Model Internal Audit Charter - The Australian National Audit Office

Part 2
Model Internal Audit Charter
Heads of Internal Audit, and external audit service providers where relevant, are
encouraged to review, in consultation with the Chief Executive/Board and the Audit
Committee, their existing charters against this model. In doing so it is important that each
entity carefully consider its particular circumstances, especially the range of responsibilities
outlined in Chapter 2 of this guide.
Introduction
The [Chief Executive/Board] has established the [name of internal audit unit] as a key
component of [entity’s] governance framework.
This charter provides the framework for the conduct of the internal audit function in the [entity]
and has been approved by the [Chief Executive/Board] on the advice of the Audit Committee.
Purpose of internal audit
Internal audit provides an independent and objective review and advisory service to:
• provide assurance to the [Chief Executive/Board] that [the entity’s] financial and operational
controls designed to manage the organisation’s risks and achieve the entity’s objectives are
operating in an efficient, effective and ethical manner, and
• assist management in improving the entity’s business performance.
Independence
Independence is essential to the effectiveness of the internal audit function.
Internal audit has no direct authority or responsibility for the activities it reviews. The internal
audit function has no responsibility for developing or implementing procedures or systems and
does not prepare records or engage in original line processing functions or activities [except as
noted below1].
Internal Audit reports functionally to the Audit Committee. The Head of Internal Audit is
accountable to the [Chief Executive2 or Board3] for the efficient and effective operation of the
internal audit function.
The Head of Internal Audit has direct access to the [Chief Executive/Chair of the Board], and
the Chair and other members of the Audit Committee. Periodic ‘in camera’ meetings will be
held between the Head of Internal Audit and the Audit Committee.
Authority and confidentiality
Subject to compliance with [entity] security policies, internal auditors are authorised to have full,
free and unrestricted access to all functions, premises, assets, personnel, records, and other
documentation and information that the Head of Internal Audit considers necessary to enable
internal audit to meet its responsibilities.
1 Delete if not applicable.
2 For FMA Act entities.
3 For CAC Act entities.
All records, documentation and information accessed in the course of undertaking internal audit
activities are to be used solely for the conduct of these activities. The Head of Internal Audit and
individual internal audit staff are responsible and accountable for maintaining the confidentiality
of the information they receive during the course of their work.
Under its legislation, the Australian National Audit Office has access to all relevant [entity]
documents including internal audit reports.
Inter-agency arrangements with other entities also provide for consultation and disclosure of
audit matters affecting other entity programmes and other circumstances4.
Roles and responsibilities5
Internal audit’s responsibilities will be influenced by the governance arrangements established
by the entity and the existence of other separate functions with specific responsibility for some
of these matters. For example, many entities have separate organisational units responsible for
risk management and/or fraud control.
In the conduct of its activities, internal audit will play an active role in:
• developing and maintaining a culture of accountability and integrity
• facilitating the integration of risk management into day-to-day business activities and processes,
and
• promoting a culture of cost-consciousness, self-assessment and adherence to high
ethical standards.
Internal audit activities will encompass the following areas:
Audit activities including audits with the following orientation:
Compliance
• compliance with legislative requirements, Australian Government and [entity] policies and
procedures including assurance in respect of the Certificate of Compliance
• the adequacy and effectiveness of internal financial and operational controls including IT
system controls
• the recording, control and use of entity assets, and
Performance improvement
• the efficiency, effectiveness, and ethical conduct of the entity’s business systems and
processes.
Advisory services6
Internal audit can advise [entity] management on a range of matters including:
New programmes, systems and processes
• providing advice on the development of new programmes and processes and/or significant
changes to existing programmes and processes including the design of appropriate controls.
4 Amend as applicable.
5 Internal audit’s responsibilities will be influenced by the governance arrangements established by the entity and the
existence of other separate functions with specific responsibility for some of these matters. For example, many entities
have separate organisational units responsible for risk management and/or fraud control. As a consequence, the roles
and responsibilities listed are illustrative only.
6 In providing advisory services, internal audit needs to maintain operational independence. It is the responsibility of
entity management to accept or reject advice provided by internal audit, to implement the advice where considered
appropriate and be accountable for decisions taken.
