Internal Audit Manual - NSW Treasury

NSW TREASURY
CLUSTER
Internal Audit Manual
March 2014
NSW Treasury Cluster Audit Manual
CONTENTS
1.0 INTRODUCTION
  1.1 BACKGROUND
  1.2 PURPOSE
  1.3 SCOPE
  1.4 AUTHORITY
2.0 GENERAL POLICIES AND STANDARDS
  2.1 INTERNAL AUDIT CHARTER
  2.2 AUDIT STANDARDS AND GUIDING PRINCIPLES
  2.3 AUDIT & RISK COMMITTEE CHARTERS
  2.4 LONG SERVICE CORPORATION COMMITTEE CHARTER
3.0 PERSONNEL
  3.1 AUDIT & RISK COMMITTEE
  3.2 CHIEF AUDIT EXECUTIVE (CAE)
  3.3 AN OUTSOURCED SERVICE PROVIDER MODEL
    3.3.1 Proficiency and Due Professional Care
  3.4 RESOURCE USE
4.0 PLANNING THE INTERNAL AUDIT PROGRAM
  4.1 STRATEGIC AUDIT PLANNING
  4.2 ANNUAL AUDIT PLAN
  4.3 FIELD AUDIT PLAN (DETAILED SCOPE)
5.0 AUDIT METHODOLOGY
  5.1 THE AUDIT CYCLE - SUMMARY
  5.2 ENGAGEMENT PLANNING (DETAILED SCOPING)
    5.2.1 Project Approval
    5.2.2 Project Brief
    5.2.3 Planning Meeting
    5.2.4 Audit Criteria
    5.2.5 Detailed Scope (Terms of Engagement)
  5.3 UNDERTAKING THE AUDIT
    5.3.1 Opening (‘Kick-off’) Meeting
    5.3.2 Risk Assessment (Risk and Control Matrix)
    5.3.3 Control Analysis (Risk and Control Matrix)
    5.3.4 Audit Programs (Field Audit Program)
    5.3.5 Audit Evidence
    5.3.6 Working Papers
    5.3.7 Conclusion and Evaluation
    5.3.8 Working Paper Review
    5.3.9 Current Working Papers
    5.3.10 Exit Interviews (End of Fieldwork Meetings)
  5.4 AUDIT REPORTS
    5.4.1 Basic Components of an Internal Audit Report
    5.4.2 Report Writing Style
  5.5 DRAFT REPORTS
  5.6 EXIT MEETING
  5.7 CLOSE-OUT MEETING
  5.8 FINAL REPORT
  5.9 AUDIT & RISK COMMITTEE REPORTING
  5.10 CLOSING OUT THE AUDIT
6.0 EXTERNAL AUDIT
  6.1 LINKING INTERNAL WITH EXTERNAL AUDIT
  6.2 THE ANNUAL AUDIT PROCESS: STATUTORY RULES
    6.2.1 Agencies
    6.2.2 Crown
    6.2.3 Total State Sector Accounts (TSSA):
  6.3 PRACTICAL ARRANGEMENTS
  6.4 CLIENT SERVICE PLANS (CSPS) (EARLY MAY)
    6.4.1 Drafting and Finalising the CSP
    6.4.2 CSP Due Date
    6.4.3 Role of Audit Committee:
  6.5 AO COMMENT ON EARLY CLOSE PROCEDURES (LATE MAY)
  6.6 CLIENT SERVICE REPORT (MID SEPTEMBER)
  6.7 MANAGEMENT REPRESENTATION LETTER (LATE SEPTEMBER)
  6.8 STATEMENT OF ASSURANCE ACCOMPANYING FINANCIAL STATEMENTS
  6.9 CHANGES TO THE FINANCIAL STATEMENTS AFTER SUBMISSION FOR AUDIT
  6.10 INDEPENDENT AUDITOR’S REPORT (LATE SEPTEMBER)
  6.11 STATUTORY AUDIT REPORT (LATE SEPTEMBER)
  6.12 MANAGEMENT LETTER (MID – LATE OCTOBER)
  6.13 AUDITOR-GENERAL’S REPORT TO PARLIAMENT (DRAFT PROVIDED OCTOBER)
  6.14 RELATIONSHIP BETWEEN EXTERNAL AUDIT AND THE AUDIT & RISK COMMITTEE
  6.15 EXTERNAL AUDIT ROLE IN INTERNAL AUDIT PLANNING
7.0 ENGAGEMENT EVALUATIONS & PERFORMANCE REVIEWS
  7.1 QUALITY ASSURANCE AND IMPROVEMENT PROGRAM
    7.1.1 Internal Assessments
    7.1.2 External Assessments
    7.1.3 Reporting on the Quality Assurance and Improvement Program
ANNEXURE A
  ASAE 3000 COMPLIANCE
  QUALITY ASSURANCE IMPROVEMENT CHECKLIST
  DELIVERABLES CHECKLIST (PROVIDER)
ANNEXURE B
  INTERNAL AUDIT PROVIDER SELECTION
    Appointment and Contract
ANNEXURE C
  Audit Sampling
  When to Use Statistical Sampling
  When to Use Non-Statistical Sampling
1.0 INTRODUCTION
1.1 Background
Treasury Circular NSW TC 09/08 implements policy and guidelines
paper TPP 09-05, the “Internal Audit and Risk Management Policy”.
The policy draws on the practice of exemplar organisations in the
public and private sectors.
The policy aims to ensure that NSW agencies maintain organisational
arrangements that provide additional assurance, independent of
operational management, on internal audit and risk management.
To achieve consistent application across the sector, the policy
mandates a set of ‘core requirements’ that agencies (i.e. both
departments and statutory bodies) must implement. The six core
requirements are:
• Core Requirement 1: Internal Audit Function - the requirement to
  establish and maintain an Internal Audit function
• Core Requirement 2: Audit & Risk Committee - the requirement to
  establish and maintain an Audit & Risk Committee
• Core Requirement 3: Independent Chairs and Members - Committee
  composition, and the requirement to appoint an independent chair
  and a majority of independent members
• Core Requirement 4: Model Charter and Committee Operations –
  the requirement to maintain governance arrangements that ensure
  (a) the real and perceived independence of the Committee and (b)
  the rigour and quality of its oversight and monitoring role
• Core Requirement 5: Risk Management Standards - the
  requirement to implement a risk management process that is
  appropriate to the needs of the agency and consistent with the
  current risk standard, i.e. AS/NZS ISO 31000: Risk Management –
  Principles and Guidelines
• Core Requirement 6: Internal Audit Standards - the requirement to
  ensure that operation of the Internal Audit function is consistent with
  the relevant standard, i.e. Institute of Internal Auditors’ (IIA)
  International Standards for the Professional Practice of Internal
  Auditing and any additional practice requirements set by the Policy.
Consistent with better practice corporate governance principles, the
policy requires department heads and governing boards of statutory
bodies to attest compliance with the core requirements annually, and to
provide this information in a new annual report disclosure.
TPP 09-05 provides agencies with the procedures they need to
implement the core requirements. Its Section 6.7 requires the
development and maintenance of a manual for the internal audit
function.
This NSW Treasury Cluster Internal Audit Manual complies with that
requirement.
1.2 Purpose
The purpose of this Manual is to:
• delineate principles that guide the practice of internal auditing within
  the Treasury Cluster
• provide a framework for performing and promoting value-added
  internal auditing
• establish the basis for the evaluation of internal audit performance
• foster improved organisational processes and operations.
1.3 Scope
This Manual applies across the entire Treasury Cluster, with the
exception of the Treasury Corporation (TCorp), which has its own
arrangements. Unless otherwise specified, “Treasury” should be taken
to mean any or all cluster entities except TCorp.
Refer to Annexures 1 and 2 of the Internal Audit Function Charter for
the list of entities covered by Treasury internal audit.
This Audit Manual addresses both assurance services and consulting
services provided by the Internal Audit function.
These two types of internal audit services have been defined by the IIA
as follows:
Assurance Services – an objective examination of evidence for the
purpose of providing an independent assessment of risk management,
control or governance processes for the organisation.
Consulting Services – advisory and related client activities, the nature
and scope of which are agreed upon with the client and which are
intended to add value and improve an organisation’s operations.
In Treasury these services are used primarily for exercises such as the
review and redevelopment of our Risk Register or for reviews of best
practice in areas important to risk management.
1.4 Authority
This document is consistent with the professional practices set out in
the Institute of Internal Auditors (IIA) Standards 2013. The first
Treasury Internal Audit Manual was endorsed by Treasury’s Audit &
Risk Committee on 27 July 2011. This complete revision was endorsed
by the Committee on 4 December 2013.
2.0 GENERAL POLICIES AND STANDARDS
Treasury’s internal audit function complies with TPP 09-05 and the
Institute of Internal Auditors’ International Standards for the
Professional Practice of Internal Auditing and International Professional
Practices Framework.
2.1 Internal Audit Charter
Treasury’s Internal Audit Charter can be found here.
2.2 Audit Standards and Guiding Principles
Internal audit activities will be conducted in accordance with relevant
professional standards. (Refer Section 7 of the Internal Audit Charter)
2.3 Audit & Risk Committee Charters
Treasury’s Audit & Risk Committee Charter can be found here, and its
Shared Arrangement Charter here.
2.4 Long Service Corporation Committee Charter
The NSW Long Service Corporation has a separate Audit & Risk
Committee, but it shares Treasury’s Chief Audit Executive and
outsourced internal auditors. Its Committee Charter can be found here
(link to be confirmed).
3.0 PERSONNEL
Treasury has outsourced its internal audit function by contracting the
services of an external audit provider. The Chief Audit Executive and
the Audit & Risk Committee oversee internal audit on behalf of the
CEO¹. The service provider is responsible for undertaking internal
audits on their behalf and in line with this Manual.
3.1 Audit & Risk Committee
The roles and responsibilities of the Treasury Audit & Risk Committee
are outlined in its principal department and shared arrangements
Charters (see previous page for links).
3.2 Chief Audit Executive (CAE)
The Chief Audit Executive is responsible, in consultation with the Audit
& Risk Committee, for:
• developing and regularly reviewing an Internal Audit Charter and
  the Charters for the Committee
• developing and maintaining a Treasury Risk Register, based on a
  regular full and proper assessment of Treasury’s risks and on
  Treasury’s Risk Framework
• developing and implementing 3-year and more detailed 1-year Audit
  Plans, prioritised according to the needs identified in the Risk
  Register
• selecting an audit provider to carry out duties as described in 3.3
  below
• implementing a risk based audit methodology for assessing and
  responding to audit findings, with risk ratings aligning with the rating
  system used in the Risk Framework and Risk Register
• ensuring a course of action is recommended for every significant
  audit finding, and ensuring that these actions are referred to
  operational management for formal response
• monitoring Treasury’s progress in implementing endorsed
  management responses to audit recommendations
• providing input which assists the Audit & Risk Committee to be in a
  position to assure the Chief Financial Officer (CFO) and the
  Secretary (as well as the other CEOs) that adequate controls are in
  place around all of the annual financial statements which must be
  approved, including the Total State Sector Accounts.
The Chief Audit Executive is also responsible for developing and
maintaining an annual meeting schedule for the Committee to ensure it
can meet all its commitments, and for providing the Committee’s
secretariat support functions.
¹ “CEO” in this Manual will usually mean “the Secretary, Treasury Cluster”, but it may also or
alternatively refer to the General Manager, RBMC, and/or the Directors of the Ports Lessor
Companies, who act as CEOs in relation to those cluster entities.
3.3 An Outsourced Service Provider Model
Treasury uses an outsourced service provider model for the conduct of
its internal audit program. Whether they are contracted for a single
audit or for a period of time, service providers are responsible for:
• conducting risk-based audits and other projects, as directed by the
  CAE and conformant with this Audit Manual
• providing advice on their work to the CAE and the Audit & Risk
  Committee, and to the Secretary as required.
3.3.1 Proficiency and Due Professional Care
Internal Audit engagements must be performed with proficiency and
due professional care.
(a) Proficiency
The internal audit function collectively must possess or obtain the
knowledge, skills and other competencies needed to perform its
responsibilities effectively.
Internal audit providers are expected to be able to demonstrate their
proficiency through appropriate professional certifications and
qualifications, such as the Certified Internal Auditor designation and
other designations offered by The Institute of Internal Auditors and
other appropriate professional organisations. “Proficiency” includes the
capacity to evaluate the risk of fraud and/or corruption and the manner
in which the risks are managed in Treasury; and sufficient knowledge
of information technology risks and controls to perform their assigned
work. (Specialists will be engaged for IT systems audits.)
If an internal service provider lacks the knowledge, skills, or other
competencies needed to perform all or part of the engagement, s/he
must decline a consulting engagement, or obtain competent advice and
assistance, or advise the Chief Audit Executive to do so.
The Chief Audit Executive must obtain competent advice and
assistance. S/he may terminate the original engagement if the internal
audit providers lack the knowledge, skills, or other competencies
needed to perform all or part of it.
(b) Due Professional Care
Providers must apply the care and skill expected of a reasonably
prudent and competent internal auditor.
Internal audit providers must exercise due professional care by
considering:
• Any real or perceived conflicts of interest that may arise as part of
  the engagement
• The extent of work needed to achieve the engagement's objectives
• The relative complexity, materiality, or significance of matters to
  which assurance procedures are applied
• The adequacy and effectiveness of governance, risk management
  and control processes
• The probability of significant errors, fraud, or non-compliance that
  might affect objectives, operations or resources
• The cost of assurance in relation to potential benefits
In exercising due professional care, internal audit providers must
consider the use of technology-based audit and other data analysis
techniques.
(c) Continuing Professional Development
Internal audit providers must enhance their knowledge, skills and other
competencies through continuing professional development.
(d) Code of Ethics
Internal audit providers are expected to read and abide by the codes of
ethics and conduct set out in the International Professional Practices
Framework. The Code centres on the principles of:
• Integrity
• Objectivity
• Confidentiality
• Competency
Internal audit providers should also be aware of Treasury’s own codes
and policies in areas such as conduct, ethics and fraud prevention, as
they may be relevant to audit methodology or findings.
3.4 Resource Use
The budgeted hours and price for each assurance and consulting
engagement are agreed with the Chief Audit Executive prior to the
commencement of the engagement. Internal audit providers are then
accountable for time spent. They will be monitored by an Audit
Program manager using appropriate contract management procedures,
and will be required to report on the progress of the Audit Program at
Audit & Risk Committee meetings.
Variations to the budgeted hours or price of any project must be
requested in writing and negotiated with the Chief Audit Executive as
soon as is practicable – and before the budgeted hours of the project
are exceeded. The Chief Audit Executive may authorise or refuse any
variation at his or her discretion.
4.0 PLANNING THE INTERNAL AUDIT PROGRAM
Planning the Audit Program at least annually is essential to
ensure that internal audit effort is directed to areas that will provide the
most benefit and value to Treasury.
It also helps ensure that internal audits will not overburden the areas
under review by clashing with external audits or with peak business
periods.
The total audit planning process involves the establishment of:
• A Strategic Audit Plan which is the identification and
  documentation of auditable areas within the Treasury Cluster, and
  the prioritisation of these areas for review based on a
  predetermined risk assessment methodology over a period of three
  years;
• An Annual Audit Plan which sets out the planning of individual
  audit assignments over one financial year; and
• A Field Audit Plan, or Scope, which determines the scope and
  parameters for each individual audit.
4.1 Strategic Audit Planning
In consultation with the Audit & Risk Committee, the Chief Audit
Executive should establish long-term, strategic, risk-based plans to
determine the priorities of the internal audit function and how they are
linked to Treasury’s objectives.
The Chief Audit Executive is responsible for providing to the Audit &
Risk Committee a three-year Strategic Audit Plan, the purpose of which
is to ensure that there is reasonable internal audit coverage of all
relevant risk areas and key internal control systems over time.
The Plan should prioritise the areas within Treasury for review, based
on the risk assessment methodology set out in the Treasury Risk
Management Framework, available here, and on Treasury’s Risk
Register.
The three-year Strategic Audit Plan should be reviewed by the
