Uploaded by Paul Ndali

INTERNAL AUDIT GUIDE FOR PUBLIC SECTOR ENTITIES - FINAL

THE UNITED REPUBLIC OF TANZANIA
MINISTRY OF FINANCE AND PLANNING
INTERNAL AUDIT GUIDE FOR PUBLIC SECTOR ENTITIES
(PSEs)
REVISED EDITION
JUNE, 2019
Internal Audit Manual for PSEs
2019
CONTENTS
FOREWORD
PREFACE
LIST OF TEMPLATES
LIST OF ABBREVIATIONS
DEFINITION OF TERMS
CHAPTER 1
1. INTRODUCTION
1.1 BACKGROUND
1.2 PURPOSE OF THE GUIDE
1.3 ORGANIZATIONAL STRUCTURE OF THE GUIDE
1.4 REVIEW OF THE GUIDE
CHAPTER 2
2.0 Context of Internal Audit Function in PSEs
2.1 Establishing Internal Audit Function
2.2 Definition of Internal Auditing
2.3 Mission of Internal Audit
2.4 Core Principles for the Professional Practice of Internal Auditing
2.5 Code of Ethics for Internal Auditors
2.6 Declaration of Conflict of Interest
2.7 Internal Auditing Standards
2.8 Independence of Internal Audit Function
2.9 Objectivity of Internal Auditors
2.10 Internal Audit Charter
2.11 Legal and regulatory framework of internal audit in PSEs
CHAPTER 3
3. Organizing and Managing the Internal Audit Function in PSEs
3.1 Organizational of Internal Audit Function
3.2 The Internal Auditor General
3.3 The Audit Committees
3.4 Internal Audit Units (IAUs)
3.5 Managing the Internal Audit Function
CHAPTER 4
4. Governance, Risk Management, Internal Control and Fraud
4.1 Introduction
4.2 Governance
4.3 Risk Management and Risk Assessment
4.4 Internal Control
4.5 Fraud Management
CHAPTER 5
5.1 Fundamentals of Internal Audit Planning
5.2 Overview of Risk-Based Audit Planning Process
5.3 Developing Annual Risk Based Internal Audit Plan
5.4 Developing Strategic Risk Based Internal Audit Plan
5.5 Communication and Approval for the Internal Audit Plans
5.6 Quality Review of the Internal Audit Plans
CHAPTER 6
6. Conducting a Reporting on the Audit Engagement
6.1 Introduction
6.2 Relevant IIA Standards in conducting of audit engagements are:
6.3 Overview process on conducting Assurance Engagement
CHAPTER 7
7. Applying Internal Audit Tools and Techniques
7.1 Introduction.
7.2 Audit Evidence
7.3 Control and Risk Self-Assessments
7.4 Methods of Documenting Audit Evidence (Working Papers)
CHAPTER 8
8. Monitoring Progress and Periodic Internal Audit Reporting
8.1 Introduction
8.2 Monitoring Progress
8.3 Considerations for Implementation
8.4 Periodic Reporting
8.5 Types of Periodic Reports
CHAPTER 9
9. Quality Assurance and Improvement Program (QAIP)
9.1 Introduction
9.2 IIA Quality Standards
9.3 Internal Assessments
9.4 External Assessments
9.5 Assessor Qualifications
9.6 Frequency of Conducting External Assessment
9.7 Procurement of External Assessment Services in PSEs
9.8 Pre-requisites for effective quality assurance and improvement program in PSEs
CHAPTER 10
TEMPLATES
FOREWORD
This revised Internal Audit Guide is developed and issued by the Ministry
of Finance and Planning to provide appropriate guidelines to internal audit
functions in the Public Sector. The Guide has been developed with the
assistance of the Public Financial Management Reform Program (PFMRP).
In the absence of this Guide, internal audit functions in the Public Sector
would face a lot of challenges in terms of consistency, efficiency and
effectiveness. Therefore, this guide is essential to ensure consistency,
efficiency and effectiveness of internal audit services in the Public Sector.
The Guide contains a comprehensive framework and structure for internal
audit service including internal audit procedures along with the roles and
responsibilities of internal auditors at different levels. It also explains
management’s roles and responsibilities related to the internal audit
functions. The framework and structure as described in the Guide are
modeled on the International Professional Practices Framework (IPPF) and
other best practices to suit the internal audit functions in the Public Sector.
The internal auditing practices based on this Guide will also enhance the
professional capacity of internal auditors. The Guide is designed to be
flexible and unrestrictive, and shall be revised as and when necessary.
All users of this Guide are expected to have basic knowledge and
understanding of management frameworks including governance, risk
management and control processes and be capable of exercising
professional judgment.
The Ministry of Finance and Planning, therefore, urges all users of this
Guide to carefully use it as a practical guide book.
Doto M. James
PERMANENT SECRETARY- TREASURY
PREFACE
This Internal Audit Guide is issued by the Ministry of Finance and Planning
in accordance with the requirements of Section 38(1) of the Public Finance
Act, 2001 as revised 2004 and amended 2010.
The Internal Audit Manual is intended to:
i. Provide members of the Internal Audit Service in the PSEs in
Tanzania with practical professional guidance, tools and information
for managing the internal audit activity and for planning, conducting
and reporting on internal audit work. The use of the Guide should
help bring a systematic and disciplined approach to the audit of
governance, risk management and control processes and assist
internal auditors meet the goal of adding value to their respective
organizations.
ii. Enhance the quality and effectiveness of the Internal Audit Service
by paving the way to put into practice procedures and processes
that would help it conform to professional standards and best
practices.
iii. Describe the generic guidance for establishing risk based annual
audit plans, planning and conducting audit engagements and
reporting the results of the audit work. The Guide also provides
perspectives on Governance, Risk Management, Internal Control and
Fraud that underpin almost all audit work. Similarly, the Guide also
provides methods for collecting and documenting relevant audit
evidence. Procedures and processes for maintaining a quality
internal audit service are also provided.
iv. Provide for development of the Internal Audit Charter, which
establishes the Internal Audit Services in the PSEs.
v. Prescribe criteria for Internal Audit Service’s conformance to the
Definition of Internal Audit, the Code of Conduct and the Auditing
Standards, which form part of the IPPF established by the Institute
of Internal Auditors (the world-wide professional organization for
internal auditing). The IPPF also contains the Mission, core principles
and supplemental guidance issued by the IIA from time to time to
better understand and conform to the IIA Standards.
vi. Outline the key internal audit processes and activities. It is intended
to serve as an efficient resource to explain the main principles and
identify the relevant standards underlying the conduct of internal
audit activities.
Throughout the Guide, the Internal Auditing Standards directly applicable
or relevant to the subject or particular procedures under consideration
have been provided. References are also made to IIA Implementation
Guidance and Supplemental Guidance where appropriate. In many
instances, Internal Auditors are encouraged to exercise professional
judgment, particularly in determining levels of risk, adequacy of internal
control processes and the choice of appropriate audit methodology.
Auditors and users of the Guide will do well to review and familiarize
themselves with the IPPF and refer to these when using this Guide and
performing internal audit work.
The Guide is designed to be flexible and unrestrictive. In particular, it is
not intended to constrict any initiative that internal auditors can bring to
their work based on prior work experience, knowledge and skills. Neither is
the Guide intended to constrain the internal auditors from exercising their
professional judgment.
Users of the Guide are expected to have at least basic knowledge and
understanding of management frameworks including governance, risk
management and control processes and be capable of exercising
professional judgment. In addition to the IPPF, internal auditors should
also have a comprehensive understanding of the policies, regulations, rules
and directives established by the various Authorities of the Government
and their own organization in order to be able to apply the Guide
effectively.
There is an expectation that the framework for conducting audits within
the IAF, as outlined in this Guide, will be followed by all internal auditors.
It is recognized that it may be difficult to conform to the Guide in all
circumstances. However, conformance should be the norm rather than the
exception. Where an internal auditor or CAE faces difficulties in
understanding the Guide, then appropriate clarifications and/or assistance
should be obtained from CAEs of other IAUs and the IAGD.
I wish to acknowledge the dedication and commitment of all individuals
and organs that were involved in the review process, preparation and
finalization of this Guide.
The invaluable assistance, encouragement and support to the whole
process by the Permanent Secretary- Treasury are highly acknowledged.
Eng. Amin N. Mcharo
Ag. INTERNAL AUDITOR GENERAL
LIST OF TEMPLATES
Template 1: Sample Internal Auditor Code of Ethics Form
Template 2: Conflict of Interest Declaration Form
Template 3: Sample of Structure and Contents of an Internal Audit Charter
Template 4: Sample of Annual Risk Based Internal Audit Plan
Template 4. a: Sample of a Three Years Internal Audit Strategic Plan
Template 5: A sample of Engagement risk assessment
Template 6: Risk and Control Assessment Report
Template 7: Engagement Plan
Template 8: Engagement Work Program
Template 9: Internal Audit Process Checklist for Quality Achievement
Template 10: Summary of Findings and Recommendations (SOFR)
Template 11: Matters on next audit / Follow-up for Recommendations
Template 12: Exit Meeting Minutes
Template 13: Sample of an Internal Audit Engagement Report
Template 14: Sample of working papers
Template 14. A: Team Meeting Minutes
Template 14. B: Folder Cover for Current Audit File
Template 14. C: Audit Project Reminder List
Template 14. D: Specimen of Engagement Objectives
Template 14. E: Sample of Engagement Letter
Template 14. F: Example of Agenda for Entrance Meeting
Template 14. G: Entrance Conference Minutes
Template 14. H: Risk Control Matrix
Template 14. I: Process Narrative Notes
Template 14. J: Example of an Internal Control Questionnaire (ICQ)
Template 14. K: Testing Sheet
Template 14. L: Five Attribute Sheet
Template 14. M: Memorandum/ Transmittal Letter
Template 14. N: Follow-up Audit Documentation
Template 15: Format of Internal Audit Quarterly
Template 16: Format of Internal Audit Annual Report
Template 17: Checklist and rating for QAIP
LIST OF ABBREVIATIONS
AIC: Audit in Charge
AO: Accounting Officer
AR: Audit Risk
CAATs: Computer Assisted Audit Techniques
CAE: Chief Audit Executive
CAF: Current Audit File
CAG: Controller and Auditor General
COSO: Committee for Sponsoring Organizations
CR: Control Risk
CRSA: Control Risk Self-Assessment
DR: Detection Risk
ERM: Enterprise Risk Management
GRN: Goods Received Note
HR: Human Resources
HRM: Human Resource Management
IA: Internal Audit
IAF: Internal Audit Function
IAG: Internal Auditor General
ICQ: Internal Control Questionnaire
IFMS: Integrated Financial Management System
IIA: The Institute of Internal Auditors
IPPF: International Professional Practices Framework
IPSAS: International Public Sector Accounting Standards
IR: Inherent Risk
ISO: International Standard Organization
IT: Information Technology
IS: Information System
KPIs: Key Performance Indicators
LAWSON: Human resources software
LAFM: Local Authority Financial Memorandum
LGA: Local Government Authority
LPO: Local Purchase Order
PSEs: Public Sector Organisations
MoF: Ministry of Finance
MTEF: Medium Term Expenditure Framework
NAO: National Audit Office
NBAA: National Board of Accountants and Auditors
PA: Performance Attribute
PAF: Permanent Audit File
PCs: Personal computers
PEs: Procuring Entity
PFA: Public Finance Act
PFR: Public Finance Regulations
PFMRP: Public Finance Management Reform Programme
PMU: Procurement Management Unit
PO-PSM: President’s Office-Public Service Management
PPA: Public Procurement Act
PS: Permanent Secretary
RSs: Regional Secretariats
SOFR: Summaries of audit findings and recommendations
TNA: Training Needs Assessment
ToR: Terms of Reference
TRA: Tanzania Revenue Authority
VAT: Value Added Tax
VFM: Value for Money
W/Ps: Working paper (s)
DEFINITION OF TERMS
Term: Definition

“Add Value”: The internal audit function adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management and control processes

“Assurance Services”: An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management and control processes for the organization

“Team Leader”: A senior person, appointed by the CAE Functions amongst the internal audit staff, and charged with the task of leading the audit assignment or engagement.

“Audit Risk”: The risk that audit procedures will fail to detect an absent, inappropriately designed or ineffectively implemented internal control or management arrangement, which could result in an unacceptable level of business risk.

Audit Universe: A range of all potential audit activities and is comprised of a number of auditable entities including programs, activities, functions, structures and initiatives which collectively contribute to the achievement of the organization’s strategic objectives.

“Consulting Services”: Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management and control processes without the internal auditor assuming management responsibility

“Control”: Any action taken by management, the Board, and other parties to manage risk and increase likelihood that established objectives and goals will be achieved

“Fraud”: Any illegal act characterized by deceit, concealment, or violation of trust.

“Governance”: The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives

“Independence”: The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner

“Internal Audit”: An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes

“Internal Audit Service/ Function”: A department, division, unit, team of consultants or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations

“Internal Control”: A process effected by entity’s board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories: effectiveness and efficiency of operation

“Materiality”: The degree of relevance or significance of an absent, inappropriately designed or ineffective control or management arrangement, in relation to the business risk of the organization

“Risk”: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood

“Risk Assessment”: A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization objectives

“Risk-Based Audit”: A methodology that links internal audit to an organization’s overall risk management framework. It allows internal audit to provide assurance to the board that risk management processes are managing risk effectively, in relation to the risk appetite.

“Sampling”: A process of selecting few items representing the entire big number of units (population). The selected items are called a sample.

“Standard”: A professional pronouncement promulgated by the International Internal Audit Standards Board that delineates the requirements for performing a broad range of internal audit activities, and for evaluating internal audit performance

“Systems”: The procedures and operations by means of which an organization’s transactions and events are affected and recorded.

“Value for Money”: The economy, efficiency and effectiveness of an organization’s operations.

“Public Sector Entity (PSE)”: In this guide the term Public Entity includes Ministries, Departments, Agencies, Regional Secretariats, Local Government Authorities, Parastatal organizations, Public Corporations, Regulatory Authorities, and Government Business Entities. Also the term stands for Public Sector Organisation, Public Sector Enterprises and Public Sector Institutions.

Inherent Risk: The probability of material errors and incorrect information, entering the accounting and management systems that could result in misrepresentation or misstatement of financial and other results, based on the assumption that there are no effective controls.

Residual Risk: The risk remaining after management takes action through various measures; including establishing control activities, to reduce the likelihood of adverse events occurring and their impact should they occur. Management actions would reduce inherent risks, but may not completely eliminate the risks. Management should be aware of such residual risks. Where Management has not done an evaluation of the residual risk, Internal Auditors should evaluate the risk and report their findings to Management, if necessary.

Control Risk: The probability that the client’s internal control system will fail to detect material misstatements due to its own structural weakness. Where controls are not properly designed or not properly executed as designed, the probability of control failures is higher. For example, a major defalcation is more probable under a weak internal control structure than under a well-designed one. Reliance on a control system alone without other supporting audit work exposes an Auditor to control risk.

Detection Risk: The chance that the auditor will not detect a material problem. This mostly would arise as a result of poorly designed audit procedures or that the Auditors executing an audit programme do not fully understand the nature and importance of the planned audit tests.

Audit Risk: The risks that may affect the credibility, reputation, and usefulness of the internal audit function. These risks have been classified into Audit failure, false assurance and reputation.

CHAPTER 1
1. INTRODUCTION
1.1 BACKGROUND
The Paymaster General through Internal Auditor General developed the
Internal Audit Manual during the financial year 2012/2013. The Manual
derived its mandate from the Public Finance Act, (Act no. 6 of 2001 as
amended in 2004 and revised in 2010). Specifically, section 38 (1) (a) and
(b) and (2) (f) and (g) requires the Internal Auditor General (IAG) to be
responsible to the Paymaster General for:
(i) Developing Internal Audit Policies, rules, standards, manual, circulars
and guidelines;
(ii) Reviewing and appraising compliance to laid down laws, regulations,
standards, systems and procedures in Ministries, Departments,
Government Institutions, Local Government Authorities, Executive
Agencies and Donor Funded Projects;
(iii) Managing and controlling the quality of operations of the audit cadre
and enhancing capacity of Audit Committees; and
(iv) Evaluating the effectiveness of Audit Committees in Ministries,
Departments, Government Institutions, Regions and Executive
Agencies.
Recently, the Internal Auditor General received requests from internal
auditors in the Public Sector Entities for the Manual to be updated. The
revised Guide therefore is intended to:
a) Increase its relevance and user friendliness in general;
b) Reflect new developments in the discipline of internal auditing;
c) Address practical implementation factors that relate to the
different spheres of government such as Local Government
Authorities and Public Authorities; and
d) Include identified best practices and guidelines.
In view of the foregoing, therefore, the revised Guide has been designed to
be:
(i) Simple for users to understand;
(ii) Easily applicable to meet the varied internal audit requirements of
Public Sector Entities; and
(iii) Well-structured and easy to navigate.
1.2 PURPOSE OF THE GUIDE
The purpose of this Guide is to establish minimum requirements for the
development and operation of the internal audit function in the Public
Sector Entities. It serves as the primary source of reference and guidance
for internal auditing in the Public Sector. It is intended to ensure that the
Internal Audit Functions (IAF) comply with the requirements of:
(i) Public Finance Act No. 6 of 2001 and its amendments;
(ii) The Local Government Act of 1982 and its amendment;
(iii) Local Authority Financial Memorandum of 2009 and its amendments;
and
(iv) The Institute of Internal Auditors’ (IIA) International Standards for
the Professional Practice of Internal Auditing.
Against this background, the Guide provides a standard set of principles
governing internal auditing practices and internal audit practitioners in the
Public Sector. Research and findings of assessments conducted in the past
indicated varied levels of internal auditing practices within all facets of
Public Sector and therefore, the Paymaster General believes that the Guide
will set the tone and create the necessary impetus for a sustainable and
effective internal auditing mechanism in Public Sector Entities. This Guide is
not meant to be prescriptive and should enhance the quality and standard
of public sector auditing.
This Guide is a work-in-progress and stakeholders are welcome to provide
input on an ongoing basis. The Guide is principle based and therefore it can
be customized by CAEs in developing their detailed Internal Audit Procedure
Manual to suit unique Entities’ environments in accordance with the IPPF.
1.3 ORGANIZATIONAL STRUCTURE OF THE GUIDE
This Guide is divided into nine chapters as summarized in Table 1 below:
Table 1: Organizational Structure and Summary of the Guide
| S/N | CHAPTER | DESCRIPTION |
|---|---|---|
| 1.0 | Introduction | Describes the background, purpose, Organizational Structure and procedures for review of the Guide. |
| 2.0 | Context of Internal Audit in PSEs | Discusses the context of internal audit functions in PSEs, establishing internal audit function definition of internal auditing, mission of internal audit, core principles for the professional practice of internal auditing, code of ethics, code of conduct, declaration of conflict of interest, independence, objectivity, internal audit charter and various legislations governing internal audit in PSEs. |
| 3.0 | Organizing and managing the internal audit function in PSEs | Describes the organizational of internal audit function, the Internal Auditor General, Audit Committee; Internal Audit Units, the Principal Internal Auditor, Team Leaders, Training and Development, Internal Audit budget, Staffing, Outsourcing and Co-sourcing. |
| 4.0 | Governance, Risk Management, Internal Control and Fraud | Describes roles and responsibilities of Internal Auditors and Management in relation to Governance, Risk Management, Internal Control and Fraud Prevention and Detection |
| 5.0 | Developing strategic and annual risk based audit plan at PSEs. | Describes the fundamentals of internal audit planning; overview of risk-based audit planning process; developing annual risk based internal audit plan; developing strategic risk based internal audit plan; communication and approval for the internal audit plans; and quality review of the internal audit plans. |
| 6.0 | Conducting the audit engagements | Discusses the overview of the assurance audit process; Planning the engagement; Performing the engagement; Communicating the engagement results; and Guidelines for Conducting consulting engagements. |
| 7.0 | Applying internal audit tools and techniques | Discusses the internal audit tools and techniques including Audit Evidence; Control and Risk Self-Assessments; and Methods of Documenting Audit Evidence (Working Papers). |
| 8.0 | Monitoring Progress and periodic internal audit reporting | It describes monitoring progress standards and processes; quarterly internal audit reports; annual internal audit reports. |
| 9.0 | Quality assurance and improvement program | Discusses objectives of QAIP, internal assessments processes; external assessments processes; assessor qualifications; procurement of external assessment services in PSEs; pre-requisites for effective quality assurance and improvement program in PSEs; and Reporting on the Quality Assurance and Improvement Program. |
| 10.0 | Templates | Provides the templates for use in internal audit works. They follow the layout of the chapters in this Guide. |
1.4 REVIEW OF THE GUIDE
Review of the Guide will be necessitated by the occurrence of the following
three conditions whichever happens earlier:
(i) Changes in applicable standards;
(ii) Laws and regulations;
(iii) After five (5) years.
Any suggestion for amendments, additions and improvements to this Guide
should be submitted to the Internal Auditor General.
CHAPTER 2
2.0 Context of Internal Audit Function in PSEs
2.1 Establishing Internal Audit Function
Regulation 28 of the Public Finance Regulation (2001) requires every
Accounting Officer to establish an effective Internal Audit Function (also
known as Internal Audit Activity – IAA) throughout the Public Sector
Entities. Internal Audit Function is an important component of internal
control, risk management and corporate governance and provides the
necessary assurance and advisory services to the organization.
Internal Audit Function is one of the most significant management tools and
can provide value-added services to the organization. When adequately and
sufficiently resourced, an IAF should be in a position to provide
management with much of the assurance regarding the effectiveness of the
system of internal control, risk management and governance processes.
The IAF must be well planned, organized, staffed, trained, directed and
monitored. Internal audit must be conducted in accordance with the
standards set by the IIA.
These standards, together with the mission, principles, code of ethics,
implementation guides and supplemental guides issued by the IIA provide
much of the guidance required by the Internal Audit Function to perform its work
effectively.
2.2 Definition of Internal Auditing
Internal Auditing is an independent, objective assurance and consulting
activity designed to add value and improve an organization’s operations. It
helps an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve effectiveness of risk
management, control and governance processes.
2.3 Mission of Internal Audit
The mission of internal auditing in the Public Sector Entities in Tanzania is
to enhance and protect organizational value by providing risk-based and
objective assurance, advice and insight.
2.4 Core Principles for the Professional Practice of Internal Auditing
The core principles for the professional practice of internal auditing
articulate internal audit effectiveness. For an internal audit function to be
effective, all principles should be present and operating effectively. How
internal auditors as well as internal audit function demonstrate achievement
of the core principles may be quite different from organization to
organization, but failure to achieve any of the Principles would imply that an
internal audit function was not as effective as it could be in achieving
internal audit’s mission. The Principles which should be adopted by all PSEs
are:
(i) Demonstrates integrity;
(ii) Demonstrates competence and due professional care;
(iii) Is objective and free from undue influence (independent);
(iv) Aligns with the strategies, objectives and risks of the organization;
(v) Is appropriately positioned and adequately resourced;
(vi) Demonstrates quality and continuous improvement;
(vii) Communicates effectively;
(viii) Provides risk-based assurance;
(ix) Is insightful, proactive, and future-focused; and
(x) Promotes organizational improvements.
2.5 Code of Ethics for Internal Auditors
2.5.1 As the profession of internal auditing is based on the trust placed in
its independent and objective assurance, opinions and reports about
governance, risk management and control, it is necessary that it be
governed by a Code of Ethics.
2.5.2 The Code of Ethics for Internal Auditors in Public Sectors as adopted
by the Government consists of a set of Principles relating to Integrity,
Objectivity, Confidentiality and Competency. In addition, the code
contains Rules of Conduct that describe the behaviour norms
expected of professional internal auditors, assist in the interpretation
and practical applications of the principles and guide the ethical
conduct of internal auditors.
2.5.3 Conducting audit work in accordance with ethical principles is the
responsibility of both the CAE and the staff of an IAF. The credibility
of the internal auditors and the internal audit reports, among others,
is gauged on compliance with the code of ethics. The Code also
enables internal auditors to foster a culture of ethics, an important
cornerstone of good governance, within their organization.
2.5.4 The users of this Guide should study and familiarize themselves with
the principles and the rules contained in the Code of Ethics in the
IPPF as adopted and issued by Government. Civil service regulations
and rules also contain various elements that relate to the ethical
conduct of civil service staff. Adherence to the Code of Ethics does
not absolve the internal auditors from compliance with the rules and
regulations of the civil service. In the event of any conflict between
the two, appropriate guidance should be obtained from the IAG.
Template 1 provides a sample of the code of ethics.
2.6 Declaration of Conflict of Interest
2.6.1 Internal auditors must have an impartial, unbiased attitude and avoid
any conflict of interest. Conflict of interest is a situation in which an
internal auditor who is in a position of trust has a competing
professional or personal interest. Such competing interest can make
it difficult to fulfill his or her duties impartially. Conflict of interest
exists even if no unethical or improper act results. A conflict of
interest can create an appearance of impropriety that can undermine
confidence in the internal auditor, the internal audit function and the
profession. A conflict of interest could impair an individual’s ability to
perform his or her duties and responsibilities objectively.
2.6.2 CAEs are required to observe Standard 1120 of the IPPF in ensuring
that auditors have an impartial, unbiased attitude and avoid any
conflict of interest. Conflict of interest is properly managed by
making sure that internal auditors sign an annual statement indicating
that no potential threat exists or acknowledging any potential
threat. Moreover, before starting any audit engagement, internal
auditors must complete and sign a Conflict of Interest Declaration
Form. Template 2 provides a sample conflict of interest
declaration form.
2.7 Internal Auditing Standards
2.7.1 The purpose of the International Standards for the Professional
Practice of Internal Auditing, issued by the IIA, and adopted by the
Government through the Ministry of Finance and Planning is to:
(i) Outline basic principles that represent the professional practice
of internal auditing;
(ii) Provide a framework for performing and promoting a broad
range of value-added internal auditing services;
(iii) Ensure its relevance in Bhutanese context;
(iv) Establish the basis for the evaluation of internal audit
performance; and
(v) Foster improved organizational processes and operations.
2.7.2 The Standards are divided into Attribute and Performance
Standards. Attribute Standards (1000) address the attributes of
internal audit functions and individuals performing internal
auditing. The Performance Standards (2000) describe the nature
of internal auditing and provide quality criteria against which the
performance of these services can be measured.
2.7.3 The IIA also from time to time issues implementation guidance
and supplemental guidance related to specific standards to
provide clarification on particular issues. These guidelines deal
with most aspects of planning, conducting and reporting the
internal auditing engagement, as well as the management aspects
of the internal audit function. These standards are listed and
referred to in the relevant Chapters of this Guide, where
appropriate and necessary.
2.7.4 All Internal Auditors must comply with the Auditing Standards.
Internal Auditors therefore need to thoroughly familiarize
themselves with and obtain a good understanding of the Auditing
Standards, including the interrelationships between different
Standards. Implementation guidelines should also be reviewed
together with the Standards.
2.7.5 The Auditing Standards directly relevant to the specific subjects
under discussion in the various Chapters of this Guide have been
reproduced in for easy reference and for better understanding of
the audit processes.
2.8 Independence of Internal Audit Function
2.8.1 The CAE must report at a level within the organisation that allows the
Internal Audit Function to fulfill its responsibilities. This level must
have sufficient authority to promote independence and to ensure
broad coverage, adequate consideration of engagement communication
and appropriate action on engagement recommendations.
2.8.2 The CAE must report functionally to the Audit Committee and
administratively to the Accounting Officer of the Entity. Independence
is achieved through the organisational status and the objectivity of
Internal Audit Function. Internal Audit Function is independent when
it can carry out its work freely and objectively. Internal Audit Function
should have the support of senior management and of the Audit
Committee so that it can gain the co-operation of the audit clients
and perform its work free from interference.
2.8.3 The CAE should have direct communication with the relevant AO, AC
or other appropriate governing authorities. Direct communication
occurs when the CAE regularly attends and participates in meetings
of the relevant AO, AC and appropriate governing authorities which
relate to its oversight responsibilities for auditing, financial reporting,
corporate governance and control.
2.8.4 The attendance and participation of CAE at these meetings provide
an opportunity to exchange information concerning the plans and
activities of the Internal Audit Function. Independence is
enhanced when the AC concurs in the appointment or removal of
the CAE where appropriate.
2.8.5 Additionally, the Internal Audit Function should:
(i) Have no direct operational responsibility or authority over any
of the activities reviewed;
(ii) Neither develop nor install systems or procedures, prepare
records, nor engage in any other activity that would normally be
audited;
(iii) Not initiate or approve accounting transactions external to the
Internal Audit Function; and
(iv) Avoid conflict of interest.
2.9 Objectivity of Internal Auditors
Each internal auditor should have an objective attitude and should be in a
sufficiently independent position to be able to exercise judgment, express
opinions and present recommendations with impartiality. Specifically:
(a) An Internal Auditor should be free from any conflict of interest
arising from professional or personal relationships or other
interests which he/she may be subjected to audit; and
(b) An Internal Auditor should be free from undue influence which
restricts or modifies the scope or conduct of the audit work, or
significantly affects judgement regarding the content of any
audit report.
2.10 Internal Audit Charter
An IA charter serves as the IAF statement of purpose, authority and
responsibility, and must be in writing. At a minimum it must address the
following:
(i) The definition of internal auditing;
(ii) The IAF’s purpose, authority and responsibilities;
(iii) The independence and objectivity of the IAF;
(iv) The standards to be complied with;
(v) The scope of work to be undertaken;
(vi) The position of the IAF within the organization;
(vii) A description of assurance and nature of consulting services;
(viii) The period of review of the charter;
(ix) The reporting of CAE; and
(x) Access to information, properties and people.
Template 3 provides a sample of Internal Audit Charter for PSEs.
2.11 Legal and regulatory framework of internal audit in PSEs
This Guide complies with and refers to various laws, regulations, standards and
circulars as listed below:
(i) Public Finance Act (2001) and its Regulations as revised in 2004 and
amended in 2010;
(ii) Public Procurement Act (2011) and its Regulations of 2013 and its
amendments;
(iii) Local Government Finance Act (1982);
(iv) Local Authority Financial Memorandum (2009);
(v) Public Service Act (2002);
(vi) Standing Orders (2009);
(vii) The International Professional Practices Framework (IPPF) 2017
issued by the IIA;
(viii) Code of Ethics for Internal Auditors 2012 issued by the Internal
Auditor General;
(ix) Circulars issued from time to time by the Permanent Secretary-Treasury;
(x) Circulars issued from time to time by the Permanent Secretary PO-RALG;
(xi) Circulars issued from time to time by the Permanent Secretary,
President’s Office-Public Service Management and Good Governance
(PO-PSMGG); and
(xii) Other relevant Laws and Regulations governing PSEs.
CHAPTER 3
3. Organizing and Managing the Internal Audit Function in PSEs
3.1 Organization of Internal Audit Function
(i) Proper organization and management of internal audit function is
essential for helping the Public Entities achieve their objectives. In
strengthening internal audit function, it is important to ensure that
the internal audit function is properly positioned, its work is aligned
to support organization objectives, it cooperates with management
and it maximizes the use of available resources.
(ii) IIA Standards which are relevant in respect of organizing and
managing internal audit function are:
(a) 1210 – Proficiency - Internal auditors must possess the
knowledge, skills, and other competencies needed to perform
their individual responsibilities. The internal audit function
collectively must possess or obtain the knowledge, skills, and
other competencies needed to perform its responsibilities.
(b) 1230 – Continuing Professional Development: Internal
auditors must enhance their knowledge, skills, and other
competencies through continuing professional development;
(c) 2000 – Managing the Internal Audit function: The chief
audit executive must effectively manage the internal audit
function to ensure it adds value to the organization;
(d) 2030 – Resource Management - The chief audit executive
must ensure that internal audit resources are appropriate,
sufficient, and effectively deployed to achieve the approved
plan.
(iii) The IAG, the Audit Committee and the IAF through the CAE play a critical
role in responding to the above demand and need to develop a broad
tool kit of technical and soft skills.
3.2 The Internal Auditor General
For proper organization and management of internal audit function in PSEs,
the Government established the Office of Internal Auditor General under
the Ministry responsible for Finance. This Office acts as a central
coordinating Division for Internal Audit Services in Public Sector and section
38 (1) of the Public Finance Act (2001) as revised 2004 and amended 2010
mandated the Paymaster General through the Internal Auditor General to
perform the following:
(a) Develop internal audit policies, rules, standards, manual, circulars
and guidelines;
(b) Review and appraise compliance to laid down laws, regulations,
standards, systems and procedures in Ministries, Departments,
Government Institutions, Local Government Authorities, Executive
Agencies and Donor Funded Project;
(c) Scrutinize and compile audit reports for Ministries, Department,
Government Institutions, Regions, Local Government Authorities,
Executive Agencies and Donor funded projects and shall prepare a
summary of major audit observations and recommendations and
submit to the Paymaster General for further action;
(d) Undertake continuous Audit Risk Management;
(e) Develop and supervise the implementation of Internal Audit
Strategy;
(f) Develop, implement and review annual audit programme;
(g) Liaise with the Controller and Auditor General, Accountant General,
Accounting Officers and Professional Standards Setting Authorities
on audit matters;
(h) Manage and control the quality of operations of the audit cadre
and enhance capacity of Audit Committees;
(i) Evaluate the effectiveness of Audit Committees in Ministries,
Departments, Government Institutions, Regions, Local Government
Authorities and Executive Agencies;
(j) Facilitate the development of internal audit cadre;
(k) Review and appraise budget planning and implementation with a
view to promoting compliance with national goals and objectives;
technical reports on development initiatives; works, goods offered
and services supplied to the Government from development and
recurrent budgets and determine their value for money;
(l) Prepare audit reports and advise the Government on intervention
measures towards ensuring value for money on public expenditure;
(m) Make follow ups on the agreed audit recommendations and
required corrective actions;
(n) Undertake special and investigative audits;
(o) Review, monitor, evaluate and recommend on systems of
Government revenue collections for proper accountability;
(p) Participate in the hearings and render advice to the relevant
Parliamentary Oversight Committees.
3.3 The Audit Committees
The Audit Committee shall be responsible for:
(i) Reviewing all internal and external audit reports involving matters of
concern to senior management;
(ii) Providing advice/oversight to the Accounting Officers/Board (if
applicable) on action to be taken on matters of concern raised in the
report of the internal auditor or in a report of Controller and Auditor
General;
(iii) Provide advice/oversight to the Accounting Officers on the preparation
and review of the financial statement of the PSEs;
(iv) Prepare an annual report on its function, a copy of which shall be sent to
the Internal Auditor General and Controller and Auditor General;
(v) Review quarterly and annual internal audit reports;
(vi) Advise/oversee the Accounting Officer on implementation of internal
audit recommendations and coordinate audit programmes between
internal and external audit;
(vii) Approving the internal audit charter;
(viii) Approving the risk-based internal audit plan;
(ix) Approving the internal audit budget and resource plan;
(x) Receiving communications from the chief audit executive on the
internal audit activity’s performance relative to its plan and other
matters;
(xi) Approving decisions regarding the appointment and removal of the
chief audit executive (where applicable);
(xii) Approving the remuneration of the chief audit executive (where
applicable);
(xiii) Making appropriate inquiries of management and the chief audit
executive to determine whether there is inappropriate scope or
resource limitations.
3.4 Internal Audit Units (IAUs)
These are required by law to be established in all PSEs. PSEs include those
which receive and manage budget allocations through the government
budget and those established by law with their own sources of revenues. An
IAU shall be headed by a Chief Audit Executive (CAE) and shall consist of a
team of Internal Auditors and support staff. The IAU is responsible for
providing internal audit services in accordance with the Internal Audit
Charter and in compliance with the Code of Ethics for Internal Auditors,
Standards for Internal Auditing and other guidelines issued by the Ministry
of Finance. The CAE reports functionally to the Audit Committee and
administratively to the Chief Executive of the entity. The Chief Audit
Executive shall be responsible for:
(i) Establishing appropriate policies and procedures to guide the
internal audit function;
(ii) Establishing risk-based audit plans to set out the priorities of the
internal audit function;
(iii) Coordinating internal audit plans and activities with other
internal and external providers of assurance activities;
(iv) Communicating internal audit plans of engagements and the
related resource requirements (including the impact of resource
limitations) to the Accounting Officer and Audit Committee;
(v) Ensuring that internal audit resources are appropriate (i.e.
professional qualifications and skills), sufficient and effectively
deployed to achieve the approved plan;
(vi) Ensuring timely completion of and reporting on individual
internal audit engagements in accordance with professional
standards;
(vii) Supporting and conducting special audits as requested by
competent Authority;
(viii) Reporting quarterly to the Audit Committee on whether
management’s action plans have been implemented and
whether the actions taken have been effective;
(ix) Maintaining a quality assurance and improvement program that
covers all aspects of the internal audit function;
(x) Reporting annually to the Audit Committee on the internal audit
function’s conformance with professional internal auditing
standards;
(xi) Providing annually a holistic opinion to the Accounting Officer
and the Audit Committee on the effectiveness and adequacy of
PSE’s risk management, control, and governance processes;
(xii) Maintaining unfettered access to the Audit Committee through
the Committee Chair.
3.5 Managing the Internal Audit Function
3.5.1 Training and Development for Internal Auditors
As professionals, internal auditors must demonstrate proficiency in terms of
the key knowledge, skills and abilities required to effectively conduct
internal audit assurance and consulting engagements. In addition, they
must stay abreast of recent developments in their profession.
To ensure that the IAF collectively possesses the required skills and abilities to
provide superior service, the CAE should prepare an annual Training Plan.
Training should be provided, either formally or on-the-job, when a need or
opportunity is identified to acquire additional skills or knowledge that can be
applied directly to the conduct of internal audit engagements or to the
performance of supporting activities, e.g. risk assessment, audit planning.
Development opportunities are provided to meet the interests of
employees, e.g. acquisition of additional skills or knowledge towards
promotion, and to meet the future needs of the organization e.g. acquisition
of knowledge of a new auditing tool or technique.
3.5.2 Internal Audit Budget
The AO and the AC are responsible for ensuring that the IAF is adequately
resourced for effective functioning. The CAE should control and have
responsibility over the development and execution of the IAF’s budget.
The IAF’s budget should at least cover the following items:
(i) Infrastructure including computers and related software;
(ii) Audit software expenses;
(iii) Training and development;
(iv) IIA’s membership fees; and
(v) Quality assurance Program.
3.5.3 Staffing of Internal Audit Unit
(i) The CAE in conjunction with the AO should develop an IAF
organizational structure taking cognisance of the organisation’s
needs including risk and complexity of the operations. Provision
should be made for levels of supervision and review of audit
work in line with due professional care as provided for in the
IPPF. Where necessary, consultation should be made to the
Authority responsible for staffing in the Government to ensure
that staffing of the Internal Audit Function is not compromised.
(ii) The CAE should develop a recruitment, placement, training and
staff retention programme (where practicable) to ensure that
appropriate skills are available. To achieve this, emphasis
should be placed on qualifications, skills and experience. To
improve effectiveness of the IAA, staff at all levels should have
well-documented job descriptions, clear goal setting,
performance evaluations and training programmes.
3.5.4 Outsourcing or Co-sourcing of IAF Staff
(i) Outsourcing is where a certain internal audit engagement is
conducted by an external service provider (Internal Auditors
from another Public Sector Entity).
Where the IAF is outsourced, oversight and responsibility for
the IAF cannot be outsourced; the CAE should manage the
outsourced function and own the report.
(ii) Co-sourcing is where the external service provider (Internal
Auditors from another Public Sector Entity) works together with
in-house IAF resources. This method is preferable where the
Entity needs to develop its internal capacity and is deemed to
be more cost effective; and
(iii) Consideration for evaluating sourcing alternatives:
(a) Available resources: the organization may not have
sufficient resources (financial, physical, human etc.) to
establish an in-house IAA. Outsourcing should be considered
when it is cost effective for the organization;
(b) Size of the organization: both large and small
organisations may need to take advantage of outsourcing
alternatives. Common reasons include temporary staff
shortages, specialty skills, special audit project work and
supplementary staff to meet deadlines; and
(c) Skills transfer: skills transfer implementation plan should
be developed to ensure that the IA staff members are
capacitated and their skills enhanced throughout the process.
CHAPTER 4
4. Governance, Risk Management, Internal Control and Fraud
4.1 Introduction
Governance, risk management and internal controls are core elements in
the practice of internal auditing and encompass all phases of an audit. IIA
Standard 2100 (Nature of Work) requires that the internal audit
activity evaluate and contribute to the improvement of
governance, risk management, and control processes using a
systematic and disciplined approach.
This Chapter discusses the nature of each of these elements and how they
are dealt with in internal auditing. An understanding of these elements
together with fraud related issues is considered as imperative to the
effective performance of internal auditing.
Even though governance, risk management and internal controls are
discussed under separate Sections within this Chapter, it should be noted
that these three elements are closely interrelated and linked to each other.
Effective governance activities consider risks when establishing
organizational goals, objectives and implementation strategies and the
related operational plans. Controls are the corollary of risks in the sense
that controls represent the actions that are taken to manage risks and
increase the likelihood of achieving the established goals and objectives.
Effective governance mechanisms rely on the effectiveness of the internal
controls. These linkages and their impact on the organization should be
clearly understood and appreciated throughout the audit process from
planning to final reporting.
In the PSEs, responsibility for the administrative and management
functions, subject to the laws enacted by the Parliament and regulations and
procedures established by central agencies, rests with the respective Board
or Accounting Officers. Internal Auditors must use their judgment when
interpreting the standards and making conclusions with respect to the
responsibilities of the Board and Accounting Officer.
4.2 Governance
4.2.1 IIA Standard 2110 (Governance) requires the internal audit
activity to assess and make appropriate recommendations for
improving the governance process in its accomplishment of the
following objectives:
(a) Promoting appropriate ethics and values within the organization;
(b) Ensuring effective organizational performance management and
accountability;
(c) Communicating risk and control information to appropriate areas
of the organization; and coordinating the activities of and
communicating information among the board, external and
internal auditors, and management.
4.2.2 IIA Standard 2110.A1 requires the internal audit activity to
evaluate the design, implementation, and effectiveness of the
organization’s ethics-related objectives, programs, and activities. IIA
Standard 2110.A2 – The internal audit activity must assess
whether the information technology governance of the organization
sustains and supports the organization’s strategies and objectives.
4.2.3 Public sector governance encompasses the policies and procedures
used to direct an organization’s activities to provide reasonable
assurance that objectives are met and that operations are carried out
in an ethical and accountable manner. It also includes activities that
ensure a government’s credibility, establish equitable provision of
services, and assure appropriate behavior of government officials so
as to reduce the risk of corruption.
4.2.4 The Government has established broad national goals, strategic plans
and policies through legislation, resolutions and also allocates
resources through the national budget processes. Central agencies
provide further guidance through policy directives and establish
regulations and procedures to provide the framework for the
implementation of these policies. Boards and Accounting Officers have
responsibility to establish appropriate governance processes within
their organizations to ensure that their mandates are properly
interpreted and implemented and the goals and objectives set for
their respective organizations are achieved. As much of internal audit
work is focused on governance, where necessary, CAEs must discuss
with their respective Board and Accounting Officers and agree with
them the essential elements of governance at the entity level to avoid
misconceptions and differences in view.
4.2.5 Principles and Attributes of Good Governance
The following are some important principles that contribute to good
governance:
(i) Strategic – Policies, directions and performance
expectations are established in a transparent manner,
documented and communicated to guide the operations at
all levels of the organization. Care should be taken to
ensure that these are properly aligned to national policies,
plans, budgets and performance goals and objectives
established by the Parliament and relevant central
agencies.
(ii) Risks and controls – Risks to the achievement of the
organization’s goals and objectives are identified, assessed
and where necessary, appropriate control and mitigation
measures are established. These are also properly
communicated to relevant operational areas.
(iii) Ethics and integrity – Ethical and integrity values
enshrined in government policies and civil service codes are
regularly emphasized and promoted at all levels of the
organization. Programmes are established to regularly
promote and reinforce ethical conduct. Management should
reinforce ethical values by setting proper “tone at the top”
and establish an adequate system of internal controls. This
should include enforcing clear lines of accountability that
hold people responsible for not only doing the right thing,
but also doing it right.
(iv) Monitoring – Processes are put in place to regularly
assess and ensure that policy is implemented as planned
and is in compliance with established policies, laws and
regulations and that resources are deployed efficiently.
Where the overall performance does not meet plans,
expectations or not in compliance with regulations and
procedures, the underlying causes are quickly identified
and corrective actions are implemented to remove the
causes.
(v)
Reporting – A financial and performance reporting system
that is validated should be in place at every level of the
organization to regularly report on the accomplishment of
goals and objectives against resources used. This system
should be aggregated to ultimately provide performance
reports to both the central agencies and the Parliament at
periodic intervals and annually, as required.
(vi) Accountability – Is the process whereby public sector
entities and the individuals within them are responsible for
their decisions and actions including their stewardship of
public funds and all aspects of performance and submit
themselves to appropriate internal and external scrutiny.
Accountability will be better achieved when all the parties
concerned have a clear understanding of their respective
responsibilities and have clearly defined roles established
through a robust organizational structure. In effect,
accountability is the obligation to answer for responsibility
conferred.
(vii) Transparency - Good governance includes appropriate
disclosure of key information to stakeholders so that they
have the necessary facts about the entity’s performance
and operations. This would mean that reliable and timely
information about existing conditions, decisions and actions
relating to the activities of the organization is made
accessible, visible and understandable to the relevant
stakeholders and parties. Transparency is increased when
Auditors perform audits and provide assurance that
government actions are ethical and legal and that financial
and performance reports accurately reflect the true
measure of operations.
(viii) Probity - The principle of probity calls for public officials to
act with integrity and honesty. This relates to management
of resources and also to disclosure of information that is
reliable and correct.
(ix) Equity - The principle of equity relates to how fairly
government officials exercise the power entrusted to them.
Citizens are concerned with the misuse of government
power, waste of government resources and any other
issues involving corruption or poor management that could
negatively impact the government’s obligations and service
delivery to its citizens. Governmental equity can be
measured and evaluated across the service costs, service
delivery and the exchange of information.
4.2.6 The Role of Internal Audit in Governance
(a)
Internal Auditors provide independent objective assessments of
the design and the operating effectiveness of the organization’s
governance processes. As governance plays a significant role in
the achievement of an organization’s goals and objectives, CAEs
should plan to regularly review and report on governance
processes.
(b)
CAEs should carefully document key aspects of the governance
processes in the organization, if Management has not already
adequately documented the processes. It is possible that
Management itself may not have formalized processes and
practices, which may have evolved over a period of time. When
the processes are documented, CAEs should have Management
confirm the accuracy of the documentation and the Auditor's
understanding of the processes. This process in itself is likely to
contribute to the governance process, as Management is made
aware of the importance of certain practices and also possibly
the lack of certain processes. The CAE should ensure that the
documentation of the existing governance processes is kept up
to date. Knowledge of these processes assists the CAE in
preparing the Annual Audit Plan.
(c)
CAEs should conduct a preliminary evaluation of the documented
governance processes and the risks associated with the
processes. Based on a preliminary evaluation of the processes
mentioned in the above paragraph, the CAE could take one of
three approaches to auditing governance processes:
(i) Conduct audits at the macro level - such audits would
include the entire governance framework, including ethics,
planning, monitoring and reporting.
(ii) Conduct audits at the micro level – considering specific
risks, processes such as monitoring, or activities such as
those related to promotion of organizational ethics or some
combination of these elements.
(iii) In addition to the above, it should be noted that audit
engagements that are not focused on governance, for
example an audit of a particular programme or activity such
as procurement, would nevertheless include some elements
of governance issues. Therefore, CAEs could also collect the
necessary information and evidence on governance
processes systematically across several audits and
aggregate all the governance related findings for inclusion in
a periodic audit report on governance issues.
(d)
The CAE should use the evaluations mentioned in the above
paragraph as input into the overall annual planning process
(Strategic and Annual Plan). The audit engagements relating to
governance should be prioritized on the basis of assessed risks
within the audit-planning framework and included within the
Annual Audit Plan, if appropriate.
(e)
The methodology for evaluating and reporting on an entity’s
governance processes needs to be logical and appropriate.
Internal Auditors, in conducting an assessment of governance
processes in a specific subject area that is included in the Annual
Audit Plan should follow the auditing process and procedures
including:
(i) Obtaining adequate and relevant evidence by conducting
audits guided by comprehensive audit plans which clearly
establish audit objectives, scope of the work and the audit
steps required to achieve the audit objectives.
(ii) Evaluating evidence against established criteria, identifying
the causes of any deficiency that is identified, and the likely
impact of the findings on the Organization.
(iii) Reporting the results of the audit together with
recommendations.
(iv) Properly documenting the evaluation process.
4.3 Risk Management and Risk Assessment
4.3.1 Risk is defined as the possibility of an event occurring that will have
an impact on the achievement of objectives. Risk is measured in
terms of the likelihood of an adverse event occurring and the impact
of that event in case it does occur. Management is responsible for
risk management. Internal Audit is responsible for assessing whether
the risk management system has identified all key risks faced by the
organization and appropriate measures and controls have been
established to minimize the impact of the risk should it occur.
4.3.2 Risk management is a key responsibility of management. To achieve
its business objectives, management should ensure that sound risk
management processes are in place and functioning. Persons
responsible for risk management within the organization should be
clearly identified and assigned responsibilities for both identifying risk
exposures and implementing measures to mitigate those risks.
4.3.3 Risk management may vary from organization to organization due to
various factors such as the stage of the development of management
culture and processes in the organization, management style, the size
of the organization and the complexity of its business. Large and
complex organizations may have specific organizational units
dedicated to the management of risk through formal structures and
systems. Smaller and less complex organizations may manage risks
through less formal processes. Nevertheless, a modern approach to
management requires managers to be aware of and recognize risks,
and address those risks in ways that are appropriate to the nature of
the organization’s activities. For instance, the risk management
structure in small PSEs does not have to be as sophisticated as that
found in large PSEs that deal with much larger amounts of funds and
are involved in complex programmes and projects.
4.3.4 Role of Internal Audit in Risk Management
(i) IIA Standard 2120 (Risk Management) states that the
internal audit activity must evaluate the effectiveness and
contribute to the improvement of risk management
processes. Also, IIA Standard 2120.A1 requires that the
internal audit activity evaluate risk exposures relating to
the organization’s governance, operations, and information
systems regarding the:
(a) Reliability and integrity of financial and operational
information.
(b) Effectiveness and efficiency of operations.
(c) Safeguarding of assets; and
(d) Compliance with laws, regulations, policies, procedures
and contracts.
(ii) Furthermore, IIA Standard 2120.A2 states that the
internal audit activity must evaluate the potential for the
occurrence of fraud and how the organization manages fraud
risk.
(iii) Internal Audit is responsible for the assessment of adequacy
of risk management process within an entity. In particular,
the Internal Auditor needs to assess whether the risk
management methodology and processes adopted by
Management are sufficiently comprehensive and appropriate
for the scale and nature of the organization’s activities.
Internal Auditors determine this by undertaking special audits
or engagements with clearly defined audit objectives and
audit steps to collect sufficient evidence to assess whether
risks have been managed adequately.
(iv) It is possible that Management in some entities may not have
established or implemented risk management policies or the
risk management process may still be in a development stage
or the system may be rather informal in nature. In such
situations, the CAE should discuss with the Board and AO of
the entity, their obligation with respect to risk management.
Management needs to understand, manage and monitor risks
to ensure that the probability of achieving its organizational
objectives is not reduced by events that could be foreseen
and managed. Management has the responsibility to ensure that
the processes within the organization are properly required to
identify key risk areas and to manage those identified risks
adequately with appropriate mitigation measures and
controls.
(v) Where risk management has not been developed or is still in
an early developmental stage, the Board or AO may require
Internal Auditors to play an active role in risk management.
Subject to the specific direction provided by the Board/AO,
the CAE should take a proactive role in Risk Management
within the entity. This proactive role could be in the form of
providing continuous support to Management in developing
and maintaining a risk management system. Alternatively,
such support may only include periodic participation in
various management committees, monitoring activities or
reporting on the progress being made in implementing the
risk management processes in the organization. On the other
hand, in some instances, the CAE could be given the
complete responsibility for the development and maintenance
of a risk management system for a period of time until the
Board/AO is able to make different arrangements. Such a
proactive role could, in the mid to long-term, help the
organization manage risks more purposefully and improve the
likelihood of achieving its goals and objectives.
(vi) When taking on any responsibility for the risk management
function, and given that resources allotted to the internal
audit function in the entity are rather limited, the CAE should
inform the Board/AO about the impact of such additional
responsibilities on internal audit work. Further, the
involvement of the CAE in such activities should be clearly
reflected in the CAE’s audit activity reports.
(vii) By assuming responsibilities for risk management, which is
essentially a management function, the independence of the
CAE and the IAU may be adversely affected. These concerns
should be properly recorded and discussed with the Board/AO
and also reflected in the CAE’s audit activity report, where
necessary and appropriate.
4.3.5 Risk Assessment in Internal Auditing.
(a)
The CAE is responsible for developing a risk-based plan. The CAE
takes into account the organization’s risk management
framework, including using risk appetite levels set by
management for the different activities or parts of the
organization. If a framework does not exist, the CAE uses
his/her own judgment of risks after consultation with senior
management and the board. Moreover, the internal audit
activity’s plan of engagements must be based on a documented
risk assessment undertaken at least annually. The input of senior
management and the board must be considered in this process.
Furthermore, internal auditors must conduct a preliminary
assessment of the risks relevant to the activity under review.
Engagement objectives must reflect the results of this
assessment.
(b) Internal Auditors are required to conduct risk assessments and
make conclusions about the adequacy of risk management in an
entity for the purpose of establishing both the Strategic and
Annual Audit Plan and the Engagement Plans for the conduct of
audits in individual areas.
4.3.6 Risk Assessment and Annual Audit Planning
CAEs should use risk assessments in preparing the IAU’s Strategic and the
Annual plans. The operational processes that constitute the audit universe
help the CAE identify and prioritize those programmes, activities,
organizational units and operations that should be included as potential
audit engagements in the Annual Audit Plan. Such systematic prioritization
based on risks as well as other pertinent factors is essential to ensure that
scarce resources are allocated to conduct audits of areas that bear the
highest risk to achieving organizational goals and objectives. Detailed
guidance on the use of risk assessment in the planning process is provided
in Chapter V.
4.3.7 Risk Assessment and Audit Engagements
Risk assessment is an important part of planning and conducting audit
engagements (audit work) of the areas or subjects identified and included
in the Annual Audit Plan. A detailed assessment of risks at the micro level,
i.e. at the level of the subject area, helps the CAE and the Internal Auditors
establish and refine the objectives of conducting the audit (Audit Objective).
It is also instrumental in determining the audit programme or steps i.e. the
lines of enquiry, so as to ensure that efforts are focused on the most
important risks associated with the subject being audited. Detailed guidance
on the use of risk assessment in Engagement Planning is provided in
Chapter VI.
4.4 Internal Control
4.4.1 Establishing and maintaining an effective internal control system is a
legal requirement in the management of PSEs. For both MDAs and LGAs, the
requirement for establishing and maintaining effective control
systems is enshrined in the Public Finance Act (2001) and its Regulations
and the Local Authorities Finances Act (1989) and its Memorandum
(2009), respectively.
At the national level, Regulation 10 (40) (b) of the Public Finance
Regulations (2001), as amended in 2010, charges the Accountant
General with the responsibility of ensuring that the system of internal
control in every MDA is appropriate to the needs of that organization
and conforms to internationally recognized standards in respect to
status and procedures. Moreover, at the institutional levels,
Regulation 11 (2) (d) of the Public Finance Act (2001), as amended in
2010, requires MDAs’ Accounting Officers to establish and maintain an
effective system of internal control over financial and related
operations, whereas section 11 of the LAFM (2009) charges LGA
Directors and the Treasurers with responsibility to support the system
of internal controls.
4.4.2 IIA Standard 2130 (Control) states that the internal audit activity
must assist the organization in maintaining effective controls by
evaluating their effectiveness and efficiency and by promoting
continuous improvement. Moreover, IIA Standard 2130.A1 states
that the internal audit activity must evaluate the adequacy and
effectiveness of controls in responding to risks within the
organization’s governance, operations, and information systems
regarding the:
(a) Reliability and integrity of financial and operational information;
(b) Effectiveness and efficiency of operations;
(c) Safeguarding of assets; and
(d) Compliance with laws, regulations, and contracts.
4.4.3 The purpose of the control processes is to make sure that what
happens in the organization is what is supposed to happen and that,
to the extent practical, undesirable results do not occur. Adequate
Control is present if management has planned and organized controls
(designed) in a manner that provides reasonable assurance that the
organization’s risks have been managed effectively and that the
organization’s goals and objectives will be achieved efficiently and
economically.
4.4.4 Internal control relates to more than just financial transactions. It
involves almost all operations of the entity. Internal controls help the
organization manage its risks by:
(a) Promoting orderly, economical, efficient and effective
operations, and producing quality products and services
consistent with the organization’s mission.
(b) Safeguarding resources against loss due to waste, abuse,
mismanagement, errors and fraud.
(c) Promoting adherence to laws, regulations, contracts and
management directives.
(d) Developing and maintaining reliable financial and
management data presenting accurate, reliable and
timely information and reports.
4.4.5 Role of Internal Audit in Internal Control
(e) Internal Auditors should assess the effectiveness of internal
controls established by Management. As enshrined in the Audit
Charter and Standards, Internal Auditors are required to
examine internal controls to ensure that firstly the controls
have been properly designed to achieve the specific control
objective of managing identified risks and secondly, that the
controls are functioning effectively as designed by
Management.
(f) The effectiveness of the system of internal controls of an
organization is a critical factor that needs to be taken into
account in preparing the Annual Audit Plan. The effectiveness
of the organization’s risk management system is largely
dependent on the effectiveness of the control systems that are
implemented to manage the key risks. Hence the effectiveness
or otherwise of the internal control system is in itself a key risk
factor that needs to be taken into account when planning audit
work for the year. The importance of key internal controls
systems at the macro level and those control systems that have
been identified to be potentially inadequate or weak help
determine what audit work the IAU should undertake and how
audit resources should be allocated.
(g)
When conducting audit engagements of selected subject
areas, internal auditors are required to assess the risks to the
organization at the micro level - i.e. the risks faced by the
organization at that particular operational level. Following this,
it will be necessary to determine if adequate controls have
been established to address the risks. The review of internal
control is an integral part of any audit engagement.
(h)
Internal Auditors need to understand the nature of internal
controls and how different controls should be established for
different risks within the overall internal control framework of
the organization. Internal auditors should plan the audit
engagement by establishing clear Audit Objectives and
determine criteria for the measurement of the Audit Objective.
In order to achieve most Audit Objectives, the Internal Auditor
would have to devise audit programmes to determine the
existence of internal controls and then determine if they are
both effective and efficient.
4.5 Fraud Management
4.5.1.1
The primary responsibility for the prevention and detection
of fraud rests with both those charged with governance of the
entity and management.
4.5.1.2
IIA Standard 1210.A2 states that Internal auditors must have
sufficient knowledge to evaluate the risk of fraud and the manner
in which it is managed by the organization, but are not expected
to have the expertise of a person whose primary responsibility is
detecting and investigating fraud. Moreover, IIA Standard 2120.A2
states that the internal audit activity must evaluate the potential
for the occurrence of fraud and how the organization manages
fraud risk and IIA Standard 2210.A2 states that Internal auditors
must consider the probability of significant errors, fraud,
noncompliance, and other exposures when developing the
engagement objectives.
4.5.1.3
Fraud is generally used to describe such acts as deception,
bribery, forgery, extortion, corruption, theft, conspiracy,
embezzlement, misappropriation, false representation,
concealment of material facts and collusion. Fraud deprives
someone or an entity of something by deceit through blatant
theft, misuse of funds or other resources, or through more
complicated acts like false accounting and the supply of false
information.
4.5.1.4
Fraud and corruption (the misuse of entrusted power for private
gain) have an adverse impact on organizations. Fraud losses that are
known and confirmed indicate that the costs can be high. The true
cost of fraud, however, is even higher than just the loss of money,
given its impact on time, productivity, reputation, relationships
with service providers and most of all the trust and perception of
ordinary citizens.
4.5.1.5
Most frauds begin small and continue to grow, as the scheme
remains undetected. Very often perpetrators view initial stealing
as a temporary or even one-time event. However, when fraudsters
see that their offence was not detected and opportunities continue
to exist, the fraudsters accelerate their activities and even actively
begin to take measures to conceal the fraud. As the fraud
continues to grow, concealment becomes difficult. It is likely that
a fellow employee, management, or an internal or external auditor
will help detect it.
4.5.1.6
Fraud can range from minor employee theft and unproductive
behavior to large-scale misappropriation of assets and resources
by managers. Studies indicate that members of management
commit most frauds. Managers generally have access to
confidential information, enabling them to override or circumvent
internal controls and inflict greater damage to the organization
than lower level staff members. Fraud perpetrators tend to be in
positions of trust in the organization. They are motivated by a
personal need and are able to rationalize their actions, albeit
through illusion.
4.5.1.7
Good governance, risk management and internal controls can help
establish a combination of prevention, detection and deterrence
measures to minimize opportunities for fraud. Most fraudulent
schemes can be avoided with basic internal controls and effective
audits and oversight. Unfortunately, some types of fraud can also
be difficult to detect because they often involve concealment
through falsification of documents or collusion among members of
management, employees, or third parties. Managers and Internal
Auditors therefore need to have sufficient knowledge and insight
about the operations of the entity and the particular vulnerabilities of
the organization, and always exercise due professional care in
performing their responsibilities.
4.5.2 Types of Frauds
The range of fraud activities and schemes affects all aspects of
government operations though some activities like procurement are
more susceptible to fraud, particularly because substantial amounts
are involved and there is always an element of discretion to be
exercised. Fraud is possible or prevalent in the collection of revenues,
payment of expenses, and in the management of assets, including
movable and immovable assets. The following are some examples of
common frauds:
(a) Misappropriation or stealing - of cash or assets of any
value (supplies, inventory, equipment, and information)
mainly by adjusting or falsifying relevant records.
(b) Skimming – stealing cash and assets from an
organization before it is recorded on the organization’s
books and records. For example, an employee collecting
taxes, fees or charges does not record the receipt in the
records.
(c) Disbursement against falsified and fictitious
documents – mainly for goods and services that were not
received. This would include invoices that are inflated by
manipulation of quantities, quality and prices. This could
also include falsified claims purportedly submitted by third
parties for all kinds of entitlements approved by the
government for its citizens.
(d) Fraudulent expense claims by staff and others – for
travel or activities that did not occur and sometimes using
falsified bills to inflate expenses for food, facilities and
hospitality functions.
(e) Payroll – claims for hours not worked and adding non-existent
employees (ghost employees) to the payroll or improperly
claiming certain allowances for which there was no
entitlement.
(f) Procurement of goods and services – this can occur at
any stage of a procurement cycle:
(i) Specifications for requirements are manipulated and
not professionally prepared.
(ii) Tenders or bidding processes, including evaluations
of tenders and bids, are subverted and not
conducted in a transparent manner that promotes
effective competition among suppliers.
(iii) Using sole source procurement without proper
justification or approval.
(iv) Overstating quantities of goods or levels of service
received or the quantity and quality of work
performed by contractors. This also applies to
disposal of government assets.
(g)
Misuse of entrusted power for private gain – such
abuse is normally tantamount to corruption. Corruption is
often an off-book fraud, meaning that there is little
financial physical evidence available to prove that the
crime occurred. Very often the corrupt employees simply
receive cash payments under the table. In most cases,
such crimes are uncovered through tips or complaints from
third parties, often through a complaints bureau or a fraud
hotline. Corruption often involves the purchasing function.
Any employee authorized to spend an organization’s
money is a possible candidate for corruption.
(h)
Bribery - the offering, giving, receiving, or soliciting of
anything of value to influence an outcome. Bribes may be
offered to key employees or managers such as purchasing
agents who have discretion in awarding business to
vendors. In the typical case, staff responsible for
purchasing accept kickbacks to favor a particular outside
vendor in buying goods or services.
(i)
Conflict of interest - an employee, manager, or
executive of an organization has an undisclosed personal
economic interest in a transaction that adversely affects
the organization. This could involve the award of contracts
at favorable terms to related persons or a company in
which the employee has an interest.
(j)
Tax evasion - intentional reporting of false information
on a tax return to reduce taxes owed and employees
responsible for verifying the tax return do not perform the
stipulated verifications to detect such misstatements.
4.5.3 Fraud Indicators (Red flags)
Incidence of fraud is often, but not always, marked by some warning
signals or red flags. People who perpetrate fraud display certain
behaviors or characteristics that may serve as warning signs or red flags.
Red flags may relate to time, frequency, place, amount or personality
and include, but are not limited to, the following:
(a) Red flags include overrides of controls by management or
officers, irregular or poorly explained management
activities, consistently exceeding goals/objectives
regardless of changing business conditions, preponderance
of non-routine transactions or journal entries, problems or
delays in providing requested information, and significant
or unusual changes in customers or suppliers. Red flags
also include transactions that lack documentation or
normal approval and employees or management
hand-delivering checks or payments.
(b)
Personal red flags include living beyond one’s means;
conveying dissatisfaction with the job to fellow employees;
unusually close association with suppliers; severe personal
financial stress due to debts or losses; addiction to drugs,
alcohol or gambling; changes in personal circumstances;
and developing outside business interests. In addition,
there are fraudsters who consistently rationalize poor
performance, perceive beating the system to be an
intellectual challenge, provide unreliable communications
and reports, and rarely take vacations or sick time (and
when they are absent, no one performs their work).
4.5.4 Role of Management in Fraud Management
Prevention and detection of fraud in an entity is one of the core objectives
of good Governance, Risk Management and Internal Control. Both
Management and the Internal Auditors, while undertaking their respective
roles and activities under these three fields, need to be cognizant of the
vulnerabilities of the organization to fraud that may be perpetrated both
internally by the staff and externally by others. Notwithstanding these
actions, frauds do occur and Management is responsible for prevention
measures. Management therefore needs to:
(a) Establish clear policies, mechanisms and procedures to
investigate and resolve alleged or suspected frauds. This
may include involving the Anti-Corruption Commission,
Legal officers and the Internal Auditors in all stages of
the process.
(b) Take appropriate measures to recover the financial and
other losses from the illegal beneficiaries of the fraud
and appropriate action on all those involved in the fraud
in accordance with the relevant civil service regulations
and other laws. This may also include staff whose
negligence provided opportunity for the fraud to occur.
(c) Communicate the results of the investigations to the
appropriate authorities.
(d) Based on lessons learnt, reassess risks to the
organization and take corrective actions to strengthen
appropriate internal controls to prevent recurrence of the
fraud.
4.5.5 Role of Internal Audit in Fraud Management
Although Internal Auditors normally do not have direct responsibility for the
incidence of fraud, the credibility of the internal audit function hinges on the
quality of the work performed by the CAE and IAU, both when preparing
the Annual Audit Plan and planning and conducting individual audit
engagements. Internal Auditors have to be able to demonstrate that they
have exercised due professional care and diligence in performing the work.
Therefore, internal auditors need to be alert to control weaknesses as well
as signs and possibilities of fraud within an organization, particularly given
their continual presence in the organization that provides them with a good
understanding of the organization and its control systems.
Internal Auditors, when assessing the adequacy and effectiveness of
internal controls should take note that the existence of opportunities is one
of the primary reasons for the occurrence of frauds. In addition to the
regular tasks, the CAE should assist Management efforts to improve
prevention and deterrence of fraud by:
(a) Providing consulting expertise (advice) in establishing effective
fraud prevention measures.
(b) Reviewing and analyzing reports prepared by others on specific
fraud incidents to identify root causes of fraud and propose
remedial measures.
(c) Promoting fraud awareness within the organization by
providing training on ethics, risks and controls.
(d) Managing a hotline, where necessary, to receive reports from
whistleblowers (staff and others) on possible fraud within the
organization and investigating those reports.
(e) Conducting, where there is sufficient evidence or where there
are other valid reasons to do so, proactive auditing to search
for misappropriation of assets and other possible wrongdoings.
4.5.6 Role of Internal Audit in Fraud Investigations
(a) Investigation and internal auditing are two distinct professions.
An auditor whose primary responsibility is to conduct
investigation must undergo special training on investigation
and acquire relevant certification such as Certified Fraud
Examiner (CFE).
(b) The CAE can take on different roles with respect to fraud
investigations. For example, an Internal Auditor may have the
primary responsibility for fraud investigations, may act as a
resource for investigations, or may refrain from involvement in
investigations. The role of the internal audit activity in
investigations needs to be clearly defined, preferably in the
Internal Audit Charter or in a separate and well-publicized
document issued by the AO or a higher authority. Care should
be taken to ensure that the involvement in investigations does
not impair the independence of the CAE and IAU. Where an
IAU takes any active role in investigations, the CAE has to
ensure that there is sufficient proficiency among the Internal
Auditors within IAU to undertake the assigned role. The
Internal Auditors in this case would have to obtain sufficient
knowledge of fraudulent schemes, investigation techniques and
applicable laws.
(c) Where the CAE is of the view that there is inadequate internal
capacity to undertake an investigation, the CAE should
communicate with the Board/AO to seek other options,
including seeking external assistance.
(d) Where primary responsibility for the investigation function is
not assigned to the CAE, the CAE may still be requested to
assist in the investigations in such roles as gathering
information and analyzing particular types of transactions and
providing advice on those transactions. Management may also
require the CAE to review reports on fraud investigations that
have been performed by others and make recommendations for
internal control improvements. In all such cases, the CAE
should have clear written terms on the specific responsibilities
assigned to and agreed by him so as to safeguard against
misunderstanding and impairment of independence.
(e) Where the CAE undertakes responsibility for the whole of an
investigation or parts of an investigation, the CAE should, where
appropriate in consultation with Management and legal officers,
establish a protocol for undertaking the responsibility. The
following elements may form part of such a protocol:
(i) Gathering evidence through surveillance, interviews, or
written statements.
(ii) Documenting and preserving evidence;
(iii) Considering legal rules of evidence, and the business
uses of the evidence.
(iv) Determining the extent of the fraud.
(v) Determining the techniques used to perpetrate the fraud.
(vi) Evaluating the cause of the fraud.
(vii) Identifying the perpetrators.
(viii) Form and periodicity of reporting on the findings of the
investigations.
4.5.7 Analysis of Lessons Learnt from Fraud Incidents
(a) After a fraud has been investigated either by the Internal Auditor
or other parties, and communicated to the Board/AO and other
relevant authorities, it is important for Management and the CAE
to step back and review the lessons learned. Such a review may
include the following:
(i) How did the fraud occur?
(ii) What controls failed and why?
(iii) What controls were overridden?
(iv) Why wasn’t the fraud detected earlier?
(v) What red flags were missed by Management and the
Internal Auditors?
(vi) How can future frauds be prevented or more easily
detected?
(vii) What controls need strengthening?
(viii) What internal audit plans and audit steps need to be
enhanced?
(ix) What additional training is needed?
(b) Based on the review, both Management and the CAE need to
implement a plan of action to remedy identified deficiencies and
prevent and deter its recurrence.
CHAPTER 5
5. Developing Strategic and Annual Risk Based Audit Plan at PSEs.
5.1 Fundamentals of Internal Audit Planning
5.1.1 Audit Planning helps to focus audit activities on the risks that prevent
an organization from achieving its objectives and to align audit
activities with management’s strategic priorities. Two types of audit
plans should be prepared:
(i) Strategic Risk Based Internal Audit Plan,
(ii) Risk Based Internal Audit Annual Plan.
5.1.2 These plans serve the purpose of setting out, in strategic and
operational terms, the broad roles and responsibilities that are
articulated in the internal audit charter.
5.1.3 IIA standards relevant for planning include:
(i) IIA Standard 2010 – Planning: The chief audit executive
must establish a risk-based plan to determine the priorities of
the internal audit activity, consistent with the organization’s
goals.
(ii) IIA Standard 2010.A1 - The internal audit activity’s plan of
engagements must be based on a risk assessment,
undertaken at least annually. The input of senior
management and the board should be considered in this
process.
(iii) IIA Standard 2110 – Risk Management: The internal
audit activity must assist the organization by identifying and
evaluating significant exposures to risk and contributing to the
improvement of risk management and control systems.
(iv) IIA Standard 2110.A1 - The internal audit activity must
monitor and evaluate the effectiveness of the organization's
risk management system.
(v) IIA Standard 2110.A2 - The internal audit activity must
evaluate risk exposures relating to the organization's
governance, operations, and information systems regarding
the
(a) Reliability and integrity of financial and operational
(b) Effectiveness and efficiency of operations.
(c) Safeguarding of assets.
(d) Compliance with laws, regulations, and contracts.
(vi) IIA Standard 2120 – Control: The internal audit activity
must assist the organization in maintaining effective controls
by evaluating their effectiveness and efficiency and by
promoting continuous improvement.
(vii) IIA Standard 2060 – Reporting to the Board and Senior
Management: The chief audit executive must report
periodically to the board and senior management on the
internal audit activity’s purpose, authority, responsibility and
performance relative to its plan. Reporting should also include
significant risk exposures and control issues, corporate
governance issues, and other matters needed or requested by
the board and senior management.
5.2 Overview of Risk-Based Audit Planning Process
To be consistent with the IIA Standards, the CAE undertakes an annual risk-based planning process to determine the internal audit priorities for the
upcoming year and notionally, for an additional two years. The sections
that follow describe the steps in the planning process and identify some of
the key factors that must be taken into consideration in developing effective
plans.
The audit planning process in the Entities should employ a collaborative and
consultative risk-based approach relying heavily on the internal audit staffs’
professional judgment and experience to identify areas of greatest audit
priority.
5.3 Developing Annual Risk Based Internal Audit Plan
The annual plan is a schedule that gives, in more detail, the audit activities
in a given year. It provides more information about the exact nature of
internal audit work that will be undertaken in the next year and it is broken
down into quarters and months. The risk based annual plan must be
sufficiently detailed to enable Accounting Officer, management and audit
committee to be satisfied that the proposed coverage is adequate.
The stages for developing the annual risk based internal Audit Planning are
provided in figure 1 below.
Figure 1: Stages in the Annual Risk based Internal Audit Plan
Stage 1: Define the Audit Universe
Stage 2: Group the Audit Universe into Manageable Auditable Unit
Stage 3: Conduct Risk Assessment of the Manageable Auditable Units
Stage 4: Select the Significant Audit Engagements
Stage 5: Develop One year Plan of Significant Audit Engagements
5.3.1 Stage 1- Define the Audit Universe
The audit universe may be identified by the following methods:
(i) By the organizational structure:
Divide the organization by function as identified in the organization chart.
This should be extended to lower levels as seen feasible by the auditors
(e.g. in each function – directorate, department, unit, section etc.)
(ii) By business processes:
Divide the Entity by main business processes or programs (e.g.
procurement process, payment process etc).
(iii) By coordinating with management-defined risk universe:
If the Entity has a well-developed ERM (with a risk register), you may use
the risks identified by management as a possible audit universe. However, for
a PSE with less mature Enterprise Risk Management, this part may be done
in combination with any of the above methods, e.g. when the organization
is divided by functions, the auditor may also use the management risk
register to identify risks falling in each of the functions.
5.3.2 Stage 2 - Grouping of Universe into Manageable Auditable
Units
All the potential universe entities and elements are grouped into units that
would likely produce meaningful findings for senior management and that
would be of such size and scope that an audit engagement could be
practically conducted within a reasonable timeframe or cycle of coverage.
5.3.3 Stage 3 - Risk Assessment of Manageable Auditable Units
Each auditable unit is assessed, using a scale of 1 to 5 where 1 is low and 5
is high, in terms of risk related to its significance to achievement of PSEs
objectives, its complexity in terms of ensuring that intended outcomes are
achieved, and its sensitivity in terms of the public or the intended
beneficiaries. Auditors may use risk factors applicable to their environment,
which may include: impact on revenue, impact on expenditure, impact on
operations, political sensitivity, level of process automation, susceptibility
to fraud and corruption, compliance with laws, management change, public
perception, and time since last audit.
5.3.4 Stage 4 - Selection of Significant Audit Engagements
Audit projects are proposed that would be most appropriate to address the
highest risk areas of the manageable audit units on a priority basis.
5.3.5 Stage 5: - Develop one-year risk audit plan
As a minimum the plan should outline for each proposed audit engagement
as follows:
(a) Audit title
(b) Responsible area
(c) Type of audit (financial, performance, etc)
(d) Summary description of the audit
(e) Priority and resources to be used to conduct the audit (e.g.
outsourced or in-house)
(f) Estimated duration and cost
(g) Proposed timing of the audit including the month/quarter and
when it is expected to be completed.
Template 4 provides a sample of Annual Risk-based Internal Audit
Plan.
5.4 Developing Strategic Risk Based Internal Audit Plan
5.4.1 Strategic risk-based plans are designed to ensure that audit resources
are allocated to areas that will help achieve strategic outcomes and
reduce the possibility that the Entity will be exposed to significant
risks. Internal auditors must produce a strategic risk based internal
audit plan that ensures that the key risks are covered over an
extended period of time (usually three years).
5.4.2 The Strategic Risk Based internal audit plan should outline the broad
strategic direction of internal audit over the medium term (usually 3
or 5 years) depending on the respective Entity’s Strategic Plan. After
carrying out the annual risk-based planning process to determine the
internal audit priorities for the upcoming year, the CAE is to hypothetically
extend it for an additional two years so as to have a strategic risk-based
audit plan for three years.
5.4.3 The stages for developing the annual risk based internal Audit
Planning are provided in figure 1 below.
Figure 2: Stages in the Strategic Risk based Internal Audit Plan
Stage 1: Define the Audit Universe
Stage 2: Group the Audit Universe into Manageable Auditable Unit
Stage 3: Conduct Risk Assessment of the Manageable Auditable Units
Stage 4: Select the Significant Audit Engagements
Stage 5: Develop a Three years Plan of Significant Audit Engagements (Year 1, Year 2, Year 3)
Practically, from the annual risk based audit plan, take the information
about the organization and its functional areas and turn these into a
strategic plan (this depends on the choice of how to arrange the audit
universe, i.e. by functions or processes). The areas that are ranked as high
priority are to be audited frequently, usually annually, whereas
auditable units with a low priority could be planned to be audited rarely
within the three-year plan phase. See Template 4.a for possible contents
and structure of a Strategic Internal Plan.
5.5 Communication and Approval for the Internal Audit Plans
Internal audit provides assurance to the management of an organization
and therefore, it is important for both the strategic and annual plans to be
discussed and communicated to:
(i) The management so as to get management views and buy in.
(ii) The Audit Committee for their review and/or approval of audit coverage
of risky/crucial areas and resource requirements.
(iii) The Accounting Officer/Board for review and approval of both the
plans and resource requirements.
(iv) Other external stakeholders as required by the law.
5.6 Quality Review of the Internal Audit Plans
The strategic and annual risk based audit plans should be submitted to the
Internal Auditor General by 15th June of every year for quality review,
comments and further guidance.
CHAPTER 6
6. Conducting and Reporting on the Audit Engagement
6.1 Introduction
This chapter describes the standard approach for undertaking internal audit
engagements, i.e. the internal audit process.
The audit procedures and techniques discussed in this chapter are generic
and thus can be used in any audit engagement (e.g. procurement, payroll
system, budgetary management and control, human resources etc).
6.2 Relevant IIA Standards in conducting audit engagements are:
(i) IIA Standard 1200 – Proficiency and Due Professional Care:
Engagements must be performed with proficiency and due
professional care.
(ii) IIA Standard 1220 - Due Professional Care: Internal auditors
must apply the care and skill expected of a reasonably prudent and
competent internal auditor. Due professional care does not imply
infallibility.
(iii) IIA Standard 1220.A1 - The internal auditor must exercise due
professional care by considering the:
(a) Extent of work needed to achieve the engagement's
objectives.
(b) Relative complexity, materiality, or significance of matters to
which assurance procedures are applied.
(c) Adequacy and effectiveness of risk management, control,
and governance processes.
(d) Probability of significant errors, irregularities, or
noncompliance.
(e) Cost of assurance in relation to potential benefits.
(iv) IIA Standard 2200 – Engagement Planning: Internal auditors
must develop and record a plan for each engagement, including
the scope, objectives, and timing and resource allocations.
(v) IIA Standard 2201 - Planning Considerations: In planning the
engagement, internal auditors must consider:
(a) The strategies and objectives of the activity being reviewed and
the means by which the activity controls its performance.
(b) The significant risks to the activity, its objectives, resources,
and operations and the means by which the potential impact of
risk is kept to an acceptable level.
(c) The adequacy and effectiveness of the activity’s governance,
risk management and control systems compared to a relevant
control framework or model.
(d) The opportunities for making significant improvements to the
activity’s governance, risk management and control systems.
(vi) IIA Standard 2210 – Engagement Objectives: Objectives
must be established for each engagement.
(vii) IIA Standard 2210.A1 – Internal auditors must conduct a
preliminary assessment of the risks relevant to the activity under
review. Engagement objectives must reflect the results of this
assessment.
(viii) IIA Standard 2220 – Engagement Scope: The established
scope must be sufficient to satisfy the objectives of the
engagement.
(ix) IIA Standard 2240 – Engagement Work Program: Internal
auditors must develop and document work programs that achieve
the engagement objectives.
(x) IIA Standard 2240.A1 - Work programs must include
procedures for identifying, analyzing, evaluating, and recording
information during the engagement. The work program must be
approved prior to its implementation, and any adjustments
approved promptly.
(xi) IIA Standard 2240.C1 – Work programs for consulting
engagements may vary in form and content depending upon the
nature of the engagement.
(xii) IIA Standard 2300 – Performing the Engagement: Internal
auditors must identify, analyze, evaluate, and document sufficient
information to achieve the engagement's objectives.
(xiii) IIA Standard 2320 – Analysis and Evaluation: Internal
auditors must base conclusions and engagement results on
appropriate analyses and evaluations.
(xiv) IIA Standard 2330 – Documenting Information: Internal
auditors must document relevant and useful information to
support the engagement results and conclusion.
(xv) IIA Standard 2400 – Communicating Results: Internal
auditors must communicate the results of engagement.
(xvi) IIA Standard 2410 – Criteria for communicating:
communication must include the engagement’s objectives, scope
and results.
(xvii) IIA Standard 2420 – Quality of Communications:
Communications must be accurate, objective, clear, concise,
constructive, complete, and timely.
6.3 Overview process on conducting Assurance Engagement
While different internal audit organizations may identify a number of
steps using a variety of terminology, the internal auditing process is
essentially comprised of three main phases namely; Planning,
Performing and Communicating.
At the most fundamental level, the CAE must establish what is going to
be audited (planning), ensure that the approved plan is implemented
(performing), and communicate the results achieved (Communicating).
6.3.1 Planning the Audit Engagement
The planning phase normally consists of three distinct, but often
overlapping, activities, i.e. gaining an understanding of the nature of
the program, activity, organization or initiative being audited,
determining and assessing risks, and determining the most appropriate
audit objectives, scope and criteria to be employed.
(i) Understanding the Audit Entity
The team leader needs to develop a sound understanding of the
program, activity, organization or initiative being audited, including its
management practices, business processes, policies and procedures,
and external and internal environments.
Specifically, to be compliant with the IIA Standards, the team leader
needs to be focused on all important aspects of risk management,
control, and governance processes for the program, activity,
organization or initiative being audited.
Some of the key documents and information to be used by the team
leader to gain a good understanding include:
(a) Applicable Laws, Regulations, Policy, Directives, Procedures and
Standards Manuals,
(b) Results of previous audits or evaluations by the Internal or
External auditor
(c) Organization charts
(d) Job descriptions, delegation instruments and listings of key
personnel
(e) Process and system maps or flowcharts
(f) Operational, financial data, Planning and performance reports
(g) Management meeting reports or minutes
(h) Risk Management frameworks and risk register
(i) Any other documents as the case may be.
The team leader must consider visiting sites and observing operations,
interviewing management, subject matter experts and reviewing any
available internal controls documentation.
(ii) Assessing Risks
The risk assessment process provides a structured means of evaluating
information and applying professional judgment as to the most
important areas for audit examination.
A detailed risk assessment should be undertaken during the planning
phase of the engagement to confirm that the lines of enquiry and the
initial objectives have indeed focused on the most important risks
associated with the program or activity being audited.
The objective statements for the audit, as outlined in the Risk-based
Audit Plan, may need to be amended if the more detailed risk
assessment reveals additional risks or assigns higher or lower risk
scores to those risks already identified. The steps involved in performing
a detailed risk assessment are:
(a) Identify the risks associated with the achievement of the
auditee’s objectives and expected results
(b) Assess the relative significance of the risks in terms of the
likelihood of each risk occurring and the impact should it occur
(c) Determine on a preliminary basis whether management’s
assertions on controls are likely to prevent or mitigate the
occurrence of the risks of greatest concern and
(d) Plan to focus audit objectives and scope on testing the
existence or adequacy and effectiveness of key controls over
areas of greatest risk. Template 5 provides a format for
documenting engagement risk assessment.
The Team Leader must complete the risk assessment alone or with the
participation of auditee representatives. For the detailed process, refer to
the Internal Audit Hand Book Aid.
(iii) Determining Audit Objectives
Once an understanding of the program or activity has been acquired
and the assessment of risks has been completed, including any limited
testing of controls, the team leader recommends the specific objectives
and scope for the audit. Objectives must be carefully considered and
clearly stated in such a way that a conclusion with respect to each is
possible. Objectives may be focused on key generic internal auditing
outcomes, e.g. assurance on risk management, on controls, or on
governance, or may be focused on specific high-risk issues or concerns
identified during the planning phase.
(iv) Determining Audit Scope
The scope statement clearly describes the areas, processes, activities or
systems that will be the subject of the audit and to which the
conclusions will apply. If there are numerical or geographic limitations
to the scope of the audit, these should be specified.
The scope should also describe the time period covered by the audit,
for example, the period or fiscal year during which files or transactions
to be examined were originally prepared.
(v) Determining the Audit Criteria
Criteria suitable for audit purposes must be appropriate to the nature of
the audit. The failure to identify and obtain acceptance by the auditee
of criteria suitable to the audit may result in inappropriate or highly
contested conclusions being drawn by the internal auditor. Good audit
criteria statements should be relevant, reliable, neutral, and complete.
(vi) Determining the Audit Approach
Once the audit objectives, scope and criteria have been clearly
established, the team leader needs to design an approach to carrying
out the audit that will provide the most meaningful result in the most
cost-effective manner.
The audit approach aims to ensure that sufficient appropriate audit
evidence is collected to enable the drawing of a conclusion with respect
to each of the audit objectives.
Using professional judgment, the team leader develops the approach
and methodology based on the nature and extent of evidence needed
to reach a conclusion with a high degree of assurance and the most
appropriate and cost-effective mix of audit tests and procedures to
gather that evidence.
(vii) Ascertain and Document the Internal Control System
(a) The Audit team should ascertain existing internal controls which
provide assurance for: reliability and integrity of information,
Compliance with policies, plans, procedures, laws, and
regulations; the safeguarding of assets, the economical and
efficient use of resources, the accomplishment of established
objectives and goals for the activity under audit.
(b) Ascertainment of the internal control system should result in a
suitable record of the system being audited.
(c) The techniques to ascertain the internal controls shall include,
but are not limited to: interviews with management and business
process owners to identify the process flow and embedded
controls; observation of working practices, which will further
clarify what management has provided; and review of documents.
Document the understanding of the existing internal control system
using either narrative notes or a flow chart. For more
details refer to the Internal Audit Hand Book Aid.
(viii) Evaluate the Internal Control System
Evaluation means to compare what is with what should be; this includes
identification of areas in which essential risk-based controls appear to
be weak, not functioning or missing. Then to work out what needs to be
done as a result of this judgment.
The evaluation should include identification of areas in which essential
risk-based controls appear to be weak, not functioning or missing. The
following points need to be noted in the evaluation:
(a) Evaluation should depend on the criterion which is used by
management or best practice (e.g. procedure manuals for the
activity under audit etc).
(b) The criteria used by management (e.g. the procedure manual)
need to be assessed for adequacy.
(c) Internal Control Questionnaires (ICQ) to assess/evaluate the
presence and adequacy of controls in the activity may be used.
See Hand Book Aid for Template on example of an Internal
Control Questionnaire (ICQ).
(ix) Hold a Team Meeting after the Preliminary Survey
(a) The team leader must hold a meeting after the preliminary
survey. The meeting must include the CAE (if at the base
office) and other team members (but without the client). In
the meeting, the audit team should review and discuss the
results of the preliminary survey and assessment of risks.
(b) Based on the results of the preliminary survey, the audit
team must make a Go or No-Go decision. (Refer to HBS for more
details).
(c) If the CAE agrees with a No-Go decision, the audit team should
produce a “Risk and Control Assessment Report” (See
Template 6). If the Go decision is reached, the team
will prepare an audit engagement plan (See Template 7).
(x) Developing an Engagement Work Program
After the CAE approves the Engagement Plan, the audit team should
prepare an Audit Program (also known as an engagement program, or
audit work program).
The audit program provides directions for the examination and
evaluation of the information needed to meet audit objectives within the
scope of the audit assignment.
The following points need to be taken into account when preparing an
engagement work program:
(a) Start from the process /operating objectives followed by
operating procedures.
(b) Include procedures to assess if key risks identified in the risk
assessment are controlled.
(c) Consider including steps for assessing and ascertaining Value for
Money (VFM) issues.
(d) Provide precise instructions by using instructive words so as to
obtain precise audit information.
(e) The CAE should approve all programs, and all significant changes
to them.
(f) Audit programs should be up-dated periodically as the work
progresses.
See Template 8 for a specimen of an engagement audit program and
for more details refer to HBS.
6.3.2 Performing the Engagement
i. Hold an Entrance meeting with Auditee
The Audit team should meet with the audit client's management and key
supervisory personnel of the audited activity at the entrance meeting (or
opening conference) prior to commencing the audit assignment (Refer
HBS).
In this meeting, the scope and objectives of the audit are discussed and
an opportunity is provided to share any concerns of the team.
Performing the engagement involves implementing the audit steps/tests as
outlined in the Engagement Work Program. The audit team should ensure
the following before starting the fieldwork:
(a) The audit program is in place and each member of the audit team
has a copy.
(b) The responsibilities amongst members of the audit team are
clearly known.
(c) The auditee is aware in advance of the fieldwork and its expected
duration.
(d) Adequacy of the working tools during fieldwork, e.g. working
papers’ folders
(e) Copies of relevant Laws and its Regulations, Standards and other
operating procedures relating to the audit area.
(f) Fieldwork audit checklist (see audit project reminder checklist in
Template 9).
ii. Gathering Audit Evidence
During fieldwork, auditors should systematically and objectively gather
and evaluate evidence about an audited activity and find out whether
the activity meets acceptable standards and criteria set during
preliminary survey.
Evidence consists of all those matters that tend to support a point or
position that is assumed by an auditor. Much of this evidence comes
from testing routines from preliminary survey to fieldwork. IIA’s
Performance Standard 2310 states that information, to qualify as
evidence, should be:
(a) Sufficient - factual, adequate, and convincing.
(b) Competent - reliable and best attainable using
engagement techniques.
(c) Relevant - supports observations and recommendations
and consistent with objectives.
(d) Useful - helps the organization meet its objectives.
For tools on audit evidence, auditors may refer to Chapter VII.
iii. Develop and Record an Audit Finding
i. Audit findings as a result of the evaluation of the
collected audit evidence against audit criteria can indicate
either conformity or nonconformity with audit criteria or
opportunities for improvement. An audit finding could be
in any of the following forms: Action not taken at all;
unsatisfactory system; Action taken improperly, or
Prohibited action taken.
ii. When developing audit findings, the audit team should
When developing audit findings, the audit team should
consider all circumstances surrounding the systems. The
team should objectively analyze all possible problems
around the system. The audit team should also consider
the degree of damage a deficient condition can cause or
has caused before communicating that condition to
management (i.e. consider materiality). This can be
analyzed into possible three categories:
• Insignificant: clerical misstep that all organizations
experience. It does not warrant formal action. Should not
be hidden/ overlooked but: (a) discuss with the
responsible person, (b) see that the error is corrected
and, (c) note the matter in the working papers.
• Minor Findings: These require reporting because they are more than
a random human error. They will continue to have adverse
effects if not corrected, e.g. an employee mixing
personal and organization petty cash of Tshs 500,000.
• Major Findings: Those that would prevent an
organization or department within the organization from
meeting a major objective, e.g. a defective system of
control that resulted or could result in payment errors
totaling Tshs 100m or 0.5% of the total expenditure vote;
these should be reported.
iv. Attributes of Audit Findings
An audit finding is not complete for reporting unless it has five attributes as
exhibited in Figure 3 below:
Figure 3: The Five Attributes of an Audit Finding
(a) Criteria: Are applicable laws, regulations, standards, policies,
circulars, procedures and practices used as reference against
which audit evidence is compared.
(b) Condition: Are problems or opportunities plus evidence found
during audit. What the operation is actually accomplishing (e.g.
there is no evidence that the Head of PMU checked description in
a request letter and compared it to the annual procurement plan).
(c) Cause: Explanation of the root cause of the deviations from the
criteria that occurred. Causes should be deduced from the proximate,
through the intermediate, up to the root causes. E.g. from the example above,
causes were established as follows:
• The Head of PMU's failure to assign staff to perform the
comparison (actual purchase and procurement plan);
• The Head of PMU has not established a checklist for
performing the comparison.
(d) Effect/ Risk: Cost, exposure, risk or timeliness issues that are the
actual or potential effects of what was observed. This can be
shown either quantitatively or qualitatively. They can also be
further analyzed at both functional (systemic) and organizational
levels. For example, in the example above, the effects or risks
could be:
• Items procured could be of low quality compared to what
was intended.
• Misallocation of resources.
(e) Recommendation: What needs to be done to fix the problems
(causes and condition) and what will the benefits be.
Recommendations can be stated in either actionable (imperative)
or modal verbs e.g. “put in place, assign” (Actionable), “should,
must…” (Modal). In our above example, recommendations can be:
• Adherence to procurement plan is recommended.
• Checks and balances should be in place to ensure adequate
control.
(f) All audit findings from the five attribute sheets are recorded into
the Summary of Findings and Recommendations form. See
Template 10 for a sample of a Summary of Findings and
Recommendations Form.
(g) In case the auditor comes across other significant issues/
matters that require remedies but are outside the scope of the current
audit, such matters should be documented as Matters for Next
Audit. See Template 11 for the Matters for Next Audit Form.
v. Hold an Exit Meeting with Auditee
At the end of the field work, auditors should conduct an exit meeting (interim
and final) with the client’s management to discuss and share the key findings
obtained during the audit work. See Template 12 for a record of Exit
Meeting Minutes.
6.3.3 Communicating the Engagement Results
(i) The primary purpose of internal audit reports is to provide
management with an opinion on the adequacy and effectiveness of
the internal control system, risk management and governance
processes and to inform management of significant audit findings,
conclusions and recommendations.
(ii) In summary, the aim of every internal audit report should be to:
(a) Inform: Tell what we have found.
(b) Persuade: Convince management of the worth and validity of
audit findings.
(c) Get results: Move management towards change and
improvement.
(iii) The following guidelines should be observed in communicating
engagement results:
(iv) Engagement results must be disseminated to those who are in a
position to take corrective action or ensure that corrective action is
taken. This may be:
(a) The responsible Head of Department;
(b) Accounting Officer;
(c) Executive management (including Heads of Sections);
(d) Audit Committees; and
(e) Other governance and oversight committees (where
appropriate).
(v) The internal auditors must solicit comments from management
in a timely manner.
(vi) Management must provide comments in accordance with the terms
agreed upon in the engagement letter.
(vii) The IAU should record all attempts to obtain management comments.
(viii) The internal auditors should analyse the management comments
received. The following should be considered:
(a) The adequacy and relevance of management’s response to
findings and recommendations;
(b) Any disagreements raised by management on the findings;
(c) Proposed actions by management; and
(d) The impact of management’s actions on the report.
(ix) Dissemination of results is subject to the policies of the organization
and/or terms of engagement for a specific engagement.
(x) Prior to releasing results to parties outside the organization, the CAE
should:
(a) Assess the potential risk to the organisation;
(b) Consult with senior management and/or legal counsel as
appropriate; and
(c) Control dissemination by restricting the use of the results.
(xi) Depending on the nature of the assignment, the draft audit report
should be developed and completed within 15 days upon
completion of the field work. Where report writing takes more than
15 days, reasons for the delay should be thoroughly explained.
(xii) Management response to the draft report should be submitted to
the CAE within 14 days from the date of issuance of the draft report.
(xiii) Where management response is not received within the allocated
timeframe (14 days), the CAE will remind management in writing, requiring
them to submit their response within 3 more days; if it is
not submitted, the report shall be released without management
response.
For more detailed procedures on the RBIA report writing
process, refer to HBS and to Template 13 for the format of the Internal Audit
Engagement Report.
6.3.4 Conducting consulting engagements
i. Consulting services should focus on assisting management in problem
solving activities, achieving the entity’s objectives and adding value to
line and senior management. The charter should include the authority
and responsibilities of consulting services.
ii. Types of Consulting Engagements
The types of consulting work may include the following:
(a) Formal consulting engagements – those that are planned and
subject to written agreement;
(b) Informal consulting engagements – routine activities such as
participation on standing committees, limited-life audit projects,
ad-hoc meetings and routine information exchange;
(c) Special consulting engagements – participation on dedicated
teams such as a verification team or system conversion team;
and
(d) Emergency consulting engagements – participation on a team
established for recovery or maintenance of operations after a
disaster or other extraordinary business event, or a team
assembled to supply temporary help to meet a special request
or unusual deadline.
iii. Guidelines for Conducting Consulting Engagements
(a) Planning, performing and communicating results of the
engagement should be done in the same way as for an
assurance engagement.
(b) Objectives, scope and limitations of the consulting
assignment should be confirmed in writing in an
engagement letter.
(c) The responsibilities of both management and the IAU
should be defined and documented in the engagement
letter, which should be signed by both parties.
(d) The IAU should obtain an understanding of the nature
of the engagement to clearly articulate the terms of
reference.
(e) Agreed upon procedures should be documented in the
engagement letter and agreed upon with the client.
(f) In the conduct of the assignment, the IAU should
perform the procedures as outlined in the engagement
letter. All working papers prepared during the execution
of the consulting engagement should be kept as
evidence of conducting the procedures.
(g) The IAU should communicate issues and preliminary
results of the consulting engagement with line
management during the conduct of the assignment.
(h) Reporting to management may either be oral, by conducting
a meeting session with line management, or written
updates can be provided to management.
(i) As agreed upon in the engagement letter, the IAU
should report results of the consulting activity.
• Consideration for Acceptance of Consulting Activities
The following guidelines are provided for assisting the IAUs in
accepting consulting activities:
(a) Some consulting activities are specifically identified in the
approved internal audit annual plan;
(b) Other consulting activities are initiated by managers
communicating directly with the CAE as activities happen
within the organisation;
(c) The CAE should request the Audit Committees’ approval
for consulting activities that significantly affect the
approved internal audit’s annual plan;
(d) The CAE should consider the impact of independence
and objectivity on the IAU before acceptance of the
consulting activities;
(e) The CAE should consider whether the internal auditors
have the requisite skills, knowledge, time and
competencies to perform the proposed consulting
activities; and
(f) The CAE should consider the risks associated with the
proposed consulting activities.
CHAPTER 7
7. Applying Internal Audit Tools and Techniques
7.1 Introduction
The use of audit Tools and Techniques (TTs) is essential to any Internal
Audit Function (IAF), as it could help internal auditors achieve their
engagement objectives. Based on the Institute of Internal Auditors (IIA)
International Standards for the Professional Practice of Internal Auditing
(Standards), the audit TTs are crucial dimensions of any internal audit
function. Relevant standards in application of Tools and Techniques are:
(i) IIA Standard 1200 – Proficiency and Due Professional Care -
Engagements must be performed with proficiency and due
professional care.
(ii) IIA Standard 1220 - Due Professional Care - Internal auditors
must apply the care and skill expected of a reasonably prudent
and competent internal auditor. Due professional care does not
imply infallibility.
(iii) IIA Standard 2100 – Nature of Work - The internal audit activity
must evaluate and contribute to the improvement of risk
management, control, and governance processes using a
systematic and disciplined approach.
(iv) IIA Standard 2300 – Performing the Engagement - Internal
auditors must identify, analyze, evaluate, and record sufficient
information to achieve the engagement's objectives.
(v) IIA Standard 2310 – Identifying Information - Internal auditors
must identify sufficient, reliable, relevant, and useful information
to achieve the engagement’s objectives.
(vi) IIA Standard 2320 – Analysis and Evaluation - Internal auditors
must base conclusions and engagement results on appropriate
analyses and evaluations.
(vii) IIA Standard 2330 – Documenting Information - Internal
auditors must document sufficient, reliable, relevant and useful
information to support engagement results and conclusions.
7.2 Audit Evidence
7.2.1 Audit evidence is collected to enable the drawing of conclusions with
respect to each of the engagement objectives. Audit evidence is the
information collected, analyzed and evaluated to support an audit
finding or conclusion. The decisions on which type of evidence to
seek and on how much evidence is enough require professional
judgment. To support the exercise of that judgment, knowledge of
the concepts underlying evidence is necessary.
7.2.2 Attributes of Audit evidence
(i) When considering the adequacy of evidence, the internal auditor
should keep in mind:
(a) The audit is seeking reasonable, but not absolute,
conclusions
(b) Incomplete data may result in the inability to reach
reasonable conclusions
(c) Examination of extensive evidence may be uneconomical,
inefficient and ineffective
(d) Evidence shall be reasonably representative of the population
being reviewed or addressed.
(ii) Therefore, there are a number of attributes that are normally
associated with good audit evidence, i.e.:
Sufficiency - the measure of the quantity of evidence –
enough evidence should be collected and evaluated so that
a reasonably informed unbiased person would agree with
the auditor’s findings and conclusions
7.2.1.1 Reliability – the measure of the appropriateness and
trustworthiness of sources and techniques – generally evidence is
more reliable if from a credible independent source than from the
auditee, if obtained through direct physical examination,
observation, computation and inspection than indirectly,
documentary rather than oral, and confirmed rather than sole
source.
7.2.1.2 Relevance – the measure of the pertinence of the evidence -
evidence shall have a logical relationship to what it purports to
prove.
7.2.3 Types of Audit Evidence
(i) Evidence used to support audit conclusions may be categorized into
different types:
(a) Physical - consists of direct observation and inspection of
people, property and events.
(b) Testimonial - is provided in statements of auditee personnel
and others. Examples of testimonial evidence include letters
in response to audit enquiries and interview notes. If
possible, testimonial evidence should be supported by
documentary evidence.
(c) Documentary - is that which exists in some permanent form
such as records, purchase orders, invoices, memoranda,
and procedure manuals.
(d) Analytical - stems from analysis, verification, and
assessment of compliance-non-compliance, consistency-inconsistency,
or cause-effect.
(ii) In general, evidence accumulated from different sources and of
different types is strongest. The determination of when it is
necessary to gather corroborating evidence from different sources or
of a different nature is a matter of professional judgment. Factors
that may be taken into consideration when deciding whether or not
to seek additional evidence include:
(a) Is there a high degree of consistency among the evidence
already collected (i.e. the lack of contradictory evidence)? If so,
the need for additional evidence is decreased; if not, the need
is increased.
(b) Is there a high degree of risk, significance or sensitivity
associated with the matter to be reported? If so, additional
evidence may reinforce the internal auditor’s conclusion; if not,
existing evidence may be sufficient to gain acceptance of the
conclusion.
(c) Is the cost of obtaining additional evidence worth the benefits
to be obtained in terms of supporting the finding? If not, don’t
bother; if so, proceed.
7.2.4 Methods of Obtaining Audit evidence
An effective approach to gathering audit evidence will normally incorporate
a variety of auditing tools and techniques. Different tools and techniques
have various strengths and weaknesses. For example, one may require a
high degree of technical skill while another requires a high degree of interpersonal
skill; one may be expensive but reliable, another inexpensive but less
reliable.
The following sections describe some common methods of creating or
gathering audit evidence.
(i) Interviews
Interviewing is a frequently used technique to gather evidence and
opinions. Interviews can help to define the issues, furnish evidence to
support audit findings, and clarify positions between the auditor and the
auditee on audit observations and recommendations. Interviews can also be
used to solicit the opinions and experiences of stakeholders or recipients of
the auditee’s products or services. Adequate preparation and good skills are
needed to use interviews effectively in building or confirming audit
evidence.
(ii) Audit Tests
7.2.4.1 Testing implies placing selected activities or transactions “on trial”
to reveal inherent qualities or characteristics. Audit tests are
developed and conducted for either compliance or substantive
verification purposes.
7.2.4.2 Compliance oriented tests are designed to assess the adequacy
and effectiveness of controls, e.g. if a transaction exceeding a set
limit is submitted into a system or process, will it be pulled out for
special consideration, or, if a funded project has a risk score
warranting a special monitoring plan, will it be implemented?
7.2.4.3 Substantive test procedures include the detailed examination
of selected transactions, e.g. a sample of pay transactions could
be reviewed against collective agreements to ensure correct
processing or a sample of contribution files could be examined to
ensure terms and conditions have been respected.
7.2.4.4 In practice, many tests fall into the category of “dual purpose”
tests. The checking of calculations may show that an internal
control checking function is being properly executed (compliance)
and may provide assurance as to the accuracy of the amount
recorded in the system (substantive).
7.2.4.5 Many tests may include the re-performance or mathematical
checking of source documents and other records.
7.2.4.6 Once the appropriate test has been selected, it is important to
determine how it will be applied, either as a:
• Specific Item (or “judgmental”) Test where individual items
are selected for examination because of their size or other
characteristic and reliable conclusions can only be drawn
relative to the items tested; or
• Representative Item Test where the objective is to examine
a random selection of items, usually accomplished through
statistical sampling techniques, to support the formulation of
conclusions with respect to the entire population based on
the sample examined
(iii) Sampling
Sampling is the process of selecting part of a population to determine
parameters and characteristics of the whole population. The objective of
sampling is to gather data on a limited number of observations (people,
things, processes, documents, etc.) that represent the larger group about
which more descriptive, normative or cause-and-effect statements need to
be made. Since it is rarely feasible to study an entire population (i.e. do a
census), sampling must suffice. Unless the sample represents the
population, however, sampling accomplishes little.
The two most commonly recommended sampling techniques are random and
purposeful sampling. The major difference between the two is that random
sampling is more confirmatory while purposeful sampling is more
exploratory. In the context of testing, specific item tests would more likely
be applied on the basis of purpose whereas representative item tests would
be applied on a random basis. Both types of sampling may be applied to
attributes, to reach a conclusion about a population in terms of the
proportion, percentage, or total number of items that possess some
characteristic (attribute) or fall into some defined classification, or to
variables, to draw conclusions about a population in terms of numbers, such
as dollar amounts.
(iv) Surveys
Surveys are structured approaches to gathering information from a large
population. Examples of survey use would include efforts to obtain input
from all the members of the auditee on the perceived opportunities for
training and development or to obtain opinions from recipients of services
(either internal or external) on the quality and timeliness of services
provided. Whether the survey is administered in person, by telephone, by
internet, or by mail, the key element is the existence of a structured, tested
questionnaire.
(v) Inspection
Inspection consists of confirming the existence or status of records,
documents or physical assets. Inspection of physical assets provides highly
reliable evidence of their existence or condition. Inspection of records could
confirm the existence of source documents for data entry, e.g. program
participant questionnaires or evaluations.
(vi) Flowcharting
Flowcharting is the graphic representation of a process or system and
provides a means for analyzing complex operations, e.g. key control points,
redundant activities. A system flowchart would provide an overall view of
the inputs, processes and outputs while a document flowchart would depict
value adding activities and critical controls.
(vii) Modeling
Modeling includes the field of quantitative techniques, often referred to as
operations research. It makes use of mathematical and statistical models
designed to simulate real processes and help in decision-making. Models
are identified in terms of their intended uses, i.e. descriptive, which classify
variables and explain their relationships, predictive, which forecast on the
basis of variable relationships how the variables will behave if one or more
of them is changed, and planning, which decide the best way of combining
or changing relationships to achieve some result.
(viii) Observation
Similar to inspection, observation entails personally verifying or attesting to
a process or procedure, e.g. the application of controls by members of the
auditee’s staff or the manner in which clients are treated. Many service
transactions and internal control routines can only be evaluated by seeing
the auditee perform them.
Whenever possible, two or more auditors should be present to make
observations in order to provide additional support to the observations.
(ix) Confirmation
Confirmation involves a request, usually provided in writing, seeking
corroboration of information obtained from the auditee’s records or from
other less reliable sources, e.g. anecdotal information from a client of the
auditee.
(x) Analysis
Analysis consists of examining information obtained and using it to
corroborate other findings or to compare auditee performance against
performance indicators and policies, past operations, similar operations in
other organizations, and legislation.
7.3 Control and Risk Self-Assessments
Facilitated processes are part of the auditor’s tool kit; they help many internal
audit organizations operate with fewer resources through the
use of facilitated group sessions with auditees as a means to more
efficiently identify potential risks or control weaknesses. Common to any
facilitated process is the use of a facilitator who is not
necessarily an expert on a specific issue (but can be) but who is an expert
on process. A facilitator is trained and effective in communication (verbal
and non-verbal), working with people, resistance, group dynamics, effective
meetings, decision-making, workshop design and implementation, and
dealing with crises.
7.3.1 Control Self-Assessment
Control self-assessment is normally focused on having the members of a
working group identify and assess the controls that govern their
activities. The process is usually an iterative one wherein an effort is made
to identify all controls and then focus on the ones that are most important
or may be questionable in terms of their effectiveness. In many instances,
the process of control self-assessment can be a learning opportunity for the
group and can lead to the taking of immediate action by management to
address the identified areas of concern.
In terms of the conduct of an audit, control self-assessment can be a very
efficient and helpful process during the planning phase of the audit by
identifying potential control weaknesses. The auditor cannot rely upon the
self-assessment alone but must always conduct sufficient testing to provide
assurance as to whether a control is working as intended or not.
7.3.2 Risk Self-Assessment
Risk self-assessment is similar to control self-assessment in terms of the
process but may often be focused on having peer groups or knowledgeable
stakeholders identify the risks associated with one or a group of programs,
activities, or initiatives. For example, senior management may participate in
risk self-assessment to identify the key risks facing the organization while a
group of officers in the individual department may come together to identify
the risks associated with a new initiative in the department.
Risk self-assessment is frequently employed when a new program or
initiative is required to prepare a Risk Management Framework and Risk
Register.
In terms of the conduct of an audit, risk self-assessment can be a valuable
tool to identify potential risks but the auditor must be satisfied that the
process has been as complete and independent as possible. The auditor
must ensure that all potential risks have been identified and evaluated. The
auditor cannot abdicate that responsibility.
7.4 Methods of Documenting Audit Evidence (Working Papers)
7.4.1 Working papers are the supporting documentation for the entire
audit – they are the repository for the accumulated audit evidence.
Working papers provide a complete audit trail and demonstrate in
detail, how the engagement was performed. They contain the
evidence to support the report and any related products. More
specifically, working papers provide a demonstrable link between
reports issued and the work performed and support the findings,
conclusions and recommendations. Working papers can also be used
to:
(i) Justify and provide proof of work carried out
(ii) Help auditors respond to questions about coverage or results
(iii) Facilitate supervisory quality assurance reviews and
(iv) Provide supporting evidence when external auditors or other
reviewers want to rely on the results.
7.4.2 A completed set of working papers is normally prepared in the form
of either paper or computer files, however, the set may be later
stored in the form of tapes, diskettes, films or other media. The
organization, design and content of a set of internal audit working
papers will depend on the nature of the audit; however, the set
should document all aspects of the audit process including all
meetings and discussions with the auditee and should be
consistently and efficiently prepared to facilitate review and
control.
7.4.3 A completed set of working papers should be neat and uniform in
size and appearance and include:
(i) An index to contents
(ii) A legend of symbols and abbreviations used
(iii) A statement of the purpose of the working papers
(iv) Evidence of the application of the audit program
(v) The results of the audit, e.g. debriefings, reports, action plans
7.4.4 Within the set of working papers, each page should include a
descriptive heading (e.g. Interview Summary, Test Result,
Document Examined), the auditor’s name or initials and dates of
preparation, appropriate cross-references and evidence of
supervisory review and comments.
7.4.5 Each audit working paper file should have an indexing system to
assist future users to easily consult the information it contains.
Although there is no set format for the indexing system, common
practice is an alphanumeric system whereby alpha identifies the
section within the working paper file and numeric identifies the
items within a section.
7.4.6 As previously noted, working papers should be properly cross-referenced.
Cross-references should stand out clearly and provide
direct and prompt access to information so that a reviewer can
trace conclusions back to the original audit tests and the evidence
gathered and vice versa. Cross-referencing of documents should
follow the system established for the working paper file index. The
extent of cross-referencing required may vary depending on the
engagement; good practice indicates, however, that, at a minimum,
the following items should be cross-referenced:
(i) Specific items in the audit report to the pertinent audit
observation worksheet;
(ii) Audit observation worksheets to the supporting evidence;
(iii) Evidence that relates to other evidence; and
(iv) Audit program steps to the supporting evidence.
7.4.7 All audit working papers should be reviewed to ensure that all
information contained is relevant and supports the report and that all
necessary auditing procedures have been performed. Evidence of
supervisory review (i.e. review of the working papers by at least one
more senior member of the Audit Unit) should consist of the reviewer’s
initialing and dating each working paper after it has been reviewed.
7.4.8 Working papers are formal records belonging to PSE and their
retention follows PSE’s records retention policy.
Template 14 provides various samples of working papers.
CHAPTER 8
8. Monitoring Progress and Periodic Internal Audit Reporting
8.1 Introduction
Monitoring is the systematic process of collecting, analyzing and using
information to track a programme’s progress toward reaching its objectives
and to guide management decisions. Monitoring usually focuses on
processes, such as when and where activities occur, who delivers them and
how many people or entities they reach.
IIA Standard 2500 – Monitoring Progress requires the chief audit executive
to establish and maintain a system to monitor the disposition of results
communicated to management.
8.2 Monitoring Progress
8.2.1 The chief audit executive (CAE) should have a clear understanding of
the type of information and level of detail the board and senior
management expect with regard to the internal audit activity’s
monitoring of the results of engagements. Results typically refer to
the observations developed in assurance and consulting
engagements that have been communicated to management for
corrective action.
8.2.2 Periodic interactions will be required with the management
responsible for implementing corrective actions; it is generally
helpful to solicit management’s input on ways to create an effective
and efficient monitoring process.
8.2.3 The CAE may benchmark with other CAEs or compliance functions
that monitor outstanding issues to identify leading practices that
have proven effectiveness. These discussions may address areas
such as:
(i) The levels of automation and detail.
(ii) The types of observations monitored (i.e., all or just
higher risk observations).
(iii) How and with what frequency the status of outstanding
corrective actions is determined.
(iv) When internal audit independently confirms the
effectiveness of corrective actions.
(v) The frequency, style, and level of reporting performed.
8.3 Considerations for Implementation
(i) Monitoring processes can be sophisticated or rather simple,
depending on a number of factors, including the size and
complexity of the audit organization and the availability of
exception tracking software.
(ii) Whether sophisticated or simple, it is important for the CAE to
develop a process that captures the relevant observations,
agreed corrective action, and current status.
(iii) For outstanding observations, the information tracked and
captured typically includes:
(a) The observations communicated to management and their
relative risk rating
(b) The nature of the agreed corrective actions.
(c) The timing/deadlines/age of the corrective actions and
changes in target dates.
(d) The management/process owner responsible for each
corrective action.
(e) The current status of corrective actions, and whether
internal audit has confirmed the status.
(f) Observations and recommendations requiring immediate
action should be monitored by IAA until corrected. IAA
should ensure that actions taken by management address
the identified deficiencies.
(g) Responsibility for follow-up should be defined in the IA
Charter.
(h) Follow-up audits must be incorporated in the annual audit
plans.
77
Internal Audit Manual for PSEs
8.4
2019
Periodic Reporting
8.4.1
IIA Standard 2060 (Reporting to Senior Management and the
Board) states that the Chief Internal Audit (CAE) must report
periodically to senior management and the board on the internal
audit activity’s purpose, authority, responsibility, and performance
relative to its plan. Reporting must also include significant risk
exposures and control issues, including fraud risks, governance
issues, and other matters needed or requested by senior
management and the board.
8.4.2 The frequency and content of reporting are determined in
discussion with senior management and the board and depend on
the importance of the information to be communicated and the
urgency of the related actions to be taken by senior management
or the board.
8.4.3 The purpose of reporting is to provide assurance to the
Board/AC/AO regarding governance processes (Standard 2110),
risk management (Standard 2120), and control (Standard 2111).
8.4.4 Such reports are normally made quarterly and also yearly. This
requirement should be prescribed in the Internal Audit Charter.
8.4.5 The bases for preparing the periodic report are:
(i) In order to be able to prepare such a comprehensive report to
the Board, AC and AO, as envisaged in the auditing standards,
the CAE needs to obtain sufficient and relevant evidence.
Normally the report on the overall status of the organization’s
governance, risk and control processes is prepared by
amalgamating issues identified in the various audit engagements
that were undertaken and completed during the period under
review. These could also include one or two engagements
specifically designed to collect evidence with respect to key risks
and related governance and control processes. The CAE can and
should also use reports issued by other reviewers if any and also
available Management’s own self-assessment reviews.
(ii) In order to be able to achieve the objective, the CAE should
ensure that while preparing the Annual Audit Plan, key risks to
the organizations are identified and included as engagements in
the annual Audit Plan.
(iii) The CAE should include in the Annual Audit Plan a specific
assignment or engagement for accomplishing all the tasks
related to the issue of this annual report. This will assist the CAE
in preparing the report systematically and ensure that it is
supported by adequate and relevant evidence.
(iv) The scope of work undertaken by the CAE and the IAU in the
course of the year, given the current level of resources
dedicated to the IAUs, may not cover all critical areas and
operations of the organizations. Therefore, it will be a challenge
for the CAE to issue an opinion or provide an assurance together
with a report on the overall risk management and control
processes as a whole. Sufficient evidence may not be collected
to provide the assurance as required by the Auditing Standards.
Nevertheless, CAEs should prepare the reports and provide
limited assurance based on the extent of work completed. If
pertinent and necessary, the limitation on the scope of the work
undertaken, particularly due to lack of adequate resources
should also be mentioned in the report. Such reports will serve
to raise Management’s awareness of risks and the importance of
managing risks through appropriate measures and controls and
the impact on the organization.
(v) In evaluating the evidence collected on the overall effectiveness
of the organization’s control processes, the CAE should consider
whether:
(a) Significant deficiencies or weaknesses were identified.
(b) Management has taken corrective action on
the deficiencies or weaknesses since they were identified and
reported by both the IAU and others.
(c) The deficiencies or weaknesses that were identified have
exposed the organization to an unacceptable level of risk
as a whole.
8.4.6 In the past, Internal Auditors have not expressed opinions on the
adequacy of risk management, controls and governance processes.
Instead, only specific weaknesses in internal control have been
reported. This left the reader with the responsibility to interpret the
importance of the issues reported and the reader may not obtain a
holistic perspective of the state of risk management and the
effectiveness of internal controls or ask the question – “so what?”
In order to avoid such perceptions or incompleteness, the CAE should
report the results of their findings and conclusions reached and at the
same time issue an opinion that will assign a rating of:
(i) Satisfactory – where all key risks have been identified and
controls have been properly designed and implemented;
(ii) Partially satisfactory – some important risks have either not
been identified and/or the required controls have either not
been established or are not functioning effectively; or
(iii) Not satisfactory – key risks have not been identified and/or
related controls have not been implemented or are not
functioning in accordance with the plan.
8.5 Types of Periodic Reports
8.5.1 Quarterly Internal Audit Report
(i) CAE is required to prepare and submit quarterly internal audit reports
to the Accounting Officer or Audit Committee within 15 days after the
end of the quarter for discussion, guidance and directives. This
report is separate from engagement reports and summarizes internal
audit activities for the quarter.
(ii) In preparing the quarterly internal audit report, the internal auditor
should summarize audit findings from individual engagement reports
which remain outstanding at the end of the quarter under review. In
addition to the outstanding recommendations from the engagements
for the period under review, the quarterly report should indicate
status of implementation of previous internal and external audit
recommendations.
(iii) For entities with oversight Board, the CAE should submit the report to
AO prior to submission to AC whereas for entities which have no
oversight Boards, the reports are submitted to the AC prior to
submission to the AO.
(iv) The quarterly reports should also be submitted to the IAG within 30
days from the end of the quarter through GARI-ITS under covering
letter signed by AO. The submission to IAG may or may not include
Board/AC comments depending on whether the Board/AC
meetings have already been held at that time. Template 15
provides sample quarterly internal audit report.
8.5.2 Annual Internal Audit Report
(i) CAE is required to prepare and submit annual internal audit reports
to the Board or AO within 30 days after end of the year and to IAG
through GARI-ITS within two months after the end of financial
year.
(ii) In preparing the Annual Internal Audit Report, the CAE should include:
(a) A summary of the audit activities or services that were planned and
undertaken by the Internal Audit function during the year.
(b) Status of recommendations implementation indicating
recommendations issued, implemented and outstanding.
(c) Outline of outstanding findings and recommendations at the end
of financial year.
(d) Status of implementation of previous years’ internal and external
audit recommendations.
(e) Status of implementation of recommendations from other
assurance providers.
(iii) The summary should also clearly indicate activities implemented
against annual internal audit plan.
Template 16 provides sample annual internal audit report.
CHAPTER 9
9. Quality Assurance and Improvement Program (QAIP)
9.1 Introduction
Quality Assurance and Improvement Program (QAIP) is designed to
evaluate internal audit function conformance with the Standards, Code of
Ethics and other policy and statutory requirements. An effective QAIP helps
internal audit units achieve quality internal audits that effectively and
consistently result in a value-added services for senior management and
also assesses the efficiency and effectiveness of the internal audit function
and identifies opportunities for improvement.
9.2 IIA Quality Standards
Relevant standards in ensuring quality and improving internal auditing in
PSEs are:
(i) IIA Standard 1300 – Quality Assurance and Improvement
Program: The chief audit executive must develop and maintain a
quality assurance and improvement program that covers all aspects
of the internal audit activity
(ii) IIA Standard 1310 – Quality Program Assessments: The quality
assurance and improvement program must include both internal
and external assessments.
(iii) IIA Standard 1311 – Internal Assessments: Internal assessments
must include:
(a) Ongoing monitoring of the internal audit activity; and
(b) Periodic assessment or assessments by other persons within
the organization, with knowledge of internal audit practices.
(iv) IIA Standard 1312 – External Assessments – External
assessments must be conducted at least once every five years by a
qualified, independent assessor or assessment team from outside
the organization.
(v) IIA Standard 2340 – Engagement Supervision: Engagements
must be properly supervised to ensure objectives are achieved,
quality is assured, and staff is developed.
9.3 Internal Assessments
Internal Assessments consist of ongoing monitoring and periodic
self-assessments or assessment by other persons within the organization with
sufficient knowledge of internal audit practices. Internal assessments
validate that the internal audit function continues to conform to the
Standards and evaluate whether internal auditors apply the Code of
Ethics. The program also assesses the efficiency and effectiveness of the
internal audit activity and identifies opportunities for improvement. The
chief audit executive should encourage board oversight in the quality
assurance and improvement program.
9.3.1 Ongoing Monitoring
(i) CAE shall implement Ongoing Monitoring as an integral part of the
day-to-day supervision, review, and measurement of the internal
audit activity.
(ii) On-going monitoring should be incorporated into the routine policies
and practices used to manage the internal audit activity through
processes, tools, and information considered necessary to evaluate
conformance with the Code of Ethics and the Standards.
(iii) Ongoing monitoring enables CAE to determine whether internal audit
processes are delivering quality on an engagement-by-engagement
basis and is achieved through:
(a) Planning and supervision of engagements;
(b) Standardization of work practices;
(c) Work-papers procedures and signoffs;
(d) Report reviews;
(e) Feedback from audit clients survey on individual engagements;
(f) Checklist or automation tools to provide assurance on Internal
Auditors’ compliance with established practices and procedures
and to ensure consistency in the application of Performance
standards;
(g) Audit staff and engagement key performance indicators, such
as number of certified auditors, years of experience in auditing,
timeliness of engagements, number of Continuous Professional
Development (CPD) hours earned during the year and
stakeholders’ satisfactions; and
(h) Identification of any weaknesses or areas requiring
improvement and action plans to address them.
(iv) The CAE shall ensure that adequate supervision is provided as a
fundamental element of any QAIP. Supervision shall begin with
planning and continue throughout the performance and
communication phases of the engagement.
9.3.2 Periodic Self-Assessment
(i) Periodic self-assessments have a different focus than ongoing
monitoring in that they generally provide a more holistic,
comprehensive review of the Standards and the internal audit
activity.
(ii) It is the responsibility of CAE to ensure that this assessment is
conducted at a certain interval of time (e.g. quarterly/semi-annually/
annually) to ensure that the internal audit function and internal auditors
conform to the Standards and Code of Ethics. It validates operational
effectiveness of ongoing monitoring.
(iii) Periodic Self-Assessment shall be conducted by Senior Members of
the internal audit function, dedicated quality assurance team, or
individuals within Internal audit function that have extensive
experience with IPPF, Certified Internal Auditor (CIA) or other
competent Internal Audit Professionals. In evaluating internal audit
function conformance with the mission and mandatory guidance of
IPPF the assessor will review:-
(a) The quality and supervision of work performed;
(b) The adequacy and appropriateness of Internal Audit Policies and
Procedures;
(c) The ways in which the Internal audit function adds value to the
PSO;
(d) The achievement of key performance indicators; and
(e) The degree to which stakeholders’ expectations are met.
(iv) The individual or team conducting the periodic self-assessment
typically assesses each standard to determine whether the internal
audit activity is operating in conformance. This may include
in-depth interviews and surveys of stakeholders. The frequency of
periodic assessment will depend on the size of internal audit
function but it should be undertaken at least annually.
9.4 External Assessments
External Assessment is conducted to appraise and express an opinion about
the internal audit function’s conformance with the Standards and Code of Ethics.
It also identifies opportunities, offers recommendations for improvement,
and provides counsel to the CAE and staff for improving their performance
and services and promoting the image and credibility of the internal audit
function. Approaches for conducting External Assessment are:
(i) Full External Assessment; and
(ii) Self-Assessment with an Independent External Validation (SAIV).
9.4.1 Full External Assessment
This is conducted by a qualified, independent assessor, or assessment team
under the leadership of experienced team leader. This assessment will
cover level of conformance with the Standards and Code of Ethics;
Efficiency and Effectiveness of Internal audit function; and Extent to which
internal audit function meets its expectation of the Board, Senior
Management and Operations Management and adds value to the entity.
Some of the procedures for performing a Full External Assessment include:
(i) Review of Internal Audit Charter, Plans, Policies, Procedures and
Practices;
(ii) Review of applicable legislative and regulatory requirements;
(iii) Review of Internal audit function process and infrastructure;
(iv) Review of the staffing level, knowledge, experience and expertise;
(v) Impactful recommendations that provide insights to the PSE; and
(vi) Alignment of Internal audit function vision and mission to those of
overall PSE mission and vision.
Details of procedures for external quality assessment are covered in IIA
Quality Assurance Manual issued in 2017.
9.4.2 Self-Assessment with an Independent External Validation (SAIV)
This is an assessment conducted by an internal audit function and then
validated by a qualified, independent external assessor. The scope of this
assessment includes the following:
(i) Reviewing whether there is a proper documentation of the
self-assessment process that aligns with full external assessment process;
(ii) Onsite validation by a qualified, independent external assessor; and
(iii) Limited attention to other areas such as benchmarking; review,
consultation, and employment of leading practices; interview with
senior and operational management.
9.5 Assessor Qualifications
9.5.1 Internal Assessor Qualifications and competences for undertaking
periodic internal assessment include:
(i) Key competencies:
(a) Internal staff of the PSE
(b) Professional Practice of Internal Auditing or any other related
discipline;
(c) Certification as an Audit Professional (e.g. CIA, CCSA, CGAP);
(ii) Additional competencies:
(a) Knowledge of leading internal auditing practices;
(b) Sufficient recent experience in the practice of internal auditing at
a Management level, which demonstrates a working knowledge
and application of the IPPF;
(c) Experience gained from previous quality assessment;
(d) Completion of the IIA’s quality assessment training course or
similar training;
(e) Experience as CAE or comparable senior internal audit
management; and
(f) Technical expertise and industry experience.
9.5.2 External Assessor Qualifications and competences for undertaking
external assessment include:
(i) Key competencies
(a) Professional Practice of Internal Auditing or any other related
discipline;
(b) External Quality Assessment process;
(c) Certification as an Audit Professional (e.g. CIA, CCSA, CGAP);
(ii) Additional competencies:
(a) Knowledge of leading internal auditing practices;
(b) Sufficient recent experience in the practice of internal auditing at a
Management level, which demonstrates a working knowledge and
application of the IPPF;
(c) Experience gained from previous external assessment;
(d) Completion of the IIA’s quality assessment training course or
similar training;
(e) Experience as CAE or comparable senior internal audit
management; and
(f) Technical expertise and industry experience.
9.6 Frequency of Conducting External Assessment
External assessments must be conducted at least once every five years.
CAE must discuss with the Board/ Audit Committee:
(i) The form and frequency of external assessment; and
(ii) The qualification and independence of the external assessor or
assessment team, including any potential conflict of interest.
9.7 Procurement of External Assessment Services in PSEs
CAE should discuss with the Board/Audit Committee and AO how
procurement of assessment services will be carried out and how funds
will be allocated to the respective activities. Moreover, CAE will
consult IAG on the best option to carry out the valid external assessment.
Two options may be recommended depending on the quality maturity level
of the PSEs:
(i) For PSEs which are at progressive or advanced level quality as per IIA
quality maturity model, the entity will undertake self-assessment on
their own and engage IAGD to perform external validation.
(ii) For PSEs which are at introductory, emerging or established level of
quality as per IIA quality maturity model, the entity will engage IAGD
to undertake External Assessment.
9.8 Pre-requisites for effective quality assurance and
improvement program in PSEs
CAE is ultimately responsible for implementing structured QAIP, which
covers all aspects of the internal audit function management and
operations outlined in the Standards and best practices of the
profession. A fundamental concept of the QAIP is that the internal audit
function operations should be in alignment with the IIA Standards,
guidelines issued by the Internal Auditor General (IAG) and the relevant
laws and legislations governing Public Sector in Tanzania.
The guidelines detailed below will enable CAEs to systematically
implement the Standards and enhance the quality of their internal audit
activities for a comprehensive internal and external assessment.
Template 17 should be used as a checklist to determine the overall
preparedness of the internal audit function for the formal assessment
under the broad categories of governance, professional practice and
communication. The areas covered in the checklist include:
9.8.1 Internal Audit Governance
(i) Purpose, Authority and Responsibility
In order to ensure that the purpose, authority and responsibility of
the internal audit function in the Public Sector are documented,
approved and effectively implemented:
(a) The CAE should ensure that an internal audit function charter
that recognizes the mandatory guidance of the IPPF is in place and is
effectively implemented;
(b) The CAE should ensure that Internal audit strategic plan is
aligned with the organizational strategy;
(c) The CAE should ensure that Activities performed by the internal
audit function conform with those outlined in the Internal Audit
Charter; and
(d) The CAE should ensure that each internal auditor complies with
the Code of Ethics.
(ii) Independence and Objectivity
In order to ensure that the internal audit function is free from
conditions threatening its ability to carry out internal audit
responsibilities and internal auditors maintain an unbiased mental
attitude:
(a) The CAE should assist the Audit Committee in developing
appropriate structure, roles and responsibilities and key
governance processes for managing the internal audit function;
(b) The Audit Committee must ensure that the organizational
independence of the internal audit function is guaranteed by
having dual reporting arrangements (i.e. administratively to the
Accounting Officer/Chief Executive Officer (CEO) and functionally
to the Audit Committee and IAG for public entities);
(c) The CAE should provide assurance to the Audit Committee on
the independence of the internal audit function and on how
threats, if any, are managed. The CAE must disclose to the Audit
Committee where there is interference in determining the scope
of internal auditing, performing the work and communicating
results and the implications thereof;
(d) The CAE must report to the Audit Committee, at least annually,
to confirm whether internal audit function has direct and
unrestricted access to senior management and the Audit
Committee;
(e) The CAE should determine how threats to internal auditors’
objectivity are managed at the individual auditor and
engagement levels (assignment rotation program, close
supervision, declaration of conflict of interest, etc.);
(iii) Direct Interaction with the Board/Audit Committee
In order to enable the Audit Committee to exercise its oversight
mandate and operationalize the CAE’s functional reporting
relationship with the Board/Audit Committee:
(a) The CAE should participate in the audit committee and/or full
Board meetings;
(b) The internal audit function should communicate on a quarterly
basis such things as the proposed internal audit plan, budget,
progress and any challenges;
(c) The CAE to contact the chairman or any member of the board to
communicate sensitive matters or issues facing internal audit or
the organization at large;
(d) At least annually the CAE should have a private meeting with the
Board/Audit Committee (without senior management present) to
discuss such sensitive matters or issues
(iv) Chief Executive Roles Beyond Internal Auditing
In order to prevent likelihood of impairment to independence of the
internal audit function and objectivity of CAEs resulting from the
conflict of interest arising from the CAE having performed roles that
are subject to audit assurance:
(a) The Audit Committee should revise the internal audit charter to
clearly define the nature of such responsibilities if such non-audit
roles and responsibilities will be ongoing;
(b) If such non-audit roles and responsibilities will be short term, a
plan to transition these responsibilities to management shall be
implemented to safeguard the CAE’s independence and
objectivity;
(c) The CAE shall disclose the details of any impairment to
independence and objectivity, whether in fact or in appearance
during the Audit Committee meeting;
(d) Where the CAE is performing roles beyond internal auditing, the
Audit Committee should monitor the CAE’s objectivity by
increasing the level of scrutiny to the CAE’s risk assessment,
internal audit plan and engagement communications considering
any potential bias the CAE may have related to an area for which
he or she performed duties beyond internal auditing;
(e) The Audit Committee shall engage an objective, competent
assurance provider from outside the internal audit function to
oversee assurance engagements for functions over which the
CAE has responsibility.
(v) Impairment to Independence or Objectivity
In order to prevent and/or manage real or perceived impairment to
internal audit activity’s independence and internal auditor’s objectivity
and provide for a reporting mechanism for impairment incidences:
(a) The internal audit manual shall contain policies for effective
management of independence and objectivity including related
expectations and requirements;
(b) Situations that could create or appear to create impairments
should be identified and described in the manual including
expected actions the internal auditor should undertake if faced
with a potential impairment.
(vi) Continuing Professional Development
In order to ensure that internal auditors enhance their knowledge,
skills and other competencies through continuous professional
development:
(a) The CAE in liaison with the internal auditors may use a
self-assessment tool, such as the Competency Framework, as a
basis for creating a professional development plan;
(b) The CAE may use the professional development plan agreed
with auditor as a basis for developing measures of the internal
auditor’s performance (i.e. KPIs).
(c) Internal auditors may make use of the available opportunities
for professional development to enhance auditors’ proficiency
including conferences, seminars, training programs, online
courses and webinars, self-study programs or classroom
courses; volunteering with professional organizations; and
pursuing professional certifications such as the IIA’s Certified
Internal Auditor (CIA);
(d) The CAE should develop comprehensive annual Continuous
Professional Development (CPD) programs to enhance internal
auditors’ proficiency and address skills gaps identified in the
Job analysis. The training program will be approved by the
oversight organ.
(vii) Proficiency and due professional care
In order to ensure that internal audit function collectively possesses
knowledge, skills and other competencies needed to discharge its
responsibilities and internal auditors develop necessary proficiency to
effectively perform internal audit engagements:
(a) The CAE may use the IIA’s Global Internal Audit Competency
Framework or a similar benchmark to establish the criteria by
which to assess the proficiency of internal auditors;
(b) The CAE should perform job analysis to ascertain diversity of
skill sets and competencies of individual internal auditors
required by the internal audit function and seek approval of the
Audit Committee;
(c) The CAE should develop a strategy for training, and
professionally developing staff in order to establish a proficient
internal audit activity and ensure that its competencies remain
current and sufficient;
(d) The Audit Committee should approve policies and procedures
for hiring external expertise in situations where there are gaps
in skills and competencies;
(e) In developing the internal audit plan, the CAE should generally
consider alignment between knowledge, skills and other
competencies needed to complete the plan and the resources
available among the internal audit activity;
(f) The CAE and internal audit supervisors should compare the
skills needed to accomplish each engagement’s scope and
objectives with the proficiency of each available internal
auditor;
(g) The CAE should put in place internal systems to assess overall
quality of work performed by internal auditors at each audit
cycle; and
(h) The CAE should ensure that Management and leadership
development is embedded within the internal audit function.
9.8.2 Managing the Internal audit function.
In order to ensure that the internal audit function is effectively
managed so that it adds value to the entity:
(a) The CAE should document an internal audit charter that
clearly states the internal audit activity’s purpose and
responsibility, as agreed upon by the CAE, Senior
Management and the Board;
(b) The CAE should study and understand the organization’s
strategies, objectives and risks facing the organization. The
CAE may gather additional input by speaking with senior
management and the board about the strategic plan;
(c) The risks considered should include trends and emerging
issues, such as those involving the organization’s industry,
the internal audit profession itself, regulatory requirements,
political and economic situation;
(d) The CAE should develop an internal audit strategy and
approach that aligns with the goals and expectations of the
organization’s leadership. In addition, the CAE creates a
risk-based internal audit plan to determine the priorities of the
internal audit activity’s assurance and consulting
engagements;
(e) The CAE should communicate the plan and resource
requirements and obtain their approval. Significant interim
changes to the plan must also be communicated and
approved;
(f) The CAE should ensure that internal audit resources are
appropriate, sufficient, and effectively deployed to achieve
approved plan;
(g) The CAE should develop, for board’s approval, internal audit
policy and procedure documents and oversee their
implementation to guide the day-to-day internal audit
activities;
(h) The CAE should share information and coordinate activities
with other internal and external providers of assurance and
consulting services to minimize duplication of efforts. These
may include but are not limited to external auditors,
regulators and external assessors; and
(i) The CAE should report periodically (at least quarterly)
significant risk exposures, control and governance issues to
senior management and the Audit Committee.
(j) The CAE must evaluate the internal audit activity’s
effectiveness by developing and monitoring pre-determined
performance metrics including soliciting feedback through
post audit client survey, completing annual performance
reviews of internal auditors and implementing QAIP.
9.8.3 Nature of work
In order to ensure that internal audit function evaluates and
contributes to the improvement of the organization’s governance, risk
management and control processes using a systematic disciplined
and risk based approach.
(a) The CAE must ensure that the internal audit function plans
(and programs) include procedures for evaluating the
design, implementation and effectiveness of the entity’s
ethics related objectives, programs, and activities;
(b) Depending on risk maturity of an entity, the CAE should
ensure that internal audit function assesses the
effectiveness of the risk management processes;
(c) Where risk management framework is not in place, the CAE
should advise management on the need for the framework
as part of consulting responsibilities done by the internal
audit function;
(d) Where risk maturity is low, the CAE should ensure that the
internal audit function has developed relevant risk registers
to facilitate risk assessment when developing risk-based
audit plans; and
(e) In case of a risk-mature entity, the CAE will assess the
adequacy and effectiveness of risk registers developed by
management before deciding whether or not to place
reliance on them in developing risk-based audit plans.
9.8.4 Engagement planning
To ensure that internal auditors develop and document risk based audit
plan for each engagement, including the engagement’s objectives, scope,
timing and resource allocations;
(a) Internal auditors must study and understand the
organization’s annual internal audit plan and any significant
changes affecting the organization.
(b) Internal auditors should familiarise themselves with the
strategies, objectives, risks and controls related to the
department, area, project, activity or process under review.
As part of familiarization, the internal auditors should
review any recent risk assessment conducted by
management, as well as the internal audit risk assessment
completed during the annual audit planning.
(c) The CAE should ensure that internal audit function plans of
engagements are based on a documented risk assessment
undertaken at least annually;
(d) The CAE must ensure that IA function strategic, annual and
engagement plans are aligned with the entity’s overall
objectives;
(e) The engagement objectives should be clearly spelt and
should reflect the results of risk assessment relevant to the
activity under review;
(f) The CAE should determine appropriate and sufficient
human, financial and other resources to achieve
engagement objectives based on the nature and complexity
of each engagement.
(g) The CAE should identify and consider expectations of senior
management, the Audit Committee and other stakeholders
when preparing annual audit plans;
(h) The CAE should ensure that consulting engagements, if
any, performed by the internal audit function are included
in the annual plan and designed to improve management
of risk and add value;
(i) The CAE should ensure that the IA function develops
engagement scope sufficient to satisfy the objectives of
each engagement;
9.8.5 Performing the Engagement
In order to put in place audit processes and procedures which ensure that
internal auditors identify, analyse, evaluate and document sufficient
information (evidence) to support audit conclusions and achieve
the engagement’s objectives:
(a) The CAE must ensure that engagement processes are
documented in workpapers and referenced in the work program
including:
(b) A risk and control matrix, which links risks and controls with the
testing approach, results, observations and conclusions;
(c) Process maps, flowcharts and/or narrative descriptions of control
processes;
(d) The results of evaluating the adequacy of control design;
(e) A plan and approach for testing the effectiveness of key controls.
(f) The CAE should make sure that audit techniques are used as
appropriate to provide assurance that work is performed
efficiently and effectively;
(g) The CAE should ensure that audit conclusions and engagement
results are based on appropriate analyses and evaluations;
(h) All relevant supporting engagement information should be
documented and access to such information should be
appropriately controlled;
(i) The CAE should develop a policy governing custody, retention and
confidentiality of assurance and consulting engagement records,
regardless of the medium in which each record is stored and seek
its approval from the Audit Committee; and
(j) The CAE must document evidence of proper supervision of all
engagements designed to meet engagement objectives, assure
quality and provide staff professional development.
9.8.6 Communicating engagement results
In order to ensure that engagement results are duly communicated and
reports include all pertinent features.
(a) The CAE should ensure that an effective process is in place to
timely present audit results to the appropriate level of management
for discussion and response;
(b) The final engagement communication/report should contain
internal auditors’ opinion and/or conclusion;
(c) The CAE must ensure that internal auditors’ opinions and/or
conclusions are fully supported by sufficient, reliable, relevant and
useful information;
(d) An engagement observation must adequately address the five
attributes of audit findings;
(e) The CAE should obtain management action plan for the
observation alongside implementation timeframe;
(f) The CAE should carry out periodic stakeholders’ survey to establish
whether form and content of audit communications meet
stakeholders’ expectations;
(g) The CAE should encourage internal auditors to acknowledge
satisfactory performance in engagement communications;
(h) The CAE should put in place mechanisms to control quality of audit
communications; and
(i) The use of the phrase “Conducted in Conformance with the
International Standards for the Professional Practice of
Internal Auditing” in internal audit communications should
be supported by positive results of QAIP in External
Assessment.
9.8.7 Monitoring progress
In order to enable the CAE to establish and maintain a system to monitor
disposition of results communicated to management and implementation of
audit recommendations, agreed management action plans; and determining
whether causes of observed conditions are addressed:
(i) The CAE must establish follow-up mechanism that ensures
Management action plans are effectively implemented and
maintained; The information tracked and captured during follow-up
typically includes: the observations communicated to management
and their relative risk rating; the nature of the agreed corrective
action; the timing/deadlines/age of the corrective actions and
changes in target dates; the management/process owner
responsible for each corrective action; the current status of
corrective actions, and whether internal audit has confirmed the
status.
(ii) Based on professional judgment as well as expectations set by the
board and senior management, the CAE shall determine frequency
and approach (i.e. the extent of audit staff-work to verify that
corrective action was taken).
(iii) The follow-up process should have communication mechanism that
escalates unsatisfactory responses/actions, including the assumption
of risk, to the appropriate levels of senior management or the Audit
Committee;
(iv) If certain reported observations are significant enough to require
immediate action by Management or the Audit Committee, the CAE
should monitor and keep the Audit Committee informed until the
observation is corrected; and
(v) The internal audit function may effectively monitor progress by:
(a) Addressing engagement observations and
recommendations to appropriate levels of management
responsible for taking action;
(b) Receiving and evaluating Management responses and
proposed action plan to engagement observations;
(c) Receiving periodic updates from Management to evaluate
the status of its efforts to address observations and/or
implement recommendations; and
(d) Reporting to Senior Management and Audit Committee on
the status of responses to engagement observations and
recommendations.
(vi) The CAE should report audit follow-up results on a quarterly basis to
Senior Management and Audit Committee.
9.8.8 Communicating the Acceptance of Risks
In order to outline a protocol for the CAE to communicate to the Board,
Management’s acceptance of a level of risks that in the CAE’s conclusion,
may be unacceptable to the organization:
(a) The CAE must understand the organization’s view of and
tolerance for various types of organizational risk;
(b) If the organization has a formal risk management policy,
the CAE and the Internal Audit Activity must understand it
and how the higher risk issues are communicated within
the organization.
(c) If, during the follow-up reviews, the CAE becomes aware of
high risk observations that are not timely and fully
corrected or may represent more risk than the organization’s
tolerance level, he may, upon consultation with senior
management, conclude that the higher than acceptable risk
has been accepted by management.
9.9 Reporting on the Quality Assurance and Improvement Program
9.9.1 The chief audit executive must communicate the results of the quality
assurance and improvement program to senior management and the
board. Disclosure should include: the scope and frequency of the
internal and external assessments, the qualifications and
independence of the assessor(s) or assessment team, including
potential conflicts of interest; conclusions of assessors and corrective
action plans.
9.9.2 The form, content, and frequency of communicating the results of the
quality assurance and improvement program should be established
through discussions with senior management and the board and
should consider the responsibilities of the internal audit activity and
chief audit executive as contained in the internal audit charter.
9.9.3 To demonstrate conformance with the Code of Ethics and the
Standards, CAE must ensure that the results of external and periodic
internal assessments are communicated upon completion of such
assessments and the results of ongoing monitoring are
communicated at least annually. The results include the assessor’s or
assessment team’s assessment with respect to the degree of
conformance
CHAPTER 10
TEMPLATES
This chapter presents exhibits and formats of different documentations
appearing at each stage of an audit engagement and on other
administrative issues for internal auditing in PSEs.
It should be noted that the templates are designed to be indicative.
Therefore, individual audit units should develop and customize the
documents to fit their context and make reference to the previous manuals.
Template 1: Sample Internal Auditor Code of Ethics Form
I …………………………………………………………………………… declare that I have
read and will observe the code of ethics of the Institute of Internal Auditors
and abide by the following components:
(i) The principles that are relevant to the profession and practice of internal
auditing
(ii) Rules of Conduct that describe behavior norms expected of internal
auditors.
Name…………………………………………………………………………………
Signature……………………………………………………………………………
Date:……………………………………………………………………………………
Template 2: Conflict of Interest Declaration Form
CONFLICT OF INTEREST DECLARATION FORM
I ____________________________________ Internal Auditor appointed to
the audit assignment of: ______________________________________ by
letter dated: ________________________ completed this declaration.

| No. | Relationship with the Auditee Impacting on Independence | Yes | No |
|---|---|---|---|
| 1. | Do you have any financial relationship with the auditee that can limit the range or weaken the audit? | | |
| 2. | Do you have any prejudice towards the staff of the audited organization/area that could influence your opinion by exerting his/her authority or otherwise influence you? | | |
| 3. | Did you have any management position or were involved in some way with the activity of the auditee in the last three years? | | |
| 4. | Are you husband/wife or relative up to three generations with the auditees’ manager, or directors or heads of departments? | | |
| 5. | Do you have any political, social or friendly connection with the members of the directorate, head of department, units or sections under audit? | | |
| 6. | Were you employed in the audited section during the last three years as part-time or full-time or conducted services on its behalf? | | |
| 7. | Do you have directly or indirectly any financial interest in the audited area? | | |

If there is any disagreement during the audit that is not declared above, or
other disagreement, I will immediately notify the Head of Audit Functions.
Name of the Auditor: __________________________ Date: ____________
[For Head of Audit Function Use] Approval of the Auditor to continue
with the assignment, and any further guidance or action in relation to
declaration above:
_____________________________________________________________
_____________________________________________________________
Name and Signature of CAE function: ______________________________
Date: _________________
Template 3: Sample of Structure and Contents of an Internal Audit Charter
The Internal Audit Charter should have, at least, the following key contents:
1. INTRODUCTION:
Internal Auditing is an independent and objective assurance and consulting
activity that is guided by a philosophy of adding value to improve the
operations of the <organization>. It assists <organization> in
accomplishing its objectives by bringing a systematic and disciplined
approach to evaluate and improve the effectiveness of the organization's
governance, risk management, and internal control.
2. ROLE:
The internal audit function is established by the Board of Directors, Audit
Committee, or highest level of governing body (hereafter referred to as the
Board). The internal audit activity’s responsibilities are defined by the
Board as part of their oversight role.
3. PROFESSIONALISM:
3.1 The internal audit activity will govern itself by adherence to The
Institute of Internal Auditors' mandatory guidance including the
Mission, Principles and the Definition of Internal Auditing, the Code of
Ethics, and the International Standards for the Professional Practice of
Internal Auditing (Standards). This mandatory guidance constitutes
principles of the fundamental requirements for the professional
practice of internal auditing and for evaluating the effectiveness of the
internal audit activity’s performance.
3.2 The Institute of Internal Auditors' implementation and supplemental
Guides, and Position Papers will also be adhered to as applicable to
guide operations. In addition, the internal audit activity will adhere to
the Public Sector and <organization> relevant policies and procedures
and the internal audit activity's standard operating procedures manual.
4. AUTHORITY:
4.1 The internal audit activity, with strict accountability for confidentiality
and safeguarding records and information, is authorized full, free,
and unrestricted access to any and all of <organization> records,
physical properties, and personnel pertinent to carrying out any
engagement.
4.2 All employees are requested to assist the internal audit activity in
fulfilling its roles and responsibilities.
4.3 The internal audit activity will also have free and unrestricted access to
the Board.
5. ORGANIZATION:
5.1 The Chief Audit Executive will report functionally to the Board and
administratively (i.e. day to day operations) to the Accounting Officer.
5.2 The Board will:
(i) Approve the internal audit charter.
(ii) Approve the risk based internal audit plan.
(iii) Approve the internal audit budget and resource plan.
(iv) Receive communications from the Chief Audit Executive on
the internal audit activity’s performance relative to its plan
and other matters.
(v) Approve decisions regarding the appointment and removal of
the Chief Audit Executive.
(vi) Approve the remuneration of the Chief Audit Executive.
(vii) Make appropriate inquiries of management and the Chief
Audit Executive to determine whether there is inappropriate
scope or resource limitations.
5.3 The Chief Audit Executive will communicate and interact directly
with the Board, including in executive sessions and between Board
meetings as appropriate.
6. INDEPENDENCE AND OBJECTIVITY:
6.1 The internal audit activity will remain free from interference by any
element in the organization, including matters of audit selection,
scope, procedures, frequency, timing, or report content to permit
maintenance of a necessary independent and objective mental
attitude.
6.2 Internal auditors will have no direct operational responsibility or
authority over any of the activities audited. Accordingly, they will not
implement internal controls, develop procedures, install systems,
prepare records, or engage in any other activity that may impair
internal auditor’s judgment.
6.3 Internal auditors will exhibit the highest level of professional objectivity
in gathering, evaluating, and communicating information about the
activity or process being examined. Internal auditors will make a
balanced assessment of all the relevant circumstances and not be
unduly influenced by their own interests or by others in forming
judgments.
6.4 The Chief Audit Executive will confirm to the board, at least annually,
the organizational independence of the internal audit activity.
7. RESPONSIBILITY:
The scope of internal auditing encompasses, but is not limited to, the
examination and evaluation of the adequacy and effectiveness of the
organization's governance, risk management, and internal controls as well
as the quality of performance in carrying out assigned responsibilities to
achieve the organization’s stated goals and objectives. This includes:
i. Evaluating risk exposure relating to achievement of the
organization’s strategic objectives.
ii. Evaluating the reliability and integrity of information and the means
used to identify, measure, classify, and report such information.
iii. Evaluating the systems established to ensure compliance with those
policies, plans, procedures, laws, and regulations which could have
a significant impact on the organization.
iv. Evaluating the means of safeguarding assets and, as appropriate,
verifying the existence of such assets.
v. Evaluating the effectiveness and efficiency with which resources are
employed.
vi. Evaluating operations or programs to ascertain whether results are
consistent with established objectives and goals and whether the
operations or programs are being carried out as planned.
vii. Monitoring and evaluating governance processes.
viii. Monitoring and evaluating the effectiveness of the organization's
risk management processes.
ix. Evaluating the quality of performance of external auditors and the
degree of coordination with internal audit.
x. Performing consulting and advisory services related to governance,
risk management and control as appropriate for the organization.
xi. Reporting periodically on the internal audit activity’s purpose,
authority, responsibility, and performance relative to its plan.
xii. Reporting significant risk exposures and control issues, including
fraud risks, governance issues, and other matters needed or
requested by the Board.
xiii. Evaluating specific operations at the request of the Board or
management, as appropriate.
8. INTERNAL AUDIT PLAN:
8.1 At least annually, the Chief Audit Executive will submit to senior
management and the Board an internal audit plan for review and
approval. The internal audit plan will consist of a work schedule as
well as budget and resource requirements for the next fiscal/calendar
year. The Chief Audit Executive will communicate the impact of
resource limitations and significant interim changes to senior
management and the Board.
8.2 The internal audit plan will be developed based on a prioritization of
the audit universe using a risk-based methodology, including input of
senior management and the Board.
8.3 The Chief Audit Executive will review and adjust the plan, as
necessary, in response to changes in the organization’s business,
risks, operations, programs, systems, and controls.
8.4 Any significant deviation from the approved internal audit plan will be
communicated to senior management and the Board through periodic
activity reports.
9. REPORTING AND MONITORING:
9.1 A written report will be prepared and issued by the Chief Audit
Executive or designee following the conclusion of each internal audit
engagement and will be distributed as appropriate. Internal audit
results will also be communicated to the AO.
9.2 The internal audit report may include management’s response and
corrective action taken or to be taken in regard to the specific findings
and recommendations.
9.3 Management's response, whether included within the original audit
report or provided thereafter (i.e. within thirty days) by management
of the audited area should include a timetable for anticipated
completion of action to be taken and an explanation for any corrective
action that will not be implemented.
9.4 The internal audit activity will be responsible for appropriate follow-up
on engagement findings and recommendations. All significant findings
will remain in an open issues file until cleared.
9.5 The Chief Audit Executive will periodically report to senior
management and the Board on the internal audit activity’s purpose,
authority, and responsibility, as well as performance relative to its
plan.
9.6 Reporting will also include significant risk exposures and control
issues, including fraud risks, governance issues, and other matters
needed or requested by senior management and the Board.
10. QUALITY ASSURANCE AND IMPROVEMENT PROGRAM:
10.1 The internal audit activity will maintain a quality assurance and
improvement program that covers all aspects of the internal audit
activity. The program will include an evaluation of the internal audit
activity’s conformance with the Definition of Internal Auditing and
the Standards and an evaluation of whether internal auditors apply
the Code of Ethics. The program also assesses the efficiency and
effectiveness of the internal audit activity and identifies
opportunities for improvement.
10.2 The Chief Audit Executive will communicate to senior management
and the Board on the internal audit activity’s quality assurance and
improvement program, including results of ongoing internal
assessments and external assessments conducted at least every
five years.
11. Approvals:
The charter shall be approved by the Audit committee/ board and shall be
signed by the CAE function, the Accounting Officer and the chairman of
the audit committee/ board/ council. This section includes the date,
names, and titles of signatories.
12. Review of charter:
Provides for the periodic review of the Charter by the CAE and approval of
any changes by the Audit Committee or Board Implementation
This Internal Audit Activity charter Approved this ______ day of _________,
___________________________
Chief Audit Executive
___________________________________
Chairman of the Board / Audit Committee
______________________
Chief Executive Officer
Template 4: Sample of Annual Risk Based Internal Audit Plan
Title
1. Background
2. Purpose and Objectives
3. Methodology and Risk Assessment
4. Internal Audit Resources
4.1 Internal Audit Staff (names and position) and audit hours/days
available for each
4.2 Financial Resources
Annual Risk Based Internal Audit Plan Schedule

| Permanent File ID. | Audit Area | Department | Audit Objective/Description | Overall Risk Assessment Score (Ranked) | Estimated Total Audit Days | Quarter 1 (Estimated start date) | Quarter 2 (Estimated start date) | Quarter 3 (Estimated start date) | Quarter 4 (Estimated start date) |
|---|---|---|---|---|---|---|---|---|---|
| | | | | | | | | | |

Template 4. a: Sample of a Three Years Internal Audit Strategic Plan
Title:
1. Background
2. Purpose and Objectives
3. Methodology and Risk Assessment
4. Internal Audit Resources
Internal Audit Strategic Plan for 2019 – 2023
Audit Area
Rank by Risk
Assessment Score
2019/20 2020/21 2022/23 Frequency
Indicator 1
Days
Days
Days
Finance and Accounting
Debtors
15
15
2
Payroll
15
15
2
Banking
Arrangements/Reconciliations
10
Insurance
2
15
15
2
5
20
2
Administration
Vehicle Maintenance
Personnel, Recruitment and
Training
15
2
Estates Management
15
3
Housing Repairs
15
1
15
2
The Frequency Indicator shows the frequency with which audits should be carried out as identified by the risk
analysis: 1 = Every year; 2 = Every other year; 3 =No more than once every three years
Computer Audit
Implementation of New
Systems
30
30
Internet/Intranet
30
2
15
IT Security
2
5
15
Networks
2
15
3
Procurement and
Contract Audit
Contract Management
10
5
5
1
Tendering Arrangements
5
5
5
1
Template 5: A sample of Engagement risk assessment
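(Using Risk Factors-Standard 2010-Planning)

| AUDITABLE AREA | Risk factor: Financial Materiality | Risk factor: Impact to Operations | Risk factor: Political Sensitivity | Risk factor: Controls Effectiveness | Risk factor: Time since last audit | Risk factor × weight: Financial Materiality | Risk factor × weight: Impact to Operations | Risk factor × weight: Political Sensitivity | Risk factor × weight: Controls Effectiveness | Risk factor × weight: Time since last audit | OVERALL SCORE | RANKING |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Weight | 20 | 25 | 20 | 25 | 10 | | | | | | | |
| Procurement and contract | 5 | 3 | 2 | 4 | 1 | 100 | 75 | 40 | 100 | 10 | 315 | 2 |
| Payroll | 3 | 2 | 3 | 2 | 1 | 60 | 50 | 60 | 50 | 10 | 230 | 4 |
| Travel Expenses | 4 | 2 | 5 | 3 | 2 | 80 | 50 | 100 | 75 | 20 | 325 | 1 |
| Utilities | 3 | 5 | 4 | 2 | 1 | 60 | 80 | 80 | 50 | 10 | 280 | 3 |
| Etc | | | | | | | | | | | | |
| Etc | | | | | | | | | | | | |
| Etc | | | | | | | | | | | | |
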
NOTE: Procedures for preparing the assessment of Risk Based Internal
Audit Plan
1. Determine the Risk Factors and agree with Senior Management
and Audit Committee. Below is an example of factors which can be
used, e.g.:
• Financial Materiality
• Impact to Operations
• Political Sensitivity
• Controls Effectiveness
• Time since last audit
• Reputational sensitivity
• Inherent risk
• Confidence in management
• Complexity of activities.
• Enterprise Risk Management (ERM) (Case of Matured Risk)
2. Define the scoring criteria using a scale of either 1-5 or 1-3 as
applicable. Below is an example
Materiality of operations
Overall annual budget for a unit, from any source for example from the
government and other funding sources. If there was misuse of funds
or something went wrong financially, what would be the impact to the
organization financial perspective?

| Scenario | Score |
|---|---|
| Audit area with financial budget over 75% of total budget | 5 |
| Audit area with financial budget over 50% but not exceeding 75% of total budget | 4 |
| Audit area with financial budget over 30% but not exceeding 50% of the total budget | 3 |
| Audit area with financial budget over 10% but not exceeding 30% of the total budget | 2 |
| Audit area with financial budget not exceeding 10% | 1 |

Impact to Operations
It expresses the extent to which operations can be affected as a result of
occurrence of a certain risk.

| Scenario | Score |
|---|---|
| Accounts for over 80% of the business | 5 |
| Accounts for over 60% but less than 80% of the business | 4 |
| Accounts for 40% to 60% of the business | 3 |
| Accounts for 20% to 40% of the business | 4 |
| Accounts for more than 5% but less than 20% of the business | 2 |
| Accounts for less than 5% of the business | 1 |

Political Sensitivity
This is about the sensitivity of the unit to public/press exposure of any internal
issues, and the level of public embarrassment that could be caused to the
organization as a whole.

| Scenarios | Score |
|---|---|
| Very likely to result in public or political interest | 5 |
| Likely to result in public or political interest | 4 |
| May result in public or political interest | 3 |
| Unlikely to result in public or political interest | 2 |
| Completely not related to political interest | 1 |

Effectiveness of controls to mitigate risks
Risk that material misstatement / lapses will not be prevented or detected by
the accounting and internal control systems.

| Scenarios | Score |
|---|---|
| Very Inadequate control | 5 |
| Inadequate controls | 4 |
| Moderate controls | 3 |
| Good controls | 2 |
| Very good controls | 1 |

3. Determine the weight for each risk factor and agree with Senior
Management and Audit Committee

| Risk Factors | Weightage |
|---|---|
| Financial Materiality | 20 |
| Impact to Operations | 25 |
| Political Sensitivity | 20 |
| Controls Effectiveness | 25 |
| Time since last audit | 10 |
| Total Weightage | 100 |

4. Determine threshold for rating overall scores e.g High-Medium-Low
501-625: Very High
301-500: High
101-300: Medium
50-100: Low
<50: Very Low
Template 6: Risk and Control Assessment Report
Ministry of Finance and Economic Affairs, Government of Tanzania
No.: C1
Prepared by: S.O.
Prepared on: 07/10/2015
Reviewed by: H.T.
Reviewed on: 08/10/2015
(Must be in handwriting)
Client: Procurement Management Unit
Title: Risk and Control Assessment Report
Period:
Objectives/
To clearly explain the basis for decision to suspend the audit
Work performed/
1. Obtained the documentation from the procurement management unit and reviewed the
documentation provided and previous report.
2. Interviewed ……
Results/
(1) There is absence of even the basic controls in order to achieve the engagement
objective(s) (Refer to C5)
(Refer to the related working papers as needed.)
(3) Auditee lacks awareness of the necessity of designing effective internal control
system.
In the final stage of the preliminary survey, feedback meeting with clients
should be held to share and feedback the information based on this report.
Conclusion
▪ The audit team decided to stop continuing with the remaining phases of
the audit engagement because there is absence of even the basic
controls. Therefore, the audit team writes a recommendation that the
auditee seek assistance to establish a control framework in its activity.
Template 7: Engagement Plan
The United Republic of Tanzania
Ministry of Finance and Planning
No.: CA
Prepared by: S.O.
Prepared on: 07/10/2015
Reviewed by: H. K
Reviewed on: 08/10/2015
(Must be in handwriting)
Client: Procurement Management
Title: Engagement Plan
Period:
Objectives/
Copied from Refined Engagement Objective (BA-2).
1. To determine as to whether the tender documents are properly prepared
and approved.
2. To determine as to whether advertisement of bid opportunities is done
properly.
Audit Scope/
Area: Procurement
Sub-Process: Procurement through Tender - Goods, works, services…
System: N/A
Audit Criteria/
Public Procurement Act, 2011
Public Procurement Regulations, 2013
Audit Approach/
Test of control effectiveness based on risk based audit approach.
Significant Risks Identified/
Copied from Risk Assessment Document.
e.g C4 Engagement Objective and Risk Mapping, C5 RCM
Risk 1-1 Request is not reviewed and unauthorized procurement is proceeded.
Risk 1-2 Tendering procedure with incomplete tender documents.
Resource Allocation and Assignment/

| Name and Title | Assignment | Commencing on | Completing by |
|---|---|---|---|
| Shiro Otomo, IA-1 | Conduct all programs, Preparer of WP | 11/10/2015 | 12/10/2015 |
| Hisako Kajikawa, AIC | Reviewer of WP | 13/10/2015 | 14/10/2015 |

Communication/
Key findings will be discussed with the auditee at interim exit meeting at the
end of the field work. The date for the meeting will be informed later.
Template 8: Engagement Work Program
No.
B1
Ministry of Finance and Planning,
Government of Tanzania
Client:
Procurement Management Unit
Period:
Title:
Engagement Work Program
(Procurement through Tender - Goods, works,
services)
Engagement Objective
Objective 1
To determine as to whether the tender documents are
properly prepared and approved.
Date
Engagement Work Program
Done by
Ref to
Planned
W/P
Ref
Completed
1.
2.
Obtain request letter on a sample S.O.
basis and annual procurement plan
and verify whether there is an
id
f h letter
ki
Obtain
request
on a sample S.O.
Planned:
B1-1
Completed:
Planned:
B1-2
7/ 10/ 2015
basis and verify whether there is an
evidence of confirming of funds by
A
i Offi
(Plan)
7/ 10/ 2015
Auditor in charge
Signature: S.O.
Date: 7/10/2015
Chief Internal Auditor
Signature: H.T.
Date: 7/10/2015
FA sheet
(Complete)
Auditor in charge
Signature: S.O.
Date: 14/10/2015
Chief Internal Auditor
Signature: H.T.
Date: 14/10/2015
Template 9: Internal Audit Process Checklist for Quality
Achievement
Instruction: Tick the box (☑) of either “OK (OK / good)” or “No (not good / not
applicable)” for each item.
Initiating the Engagement

| | Step | Output /WP | OK | No | Check items per HBS |
|---|---|---|---|---|---|
| 1 | Appointment of Audit Team | Team Meeting Minutes | ☐ | ☐ | Indexed |
| | | | ☐ | ☐ | Client, Period, Title |
| | | | ☐ | ☐ | Preparer / Reviewer Signed-Off |
| | | | ☐ | ☐ | Date of Meeting |
| | | | ☐ | ☐ | Nature of the Audit |
| | | | ☐ | ☐ | Audit Team Members and Their Signatures |
| | | | ☐ | ☐ | Division of Tasks and Timeframe |
| | | | ☐ | ☐ | Deadline for Each Output |
| 2 | Setting Engagement Objectives | 1 Engagement Objectives (tentative) | ☐ | ☐ | Indexed |
| | | | ☐ | ☐ | Client, Period, Title |
| | | | ☐ | ☐ | Signed by AIC, and Reviewed by CIA |
| 3 | Contact and meeting with the client | Engagement Letter | ☐ | ☐ | Indexed |
| | | | ☐ | ☐ | Addressee |
| | | | ☐ | ☐ | Date of Writing the Letter |
| | | | ☐ | ☐ | Source of the Audit |
| | | | ☐ | ☐ | General Objective of the Engagement |
| | | | ☐ | ☐ | Name of the Audit Team Members and Team Leader |
| | | | ☐ | ☐ | Official Contacts of the Team Leader |
| 4 | Entrance Meeting | Entrance Meeting Minutes | ☐ | ☐ | Indexed |
| | | | ☐ | ☐ | Date of Meeting with the Auditee |
| | | | ☐ | ☐ | Preparer / Reviewer Signed-Off |
| | | | ☐ | ☐ | Client, Period, Title |
| | | | ☐ | ☐ | Attendees |
| | | | ☐ | ☐ | Contents of the Minutes (Scope, Objective, audit findings / areas of concern, etc. where applicable) |
| | | | ☐ | ☐ | Signed by Auditee and AIC with Their Titles and Date |
| | | | ☐ | ☐ | Key Contact Personnel Specified |

Planning the Engagement

| | Step | Output /WP | OK | No | Check items per HBS |
|---|---|---|---|---|---|
| 5 | Documentation of Internal Control System | Narrative Notes or C3-Flowcharts | ☐ | ☐ | Indexed |
| | | | ☐ | ☐ | Preparer / Reviewer Signed-Off |
| | | | ☐ | ☐ | Client, Period, Title |
| | | | ☐ | ☐ | Process Flow (Steps) |
| | | | ☐ | ☐ | Related Criteria Identified for Each Step |
| | | | ☐ | ☐ | Internal Control Identified (e.g. by highlighting) |
| | | | ☐ | ☐ | Document/Evidence Identified (e.g. by underlining) |
| | | | ☐ | ☐ | Referenced from Walkthrough Evidences (C6) |
| | | Engagement Objective and Risk Mapping | ☐ | ☐ | Indexed |
| | | | ☐ | ☐ | Client, Period, Title |
| | | | ☐ | ☐ | Engagement Objectives |
| | | | ☐ | ☐ | Preparer / Reviewer Signed-Off |
| | | | ☐ | ☐ | Risk number |
| | | | ☐ | ☐ | Risks |
| | | | ☐ | ☐ | Risk Rating |
| | | Risk Control Matrix (RCM) | ☐ | ☐ | Indexed |
| | | | ☐ | ☐ | Client, Period, Title |
| | | | ☐ | ☐ | Preparer / Reviewer Signed-Off |
| | | | ☐ | ☐ | Narrative Step No |
| | | | ☐ | ☐ | Control Description |
| | | | ☐ | ☐ | Control Owner |
| | | | ☐ | ☐ | Related Criteria |
| | | | ☐ | ☐ | Frequency of the Control |
| | | | ☐ | ☐ | Control Evidence |
| | | | ☐ | ☐ | Engagement Objective No |
| | | | ☐ | ☐ | Risk Description |
| | | | ☐ | ☐ | Key Control Identified |
| | | | ☐ | ☐ | Design Adequacy Concluded (result of walkthrough test) |
| | | Walkthrough Evidence | ☐ | ☐ | Indexed |
| | | | ☐ | ☐ | Sampled from the Audit Period |
| | | | ☐ | ☐ | Control Evidence Identified (e.g. highlighting approver’s signature on the document) |

6
7
Step
Output /WP
OK No
Documentation
of Risk
Control ☐
☐
Internal
Control Matrix (RCM)
☐
☐
System
Refining
2Engagement
Engagement
Objectives
Objectives
(final)
&Preparing Program
☐
☐
☐
☐
Client, Period, Title
☐
☐
☐
☐
☐
☐
☐
Client, Period, Title
☐
☐
☐
☐
☐
Indexed
Reviewed by AIC approved by CIA
Indexed
Client, Period, Title
Preparer / Reviewer Signed-Off
Engagement Objectives
☐
Audit Approach
☐
☐
☐
☐
9
☐
☐
☐
Team meeting after Risk
and ☐
the survey
Control
☐
Assessment
☐
Report
☐
Output /WP
Supporting
Documents
(for findings)
☐
Referenced to Engagement Work
Program, B1, B2
Reviewed by AIC, Approved by CIA
Audit Scope (Area, system, etc.)
☐
Step
Gathering of
evidence
☐
Indexed
☐
☐
Performing the Engagement
☐
☐
☐
8
Check items per HBS
Testing sheet working paper reference
Operational Effectiveness (result of
test of control)
Necessity of Follow-up (Yes/No)
Engagement
☐
Work Program ☐
(for Fieldwork) ☐
Engagement
Plan
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
Audit Criteria
Significant Risks Identified
Resource Allocation and Assignment
Indexed
Client, Period, Title
Preparer / Reviewer Signed-Off
Objectives of the Preliminary Survey
Work Performed
Results of the Work Performed
Cross-Referenced to Evidences
Conclusion
OK No Check items per HBS
☐
☐ Evidence Identified
☐
☐
☐
☐
☐
☐
Evidence Cross-Referenced
Sufficient – factual, adequate, and
convincing
Competent – reliable and best
attainable
using
engagement
techniques.
10 Conduct Testing
Testing Sheet
☐
☐
Relevant – support observations and
recommendations and consistent with
Objectives.
☐
☐
Indexed
☐
☐
Preparer / Reviewer Signed-Off
☐
☐
☐
☐
11 Summarize
Audit Summary Of
Findings
& Findings
&
Recommendations Recommend
ations
(SOFR)
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
Client, Period, Title
Objective, Procedure, Criteria
Work Done
Results
Tested Samples
Indexed
Client, Period, Title
Preparer / Reviewer Signed-Off
Summary of Value of errors and/or
Summary of Non compliance
Referenced to Audit Report
☐
☐
Attribute ☐
☐
Referenced from ALL Five Attribute
Sheets (FA-1~xx)
Indexed
☐
☐
Preparer / Reviewer Signed-Off
☐
12 Summarize Audit Five
Findings
& Sheet
Recommendations
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
13 Completion
of Engagement
Engagement Work Work Program
Program (Fieldwork) & Fieldwork
W/P (signedoff
&
reviewed)
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
Client, Period, Title
Engagement Objective
Condition
Criteria
Referenced to/from Testing Sheet
Cause
Risk
Recommendations
Comment by Client
☐
☐
Categorization of Action
Compliance Plan
Referenced to Testing Sheet
☐
☐
Reviewed by AIC, Signed by CIA
☐
☐
Plan
Done by, Completion date
/
Communicating the Engagement Results
☐
Step
Compliance
Statement
Output /WP
Draft
Audit
Report
OK No Check items per HBS
☐ ☐ Indexed
☐ ☐ Dated
☐
☐
Reviewed and Signed by CIA
☐
☐
Objectives
☐
☐
☐
☐
☐
14 Processing
the
draft audit report
15 Processing final
audit report
Audit Report
Checklist
Final
Report
Audit
☐
☐
☐
☐
☐
Introduction
Scope
Compliance Statement
Approach or Methodology
☐
☐
☐
☐
Findings and Recommendations (Not
Applicable in case of “No Findings”)
Action Plan / Compliance Plan (Not
Applicable in case of “No Findings”)
Conclusion/Remarks
☐
☐
Indexed
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
Acknowledgement
Client, Period, Title
Preparer / Reviewer Signed Off
Indexed
Dated
☐
☐
Signature(Reviewed by CAE or Auditor
In-charge)
Introduction
☐
☐
Scope
☐
☐
☐
☐
☐
☐
☐
☐
Objectives
Compliance Statement
Approach or Methodology
☐
☐
☐
☐
Findings and Recommendations (Not
Applicable in case of “No Findings”)
Action Plan / Compliance Plan(Not
Applicable in case of “No Findings”)
Conclusion/Remarks
16 Issuing the final Transmittal Letter ☐
audit report to all
☐
relevant
☐
authorities
☐
☐
Indexed
☐
☐
☐
☐
☐
☐
☐
Acknowledgement
Dated
Signed by CIA
Addressee
Key Conclusions and Overall Opinion
17 Exit Meeting
Exit
Minutes
☐
☐
Copied to Relevant Authorities
Meeting ☐
☐
Indexed
☐
☐
Reviewed by AIC, Signed by CIA
☐
☐
Output /WP
Index
☐
☐
☐
☐
☐
☐
Archive W/P
Step
18 Archive W/P
☐
☐
OK No
☐ ☐
☐
☐
☐
☐
☐
☐
☐
☐
Client, Period, Title
Key Findings (Not Applicable in case of
“No Findings”)
Action Plan by client management(Not
Applicable in case of “No Findings”)
Conclusion and Agreement
Signed by both parties
Check items per HBS
Preparer / Reviewer Signed-Off on
Index
Audit Folder Cover
Page Dividers
[Practical Test] Filed W/Ps are listed
with reference
[Practical Test] Listed W/Ps are filed
Follow-up and Communicating Unacceptable Residual Risks
Step
Output /WP
OK No Check items per HBS
19 Follow-up
Any Form
Responsible Person
☐ ☐
implementation (Matters on next ☐ ☐
Recommendation
audit / Follow-up ☐ ☐
Action taken
for
Timeframe
☐ ☐
Recommendations)
☐
☐
Status
Template 10: Summary of Findings and Recommendations (SOFR)
Ministry of Finance and Economic Affairs, Government of Tanzania
No.: FA
Client: Procurement Management
Title: Summary of Findings and Recommendations (SOFR) (Procurement through Tender - Goods, works, services)
Period: 2015/07 - 2015/09
(Form Reference: 241 / modified)
Prepared by: S.O.    Prepared on: 16/10/2015
Reviewed by: H.T.    Reviewed on: 16/10/2015
(Must be in handwriting)

Summary of findings - values of errors
Five attribute sheet   Description                           No. errors found   Total value in shillings   Report
FA-2                   Items not issued to user Dept.                                                      A1(6.2)
FA-4                   Not in Ledger Book                                                                  A1(6.4)
FA-5                   Overstock of Stores                                                                 N/A
……
(Must be referenced FROM EACH Five attribute sheet.)

Summary of findings - non-compliance with Regulations:
Five attribute sheet   Description                           Impact on assurance opinion   Report
FA-1                   Request not reviewed by HPMU                                        A1(6.1)
FA-3                   Fund availability not checked                                       A1(6.3)
FA-6                   Tender document not approved                                        N/A
……
(Must be referenced TO (draft) REPORT.)

Audit Conclusion:

Auditor in charge                Chief Internal Auditor
Signature:.....................  Signature:.................
Date:...........................  Date:........................
Template 11: Matters on next audit / Follow-up for Recommendations
Ministry of Finance and Economic Affairs, Government of Tanzania
No.: A10
Client: Procurement Management Unit
Title: Matters on next audit / Follow-up for Recommendations
Period:
Prepared by: S.O.    Prepared on: 14/10/2015
Reviewed by: H.T.    Reviewed on: 14/10/2015
(Must be in handwriting)

The internal auditors who conduct the next audit of the Procurement Management Unit are advised to consider the following:
1. Obsolete properties were found to have increased during the current audit. The number of stock-taking locations should be increased in the succeeding year’s internal audit.
2. Internal auditors could arrange the schedule with Store Keepers in order to jointly conduct the stock taking in several locations.
(Describe the matters that should be noted in the succeeding works, e.g. outstanding issues, status of recommendations, expected changes in regulations, etc.)

The internal auditors will be requested to follow up on the implementation of the following issues:

No. 1
Recommendation: Monitoring of outstanding Purchase Orders could be conducted in order to receive the goods ordered in a timely manner.
Action: Prepare a monthly monitoring sheet to grasp the outstanding orders and the deliveries due, and check for delays in delivery.
By: Store Keepers
Time: By **/20**
Action taken / status: Work in process. Store Keeper is requesting to produce the information from the computer system. (**/**/20**)
No. 2
No. 3
(To monitor the implementation of the recommended issues, the current status might be updated as necessary.)
Template 12: Exit Meeting Minutes
Ministry of Finance, Government of Tanzania
W/P Ref:
Client:
Title: Exit Meeting Minutes
Period:
Prepared by:    Prepared on:
Reviewed by:    Reviewed on:
Date and Venue:
I. Attendees:
Name            Title        Org./Dept         Telephone/E-mail
1. __________   _________    _______________   ____________________
2. ___________  __________   _______________   ____________________
3. ___________  __________   _______________   ____________________
4. ___________  __________   _______________   ____________________
II. Opening Remarks:
•
•
III. Key issues/findings observed:
•
•
IV. Reaction/Comments from the auditee’s members:
•
•
V. Compliance/ Action plan
•
•
VI. Conclusion and Agreement on the way forward:
•
•
Auditee
Signed by
Date
Title
Auditors
Signed by
Date
Title
Template 13: Sample of an Internal Audit Engagement Report
MINISTRY OF XYZ
SUBJECT:
EXECUTIVE SUMMARY
Executive summary enables the management to readily focus on and understand the important issues being reported. It may not be required for short reports.
The executive summary should include:
• General objective and scope of the engagement and include brief descriptions of the audit entity,
• The rationale for the audit, and the criteria and approach employed, including references to professional standards.
• Key findings and recommendations, and a summative conclusion may be provided.
• A statement of assurance should be included or referenced, if it is located in the conclusions section or provided in a covering memorandum.
• Above all, management should be able to readily focus on and understand the important issues being reported.
INTRODUCTION
• May cover general information on the area being audited e.g. a project, organization etc.
• Also its establishment law, objectives and functions.
OBJECTIVE
• Reason for the engagement and the specific objectives
SCOPE
Context of the subject matter (e.g. a description of the program, activity, issue, organization, or system examined, its place within the department or agency, and its importance or a description of exclusions)
Timing (the period covered by the evidence examined)
APPROACH OR METHODOLOGY
• Criteria (against which the observations and assessments were made and conclusions were drawn)
• Work conducted
• Standards used (any professional standards, e.g. IIA, governing how the work was done)
• Timing (the period during which the work was done)
FINDINGS AND RECOMMENDATIONS
• For each area of observation/finding:
o (A paragraph(s) may be employed to introduce the essence of the observation)
o Condition; Criteria; Cause and Effect/ Impact and Exposure to risk
o Recommendation (action required and responsibility) = sub-heading
o Management (Auditee/ Head of Unit/Department) Response and Action Plan (or as a separate section as below) = sub-heading
▪ Action to be taken for each recommendation
▪ Timing
CONCLUSIONS
• Conclusions on objectives and any qualifications
• Compliance with relevant laws, regulations, policies, and standards
• A summative conclusion may be desirable
• A statement of assurance may be included or may be referenced if it is addressed in a covering memorandum
• Other higher level results relative to engagement objectives
COMPLIANCE / ACTION PLAN
• In the final conclusion of the audit, the following compliance plan was agreed between the auditors and management
Actionable Area    Action Plan    Person Responsible    Due Date
• We have no further comments and agree to the action plan as committed above
Auditor               Auditee
Signed in original    Signed in original
Name
Signature
ACKNOWLEDGEMENT
APPENDICES
Template 14: Sample of working papers
Template 14. A: Team Meeting Minutes
Ministry of Finance and Economic Affairs, Government of Tanzania
No.: E10
Client: Procurement Management Unit
Title: Team Meeting Minutes
Period:
Prepared by: S.O.    Prepared on: 25/09/2015
Reviewed by: H.T.    Reviewed on: 26/09/2015
(Must be in handwriting)
I. Date: **/**/2015, 10:00-11:00
II. Venue: Meeting Room
III. Audit Team members / Attendees:
Name            Title    Attendance
1. ***** ****   CAE
2. ***** ****   AIC
3. ***** ****   IA
4. ***** ****   IA
5. ***** ****   IA
(Chief Audit Executive should call a meeting of all staff who will be involved in the engagement.)
IV. Minutes:
(1) Nature of the audit
Operational audit for ascertaining whether:
the procurement procedure complies with Regulations,
stocks procured are kept in records properly,
fuel consumption is kept in records appropriately.
………
(For staff planning meeting, refer to MAN of “4.4 PLANNING THE AUDIT ENGAGEMENT”. Examples of agenda are provided.)
(8) Importance of meeting deadlines for completion of the audit
Meeting/Deliverable     Date
Entrance meeting        dd/mm/yyyy
Engagement Plan         dd/mm/yyyy
Fieldwork               dd/mm/yyyy
Interim exit meeting    dd/mm/yyyy
Due for Draft Report    dd/mm/yyyy
Exit meeting            dd/mm/yyyy
Due for Final Report    dd/mm/yyyy
Template 14. B: Folder Cover for Current Audit File
THE UNITED REPUBLIC OF TANZANIA
MINISTRY OF:_____________
AUDIT FOLDER COVER
AUDIT PROJECT/FOLDER NUMBER:
ASSIGNMENT TITLE:
AUDIT PERIOD:
CLIENT NAME/ADDRESS:
OFFICE/LOCATION:
AUDIT TEAM LEADER:
AUDIT STAFF:
Project Approval by CAE/Audit Manager
Signature/stamp:
Date:
WARNING- CAUTION REQUIRED
This file contains information which has restricted access for all unauthorized
persons. Special safeguarding measures should be followed at all times.
Template 14. C: Audit Project Reminder List
Planning    Completed (Date)    (Name)
Held an audit team meeting and discussed on:
- Nature of the assignment
- Where the activity stands in the organization
- The unit’s monetary significance
- The unit’s objectives and nature of operations
- The relevant laws, rule, regulations and policies
- Tentative engagement objectives
Conducted an in-office review/or a permanent file is reviewed for:
- Permanent file reviewed for:
- Activity rules, laws and regulations
- Material on the organization & chart
- Nature and location of physical assets and accounting records
- Financial information [budgets, actual, cash flow etc]
- Internal policies & operating manuals
- Prior period internal audit and external audit reports and related replies
- Prepared a summary of the prior deficiencies and suggestions
- Opened a current file for the engagement
- Reviewed related internal auditing literature on the subject to be reviewed
First Contact with the Auditee on the assignment:
- Sent engagement letter at least 5 working days before entrance conference
- Copy of engagement letter filed in the current file
- Conducted an entrance meeting
- Proper notes taken during the meeting
- Document every aspect of the above and put in the current file
Conducted preliminary survey:
- Made a physical tour of the office/premises
- Reviewed all legally required documents
- Reviewed their financial profile
- Interviewed managers and key personnel to be audited
- Identified key problems/ risky areas and their related controls
- Formulated engagement objectives as a result of the review
- Documented every aspect of the above and file in the current file
- Produced a preliminary survey report/ engagement plan document
Prepared the audit program:
Prepared the audit program
Reviewed the audit program and this check list with the CAE:
Date of review :
CAE/ Audit Supervisor:

Fieldwork    Completed (Date)    (Name)
- Posted project time record each day and reported time each week to the CAE/ Audit supervisor.
- Forecasted calendar date of fieldwork completion at mid-point of the field work.
- Made sure to follow the procedures in the audit program and required CAE’s authorization on each departure.
- Kept proper work papers and proper evidence and put in current file
- Maintained the 5 attribute format for every audit finding.
- Discussed with client management personnel their availability for review of findings and draft reports so as to anticipate vacations and other absences.
- Reviewed fieldwork notes and all necessary procedures by CAE/Supervisor:
Date of review :
CAE/ Audit Supervisor:

Final    Completed (Date)    (Name)
- Completed record of audit findings and report outline, and reviewed them with the CAE/ Supervisor.
- Prepared audit report draft and cross-referenced it to the working-papers.
- Transferred appropriate records to the permanent file
- Described matters to be considered in other audit projects in writing and placed notes of such matters in the appropriate permanent files
- Scheduled reviews of the draft report with client’s personnel
- Confirmed status of completed and open deficiency findings either by test or by review with client personnel
- Performed final verification of the draft report, as modified by review with client or otherwise, before submitting it for final typing
- Examined prior working papers and suggested to the CAE/superior which should be retained and which destroyed
- Completed current audit working papers and submitted them to the CAE/ supervisor before filing them
- Placed record of the open findings in a follow-up file so that they would be monitored until considered closed
- Returned all documents taken from office files to those files
Date of review :
CAE/ Audit Supervisor:
Template 14. D: Specimen of Engagement Objectives
Ministry of Finance and Economic Affairs, Government of Tanzania
No.: BA
Client: Procurement Management Unit
Period: FY 2015 (Jul. 1, 2015 – Sept. 30, 2015)
Title: Procurement through Tender - Goods, works, services

Engagement Objectives
BA-1: Tentative Engagement Objectives
BA-2: Final (Refined) Engagement Objectives

Engagement Objectives                                                                             Ref. to (Program)    Ref. to (FA sheet/SOF)
1. To determine as to whether the tender documents are properly prepared and approved.            B1                   FA-1
2. To ascertain as to whether advertisement of bid opportunities is done properly.                B2                   FA-2
3. To ascertain as to whether tenders are properly received and opened.                           B3                   N/A
4. To ascertain as to whether tenders are evaluated and award decision is made properly.          B4                   N/A

(Engagement Work Program should be created for each objective. Fill in the reference to the Program.)
(Fill in the reference to the Five Attribute Sheet, if any.)

Auditor in charge
Signature: S.O.    Date: 07/10/2015    (Must be in handwriting)
CAE
Signature: H.T.    Date: 07/10/2015    (Must be in handwriting)

At the Initiating the Engagement phase, objectives are set tentatively. After the preliminary survey (Planning the Engagement phase) and before the fieldwork, the objectives are fixed. AIC and CIA should sign off when the objectives are finalized.
HANDBOOK-AID
Template 14. E: Sample of Engagement Letter
THE UNITED REPUBLIC OF TANZANIA
MINISTRY OF *********
Telegrams : "XXX” DODOMA
Telephone : VYYY
Fax: XXCXCNM, ZZZ.
P. O. BOX *****,
DODOMA
(All official communications should be
addressed to the Permanent Secretary
XXX and not to individuals).
In reply please quote:
Ref. No:
DATE:
Engagement letter (sample)
To: *************
From: CAE
SUBJECT:
In accordance with our Financial Year 2012/13 Audit plan, we will conduct an operational
audit of [audit area] in the near future. The audit will be approached in the same manner as
that of any other activity. The audit will examine if it is fulfilling its obligations in an effective
and efficient manner.
We will contact you in order to arrange an entrance conference to discuss the various
aspects of our audit. [Auditor’s name] will conduct the audit and [audit supervisor’s name]
will supervise the engagement. Should you have any question regarding this, please feel
free to contact [auditor’s name] [supervisor’s name], or me. We can be reached at
extensions [auditor’s #] [supervisor’s #], or #.
CAE
Cc: **********
Template 14. F: Example of Agenda for Entrance Meeting
During the Entrance Meeting the following may be discussed:
a) Introduction, scope and objectives:
• The audit team and the activity management introduce themselves to each other.
• The client should describe the unit, its resources etc.
• Share the basic scope and objectives planned for the audit.
• Emphasize that the purpose of the audit is to add value to the organization and assist management by providing analysis, appraisals, recommendations, and information concerning the activities reviewed, all designed to assist management in the attainment of their objectives.
• Determine who will be the contact person from the client (note: it should not be the director or a person too high; it should be a person who will be able to open doors for you, be available and knowledgeable about the activity).
b) Audit process and progress:
• Give a brief overview of the audit process (i.e. from preliminary survey to reporting). This will help the client to understand what you are doing.
• Establish a clear understanding with audited management about keeping their personnel advised of the audit progress and findings.
• Provide the client with a tentative audit event timeline (i.e. estimated dates of fieldwork, interim meetings, exit meeting, audit report issuance, and follow-up audits).
c) Internal Audit Findings (i.e. explain how audit findings will be handled) e.g.:
• Resolution of minor findings,
• That there will be a discussion of all findings on a current basis to permit the audit client to assist in developing the improvement actions and take timely improvement action,
• That there will be an exit conference at the completion of the fieldwork to reconfirm all findings and improvement actions planned,
• That there will be a collective review of the draft report,
• And the methods of distribution of the final audit report.
d) Areas of special concern and consulting Activities:
• It is important that the client identifies issues or areas of special concern that should be checked.
• Auditors also should ask for suggestions of problem areas where the auditors can be of assistance to the activity management.
• Careful consideration must be given to any suggestions and requests to ensure that there is need of audit attention. (Do not become involved in functional or operating activities.)
e) Cooperative Administration:
• Inquire about working hours, access to records, available work area for participating internal auditors, the audit client's various work deadline requirements, and any other information that will help schedule the audit activities to fit into the office routine with minimal disruption to the audit client's personnel.
f) Tour of the facility for familiarization:
• Arrange to meet other personnel the auditor will be working with during the audit.
• Also arrange for a familiarization tour of the physical facilities, necessary security clearances, and a safety orientation where appropriate.
Template 14. G: Entrance Conference Minutes
Date and Venue: **/**/20**
I. Attendees:
Name
Title Org./Dept
Telephone/E-mail
1. __________ _________ _______________ ____________________
2. ___________ __________ _______________ ____________________
3. ___________ __________ _______________ ____________________
4. ___________ __________ _______________ ____________________
5. ___________ __________ _______________ ____________________
II. Opening Remarks/ Introduction:
•
•
III. Objectives and Plan of the Whole Audit:
•
•
IV. Other Issues From the Client to be Considered:
•
•
•
V. Logistical Arrangement and Conclusion:
•
•
Auditee
Signed by
Date
Title
Auditors
Signed by
Date
Title
Template 14. H: Risk Control Matrix
Ministry of xxxx
Engagement Title : Procurement through Tender - Goods, works, services
Date:
Period : 2015/07 - 2015/09
Reviewed by:
copied from
Narrative Notes (C2)
C5
Prepared by:
Date:
C5 Risk Control Matrix (RCM)
Can be deleted → Sub process name
Narrative Step No.
Preliminary Survey
Engagement Objective No., Risk Descriptions and Ratings are copied from C4
Goods, work, service
2
PMU checks the description in a request letter, compares it to the annual procurement plan and sends the request letter to Accounting Officer
Goods, work, service
3
Accounting officer confirms funds availability or budget, authorizes the request letter and sends it back to PMU.
Goods, work, service
5
HPMU reviews text of invitation (tender notice) and tender document, and sends them to Tender Board for approval.
Goods, work, service
6
Tender Board approves the text of invitation and tender document (approval can be made through circular resolution).
Control carried out by role (Responsible)
PMU
Accounting Officer
HPMU
Tender Board
Related Criteria
PPA 2011, Sec. 38
PPA 2011, Sec. 36
Frequency of Control
At a time
At a time
Control Evidence
1. request letter
2. annual procurement plan
1. request letter
Control Description
Risk Rating
OBJECTIVE No.
1
1
2
Risk Description
R1-1 Request is not reviewed and unauthorized procurement is proceeded.
R1-2 Tendering procedure with incomplete tender documents
R2-1 Invitation is not properly reviewed and approved.
3
R3-1 Tenders are not properly received and opened.
4
R4-1 Tenders are not properly evaluated.
4
R4-2 Recommendations of the evaluation team is not properly approved.
・・・ Key Control
Impact  Likelihood  Rate
◎
◎
When there is finding, related risk(s) is copied to Five Attribute Sheet (FA-xx)
Confirmed understanding of the control system (Yes = Same as narrated, No = not as narrated)
Walkthrough
Conclusion for Control Adequacy (Yes/No)
Fieldwork
PPA 2011, Sec. 33
PPR 2013, Sec. 57(1), 58, 181, 185 (2)
At a time
At a time
1. text of invitation
1. text of invitation (tender notice)
2. tender document
2. tender document
(3. circular resolution)
PPR 2013, Sec. 55, 181, 185
Audit Procedure
Population
Sample size
Workpaper Ref
Operational Effectiveness
Need Follow-up?
○
◎
○
◎
If control is not adequately placed, prepare Five Attribute Sheet (FA-xx)
Copied to Engagement Work Program (B1, B2, ...)
Yes
Yes
Yes
No (FA-1)
Obtain request letter on a sample basis and verify whether there is an evidence of confirming of funds by Accounting Officer.
N/A (not key control)
N/A (not confirmed as narrated)
Yes
Obtain request letter on a sample basis and annual procurement plan and verify whether there is an evidence of checking.
List of procured goods, work, service
List of procured goods, work, service
Depends on the Population above and professional judgement
No need to test because this is not a key control
-
Impossible to test: this control is not confirmed as narrated
B1-1
B1-2
Effective
Effective
-
-
No
No
No
Yes
NB: see next page for explanations on the template
Note on the Risk Control Matrix:
i. The starting point for assessing risks is the “operating objectives” of the area
being audited.
ii. Then identify risks that are inherent to impact on the objectives or the activity.
iii. Impact and Likelihood can also be expressed in numbers as in the table below:
Number    Impact          Likelihood
5         Catastrophic    Almost certain
4         Major           Likely
3         Moderate        Possible
2         Minor           Unlikely
1         Insignificant   Rare
iv. Total risk is the product of Impact (I) multiplied by Likelihood (L). The highest
product is 25 and the lowest product is 1.
v. Decisions on the severity of total risk are made based on the following band levels:
Total Risk (Band Level)    Description          Expression in Colour
15-25                      Extreme or severe    Red
10-14                      High                 Light brown
5-9                        Moderate             Yellow
1-4                        Low                  Green
vi. Possible risk response and auditors’ action
Total Risk (Band Level)    Description          Risk Responses            Internal Auditor’s Action
15-25                      Extreme or severe    Reduce, Share or Avoid    Continue
10-14                      High                 Share or Reduce           Continue
5-9                        Moderate             Reduce                    Continue
1-4                        Low                  Accept                    Stop
vii. Risk criteria: control effectiveness
Rating: Description
Good (1): Nothing more to be done except review and monitor the existing controls. Controls are well designed for the risk, address the root causes and management believes that they are effective and reliable at all times.
Satisfactory (2): Controls are designed correctly and are in place and effective. Some more work to be done to improve operating effectiveness or management has doubts about operational effectiveness and reliability.
Poor (3): While the design of the controls may be largely correct in that they treat most of the root causes of the risk, they are not currently very effective. Or some of the controls do not seem correctly designed in that they do not operate at all effectively.
Very poor (4): Significant control gaps. Either controls do not treat root causes or they do not operate at all effectively.
Uncontrolled (5): Virtually no credible control. Management has no confidence that any degree of control is being achieved due to poor control design and/ or very limited operational effectiveness.
Template 14. I: Process Narrative Notes
C2
Ministry of xxxx
Engagement Title : Procurement through Tender - Goods, works, services
Period: 2015/07 - 2015/09
C2 Narrative Notes
Prepared by:
Date:
Reviewed by:
Date:
※ Highlighted cells are "INTERNAL CONTROLs" and documents (evidences) are UNDERLINED.
Step NO.
WT Ref
User Department prepares request letter and specification requirements.
1
PMU
Accounting officer
Evaluation Committee
Tender Board
Bidder
Legal Department
Attorney General
Fill in WP reference of Walkthrough evidences in this column. WT reference
PPA 2011, Sec. 38
When the Narrative has been already created, maintain and improve the documentation by updating the information.
Accounting officer confirms funds availability or budget and authorizes the request letter and send it back to PMU.
3
Criteria
PPA 2011, Sec. 39
PMU checks description in a request letter and compare to the annual procurement plan and send request letter to Accounting Officer.
2
Negotiation Team
PPA 2011, Sec. 36
4
PMU officer drafts text of invitation (tender notice) and tender document.
PPR 2013, Sec. 55, 181
5
HPMU reviews text of invitation (tender notice) and tender document, and send them to Tender Board for approval
PPR 2013, Sec. 55, 181, 185
Template 14. J: Example of an Internal Control Questionnaire (ICQ)
No.    Question on Expected Controls    W/P Ref:    YES    NO    Auditor’s Comments
1. Is there inadequate segregation of duties?
Separation of authorization and payment procedures?
2. Are approved imprest procedures contravened?
a) Imprest drawn against properly authorized warrant and not exceeded?
b) Replenishment and retirement procedures correctly carried out?
c) Cash book, vouchers, supporting documents submitted for replenishment and retirement?
d) Imprest cash book posted daily and regularly balanced?
e) Regular departmental cash checks carried out?
3. Can unauthorized or improperly supported payments be made?
a) Imprest Cash Vouchers properly authorized and supported by receipts, invoices etc?
b) Is Vote Book entered and initialed?
c) Correct budget codes shown?
d) Payments made within authorized budget allocations?
4. Etc.
5. Etc.
Template 14. K: Testing Sheet
Ministry of Finance and Economic Affairs, Government of Tanzania
No.: B1-1
(Note: Referenced Unit from Engagement Work Program.)
Client: Procurement Management
Title: Procurement through Tender - Goods, works, services
Testing Sheet
Period: 2015/07-2015/09
Prepared by: S.O.
Prepared on: 14/10/2015
Reviewed by: H.T.
Reviewed on: 14/10/2015
(Note: Must be in handwriting)
Objective/
(Note: Copied from Engagement Work)
1. To determine as to whether the tender documents are properly prepared and approved.
Procedure
(Note: Copied from Engagement Work)
1.1 Obtain request letter on a sample basis and annual procurement plan and verify whether there is an evidence of checking.
Criteria, Basis/
(Note: Copied from RCM.)
PPA 2011, Sec. 36
Work done/
(Note: Document detailed test performed for each procedure described above.)
1.1.1 Checked whether the requested goods/item/service is in the annual procurement plan.
1.1.2 Checked whether there is an evidence of checking (comments/signature) of HPMU.
Results/
(Note: Describe the samples selected and results of testing of each sample. Sample information MUST contain UNIQUE information so that a third person can identify what you tested later (if necessary).)
No Request Letter No. 1.1.1
1
xxxx1
OK
2
xxxx3
OK
See FA-1
3
xxx10
1.1.2
OK
OK
OK
Findings/
(Note: Any findings should be referred to Five Attribute Sheet. Five Attribute Sheet should be prepared for each finding. Details of finding are described on Five Attribute Sheet.)
Based on the results of the testing, here is the finding:
Ref to | Findings
FA-1 | No evidence of reviewing by HPMU.
Conclusion/
(Note: Conclusion should be a description that tells whether or not engagement objective is achieved.)
No exception noted except the finding above.
Template 14. L: Five Attribute Sheet
No.: FA-1
(Note: Must be referenced TO Summary of Findings & Recommendations (SOFR).)
Ministry of Finance and Economic Affairs, Government of Tanzania
Client: Procurement Management Unit
Title: FIVE ATTRIBUTE SHEET/ (Procurement Procedure - through Tender - Goods, works, services)
Period: 2015/07 - 2015/09
Prepared by: S.O.
Prepared on: 16/10/2015
Reviewed by: H.T.
Reviewed on: 16/10/2015
(Note: Must be in handwriting)
Engagement Objective: To determine as to whether the tender documents are properly prepared and approved.
Condition: There is no evidence that the head of PMU checked description in a request letter and compared it to the annual procurement plan. Refer to FA-1-1
Same finding disclosed in the last audit?: Yes ____ No ____ ✔
Criteria: PPA 2011, Sec. 36
Test Performed: Refer to B1-1
Cause(s): PMU failed to keep the evidence because they did not know the consequences of not keeping the evidence of review.
Risk(s): Request is not reviewed and unauthorized procurement proceeds.
(Note: Reference number should be from relevant working paper.)
(Note: Risk(s) should be from C4 or C5)
Recommendation(s): PMU staff should maintain the evidence of all internal controls. PMU staff should have training(s) about effects of not maintaining the internal control evidences.
(Note: Fill in the form based on the result on the testing sheet & supporting documents.)
Comments and Action Plan(s) by responsible official: Training will be provided to PMU staff. Also, all the evidence of internal controls will be maintained properly on HPMU’s own responsibility.
Categorization of Action Plan: HIGH | MEDIUM | LOW
Template 14. M: Memorandum/ Transmittal Letter
THE UNITED REPUBLIC OF TANZANIA
MINISTRY OF *********
Telegrams : "XXX” DAR ES SALAAM
Telephone : VYYY
P. O. BOX *****,
DAR ES SALAAM
Fax: XXCXCNM, ZZZ.
(All official communications should be
addressed to the Permanent Secretary
XXX and not to individuals).
In reply please quote:
Ref. No:
DATE: **/**/20**
MEMORANDUM/ TRANSMITTAL LETTER
To: *************
Note: Modify the contents when using this format.
From: CAE
SUBJECT:
We have completed an audit of human resources management. Our audit
covered the reviews of recruitment procedures; training needs assessment and training
provision to staff; and procedures for monitoring, improving and rewarding
performance in the organization.
Controls were generally adequate and effective except for some shortcomings
especially lack of succession plan, lack of clear guidance for carrying out training needs
assessment (TNA) and lack of systematic records of human resources (HR) in the
organization. The details of these findings will be found in the attached report. Overall,
however, the human resources department appears to be meeting its major objectives.
Corrective action has been initiated and the department is continuing to correct
all reported findings.
CAE
Cc: **********
Template 14. N: Follow-up Audit Documentation
Ministry of Finance
Government of Tanzania
Follow-up Audit
W/P Ref:
Client:
Title:
Period:
Subject:
Prepared by:
Prepared on:
Reviewed by:
Reviewed on:
Ref. No. | Recommendation From Report | Agreed Action Plan | Implementation Status | Auditor’s Comments or Remarks
Template 15: Format of Internal Audit Quarterly
PRELIMINARIES
• COVER PAGE
• TABLE OF CONTENT
• ACKNOWLEDGEMENT
• LIST OF ABBREVIATIONS AND ACRONYMS
• LIST OF FIGURES & TABLES
• EXECUTIVE SUMMARY
MAIN DOCUMENT
1.0 INTRODUCTION AND BACKGROUND INFORMATION
May cover the following:
• Internal Audit Function - mandate and key functions
• Internal audit staff at the organization
• Vision, mission and key functions of the organisation
2.0 PROGRESS ON IMPLEMENTATION OF THE ANNUAL AUDIT PLAN
This chapter should highlight the following:
• Planned audit activities/ services during the quarter.
• Activities/ Services implemented during the quarter (can also quantify in percentage)
• Successes and challenges encountered so far in implementing the annual audit plan
STATUS OF PREVIOUS QUARTER’S AUDIT RECOMMENDATIONS
List the recommendations which were outstanding during the previous quarter and indicate their status of implementation
Report Date | Report Title | High Level Audit Objective(s) | Audit Issue(s) | Recommendation(s) | Status of Implementation | Any Other Remark(s)
3.0 AUDIT ACTIVITIES/SERVICES PERFORMED DURING THE QUARTER
The key chapter showing summary of the following:
Audit activities/ services performed by the Internal Audit Unit during the quarter. The
audit activities/ services should be grouped into two categories viz Audit Services
(Assurance & Consulting Services) and Non-Audit Activities/ Services
3.1 Audit Services (Assurance & Consulting Services)
3.1.1 Assurance Activities/ Services
(i) Payroll Audit
(ii) Human Resources Audit
(iii) Procurement Audit
(iv) Budgeting Audit
(v) etc
NB. Provide summary audit issues, recommendations, management response and
agreed action plans for each audit assignment either using narratives or tabular form
3.1.2 Consulting Services
Detail other consulting services that were performed by the Unit (i.e. special audits
requested by management and other consulting services)
Examples:
(i) Special Audit on ……
(ii) Risk Management and Development Risk Register Training
(iii) Facilitate training in preparation of final accounts to finance staff
etc
3.2 Non-Audit Activities
List all non-audit activities that were performed by the Unit during the quarter (e.g.
attending non-audit meetings etc)
4.0 CONCLUSION AND RECOMMENDATIONS
Conclusion and proposed recommendations for overcoming the obstacles that were
encountered by the IAU during the period (i.e. improvement of audit services in the
next quarter).
APPENDICES
Template 16: Format of Internal Audit Annual Report
PRELIMINARIES
• COVER PAGE
• TABLE OF CONTENT
• ACKNOWLEDGEMENT
• LIST OF ABBREVIATIONS AND ACRONYMS
• LIST OF FIGURES & TABLES
• EXECUTIVE SUMMARY
MAIN DOCUMENT
5.0 INTRODUCTION AND BACKGROUND INFORMATION
May cover the following:
• Internal Audit Function - mandate and key functions
• Internal audit staff at the organization
• Vision, mission and key functions of the organisation
6.0 PROGRESS ON IMPLEMENTATION OF THE ANNUAL AUDIT PLAN
This chapter should highlight the following:
• Planned audit activities/ services during the quarter or year
• Activities/ Services implemented during the quarter (can also quantify in percentage)
• Successes and challenges encountered so far in implementing the annual audit plan
7.0 STATUS OF PREVIOUS QUARTER’S AUDIT RECOMMENDATIONS
List the recommendations which were outstanding during the previous quarter and indicate their status of implementation
Report Date | Report Title | Audit Objective(s) | Audit Issue(s) | Recommendation(s) | Status of Implementation | Any Other Remark(s)
8.0 AUDIT ACTIVITIES/SERVICES PERFORMED DURING THE YEAR
The key chapter showing summary of the following:
Audit activities/ services performed by the Internal Audit Unit during the year. The
audit activities/ services should be grouped into two categories viz Audit Services
(Assurance & Consulting Services) and Non-Audit Activities/ Services
8.1 Audit Services (Assurance & Consulting Services)
8.1.1 Assurance Activities/ Services
(vi) Payroll Audit
(vii) Human Resources Audit
(viii) Procurement Audit
(ix) Budgeting Audit
(x) etc
NB. Provide summary audit issues, recommendations, management response and
agreed action plans for each audit assignment either using narratives or tabular form
8.1.2 Consulting Services
Detail other consulting services that were performed by the Unit (i.e. special audits
requested by management and other consulting services)
Examples:
(iv) Special Audit on ……
(v) Risk Management and Development Risk Register Training
(vi) Facilitate training in preparation of final accounts to finance staff
etc
8.2 Non-Audit Activities
List all non-audit activities that were performed by the Unit during the year (e.g.
attending non-audit meetings etc)
9.0 CONCLUSION AND RECOMMENDATIONS
Conclusion and proposed recommendations for overcoming the obstacles that were
encountered by the IAU during the period (i.e. improvement of audit services in the
next quarter).
APPENDICES
Template 17: Checklist and rating for QAIP
Overall Evaluation | GC | PC | DNC
Attribute Standards (1000 through 1300) | GC | PC | DNC
1000 Purpose, Authority and Responsibility
1010 Recognizing Mandatory Guidance in the Internal Audit Charter
1100 Independence and Objectivity
1110 Organizational Independence
1111 Direct Interaction with the Board
1112 Chief Audit Executive Roles Beyond Internal Auditing
1120 Individual Objectivity
1130 Impairment to Independence or Objectivity
1210 Proficiency
1220 Due Professional Care
1230 Continuing Professional Development
1310 Requirements of the Quality Assurance and Improvement Program
1311 Internal Assessments
1312 External Assessments
1320 Reporting on the Quality Assurance and Improvement Program
1321 Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”
1322 Disclosure of Nonconformance
Performance Standards (2000 through 2600) | GC | PC | DNC
2000 Managing the Internal audit function
2010 Planning
2020 Communication and Approval
2030 Resource Management
2040 Policies and Procedures
2050 Coordination and Reliance
2060 Reporting to Senior Management and the Board
2070 External Service Provider and Organizational Responsibility for Internal Auditing
2100 Nature of Work
2110 Governance
2120 Risk Management
2130 Control
2200 Engagement Planning
2201 Planning Considerations
2210 Engagement Objectives
2220 Engagement Scope
2230 Engagement Resource Allocation
2240 Engagement Work Program
2300 Performing the Engagement
2310 Identifying information
2320 Analysis and Evaluation
2330 Documenting Information
2340 Engagement Supervision
2410 Criteria for Communicating
2420 Quality of Communications
2421 Errors and Omissions
2430 Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”
2431 Engagement Disclosure of Nonconformance
2440 Disseminating Results
2450 Overall Opinions
Code of Ethics | GC | PC | DNC
[These rating definitions must be included in each report to describe the opinion used]
RATING DEFINITIONS
GC – “Generally Conforms” means that the assessor or the assessment team has
concluded that the relevant structure, policies, and procedures of the activity, as well
as the processes by which they are applied, comply with the requirements of the
individual standard or elements of the Code of Ethics in all material respects. For the
sections and major categories, this means that there is general conformity to a majority
of the individual Standards or elements of the Code of Ethics and at least partial
conformity to the others within the section/category. There may be significant
opportunities for improvement, but these should not represent situations where the
activity has not implemented the Standards or the Code of Ethics and has not applied
them effectively or achieved their stated objectives. As indicated above, general
conformance does not require complete or perfect conformance, the ideal situation, or
successful practice, etc.
PC – “Partially Conforms” means that the assessor or assessment team has
concluded that the activity is making good-faith efforts to comply with the requirement
of the individual standard or elements of the Code of Ethics or a section or major
category, but falls short of achieving some major objectives. These will usually
represent significant opportunities for improvement in effectively applying the
Standards or the Code of Ethics and/or achieving their objectives; some deficiencies
may be beyond the control of the internal audit function and may result in
recommendations to senior management or the board of the organization.
DNC – “Does Not Conform” means that the assessor or assessment team has concluded
that the internal audit function is not aware of, is not making good-faith efforts to
comply with, or is failing to achieve many or all of the objectives of the individual
standard or element of the Code of Ethics or a section or major category. These
deficiencies will usually have a significantly negative impact on the internal audit
function's effectiveness and its potential to add value to the organization. These may
also represent significant opportunities for improvement, including actions by senior
management or the board.