Risk management
• assisting management to identify risks and develop risk mitigation and monitoring strategies
as part of the risk management framework
• co-ordinating the annual [entity] Risk Management Plan
• monitoring and reporting on the implementation of risk mitigation strategies
Fraud control
• assisting management to identify the risks of fraud and develop fraud prevention and
monitoring strategies
• co-ordinating the [entity] Fraud Control Plan
Audit support activities
Internal audit is also responsible for:
• assisting the Audit Committee to discharge its responsibilities
• providing secretarial support to the Audit Committee
• monitoring the implementation of agreed recommendations7
• disseminating across the entity better practice and lessons learnt arising from
its audit activities, and
• managing the audit function.
Non-audit activities8
Internal audit has management responsibility for the following areas:
[insert non-audit responsibilities if any]
Scope of internal audit activity
Internal audit reviews cover all programmes and activities of the [entity] together with associated
entities as provided for in relevant business agreements, memoranda of understanding or
contracts. Internal audit activity encompasses the review of all financial and non-financial
policies and operations.
Standards
Internal audit activities will be conducted in accordance with the Australian Public Service and
supporting [entity] values, policies and procedures.
Audit activities will also be conducted in accordance with relevant professional standards
including9:
• Standards for the Professional Practice of Internal Auditing issued by the Institute of
Internal Auditors
• Standards relevant to internal audit issued by the Australian Society of Certified Practising
Accountants and the Institute of Chartered Accountants in Australia
• The Statement on Information Systems Auditing Standards issued by the Information
Systems and Control Association, and
• Standards issued by Standards Australia and the International Standards Organisation.
7 Arising from internal and external audit reports, Parliamentary Committee reports and other external bodies such as
the Management Advisory Committee, the Australian Public Service Commission and the Ombudsman.
8 Delete if not applicable.
9 Specify applicable Standards.
In the conduct of internal audit work, internal audit staff will:
• comply with relevant professional standards of conduct
• possess the knowledge, skills and technical proficiency relevant to the performance of their
duties
• be skilled in dealing with people and communicating audit, risk management and related
issues effectively
• maintain their technical competence through a programme of professional development, and
• exercise due professional care in performing their duties.
Relationship with external audit
Internal and external audit activities will be coordinated to help ensure the adequacy of overall
audit coverage and to minimise duplication of effort.
Periodic meetings and contact between internal and external audit shall be held to discuss
matters of mutual interest.
External audit will have full and free access to all internal audit plans, working papers and
reports.
Planning
The Head of Internal Audit will prepare, for the Audit Committee’s consideration, an internal
audit strategic business plan and an internal audit annual audit work plan in a form agreed with
the Committee.
Reporting
The Head of Internal Audit will report to each meeting of the Audit Committee on:
• audits completed
• progress in implementing the strategic business plan and audit work plan, and
• the status of the implementation of agreed internal and external audit, Parliamentary
Committee and other relevant external body recommendations.
Internal audit will also report to the Audit Committee at least once annually on the overall state
of internal controls in the [entity] and any systemic issues requiring management attention
based on the work of internal audit [and other assurance providers10].
Administrative arrangements
Any change to the position of the Head of Internal Audit, or an external service provider, will
be approved by the [Chief Executive or Board11]. The Audit Committee will be consulted as part
of the process.
The Head of Internal Audit will arrange for a periodic, independent review of the efficiency and
effectiveness of the operations of the internal audit function at least every five years.
10 Amend as appropriate.
11 Amend as applicable.
Review of the charter
This charter will be reviewed at least annually by the Audit Committee. Any substantive changes
will be formally approved by the [Chief Executive or Board 12] on the recommendation of the
Audit Committee.
12 Amend as applicable.
Part 3
Toolkit
Part 3 Contents
• Example internal audit strategic business plan and annual work plan
• Example list of contents – internal audit manual
• Example internal audit protocol
• Pro-forma internal audit annual work plan progress report
• Pro-forma Implementation of recommendations progress report
• Example key performance indicators
• Example client survey questionnaire
• Example Audit Committee internal audit questionnaire
• Example internal audit self-review questionnaire
Example internal audit strategic business plan and annual work plan
The format and content of internal audit’s strategic business plan and annual work plan are a
matter for agreement between the Audit Committee and the Head of Internal Audit. This
example contains the major elements that could be expected in a comprehensive strategic
business plan and audit work plan.