Executive team and provided to the Audit & Risk Committee annually.
The Committee will commend it to the Secretary for endorsement prior
to the approval of the Annual Audit Plan.
4.2 Annual Audit Plan
The Annual Audit Plan, which sets out the Audit Program for the
coming year, should be based on documented risk assessment and
revised at least annually.
The Plan should be in draft form by the end of March for the forward
financial year. There should be consultation with the NSW Audit Office to
ensure the proposed internal and external audit plans are not duplicated,
that the same area of Treasury is not subjected to internal and external
audit at the same time, and that any efficiencies can be realised.
The input of senior management and the Secretary (as well as the other
CEOs) is vital in the development of an Annual Audit Plan for the cluster.
Also vital is a newly revised Risk Register. This should incorporate the
legislative and regulatory compliance framework and identified fraud and
corruption risks and controls. If it does not, these should also be taken
into account in developing the Annual Audit Plan, as should the findings of
any audit post-dating revision of the Risk Register.
The Audit & Risk Committee will review the Annual Audit Plan each
year after they have considered the Strategic Audit Plan. The Annual
Plan will be submitted for the approval of the Secretary and other
CEOs following the endorsement of the Committee.
Once the Annual Audit Plan has been approved, the Chief Audit
Executive and the internal audit provider’s senior management must
meet with the Treasury senior managers who will be impacted by the
Annual Program to agree the timing of each audit. The Audit Office
should be consulted at that time, to ensure internal and
external audit timing is synchronised. It is important that both
managers and service providers comply with the timetable once it is
set, and provide proactive notice of delays or problems.
All stakeholders who will be impacted should be notified of the timetable
at the start of the year. It is considered due professional care that
stakeholders are notified by the service provider again throughout the
year and at least four weeks prior to commencement of fieldwork.
The Chief Audit Executive must communicate to the Audit & Risk
Committee and the Secretary the impact any resource limitations are
projected to have on the effectiveness of the internal audit program.
It is important to note that:
• The Strategic and Annual Internal Audit Plans will be weighted
  towards areas of higher risk to Treasury. All areas and all risk types
  should be covered over a 3-5 year period, but higher risk areas will
  be considered more frequently and have more time allocated to
  them.
• The extent of the strategic and annual internal audit programs will
  be limited by the available resources and by the scope of external
  audit work.
The Audit & Risk Committee will report periodically on the status of the
Internal Audit Program via the Chief Audit Executive and the ARC
Minutes, which are submitted to the Secretary and to the other CEOs
where relevant.
The members may discuss any concerns about the plans or the
Program directly with the Secretary at any time.
4.3 Field Audit Plan (Detailed Scope)
The Field Audit Plan determines the scope and parameters for each
individual audit. In Treasury this is included in the Detailed Scope
(Terms of Engagement). See 5.2.5 below.
5.0 AUDIT METHODOLOGY
NSW Treasury currently engages with a single service provider for internal audit services (multiple reviews/audits under a three year contract). The
following flowchart summarises the process of each internal audit project. (See overleaf for process of selecting an audit provider where an audit provider is
engaged outside of this contract)
• Internal audit approved by the Secretary as part of the Treasury
  Annual Internal Audit Plan.
• Planning/Scoping meeting is held between CAE and audit provider to
  discuss scope and objectives of project. Where appropriate, the
  representatives from the audited area will attend this meeting.
  Normally a project brief will be drafted and circulated for
  discussion at this meeting.
• Audit provider prepares Detailed Scope (Terms of Engagement).
  Detailed Scope must be approved by the CAE and signed as reviewed by
  senior management from the area to be audited.
• The service provider will conduct a “kick off” meeting to signal the
  start of fieldwork. The meeting will be attended by the CAE, Project
  Manager, senior management from audited area and any other relevant
  Treasury officers.
• The audit provider should hold exit interviews with all Treasury
  officers who have responsibility over an area where exceptions have
  been noted. This is to ensure that (a) the audit provider has a full
  understanding of the processes they are reporting on and (b) Treasury
  officers are aware of findings and recommendations that relate to
  them.
• Fieldwork: The service provider will liaise with the Treasury Project
  Manager regularly and at least weekly on progress of review. Where
  delays are expected or significant issues are identified they should
  be brought to the Project Manager’s attention as soon as practicable.
• Any issues identified with an Extreme risk rating should be brought
  to the Secretary’s attention as soon as practicable.
• The audit provider will create a Risk and Control Matrix as the basis
  for defining the audit procedures to be tested.
• The audit provider will circulate a draft report to the CAE and
  stakeholders of the audited area for discussion at the exit meeting.
  Report to be issued at least two days prior to meeting.
• The audit provider will conduct an exit meeting with stakeholders
  from the audited area and the CAE to check the draft report is
  factually correct and agree wording.
• The audit provider will issue a formal draft audit report to the
  director of the audited area, who will provide management responses.
  Under normal circumstances management will be given 10 working days
  to provide responses.
• Audit provider working papers will be subject to a detailed and
  primary review by the relevant manager and partner within the audit
  provider respectively. Working papers will then be provided to
  Treasury for its records. The Project Manager will check them for
  reasonableness and completeness.
• The audit provider will conduct a “close-out” meeting with the CAE,
  Project Manager, director of the audited area and project reference
  group (and area staff as appropriate). The purpose of this meeting is
  to discuss and agree on management responses and the timeframes for
  their completion.
• Evaluation Surveys are sent to all stakeholders by the Program
  Manager.
• The Finalisation of Internal Audit Checklist is completed and the
  final report is put on file and registered in Objective.
• When the final report is approved by the Secretary the
  recommendations are entered into the Register of Internal Audit
  Recommendations by the program manager, to be monitored by the ARC.
• On ARC recommendation the report will be submitted to the Secretary
  for endorsement and sign off. Should the Secretary or ARC request
  further changes, the report will be returned to the service provider
  to make amendments.
• The audit provider will attend the next Audit and Risk Committee
  meeting to present the report.
• The service provider will finalise the audit report and issue to the
  NSW Treasury ARC (care of the CAE). Once a report has been finalised,
  only the service provider will be entitled to edit the report (in
  response to ARC or Secretary’s comments).
• For assurance engagements the program manager completes the ASAE
  compliance checklist.
The following flowchart summarises the process of engaging an audit provider for a single project outside the current internal audit contract (e.g.
because of a conflict of interest or need for a technical specialist)
Internal audit is
approved by the
Secretary as part of the
Treasury Annual Internal
Audit Plan.
Program manager prepares
project brief in consultation
with senior management
from the Treasury area to
be audited/reviewed.
Project brief approved by
CAE and Project Liaison
Executive/Director of
audited area (whichever is
appropriate).
Interested service providers
are issued with a Request for
Proposal, project brief and
Standard Form of Agreement
(i.e. Contract).
Three to six Audit service
providers are selected from
the Department of Finance
and Services
prequalification list and
contacted.
14
Audit provider selected in line
with Treasury procurement
policy. Selection approved and
contract signed by CAE if
contract less than $50,000 and
by the Secretary if greater than
$50,000.
Once the audit provider is
selected, follow audit
methodology set out in
the flow chart on the
previous page.
5.1 The Audit Cycle - Summary
Implement change (monitored by ARC)
Identify risks, appetite and current controls
Develop 3 year Strategic Audit Plan and 1 year detailed Audit Plan
Plan necessary change (recommendations + mgt responses)
Collect data on current practices
Select provider and commence the next audit on the Plan *
* See flowcharts on pages 13 and 14
5.2 Engagement Planning (Detailed scoping)
5.2.1 Project Approval
The Secretary must give his approval to all internal audit projects. In most
cases this will occur when he endorses the Annual Internal Audit Plan.
Requests for any projects to be undertaken outside the approved Plan will be
put to the Audit & Risk Committee for evaluation and to the Secretary for
approval.
5.2.2 Project Brief
For each planned audit, Treasury will provide a Project Brief which sets out
issues and risks of which it is already aware in relation to the area to be
audited and its preliminary views about what should be in and out of scope.
The Brief will usually give the service provider guidance on the amount of
resourcing envisaged for the audit. This may be subject to negotiation
during the scoping phase.
The client for each audit in the Internal Audit Program is the Chief Audit
Executive.
5.2.3 Planning Meeting
The purpose of the planning meeting is to give the internal audit provider the
opportunity to meet relevant managers, gain an overview and understanding
of the audited area and agree timing.
The internal audit provider must establish an understanding with senior
management within the area to be audited regarding objectives, scope, audit
criteria, respective responsibilities and other client expectations. These points
should be discussed at a planning meeting between the audit provider,
Treasury CAE (client), the project sponsor and project reference group.
These points will then be documented in the Detailed Scope.
5.2.4 Audit Criteria
The audit provider should clarify the specific explicit and implicit criteria
against which evidence collected will be evaluated.
Criteria are explicit when they are clearly set out in policies, manuals,
standard operating procedures, standards, laws and/or regulations.
Where management has not yet established goals and objectives or
determined the controls needed in a particular area, it may be necessary to
develop implicit criteria based on industry best practice or what management
considers to be satisfactory performance standards. The accuracy of implicit
criteria should always be confirmed with the audited area.
Some examples might include:
• Treasury’s internal policies, procedures and management directives;
• better practice guidance or industry benchmarks;
• legislation or regulation; or
• accounting or ISO Standards.
If no specific criteria can be identified, the audit opinion should describe the
benefits of implementing the recommendations.
Conducting an audit without agreeing the criteria may result in wasted audit
effort and fruitless argument, when conclusions and recommendations are not
accepted by management.
The audit criteria should be referred to in the audit opinion and in the
Independent Auditor’s Report.
5.2.5 Detailed Scope (Terms of Engagement)
The Detailed Scope will normally include:
• A title/subtitle for the audit which clearly indicates the topic of the audit,
the areas of the Treasury Cluster to which it will apply, the type of
assurance the audit will offer (e.g. reasonable assurance) and the
Standard with which it will comply (if applicable)
• An overview of the area to be audited
• Background on why the audit is taking place
• The objectives of the audit
• A preliminary risk assessment
• A list of stakeholders and stakeholders’ expectations for the audit
• The audit criteria
• The scope of the audit i.e. the processes the audit will include and
exclude
• The audit standards that will be followed including the type of
engagement
• The audit approach to be taken
• The key deliverables of the project
• The resources that will be used on the audit and the cost, and
• The timetable for delivery of milestones.
The Detailed Scope must be approved and signed by both the Treasury Chief
Audit Executive and the audit provider’s Engagement Partner before the
commencement of field work. The Detailed Scope is also signed by the most
senior member of the project reference group to indicate s/he has reviewed it.
5.3 Undertaking the Audit
5.3.1 Opening (‘Kick-off’) Meeting
The purposes of the ‘kick off’ meeting are:
• to ensure all relevant staff of the audited area are aware that the audit
is taking place and know who the auditors are;
• to confirm the project timetable; and
• to signal the commencement of fieldwork.
The ‘kick-off’ meeting will be attended by the Chief Audit Executive, project
manager, the project reference group, senior management (and often all staff)
from the area to be audited. It will be chaired by the audit service provider.
5.3.2 Risk Assessment (Risk and Control Matrix)
As part of scoping an audit, a risk assessment is conducted at the activity level
to identify and evaluate risk exposures and determine audit objectives. It
involves considering business process risks, quality of management and
individual performance in different situations. As part of the planning activities,
the risks that threaten the objectives of each process to be audited should be
identified and classified.
The audit will concentrate on those processes which are assessed as moderate
or higher risk. The risk categories of these processes indicate the types of
objectives that should be included in the audit project plan. For example where
residual compliance risks are rated as moderate or high, the audit objectives
should include a review of compliance with the procedures/policies related to
the activity. If residual operational risks are high, the objectives should include a
review of the efficiency and effectiveness of the procedures and policies.
The processes identified should also be a determinant of the type of audit to
be conducted (performance, financial, IT, etc).
5.3.3 Control Analysis (Risk and Control Matrix)
All audits, regardless of their nature, involve providing assurance on the
design and effectiveness of a system of internal control.
After obtaining an understanding of the internal control system by way of
interviews, documents and records, questionnaires, systems documentation,
walk-throughs and/or performing some initial analytical procedures or data
analysis, audit providers should make a preliminary assessment of the
internal control system to determine whether identified controls are designed
to meet the control objectives and mitigate risks.
5.3.4 Audit Programs (Field Audit Program)
The audit program establishes the procedures necessary to complete an
efficient and effective audit. It includes a detailed plan of the work to be
performed as well as the steps required to achieve the audit objectives.
The structure of the audit program should be made up of the following
sections:
• Audit Objective - the primary (and perhaps secondary) objective for the
audit as a whole. Any summary assessment of the audit will be based
on the achievement of this objective.
• Audit Scope - the scope of activities to be included or excluded.
• Risk and Control Analysis/Matrix (RACA or RACM) - This is the
outcome of the analysis explained under 5.3.1 and 5.3.2.
• Audit Criteria – see section 5.2.4 above.
• Previous Audit Recommendations – in cases where previous audits are
relevant, this section requires the audit provider to list the relevant
recommendations relating to significant (or higher) rated findings from
both previous internal audits and Audit Office management letters. The
audit provider will then verify that the matters have been addressed or
are being addressed.
For audit sampling see Annex C.
5.3.5 Audit Evidence
