Criteria
Assessment has to be conducted in phases:
delivery
invoicing
payment
reliable partners for discussions have to be selected, who are familiar with
procedures to be verified
too much detail has to be avoided. However, more time shall be needed to
produce such description which may become a barrier for acquiring sufficient
overview on the matter
9.5 Audit of Operations
This type of audit action can be described as a formal and systematic verification
conducted by qualified professionals to identify to what extent an auditee
accomplishes particular objectives set by management and to find out room for
improvement. Therefore within the audit of operations an in-depth study of an auditee
is to be conducted focused either on a particular department and function or on
activity, methods, systems and utilisation of equipment and human resources.
Objective is to assist management to achieve more efficiency through detecting
defects or irregularities and recommending appropriate measures which must be
feasible in the context of organisation's objectives and policy.
Audit of operations must be an independent and objective exercise implemented by
staff specialised in the field of audit, and according to the goals set before. It may be
a survey of sets of auditee's activities or functions, and/or part of them, while the
current level of internal control and adequacy of procedures and systems applied in
an audited area are being verified.
Comparison of audit of operations with financial audit
There is a whole bunch of similarities between financial audit and that of operations. In
the essence, one can say that both of them represent a need to say some opinion
backed duly and based on facts detected and formulated from the position which
does not depend on auditee's functional structure. Within an Internal Audit methods
and procedures are assessed from the perspective of compliance with some
requirements and principles, however not from a perspective of person concerned.
Financial audit and that of operations meet frequently in using accounting as an
information and verification resource. Anyway, what distinguishes these two audits is
the objective.
any resource wasting and whether or not control mechanisms are in place to
prevent from the wasting
whether or not unnecessary expensive equipment is used
any labour force wasting in units or at operations
To expand the audit of operations would mean that the following factors that become
subject of auditor/inspector's interests are reflected:
Core of the internal audit is related to the audit of operations where the objective is to
enhance efficiency of organisations. Audit of operations is to verify whether or not an
auditee carries out the activities properly, using a proper way, in a cost-effective
manner, whether or not an auditee behaves in an ethical way and has responsible
Article 10
Information Technology Audit
10.0 Introduction
Information and the technology that supports it represent the organisation's most
valuable assets. In today's rapidly changing environment, management have
heightened expectations regarding IT delivery functions: management requires
increased quality, functionality and ease of use, decreased delivery time and
continuously improving service levels, while demanding that this be accomplished at
lower costs.
There are numerous changes in IT and its operating environment that emphasise the
need to better manage IT related risks. Dependence on electronic information and IT
systems is essential to support critical business processes. Additionally, the
regulatory environment and best practices call for stricter control over information and
IT due to the increasing disclosures of information system disasters and increasing
electronic fraud. The management of IT related risks is now considered as a key part
of an organisation's governance. The onus is on the internal auditor/inspector, to plan
and adequately review IT systems in use and report to management on IT risks and
how to mitigate them.
Many Ministries, Government departments and processes, etc are increasingly
becoming computerised. The Ministry of Finance, for example, has implemented the
Integrated Financial Management System (IFMS) to improve on the quality of
financial management and decision making. Automation, however good, comes with
specific risks. Specifically, it replaces manual processes and controls (checks and
balances) with programmed ones. These risks place a great responsibility on
management, internal and external auditor/inspectors and staff to continuously
monitor automated processes and manage such risks.
The major concern that all auditor/inspectors must bear in mind before undertaking
any audit assignment is that of risk. All audit findings must take into account the level
of risk to the business associated with the finding/s. The issue is therefore to consider
the risk to the organisation associated with the use of Information Technology (IT).
If the organisation's core business processes are automated, then it is as good as its
IT, since failure of its IT system may result in failure of the business as a whole.
Consequently, the Internal Auditor/inspector must understand the organisation's
business environment and plan the audit accordingly. The Integrated Financial
Management System is a good example of process automation. Conversely, the
success of the Ministry is more and more dependent on its IT system/s. This chapter
discusses a simple approach for auditing in an IT environment, covering key areas of
audit planning, step-by-step IT audit procedures, risk assessment and reporting.
The key issue is to understand IT best practices and the organisation's business
environment, processes and controls.
Understanding IT Controls
Internal control is defined as: a process, effected by an organization's board of
directors, management, and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives in the categories below:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations.
IT controls include those processes that provide assurance for information and
information services and help mitigate the risks associated with an organization's use
of technology. The controls range from written corporate policies to their
implementation within coded instructions; from physical access protection to the
ability to trace actions and transactions to the individuals who are responsible for
them; and from automatic edits to reasonability analysis for large bodies of data.
key
Are the detective controls adequate to identify errors that may get past the
preventive controls?
Are corrective controls sufficient to fix the detected errors?
(e.g. transaction initiation versus
c) Corrective Controls
These correct errors, omissions, or incidents that have been detected.
They include:
- simple correction of data entry errors
- identifying and removing unauthorized users or software from systems or
  networks
- recovery from disruptions or disasters
To simplify correction, it is more efficient to prevent errors or detect them as
close as possible to their source.
The controls should also be subject to detective and preventive controls,
because they represent another opportunity for errors, omissions, or
falsification.
10.1.2.1 IT Controls
1) Policies
Clear policy statements regarding all aspects of IT should be devised and
approved by management, and communicated to all staff.
Examples of IT policy statements include:
- A general policy on the level of security and privacy throughout Ministry of
  Finance. This should be consistent with all relevant national and
  international legislation and should specify the level of control and security
  required depending on the sensitivity of the system and data processed.
- A statement on the classification of information and the rights of access at
  each level. The policy should also define any limitations on the use of this
  information by those approved for access.
- Clear distinction of the parties with the authority to originate, modify, or
  delete information.
- Personnel policies that define and enforce conditions for staff in sensitive
  areas. This includes having employees sign agreements accepting
  responsibilities for the required levels of control, security, and confidentiality.
  This policy also includes related disciplinary procedures.
- Definitions of overall business continuity planning requirements. The policy
  should ensure that all aspects of the business are considered in the event of
  a disruption or a disaster.
2) Standards
Standards enable the organization to maintain the whole operating environment
more efficiently.
There should be standards on issues like:
Systems Development Process
This looks at the processes for designing, developing, testing, implementing,
and maintaining systems and programs.
Systems Software Configuration
Systems software provides a large element of control in the IT environment.
The way operating systems, networking software, and database
management systems are configured can either enhance security or create
weaknesses that can be exploited.
Applications Controls
All applications that support business activities should be controlled.
Documentation
Standards should specify the minimum level of documentation required for
each application system or IT installation, as well as for different classes of
applications, processes, and processing centres.
3) Organization and Management
Issues to look at include:
Separation of duties
This is a vital element of many controls. The structure should not allow
responsibility for all aspects of processing data to rest upon one individual or
department.
The functions of initiating, authorising, inputting, processing, and checking
data should be separated so that no individual can both create an error,
omission, or other irregularity and authorize it or obscure the evidence.
4) Physical and Environmental Control
All equipment must be protected. This includes servers and workstations that
allow staff access to the applications.
Some physical controls include:
Locating servers in locked rooms to which access is restricted.
Restricting server access to specific individuals.
Providing fire detection and suppression equipment.
Housing sensitive equipment, applications, and data away from
environmental hazards like low-lying flood plains or flammable liquid stores.
Under this heading, serious consideration should be given to contingency planning.
Questions to ask include:
What will the organization do if there is a fire or flood, or if any other threat
manifests itself?
How will the organization restore the business and related IT services to
ensure normal processing continues with minimum effect on regular
operations?
Input Controls - These check the integrity of the data entered into the
IFMS application. Input is checked to ensure that it remains within the
specified parameters.
Processing Controls - These provide automated means to ensure
processing is complete, accurate and authorized.
Integrity Controls - These monitor data in process and/or in storage to
ensure that data remains consistent and correct.
Management Trail (Processing History Controls) - These enable the
tracking of transactions from the source to the ultimate result and to trace
backward from results to identify the transactions and events they record.
These controls should be adequate to monitor the effectiveness of overall
controls and identify errors as close as possible to their sources.
8) Baseline IT Controls
These are the basic set of controls that need to be in place in order to provide a
fundamental level of IT security. Baseline controls are most widely applicable to
all IT infrastructures.
Some of the questions to be considered when selecting a suitable set of
baseline controls include:
Do IT policies exist?
Have responsibilities for IT and IT controls been defined, assigned, and
accepted?
Are IT infrastructure equipment and tools logically and physically secured?
Are access and authentication control mechanisms used?
Is antivirus software implemented and maintained?
Is firewall technology implemented in accordance with policy?
Are change and configuration management and quality assurance
processes in place?
Are structured monitoring and service measurement processes in place?
Are specialist IT audit skills available (either internally or outsourced)?
10.1.2.2 Control Weaknesses In IT Systems
Lack of formal IT planning mechanisms with the result that IT does not serve the
ministry's pressing needs or does not do so in a timely and secure manner.
Lack of formal security policies resulting in a piecemeal or after-an-incident
approach to security
Inadequate program change control leaving software vulnerable to unauthorized
changes
Little or no awareness of key security issues and inadequate staff to address
the issues
Failure to take full advantage of all security software features like selective
monitoring capabilities, enforcement of stringent password rules, and review of
key security reports.
10.3
an IT process is considered within the context of all of the controls in place over that
process.
10.3.1 Acquisition, Implementation, and Maintenance of IT Solutions
Below is a listing of common controls over the IT process of Acquisition,
Implementation, and Maintenance of IT Solutions.
The auditee has formal policies and procedures in place that define its approach
to systems acquisition and change management (e.g., a formal systems
development methodology).
User department and IT department management approval is required before
systems acquisition and/or change projects are undertaken.
Project documentation that includes systems requirements definitions, risk
analyses, and cost-benefit analyses is maintained.
There is a mechanism in place for the periodic review of the service organization's
operational and control effectiveness.
The auditee's systems acquisition and change approach addresses security risks.
The auditee's systems acquisition and change approach addresses data
conversion.
Environments (either logical or physical) separate from production systems exist
for development (or modification) and testing of IT solutions.
Management must review and approve IT solutions prior to their implementation.
End users are actively involved in the test process.
Development personnel are prohibited from migrating applications and data from
the test environment to production.
Post-implementation review procedures are performed for any system
modifications made during an emergency.
Users are limited to one session per account (e.g., concurrent sessions or
logons are not allowed).
These controls may be identified while we gain an understanding of the other IT processes.
10.4
10.5
10.6
(ii)
and procedures indicates a weak control environment and high control risk]
this helps the Auditor/inspector to plan and select the appropriate CAATs
(computer assisted audit techniques), BEASTs (beneficial electronic
analysis and support tools) and audit tools to use i.e. Audit Software (used
for substantive procedures) or Test Data (used for testing controls).
If the policies and procedures exist, the Auditor/inspector must ensure that
they are up-to-date. The Auditor/inspector must thereafter benchmark the
policies and procedures against best practices. Report any inconsistency
and advise accordingly.
(iii)
(iv)
(v)
(vi)
Planning an IT Audit
In planning an IT audit, the auditor/inspector shall obtain an understanding of the
significance and complexity of the IT activities and the availability of data for use in
the audit.
The auditor/inspector may consider the following issues at this stage of the
audit:
(a)
(b)
Identify the standards and best practices against which the organisation's IT
systems can be benchmarked. There are quite a number of these, and they include
accounting, auditing and IT standards, for example: International Standards on
Auditing (ISAs); a code of practice for information security management; the
organisation's own IT policy; ISO 17799, the international standards on
security; the Basel Accord on IT operational risk management guidelines; CoBIT
4th Edition Control Objectives for IT Strategic Management; and any other
known best practice in IT management and control.
(c)
The volume of transactions is such that users would find it difficult to identify
and correct errors in processing
The computer automatically generates material transactions or entries
directly to another application
The computer performs complicated computations of financial information
and/or automatically generates material transactions or entries that cannot
be (or are not) validated independently
Transactions are exchanged electronically with other organisations (as the
case with EDI systems) without manual review for propriety or
reasonableness
(d)
(e)
(iii)
(iv)
(v)
(vi)
(vii) Lack of source documentation and audit trail (computers do not show
handwriting to indicate who authorised what and when. Other controls,
like access rights, show this; however, passwords can be cracked
or copied, so a policy is needed here too)
(viii) Ease of access to data and programs (it could be easier to tap into a
network, or access the server from within, where security controls are
lacking. Viruses and spyware from the internet can easily find their
way in)
(ix) Multiple files update (incorrect data input may incorrectly update all other
accounts in the system)
(x) Vulnerability of storage media (Computer diskettes, memory chips and
floppy disks may be vulnerable to risks of theft and loss in absence of a
policy and proper access controls).
10.8
[Table: columns "Procedure" and "Working Paper Reference"; rows 1 to 15, row contents not recoverable]
As well as preventing users from executing a transaction independently from initiation to reporting, there are
also elements within a transaction or process that should be segregated. For example, it is recommended that
users with the ability to create or amend vendor details not be involved in processing purchase orders, invoices
or receiving goods to reduce the risk of fraud.
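The segregation rule above, together with the earlier requirement that initiating, authorising, inputting, processing and checking be separated, can be tested with a CAAT-style script run over access and transaction records. The following is an added example and not part of the manual; the record layout, duty labels, user names and sample data are all constructed assumptions.

```python
"""Segregation-of-duties tests over constructed access and activity records."""
from collections import defaultdict

# Duty labels are assumptions for this example. The rule itself is the one in
# the text: vendor maintenance must not be combined with purchase orders,
# invoices or receiving goods.
VENDOR_DUTY = "vendor_maintenance"
INCOMPATIBLE_WITH_VENDOR = {"purchase_orders", "invoices", "goods_receipt"}

# Functions that should not be performed by one person on one transaction.
SEPARATED_FUNCTIONS = {"initiate", "authorise", "input", "process", "check"}

# --- Constructed sample data (not taken from any real system) ---
USER_DUTIES = {
    "user_a": {"vendor_maintenance"},
    "user_b": {"purchase_orders", "goods_receipt"},
    "user_c": {"vendor_maintenance", "invoices"},
    "user_d": {"reporting"},
}

VENDOR_CHANGES = [
    {"vendor": "V-17", "change": "create", "user": "user_a"},
    {"vendor": "V-23", "change": "amend", "user": "user_c"},
]

TRANSACTION_LOG = [
    {"txn": "PO-1001", "vendor": "V-17", "function": "initiate", "user": "user_b"},
    {"txn": "PO-1001", "vendor": "V-17", "function": "authorise", "user": "user_d"},
    {"txn": "PO-1002", "vendor": "V-17", "function": "initiate", "user": "user_b"},
    {"txn": "PO-1002", "vendor": "V-17", "function": "authorise", "user": "user_b"},
    {"txn": "PO-1002", "vendor": "V-17", "function": "check", "user": "user_a"},
    {"txn": "INV-2001", "vendor": "V-23", "function": "input", "user": "user_c"},
    {"txn": "INV-2001", "vendor": "V-23", "function": "view", "user": "user_c"},
]


def access_conflicts(user_duties):
    """Entitlement test: users granted vendor maintenance together with any
    purchasing, invoicing or receiving duty. Returns {user: [duties]}."""
    findings = {}
    for user, duties in user_duties.items():
        if VENDOR_DUTY in duties:
            clash = duties & INCOMPATIBLE_WITH_VENDOR
            if clash:
                findings[user] = sorted(clash)
    return findings


def transaction_conflicts(log):
    """Activity test: one user performing two or more separated functions on
    the same transaction. Returns {(txn, user): [functions]}."""
    performed = defaultdict(set)
    for entry in log:
        if entry["function"] in SEPARATED_FUNCTIONS:
            performed[(entry["txn"], entry["user"])].add(entry["function"])
    return {key: sorted(f) for key, f in performed.items() if len(f) > 1}


def vendor_activity_conflicts(vendor_changes, log):
    """Activity test: a user who created or amended a vendor record and also
    acted on a transaction for that vendor, even if the entitlement review
    looked clean. Returns a sorted list of (user, vendor, txn)."""
    maintainers = defaultdict(set)
    for change in vendor_changes:
        maintainers[change["vendor"]].add(change["user"])
    hits = set()
    for entry in log:
        if entry["function"] not in SEPARATED_FUNCTIONS:
            continue  # read-only activity is not a processing step
        if entry["user"] in maintainers.get(entry["vendor"], set()):
            hits.add((entry["user"], entry["vendor"], entry["txn"]))
    return sorted(hits)


if __name__ == "__main__":
    for user, duties in access_conflicts(USER_DUTIES).items():
        print(f"ACCESS   {user}: vendor maintenance + {', '.join(duties)}")
    for (txn, user), funcs in transaction_conflicts(TRANSACTION_LOG).items():
        print(f"ACTIVITY {txn}: {user} performed {', '.join(funcs)}")
    for user, vendor, txn in vendor_activity_conflicts(VENDOR_CHANGES, TRANSACTION_LOG):
        print(f"VENDOR   {user} maintained {vendor} and acted on {txn}")
```

The entitlement test and the two activity tests answer different questions: in the sample data user_a holds no conflicting duty on paper but still appears in the vendor activity test.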
o Controls over data input, output and processing (including transaction audit trails);
o Anti-virus procedures;
o Data privacy considerations;
o Software licenses;
o Operational controls (including batch processing); and
o Change control (including application selection, implementation and
maintenance).
Action / Explanation / Example

1. Define the audit subject

2. Determine the audit objective/s

3. Audit scope or extent
Explanation: This involves identification of specific functions, processes or
systems of the organisation to be included in the review.

4. Pre-audit planning
Explanation: The auditor/inspector shall obtain an understanding of how the
entity responds or has responded to the risks arising from IT. The
auditor/inspector must:
- Identify processes/assets/facilities to be audited
- Identify technical skills and resources needed.
- Identify the appropriate CAAT tool/s to use, based on the organisation's IT
platform, and
- Identify the sources of information for test or review.

5. Design audit procedures and steps of information gathering
Explanation: Depending on the results of the risk assessment, the
auditor/inspector has to identify and select the audit approach to verify and
test the controls or to undertake detailed tests of account balances and
transactions relevant to the entity's financial reporting objective/s (which are
material).

6. Evaluate and review results
Explanation: The auditor/inspector must review all the working papers and
document findings. This is important for audit work quality control in line with
ISA 220.

7. Prepare draft report and communicate with management
Explanation: A draft report detailing potential areas of risk has to be
prepared, which must then be discussed with the auditee management before a
final audit report is written.

8. Prepare final audit report

9. Review and follow up
[Checklist columns: Yes/No | Remarks | WP Ref]
Review documentation regarding the GL set up, segment qualifiers and cross
validation rules.
Ascertain that no unauthorised changes to the set up parameters have been
made.
Review the set of books documentation and also the options.
Before any alteration/addition is made to the COA, a valid request from an
MALG, approved by the Accountant General, should be obtained. A paper trail
of the request should exist.
10.12.8.0
Get a print out of the purchase orders and review for appropriateness of
charge account
Check whether the documented procedures require a hard copy trail to be
kept for each transaction in the form of a voucher.
The following reports should be printed and reviewed:
Cancelled Requisitions Report
Cancelled Purchase Orders Report
Encumbrance Detail Report
There should be assurance that the receipts are only entered into the IFMS
system after ensuring that the description and quantity of the items agree with
the details on the purchase order.
10.13
10.14
10.15
Article 11
Fraud and Irregularities
11.0 Introduction
The profile of fraud and corruption in both the public and private sectors continues to
be high.
Fraud can be defined as any illegal acts characterised by deceit, concealment or
violation of trust. These acts are not dependent upon the application of threat of
violence or physical force. Frauds are perpetrated by individuals and organisations to
obtain money, property or services; to avoid payment or loss of services; or to secure
personal or business advantage.
Internal auditors/inspectors do not have all the expertise to deal with cases of
suspected fraud, corruption or other irregularity. When such a case is found or
suspected, the Internal Auditor/inspector must contact the Commissioner Internal
Auditor/Inspector, who will contact the Head of Internal Audit. The Chief Internal
Auditor/Inspector will decide what steps need to be taken and when to contact other
institutions, for example, the Prevention of Corruption Bureau.
11.1
11.1.1 People
11.1.2 Processes
No checks to ensure that only appropriate suppliers are used by, for example,
checking for connections with company employees or officers.
Lack of appropriate response to queries from management, suppliers,
auditors/inspectors, bankers, or lawyers.
Suggestions that internal controls have been overridden by management.
Rumours and tip-offs relating to fraud & irregularities not dealt with.
Indications that internal financial information is unreliable.
Continuing failure to correct major weaknesses in internal control where such
corrections are practicable and cost-effective.
No enforcement of holidays and procedures during absence and work always left
until the employee returns.
Accounts office not keeping up with operations and the books apparently in a
mess, for example key reconciliations not completed.
Loss of records or other information.
Overly complex corporate and/or reporting structure.
Control of the business, especially internal control, given low priority and little
management time.
11.1.3 Surplus/Deficit
11.2
11.3
Who within each area could produce a comprehensive list of the critical risk
areas?
Who could check that list for completeness and accuracy?
Are understanding and control of any process solely or principally in the hands of
one individual?
How is this individual monitored and controlled and is this appropriate?
Are any such key individuals demonstrating fraud & irregularities warning signs?
Is the culture of the business conducive to fraud & irregularities, for example, is it
overly secretive/complicated?
How would you perpetrate a fraud & irregularities in each business area/process?
How would you be found out?
What are the key controls on which the business is relying?
Repeat the exercise, assuming that a key employee is involved in the fraud &
irregularities, to highlight the key controls and individuals on which the business is
relying.
How big would the fraud & irregularities get before it was noticed?
Could cost-effective controls be introduced to mitigate the risks?
11.4
11.5
employees who never take annual leave; also staff who constantly work outside
normal working hours
employees' personal financial problems
employees whose lifestyle is more extravagant than their salary would warrant
unusual concerns about visits by auditor/inspectors
someone who often breaks the rules and regulations - cutting corners may be a
way of concealing fraud
complaints about a member of staff from customers or employers
people who rule their subordinates with a rod of iron, and unnecessary anger,
sarcasm or criticism, so they become too frightened to question anything
lack of effective internal controls
failure of management information systems
undocumented procedures
general laxity of attitude by management and employees towards security.
Once an investigation is completed internal audit may have responsibilities in
relation to:
o recommending improvements to systems
o attendance at disciplinary proceedings
o attendance at Court
Interviewing
Interviews can be of two types:
o to seek more information
o interviewing suspects.
11.6.1
11.6.2
One auditor/inspector should ask questions - and another person should take
notes
Ensure that nothing is done that can be construed as duress by the interviewee
Begin by asking the interviewee to outline their understanding of their duties and
responsibilities of the matter under review
Ask supplementary questions where necessary
If at any time the auditor/inspector forms the opinion that they have reasonable
grounds for believing that the interviewee has committed an offence, the caution
should be administered
The auditor/inspector's notes should be agreed, signed and dated by all present
at the interview.
11.8
pass which will be shown on arrival. If the interviewee is an aged person it is sensible
for the auditor/inspector to be accompanied by a social/welfare worker, who is known
to the person. This is also important when the interviewee is female and lives alone
and in these circumstances it is preferable that the interview be conducted by a
female auditor/inspector where possible.
11.9
Interviews with potential suspects should be conducted towards the end of the
investigation when the auditor/inspector has assimilated the available evidence
and the examination of records and interviews with third parties and others has
established, as far as possible, the veracity of the facts of the case.
If the interview is carried out at an early stage where the auditor/inspector is
working largely on personal suspicions then the interview becomes a fact finding
interview with the possibility of a further interview being necessary. This could
however enable the suspect to gain considerable insight into areas being covered
by the investigation and be given an early opportunity to frustrate the investigation
as previously mentioned.
Understand and be fully conversant with all the details of the case.
Have sufficient knowledge to introduce supplementary questions spontaneously, if
appropriate, during the interview.
Study the evidence thoroughly and draw upon the strongest aspects of the case
and with all the necessary supporting evidence.
Formulate the areas to be covered and the sequence in which those areas should
be dealt with in a logical structure.
Be methodical in approach.
Ensure that documents connected with the suspected fraud, and those that will
subsequently be relied on in proving that fraud has occurred, are shown to the
suspect at interview and accepted as valid, accurate and complete documents.
Seek confirmation of such documents in total from the suspect in the initial stages
of an interview when the suspect is not aware of the detailed suspicions of the
auditor/inspector or the direction which the interview will take.
Give all such documentary evidence produced at interviews unique references
which will clearly identify individual documents and which will be recorded in the
question asked, for example, "Would you examine this time-sheet dated 10/12/06
which I have referenced ABI? Is this the time-sheet which you completed for the
week ended 10/12/06?" A positive answer to such a question, contemporaneously
recorded, would be difficult for the suspect to refute at a later date.
Predetermine and write down the questions to be asked at the interview.
the questions are asked in the most beneficial sequence and in the most
appropriate form
the auditor/inspector taking notes of the answers given can concentrate on writing
down the answers only
no area of the investigation is missed from the interview as a result of the
auditor/inspector being side-tracked by the interviewee, and
the overall interview time is reduced as the process is speeded-up.
Future disputes as to the conduct of the audit interview can be forestalled to some
extent if a final question is included, as a matter of course, to the effect, "Are you
satisfied with the way in which this interview has been conducted?" An affirmative
answer to such a question should preclude any complaints of duress, unfair
treatment or denial of natural justice by the auditor/inspectors being made by the
interviewee at a later date.
There should be no leading questions. These are questions which contain the
answer the questioner is looking for, e.g. "You do open the post on your own,
don't you?"
Questions should be kept simple. It is better to use several short questions
rather than long involved ones.
If a question is not understood, repeat it.
Avoid multiple questions as these allow the suspect to choose which individual
aspect of the question to answer and can be confusing, especially when a "yes"
or "no" answer is given, as it is impossible to determine whether it is "yes" or "no"
to all aspects, or one, or more.
Ask a question the correct answer to which is already known to the
auditor/inspector. This type of question allows the auditor/inspector to determine
whether the suspect is telling the truth.
Where questions are asked about two related documents, for example, a
correct one and an identical fictitious one, the fictitious document should be
questioned first as the suspect will not be aware that the auditor/inspector
possesses the correct one and will have committed an answer before the
correct document is produced and therefore be unable to easily retract it.
Ensure that the questions are constructed to elicit all information otherwise the
auditor/inspector will find that only specific responses are made and these may
not reflect the whole truth.
Use either open questions or closed questions, depending on the situation.
a) Open Questions
b) Closed Questions
Ensure that adequate safeguards are adopted, both from the point of view of the
interviewee and the interviewer.
Arrange the interview at a reasonable time of day (having taken into account the
estimated time which will be required to carry out the full interview).
Breaks from interviewing shall be made at recognised meal times.
Short breaks for refreshment shall also be provided at intervals of approximately
two hours, subject to the interviewing officer's discretion to delay a break if there
are reasonable grounds.
As far as practicable interviews should take place in interview rooms which must
be adequately heated, ventilated and lit.
The interviewee should be given the opportunity to be accompanied if requested,
so advance warning will be necessary so that the requisite arrangements can be
made.
A person who wants legal advice may not be interviewed or continue to be
interviewed until they have received it.
The prefix sheet should incorporate a paragraph which sets out the
auditor's/inspector's authority to conduct the interview and seek explanations and
information from the interviewee. This can be read out to the interviewee and will
assist in precluding any dispute and consequent delay which might otherwise
arise over the right of the auditor/inspector to carry out the interview.
Before, during and after the interview nothing should be done in any way
whatsoever which could be construed as duress to force the interviewee to
answer in a specific way or even confess to an offence. An auditor/inspector
tapping fingers on the desk could be interpreted as an act of duress and could
bring the interview into question in any future court hearing.
11.12
If during the course of an interview the interviewee offers to resign then the
auditor/inspector should not accept it but should refer the individual to the
manager/personnel officer and record the offer in the interview notes.
Auditor/inspectors should not accept money in restitution of an offence at
interview as it may be construed as being obtained under duress and legal
advice should be taken afterwards.
Any offer of restitution should be incorporated in the interview notes.
The auditor/inspector should not enter into any discussion on doing a "deal"
whereby the employee will pay restitution in order for the matter not to be
referred to the police etc.
Such notes are also generally accepted by the courts for use by a witness when
giving evidence but the courts may, on occasion, rule that only the rough notes
made contemporaneously may be used. It is therefore important that these notes be
as detailed as possible and are retained intact.
11.12.3 Conclusion of the investigation
Having conducted the interviews necessary to complete the auditor/inspector's
knowledge of the situation disclosed by the investigation, the auditor/inspector must
draw together all the evidence obtained from the investigations and formulate the
conclusions based on all the evidence so that the audit report can be prepared.
At this stage the auditor/inspector must take full account of all their investigations in
reaching their conclusions.
It is also important that conclusions are only based on fact. It may well be prudent to
obtain legal advice from within the organisation before finally determining the
conclusions of the investigation.
The need to obtain legal advice on the evidence resulting from the
investigation
In almost every fraud investigation some legal advice on the strength of the
evidence obtained will be required. This may be:
o informal - an off the record discussion with a member of the organisation's legal
staff
o a referral of a draft report for specific examination as to whether the evidence
disclosed is strong enough to warrant referral to the police
o a formal referral to outside counsel for advice both on the case and perhaps
proper procedures for investigation/reporting when the culprit is covered by a
detailed and specific nationally laid down disciplinary code.
It must always be remembered that the legal opinion obtained is purely that, an
expression of opinion, and must never be regarded as a definite and infallible
prediction of the outcome of any investigation/criminal action. The opinion given can
only be formed from the information available. Therefore any omissions or errors in
that information, or subsequent discoveries (unforeseen when the information was
provided) will affect the validity of the opinion which is drawn from the information
supplied.
The following expressions are those generally used by the legal profession when
giving an opinion on the strength of evidence, and can be interpreted as shown
below:
"The evidence should be sufficient to support successful proceedings"
This can be taken as legal opinion that the evidence obtained should be more likely
to result in conviction of the culprit than in the acquittal.
APPENDIX 1
ESAAG INTERNAL AUDITING GUIDELINES
for
East and Southern Africa Association of Accountants General
February 2001
CONTENTS
1. Introduction
5. Professional Proficiency
6. Relationships
1. INTRODUCTION
1.0 These Internal Auditing Guidelines are recommended to all government institutions in member countries.
These may include Ministries, Departments, Regions, and other public sector organisations or entities,
where appropriate. The Guidelines are prepared in compliance with the Standards for the Professional
Practice of Internal Auditing developed by the Institute of Internal Auditors and international best
practice in public sector Internal Audit.
1.1 The guidelines are intended to provide best practice principles rather than specific guidance on Internal
Audit procedures and techniques. Each professional Internal Auditor should hold the general skills and
knowledge of Internal Audit practice.
1.2 A brief explanatory note to facilitate a clear understanding of the guidelines is included before each
guideline.
1.3 These guidelines provide criteria by which Internal Auditing in the Public Sector in member countries
should be measured and evaluated.
1.4 Any standards or guidelines should be dynamic to keep up to date and these guidelines will be revised
from time to time as necessary.
2.
2.0
Explanatory Notes:
2.1
This guideline explains the nature, objectives and scope of Internal Auditing and indicates the range of
responsibilities that Internal Audit should cover. The Head of Internal Audit should ensure that each
Accounting Officer (see Glossary of Technical Internal Audit Terms at the end of these Guidelines) in the
public sector organisations for which they are responsible are aware of the full range of activities that fall
within the scope of Internal Audit.
2.2
Nature: The Institute of Internal Auditors defines Internal Auditing as "an independent objective
assurance and consulting activity designed to add value and improve an organisation's operations. It
helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate
and improve the effectiveness of risk management, control and governance processes."
2.3
Internal Audit should be an independent function or division within the public sector organisation. It
assists management by reviewing, assessing and helping to improve the internal control system. Internal
Auditors work with Accounting Officers and other managers to help to improve internal controls within
their public sector organisation and so reduce the risks the Government faces in achieving its objectives
to an acceptable level. Internal Audit undertakes reviews of individual systems and processes. As a
result, recommendations are made to the relevant Accounting Officer on how internal controls could be
improved.
2.4
Scope: The scope of internal audit needs to cover the systematic review, appraisal and reporting of the
adequacy of the systems of managerial, financial, operational and budgetary control and their reliability
in practice, including:
- the relevance of established policies, plans and procedures, the extent of compliance with these
- the extent to which assets and interests are accounted for and safeguarded from losses of all kinds arising from waste, extravagance, inefficient administration, fraud or other causes
- the appropriateness, reliability and integrity of financial and other management information and the means used to identify, measure, classify, report and act upon that information
2.5
The actual areas reviewed by Internal Audit should be determined by a risk assessment that guides
Internal Audit planning (see Guideline Seven).
2.6
There should be an Internal Audit service for all public sector and government organisations including
the armed and secret services.
2.7
Objectives: Internal Audit should operate in partnership with management by helping to enhance their
accountability, transparency and corporate governance. This is achieved by identifying and evaluating
their internal control systems and making recommendations for improvements and refinements to these
systems.
2.8
Internal Audit assists Accounting Officers by evaluating and reporting on the elements of the internal
control system for which the Accounting Officer is responsible. It is not, however, an extension of, or a
substitute for, effective internal controls. Responsibility for internal control rests fully with the
Accounting Officer, who should ensure that appropriate and adequate arrangements for internal control
exist in addition to any Internal Audit activity in their public sector organisation. It is for the Accounting
Officer to decide whether or not to accept and implement Internal Audit findings and recommendations.
However, the Accounting Officer should be responsible to an Audit Committee and the Public Accounts
Committee for ensuring that prompt and effective action is taken to address Internal Audit's findings. An
Audit Committee may assist in ensuring that prompt and effective action is taken in response to audit
recommendations.
2.9
Internal Audit may undertake checks that individual items of expenditure are necessary and have been
authorised as required. This may be undertaken before the payment is made (pre-audit) or may be
undertaken later (post-audit). Internal Audit may also be required to undertake independent checks on
stores and fixed assets. However, international best practice suggests that the core element of Internal
Audit work should be systems audit. The objective of systems audit is to improve the controls operated by
management rather than Internal Audit acting as a control itself.
2.10
If Internal Auditors undertake pre-audit, they should not also undertake system reviews of the same
transactions or systems.
Advantages and Disadvantages of Pre-Audit
Advantages
Disadvantages
2.11
In some countries, Internal Audit may be required to undertake pre-audit. Where this is the case
consideration should be given to reducing this role. This could be achieved by only undertaking pre-audit
on larger payments or those that are particularly vulnerable to fraud or irregularity. Public sector
organisations with good internal controls could be rewarded with a reduced requirement to have their
expenditure subject to pre-audit.
2.12
Internal Audit is not necessarily best suited to undertake investigations into suspected fraud, corruption
or irregularity. This is a specialised function that requires expert knowledge and experience. The
approach to fraud investigation is different to that used in routine Internal Audit work. For these reasons,
where possible, fraud investigations should be undertaken by a special unit.
2.13
- independently review and appraise the systems of control throughout the public sector organisation (not just the financial controls);
- ascertain the extent of compliance with procedures, policies, regulations and legislation;
- provide reassurance to management that their policies are being carried out with adequate control of the associated risks;
- save money by identifying waste and inefficiency, and by facilitating the spread of good practice;
- avoid duplication of effort by an effective partnership with the Auditor-General and other review agencies;
- by its activities help to ensure that assets and interests are safeguarded from fraud, deter fraudsters and possibly identify fraud.
2.14
The existence of Internal Audit in a public sector organisation should not cause a general relaxation of
vigilance on the responsibility of the line managers. It is not the responsibility of Internal Audit to detect
and/or prevent fraudulent activities and irregularities. This is the responsibility of all officers, managers
and the Accounting Officer.
The way that these objectives are achieved will vary between countries and
organisations. This leads to a variety of different approaches to Internal Audit. This
subject is covered in the Guideline below on Approaches to Internal Audit.
The Head of Internal Audit should be consulted when the Accounting Officer wishes to
change the system of internal control. The Head of Internal Audit should be required
to co-ordinate inter-ministerial or departmental issues concerning control.
If Internal Auditors are used to investigate potential fraud or irregularity they will need
specialist knowledge and experience. An expert team should be created to investigate
cases of actual or potential fraud and irregularity.
INTERNAL CONTROL
Internal control has been defined by the Committee of Sponsoring Organisations of the
Treadway Commission (COSO) in Internal Control Integrated Framework, as:
'A process, effected by an entity's board of directors, management and other
personnel (people), designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:
Internal control is a management tool used to provide reasonable assurance that the
public sector organisation's objectives are being achieved efficiently. Internal control
covers the whole system of controls, policies and procedures established by
management to meet their targets and objectives.
The responsibility for the adequacy and reliability of internal controls rests with
management. The relevant Accounting Officer has overall responsibility for the
establishment and maintenance of internal controls within their area of responsibility.
The Accounting Officer of each public sector organisation should ensure that proper
internal controls are introduced, reviewed, and updated to keep them effective. An
Audit Committee can assist with this role.
SCOPE OF INTERNAL AUDIT
The potential scope of Internal Audit is the whole system of internal control established
by a public sector organisation. This may include controls over all the organisation's
activities, not just controls over financial accounting and reporting. Internal Audit
should review all significant operational and management controls, including policies
and procedures for the management of risk. However, Internal Audit should
concentrate its efforts on the high risk areas and the most important internal controls.
10
The Accounting Officer and Audit Committee should not restrict Internal Audit to
work on financial systems or checking that assets are safeguarded. Internal Audit work
should go beyond the accounts to check that public officials and others entrusted with
public resources are:
a) complying with applicable laws and regulations
b) achieving government objectives and desired services or benefits established by the
public sector organisation.
11
The Audit Committee and the Accounting Officers should ensure that Internal Audit
has the widest scope to ensure that internal controls across the whole public sector
organisation may be subject to review by Internal Audit.
12
Internal Audit should have unrestricted access to all the people, systems, documents
and property it considers necessary for the proper fulfilment of its responsibilities.
3.0
Explanatory Notes:
3.1
Internal Audit should be sufficiently independent from line management to ensure that Internal Audit's
professional judgements and recommendations are objective and impartial. To be effective, Internal
Audit needs to have adequate authority and report at a sufficiently senior level within the public sector
organisation. As a result, the Head of Internal Audit should report (for pay and rations) at a level at least
equivalent to the Accountant-General in the Ministry of Finance or the Permanent Secretary in other
ministries. Internal Audit should also report to an Audit Committee and have a direct reporting line to
the Accounting Officer.
3.2
It is generally considered that Internal Audit should not report to a manager if Internal Audit regularly
reviews systems that this manager is directly responsible for. For this reason, in some countries it is
considered inappropriate for the Accountant-General to be responsible for Internal Audit. The reason for
this is that the Accountant-General is the accounting advisor to the Permanent Secretary in the Ministry
of Finance and is also in charge of the treasury and the national accounts. The Head of Internal Audit
regularly reviews systems that the Accountant-General is responsible for and so should not report on
these systems to the same officer.
3.3
Internal Audit will achieve respect through the status it is given in a public sector organisation. For the
individual Internal Auditor, objectivity is essential to ensure an attitude of mind characterised by
integrity, steadfastness and an impartial approach to work. Objectivity may be impaired through
familiarity both with systems and non-audit staff. This may occur if Internal Audit staff are involved with
the same work assignments and ministerial officers for several years.
3.4
Internal Audit should take its authority and terms of reference from the Audit Committee and Accounting
Officer to whom the Head of Internal Audit should report and have the right of direct access. Internal
Audit's terms of reference (or charter) should clearly outline the nature, objectives, responsibilities and
scope of Internal Audit. Internal Audit's terms of reference should be approved by the Audit Committee
subject to applicable legislation.
3.5
3.6
Objectivity is an independent attitude of mind that Internal Auditors should maintain when performing
Internal Audit work. It is important that Internal Auditors always retain a critical edge in undertaking
their work. Internal Auditors need to be sceptical in discussions with officers and to obtain an adequate
level of proof from Audit testing.
3.7
Objectivity requires Internal Auditors to carry out Audits in such a way that the quality of their work or
their honest belief in the results of that work is not compromised. Internal Auditors should not be placed
in situations in which they feel unable to make objective professional judgements.
3.8
Internal Auditors should not be placed in situations in which they feel unable to make objective and
impartial professional judgements. If any of the situations referred to below arise, Internal Auditors
should inform their Head of Internal Audit so that alternative arrangements for the Internal Audit
assignment may be made:
(a)
Internal Auditors, notwithstanding their employment by the organisation, should be free from any
conflict of interest arising either from professional or personal relationships or from pecuniary or other
interests in an organisation or activity that is subject to Audit.
(b)
Internal Auditors should be free from undue influences, which either restrict or modify the scope
or conduct of their work or over-rule or significantly affect judgement as to the content of the Internal Audit
report.
(c)
Internal Auditors should not allow their objectivity to be impaired when Auditing an activity for
(d)
Internal Audit should be consulted about significant proposed changes to the internal control
system or the implementation of new systems. Internal Audit may make recommendations on the
standards of control to be applied without prejudicing Internal Audit's objectivity in reviewing those
systems at a later date.
(e)
Internal Auditors should not normally undertake non-Audit duties, but if they do, exceptionally,
they should ensure that management understands that they are not then functioning as Internal Auditors.
3.9
International best practice suggests that Audit Committees should be established. Audit Committees are
generally considered to improve the independence of Internal Audit. Audit Committees should be
established for each public sector organisation. Members of an Audit Committee, especially the chair,
should be chosen so that they are sufficiently independent from the senior managers of the public sector
organisation and so they are suitably experienced. An Audit Committee may deal with more than one
organisation.
3.10
The role of an Audit Committee with regard to Internal Audit is that it should:
- approve Internal Audit's strategic and operational plans and review performance against them
- discuss with Internal Audit its findings and the responses of management to its major recommendations; and, periodically, its views on the overall quality of internal control
- consider the objectives and scope of any additional (non-audit) work undertaken by the Internal Auditors to ensure there are no conflicts of interest and that independence is not compromised
- review the adequacy of the Internal Audit function, its adherence to professional standards, particularly independence, standing, scope, resourcing, its liaison with the Auditor-General and other review agencies and its reporting arrangements
- meet regularly two or three times a year and meet with the Internal Auditors at their request as they deem necessary
- through its Chair represent the concerns of Internal Audit to the relevant Accounting Officer, Permanent Secretary or Minister
14
15
It is the responsibility of the Accounting Officer and the Audit Committee to ensure
that conflicts of interest do not arise and that Internal Audit's objectivity and
independence are not compromised. If the independence or objectivity of Internal
Audit is impaired, in fact or appearance, the details of the impairment should be
disclosed to the Accounting Officer and the Audit Committee.
STATUS
16
17
The Head Internal Auditor should report to the Accounting Officer and an Audit
Committee.
TERMS OF REFERENCE
18
Internal Audit should have written terms of reference (or charter) that are agreed by the
Accounting Officer and the Audit Committee. These should clearly outline the nature,
objectives, responsibilities and scope of Internal Audit. The Head of Internal Audit
should actively seek to develop and obtain approval of such terms of reference. The
terms of reference should be reviewed and revised, if necessary, at least every three
years.
19
The terms of reference for Internal Audit should include the requirement for Internal
Audit to have access to all personnel, records, assets and property that Internal
Audit considers necessary for it to undertake its work effectively.
20
The terms of reference for Internal Audit should be supported by a law, by-law or
regulation that specifies the position of the Internal Auditor in the government
hierarchy.
OBJECTIVITY
21
The term objectivity includes the requirement on the part of Internal Auditors to have
an independent mental attitude to the performance of their work. Objectivity should
ensure that Internal Auditors have an honest belief in their work product and that no
significant quality compromises are made.
22
Internal Auditors should not be placed in any situation where they feel unable to make
objective professional judgements. Objectivity may be impaired through familiarity,
with both systems and officers. This may be created by Internal Audit staff being
involved with work assignments for too long a period of time. In order to maintain
maximum awareness and motivation amongst Internal Audit staff, work assignments
should be rotated on a planned basis. Transfers of Internal Audit staff between public
sector organisations are to be recommended, every few years, where possible.
23
24
25
26
The position of Internal Audit within the public sector organisation should be high
enough to ensure that there is no impairment of Internal Audit scope.
4.0
Explanatory notes:
4.1
The appointment of appropriate staff is important to the success of Internal Audit. Internal Auditors must
be able to develop good working relationships with all officers. Internal Auditors must also be able to
quickly understand how systems work and be able to identify suitable improvements. The Head of
Internal Audit should ensure that all their staff are appropriately trained and receive suitable guidance.
4.2
Controlling: Internal Audit work should be controlled at all levels of operation to achieve objectives and
ensure the economic and efficient use of resources.
4.3
The Head of Internal Audit should continually monitor Internal Auditors' performance. Any significant
variations from work plans should be investigated and dealt with appropriately. The results of each
Internal Audit assignment or groups of Audit assignments should be reviewed against Internal Audit
plans. Efficiency should be assessed and any necessary revisions made to subsequent planned work.
4.4
Recording: The Head of Internal Audit should specify standards of Audit documentation, ensure that
those standards are maintained and monitor compliance with the standards.
4.5
Appraisal: Like any other department, Internal Audit should be constantly appraised to ensure that its
performance and value to the management of the public sector organisation is maximised. The Internal
Audit function is subject to budgetary constraints, in common with all other elements of the public sector,
therefore its value should continually be re-assessed. This appraisal or assessment should be undertaken
by Internal Audit managers and also periodically by independent suitably experienced external assessors.
The assessment should consider the views of the Accounting Officer and other senior managers on the
success of Internal Audit. It may also consider Internal Audit's effectiveness and any appropriate
directional changes.
4.6
An Internal Audit management unit in the Ministry of Finance may assist in maintaining the quality of
internal audit across all public sector organisations and can assist with ensuring the independence of
Internal Audit. The Internal Audit management unit may have responsibility for the staffing, planning,
organisation and co-ordination of Internal Audit units in all public sector organisations. The
management unit may provide guidance to Internal Audit units in other public sector organisations,
monitor all Internal Audit reports, and co-ordinate training across the public sector. In some countries
Internal Audit units in all public sector organisations are managed by a central Controller of Internal
Audit in the Ministry of Finance.
The Head of Internal Audit should effectively manage Internal Audit to ensure it adds
value to the public sector organisation and to ensure that:
(a) Internal Audit work fulfils its terms of reference
(b) resources for Internal Audit are used efficiently and effectively
(c) Internal Audit staff undergo suitable professional development
(d) Internal Audit work conforms to approved standards
(e) the morale of Internal Audit staff is developed and maintained.
28
The Head of Internal Audit should submit periodic activity reports to the Accounting
Officer and the Audit Committee. These reports should compare:
(a) actual performance with goals and Internal Audit plans
(b) actual expenditures with financial budgets.
The Head of Internal Audit should explain major variances (positive or negative) together
with action taken to address these.
29
The Head of Internal Audit should ensure that Internal Audit staff are provided with a
suitable Audit Manual including written policies and procedures to guide them with their
work. This guidance should also include programmes for particular Internal Audit
assignments. The Internal Audit programmes should specify reporting lines at each level
of management.
30
The Head of Internal Audit should ensure that the work of all levels of Internal Audit staff
is effectively supervised from planning to conclusion. This supervision should include:
(a) provision of suitable instructions and guidance at the outset of an Internal Audit
assignment and approving the Audit programme
(b) seeing that the approved Audit programme is carried out unless deviations are both
justified and authorised
(c) ensuring that Internal Audit staff understand the work to be undertaken and obtain and
document sufficient relevant and reliable audit evidence
(d) determining that Internal Audit objectives are being met.
MANAGEMENT REVIEW
31
All Internal Audit working papers and reports should be reviewed by Internal Audit
managers before the reports are released. This review should include:
(a) determining that Audit working papers adequately support the Audit findings,
conclusions and report
(b) making sure that Audit reports are accurate, objective, clear, concise, constructive and
timely.
32
Internal Audit working papers should show clear evidence of this management review.
QUALITY ASSURANCE APPRAISALS
33
There should be periodical reviews of Internal Audit performance to ensure that its
performance and value to the management of the public sector organisation is maximised
and to ensure compliance with appropriate standards and guidance.
34
The Head of Internal Audit should establish and maintain a quality assurance programme
to evaluate the operations of Internal Audit. This programme should provide reasonable
assurance that Internal Audit work conforms to relevant standards and these Internal
Auditing Guidelines. It should also ensure that Internal Audit adds value by improving
internal control. This quality programme should include:
(a) supervision
Supervision of Internal Audit work should continuously ensure conformance with the
Institute of Internal Auditors Standards, these Internal Auditing Guidelines, department
policies and Audit programmes.
36
37
External reviews should be performed to assess the quality of Internal Audit work against
these Guidelines. These reviews should be performed by suitably qualified Internal
Auditors who are independent of the organisation and who do not have either a real or an
apparent conflict of interest. The external reviews should be undertaken at least once
every five years.
38
On completion of such reviews, formal written reports should be issued to the relevant
Accounting Officer and the Audit Committee. These reports should express an opinion on
Internal Audit's compliance with these Internal Auditing Guidelines and, where necessary,
should include recommendations for improvement.
5.
PROFESSIONAL PROFICIENCY
5.0
Explanatory notes:
5.1
In carrying out their duties Internal Auditors should exercise due professional care, that is competence
based on appropriate experience, training, ability, integrity and objectivity.
5.2
Due professional care is defined as carrying out Internal Audit work with competence and diligence. Due
care does not mean infallibility. Consequently Internal Auditors cannot provide absolute assurance that
non-compliance or irregularities do not exist. However, it will be incumbent upon the Internal Auditor to
consider the effect of significant weaknesses in the systems under review and evaluate the possibility of
material irregularity or non-compliance with the legislation and regulations when undertaking Internal
Audit.
5.3
Professional care requires the use of Audit skills and judgements based on appropriate experience,
training, ability, integrity and objectivity. The level of professional care to be exercised should be
appropriate to the objective and complexity of the Internal Audit work being performed.
5.4
In order to demonstrate due professional care, Internal Auditors should be able to show that their work
has been performed in the manner which meets the criteria set by these Internal Auditing Guidelines or
specific departmental policies.
5.5
Internal Audits should be performed by, or supervised and controlled by, Audit staff who have the
technical skills, experience and perspective which will enable them to comply with these Guidelines. This
is necessary to maintain Internal Audit's credibility as a dependable instrument of management.
5.6
The Head of Internal Audit should therefore ensure that Audit staff have the capacity to meet the
responsibilities identified by the terms of reference agreed with the Audit Committee and the Accounting
Officer.
5.7
The Head of Audit should ensure that all Internal Audit staff are reminded of their ethical responsibilities
and also ensure that their declarations of interest are reviewed, and where appropriate, updated at least
once a year.
5.8
Internal Auditors should not accept any gift or inducement from an officer, worker, supplier or other third
party. Information acquired by Auditors in the course of their work should not be used for unauthorised
purposes or for personal benefit or gain. Internal Auditors should only accept hospitality when this is
consistent with the public sector organisation's documented arrangements.
5.9
The most important source of information for Internal Auditors is the staff working within the area subject
to Audit. These officers know how the system actually operates and should have a reasonable idea of how
practical any improvements may be. Thus interviewing skills are essential for all Internal Auditors.
Internal Auditors need to be able to understand what may be a complex system. Internal Auditors also
need to be able to critically assess each stage of the process. Why is it performed? Could it be
undertaken more efficiently?
5.10
Staff who operate the system will know what they do, but not necessarily why they do it. They may also
try and explain the system in the most positive light. The skill of Internal Auditors is to enable all the staff
they interview to open up and describe what they actually do (not just what they think they should do) and
to identify any aspects they think could be improved. Understanding why each step is taken is more
difficult. Staff may just do it because "we've always done it that way" or, even worse, because "the
Auditors told us to!"
5.11
An experienced Internal Auditor will ensure that the staff they talk to are relaxed and so describe the
system, its bad points as well as the good points. They will also challenge the staff to ensure that they
describe what actually happens and through discussion ascertain whether any improvements are possible
and practical.
Internal Auditors should be appointed through free and open competition on the basis
of merit. The criteria used to fill Internal Audit posts should be suitable and clearly
documented. They should be developed after considering the level of required scope
and responsibility. Deliberate attempts should be made to ensure the proficiency and
qualifications of each prospective Auditor.
Compliance with Codes of Conduct
40
Internal Audit staff should follow existing codes of conduct and ethics for their
organisation. All professional Internal Audit staff should be members of the relevant
accounting or Internal Auditing professional body and follow their code of conduct or
ethics. All Internal Auditors should follow a professional code of conduct which calls
for:
a) high standards of honesty
b) high standards of diligence
c) high standards of loyalty.
Knowledge Skills and Discipline
41
Internal Auditors should be required to (individually) possess the knowledge, skills and
competencies essential to the performance of effective Internal Audit. Internal Audit
staff should be required to possess the following skills:
a) proficiency in applying Internal Auditing Guidelines
b) knowledge of techniques required to perform Internal Audit
c) proficiency in accounting principles and techniques (especially government
accounting)
d) an understanding of management principles and administrative procedures to
enable recognition and evaluation of the materiality and significance of deviations from
good and acceptable practice.
Human Relation and Communication
42
Internal Auditors should possess the skills required to deal with people and to
communicate effectively. They should cultivate harmonious relationships with officers
and managers. Internal Auditors should be proficient in oral and written
communication to enable effective reporting.
Continuing Education
43
Training of Internal Auditors should be a planned and continuous process at all levels
and should be designed to cover:
a) basic training providing the minimum level of skills and knowledge which all
Internal Auditors should possess
b) development training in Audit skills, techniques and behavioural aspects to
improve the effectiveness of those staff currently engaged as Internal Auditors
c) management training for those Auditors with responsibility for managing and
directing Audit teams, together with those staff members who show the potential for
management positions
d) specialist training for those Auditors responsible for a special field of Audit work
which requires specialist skills and knowledge, for example, computer auditing or
performance auditing.
44
45
If there is an Internal Audit management unit in the Ministry of Finance, this unit
should be responsible for the co-ordination of training requirements for all government
Internal Auditors. The foundation, from which the assessment of training requirements
of Internal Audit will be derived, should be the database of Internal Audit staff in all
public sector organisations.
46
Internal Auditors should be aware of their responsibility for continuing their education
in order to maintain their proficiency through participation in professional societies,
conferences and seminars, college courses, in-house training and engage in research to
identify new Internal Auditing developments.
Due Professional Care
47
The term due professional care means and includes the application of the care and skill
expected of a reasonable, prudent and competent Internal Auditor in the same or
similar circumstances.
48
In exercising due professional care, Internal Auditors should be alert to the following:
a) the possibility of intentional wrongdoing
b) errors and omissions
c) inefficiency, waste, ineffectiveness
d) conflicts of interest
e) conditions and activities likely to give rise to irregularities
f) inadequate control situations.
49
In exercising due professional care the Head of Internal Audit is required to consider
the following:
a) the extent of Internal Audit work needed to achieve the Audit objectives
b) the relative complexity, materiality or significance of matters to which Audit
procedures are applied
c) adequacy and reliability of risk management and control processes
d) likelihood of material irregularities or non-compliance
e) the cost of Internal Audit work compared to potential benefits or the risk of poor
internal controls.
6.
RELATIONSHIPS
6.0
Explanatory notes:
6.1
Management and staff at all levels should have confidence in the integrity, independence and capacity of
Internal Audit. This should be reflected and maintained in good working relationships between Internal
Auditors and the staff in the sections that they review.
6.2
The Head of Internal Audit should seek to foster and maintain constructive working relationships with
stock verifiers, fraud investigators, inspectors and any other review staff. Consultations between Internal
Audit and review staff should lead to effective co-ordination and minimise duplication of work.
6.3
Internal Audit should not improperly disclose any information obtained during the course of their work.
Permission should be provided by senior management before any information is passed outside the
organisation. Internal Audit will, quite properly, reveal to appropriate responsible parties (for example,
police or Auditor-General) all material facts they have established which, if not so revealed, may prevent
the uncovering of unlawful acts or could distort Audit reports. The passing of this information should be
treated as confidential and legally privileged. That is, the Internal Auditor will be exempt from any legal
liability from the passing of such information.
6.4
It is important for Internal Audit to market the services it can provide to managers. This could include
producing leaflets and making presentations to Accounting Officers and other senior officers on the
services, assistance and role that Internal Audit can play.
6.5
The relationship between Internal Audit and the Auditor-General's Office needs to take account of their
differing roles and responsibilities. Internal Audit is an independent appraisal function within the
organisation and Internal Auditors are direct employees. It is the Auditor-General's role to ensure that
the financial statements, operating performance and related statements are properly stated in all material
respects. Internal Audit and the Auditor-General may also have responsibility for performance audit to
ensure that economy, efficiency and effectiveness are improved.
6.6
The aim should be to achieve mutual recognition and respect, leading to a joint improvement in
performance and the avoidance of unnecessary overlapping of work. It should be possible for the
Auditor-General and the Head of Internal Audit to rely on each other's work, subject to limits determined
by their different responsibilities, respective strengths and special abilities. Consultations should be held
and consideration given to whether any work of either Auditor is adequate for the purpose of the other.
Internal Audit does not automatically have a right of access to the records of the Auditor-General.
However, the relationship between the Head of Internal Audit and the Auditor-General should be such
that the Auditor-General will allow access to the necessary records.
6.7
The Head of Internal Audit should seek, where appropriate, co-ordination of the plans of Internal Audit
with those of the Auditor-General's Office and the programme of, for example, stock verifiers. This cooperation should promote the most effective total audit coverage and should avoid duplication of work.
The Auditor-General's Office will have to decide if they can place reliance on the work of Internal Audit
and so reduce the amount of work undertaken by their own staff.
6.8
The Head of Internal Audit should meet regularly with staff from the Auditor-General's Office to:
discuss work plans for Internal Audit and the Auditor-General's Office
evaluate the relationships with the Auditor-General's Office and report as required to the
Accounting Officer and Audit Committee on this relationship
Internal Audit's relations with other staff in the public sector organisation, the Auditor-General, stock verifiers and other review agencies should be based on mutual
confidence, understanding of each other's needs and a reciprocal desire for cooperation. Management, at all levels, should have complete confidence in the integrity,
independence and capability of the Internal Audit unit.
51
There should not be any form of rivalry or conflict between the Internal Auditors and
staff in the Auditor-General's Office. Similarly, there should be a constructive
relationship between Internal Auditors, stock verifiers and other review agencies.
52
The Head of Internal Audit should initiate action to ensure the development of coordination, effective working relationships and the avoidance of duplication of work
with other review agencies. This could include:
a) liaison meetings to discuss matters of mutual interest
b) arranging for access to each other's plans, system notes and findings
c) arranging for consultation on plans and proposed visits
d) reviewing training proposals to arrange joint training sessions where possible
e) dissemination of literature for discussion to promote understanding of techniques,
methods and terminology.
53
Copies of Internal Audit reports should be made available to the Auditor-General for
information and co-ordination.
54
Internal Auditors should be familiar with the legislation that defines the statutory
responsibility, duty and rights of access of the Auditor-General. The Head of Internal
Audit should recognise the differences between the roles of Internal Audit and that of
the Auditor-General.
55
The staff of the Auditor-General's Office may review the effectiveness of Internal
Audit as part of their evaluation of management control arrangements. This review
should determine the extent that the Auditor General's Office is able to rely on Internal
Audit work. Internal Audit should not necessarily undertake special tasks at the request
of the Auditor General's Office. However, routine, planned Internal Audit work may
be used by the Auditor General's Office for their own purposes.
56
The relationship between the Internal Auditor and the public sector organisation should
be considered legally privileged. That is, the Internal Auditor will be exempt from any
legal liability from the proper undertaking of their work.
Internal Auditors should not release Audit findings or other information outside the
normal reporting arrangements without the knowledge and permission of those
concerned.
57
Internal Auditors should normally consult and advise managers when arranging Audit
visits to their department. The exception to this rule would be for unannounced
surprise visits.
7.
7.0
Explanatory notes:
7.1
Internal Audit work should be planned at all levels of operation in order to establish priorities, achieve
objectives and ensure the efficient and effective use of Audit resources. Planning should be based on
Internal Audit's terms of reference and allow for coverage of all significant systems, operations, staff and
sites within the public sector organisation.
7.2
Internal Audit plans should be based on a comprehensive understanding of the public sector organisation
and the way in which it operates. High-risk systems or transactions and any known problem areas should
be clearly identified. The emphasis of the Internal Audit plan should be directed towards these systems.
7.3
Internal Audit plans should be developed in consultation with senior staff and the relevant Accounting
Officer. The appropriate Audit Committee should then approve the Internal Audit plans.
7.4
identify all auditable activities within the agreed scope of Internal Audit
carry out a risk assessment on these activities in conjunction with management, identifying categories
such as high, medium, low
develop an overall strategic plan from the audit needs assessment to cover these risks, over, say, a
three-year period
bring to the Accounting Officer and/or the Audit Committee's attention any mismatch between Audit
needs and actual Audit resources
identify systems to be covered in the first year of the strategic plan and prepare an annual Internal
Audit plan
discuss the strategic and annual plans with appropriate senior managers, Accounting Officers and the
Auditor-General's Office and amend as necessary
present the plans to the Accounting Officer and/or the Audit Committee for approval.
7.5
Internal Audit plans should be amended as necessary to take account of changing circumstances. The
Accounting Officer and the Audit Committee should formally approve all significant changes to the
Internal Audit plans.
58
The Head of Internal Audit should establish plans to carry out the responsibilities of
Internal Audit consistent with the public sector organisation's goals and objectives.
59
60
61
62
Internal Audit plans should be based on a risk assessment. The risk assessment process, to
be conducted at least annually, includes an assessment of:
a) relevant risks and their significance
b) consideration of senior management, the Accounting Officer and the Audit
Committee's professional judgement
c) identification of activities to be audited.
63
Internal Audit strategic plans should take into account the following factors:
(a) the date and results of the last Internal Audit assignment
(b) the estimated time required, taking into account the scope of the planned work and the
nature and extent of audit work to be performed by others.
(c) requests by management
(d) major changes in operations, programs, systems, and controls
(e) staffing, planning and effective utilisation of financial budgets
(f) Internal Audit priorities
(g) flexibility to cover unanticipated demands on the department.
64
Internal Audit plans and staffing and financial budgets should be developed from strategic
plans, administrative activities, education and training requirements and research and
development efforts.
65
The Head of Internal Audit should submit annually to the Accounting Officer and Audit
Committee for approval a summary of Internal Audit's strategic plans, staffing plans and
financial budgets. All significant amendments to these plans should similarly be approved
by the Accounting Officer and Audit Committee.
66
The Head of Internal Audit should explain, if necessary, why the Audit needs are not
being met. This should prompt the relevant Accounting Officer to take action to ensure
that their public sector organisation is provided with sufficient Internal Audit resources.
8.0
Explanatory notes:
8.1
There are several different approaches to Internal Audit. International best practice suggests that
systems audit is the most effective way that Internal Audit can add value to an organisation. However, in
many countries it is considered necessary for Internal Audit to complement systems audit with a pre-audit
approach. If a pre-audit approach is adopted the Head of Internal Audit, the Audit Committee and the
Accounting Officer should discuss the extent that this is necessary. They should also consider suitable
means of reducing the proportion of time that Internal Auditors spend on pre-audit work.
8.2
The systems approach to Internal Audit seeks to assess and improve the effectiveness of the public sector
organisation's internal control system. The prime purpose of a systems Audit should be to evaluate the
extent to which the system may be relied upon to ensure that the objectives of the system are met. Where
internal controls are not adequate and reliable Internal Audit should make practical recommendations to
ensure that these controls are improved.
8.3
Internal Audit evidence should be adequate to meet the objectives of Audit assignments. Internal Auditors
should be satisfied with the nature, adequacy and relevance of Audit evidence before placing reliance on
that evidence. Information should be collected, analysed and documented by the use of appropriate Audit
techniques.
8.4
The production of Audit evidence should be supervised and reviewed by the Head of Internal Audit. To
meet an acceptable standard the evidence should be sufficiently adequate and convincing to the extent
that a prudent, informed person would be able to appreciate how the Auditor's conclusions were reached.
8.5
Internal Audit may also complement its systems approach with other techniques, for example:
performance auditing
67
Internal Auditors should ensure that their approach and methods enable them to discharge
their responsibilities effectively. This will involve careful thought and discussion with the
Accounting Officer, the Audit Committee and others on the most effective approach to
Internal Audit given the particular circumstances of the public sector organisation.
68
Internal Audit should assess and improve the public sector organisation's risk
management, control, and governance processes. The internal auditing activity should
assist the public sector organisation in maintaining effective controls. Assistance can be
provided by evaluating the public sector organisation's controls to determine their
effectiveness and efficiency and by developing recommendations for improvement.
Internal Auditors should ensure that the cost of maintaining controls balances the
potential benefits.
SYSTEM APPROACH
69
Internal Audit should, where possible, adopt a systems approach. The systems approach
aims to assess and help to improve the control features that govern the system. This
approach should provide reasonable assurance that existing controls will ensure that each
system's objective is achieved.
70
71
The use of the systems approach should enable Internal Audit to confirm the following:
a) the official system
b) whether it is operating according to agreed guidance and regulations
c) whether the system is adequate
d) whether the controls are reliable.
72
9.0
Explanatory notes:
9.1
The findings and recommendations arising from each Internal Audit assignment should be promptly
reported to management. The recommendations should then be followed up to check that agreed action
has been implemented. A summary of Internal Audit findings, recommendations and activities should be
submitted periodically to the Accounting Officer and the Audit Committee.
9.2
state the scope, purpose, extent and conclusions of the Internal Audit assignment, including Internal
Audit's opinion on the adequacy of controls
make recommendations that are appropriate and relevant, that call for action to correct identified
weaknesses or improve the efficiency of operations
9.3
be sufficiently detailed to act as a guide for action and facilitate the efficient achievement of the
organisation's objectives
9.4
Conclusions are the Internal Auditor's evaluations of the effects of the findings on the particular system
reviewed. They should:
put the findings in perspective based on the overall implications and significance of the weaknesses
identified
identify the extent to which the system's control objectives are being achieved and the degree to
which the internal control systems should ensure that the goals and objectives of the public sector
organisation are accomplished efficiently.
9.5
Management should be required to respond in writing to each Internal Audit report. Management and
Internal Audit should agree officer responsibility and target dates for implementation of agreed
recommendations. The responsibility for final editing of Audit reports should remain with the Head of
Internal Audit who should always retain the right to issue reports without further editing.
9.6
Follow-up activity is the process by which Internal Audit confirms that agreed recommendations have
been implemented by line managers. Internal Audit should periodically follow up Audit reports to review
and test the implementation of agreed Internal Audit recommendations.
9.7
The Head of the Internal Audit should submit to the Accounting Officer and Audit Committee, at agreed
intervals, a report of Internal Audit activity and results. The report should compare actual Internal Audit
activity against the annual Internal Audit plan and should clearly indicate the extent to which the total
Internal Audit needs of the public sector organisation have been met.
9.8
In the annual Internal Audit report the Head of the Internal Audit should give a formal opinion to the
Accounting Officer and Audit Committee on the extent to which reliance can be placed on the public
sector organisation's internal control system. The attention of the Accounting Officer and Audit
Committee should be drawn to any major Internal Audit findings where action appears to be necessary
but has not been undertaken.
73
The Head of Internal Audit should report periodically to the Accounting Officer and the
Audit Committee on Internal Audit's purpose, authority, responsibility, and performance
relative to its plan. Reporting should also include significant risks and control issues,
corporate governance issues, and other matters needed or requested by the Accounting
Officer and the Audit Committee.
74
The findings and recommendations arising from each Internal Audit assignment should be
promptly reported to the Accounting Officer and others who are affected by the report.
The final Internal Audit report including any comments from the Accounting Officer
should be reported to the Audit Committee.
75
The Head of Internal Audit should have complete freedom in the way in which Internal
Audit findings are reported and to whom each report is issued. The Head of Internal
Audit should review and approve each final Internal Audit report before it is issued.
76
Internal Audit reports should contain all material facts known to the Auditor concerning
the system under review to avoid distortion or concealment of any unlawful or improper
practice.
77
Internal Audit reports should be regarded as confidential and exclusive to the public sector
organisation concerned except for privileged external reviews by the Auditor-General and
Permanent Secretary to the Treasury.
78
The Head of Internal Audit should submit monthly or periodic progress reports to the
Accounting Officer and the Audit Committee and explain significant deviations from
approved strategic plans, staffing plans and financial budgets.
79
The Head of Internal Audit should provide an annual report to the Accounting Officer and
the Audit Committee. This report should include:
a) the Head of Internal Audit's opinion on the adequacy and reliability of the whole
internal control system
b) the extent that the Internal Audit needs of the public sector organisation have been met
c) any significant Internal Audit findings where action appears necessary but has not
been taken
d) any systems within the public sector organisation where the internal controls are not
adequate and reliable
e) a comparison of actual Internal Audit activity against the agreed annual plan.
COMMUNICATING RESULTS
80
81
Internal Auditors should follow up their reports to ascertain that appropriate action is
taken on agreed Internal Audit recommendations. Internal Audit should determine, with
appropriate Audit testing, that corrective action has been taken and is having the desired
effect.
82
If the Accounting Officer does not agree with an Internal Audit recommendation or does
not ensure that agreed recommendations are implemented they should accept the
associated risks. The Audit Committee may advise the Accounting Officer to implement
an Internal Audit recommendation if it considers it necessary to achieve sound internal
control.
83
The Auditor-General may review and report on the extent that Internal Audit
recommendations have been implemented. Internal Audit may also review the extent that
recommendations made by the Auditor-General have been implemented.
Reliability of Internal Control - an assessment of the extent that internal controls are applied
consistently by all staff, at all times and in all circumstances.
Risk - the chance (or probability) that one or more of the organisation's objectives will not be achieved.
It may refer to the failure to achieve objectives efficiently or the occurrence of unwanted outcomes. It
may also refer to the inability to exploit possible opportunities.
Risk management - the formal identification, assessment and planned management of significant risks
facing the organisation.
Systems Audit - systems audit is the structured analysis of internal control in relation to the objectives
of the organisation. Systems audit should enable internal audit to make practical recommendations to
address any weaknesses that have been identified within the context of risks to the achievement of the
system's objectives. It should also enable internal audit to form an opinion on the adequacy and
reliability of the organisation's internal control system.
APPENDIX 2
1. Delineate basic principles that represent the practice of internal auditing as it should
be.
2. Provide a framework for performing and promoting a broad range of value-added
internal audit activities.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.
The Standards consist of Attribute Standards, Performance Standards, and Implementation
Standards. The Attribute Standards address the characteristics of organizations and parties performing
internal audit activities. The Performance Standards describe the nature of internal audit activities and
provide quality criteria against which the performance of these services can be evaluated. While the
Attribute and Performance Standards apply to all internal audit services, the Implementation
Standards apply to specific types of engagements.
There is one set of Attribute and Performance Standards; however, there are multiple sets of
Implementation Standards: a set for each of the major types of internal audit activity. The
Implementation Standards have been established for assurance (A) and consulting (C) activities.
The Standards are part of the Professional Practices Framework. The Professional Practices
Framework includes the Definition of Internal Auditing, the Code of Ethics, the Standards, and other
guidance. Guidance regarding how the Standards might be applied is included in Practice Advisories
that are issued by the Professional Issues Committee.
The Standards employ terms that have been given specific meanings that are included in the Glossary.
The development and issuance of the Standards is an ongoing process. The Internal Auditing
Standards Board engages in extensive consultation and discussion prior to the issuance of the
Standards. This includes worldwide solicitation for public comment through the exposure draft
process.
All exposure drafts are posted on The IIA's Web site as well as being distributed to all IIA Affiliates.
Suggestions and comments regarding the Standards can be sent to:
The Institute of Internal Auditors
Global Practices Center, Professional Practices Group
247 Maitland Avenue
Altamonte Springs, FL 32701-4201, USA
E-mail: standards@theiia.org
Web: http://www.theiia.org
ATTRIBUTE STANDARDS
The chief audit executive should report to a level within the organization that allows the internal audit
activity to fulfill its responsibilities.
1110.A1 - The internal audit activity should be free from interference in determining the scope of
internal auditing, performing work, and communicating results.
1120 Individual Objectivity
Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.
1130 Impairments to Independence or Objectivity
If independence or objectivity is impaired in fact or appearance, the details of the impairment should be
disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.
1130.A1 - Internal auditors should refrain from assessing specific operations for which they were
previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance
services for an activity for which the internal auditor had responsibility within the previous year.
1130.A2 - Assurance engagements for functions over which the chief audit executive has responsibility
should be overseen by a party outside the internal audit activity.
1130.C1 - Internal auditors may provide consulting services relating to operations for which they had
previous responsibilities.
1130.C2 - If internal auditors have potential impairments to independence or objectivity relating to
proposed consulting services, disclosure should be made to the engagement client prior to accepting the
engagement.
1210.C1 - The chief audit executive should decline the consulting engagement or obtain competent
advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed
to perform all or part of the engagement.
1220 - Due Professional Care
Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal
auditor. Due professional care does not imply infallibility.
1220.A1 - The internal auditor should exercise due professional care by considering the:
1220.A2 - In exercising due professional care the internal auditor should consider the use of
computer-assisted audit tools and other data analysis techniques.
1220.A3 - The internal auditor should be alert to the significant risks that might affect objectives,
operations, or resources. However, assurance procedures alone, even when performed with due
professional care, do not guarantee that all significant risks will be identified.
1220.C1 - The internal auditor should exercise due professional care during a consulting engagement by
considering the:
External assessments, such as quality assurance reviews, should be conducted at least once
every five years by a qualified, independent reviewer or review team from outside the
organization.
1320 Reporting on the Quality Program
The chief audit executive should communicate the results of external assessments to the board.
1330 Use of "Conducted in Accordance with the Standards"
Internal auditors are encouraged to report that their activities are "conducted in accordance with the
International Standards for the Professional Practice of Internal Auditing." However, internal auditors
may use the statement only if assessments of the quality improvement program demonstrate that the
internal audit activity is in compliance with the Standards.
1340 Disclosure of Noncompliance
Although the internal audit activity should achieve full compliance with the Standards and internal
auditors with the Code of Ethics, there may be instances in which full compliance is not achieved. When
noncompliance impacts the overall scope or operation of the internal audit activity, disclosure should be
made to senior management and the board.
PERFORMANCE STANDARDS
2000 Managing the Internal Audit Activity
The chief audit executive should effectively manage the internal audit activity to ensure it adds value to
the organization.
2010 Planning
The chief audit executive should establish risk-based plans to determine the priorities of the internal
audit activity, consistent with the organization's goals.
2010.A1 - The internal audit activity's plan of engagements should be based on a risk assessment,
undertaken at least annually. The input of senior management and the board should be considered in this
process.
2010.C1 - The chief audit executive should consider accepting proposed consulting engagements based
on the engagement's potential to improve management of risks, add value, and improve the
organization's operations. Those engagements that have been accepted should be included in the plan.
2020 Communication and Approval
The chief audit executive should communicate the internal audit activity's plans and resource
requirements, including significant interim changes, to senior management and to the board for review
and approval. The chief audit executive should also communicate the impact of resource limitations.
2030 Resource Management
The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and
effectively deployed to achieve the approved plan.
2040 Policies and Procedures
The chief audit executive should establish policies and procedures to guide the internal audit activity.
2050 Coordination
The chief audit executive should share information and coordinate activities with other internal and
external providers of relevant assurance and consulting services to ensure proper coverage and minimize
duplication of efforts.
2060 Reporting to the Board and Senior Management
The chief audit executive should report periodically to the board and senior management on the internal
audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting should
also include significant risk exposures and control issues, corporate governance issues, and other matters
needed or requested by the board and senior management.
2100 Nature of Work
The internal audit activity should evaluate and contribute to the improvement of risk management,
control, and governance processes using a systematic and disciplined approach.
2110 Risk Management
The internal audit activity should assist the organization by identifying and evaluating
significant exposures to risk and contributing to the improvement of risk management and
control systems.
2110.A1 - The internal audit activity should monitor and evaluate the effectiveness of the organization's
risk management system.
2110.A2 - The internal audit activity should evaluate risk exposures relating to the organization's
governance, operations, and information systems regarding the
2110.C1 - During consulting engagements, internal auditors should address risk consistent with the
engagement's objectives and be alert to the existence of other significant risks.
2110.C2 - Internal auditors should incorporate knowledge of risks gained from consulting engagements
into the process of identifying and evaluating significant risk exposures of the organization.
2120 Control
The internal audit activity should assist the organization in maintaining effective controls by evaluating
their effectiveness and efficiency and by promoting continuous improvement.
2120.A1 - Based on the results of the risk assessment, the internal audit activity should evaluate the
adequacy and effectiveness of controls encompassing the organization's governance, operations, and
information systems. This should include:
2120.A2 - Internal auditors should ascertain the extent to which operating and program goals and
objectives have been established and conform to those of the organization.
2120.A3 - Internal auditors should review operations and programs to ascertain the extent to which
results are consistent with established goals and objectives to determine whether operations and
programs are being implemented or performed as intended.
2120.A4 - Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent
to which management has established adequate criteria to determine whether objectives and goals have
been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If
inadequate, internal auditors should work with management to develop appropriate evaluation criteria.
2120.C1 - During consulting engagements, internal auditors should address controls consistent with the
engagement's objectives and be alert to the existence of any significant control weaknesses.
2120.C2 - Internal auditors should incorporate knowledge of controls gained from consulting
engagements into the process of identifying and evaluating significant risk exposures of the
organization.
2130 Governance
The internal audit activity should assess and make appropriate recommendations for improving the
governance process in its accomplishment of the following objectives:
2130.A1 - The internal audit activity should evaluate the design, implementation, and effectiveness of
the organization's ethics-related objectives, programs and activities.
2130.C1 - Consulting engagement objectives should be consistent with the overall values and goals of
the organization.
The objectives of the activity being reviewed and the means by which the
activity controls its performance.
The significant risks to the activity, its objectives, resources, and operations and
the means by which the potential impact of risk is kept to an acceptable level.
The adequacy and effectiveness of the activity's risk management and control
systems compared to a relevant control framework or model.
The opportunities for making significant improvements to the activity's risk
management and control systems.
2201.A1 - When planning an engagement for parties outside the organization, internal auditors
should establish a written understanding with them about objectives, scope, respective responsibilities
and other expectations, including restrictions on distribution of the results of the engagement and
access to engagement records.
2201.C1 - Internal auditors should establish an understanding with consulting engagement clients about
objectives, scope, respective responsibilities, and other client expectations. For significant engagements,
this understanding should be documented.
2210 Engagement Objectives
Objectives should be established for each engagement.
2210.A1 - Internal auditors should conduct a preliminary assessment of the risks relevant to the
activity under review. Engagement objectives should reflect the results of this assessment.
2210.A2 - The internal auditor should consider the probability of significant errors, irregularities,
noncompliance, and other exposures when developing the engagement objectives.
2210.C1 - Consulting engagement objectives should address risks, controls, and governance processes
to the extent agreed upon with the client.
2220 Engagement Scope
The established scope should be sufficient to satisfy the objectives of the engagement.
2220.A1 - The scope of the engagement should include consideration of relevant systems, records,
personnel, and physical properties, including those under the control of third parties.
2220.A2 - If significant consulting opportunities arise during an assurance engagement, a specific
written understanding as to the objectives, scope, respective responsibilities and other expectations
should be reached and the results of the consulting engagement communicated in accordance with
consulting standards.
2220.C1 - In performing consulting engagements, internal auditors should ensure that the scope of the
engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations
about the scope during the engagement, these reservations should be discussed with the client to
determine whether to continue with the engagement.
2230 Engagement Resource Allocation
Internal auditors should determine appropriate resources to achieve engagement objectives. Staffing
should be based on an evaluation of the nature and complexity of each engagement, time constraints, and
available resources.
2240 Engagement Work Program
Internal auditors should develop work programs that achieve the engagement objectives. These work
programs should be recorded.
2240.A1 - Work programs should establish the procedures for identifying, analyzing, evaluating, and
recording information during the engagement. The work program should be approved prior to its
implementation, and any adjustments approved promptly.
2240.C1 - Work programs for consulting engagements may vary in form and content depending upon
the nature of the engagement.
Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve the
engagement's objectives.
2320 Analysis and Evaluation
Internal auditors should base conclusions and engagement results on appropriate analyses and
evaluations.
2330 Recording Information
Internal auditors should record relevant information to support the conclusions and engagement results.
2330.A1 - The chief audit executive should control access to engagement records. The chief audit
executive should obtain the approval of senior management and/or legal counsel prior to releasing such
records to external parties, as appropriate.
2330.A2 - The chief audit executive should develop retention requirements for engagement records.
These retention requirements should be consistent with the organization's guidelines and any pertinent
regulatory or other requirements.
2330.C1 - The chief audit executive should develop policies governing the custody and retention of
engagement records, as well as their release to internal and external parties. These policies should be
consistent with the organization's guidelines and any pertinent regulatory or other requirements.
2340 Engagement Supervision
Engagements should be properly supervised to ensure objectives are achieved, quality is assured, and
staff is developed.
2400 Communicating Results
Internal auditors should communicate the engagement results.
2410 Criteria for Communicating
Communications should include the engagement's objectives and scope as well as applicable
conclusions, recommendations, and action plans.
2410.A1 - Final communication of engagement results should, where appropriate, contain the
internal auditor's overall opinion and/or conclusions.
2410.A2 - Internal auditors are encouraged to acknowledge satisfactory performance in engagement
communications.
2410.A3 - When releasing engagement results to parties outside the organization, the communication
should include limitations on distribution and use of the results.
2410.C1 - Communication of the progress and results of consulting engagements will vary in form and
content depending upon the nature of the engagement and the needs of the client.
2420 Quality of Communications
Communications should be accurate, objective, clear, concise, constructive, complete, and timely.
2421 Errors and Omissions
If a final communication contains a significant error or omission, the chief audit executive should
communicate corrected information to all parties who received the original communication.
2430 Engagement Disclosure of Noncompliance with the Standards
When noncompliance with the Standards impacts a specific engagement, communication of the results
should disclose the:
2440.C1 - The chief audit executive is responsible for communicating the final results of consulting
engagements to clients.
2440.C2 - During consulting engagements, risk management, control, and governance issues may be
identified. Whenever these issues are significant to the organization, they should be communicated to
senior management and the board.
When the chief audit executive believes that senior management has accepted a level of residual risk that
may be unacceptable to the organization, the chief audit executive should discuss the matter with senior
management. If the decision regarding residual risk is not resolved, the chief audit executive and senior
management should report the matter to the board for resolution.
Glossary
Add Value - Value is provided by improving opportunities to achieve organizational objectives,
identifying operational improvement, and/or reducing risk exposure through both assurance and
consulting services.
Adequate Control - Present if management has planned and organized (designed) in a manner that
provides reasonable assurance that the organization's risks have been managed effectively and that the
organization's goals and objectives will be achieved efficiently and economically.
Assurance Services - An objective examination of evidence for the purpose of providing an independent
assessment on risk management, control, or governance processes for the organization. Examples may
include financial, performance, compliance, system security, and due diligence engagements.
Board - A board is an organization's governing body, such as a board of directors, supervisory board,
head of an agency or legislative body, board of governors or trustees of a non-profit organization, or
any other designated body of the organization, including the audit committee, to whom the chief audit
executive may functionally report.
Charter - The charter of the internal audit activity is a formal written document that defines the
activity's purpose, authority, and responsibility. The charter should (a) establish the internal audit
activity's position within the organization; (b) authorize access to records, personnel, and physical
properties relevant to the performance of engagements; and (c) define the scope of internal audit
activities.
Chief Audit Executive - Top position within the organization responsible for internal audit activities.
Normally, this would be the internal audit director. In the case where internal audit activities are
obtained from outside service providers, the chief audit executive is the person responsible for
overseeing the service contract and the overall quality assurance of these activities, reporting to senior
management and the board regarding internal audit activities, and follow-up of engagement results. The
term also includes such titles as general auditor, chief internal auditor, and inspector general.
Code of Ethics - The Code of Ethics of The Institute of Internal Auditors (IIA) are Principles relevant
to the profession and practice of internal auditing, and Rules of Conduct that describe behavior
expected of internal auditors. The Code of Ethics applies to both parties and entities that provide
internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the
global profession of internal auditing.
Compliance - Conformity and adherence to policies, plans, procedures, laws, regulations, contracts,
or other requirements.
Conflict of Interest - Any relationship that is or appears to be not in the best interest of the
organization. A conflict of interest would prejudice an individual's ability to perform his or her duties
and responsibilities objectively.
Consulting Services - Advisory and related client service activities, the nature and scope of which are
agreed with the client and which are intended to add value and improve an organization's
governance, risk management, and control processes without the internal auditor assuming
management responsibility. Examples include counsel, advice, facilitation and training.
Control - Any action taken by management, the board, and other parties to manage risk and increase the
likelihood that established objectives and goals will be achieved. Management plans, organizes, and
directs the performance of sufficient actions to provide reasonable assurance that objectives and goals
will be achieved.
Control Environment - The attitude and actions of the board and management regarding the
significance of control within the organization. The control environment provides the discipline and
structure for the achievement of the primary objectives of the system of internal control. The control
environment includes the following elements:
Control Processes - The policies, procedures, and activities that are part of a control framework,
designed to ensure that risks are contained within the risk tolerances established by the risk management
process.
Engagement - A specific internal audit assignment, task, or review activity, such as an internal audit,
Control Self-Assessment review, fraud examination, or consultancy. An engagement may include
multiple tasks or activities designed to accomplish a specific set of related objectives.
Engagement Objectives - Broad statements developed by internal auditors that define intended
engagement accomplishments.
Engagement Work Program - A document that lists the procedures to be followed during an
engagement, designed to achieve the engagement plan.
External Service Provider - A person or firm, outside of the organization, who has special
knowledge, skill, and experience in a particular discipline.
Fraud - Any illegal acts characterized by deceit, concealment or violation of trust. These acts are not
dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by
parties and organizations to obtain money, property or services; to avoid payment or loss of services; or
to secure personal or business advantage.
Governance - The combination of processes and structures implemented by the board in order to
inform, direct, manage and monitor the activities of the organization toward the achievement of its
objectives.
Appendix II
Monday, June 15, 2009
4:16 PM