It is intended as a guide only, and entities should consider their own circumstances in
developing a strategic business plan and annual work plan that best suit their own
environment and governance arrangements.
Introduction
Part A of this business plan outlines the strategic direction of [Entity’s] internal audit function
over a three year period [insert date] to [insert date].
It describes in broad terms the operations, programmes and business units that will be given
priority for audit coverage and the types of audits that will be conducted in those areas.
Part A also describes the management strategies that will be implemented over the period
covered by the plan, aimed at enabling internal audit to achieve its objectives.
Part B contains the [Entity] internal audit annual work plan for [insert date] and details the
specific audit activity that will be undertaken in [insert date].
This strategic business plan is available on the [Entity’s] intranet at [insert intranet address].
PART A: Strategic Directions
Internal audit objectives
This section will provide a statement of the broad business objectives and directions for internal
audit over the period of the plan. It will focus on both audit and management goals and be
consistent with the internal audit charter.
Methodology
This section will briefly outline the approach followed in developing the plan and the key
stakeholders consulted.
Entity strategic environment
This section will summarise the goals, objectives and major initiatives of the entity. This will be
derived from a review of key strategic and other planning documents and discussions with the
Chief Executive, members of the Audit Committee and senior managers.
The aim of this section is to demonstrate that internal audit has a good understanding of the
entity’s business, what is planned for the future and how the work undertaken by internal audit
assists the entity to achieve its objectives.
Entity key business risks
This section will describe the major high level risks identified as part of the entity’s risk
management framework and discussions with key stakeholders. Where there is a less than
mature risk management framework, it will be necessary for internal audit to conduct its own
risk analysis.
The aim of this section is to identify those risks that arise out of the entity’s environment and
future direction that may be addressed by internal audit and to provide a link between the
proposed direction and priorities of internal audit and the risks of the entity.
Examples of risks could include:
• being unable to deliver core services and maintain key financial and operational controls in
a period of rapid change
• an inability to generate sufficient revenue
• difficulties in recruiting and retaining sufficient numbers of skilled staff to deliver entity
programmes in a time of strong labour market conditions
• a lack of co-ordination of service delivery with other government entities at the Australian,
state and local government levels and non-government organisations
• delays and cost blow-outs in major projects, and
• security and business continuity.
For ease of presentation the risks could be consolidated into strategic audit themes and audits
that address the theme grouped together.
External environment
This section will identify issues and trends relevant to the entity that arise from the external
environment that may impact on the achievement of the entity’s objectives. Such issues could
come from a number of sources including:
• parliamentary and government accountability requirements
• regulatory changes
• governance trends, and
• professional internal and external audit and accounting trends.
Other assurance and review providers
This section maps the identified business risks to the various assurance processes and
providers such as management monitoring, internal quality assurance, regulators, external audit
as well as internal audit. The aim of this mapping is to identify, for the benefit of the Chief
Executive and the Audit Committee, any risks that are not being addressed by either internal
audit or other assurance or review activities or functions, or risks where assurance is being
provided by one or more such activities.
The following example illustrates one version of an assurance map.
[Assurance map table: the rows are business risks A to F; the columns are the assurance and
review activities: Management monitoring, Quality assurance, External audit,
Evaluations/reviews, Regulators and Internal audit programme. A mark in a cell indicates
adequate coverage of the risk.]
Details can be provided of the specific coverage provided by each of the assurance and review
providers against the relevant business risk.
Internal audit work strategies and priorities
This section will describe the major focus of audit activities including advisory services, audit
support and any non-audit activity over the life of the plan and any changes that are required to
help ensure that the audit plan and other activities remain relevant to the strategic direction of
the entity. The purpose of the section is to broadly demonstrate how the proposed work of
internal audit will assist the entity to manage its current and emerging strategic, operational and
financial risks.
The section could usefully discuss issues such as:
• what audit topics will be undertaken over the period of the plan and how they address the
risks facing the entity, including risks that might otherwise remain undetected
• any rebalancing of the proportion of the different types of audit, or
• the proposed introduction of any new audit advisory or audit support activities.