Audit evidence is obtained through procedures such as observing conditions,
interviewing people, examining records and analysing data. Provided the
methodology is documented, sampling approaches and other means of
selecting information may be used if useful conclusions can be drawn by
those means. Audit evidence is cumulative in nature and is usually
persuasive rather than conclusive. Audit inferences are drawn from the body
of evidence collected.
Audit evidence refers to all the information used by the audit provider in
arriving at the recommendations. It should be sufficient, competent, relevant
and useful.
a. Sufficient information is factual, adequate, and convincing so that a
prudent, informed person would reach the same conclusions as the audit
provider[2]. There should be enough of it to support the audit provider’s
findings. In determining the sufficiency of evidence it may be helpful to ask
such questions as: Is there enough evidence to persuade a reasonable
person of the validity of the findings? When should appropriate statistical
sampling methods be used to establish sufficiency?
b. Competent information is reliable and is the best attainable through the
use of appropriate engagement techniques[3] such as statistical sampling
and analytical audit procedures. Information is more competent if it is (i)
obtained from an independent source, (ii) corroborated by other
information, (iii) obtained directly by the audit provider, such as through
personal observation, (iv) documented, and (v) an original document
rather than a copy.
[2] IIA Practice Advisory – 2310-1
[3] Ibid.
c. Relevant information supports engagement observations and
recommendations and is consistent with the objectives for the
engagement[4]. Relevant information should have a logical, sensible
relationship with the key risk/s and the associated audit finding.
d. Useful information will help Treasury meet its goals[5].
Evidence collected by audit providers should possess all of these qualities.
For example, it is not enough merely to interview staff members without using
other sources to corroborate any important information obtained. Sample
sizes should be representative i.e. sufficient that conclusions reached may be
validly extrapolated from the data.
Evidence may be categorised as physical, documentary, testimonial or
analytical and is obtained by using various procedures:
a. Physical evidence
Physical evidence is obtained by direct inspection or observation of people,
property or events. Inspection of tangible assets provides reliable audit
evidence about their existence, but not necessarily about their ownership or
value. Observation consists of watching a process or procedure being
performed by others, for example, physically counting inventory and making
observations. Observation of certain procedures is important, particularly
those that do not leave an audit trail.
b. Documentary evidence
Documentary evidence consists of information that exists in some permanent
form such as letters, contracts, accounting records, invoices and management
information on performance. It is the most common form of evidence; it may
be internal, external or a combination of both. The source of documentary
evidence affects its reliability, as may its context.
c. Testimonial evidence
Testimonial evidence is obtained through inquiries, interviews, or
questionnaires. Inquiry and confirmation consist of seeking information from
knowledgeable persons inside or outside Treasury. Responses to inquiries
may provide audit providers with new information or with corroborative audit
evidence. Testimonial evidence should be supported by other forms of
information where possible and not regarded as conclusive by itself.
d. Analytical evidence
Analytical evidence arises from the application of analytical procedures, which
produce information in the form of inferences or conclusions based on
examining data for inconsistencies, anomalies, cause-effect relationships and
so on.
[4] Ibid.
[5] Ibid.
5.3.6 Working Papers
Working papers that document the engagement should be prepared by the
internal audit provider and reviewed by management within the internal audit
provider and by the Treasury internal audit function.
This section of the manual contains characteristics of well-organised and
documented working papers and should be used in evaluating the adequacy
of working papers. Proper working papers document the work that was done
from the preliminary scoping stages through to the final report. Audit working
papers show whether due professional care was exercised and illustrate
compliance with professional auditing standards. Careful documentation of
work performed is necessary to support the findings, recommendations and
opinions contained in the final audit report. Generally working papers should
provide:
• documentation of information obtained about the area being audited;
• support for findings and recommendations contained in the audit report;
• a summary of documents reviewed;
• details of persons interviewed;
• detail of any control failures or exceptions noted;
• a means of evaluation - both in performance reviews and quality
assurance reviews;
• evidence of consistency to the audit process;
• a guide for subsequent audits; and
• communication with the audited area – during the course of field work, the
auditor will query all exceptions that have been noted and other matters of
significance to the audited area. Where satisfactory responses are
provided by management these should be recorded in the working papers
with justification as to why the matter can be closed. Supporting evidence
should be retained.
Working papers should include the following:
• notes of meetings;
• correspondence (including emails);
• planning memos;
• testing documentation; and
• draft reports and final report.
In preparing working papers, the following guidelines apply:
• each working paper should identify the engagement and describe the
contents or purpose of the working paper
• each working paper should be signed (or initialled) and dated by the
internal audit provider/s performing and reviewing the work
• each working paper should contain an index or reference number, part of
which should identify the audit
• audit verification symbols (tick marks) should be explained
• sources of data should be clearly identified
• information should be provided regarding how information that contradicts
or is inconsistent with the final conclusion was addressed
• conclusions reached should be stated, along with the basis for them
• an informed reviewer should be able to replicate any test mentioned and
obtain the same result.
General requirements for the preparation of working papers are:
• Completeness and Accuracy – working papers should be complete,
accurate, and support observations, testing, conclusions, and
recommendations. They should also show the nature and scope of the
work performed;
• Clarity and Understanding - working papers should be clear and
understandable without supplementary oral explanations. With the
information the working papers reveal, a reviewer should be readily able to
determine their purpose, the nature and scope of the work done and the
preparer's conclusions;
• Pertinence - Information contained in working papers should be limited to
matters that are important and necessary to support the objectives and
scope established for the audit;
• Logical Arrangement - working papers should follow a logical order;
• Legibility and Neatness - working papers should be legible and as neat as
practicable. Sloppy working papers may lose their worth as evidence. For
handwritten papers, crowding and writing between lines should be avoided
by anticipating space needs before writing.
5.3.7 Conclusion and Evaluation
Evaluation is a means of arriving at a professional judgment. As audit
providers compare circumstances observed against relevant audit criteria,
they evaluate the significance of any variance and determine whether
corrective action is necessary. The analysis and evaluation of evidence
obtained should give rise to issues (positive and negative), which internal
audit may report to management.
Internal audit providers should draw conclusions – i.e. logical inferences from
the findings - for each audit objective. Conclusions should be specified and
not left to be inferred by readers.
The strength of a conclusion depends on the persuasiveness of the evidence
supporting the findings, and how convincing the logic is which was used to
formulate the conclusions. It should be free from personal biases or
prejudices, and be objective. The conclusion reached by an internal audit
provider should be the same as would have been reached by a similarly
experienced professional reviewing the same evidence.
5.3.8 Working Paper Review
Working papers are reviewed by the audit provider’s management to ensure
that:
• there is sufficient and appropriate evidence to support conclusions;
• issues identified in working papers have been solved and/or reported on;
• there is a clear trail from the terms of engagement (detailed scope) to the
risk & controls analysis and testing summary, to the detailed work, and to
the report; and
• all queries have been cleared.
There are generally three types of review that should be performed by the
internal audit provider on the working papers:
Detailed Review
Detailed review should be performed by someone at
least one level above the preparer and who is
independent of performing the work.
Primary Review
Primary review should be performed by a
Manager/Director or equivalent. The reviewer must
review the entire audit provider working paper file prior
to the draft report being issued.
Overriding Review
This is a quality review, the purpose of which is to
ensure that the report is appropriately worded, the
conclusion/opinion is correct and in line with findings, it
is correctly dated and complies with policy.
5.3.9 Current Working Papers
As required by Treasury Circular NSWTC 07/14 Ownership of Internal Audit
Documentation, all internal audit documentation is to remain the property of
the audited department or statutory body, including where the internal audit
services are performed by an external third party provider. Working papers
are therefore the property of Treasury, but will generally be retained by the
internal audit provider, who will provide them to the Chief Audit Executive at
issuing of the draft audit report. (Copies are acceptable.)
Treasury management may request access to engagement working papers.
Such access may be necessary to substantiate or explain engagement
observations and recommendations or to utilise engagement documentation
for other business purposes. These requests for access are subject to the
approval of the Chief Audit Executive.
In some circumstances internal and external auditors may request access to
each other’s audit working papers. The Chief Audit Executive should be
notified of any such requests.
The Chief Audit Executive will control access to engagement records.
The Chief Audit Executive should apply NSW State Records retention
requirements for engagement records, regardless of the medium in which
each record is stored. These retention requirements shall be consistent with
Treasury’s Records Management Policy.
The Chief Audit Executive should apply due diligence in governing the
custody and retention of audit records, as well as their release to internal and
external parties. These policies must be consistent with Treasury's guidelines
and any pertinent regulatory or other requirements.
5.3.10 Exit Interviews (End of Fieldwork Meetings)
The purpose of exit interviews is to confirm the facts and to allow the
management and (usually) staff of the audited area to hear and comment on
the auditor’s interpretation. The exit interview may also provide the auditor
with input on proposed (or new) options for corrective action.
During the course of audit work, the auditor will communicate matters of
significance with the audited area to minimise the possibility of "surprises" at
the end of the audit. This may be done informally (e.g. emails, discussions) or
via formal meetings.
5.4 Audit Reports
This section sets out the basic components of a report and report writing, as
well as the consultation processes to be followed in completing reports. Reports
should:
• meet the purpose and objectives set out in the Terms of Engagement
(Detailed Scope)
• comply with appropriate Professional Standards and with the standards of
accuracy, clarity and ethics reflected in this Manual
• clearly communicate their findings to management and the Audit & Risk
Committee
• add value by alerting management to matters requiring attention, including
advice on best practice in such matters, and by giving assurance
regarding those controls which are functioning well.
5.4.1 Basic Components of an Internal Audit Report
The basic components of a Treasury internal audit report are:
a. Executive Summary, including Summary Statement;
b. Independent Auditor’s Assurance Report;
c. Introduction;
d. Scope and Objectives;
e. Risk Assessment;
f. Summary of Recommendations;
g. Audit Opinion/Conclusion;
h. Observations / Issues (optional);
i. Detailed Findings, with a risk rating for each;
j. Recommendations; and
k. Management responses.
a. Executive Summary
The Executive Summary is intended to provide an overview of the report to
the Chief Audit Executive, Audit & Risk Committee, senior management and
Secretary.
The reader should gain a general understanding of the audited area as well
as the objectives, key issues, risk implications and recommendations of the
audit. The Executive Summary should draw attention to positive findings as
well as improvement opportunities (e.g. examples of better practice, controls
in place and actions in progress).
Individual findings more relevant to operational management should be
explained in detail in the body of the report.
The Summary Statement should be of no more than two sentences and is
used to describe the overall risk landscape of the area reviewed by an internal
audit.
b. Introduction
The introduction provides any background information and acknowledgments
the audit provider considers relevant. It may include contextual information
about the audited area and/or the type of audit undertaken.
The introduction also states the reason for the audit, for example making
reference to the risk register or the audit plan.
c. Scope and Objectives
Components normally include:
• Objectives;
• Scope;
• Exclusions;
• Approach - methodology and procedures followed; and
• Details of testing.
For the most part, this section should align with the Terms of Engagement
(Detailed Scope) agreed and signed prior to commencement of the audit. Any
variations to the Scope should have been made and signed off by the CAE
and Engagement Partner during the audit, and should be outlined in the Final
Report.
The Detailed Scope will normally be appended to the Final Report.
d. Risk Assessment
The risk section describes how the risks have been assessed and usually
includes a copy of the Treasury risk matrix. The key risks identified during
scoping and then during fieldwork will be outlined and given inherent and
residual risk ratings. Where possible these risks will refer back to the
Treasury, Long Service Corporation or Branch risk registers. If there is a
recommendation made in the report relating to a risk the link will be clear.
The risk assessment will show how each risk rating was calculated i.e. the
value assigned to “consequence” and “likelihood”.
e. Summary of Recommendations
This section provides a table summarising each issue identified in the detailed
findings section and its associated risk.
f. Audit Opinion/Conclusion
The audit opinion should make clear the criteria against which the subject was
evaluated or assessed. (The key criteria should have been agreed in the
Detailed Scope.)
For assurance engagements see (j) Independent Assurance Report
g. (Other) Observations/Issues
This section presents the audit provider’s key observations, identified during the
course of their fieldwork. This section is different from the Detailed Findings
section, which presents findings and recommendations based on the audit
criteria agreed at scoping stage.
Observations may represent key themes that the audit provider has identified
and believes important to bring to senior management’s attention, particularly
where the observation was not explicit in the scope of the audit.
This section may be omitted if the service provider considers that the findings
speak for themselves. Alternatively it may be emphasised - for example,
where a cultural problem is perceived which appears greater than the sum of
the findings.
h. Detailed findings, with risk rating for each
