PART 1: INTRODUCTION
This internal audit manual aims to provide the Internal Audit Unit (IAU) of the Ministry of Finance and
Economic Management (MFEM) practical guidance, tools and information for managing its internal audit
function. This includes guidance on planning, performing and reporting on internal audit engagements.
Guiding Standards
This manual adopts the International Standards for Professional Practice of Internal Auditing as established
by the Institute of Internal Auditors (IIA). These standards are laid out in the International Professional
Practices Framework (IPPF). The internal audit must follow these standards to ensure
a. consistency and better quality in the audit work performed,
b. the auditors have the necessary guidance when completing audits,
c. the efficient and effective delivery of audit services, and
d. that a benchmark exists from which all audit work can be measured.
In some circumstances where detailed explanation is not given by the IPPF, guidance has been taken from
international audit and internal controls standards stipulated by
The International Organisation of Supreme Audit Institutions (INTOSAI)
The International Federation of Accountants (IFAC)
The Committee of Sponsoring Organisations (COSO) and
The Information System Audit and Control Association (ISACA)
Head of Internal Audit Role and Responsibility
The head of Internal Audit has overall responsibility for managing the activities and resources of the IAU.
This involves providing advice, expertise and guidance in the development of the Ministry of Finance and
Economic Management internal audit function, managing the staff to ensure maximum output and staff
development is achieved and to ensure that the Ministry benefits from the services of the IAU.
Duties and Responsibilities:
The main duties include
Preparation of the internal audit charter, gain approval for the charter and update regularly,
Preparing risk based strategic and annual plans for IAU focusing audit resources for maximum
benefit and minimising the resources consumed on non value adding activities,
Preparing the internal audit budget based on the audit coverage in the annual plan for approval by
the Secretary for MFEM,
Review and assist in preparing assignment audit plans ensuring adequacy of audit coverage and
audit programmes,
Complete compliance audits, financial systems audits, business process reviews and special
investigations as requested by the Secretary for MFEM,
Where appropriate, make recommendations for improved management controls and practices,
cost reductions and enhanced efficiency and effectiveness of operations,
Provide advice to MFEM and line ministry management as appropriate,
Prepare and quality assure audit reports prepared by senior internal auditor(s) prior to issuing
reports,
Prepare an annual internal audit report on the activities completed during the financial year,
Ensure internal audit manual, quality assurance manual and audit working practices and
procedures are up to date for current best practice and changes to government legislation and
regulations,
Complete performance appraisals of the staff within the IAU,
Complete other assignments and perform other duties as requested by the Secretary for MFEM.
Defining Internal Audits
The purpose of this unit is to perform internal audits on the MFEM and line ministries as determined in the
strategic and annual plans of the unit.
Internal Auditing is defined as
“an independent, objective assurance and consulting activity designed to add value and
improve an organisation’s operation. It helps organisations accomplish its objectives by bringing
a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control and governance processes.”
Scope of Services:
The scope of services provided by the IAU is expansive. The purpose is to assist the MFEM to achieve its
strategic goals and through a systematic approach evaluate the risk management, internal control systems
and governance process of the Ministry.
The IAD helps ensure that:
Risks have been identified and are being managed,
Financial, managerial and operating information is accurate, reliable and timely,
Resources are adequately safeguarded,
Internal control systems ensure the accurate processing of transactions, and
That the operations of the Ministry are performed through adoption of high ethical standards.
Internal Audit Assignments
The Ministry of Finance and Economic Management Act 1995‐96 requires that Heads of Government
Departments ensure;
sound financial management systems and internal controls exist and these are operated so as to
provide:
i. timely and materially accurate financial information; and
ii. reasonable assurances that the transactions recorded are within statutory authority and
properly disclose the use of all public financial resources administered by the department
on behalf of the Crown;
Where an internal audit function is employed, its responsibilities are generally defined as to review,
appraise and report on:
The soundness, adequacy and application of internal controls,
The extent to which the organisation’s controls secure the achievement of department objectives,
promote operational efficiency and safeguard assets and interests,
The extent of compliance with policies, plans and procedures,
The integrity and reliability of financial and other management information used by the
organisation.
These internal audit assignments to be completed by the IAU include:
Financial audits – an audit of financial information provided by the government’s accounting system
and supporting systems (both manual and computerised). These audits are performed to validate
the accuracy and completeness of financial information, and
Compliance audits – an audit of a subject area which ensures that suitable criteria such
as the MFEM Act, government policies and frameworks, procedures, instructions, rules and
regulations have been met.
Financial audits also incorporate compliance issues dealing with respective areas, which include compliance
with the treasury instructions, financial policies and procedures manual and other documents which
control the use of financial resources.
In addition, separate compliance audits may be required on non financial areas such as health and safety,
time recording and annual leave, personnel management and performance management, which are completed
separately from the financial audit.
Steps are being taken to introduce performance and IT audits into the work plan of the IAD in order to keep
pace with reforms in Public Financial Management through computerisation of government systems and
changes in performance management systems.
The audits will be performed under the direction of the senior internal auditor with overall responsibility
resting with the head of the IAU.
Ad Hoc Activities:
The IAD will allocate a proportion of its time during the financial year for completing special ad hoc
activities as requested by the Secretary for MFEM. If no such activities are requested, the allocated time
will be utilised to perform audit assignments which had been deferred until future periods.
Relationship with Management
The IAU provides an important service to management. Its strategies, planning and delivery should aim to
maximize the benefit for management without jeopardizing the unit’s responsibilities. Management and
staff at all levels should have complete confidence in the integrity, independence and capability of internal
audit. The relationship between internal auditors and line managers is a privileged one; information gained
in the course of audit work should remain confidential.
Co‐operative relationships with line management enhance the ability of internal audit to achieve its
objectives effectively. Audit work should be planned in conjunction with management as far as possible,
particularly in respect of the timing of audit work (except where unannounced visits are essential to ensure
the achievement of the audit objectives). Regular meetings should be held with line management to discuss
any issues arising from its operations or its ability to meet its objectives.
Relationships with the Cook Islands Audit Office (CIAO)
Internal and external audit activities may be coordinated to help ensure the adequacy of overall audit
coverage and to minimise duplication of effort. Establishing a professional working relationship between
the MFEM IAU and the CIAO will deliver benefits to both parties. The IAU will seek input from the CIAO
when developing the internal audit strategic plan and the annual work plan.
Steps in the Internal Audit Process
In order to deliver expected results the IAU will follow the standards adopted in part 1 of this manual,
which include:
Planning audit engagements to ensure maximum output from the audit resources available,
Evaluating internal controls and assessing compliance with the controls,
Testing controls and transactions,
Reporting audit findings in a concise, accurate, timely and constructive manner.
The audit process can be broken down into 4 major steps as illustrated in table 1:
Table 1: The Internal Audit Process
[Diagram not reproduced. Labels recovered from the diagram: Understanding Accounting and Internal Control
System; Determine Materiality; Assess Risk; Perform Audit Procedures: Tests of Control, Substantive
Analytical Procedures, Other Substantive Procedures and Tests of Details; Evaluate; Assignment Report;
Annual Report to Secretary.]
PART 2: Preparing and approving the audit plan
The Audit Plan
The internal audit assignment plan will be generated from the annual audit plan for the IAU which is
prepared prior to the start of the financial year by the Head of Internal Audit. The assignment audit plan is a
critical document in the internal audit process. Its primary purpose is to document the planning procedures
completed, which includes the purpose, scope and resource requirements of the audit. The audit plan is a
working document used to guide the audit.
While a standard approach is generally taken when planning an audit assignment it is recognised that the
different types of audits will contain different information specific to that particular type of internal audit
being conducted.
The audit plan may need to be revised and adjusted during the audit. Revisions that modify the original
objectives of the audit, add to the budget cost, or involve substantial changes to the audit methods, must
be approved by both the head of Internal Audit and the Treasury Operations Manager.
The cover sheet of the audit plan must contain the following information:
Purpose – state that the purpose of the proposal is to seek Management’s (Financial Secretary and
Treasury Operations Manager) approval for the internal audit to be conducted,
Previous considerations – state any prior work the Unit has done on the topic e.g. “The Internal
Audit Unit previously completed an internal review in September 2005 into …………….”
Summary – provide a short summary of the audit proposal, no more than two paragraphs.
Financial Implications – state how many hours the audit will take, and the cost. Refer the reader to
the full budget, which will be attached as an appendix to the proposal.
Other Implications – state any other implications that the audit may have. E.g. how doing this audit
will affect other audits that may have been already planned and approved for future action.
Timing – state when the report is expected to be ready for review by management.
Consultation – state who has been consulted on the proposal, both internal and external parties.
Steps in Assignment Planning
No. | Assignment Planning Steps | Planning Outputs
1 | Determine initial audit objective | Taken from annual plan
2 | Notify appropriate management that their section has been selected for audit | Engagement letter
3 | Hold opening meeting with management | Entry interview (note)
4 | Collect and analyse background information | Permanent file opened; Draft system notes
5 | Assess risk and materiality | Risk assessment worksheet; Materiality worksheet
6 | Assess internal controls | Internal control assessment worksheet
7 | Determine audit objectives, scope, criteria and approach | Detailed objectives, scope
8 | Draft preliminary audit programme | Draft audit programme
9 | Determine time and resource allocation | Audit time budget
10 | Prepare planning memorandum | Audit planning memorandum
11 | Finalise audit programme | Final audit programme
Engagement Letter:
Prior to commencing any audit work the auditee should be notified of the pending audit assignment. The
auditee is the most senior manager responsible for the area under review.
The engagement letter should be drafted by the Principal Officer responsible for the audit and issued by
the Head of Internal Audit. The template below should be adjusted accordingly and used for all audit
assignments of the IAU.
The engagement letter should contain;
A brief overview of the system or activity under review,
The type of audit to be performed including the general audit objectives and scope,
Proposed dates of the planned audit assignment,
A request for documentation if required.
Holding an Opening Meeting
The purpose of the opening meeting is to clarify known details of the activity / system under review, and to
reconfirm the contents of the engagement letter. In addition the opening interview will provide the
opportunity for the audit manager to;
Explain the role of the Head of Internal Audit/senior internal auditor,
The need for cooperation from the auditee to any requests made by the auditor,
Request information from management on areas which they deem to be high risk,
Gather additional information about the activity under review including any changes to the system,
management plans for the future and turnover of senior staff,
Confirm the location of operations / documents which may come under the purview of the audit,
Discuss the output from the audit assignment, the audit report, including the reporting process and
planned reporting dates,
Discuss any other applicable issues / concerns raised by management.
Upon completion of the opening meeting the audit manager should ensure that the meeting has been
documented on an audit working paper and placed on the current audit file. A sample working paper for
the entry interview is included below. A number of additional interviews may be required depending on the
size and complexity of the activity / system under review and the amount of prior knowledge and audit
activity which has been completed in the area. Any interviews performed should be documented and
placed on the audit file.
The auditors should prepare for the opening meeting in order to maximise the benefit for them and the use
of the auditee’s time. They can do this by reviewing previous audit files and other documentation which
may be available for the area under review.
IAU Engagement Letter Template
Internal Audit Unit
Ministry of Finance and Economic Management
Insert address and contact details
Government of the Cook Islands
Date: {Insert Date}
Reference: {Insert Reference}
The {necessary manager}
Ministry {if outside MFEM} / Division {If inside MFEM}
Dear Sir or Madam,
{Internal Audit Assignment Title and Reference from Approved Audit Annual Plan}
The above Internal Audit Assignment was approved by the Secretary for Finance and Economic
Management to be carried out on {insert the area and audit period in question}. Therefore I am writing to
inform you that the assignment is about to commence.
The general objectives of the audit assignment are as follows:
{Insert short statement of general objectives as per activity classification}
The scope of the assignment is
{Insert proposed scope statement}
The proposed timetable for the assignment is as follows:
Proposed Start Date: {Insert Date}
Duration of Fieldwork: {Insert Number Days or Weeks}
Estimated Date of Final Report: {Insert Date}
The Team Leader for the assignment will be {Insert Name and Job Title of Team Leader} and the staff
members assigned for the duty are:
{Insert Name and Job Title}
In advance of the start of the assignment I would like to meet with you and the operational staff
responsible for the {Insert area of the assignment}. The Audit Team will also attend this meeting. The
purpose of this Entrance Meeting is to discuss the aims, scope and processes of the audit with you and your
staff and to respond to any issues which you or they wish to raise in connection with the assignment. In the
meantime if you have any questions in respect of the audit assignment please contact me at the above
address
Yours faithfully,
{Insert Name and Job Title}
IAD Entry Interview:
Date:
Venue:
Present:
Subject:
Agenda Item Record of Meeting
Introductions
Record names and job titles of all present at the
meeting. Introduce the members of the internal
audit team to the operational staff
Overview of the Assignment
Outline and explain the nature and subject of
the assignment to management. Explain the
reasons for the assignment being included in the
IAU Plan
Assignment Scope and Objectives
Outline the provisional scope and objectives of
the assignment to the management from the
IAU Plan
Discuss the internal control matters of particular
interest or concern
Identify any possible amendments to the scope
of the assignment
Duration, Resources and Methods
Outline in broad terms the duration of the
assignment, who will be involved from the IAU
side and what procedures will be used
Identify the working arrangements between the
IAU team and management
Issues to be Raised by the IAU Team
Identify any recent changes in management or
major system changes / developments
Raise any other issues which should be
discussed and record them. Some examples
from recent practice include requests for
documents, arrangement of further meetings
and arrangements for access to certain
government offices and sites
Questions and Issues From Management
Ask management for their views on the
assignment and ask them to identify the
operational and control issues in the area of the
assignment.
Identify any operational concerns or any
requests from management
Reassure Management that their views will be
taken into account
Responses to Management Issues
Make responses as appropriate to management
issues raised. Record responses in the minute of
the meeting
Reporting the Audit
Provide information on the reporting process
with a target reporting date for the assignment
(if Possible)
Issues, Findings, Conclusions (Complete after interview)
Background Information:
The key activities of this phase are to review and analyse:
The structure, reporting relationships and significant locations of the activity, system or issue under
review.
The corporate plan for the Ministry under review or the activities for a specific division including
performance targets if available and applicable to the activity under audit.
The form of the financial records produced through the accounting system and the level of
transaction details available for the auditor from the system. Financial reports produced by the
report writing facility including standard reports such as the monthly statements of expenditure
against budget.
Familiarization with departmental rules, management reports other government rules and
legislation is important. This will include reference to the MFEM Act, the financial policies and
procedures manual, the treasury instructions and employee code of conduct plus other procedural
documents depending on the activity under review.
A review of the latest published budgets or estimates of the current year, in order to assist in
determining which systems are most significant and the component parts of the system / activity
under review.
Any significant developments since the last audit e.g. major reports on the organisation,
organisational restructuring or major systems installations/changes.
Study internal procedure manuals concerning the unit’s accounting system and control procedures,
firstly to ensure that such documentation exists and secondly to understand how the system is
intended to operate.
A review of the matters identified for attention from the previous year's audit report from the
external auditor or any previous internal audit assignments, spot checks or investigations.
Reports produced by Technical Assistance projects or overview reports such as the financial
performance assessment (PEFA Assessment report).
In addition to reviewing documentation and financial information the auditor will want to complete some
site visits to observe operations for the activity under review and to have interviews with management and
system operators on the activities that are completed. These interviews should be documented and
retained on the audit file. They will enhance the auditor’s understanding of the system and will allow for
refinement of any flowcharts or system descriptions that have been developed.
Interviewing:
Interviewing managers and staff members responsible for the activity or system under review should be
completed to gain a full understanding of how the system is operating. Refer to the internal audit resource
manual on how to prepare and perform an interview. An interview recording worksheet is attached below
and should be completed for all interviews performed and filed on the current audit file.
Interview Worksheet:
Title of Interview: {Insert Title}
Ministry / Division File Reference
Financial Year: Prepared by Date
Person interviewed: Reviewed by Date
Purpose of Interview: {Insert purpose} e.g. to gain a better understanding of how a system / activity
operates.
SI | Question | Comments | Initial | WP Ref
1 Plan your interview questions in advance
Commence with open questions to get a
broad outline for the system/activity and
follow up with closed questions if required
Example:
Could you describe the role of the IT section
in the payroll system (Open Question)
Some closed questions you may follow up
with
What type of software is used for
payroll?
How many licenses exist for payroll
system?
Are there any planned upgrades for the
future?
What is the total number of users?
Request a list?
What is the total number of stations
where data can be input into the
system?
Risk Assessment
The risk assessment process ensures that audit resources are targeted at the areas most vulnerable to non
compliance or at risk of manipulation. It ensures efficiency in the use of audit resources.
A detailed risk assessment is undertaken in the planning phase to ensure that the initial assessment has
identified the main system risk areas. The initial audit objectives may need to be amended if the detailed
risk assessment reveals additional risks or assigns higher or lower risk scores to the risks identified. The
steps in the risk assessment process can be summarised as;
No. | Risk Assessment Steps | Examples from Payroll System
2 | What is the chance of the event occurring (high/medium/low) | High – history of occurrence
3 | What would the impact be if the event occurred (high/medium/low) | Medium – budget constraints
4 | What internal controls are in place to prevent the event from occurring | Authorisation of overtime, segregation of duties, validation of overtime
5 | Plan to focus audit objectives on the identified internal controls to ensure they are operating | To ensure all overtime payments are properly authorised and have been calculated correctly
The senior internal auditor should discuss the high risk areas with the auditee when completing the entry
interview; however s/he should make the final decision on which areas they consider being of highest risk
for the audit assignment.
The assessment process can categorise risk into two types;
Inherent Risk – Inherent risk depends upon the nature of the system, transaction or item audited and
whether it is susceptible to error e.g. cash, inventory or assets. It indicates the amount of assurance
required from audit tests. The higher the risk, the greater the extent of audit tests required in order to
increase the likelihood of detecting errors if they exist.
Control Risk ‐ Control risk depends on the strength of the audited body's control environment and the
systems of internal controls, and whether there are effective controls operating to reduce the risk of the
organisation failing to achieve its objectives.
Some situations may increase the risk of an error occurring e.g.
System complexity – the more complex the system, the more likely that an error will occur and go
undetected.
Internal control systems – not working as intended due to disregard for authorisations or
inappropriate design of controls.
Economic factors – difficult economic conditions may force staff to boost income through
inappropriate means.
Changes in working practices – failure to train staff and to document all changes to systems may
lead to inconsistencies and controls being bypassed.
Staffing issues ‐ staff may lack motivation and not perform duties with the due diligence required;
there is also the possibility that important staffing positions have not been filled or have been filled
with unqualified candidates.
Attached below are an inherent risk assessment worksheet, a materiality assessment worksheet and an
internal control assessment worksheet which should be completed for all audit assignments and may be
tailored for individual assignments to identify specific areas of focus. Each assessment will form part of the
assignment planning decision process to determine the extent of audit work performed in specific areas.
Each working paper should be filed in the relevant section of the current audit file as evidence of the work
performed while planning the audit.
Inherent Risk Assessment Worksheet:
Ministry / Division File Reference
Financial Year: Prepared by Date
Subject: Assessment of Inherent Risk Reviewed by Date
(Name system / Activity)
No. | Objective | Result (H/M/L)¹ | Comments / Reference²
1 | Have there been allegations of fraud / misappropriation in the processing of transactions within the system? | |
2 | Is management excessively involved in the day to day operation of the system? | |
3 | Are staffing levels and competencies adequate to ensure transactions are properly processed in accordance with set procedures? | |
4 | Does the system involve manual collection of revenue without a known total of revenue due? | |
5 | Does the system involve handling large volumes of cash? | |
6 | Does the system involve moveable stocks and assets which could be susceptible to theft? | |
7 | Is the system so complicated that there is a risk of transactions being incorrectly processed? | |
8 | Did prior year audit work reveal major errors or weaknesses in the system? | |
9 | Has there been a high turnover of staff in the section for the period under review? | |
10 | Have senior management positions been filled throughout the period? | |
Materiality Assessment:
Materiality is the concept of developing a level of significance above which certain areas of activity are
sufficiently important to ensure audit attention and subsequently deciding what degree of control
weakness will trigger management action. Materiality is related to
The number and value of transactions processed through a system, i.e. large number of
transactions, with large value is material e.g. the payroll system.
The need for particular staff to demonstrate that they meet the highest standards of probity e.g.
where risk is considered high, e.g. dealing with cash collection and lodgements.
The need for particular processes to be error free and, i.e. some processes should not contain any
errors as they are so well regulated e.g. tendering process.
The risk to the Ministry’s reputation from even a small lapse in standards, e.g. system failure due to
poor backup procedures means that fortnightly payroll cannot be produced, would be a significant
embarrassment for the MFEM. Theft of Funds from MFEM due to control weakness would be a
significant embarrassment.
Materiality is a relative value, i.e. if it is based on a monetary amount it will be calculated as a monetary
amount.
¹ The risk is categorised as H = High, M = Medium, L = Low
² This will include the impact that result has on the amount of audit work to be completed and may refer to the working papers to
justify the assessment reached
Materiality is expressed in percentage terms e.g. ¼ to 2 per cent based on the degree of sensitivity in the
area under consideration. The percentage selected represents the level of error which the auditor is
prepared to accept within a particular system or account balance.
Worked example
Gross expenditure on payroll for financial year NZ$ 1,000,000
Materiality Basis ¼ %
Materiality value NZ$ 2,500
This calculation means that the auditor may be prepared to accept errors amounting to NZ$ 2,500
in the system, depending on the type and extent of the errors uncovered.
The materiality basis is selected based on auditor judgement. In this case it is selected at ¼ % because the
payroll system is highly regulated (no reasons why errors should occur) and sensitive (personnel don’t like
errors in their pay), so the auditor would only tolerate a low incidence of error.
The worksheet below should be used when determining planning materiality levels. When more than one
account balance is relevant to a particular audit, the auditor should determine which account balances they
should select for extended testing, applying the materiality concept.
Planning Materiality Worksheet
Ministry / Division File Reference
Financial Year: Prepared by Date
Subject: Materiality Assessment (Name Reviewed by Date
system / Activity)
Population
Total number of transactions processed through system in period
Total value of transactions processed in period NZ$
Materiality Basis | Guideline | % Used | Total NZ$ value | Material Amount
Gross Income | ¼ ‐ 2 % | | |
Gross Expenditure | ¼ ‐ 2 % | | |
Total Assets | ¼ ‐ 2 % | | |
Reason for materiality basis and justification of % used
Qualitative factors influencing materiality³
Account balances specifically selected for audit based on material significance
³ Qualitative factors include specific legislation which must be adhered to or certain standards which must be met regardless of the
value
Internal Control Assessment (planning):
There are 2 stages in the internal control assessment: the assessment of the control environment and the
assessment of the internal control activities employed in a system. An effective control environment is an
environment where well trained staff understand:
Their responsibilities,
Limits to their authority,
The right things to do and the right way to do them.
Internal control systems are operated to ensure what is meant to happen actually happens. A control is any
action taken by management or staff that enhances the achievement of system objectives, mitigating the
impact of risks and ensuring the security of assets. Controls are commonly thought of as 2 types:
Preventive, and
Detective.
Preventive controls attempt to deter or prevent undesirable events from occurring. They are proactive
controls that help prevent loss through ensuring:
Separation of duties,
Proper authorizations,
Adequate supporting documentation,
Physical control over assets.
Detective controls attempt to detect undesirable acts. They provide evidence that a loss has occurred but
do not prevent it from occurring. Examples of detective controls include:
Reviews,
Exception reports,
Variance analyses,
Reconciliations,
Physical inventory counts.
The senior internal auditor should assess the control environment using the worksheet below. In light of
this assessment and the risk assessment already completed, the senior internal auditor is then in a position
to assess the internal control activities in place and their likely effectiveness in preventing the identified
risks. The auditor will do this by:
Documenting the system (through flowchart), clearly identifying the key controls,
Assessing the adequacy of the control to mitigate the risk, and
Testing that the control is operating.
The auditor should complete the internal control worksheet below as evidence of this assessment and
place it on the audit file.
Control Environment Worksheet:
Ministry / Division: | File Reference:
Financial Year: | Prepared by: | Date:
Subject: Assessment of control environment (Name system / Activity) | Reviewed by: | Date:
Objective | Result (Y/N) | Comments / Reference
1 Are there defined and authorised procedures for processing (Insert System Name) transactions?
2 Are all transactions required to be authorised?
3 Is there adequate separation of duties between the initiating, authorising and processing phases of the system?
4 Are there procedures to ensure completeness of processing?
5 Is there periodic bank or other reconciliations to ensure completeness of processing?
6 Are there supervisory checks to ensure the accuracy of processing (e.g. management check of accuracy of invoices)?
7 Are cheques, receipt vouchers, and other stationery adequately controlled? (Physically secure)
8 Is there an adequate audit trail [4]?
[4] An audit trail exists when a document can be easily traced from an output e.g. financial report, back to the source documents
which created the output, and vice versa.
Internal Control Assessment Worksheet
Ministry / Division: | File Reference:
Financial Year: | Prepared by: | Date:
Subject: Assessment of internal control for (System / Activity) | Reviewed by: | Date:
Objective | Result (H/M/L) | Comments / Reference
Organizational Controls
1 Do the checks which are performed before
authorization conform to those expected?
2 Are all the transactions subject to the same
authorization procedure?
3 Does someone check that all transactions are properly
authorized before processing?
Completeness and Measurement
4 Are standard forms relating to each type of transaction
clear, enabling easy processing?
5 Do procedures involve extracting information from a
form and writing data onto another form for later
processing?
If so, is it possible to redesign the form so that
transcription is avoided (if so, highlight this fact)?
6 Where documents are pre‐numbered, are sequence
checks performed to ensure that each is processed?
7 Are control totals used,
If yes, are they manual or computerized?
8 Are transactions processed in batches,
If yes are batch totals used, are they manual or
computerised?
9 Are re‐performance calculations performed by
someone independent of the transaction processor?
Security
10 Are transactions secure against unauthorized access
during processing?
11 Are transactions processed through the system,
posted as a permanent record by the same person?
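The completeness and security questions in the worksheet above (sequence checks on pre-numbered documents, batch control totals, and whether one person both processes and posts a transaction) can be tested over an extract of transaction data. The following Python example is added here and is not part of the manual. The record layout, field names, staff names and amounts are constructed assumptions, and the example treats one person holding two phases of the same transaction as an exception to report.

```python
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed sample extract (not from the manual): pre-numbered vouchers with
# the staff member who performed each phase of the transaction.
TRANSACTIONS = [
    {"doc_no": 1001, "batch": "B1", "amount": "250.00", "initiated_by": "ana",
     "authorised_by": "tere", "processed_by": "mia", "posted_by": "joe"},
    {"doc_no": 1002, "batch": "B1", "amount": "400.00", "initiated_by": "ana",
     "authorised_by": "ana", "processed_by": "mia", "posted_by": "joe"},
    {"doc_no": 1004, "batch": "B1", "amount": "600.00", "initiated_by": "sam",
     "authorised_by": "tere", "processed_by": "mia", "posted_by": "mia"},
    {"doc_no": 1005, "batch": "B2", "amount": "300.00", "initiated_by": "sam",
     "authorised_by": "tere", "processed_by": "mia", "posted_by": "joe"},
    {"doc_no": 1005, "batch": "B2", "amount": "300.00", "initiated_by": "sam",
     "authorised_by": "tere", "processed_by": "mia", "posted_by": "joe"},
    {"doc_no": 1007, "batch": "B2", "amount": "150.00", "initiated_by": "ana",
     "authorised_by": "tere", "processed_by": "ana", "posted_by": "joe"},
]

# Constructed batch header slips: the control total declared for each batch.
BATCH_CONTROL_TOTALS = {"B1": "1250.00", "B2": "450.00"}

# Phases that the control environment worksheet expects to be separated.
PHASES = ("initiated_by", "authorised_by", "processed_by")


def sequence_exceptions(transactions):
    """Sequence check: document numbers missing from, or repeated in, the run."""
    counts = Counter(t["doc_no"] for t in transactions)
    if not counts:
        return {"missing": [], "duplicated": []}
    expected = range(min(counts), max(counts) + 1)
    return {
        "missing": [n for n in expected if n not in counts],
        "duplicated": sorted(n for n, c in counts.items() if c > 1),
    }


def duty_conflicts(transactions):
    """Separation of duties: one person holding two phases of one transaction."""
    findings = []
    for t in transactions:
        phases_by_person = defaultdict(list)
        for phase in PHASES:
            phases_by_person[t[phase]].append(phase)
        for person, phases in phases_by_person.items():
            if len(phases) > 1:
                findings.append((t["doc_no"], person, "+".join(phases)))
        # Processor also posted the permanent record.
        if t["processed_by"] == t["posted_by"]:
            findings.append((t["doc_no"], t["posted_by"], "processed_by+posted_by"))
    return findings


def batch_total_mismatches(transactions, declared_totals):
    """Control totals: batches whose recomputed total differs from the header."""
    computed = defaultdict(Decimal)  # Decimal() is 0; avoids float rounding
    for t in transactions:
        computed[t["batch"]] += Decimal(t["amount"])
    mismatches = {}
    for batch in sorted(set(computed) | set(declared_totals)):
        declared = Decimal(declared_totals.get(batch, "0"))
        actual = computed.get(batch, Decimal("0"))
        if declared != actual:
            mismatches[batch] = (declared, actual)
    return mismatches


def exception_report(transactions, declared_totals):
    """Combine the three tests into one exception report for the audit file."""
    return {
        "sequence": sequence_exceptions(transactions),
        "duties": duty_conflicts(transactions),
        "batch_totals": batch_total_mismatches(transactions, declared_totals),
    }


if __name__ == "__main__":
    for section, findings in exception_report(TRANSACTIONS, BATCH_CONTROL_TOTALS).items():
        print(section, findings)
```

Each exception is a lead for follow-up against source documents rather than a finding in itself: the repeated voucher 1005 explains the batch B2 mismatch only once the vouchers have been inspected.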
Audit Objectives
Once an understanding of the system or activity has been acquired and the assessment of risks has been
completed including limited control testing, the senior internal auditor should develop the audit objective
and the audit scope.
The audit objective is often seen as the question that the audit seeks to answer. The audit objective forms
the basis of the audit and hence should be carefully formed and clearly stated to enable conclusions to be
drawn at the reporting stage of the audit.
Audit objectives may be generic in nature to focus on key internal audit outcomes e.g. are internal controls
operating as intended, or they may be very specific and targeted at specific issues on high risk areas
identified by the auditor e.g. that overtime payments were properly calculated.
Audit Scope:
The scope should be sufficient to satisfy the objectives of the engagement. It should state the work the
auditor intends to do and how it will be completed.
The scope of the engagement should include:
Consideration of relevant systems including compliance with legislation and procedures,
Records to be examined,
Timing of the engagement,
Personnel numbers and skills,
Physical properties including those under control of third parties, and
Geographical spread of activities.
If the internal auditor develops reservations about the scope during the assignment, these reservations
should be discussed with management to determine whether to continue with the assignment.
Audit Criteria
Audit criteria are reasonable and attainable standards of performance and control. They provide the basis
for developing audit observations and forming conclusions. As the majority of audits completed will be
financial audits, the audit criteria will generally be determined by the appropriate financial legislation, rules,
regulations or procedures. It will be up to the auditor to determine the most appropriate criteria. They may
be selected from:
The MFEM Act,
The Public Service Regulations,
Financial Policies and Procedures,
Treasury Circulars,
The Public Service Commission Policy Manual,
Public Procurement Regulations,
Employee code of conduct,
Memos circulated on operational procedures,
Ministry corporate plans.
Audit Approach:
The audit approach is designed to ensure that the audit is completed in the most efficient and effective way
possible and that adequate evidence is collected to support all audit conclusions.
Using professional judgement the senior internal auditor will determine the audit approach which is
influenced by the degree of assurance and the type of evidence required. It will normally entail a
combination of testing and evidence collection techniques. This will involve testing some of the key
controls in the system activity under review to determine the effectiveness of the controls and will also
entail the testing of details in account code balances to determine if any transactions have been processed
in error. The type and amount of testing will be determined by the risks involved and will be documented in
the audit programme.
Audit Timing and Resources:
Appropriate audit resources should be deployed to meet the objectives of the audit assignment. This will
require an evaluation of:
The number and experience of the internal audit staff available,
The knowledge, skills and other competencies required,
Training needs of the internal auditors prior to completing the assignment, and
Whether additional external resources may be required to complete the assignment.
The evaluation should also take into account the complexity of the area under review, the degree of
assurance required and therefore the volume of the work involved.
The timing of the assignment should include the start date and the proposed finish date of the audit along
with a date for producing the draft report. The worksheet below should be used to set out the resources
allocated to a particular audit assignment.
Audit Timing and Resources Worksheet
Ministry / Division: | File Reference:
Financial Year: | Prepared by: | Date:
Subject: Prepare time budget for audit | Reviewed by: | Date:
SI | Description | HoIA | Senior Auditor | Total
1 Planning
Understand System / Activities
Understand Control Environment
Perform analytical review procedures
Calculate planning materiality
Perform risk assessment
Plan reliance on internal control
Plan substantive testing
Draft audit programme
Complete audit planning memorandum
2 Execution
Complete audit programme
Control Tests
Substantive Tests
Analytical Review Tests
Update audit files
3 Reporting
Prepare draft report
Hold exit meeting
Incorporate management comment
Finalise audit report
4 Audit Management
Complete final review
Audit administration
Total
Audit Planning Memorandum:
The planning memorandum is the main output from the audit planning process and should clearly
document the results of the work performed during the preliminary assessment and planning stages. It
should include the audit objectives, scope, risks identified along with the outputs from the audit which will
include an audit report and a planned reporting date for the auditee. The planning memorandum template
attached below should be utilised for all audit assignments.
Audit Programmes:
The preparation of the audit programme is an important part of the audit process as it will decide what
work the auditor will perform, on which areas they will focus their attention and what audit procedures they
will adopt in the process. The audit programme will:
Provide a guide for performing the audit work,
Enable the assignment of audit work to members of the audit team,
Enable better supervision of the audit, and
Provide a mechanism for ensuring adequate audit coverage.
The audit programme will identify a number of tests (control and substantive) for the auditor to complete
during the audit assignment. Audit programmes should be prepared in a consistent format for all audit
areas as they are a prime source of evidence of audit work performed.
Separate audit programmes are required for each assignment and should be completed during the audit
fieldwork as evidence of work completed. There are audit programme templates included under the field
work section of this guide.
IAU Audit Planning Memorandum Template
Audit Planning Memorandum (to be completed by the Senior Internal Auditor)
Name of audited System: Financial year:
Date and nature of last audit (if applicable): N/A
Audit Manager:
Ref. No. | Audit Planning Memorandum | WP Ref
Audit Background:
Audit Approach:
Audit Objective(s):
Audit Scope:
Appropriate Legislation (Compliance):
Policies and Procedures:
1 Names and designation of staff assigned for the preliminary review of systems and procedures: WP Ref
(1)
2 Matters arising from preliminary visit to the audited unit (Give date(s) and details)
3 Weaknesses identified in system and their audit implications during preliminary survey
4 Weaknesses identified during previous audits
5 Significant issues discussed with management including areas of risk during the preliminary interviews
6 What specific matters are to be investigated during the audit as a result of the risk assessment?
7 Planning Materiality (Acceptable error rates)
Account balances to be examined in depth (Give, in each case, the amount above which this procedure should be adopted)
8 Estimates of population and sample sizes: How many people on the payroll system
Total Estimated Transactions in Population | Sample size
9 Steps to be taken if actual errors found to be above acceptable rates
10 Any additional or special work to be performed
11 Audit programmes attached and completed by senior internal audit officer
12 Estimated time for the audit (in days)
13 Date for commencement of audit
14 Target date for completion of the audit: (Draft Report)
15 List of Documentation included in audit file to date
16 Any significant matters arising from the interim review which need to be reported in
the draft report.
17 Any other matters to ensure satisfactory completion of audit by target date
Senior Internal Audit Officer Date:
PART 4: UNDERTAKING FIELDWORK
Process for undertaking fieldwork
Begin the visit by briefing the relevant manager and reviewing with him/her the information provided about
the visit. Arrange and confirm with the audit entity the day and time of the visit to conduct the
fieldwork.
Capture the required evidence by photocopying, recording, taking photos, making notes or obtaining
original documentation. Use the worksheets developed during the planning phase to check that all required
evidence has been collected. Mark all evidence with details such as its source, which member of the team
collected it, and when it was collected.
Hold an exit meeting with the relevant manager at the completion of visit. Provide initial feedback on the
results, but emphasise that the information provided is provisional and will be subject to more detailed
analysis.
Maintain contact with the audit entity at all times during the audit. (It is always good to provide the
relevant manager with contact details such as an email so that they are able to contact the audit team
should further information become available)
Sometimes promising lines of enquiry may emerge during fieldwork that, if pursued, could substantially
change the scope, cost, timeframe or risks of the audit. The team must seek approval from the Chief
Internal Auditor before undertaking any new work that differs substantially from the work set out in the
approved audit plan.
Collecting evidence – standards and risk
All statements in audit reports must be thoroughly evidenced – the strength of argument used to support
conclusions depends on the validity of facts gathered.
Auditors need to make judgements about the reliability of evidence gathered, and will need to determine
whether the evidence is:
Relevant,
Reliable,
Sufficient,
Representative,
Verifiable, and/or
Logical.
The auditor will need to ask such questions as:
How significant is the comment being made?
How reasonable or self‐evident is the comment?
How persuasive is the evidence? Persuasive is not conclusive – does it need to be corroborated?
Is there a likelihood of conflicting expert opinion?
There are a number of ways in which evidence can be collected. Each has different strengths and drawbacks,
and generally facts are best confirmed through more than one type of evidence. Remember, people’s
perceptions are not necessarily the truth!
Figure: Types of Evidence (attributes shown: Relevant, Verifiable, Sufficient, Representative, Logical; outcome shown: Findings)
Physical Evidence: Observations, photo, video, + corroboration by another staff member.
Documentary: External (independent of the audit entity) is preferred. If using internal evidence
(documentation prepared by the audit entity) you must be satisfied as to the integrity of
the system producing it.
Audit Files:
The audit files are where all audit work papers relating to a particular audit assignment are filed. There are 2
files maintained:
Permanent file – a list of documents that are relatively permanent in nature: organisation structure,
legislation, rules and regulations
Current file – information pertaining to a specific audit assignment. A current file index for payroll audit
work papers is included below.
File Review
File review is a common method of collecting evidence. The auditor should:
obtain a list of the relevant files for review,
look through the documents on the files and photocopy documents that provide evidence relevant
to the audit,
record relevant details or data if source documents are not copied,
note any documents or processes that appear to be absent from the files or documents, and
check to see if absent information is held elsewhere or confirm that it does not exist.
Observation
Observation provides a firsthand understanding of the work of the audit entity staff, and how processes or
systems work. It involves gathering of evidence by observing facilities and work, and enables the audit team
to compare activities with policies, manuals, statements made in interviews, and presentations made by
the audit entity. This is among the strongest forms of audit evidence.
The auditor should document evidence through photographs, video, notes, recordings, charts, maps, etc.
Re‐performance or Walk throughs
Re‐performance is a technique whereby the auditor carries out the same processes as the audit entity to
see if the same result is achieved. It tests systems and provides evidence of the extent to which the audited
entity has been effective in undertaking a task.
Verification of Data
Audits typically rely on data collected and supplied by others. The audit team should verify that the data
itself and the systems producing the data are reliable. It should also ensure that any samples are extracted
according to the stated methodology, and information is recorded accurately.
PART 5: PREPARING A SUMMARY OF FINDINGS
The Summary of findings should cover:
expectations/audit criteria used in the audit,
key findings and the proposed structure of the final report,
preliminary conclusions, and
any substantial variations or departures from the expectations or objectives in the audit plan.
The process for producing the Summary of Findings
As fieldwork is undertaken, the evidence collected should be analysed. The results of the analysis should
then be compared with the audit expectations, and an assessment made of the extent to which the entity
has met them, and the implications of any shortfall. Any residual findings should also be assessed and their
significance evaluated.
The auditor should then review all findings and identify the most important. These should be used to form
the basis of the report. Some auditors prefer to produce an initial draft report at this stage, but a more
concise summary of findings is preferable because it avoids the risk of investing time and effort in drafting a
report which may later be disputed.
The audit team should seek management’s agreement on:
key findings (and how they are to be expressed and interpreted),
risks (an update on the risks identified at the proposal stage and agreement on what new risks, if
any, have emerged during fieldwork),
any additional fieldwork or analysis identified as necessary (taking account of the cost and time of the
audit to date),
the proposed structure and format of the final report, and
any changes required to the summary of findings to take account of management's views.
Communicating findings to the audit entity – Exit meeting arrangement
The Internal Audit Unit has a policy of “no surprises”, meaning that, wherever possible, the audit team
should discuss all important findings with the audit entity in the exit meetings. The team should seek the
entity’s reaction and incorporate its views in making the assessment.
The summary of findings offers one of the best opportunities during an audit to communicate findings in an
unthreatening and coherent way, and to seek input and responses before the formal draft report is
produced. The team should provide a clear and detailed summary of findings.
SUMMARY OF MAIN FINDINGS AND RECOMMENDATIONS
TEST AREA: DATE: WP REF:
OFFICE:
AUDIT PERIOD UNDER REVIEW: AUDITOR:
REVIEWED BY:
FINDINGS:
1.
2.
3.
4.
RECOMMENDATIONS:
AUDIT TEST RESULTS
AUDIT PERIOD UNDER REVIEW: AUDITOR:
REVIEWED BY:
OBJECTIVE:
TESTS: A
B
C
D
FINDINGS:
CAUSE:
IMPLICATIONS:
RECOMMENDATION(S):
Auditor’s Signature: _______________________________ Date: ______/_________/________
AUDIT TESTS
AUDIT PROGRAMME TESTING: OFFICE:
OBJECTIVE: AUDITOR:
TESTS: REVIEWED BY:
1.
2.
3.
4.
No Details of Test Documents Test Results Comments WP Ref
1
2
3
4
5
6
7
8
9
10
PART 6: PREPARING THE AUDIT REPORT
Report Structure
Reports usually contain the following elements:
Executive Summary. An overview of the audit as a whole, including the main findings,
conclusions, and recommendations.
Introduction and Background. Why and how the audit was done, what it covers, background
to the topic, organisations involved, and structure of the report.
Audit Scope and Objective. What the audit aims to find out and what information the
audit/review will be based on. This must be clearly and fully described in detail.
Findings and discussions. Findings should relate to the expectations and lead to the
conclusions. It should detail the main findings.
Conclusions and recommendations. The conclusions should flow from findings and the
recommendations from the conclusions. It should also be detailed. The report should also
recognise the difficulties faced by the entity and any significant actions taken by them which
have improved performance and overcome deficiencies. The tone of the report should be
positive and constructive. Facts should be clearly distinguished from opinions. The report
should identify evidence to support the findings and recommendations.
This section should also explain how the Audit recommendations were developed. It should
identify the cause of problems in the entity’s operations and note causes outside
management’s influence or control. Where possible, recommendations should specify
necessary remedial action by the entity. It is essential that the report make
recommendations wherever audit findings require action by the entity.
Finally, this section should identify any issues that require further study and investigation.
These will be issues that do not fall within the objective of the Audit but which are significant
enough to be pursued elsewhere or at a later date.
When finalizing the report structure, the auditor must take into consideration the best possible
format that clearly conveys to the reader the main audit findings. Avoid repetition and unnecessarily
long words.
Once the fieldwork has been completed the audit team should decide the structure of the draft
report in consultation with colleagues and management and should take account of the following:
1. Accuracy
Reports must be accurate and findings supported by sufficient evidence. Matters of fact should be
reported accurately. Errors of fact in a report will damage the credibility of the entire report and the
Internal Audit Unit.
2. Audience
The report should be written to suit the capabilities, interests and time constraints of the audience.
Short, sharp everyday words are the best means of getting the audience’s attention and
understanding, particularly when the issues are complex.
3. Balance
Both sides of an argument should be presented. A balance of praise and criticism should be
apparent. The entity’s view should be properly and adequately reflected where appropriate.
4. Clarity
Reports are to be written in a clear, easily understood fashion. The language should be simple. Steer
clear of complex terminologies which a lay person may not understand.
5. Language
avoid clichés and slang,
never use a long word where a short word can be found,
never use the passive where the active can be used instead,
never use a foreign phrase, scientific word or jargon if a straightforward everyday English
word can be used,
avoid affectation and desires to “impress” readers,
make the best effort to be simple through the use of short paragraphs and simple sentences,
write in third person.
6. Logic
Reports are to present arguments that are logical. Errors will also be very damaging to the credibility
of the report and the Internal Audit Unit.
7. Purpose
Reports are to identify their purpose clearly.
8. Structure
It is important to start sections and paragraphs with a statement of the main topic or idea to be
developed. The remainder of the section or paragraph should develop that topic in a logical and
coherent fashion. The key feature that should be incorporated in this approach is the need to
identify the main idea at the start and not to bury it in the middle of your piece of writing.
9. Timeliness
Reports are to be issued in a timely manner. This means producing a quality product within the time
constraints of the Audit Plan.
10. Usefulness
For the report to be useful it must have value in terms of providing information and assurances to
management and specify where improvements can be made and the likely impact.
Audit Report Template:
Title Page – Internal audit assignment on {insert name of audit assignment} completed by the IAU on
{Insert Date}
Introduction / Background:
identifies the organisational units and activities reviewed and the reason the unit exists,
Information of previous reports and the status of prior recommendations,
Statistical information on the area in question e.g. total value of expenditure,
Information on the staffing structure, volume and value of transactions processed.
Objectives:
Overall objective – reason that the audit assignment was performed e.g. to ensure that all payroll
payments were made to bona fide employees, were paid at the correct rate and at the correct time.
Specific objectives – the areas that you focused your attention on e.g.
to ensure that all overtime processed has been paid at the correct rate,
to ensure that all starters have been properly authorised and entered onto the payroll
system,
to ensure that leavers have been removed from the system promptly so that no
overpayments have occurred,
to ensure that all allowances paid have been properly authorised, correctly calculated and
classified in the payroll system,
To ensure that all outputs from the payroll have been correctly input into the accounting
system,
Scope:
Context of the subject matter, description of the system or activity under review,
The audit period under review,
Geographical information / sites visited,
Any exclusions.
Audit Approach:
Audit criteria identified against which audit conclusions were drawn e.g. MFEM act, financial policies
and procedures manual or the treasury circulars.
A description of how the work was performed, e.g. the types of testing that were performed, how
samples were selected etc.
Standards adopted, to what standard was the audit performed, e.g. in conjunction with the IAU
internal audit manual or professional body standards.
Timing of the audit work, any specific reason e.g. to attend a stock take, or to ensure no impact from
school holidays if auditing the Ministry of Education.
Observations:
Observations should be objective statements of fact, which need to be accurate and evidence based
to support the auditor's conclusions. They should compare what should be with what is actually
happening. Observations should be based on the following attributes:
Criteria – The standards, measures or expectations used in making an evaluation – what
should be?
Condition – The factual evidence the internal audit found during the examination – what is
happening?
Cause – The reason for the difference between the expected and actual conditions ‐ why
does the difference exist?
Effect – The risk encountered because the condition does not meet the criteria. In
determining the degree of risk the internal auditor should consider the effect that their
observations and recommendations would have on the operations and financial statements
of the organisation.
In a situation where there are several audit observations the auditor should decide if some of the
observations can be aggregated, and then determine which ones are reportable and those that are
relatively minor and should not be included in the audit report.
Conclusions:
Conclusions should be clear and concise. They should include:
Conclusions on the objectives set – are internal controls working,
Compliance with relevant laws, regulations and other procedures,
Statement on whether the system/activity is functioning as intended,
Quantification and aggregation of any losses identified during the audit.
Recommendations:
Suggest approaches to enhance performance of internal controls in areas identified in observations
and conclusions, suggestions for action by management.
Recommendations should be ranked as high, medium or low.
Grading | Definition
High | Major risk, requiring action by the time the final report is issued
Medium | Medium risk, requiring action within 6 months of the report being issued
Low | Change to achieve best practice by a date agreed with the section manager
Action Plan:
The action plan identifies the action which management will take to resolve issues
{System / Activity} Action Plan – Short Term Response
Action | Responsibility | Time scale | Audit Comments
{System / Activity} Action Plan – Medium Term Response
Action | Responsibility | Time scale | Audit Comments
PART 7: QUALITY CONTROL AND FINALISATION
Peer Review
Peer Review is a key element of the Internal Audit Unit's quality assurance process.
The purpose of peer review is to provide an independent check on the quality of all key products
relating to the audit. These are the proposal, plan, and draft report. The peer reviewer can also
provide ad hoc advice to the audit team at any time, but must remain independent and should
therefore not be drawn into undertaking fieldwork or analysis. If this should occur, a new reviewer
should be appointed.
The peer reviewer should ensure:
all the products of the audit reflect a consistent purpose and focus that link transparently to
the objectives of the audit;
that all reporting is consistent with the audit plan (or any divergence explained);
arguments, inference, and conclusions are clear, logical, fair, and free from bias; and
presentation, structure, and writing style of documents are appropriate, of good quality, and
appropriate to the intended audience (making suggestions for improvement as required).
Peer review takes time and effort to do well, and the audit team should therefore give the reviewer
sufficient time (at least one week) to do it. The peer reviewer should discuss issues with the audit
team and provide comments in writing. Minor comments can be noted on the document. The audit
team should record in writing any reasons for not addressing concerns that the peer reviewer has
raised. Any significant disagreements should be discussed with the peer reviewer and management.
Substantiating the report
Audit evidence is information collected and used to support audit findings i.e. to arrive at an
assessment of whether normal audit procedures are being met. The relationship between Audit
criteria, programme and evidence is that without good criteria you cannot design an effective audit
programme, and without an effective audit programme you cannot obtain convincing evidence to
support your findings in an economic, efficient and effective manner. Evidence can be in physical,
oral, documentary or analytical forms and must be relevant, reliable and sufficient.
Relevancy requires that the evidence bears a clear and logical relationship to the audit objectives. It
is important to ensure that it is consistent with and relates directly to the audit objectives that
have been established. Evidence is reliable if it actually represents what it claims to represent, and
it is sufficient when there is enough relevant and reliable evidence to convince a reasonable person,
beyond reasonable doubt, that the performance audit findings, conclusions and recommendations
are warranted and supported.
Finalization and Issuing of the Report
Once quality assurance of the audit report is completed a final draft copy is prepared and forwarded
to the Head of Internal Audit to sign. The report is then issued to Management following the exit
meeting.
AUDIT FOLLOW UP:
Recommendations which have identified high risk areas for immediate action should be reviewed
prior to issuing the final report.
Medium risk items will be verified within the 7th month after the final report is issued at the auditor’s
discretion to determine if adequate measures have been taken by management.
The implementation of low risk recommendations will be reviewed at the auditor’s discretion or at
the next audit of the system/activity whichever comes first.
The IAU will maintain a register of recommendations from all audit sources including those
recommended by the audit office.
Progress on the implementation of all medium and high risk audit recommendations will be
reported in the monthly management meeting until the action has been
completed.
PART 9: RECORDS MANAGEMENT
Record keeping is an important aspect of project management because:
audit evidence should be easily identifiable and retrievable,
it provides evidence that the audit team has followed due process (because there should be
files containing evidence on all important issues), and
it ensures only those documents relevant to the audit are archived.
Internal Audit files are kept in two forms:
1. Electronic working paper copy kept on the MFEM server,
2. Working paper hardcopy files, which are located in the audit team’s space during the audit,
and are archived after the audit’s completion.
Electronic Working Papers
All electronic files are kept in the “H:\Internal Audit\Audit Reviews” folder and filed according to the
financial year the review was completed in.
Example:
If a review is completed and issued in August 2009, then it will be filed in the folder labelled
2009‐2010 as it falls within the year July 2009 to June 2010. A folder is then created in “H:\Internal
Audit\Audit Reviews\2009‐2010” and the work papers saved in it.
Note:
All soft copies of work papers, correspondences and reports must be clearly labelled and dated. All
correspondences must be dated on the day they were delivered to the recipient. It is recommended
that subfolders clearly identifying correspondences, interviews, reports and other work papers be
created within the folder to enable easy access to relevant documents by anyone needing the
information.
Working paper hardcopy files
Working papers are the link between the fieldwork and the Audit report. They should contain:
- An adequate and valid basis for the Audit opinions expressed in a report,
- A basis for support for the auditor’s opinion,
- An effective link between successive audits,
- The basis for quality assurance review,
- The evidence accumulated in support of the Audit findings, conclusions and
  recommendations, and
- Copies of issue papers and draft Audit reports.
They should be fully indexed and cross referenced to the issues papers and the final report.
Once a review is completed and the final report issued to stakeholders, all work papers and other
audit documentation must be transferred into a manila folder. The folder should be labelled and
filed in one of two four‐drawer cabinets kept on the SPR division side of the office.
Filing Audit Working Papers
Auditing working papers are usually maintained in two separate files:
- Permanent File
- Current File
The Permanent Audit File
Information about a client/system that is relevant to more than one year is placed in the permanent
audit file, which is referred to from year to year and provides continuity in the planning and
carrying out of the audit. Before starting each new audit, however, you should ensure that all
relevant details in the permanent audit file are up to date, e.g. a change in organisational structure
will mean a change to the permanent audit file.
The purpose of the Permanent Audit File is:
- To document information of recurring value regarding items appearing in the financial
  statements
- To document information of a permanent nature regarding the client’s business
- To give audit staff new to the audit information regarding the organisation or process to be
  reviewed.
The main contents of the permanent file are:
- A brief description of the audited organisation, organisation charts, lists of senior officials
  and their job descriptions
- Systems notes, internal control questionnaires, flow charts (if any), details of compliance
  tests (if carried out), and results of control evaluations (e.g. weaknesses or breakdowns in
  internal controls)
- Information about managerial and financial policies
- Ministerial directives, notes of internal rules and procedures, important management
  reports
- Copies of important contracts and agreements
- Notes of the composition and activities of management committees.
The Current Audit File
Information specific to a particular client and period is kept in the current audit file.
The purpose of the current audit file is to provide a profile of work planned:
Current Audit File Index Template:
Planning Section Initials
P.1 Audit planning memorandum
P.2 Audit engagement letter
P.3 Knowledge of the system
P.3.1 List of documents reviewed
P.3.2 Important papers on file, e.g. latest pay rates
P.3.3 Minutes of relevant meetings
P.3.4 External audit queries – List of key points raised
P.3.5 Other audit queries
P.4 Identification of main system components
P.5 Interview notes
P.5.1 IT Section MFEM
P.5.2 Payroll Section MFEM
P.5.3 Public Service Commission
P.5.4 Ministry of Education Payroll
P.5.5 Ministry of Health Payroll
P.5.6 Audit Office
P.6 Control environment worksheet
P.7 Risk analysis work sheet
P.8 Planning materiality
P.9 Analytical review work sheet
P.10 Staff resources and timing
P.11 System description (flowchart(s))
P.12 Identification of Key Controls
P.13 Audit programme (Control and Substantive Tests)
Execution (Fieldwork)
E.1 Completed audit programme
E.2 Sampling procedures performed
E.3 Tests and evidence on payroll processing
E.4 Tests and evidence on starters and leavers
E.5 Tests and evidence on time recording and leave entitlements (includes overtime)
E.6 Tests and evidence on payroll allowances
E.7 Tests and evidence on payroll deductions
E.8 Tests and evidence on payroll payments
E.9 Tests and evidence on general IT controls and data security
Reporting WP
R.1 Final Audit Report
R.2 Draft Audit Report
R.3 Quantify audit errors discovered
R.4 Summary of main findings
R.5 Follow‐up of prior year report
R.6 Final review checklist
APPENDICES: AUDIT PROGRAMMES
Auditee:                  WP Ref:
Period Under Review:      Prepared by:      Date:
System:                   Reviewed by:      Date:

Objective: General: Documented payroll procedures with adequately trained staff

Expected Internal Controls:
- New staff induction and training
- Staff training for system changes
- Procedures up to date
- Supervisors/managers ensure that procedures are implemented
Audit Test:
- Check for existence of staff training on payroll procedures
- Check that procedures are up to date
- Check that supervisors are aware of the procedures
- Check for evidence that management ensure procedures are being implemented
WP Ref:

Objective: Payments are made only to valid employees

Expected Internal Control: Written confirmation required for new employees prior to payroll
processing
Audit Test:
- Identify all new personnel during the period in question and check that all new starts were
  properly authorised.
- Check if the new start received their first pay by cash, and the date processed.
- Review procedures for checking new employee’s details after they have been entered on to the
  payroll system. Assess adequacy of review.
WP Ref:

Expected Internal Control: Preparation, recording and payment functions are adequately
segregated
Audit Test:
- Document the payroll system, clearly identifying responsibility for preparing, recording and
  making payroll payments.
- In the absence of adequate segregation of duties check for compensating controls.
WP Ref:

Expected Internal Control: Unique ID numbers are assigned to each employee.
Audit Test:
- Check that payroll IDs are sequential and cannot be re‐used
- Review procedures for allocation of payroll IDs to new employees and assess adequacy for
  prevention of duplicate payments
- Check for evidence of exception reports each time a new start is entered onto the system
WP Ref:

Expected Internal Control: Salaries/Wages are paid based on weekly/fortnightly timesheets
submitted by line ministries.
Audit Test:
- Select a sample of timesheets from respective ministries and check that they have been:
  - Properly prepared
  - Properly authorised and
  - Are for bona fide employees
WP Ref:

Expected Internal Control: Removal from payroll system only occurs upon receipt of an
appropriately authorised notification.
Audit Test:
- Select a sample of leavers entitlement payments entered on system and test whether:
  - leave balances agree to leave cards and attendance books;
  - Calculations by LM are accurate
  - All forms are properly approved
  - All documents were date stamped when received by MFEM payroll section to prevent
    duplicate payments
- For the sample, test the date submitted from LM with the date of removal from Payroll system,
  check for payments after the leave date.
WP Ref:

Expected Internal Control: Changes to employee payroll details (e.g. Bank details) are processed
only on receipt of written notification
Audit Test:
- Review system exception reports for all changes made to payroll during the period in question.
- Check the extent to which monthly payroll reports are reviewed by management.
WP Ref:

Expected Internal Control: Cash payments (loose vouchers) only issued on production of valid
identification and when a signature of receipt is obtained.
Audit Test:
- Select a sample of cash payments made to salary staff and check if:
  - The payment should have been made in cash,
  - The payment was properly authorised,
  - The payment was for the correct amount,
  - The employee signed for receipt of the cash salary
WP Ref:

Objective: All data input to the payroll system is correct and properly authorised

Expected Internal Controls:
- Access controls to payroll software
- Authorisation procedures for changes made to payroll data
- Monitoring of payroll system through exception reports and monthly management reports
Audit Test:
- Review procedures over access control and determine if they are documented and understood by
  staff
- Check access rights for approved users for the Payroll system
- Check for existence of usernames and passwords including evidence of regular password changes
  and password strength
- Check for existence of password sharing in payroll section e.g. large volumes of transactions
  processed by one user.
- Check for appropriate filing and referencing of personnel records and that
  - they are securely held,
  - they are only accessible by authorised personnel
- Check management procedures for examining changes to permanent records,
- Examine exception reports reviewed prior to each pay run
- Select a sample of changes that have been made to standing data and check that these have been
  properly authorised and the change has been made by an appropriate member of staff.
- Check that the database administrator has not processed any transactions on the payroll system.
WP Ref:

Objective: Payments are correctly calculated in accordance with approved pay scales

Expected Internal Control: Verification of payment amounts by MFEM
Audit Test:
- Check for any changes to the number of staff on the payroll compared with the last pay period.
- Check the number of staff paid is reconciled with the previous fortnight and any changes are
  included within authorised data input.
- Check the number of payments made to a Ministry against the approved staffing structure for the
  Ministry
- Select a sample of employees and test that
  - Each employee has supporting documentation on file,
  - All documentation has been properly authorised,
  - The personal data has been correctly entered on to the Payroll system.
  - That the data has been only entered once
  - That the salary amount is correct as per the most recent government pay‐scale
  - That all allowances paid have been properly calculated
WP Ref:

Objective: Payroll costs are correctly recorded in the financial accounting system

Expected Internal Control: Reconciliations between the Payroll and the Accounting (Solomons)
System
Audit Test:
- Reconcile payroll outputs to payroll figures recorded in general ledger and bank statements
WP Ref:

Objective: Payroll data is adequately protected and is securely stored

Expected Internal Control: Backups are taken and physically secure
Audit Test:
- Check that regular backups are taken of the system
- Identify where the backups are stored, and physically inspect if storage facilities are fire and
  water proof with restricted access.
- Check procedures to re‐create payroll information in the event of system failure
- Check for evidence that the procedures have been tested
WP Ref:
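Several of the audit tests above (payments after the leave date, re-used or non-sequential payroll IDs, transactions processed by the database administrator, large volumes of transactions processed by one user) can be run as data checks over a payroll extract. The following is an added example, not part of the original manual; the record layout, account names, the 60% volume threshold and all sample rows are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample extract (not real data):
# (transaction id, payroll ID, pay date, processed by)
PAYMENTS = [
    (1, 1001, date(2010, 3, 5), "clerk_a"),
    (2, 1002, date(2010, 3, 5), "clerk_a"),
    (3, 1003, date(2010, 3, 5), "clerk_a"),
    (4, 1001, date(2010, 3, 19), "clerk_a"),
    (5, 1002, date(2010, 3, 19), "clerk_b"),
    (6, 1003, date(2010, 3, 19), "dba_admin"),
]
# Constructed master file: (payroll ID, employee name)
EMPLOYEES = [(1001, "Employee A"), (1002, "Employee B"), (1003, "Employee C"),
             (1005, "Employee D"), (1002, "Employee E")]
LEAVERS = {1002: date(2010, 3, 10)}   # payroll ID -> authorised leave date
DBA_USERS = {"dba_admin"}             # assumed administrator account name


def payments_after_leave(payments, leavers):
    """Transaction ids paid to a payroll ID after its leave date."""
    return [tid for tid, pid, paid, _ in payments
            if pid in leavers and paid > leavers[pid]]


def dba_processed(payments, dba_users):
    """Transaction ids processed under a database administrator account."""
    return [tid for tid, _, _, user in payments if user in dba_users]


def id_exceptions(employees):
    """Return (re-used payroll IDs, gaps in the allocated ID sequence)."""
    counts = Counter(pid for pid, _ in employees)
    reused = sorted(pid for pid, n in counts.items() if n > 1)
    ids = sorted(counts)
    gaps = [i for i in range(ids[0], ids[-1] + 1) if i not in counts]
    return reused, gaps


def dominant_users(payments, share=0.6):
    """Users who processed at least `share` of all transactions,
    a possible indicator of password sharing to follow up."""
    counts = Counter(user for *_, user in payments)
    return sorted(u for u, n in counts.items() if n / len(payments) >= share)
```

Each function returns exceptions for the auditor to follow up against supporting documentation; an exception is a prompt for enquiry, not a finding in itself.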