Audit Coverage
This section will describe where the major audit effort will be concentrated and the areas that
will receive little, or no, audit attention. It could describe not only the subject matter that will be
addressed but also the types of audits and the business units and/or geographical location of
audit coverage. The aim of the section is to be able to demonstrate that the planned audit
programme is relevant to the identified risks, and to identify where gaps exist. In the light of this
information the Audit Committee is then in a position to make an informed decision on the
proposed audit coverage.
For ease of presentation, the proposed audit coverage could be summarised as shown in the
following example. It shows which audits are proposed to be conducted over a three year
period:
• audit theme
• audit title
• area responsible
• type of audit
• priority.
[Audit coverage table: for each of Year 1, Year 2 and Year 3, the columns are Audit title,
Area responsible, Type of audit and Priority. The rows are the audit themes*: Cyclical13,
Governance, Programme performance, Strategy/planning, Human resources and Financial.]
* These themes should be aligned with the entity’s main business risks.
13 Cyclical audits are reviews that are primarily of a compliance nature and are conducted as part of a regular annual cycle to examine key risks such as financial, human resource, legal, contractual and project
management risks.
Previous audits and planned audits
To assist the Audit Committee and other stakeholders to place the planned audit coverage in
context, this section lists the audits completed over, for example, the last two years as well
as those planned over the life of the plan. An example of how this might be presented is
illustrated below.
[Previous and planned audits table: the rows are audit titles A to G; the columns are
Year -2, Year -1, Year 1, Year 2 and Year 3. A mark in a cell indicates the extent of internal
audit coverage.]
Allocation of resources
This section details the relative allocation of internal audit resources between audit, including
advisory, audit support and any non-audit activities. Other options include showing the
allocation of resources between the different types of audit, business units and/or geographical
locations. Details can be provided in tabular or graphic form. The following examples illustrate
graphic representations of the allocation of resources.
Audit resources
This section details the financial and human resource budgets for audit activities over the life of
the plan including the previous year for comparative purposes.
Budget (columns: Year -1 $, Year 1 $, Year 2 $, Year 3 $)
• Staff (including overheads)
• Travel & Accommodation
• External Service Provider
• Total
Human resources (columns: Year -1 Days, Year 1 Days, Year 2 Days, Year 3 Days)
Available days:
• In-house staff
• External service provider(s)
• Total available days
• Less days applied to non-audit activities14
• Total available internal audit days
Internal audit support activities:
• Development of the internal audit strategic business plan and annual work plan
• Monitor audit and other report recommendations
• Prepare annual assessment report
• Service the Audit Committee
• Manage audit programme
• Staff recruitment/training
• External auditor liaison
• Other internal audit support activities
• Total internal audit support activity days
Total available for annual work plan
Internal audit management strategies
This section will describe the management strategies that will be adopted to achieve the internal
audit goals and deliver the broad audit programme described earlier.
Examples of management strategies might include:
• changes in work practices and enhancement of audit methodologies to assist in ensuring
that internal audit meets the needs of stakeholders and delivers value for money
• review of the internal audit professional development programme
• introduction of new audit technology
• benchmarking exercises or external reviews, and
• the introduction of secondment programmes aimed at ensuring internal audit has the
necessary skilled and experienced staffing resources to deliver the internal audit annual
work plan.
14 If specified in the internal audit chapter.
Risks to the Internal Audit Strategy
This section will describe the major risks that may prevent internal audit from achieving
its objectives and the strategies that will be implemented to mitigate such risks.
The following example illustrates possible risks and mitigation strategies.
Risk event: The expiration of the external provider contract in 15 months’ time
Description of risk: This has the potential to result in delays in the audit programme if there
is a change in audit service provider. There is also the risk of increased costs, in line with
market changes over the last three years.
Mitigation strategy: Immediate review of service delivery options followed by early
commencement of the tendering process.

Risk event: Increase in staff turnover
Description of risk: Turnover of in-house audit staff is a significant risk over the next 12-18
months as senior staff approach retirement age.
Mitigation strategy: Allowance has been made for managing staff retention and recruitment
activities and the introduction of a secondment programme.

Risk event: Management requests additional audits
Description of risk: Internal audit unable to respond in a timely way to requests for additional
audits that have not been included in the audit work programme.
Mitigation strategy: Programme includes allowance for urgent and unforeseen tasks subject to
approval by Chief Executive/Board or Audit Committee.