Findings are specific observations which relate to each recommendation.
Ideally, the format would be:
• Risk Rating
• Observation
• Root Cause
• Implication/Impact
• Recommendation
• Management Response
The risk rating should include the scoring used to ascertain the rating i.e. the
likelihood and consequence rating. The following is an example of the
expected layout:
Finding Title: …
Risk Rating: Significant Risk: Senior management attention needed
• Consequence: Moderate (3)
• Likelihood: Likely (4)
Observation:
Each finding should make clear the type of risk exposure perceived, and
should be assigned a risk rating as per the Treasury chart below:
Extreme risk: Immediate action required; for Secretary’s attention
High risk: Executive management attention needed
Significant risk: Senior management attention needed
Moderate to Low: Manage by Standard Procedures
i. Recommendations
These cover corrective actions to rectify an issue and/or identified
improvement opportunities.
Recommendations should be based on the issues raised in the finding,
implementable within a foreseeable period, and practicable taking into
account the size of the risk and the size of the agency budget.
Because it will be used by the Audit and Risk Committee to monitor progress
later, the Recommendations table should be standalone, i.e. it should not
refer to findings in a way which requires the rest of the report to be consulted.
j. Management Response
Management responses which question the facts presented, or how audit
findings were drawn from them, should be aired at the exit meeting (see 5.6)
so that factual errors can be corrected while the report is still in draft. They
should never appear in the draft report unless there is an insuperable
disagreement.
All management responses which appear in the Report must commence with:
ACCEPTED; REJECTED or PARTIALLY ACCEPTED. The response should
then concisely detail the action management intends to take in response to
the recommendation, stating who will take action and when it will be
completed. If the recommendation is wholly or partially rejected the response
must say why.
The recommendation should include the person responsible for implementing
the agreed action as well as the date by which the action is expected to be
completed. When considering the date by which the action will be
completed, management should weigh the risk against the resources
available for action, to arrive at a realistic date for completion.
Management responses should be written in such a way that allows for the
recommendation to be marked complete once an outcome has been reached.
Actions which are “ongoing” should be avoided where possible. The
Committee has requested that the ‘Action Owner’ column include the
responsible Director as well as the officer.
k. Independent Auditor’s Assurance Report
Where an assurance engagement has been requested an Independent
Assurance Report will be appended to the report. The assurance report
should include:
• A title that clearly indicates the report is an independent assurance
report
• The addressee
• An identification and description of the subject matter information
• Identification of the audit criteria
• Where appropriate, a description of any significant, inherent limitation
associated with the evaluation or measurement of the subject matter
against the audit criteria
• When the audit criteria used to evaluate or measure the subject matter
are available only to specific intended users, or are relevant only to a
specific purpose, a statement restricting the use of the assurance
report to those intended users or that purpose
• A statement to describe the responsibilities of each party
• A statement that the assurance engagement was performed in
accordance with ASAEs and the level of assurance provided
• A summary of the work performed
• The assurance/audit provider's conclusion (this should also be
repeated in the main body of the report under audit opinion)
• Where appropriate, the conclusion should inform intended users of the
context in which the assurance practitioner’s conclusion is to be read
• In a reasonable assurance engagement, the conclusion should be
expressed in the positive form
• In a limited assurance engagement, the conclusion should be
expressed in the negative form, and
• Where the assurance practitioner expresses a conclusion that is in any
way qualified, the assurance report should contain a clear description
of all the reasons.
5.4.2 Report Writing Style
Treasury internal audit reports should be written using the following basic
principles:
• All wording should be in Arial font, with size 11 the minimum except in
tables, graphs and diagrams
• All reports must be “spell checked” and proofed
• Use plain language, short sentences and avoid technical jargon as much
as possible
• Use of graphs, tables or flow charts is encouraged if they convey the
findings more clearly than words.
5.5 Draft Reports
As soon as the draft report is ready, the internal audit provider should contact
the Audit Branch to schedule an exit meeting (see 5.6). The draft report should
be circulated to management at least two days prior to the exit meeting. This
version is to be marked “draft for discussion purposes only”.
Subsequent to the exit meeting a new, formal draft report (marked “draft”) will be
issued for management responses. Under normal circumstances management
will be given ten working days to provide responses to recommendations outlined
in the draft report.
The formal draft report is addressed to the Audit & Risk Committee, care of
the Chief Audit Executive.
5.6 Exit Meeting
An exit meeting should always be held to discuss the draft report and formally
end the fieldwork phase.
The exit meeting will be attended by the audit provider, Chief Audit Executive,
project sponsor, project manager and senior management from the audited
area. The draft audit report will be circulated to the Chief Audit Executive and
the meeting invitees long enough beforehand to allow them to read and
consider it (minimum of two days prior). If the report is not circulated prior to
the exit meeting the meeting will be postponed.
The exit meeting should be documented by the audit provider. Its purpose is
to:
• discuss the draft audit report and ensure there is a common understanding
of its findings and recommendations
• resolve any misunderstandings or misinterpretations of facts on either side
• ensure that any recommendations that the senior management wishes to
challenge or reject are discussed, to minimise the risk of conflict between
senior management and the service provider when the service provider is
asked to finalise the report, incorporating the management responses
• agree on the wording of observations and recommendations
• discuss and explain the audit opinion or independent assurance report (for
assurance engagements).
5.7 Close-out Meeting
The director of the audited area should ensure management responses are
prepared, including responsibility and a realistic timeframe for completion,
ensure they are approved by the Executive Director, where one is in place,
and forward them to the audit provider, with a copy to the Treasury project manager.
Once management responses have been provided a close-out meeting
should be held between the audit provider, the Chief Audit Executive and
representatives from the audited area. The purpose of the close-out meeting
is to discuss and agree on the management responses. This is particularly
important where the audit provider believes that the responses provided do
not sufficiently address the recommendations made.
If there is full agreement and understanding on the recommendations and the
management responses, both parties may agree to waive the need for the
close-out meeting.
5.8 Final Report
Following the close-out meeting and on receiving any further amendments to
the management responses, the internal audit provider should issue the final
report within one week, or as stipulated in the signed project scope. The final
report should be addressed to the Audit & Risk Committee care of the Chief
Audit Executive.
The finalised report will be tabled at the next available Audit & Risk
Committee meeting. The service provider and a representative from the
audited area will usually be requested to attend the meeting to answer any
questions the Committee may have.
On the Committee’s recommendation the report will be submitted to the
Secretary for endorsement and sign-off.
Should the Secretary or the Committee request further changes, this will be
made known to the audited area. The report will be returned to the service
provider to make the amendments, as once a final report has been submitted
to Treasury, only the internal audit provider is entitled to edit it.
5.9 Audit & Risk Committee Reporting
The Chief Audit Executive will report to the Audit & Risk Committee at every
second meeting [6] on the following:
• current progress through the Internal Audit Annual Plan, highlighting
anywhere that progress has been delayed;
• implementation status of any existing internal audit recommendations, with
the exception of recommendations with a Low-to-Moderate risk rating,
which will be followed up by the Internal Audit function, but reported on
only if the Committee has requested it or if progress on implementation is
unduly delayed.
[6] At alternative meetings the CAE will report on progress against the recommendations in the Audit Office
Management Letters.
5.10 Closing out the Audit administratively
5.10.1 Invoicing
Invoices should be directed c/- the Chief Audit Executive, but should be
addressed to Treasury, the NSW Long Service Corporation or to the Crown
Finance Entity, depending on the subject of the audit. Audit expenditure
relating to Long Service Corporation will be paid directly by Long Service
Corporation. In these cases the invoice will be signed by the Chief Audit
Executive as proof of service and forwarded to Long Service Corporation for
approval and payment.
Invoices should list the deliverables completed. Invoices will not be paid
against incomplete milestones.
5.10.2 File Completion
In order to close off an internal audit as complete, the following must be
finalised and placed on top of the internal audit file:
• File Completion Checklist
• ASAE 3000 Compliance
• Quality Assurance Improvement Checklist
• Deliverables Checklist
• Deliverable Timetable
These forms are annexed to this document.
6.0 EXTERNAL AUDIT
6.1 Linking Internal with External Audit
External audit services to the Treasury Cluster are primarily provided by the
Audit Office of New South Wales (the office of the Auditor-General).
The Audit Office (AO) offers two main types of audit:
1. Financial Statements Audit
2. Performance Audit
A financial statement audit results in an independent audit opinion being
expressed on the annual financial statements of an agency. This opinion
expresses whether the financial statements comply with accounting
standards, laws, regulations and Treasurer's directions. A performance audit
assesses whether government agencies are carrying out their activities
effectively, economically and efficiently and in compliance with all relevant
laws.
Financial Statements Audits are the main focus of the interactions between
Treasury and the AO. The rest of this section discusses the process followed
for the auditing of the financial statements of the Treasury cluster and the
Total State Sector Accounts.
It is important that internal and external audit align their work programs for
greater risk coverage and resource conservation. Every year in March (later in
an election year), internal and external audit will meet to discuss the draft
Internal Audit Plan and whether it could be amended to assist external audit
and/or reduce the external audit charge. The Audit Office will also advise at
this point of any performance audits planned which may duplicate or otherwise
affect the Internal Audit Plan.
The Audit Office Director responsible for auditing the financial statements of
the Treasury cluster has observer status at all Audit & Risk Committee
meetings, by request of the Chair.
6.2 The Annual Audit Process: Statutory Rules
The financial reporting framework and audit requirements for NSW
government agencies are set out in the Public Finance and Audit Act 1983
(PFAA).
6.2.1 Agencies
The Public Finance & Audit Act 1983 requires an agency’s financial
statements to be submitted to the Audit Office (AO) by 11 August (6 weeks
after financial year end). However, to co-ordinate the preparation of the Total
State Sector Accounts, the Treasury will usually prescribe a separate
timetable with earlier dates for preparation and submission of its own financial
statements. If the instruction from Treasury is issued as a direction from the
Treasurer, then the statutory date is as per the Treasury’s issued timetable.
Under the PFAA, the AO must return agencies’ statements, together with its
Independent Auditor’s Report, within 10 weeks of the date of receipt.
In Treasury’s case, the following agencies produce financial statements:
• Treasury
• Long Service Corporation [7]
• State Rail Authority Residual Holding Corporation
• Liability Management Ministerial Corporation
• Residual Business Management Corporation
• Lotteries Assets Ministerial Holding Corporation
• Electricity Assets Ministerial Holding Corporation
• Ports Assets Ministerial Holding Corporation
• Port Botany Lessor Company
• Port Kembla Lessor Company
Crown and TSSA produce statements but are not agencies (see 6.2.2 and
6.2.3)
TCorp, the other member of the Treasury Cluster, also produces financial
statements, but it has its own audit and risk arrangements.
6.2.2 Crown
The Crown Entity is not an agency, therefore it is not subject to the
requirements applicable to agencies under the PFAA, but its statements must
be prepared in sufficient time to enable preparation of the Total State Sector
Accounts. This generally means the Crown Entity’s financial statements are
submitted to the AO by 11 August.
6.2.3 Total State Sector Accounts (TSSA):
Under the PFAA, the Total State Sector Accounts must be submitted to the
AO for audit by 15 September.
The AO must provide its Independent Auditor’s Report on the TSSA to the
Treasurer by 22 October so that the accounts may be tabled in Parliament.
6.3 Practical Arrangements
The AO assigns each agency’s audit engagement to a Director, Financial
Audit Services. The Director assigned to review the financial statements of the
agencies in the Treasury Cluster also reviews the Total State Sector
Accounts.
[7] Long Service Corporation reports to its own Audit & Risk Committee, however it shares its Chief Audit
Executive and outsourced service provider with Treasury and is part of the Treasury risk management process,
thus it is covered by this manual.
A number of regular items of correspondence are exchanged during the year
between the AO, the agencies and the Committee. Details of these appear
below.
6.4 Client Service Plans (CSPs) (Early May [8])
A Client Service Plan:
• is issued by the AO and sets out matters relevant to preparation of the
financial statements and the impact on the audit for that year
• should be read in conjunction with the Permanent Client Service Plan,
which applies to all agencies and can be found on the AO website
• reminds those responsible for preparation of financial statements of their
obligations
• talks about developments in the accounting framework that could be
relevant to the preparation of statements
• seeks approval, which is considered granted when the Plan is signed, to
approach such experts as may be required within or contracted by the
agency
• sets out the approach the AO will take to the audit, including where they
will have reference to actuaries or to internal audit
• talks about the Auditor-General’s Report to Parliament and what types of
items it might report in relation to the agency
• includes a timetable that shows when the AO expects to receive the
statements, when it expects to report back on them and other key dates
• shows estimated fee
• provides contact information
The TSSA CSP is a more detailed and lengthier document than those of the
regular agencies, due to the complexity of these financial statements.
6.4.1 Drafting and Finalising the CSP
The CSP is issued in two phases:
1. Draft CSP
The Audit Office sends the draft CSP to the Treasury officer who will do most
of the hands-on preparation of the statements and will liaise with the AO from
day to day. At present this is the Chief Financial Officer, except for the TSSA,
which is attended to by the Executive Director, Fiscal Estimates and Financial
Reporting.
[8] Dates are likely to vary annually. The dates provided are based on the 2013 Client Service Plan of Treasury
(the agency) and are given to help the reader understand the broad sequencing. The TSSA sequence is
influenced by legislative deadlines prescribed in the PFAA.
2. Final CSP
The Final CSP is issued to the Secretary by the AO once management has
agreed with its contents. The AO usually sends an electronic version to the
CAE to enable her to advise the ARC.
The Secretary’s [9] signature on the final CSP indicates that the agency has
agreed to the terms of the audit engagement.
6.4.2 CSP Due Date
The AO has a self-imposed target date of 31 March for sending the draft CSP.
This date can be impacted by various matters, including agency
developments and staff movements. The process for agreeing the draft with
management can take varying lengths of time.
There is no target date for issuing the final CSP to the Head of the Agency.
6.4.3 Role of Audit Committee:
The AO does not prescribe whether the Audit & Risk Committee should see
CSPs before the Secretary signs them, but TPP 09-05 (in its Model Charter)
requires that the ARC “provide input and feedback on the financial
statements…and on the audit services provided, and review all external plans
and reports in respect of planned or completed audits”.
Treasury’s ARC reviews the CSP for each set of financial statements within its
area of oversight, including Crown and the TSSA.
6.5 AO Comment on Early Close Procedures (Late May)
Agencies conduct an early close of their annual financial reporting in March or
April as required by Treasury Circular [10]. These early procedures involve the
preparation of certain aspects of their financial statements prior to 30 June.
Draft financial statements are provided by the agency to the Audit & Risk
Committee and to the Audit Office, for review and comment. The exercise is
designed to assist in the identification of issues that may arise during the
compilation of the year-end accounts, allowing these matters to be resolved or
mitigated in a timely manner.
Following its review of early close documents, the AO will issue a formal letter
of observations to the Secretary, which is also provided to the ARC, so that
these observations may be addressed in the year end reporting process.
[9] This task may be delegated to the Deputy Secretary, Fiscal and Economic Group.
[10] For the 2013 Financial Year the relevant Treasury Circular was NSW TC 13/01 Mandatory Early Close
Procedures for 2013.
6.6 Client Service Report (Mid September)
The AO issues the Client Service Report at the completion of its audit of the
year-end financial statements and prior to its issue of the Independent Audit
Report.
A Client Service Report:
• sets out findings from the AO’s audit of the financial statements
• advises the AO’s intentions with regard to reporting
• is provided to management before they are required to sign off on the
Statements for Annual Report purposes
• records any changes in the financial statements between when the AO
first saw them and when the report is written
• includes details of corrected and uncorrected misstatements identified
• details any significant matters (e.g. matters in the context of PFAA, which
will go into the Statutory Audit Report, and those matters that must be
reported under the AO’s applicable Auditing Standards)
• contains only information that is also covered in either the Independent
Auditor’s Report or one of the other reports.
The Client Service Report accompanies the audited statements when they are
returned to the agency. It identifies the type of opinion the AO anticipates
issuing, so that the Secretary is aware prior to signing the financial statements
whether they are likely to be unqualified or not. He usually signs the
statements within two days of their return from the AO [11].
6.7 Management Representation Letter (Late September)
This is the formal letter, prepared on the agency letterhead, that is provided
by management to the AO after receipt of the Client Service Report. This
letter, usually prepared by the CFO and signed by the Secretary,
accompanies the signed audited financial statements when they are returned
to the AO prior to its issue of the Independent Audit Report (IAR).
The management representation letter provides the AO with written
confirmation of matters that were verbally advised during the course of the
audit engagement. It forms part of the AO’s audit evidence.
A model letter is provided on the AO website. The model is subject to
amendment to meet the individual agency’s circumstances; amendments are
often advised by the AO.
[11] The TSSA is also signed by the Treasurer and the Senior Director Financial Reporting and Systems Branch.
6.8 Statement of Assurance Accompanying Financial Statements
Under the PFAA the AO cannot issue its Independent Auditor’s Report until it
receives a statement of assurance from the entity. This Statement attests that
the statements exhibit a true and fair view of the financial position and
transactions of the agency.
The statement of assurance for most Treasury Cluster entities is signed by
the Secretary on the advice of the Chief Financial Officer and the Audit & Risk
Committee. It accompanies the audited financial statements when they are
returned to the AO prior to its issue of the IAR. It also appears in the agency’s
Annual Report [12], where it prefaces the financial statements.
6.9 Changes to the Financial Statements after Submission for Audit
The PFAA permits changes to the financial statements after they have been
received by the AO and before they are submitted to the portfolio Minister.
Treasury management must make this request in writing; email format is
acceptable. The request is usually made by the Chief Financial Officer.
Treasury officers should be aware that material changes are likely to be
recorded as corrected errors or misstatements.
6.10 Independent Auditor’s Report (Late September)
Sent to the Secretary but addressed to the Parliament, this is the opinion from
the Audit Office which is included in the Annual Report alongside the financial
statements. Every agency’s goal is to receive an unmodified opinion,
meaning that the statements are without qualification.
The IAR accompanies the statutory accounts when they are returned with the
AG’s seal. The AO must issue the IAR by 10 weeks after the date of receipt,
except for the TSSA, which must, under the PFAA, be returned by 22
October.
6.11 Statutory Audit Report (Late September)
The PFAA requires the Auditor-General to report to the Treasurer, the
Minister and the agency head, the results of his review of each agency’s
financial statements. The AO meets this requirement by issuing a ‘Statutory
Audit Report’.
This letter includes details of corrected and uncorrected misstatements in the
financial statements [13]. It is issued at the same time as the Independent
Auditor’s Report but is not a public document.
[12] or in the case of the TSSA, in the Report on State Finances
[13] “Corrected misstatements” includes agreed changes that were made during the course of the audit.
6.12 Management Letter (Mid – Late October)
These are lengthy documents that provide details of matters that have been
identified during the current audit, as well as unresolved matters identified in
previous years, and value adding recommendations. Management letters
report only by exception and include management responses to the matters
identified.
They are normally issued after the independent audit reports on each set of
financial statements. If they contained information that the Secretary and/or
Government needed to know about before signing off on the Statements, the
AO would ensure it was included in the Client Service Report.
Progress in implementing these responses is followed up by the Audit & Risk
Committee through the ‘Register of AO Management Letter
Recommendations’. The AO also follows up during the next year’s audit, and
will report in that year’s Management Letter if progress in addressing the
recommendations has been unsatisfactory. Matters that remain unresolved
for some time may be escalated to inclusion in the Statutory Audit Report and
so brought to the Treasurer’s attention.
6.13 Auditor-General’s Report to Parliament (draft provided October)
A draft is forwarded to a relevant Treasury Officer (e.g. the Chief Financial
Officer or the Finance Manager), who will collate a response and forward it to
the AO. The AO asks for comment within 3 days of receipt of the draft. Comment
should be restricted to the facts. There is no obligation to show agencies the
content before publication, but it is customary for the AO to do so.
The Report to Parliament:
• is a public document
• comprises several volumes, which are tabled throughout the year
The TSSA is reported on its own, usually in Volume 3. It has a different
process and content from the others and there is a statutory obligation for the
AO to table before 31 October.
There are no statutory obligations on the Auditor-General around any of the
other volumes.
A volume is usually released once a week through November and December.
The allocation of agencies to various volumes is largely determined by the
cluster to which they belong.
The AO does not provide full commentary on small agencies; they may
receive a mention in an Appendix.
6.14 Relationship between External Audit and the Audit & Risk Committee
To facilitate its work, the Audit & Risk Committee will receive copies of all
correspondence detailed in the agency client service plan.
The AO has observer status at all Treasury Cluster Audit & Risk Committee
meetings under the present Chair. There is a standing agenda item to allow
its representatives to report on all matters relevant to their role.
The Committee monitors progress against Management Letter
recommendations through its registers, as discussed in 6.12 above.
6.15 External Audit role in Internal Audit Planning
During the development of the Internal Audit Plan each year (usually around
April/May), the Chief Audit Executive will meet with the AO Director, Financial
Audit Services assigned to Treasury, and with any other AO personnel
considered relevant, to discuss:
• Whether the draft Internal Audit Plan is likely to duplicate any AO activity,
and if so to negotiate how the proposed review can be best done and at
what price
• Whether there are key areas of concern to the AO in regard to risks and
controls around any of the financial statements which might be included in
an Internal Audit.
7.0 ENGAGEMENT EVALUATIONS & PERFORMANCE REVIEWS
7.1 Quality Assurance and Improvement Program
The Chief Audit Executive must ensure that there is in place a quality
assurance and improvement program that applies systematic and rational
measurement methods covering all aspects of the internal audit function. This
program must include both internal and external assessments.
Performance should be reviewed:
1. at the completion of an individual audit
2. annually, for the overall performance of the internal audit function
3. externally, at least every five years.
7.1.1 Internal Assessments
The following audit evaluation forms/questionnaires are used following
individual audits:
• Chief Audit Executive review of performances of audit provider and
audited area during the audit
• Senior Management (usually, but not necessarily limited to, the audited
area) review of audit provider’s and Treasury internal audit function’s
performance
• Audit provider review of Treasury’s cooperation and responsiveness.
The annual review is an assessment conducted to evaluate compliance with
the NSW Treasury Policy & Guidelines Paper TPP 09-05, the IIA Code of
Ethics, and the IIA Standards.
The following evaluation forms/surveys are used for the annual review:
• Audit & Risk Committee self-assessment
• Review of Chair’s performance by the Secretary
• Review of Committee members’ performance by the Chair
• Reviews of the internal audit function (by Audit & Risk Committee, senior
management and the year’s project sponsors). The Chair may consult
with the audit providers for their views.
The Secretary reviews the performance of the Chief Audit Executive twice a
year as part of Treasury’s performance management system. The Secretary
is encouraged to consult with the Chair and/or the internal members of the
Audit & Risk Committee before doing so.
7.1.2 External Assessments
External assessment of the IA function should be conducted at least once
every five years by a qualified, independent reviewer or review team from
outside Treasury.
In this context “independent reviewer or review team” means one which has
no real or apparent conflict of interest and is not a part of, or under the
control of, Treasury or the outsourced service provider.
Treasury’s last independent external review was conducted by the Institute of
Internal Auditors in May 2011. The next review is scheduled for May 2016.
7.1.3 Reporting on the Quality Assurance and Improvement Program
The Chief Audit Executive must communicate the results of the quality
assurance and improvement program to the Audit & Risk Committee and the
Secretary. A summary should be included in the Annual Report to the
Secretary from the Audit & Risk Committee.
The Secretary should provide feedback to help the program improve. In
particular, he should highlight any areas of risk which still concern him.
Review History: Treasury Internal Audit Manual
Prepared/Reviewed by: Audit & Risk Branch
Review Date: Complete revision Oct 2013, with review February 2014. First published Aug 2011; reviewed April 2012.
Approved by: Nadia Fletcher, Chief Audit Executive
Approval Date: 23/12/2013 for posting March 2014
Next Review due: February 2015
Annexure A
[Name of Audit]
[Name of Audit Provider]
Finalisation of Internal Audit - Checklist
Contents
FILE COMPLETION CHECKLIST
ASAE 3000 COMPLIANCE
QUALITY ASSURANCE IMPROVEMENT CHECKLIST
DELIVERABLES CHECKLIST
DELIVERABLE TIMETABLE
SUGGESTED ACTIONS TO IMPROVE INTERNAL AUDIT
File Completion Checklist
File No.
Columns: Document | On File
• Project Brief
• Detailed Scope (engagement terms) – Signed by CAE and audit service provider
• Final Internal Audit Report (approved by Secretary)
• Audit working papers (approved by service provider Partner), including ASAE Compliance form if required
• CAE Post Audit Survey. Survey Template here.
• Client Post Audit Survey. Survey Template here.
• Service Provider Post Audit Survey. Survey Template here.
• Finalisation of Internal Audit - Checklist
• Copies of Payment Records (Invoices showing full payment of this audit)
Completed by: ……………………………… Date: …………………
ASAE 3000 Compliance
(Assurance Engagements other than Review of Historical Information)
Working papers and report reviewed for conformance with ASAE 3000 and IA Manual
Note: All internal audit working papers are checked:
• for reasonableness;
• that identified risks have been investigated by the field audit plan;
• that there is evidence of completion of the field audit (by substantive, control or walkthrough testing);
• that testing samples and sizes are in line with standard internal audit methodology; and
• that issues identified have been noted and satisfactorily addressed or raised in the final report.
A random sample of internal audit working papers and reports is selected and tested for compliance with ASAE 3000. This sample is selected at the
beginning of each year when the Annual Audit Plan is finalised. For these selected internal audits, the ASAE Compliance Checklist below must be completed.
Name of Audit:
Name of Service Provider:
Standard
Section
Inability to Comply
with Mandatory
Requirements
Ethical
Requirements
Quality Control
Number
……………………
…………………….
Checklist Activity Description
Assessment Notes
Compliance
Yes/No
Where the service provider has been unable to comply with the
ASAEs due to factors outside their control, the Service Provider
has:
 if possible, performed appropriate alternative evidencegathering procedures; and
3000.8  documented in the working papers:
(a) the circumstances surrounding the inability to comply;
(b) the reasons for the inability to comply; and
(c) justification of how alternative evidence-gathering
procedures achieve as nearly as possible the
objectives of the mandatory requirement.
Is there any evidence to suggest that the service provider has not
complied with the fundamental ethical principles in the Code?
3000.9
(integrity; objectivity; professional competence and due care;
confidentiality and professional behaviour.)
Has the service provider implemented procedures to address the
3000.12 following elements of a quality control system?
 leadership responsibilities for quality on the assurance
44
Treasury Audit Manual
Standard
Section
Number
Checklist Activity Description