Performance measures
This section will list the performance measures that will be used to measure the performance of
internal audit and any changes in measures or targets over time.
Review of plan
This section will describe the timeframe and arrangements to be made for the review and
update of the plan. It would normally cover a three year rolling period and be reviewed at least
annually. It would be developed by the Head of Internal Audit for approval by either the Chief
Executive/Board or the Audit Committee.
Part B: Internal audit annual work plan for [year]
[Annual work plan table. Columns: Audit theme*, Area responsible, Audit title, Sponsor,
Audit orientation, Audit description, Potential benefit/rationale, Priority, Provider,
Estimated duration^, Estimated start date, Date of consideration by Audit Committee.]
Example audit titles, listed by audit theme:
Governance
• Cyclical compliance check
• Certificate of Compliance
• Governance and reporting of related business partners
• IT security environment
Programme performance
• Programme grants to client organisations
Strategy/planning
• Implementation of strategic changes and organisational restructure
• Selection of a new financial management system
Human resources
• Personnel security clearances
Financial
• Asset management
• Corporate Taxation
Contingency for unforeseen audits
Total
* These themes should be aligned with the entity’s main business risks.
^ The plan could also include the cost of individual audits.
Reserve topics
[Table columns: Audit theme*, Audit title, Area responsible, Audit orientation, Audit
description, Potential benefit/rationale.]
Programme performance
• Achievement of funding objectives
Strategy/planning
• IT project planning
High ranking topics not included in annual work plan
[Table columns: Audit title, Area responsible, Audit orientation, Audit description,
Estimated duration.]
• Environmental management
• Insurance arrangements
There are a number of options that can be used to illustrate the allocation of internal audit
resources in the internal audit annual work plan. Some of these are illustrated below.
Example list of contents - internal audit manual
An internal audit manual documents the policies and procedures for conducting audits and
for managing the internal audit function. It is an important aid in assisting internal audit to
produce high quality audit reports that meet the expectations of stakeholders.
The audit manual should be tailored to the individual needs of entities but Heads of Internal
Audit are encouraged to review their audit manuals against this example list of contents.
Introduction
Purpose of internal audit
Purpose of the manual
Application to in-house staff and external providers
Review of audit manual
Overview of entity internal audit
Internal audit charter
Audit Committee charter
Structure of entity internal audit
Roles and responsibilities of in-house and external provider positions
Internal audit protocol(s):
• entity management
• external auditor
• business partners
Internal audit professional standards
Auditing frameworks
Strategic planning
Major tasks in developing the internal audit strategic business plan
Timing of tasks
Responsibilities for tasks
Development of the annual work plan
Major tasks in developing the annual work plan
Timing of tasks
Responsibilities for tasks
Overview of the audit process
Preliminary research
Audit proposal
Audit assignment planning
Preliminary research
Preparing the assignment plan
• Objectives
• Scope
• Methodology/test programme
• Timing
• Resources
Entry interview
Fieldwork
Undertaking fieldwork
Techniques for collecting evidence and testing controls
Mid-point review
Support tools available
Supervision arrangement
Reporting
First draft report
Exit interview
Final draft report
Obtaining management response
Completing the final audit report
Audit findings and recommendations rating system
Report format
Document styles/templates
Post-audit events
Audit evaluation by sponsor
Evaluation and debrief of auditor/external provider
Disseminating better practice and lessons learnt
Quality assurance review
Recommendation monitoring and reporting
Monitoring implementation of audit and other report recommendations
Reporting progress to the Audit Committee
Appendices
Internal audit protocols
Managing external service providers
Policy and guidance
Servicing the Audit Committee
Committee papers
Internal audit management reports
Assessing internal audit performance
Key performance indicators
Records management
Registry files
Audit working papers
Audit records retention and disposal rules
Security procedures
Confidentiality
Data and document security
Asset security
Example internal audit protocol
The format and content of the internal audit protocol is a matter for the Head of Internal
Audit in consultation with entity management. This example includes the key points found in
a better practice internal audit protocol.
Entities are encouraged to review their existing protocol against this better practice
example.
Introduction
This protocol outlines the respective roles and responsibilities of internal audit and management
in the course of an audit and the opportunities for consultation during the audit process.