Assurance
Engagement
Acceptance and
Continuance
Agreeing on the
Terms of the
Assurance
Engagement
Planning and
Performing the
Assurance
Engagement
Assessment Notes
Compliance
Yes/No
engagement;
ethical requirements;
acceptance and continuance of client relationships and
specific assurance engagements;
assignment of assurance engagement teams;
assurance engagement performance; and
monitoring.
Was the subject matter the responsibility of a party other than the
3000.14 intended users or the assurance practitioner? (The responsible
party can be one of the intended users, but not the only one.)
Have the terms of the engagement been agreed in writing and
signed by Treasury and the service provider?
Where Treasury requests to change the assurance engagement
to a non-assurance engagement or from a reasonable assurance
3000.22
engagement to a limited assurance engagement, has reasonable
justification has been provided?
Is there evidence (on file and in the working papers) that the
service provider:
 Planned the audit so that it would be performed effectively;
and
 Planned and performed the audit with an attitude of
professional scepticism?
3000.28
(An attitude of professional scepticism means the service provider
makes a critical assessment, with a questioning mind, of the
validity of evidence obtained and is alert to evidence that
contradicts or brings into question the reliability of documents and
responses to enquiries and other information obtained from
management and those charged with governance)
3000.20
Planning and
Performing the
Assurance
Engagement
Did the service provider obtain an understanding of the subject
matter and other assurance engagement circumstances, sufficient
3000.30 to identify and assess the risks of the subject matter information
being materially misstated, and sufficient to design and perform
further evidence-gathering procedures?
Standard Section: Planning and Performing the Assurance Engagement
Number: 3000.33
Checklist Activity Description:
Did the service provider assess:
• The appropriateness of the subject matter (e.g. ability to identify and measure); and
• The suitability of the criteria to evaluate or measure the subject matter?
Assessment Notes:
Compliance (Yes/No):

Standard Section: Materiality and Assurance Engagement Risk
Number: 3000.40
Checklist Activity Description:
Did the service provider:
• Consider materiality and engagement risk when planning and performing the audit; and
• Reduce engagement risk to an acceptable level in the circumstance of the audit (i.e. the type of assurance given)
Assessment Notes:
Compliance (Yes/No):

Standard Section: Using the Work of an Expert
Number: 3000.47
Checklist Activity Description:
Where the work of an expert was used (by the service provider):
• Was the combined skill and knowledge of the service provider and expert adequate for the service provider to determine that sufficient appropriate evidence had been obtained;
• Did the service provider obtain a sufficient working knowledge to enable the service provider to accept responsibility for its conclusions; and
• Did the service provider obtain sufficient appropriate evidence that the expert’s work was adequate for the purposes of the audit?
Assessment Notes:
Compliance (Yes/No):

Standard Section: Obtaining Evidence
Number: 3000.56
Checklist Activity Description:
Has the service provider:
• Obtained sufficient evidence on which to base a conclusion; and
• Determined whether sufficient appropriate evidence has been obtained to support the conclusion?
Assessment Notes:
Compliance (Yes/No):

Standard Section: Representations by the Responsible Party
Number: 3000.64
Checklist Activity Description:
Has the service provider obtained or endeavoured to obtain written representations from the responsible party, as appropriate?

(Representations by the responsible party cannot replace other evidence the service provider could reasonably expect to be available. An inability to obtain sufficient appropriate evidence regarding a matter that has, or may have, a material effect on the evaluation or measurement of the subject matter, when such evidence would ordinarily be available, constitutes a limitation on the scope of the assurance engagement, even if a representation from the responsible party has been received on the matter.)
Assessment Notes:
Compliance (Yes/No):

Standard Section: Considering Subsequent Events
Number: 3000.68
Checklist Activity Description:
Have there been any events subsequent to the completion of fieldwork (testing period) that may impact the service provider’s assurance opinion? And if so, is there evidence that these have been considered by the service provider?
Assessment Notes:
Compliance (Yes/No):

Standard Section: Documentation
Number: 3000.70
Checklist Activity Description:
Has the service provider prepared documentation that is sufficient and appropriate to support the conclusion and recommendations?
Does this documentation provide evidence that the audit was performed in accordance with the ASAEs?
Assessment Notes:
Compliance (Yes/No):

Standard Section: Preparing the Assurance Report
Number: 3000.75
Checklist Activity Description:
Does the written report contain a clear expression of the service provider’s assurance conclusion about the subject matter information?
Assessment Notes:
Compliance (Yes/No):

Standard Section: Assurance Report Content
Number: 3000.78
Checklist Activity Description:
Does the assurance report include the following:
(a) a title that clearly indicates the report is an independent assurance report;
(b) an addressee;
(c) an identification and description of the subject matter information and, when appropriate, the subject matter;
(d) for compliance engagements, the period being reported;
(e) identification of the criteria;
(f) where appropriate, a description of any significant, inherent limitation associated with the evaluation or measurement of the subject matter against the criteria;
(g) when the criteria used to evaluate or measure the subject matter are available only to specific intended users, or are relevant only to a specific purpose, a statement restricting the use of the assurance report to those intended users or that purpose;
(h) a statement to identify the responsible party and to describe the responsible party’s and the assurance practitioner’s responsibilities;
(i) a statement that the assurance engagement was performed in accordance with ASAEs and the level of assurance provided;
(j) a summary of the work performed;
(k) the service provider’s conclusion:
    (i) the context in which the conclusion is to be read;
    (ii) in a reasonable assurance engagement, expressed in the positive form;
    (iii) in a limited assurance engagement, expressed in the negative form; and
    (iv) where other than unqualified, a clear description of all the reasons.
(l) the assurance report date; and
(m) the name of the service provider or the assurance practitioner, and a specific location.
On the basis of the engagement (agreed scope) has the service provider stated an appropriate conclusion and issued an appropriate level of assurance (unqualified; qualified; adverse; or disclaimer)?
Assessment Notes:
Compliance (Yes/No):

Standard Section: Other Reporting Responsibilities
Number: 3000.86
Checklist Activity Description:
Has the service provider considered other reporting responsibilities and obligations, including the appropriateness of communicating relevant matters of governance interest arising from the audit to the person responsible for governance of the audited area? (issues identified/documented in working papers)
Assessment Notes:
Compliance (Yes/No):

Completed by: ……………………………… Date: …………………

Quality Assurance Improvement Checklist
Name of Audit: …………………
Name of Service Provider: …………………

# (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 12a, 13) | Action | Completed/Comments

• Service provider quality assurance sign-off table provided with Detailed Scope (ToR)
• Service provider quality assurance sign off table provided with Final Report
• Quality assurance sign off table completed by Engagement Director, Engagement Partner and Quality Assurance Partner
• Was a draft report for discussion circulated to management prior to the time set for the exit meeting (or did exit meeting need to be postponed)?
• Were management responses provided to CAE and Audit Provider prior to close out meeting?
• Reasonable assurance opinion given or explanation as to why it is not appropriate/possible to give an assurance opinion
• Have the objectives and client expectations set out in the Detailed Scope been met.
• Were there any delays in meeting audit deliverable timetable? Explain on whose side – see Deliverable timetable on page 9.
• Detailed Scope includes list of indicative interviewees
• Final report contains a risk assessment which includes preliminary risks identified and other risk exposures identified throughout the audit
• The assurance opinion was explained to senior management. This is usually done at the exit meeting and is more important if qualified.
• Detailed findings in the final report include risk rating and consequence/likelihood scoring
• Were there any actions for improvement of IA approach? (Comments normally made in Post Audit Surveys by CAE, Service Provider or Management. However if surveys are not returned management comments should be noted from closing meeting)
• List issues identified and suggested improvements/agreed actions to remedy issues identified.
• Has the Audit Manual and/or this Checklist Template been updated to reflect suggested improvements?