Purpose of internal audit15
Internal audit provides an independent and objective review and advisory service to:
• provide assurance to the Chief Executive [and/or Board] that [the entity’s] financial and
operational controls designed to manage the organisation’s risks and achieve the
organisation’s objectives are operating in an efficient, effective and ethical manner, and
• assist management in improving the entity’s business performance.
Independence
Internal audit has no direct authority or responsibility for the activities it reviews. Internal audit
has no responsibility for developing or implementing procedures or systems and does not
prepare records or engage in original line processing functions or activities.
Internal Audit reports functionally to the Audit Committee. The Head of Internal Audit is
accountable to the Chief Executive [or Board].
Authority and confidentiality
Subject to compliance with [entity] security policies, internal auditors are authorised to have full,
free and unrestricted access to all functions, premises, assets, personnel, records, and other
documentation and information that the Head of Internal Audit considers necessary to enable
internal audit to meet its responsibilities.
All records, documentation and information accessed in the course of audits are used solely for
auditing purposes. Under its legislation, the Australian National Audit Office has access to all
relevant [entity] documents including internal audit reports.
Agreements with purchasing departments also provide for consultation and disclosure of audit
matters affecting purchasing department programmes and other circumstances 16.
15 For more information on the roles and responsibilities of internal audit see the internal audit charter available on the
[entity’s] intranet.
16 Include where applicable.
Standards17 and values
Audit activities are also conducted in accordance with relevant professional standards including:
• Standards for the Professional Practice of Internal Auditing issued by the Institute of
Internal Auditors
• Standards relevant to internal audit issued by the Australian Society of Certified Practising
Accountants and the Institute of Chartered Accountants in Australia, and
• The Statement on Information Systems Auditing Standards issued by the Information
Systems and Control Association.
Internal audit activities are conducted in accordance with the Australian Public Service and
[entity] values, policies and procedures.
Planning and consultation
Internal audit prepares a strategic business plan and annual work plan in consultation with the
Chief Executive, [the Board,] the Audit Committee and senior management. The business plan
and audit work plan are based on the risks facing [entity] and the business improvement
opportunities available to [entity].
The strategic business plan and the audit annual work plan are approved by the Chief
Executive/Board/Audit Committee18. The audit work plan is available on the [entity] intranet.
In addition, audits not on the audit work plan can be commissioned by the Chief Executive,
the Audit Committee or management19.
Audit process
The various stages in the audit process are outlined below.
Preliminary consultation
Prior to commencing the audit, internal audit will consult with the relevant senior manager on
the:
• objectives and scope of the audit
• likely commencement date and duration
• locations to be visited, and
• nomination of an audit sponsor.
Opening interview
An opening interview will be conducted shortly before the start of the audit with management of
the area to be reviewed. The purpose of the opening interview is to:
• enable the audit team to meet key staff of the area being reviewed
• clarify the objectives, scope and timing of the audit
• provide an opportunity for staff of the area being reviewed to present their views and
perspectives on the matters subject to audit
• finalise the plan for conducting the audit in terms of timing, duration, staff involvement, and
• arrange access to buildings, personnel, files, systems and data in order to commence
fieldwork.
17 Specify applicable standards.
18 Amend as applicable.
19 Audits commissioned by management and not included in the audit work plan require the agreement of the
Audit Committee.
Fieldwork
Internal audit is committed to a ‘no surprises’ approach and ongoing discussions will be held
with management as findings emerge and conclusions are developed. At the midpoint of the
audit, a formal meeting will be sought with the sponsor to discuss the audit programme and
any emerging issues.
If necessary, internal audit will communicate significant matters of concern to the Chief
Executive and/or the Audit Committee prior to the completion of the final report.
Exit interview
At the conclusion of the fieldwork, internal audit will prepare a first draft report to be used as the
basis for discussion at an exit interview.
The purpose of the exit interview is to:
• advise management about the provisional findings, conclusions and recommendations
• afford management the opportunity to correct any misunderstandings or misinterpretations
• discuss findings and conclusions and obtain management’s views, and
• discuss the practicality of recommendations and timeframes for any remedial action.
Draft report
Internal audit will issue a final draft audit report promptly following the exit interview, generally
within 10 working days.