Deliverables Checklist (provider)
Name of Audit: …………………….
Name of Service Provider: …………………….

Deliverable: Scoping Meeting
Description: This will be conducted with the Project Sponsor and Project Reference Group to identify the scope objectives, stakeholder expectations and timing of the review.
Assessment:

Deliverable: Kick Off Meeting
Description: This will be conducted with the key personnel who will be interviewed during the audit to introduce the audit team, confirm project timetable and commence fieldwork.
Assessment:

Deliverable: Exit Interviews; Exit Meeting
Description: This will be conducted with stakeholders to ensure that service provider has understood the processes correctly and the findings observed are factually accurate. This meeting will also discuss the risk status allocated to each issue. A draft audit report will be presented at the meeting for discussion purposes.
Assessment:

Deliverable: Draft Audit Report
Description: After the exit meeting the service provider will issue a formal draft audit report for management responses.
Assessment:

Deliverable: Internal Audit Working Papers
Description: Internal audit working papers will document the internal audit procedures and will be supplied with the formal draft audit report.
Assessment:

Deliverable: Close-out Meeting
Description: To discuss and finalise management responses and answer any outstanding questions management have. This is also to gain CAE and service provider agreement to management responses. If not present, the Director of the audited area must have signed off on all management responses before close-out.
Assessment:

Deliverable: Internal Audit Report
Description: The final report will be provided to the CAE for inclusion in the Audit and Risk Committee Papers and Audit Provider will be available to present it to the Committee. A representative of the audited area will also be invited to attend the Committee.
Assessment:

Deliverable: Finalisation of Internal Audit Report
Description: Secretary approves internal audit report and it is filed.
Assessment:

Completed by: ……………………………… Date: …………………

Deliverable Timetable
Name of Audit: ……………………..
Name of Service Provider: ……………………..

Deliverable | Agreed or expected date | Actual completion date | Reason for Variance
Date the audit is started/conducted compared to the annual audit plan | | |
Project Brief provided to Audit Provider | | |
Planning Meeting | | |
Draft Detailed Scope | | |
Detailed Scope signed by CAE | | |
Detailed Scope signed by Audit Provider Partner | | |
Detailed Scope signed by management | | |
Fieldwork commenced | | |
Fieldwork completed | | |
Draft for discussion report received | | |
Exit meeting | | |
Formal draft report for management responses is issued | | |
Management responses are received | | |
Close out meeting | | |
Further documentation/info request by Audit Provider received from management | | |
Final report issued | | |
Circulation to Tsy ARC | | |
ARC meeting | | |
Final report sent to Secretary | | |
Final approval from Secretary | | |
Surveys sent out and received back | | |
Audit Documentation put on file | | |
Agreed recommendations transferred to ARC Register of Recommendations | | |

Completed by: ……………………………… Date: …………………

Annexure B
Internal Audit Provider Selection
When tendering for a new single service provider, at least half a dozen audit
providers – selected from the Department of Finance and Services’
Prequalification Scheme: Performance and Management Services – are
requested to submit Expressions of Interest to Treasury based on either the
three year Strategic Audit Plan or the Annual Audit Plan, whichever
management considers will provide the most informative basis for responses.
A formal tender evaluation process is used to aid the Chief Audit Executive
(who will advise the Secretary) in selecting a new single audit provider. The
tender evaluation process rates each audit provider according to value for
money, with weightings reflecting those areas considered most important.
Where a single audit provider has been engaged for the program, Treasury
will retain the right to contract other audit providers as deemed necessary.
Use of other audit providers may include but is not limited to: projects where
the current single audit provider does not possess the level of technical
expertise to advise Treasury; or where a conflict of interest is held to exist.
Tender Evaluation Process
Each Expression of Interest submitted is evaluated using a pre-developed
evaluation table. The scoring of each tender is broken down into the following:
• Proposal Technical & Quality: 70%
• Proposal Price: 30%
Technical & Quality Criteria (70%)
The technical and quality criteria section is based on questions under the
following sections:
• Approach and Methodology
• Experience of Service Provider
• Experience of Team Members
• Availability to Commence
• References
• Overall Quality of Proposal
• Conflicts of Interest
An overall technical quality threshold has been set at 60 (out of 100). Audit
providers who do not at least meet this minimum requirement will not be
further considered.
Where a conflict of interest arises and the audit provider has not satisfactorily
mitigated the conflict, the minimum scoring threshold will not be met and the
audit provider will not be considered.
An individual threshold has also been set for audit provider references. Where
the threshold is not met the audit provider will not be considered.
Price (30%)
The price is converted to a score out of 100. The lowest price is awarded a
score of 100. All other proposals are scored using the following formula:
Bid's Score = 100 x (lowest total price / bid price)
Appointment and Contract
The selected single service provider will be contacted by telephone and
advised of their successful tender. This call will be followed immediately by a
confirming email or letter including the contract Treasury uses for audit, which
is the Department of Finance and Services standard form of agreement, with
appropriate appendices. This contract should be signed by both parties, with
a copy kept by each, before further work commences.
One of these appendices will include the original tender. In signing the
contract, both parties will take into account that this appendix may require
revision following the development and agreement of the Internal Audit Client
Service Protocols and Performance Measures.
If the Internal Audit Client Service Protocols and Performance Measures
suggests any revisions which affect the price, an appendix detailing the
variation must be appended to the contract. Service providers should be
made aware during the tender process that post-hoc requirements for
significant adjustments to price may cause the outcome of the tender process
to be revised.
Annexure C
Audit Sampling
Audit sampling is the testing of less than 100 percent of the
items within a population to obtain and evaluate evidence about some
characteristic of that population, in order to form a conclusion concerning the
population.
Detection risk is the probability that the audit procedures may fail to detect
existence of a material error or fraud. Detection risk = Non-sampling risk +
sampling risk.
Non-sampling risk is the component of detection risk that is not due to sample
selection. Examples of sources of non-sampling risk include:
• failure to investigate significant fluctuations in relationships when
placing reliance on analytical procedures; and
• placing reliance on management representations as a substitute for
other audit evidence that could reasonably be expected to be available.
Sampling risk is the risk that the sample is not representative of the population
from which it is drawn and therefore the auditor’s conclusion is different from
that which would be reached if the whole population was examined. Sampling
risk can be lowered by increasing the sample size.
Sampling risk is frequently expressed as a percentage. For example, 5%
means that there is a 1 in 20 chance of material error going undetected. Risk
can also be expressed in terms of confidence levels or assurance required.
A confidence level is the degree of assurance that material error does not
exist; it is the converse of risk i.e. 5% risk = 95% confidence level.
For reasonable assurance audits in Treasury a 95% confidence level is
expected (i.e. the sample size selected should be sufficient to reduce
sampling risk to an acceptably low level – 5%).
Sample sizes should take account of the objectives of the audit, the attributes
to be tested, materiality, population size and complexity and system reliability.
The rationale for the sample size selected and the methodology applied to
select items for testing should be properly documented and retained in the
working papers.
Once a decision has been made to use audit sampling, the audit provider
must choose between statistical (e.g. interval selection) and non-statistical
(e.g. random selection) or judgment sampling. Judgment sampling is sampling
without particular regard to the parameters of a statistical sample.
A procedure calling for an audit sample with the objective of making a
judgment on the whole population would require a statistical sample rather
than a judgment sample. Another factor to consider would be the lost
effectiveness of using statistical rather than judgment sampling. Statistical
sampling would not be feasible when sampling a relatively small population.
Ultimately, the audit provider should rely on sound audit judgment in
determining which method to use.
When to Use Statistical Sampling
Statistical sampling methods should be used when any of the following criteria
apply:
• Cost-benefit analyses support the additional costs and time required
• The sample errors or exceptions must be extrapolated to quantify for the
population or a defensible expression of the test results is required
• The objective of the audit is to state an opinion on the reliability of the
balances reported
• With the availability of computer software for sampling, they would be
simpler to apply, and/or
• The risk of a sampling error must be quantified.
Attribute sampling
Attribute sampling is typically used by the audit provider to determine
whether the rate of occurrence of a characteristic or attribute (usually
errors) in a population is small enough to assume that procedures/controls
are working effectively or is indicative of an issue which needs to be
included in the audit report. It is applied to testing items that can have only
two possible values (e.g., 0 or 1) or attributes (e.g., correct or incorrect, or
yes or no). An example would be sampling to determine if a particular
transaction had appropriate authorisation.
Attribute sampling can be based on statistical or non-statistical methods,
but statistical is preferred.
When to Use Non-Statistical Sampling
Non-statistical sampling methods may be used when any of the following
criteria apply:
• They are designed to be as or more effective than statistical sampling,
while being less costly
• The audit provider encounters a well-designed, well-controlled system,
good management, well-trained employees and a feedback mechanism
that highlights errors. It would therefore be extravagant to spend a great
deal of time performing extensive substantive tests;
• The audit provider encounters a system that is so weak (e.g. inadequate
controls and/or procedures, insufficiently trained personnel) that no
reliance can be placed on the system of internal controls and it would
therefore be extravagant to spend a great deal of time performing
extensive substantive tests
• The audit objectives are fully met by a non-statistical sample
• It is known that the population has no variability
• Examples of deficiencies are needed to support the audit provider’s
contention that the system is weak; and/or
• Clues are needed to indicate whether to proceed with a statistical sample.