Management comments
On receipt of the final draft report, the sponsor and management of the work area under
review should:
• consider the findings and recommendations in the draft report
• formally advise internal audit whether management agrees or disagrees with the
recommendations in the draft report
• where management agrees with a recommendation, management should prepare an action
plan to address the recommendation, set a timeframe for implementing the action plan and
nominate the individual responsible for implementation, and
• where management disagrees with a recommendation, the reason for the disagreement
should be provided20.
Management comments are required within 10 working days of the receipt of the draft report.
20 While management agreement is not always necessary, it would be expected that discussions would be held with the
sponsor with the aim of reaching agreement. The reasons for any disagreement will be included in the final audit report
together with any internal audit response.
Final report
Within 5 working days of the receipt of management comments, internal audit will issue a
final report to:
• the Chief Executive
• the Chair and members of the audit committee
• the sponsor, and
• the sponsor’s supervisor.
Where appropriate, lessons learnt and examples of better practice will be disseminated to a
wider audience in [entity].
A client satisfaction questionnaire will be sent with the final report. The sponsor should complete
the client satisfaction questionnaire and return it to the Head of Internal Audit. The Head of
Internal Audit will follow up any feedback indicating possible shortcomings in internal audit
performance.
Monitoring the implementation of agreed recommendations
The Audit Committee is responsible for examining all internal audit reports. Internal audit assists
the Audit Committee in monitoring progress in implementing agreed recommendations. Internal
audit will, therefore, periodically seek advice from management regarding progress in
implementing agreed recommendations.
Pro-forma internal audit annual work plan progress report
Status of [year] internal audit plan as at [date]
Audit title | Progress status21 | Original date for consideration by Audit Committee | Revised date for consideration by Audit Committee | Percentage of estimated days used | Last milestone achieved22 | Status comment23
Progress status legend
Red: Significant delays
Orange: Some delays
Green: On track
Milestones
• Assignment planning commenced
• Entry interview
• Fieldwork commenced
• Fieldwork completed
• Exit interview completed
• Draft report issued
• Management comments received
• Report considered by Audit Committee
21 Internal audit’s assessment of audit progress represented by ‘traffic lights’.
22 Selected from list of milestones.
23 Internal audit’s commentary on audit progress. An opportunity also exists to advise the Audit Committee of the significance of any findings that are emerging from audits in progress.
Pro-forma Implementation of recommendations progress report
Status of the implementation of internal audit and other report24 recommendations as at [date]
Report title and date considered by audit committee25 | Recommendation/issue26 | Progress status27 | Category/priority of recommendation | Manager responsible for implementation | Original completion date | Revised completion date | Comment28
Progress status legend
Red: Significant delays
Orange: Some delays
Green: On track
24 Including external audit and recommendations of Parliamentary Committees and other relevant bodies.
25 Or date issued, if not considered by the Audit Committee.
26 Summary of recommendation or issue.
27 Internal audit’s assessment of progress represented by appropriate coloured ‘traffic lights’.
28 Internal audit’s commentary on the adequacy of progress, as required.
Example key performance indicators
Measuring performance over time using a number of key performance indicators (KPIs)
linked to internal audit objectives, and acting on the results, is important for an effective
internal audit function.
The most appropriate KPIs will vary according to the objectives and structure of the internal
audit function, but entities are encouraged to review their existing key performance
indicators against the following example indicators.
Performance indicator | Target | Actual | Percentage variation
Performance against plan
• Number of audits completed
• Number of audits delivered by due date
• Cost of audit plan
Stakeholders
• Audit Committee assessment of overall contribution of internal audit (from committee survey questionnaire)
• Client assessment of overall satisfaction (from client survey questionnaire)
• Number of requests for ad-hoc advice/assistance from management
Staff
• Staff satisfaction (from staff survey)
• Training days per staff member
• % staff turnover
Overall contribution
• Audit Committee assessment of the extent audits identified key issues (from committee survey questionnaire)
• Audit Committee assessment of the contribution internal audits made to greater assurance and/or improvements in performance (from Audit Committee survey questionnaire)
• Clients’ assessment of benefits resulting from internal audits (from client survey questionnaire)
Not applicable
Not applicable
Example client survey questionnaire
To assist in maintaining the efficiency of the audit process and the quality of the audit report
it is important to seek the views of management immediately after an audit has been
finalised.
This example client survey questionnaire is designed to assist the Head of Internal Audit to
collect the views of management regarding the audit. Where there are significant areas of
disagreement the Head of Internal Audit should explore the matters further.
Entities are encouraged to review their existing client survey questionnaire against this
example.
Rating scale
Importance: 1 = Low importance, 2 = Medium importance, 3 = High importance
Performance: 1 = Strongly Disagree, 2 = Disagree, 3 = Agree, 4 = Strongly Agree
The timing of the audit was appropriate.
Importance: 1 2 3 | Performance: 1 2 3 4
My staff and I were given the opportunity to provide input, including any concerns and our perspectives, to the planning process.
Importance: 1 2 3 | Performance: 1 2 3 4
The audit focused on issues that were important.
Importance: 1 2 3 | Performance: 1 2 3 4
The internal auditor(s) kept me informed throughout the process on a timely basis and there were ‘no surprises’.
Importance: 1 2 3 | Performance: 1 2 3 4
The internal auditor(s) demonstrated a good knowledge of the subject matter.
Importance: 1 2 3 | Performance: 1 2 3 4
The internal auditor(s) demonstrated professionalism and an objective approach.
Importance: 1 2 3 | Performance: 1 2 3 4
There was no undue disruption to my workplace during the audit and our work environment was respected, e.g. safeguarding of documents and access to facilities.
Importance: 1 2 3 | Performance: 1 2 3 4
I was given the opportunity to provide input on the findings and conclusions, and on the recommendations made to address them.
Importance: 1 2 3 | Performance: 1 2 3 4
Conclusions reached were adequately supported by relevant facts and thorough analysis.
Importance: 1 2 3 | Performance: 1 2 3 4
The audit was completed on a timely basis.
Importance: 1 2 3 | Performance: 1 2 3 4
The audit report was balanced and constructive.
Importance: 1 2 3 | Performance: 1 2 3 4
Recommendations were useful, realistic, and cost-effective.
Importance: 1 2 3 | Performance: 1 2 3 4
The audit was of benefit in providing me with assurance that there were no major weaknesses and/or helped me to manage my business better.
Importance: 1 2 3 | Performance: 1 2 3 4
Overall, I was satisfied with the audit.
Importance: 1 2 3 | Performance: 1 2 3 4
Please use the space below to explain any specific ratings, to provide additional comments, or
to offer suggestions to improve future internal audits.
Comments:
Example Audit Committee internal audit questionnaire
The views of the Audit Committee on the performance of internal audit should be sought
periodically, but at least annually.
This example questionnaire is designed for use by the Audit Committee to provide feedback
to the Head of Internal Audit on the performance of the internal audit function. The
questionnaire would generally be completed by each member of the committee.
Alternatively it can be completed by the committee as a whole.
Entities are encouraged to review their existing Audit Committee internal audit survey
questionnaire against this better practice example.
Rating scale
Importance: 1 = Low importance, 2 = Medium importance, 3 = High importance
Performance: 1 = Strongly Disagree, 2 = Disagree, 3 = Agree, 4 = Strongly Agree
Audit Committee Papers
Audit Committee papers were distributed in sufficient time prior to the meetings.
Importance: 1 2 3 | Performance: 1 2 3 4
Audit papers provided adequate pre-meeting information.
Importance: 1 2 3 | Performance: 1 2 3 4
Audit papers were presented in a professional, well-ordered, clear and concise manner.
Importance: 1 2 3 | Performance: 1 2 3 4
The information provided in the audit papers assisted the Audit Committee to fulfil its responsibilities under its charter.
Importance: 1 2 3 | Performance: 1 2 3 4
Any changes suggested to the audit papers were implemented in a timely manner.
Importance: 1 2 3 | Performance: 1 2 3 4
Meetings
Internal audit actively participates in meetings.
Importance: 1 2 3 | Performance: 1 2 3 4
Internal audit offers suggestions and solutions to issues during discussions.
Importance: 1 2 3 | Performance: 1 2 3 4
Minutes from meetings are accurate, concise and distributed in a timely manner.
Importance: 1 2 3 | Performance: 1 2 3 4
Internal audit strategic business plan and internal audit annual work plan
The strategic business plan and annual work plan were appropriately aligned with the entity’s business and operating environment (including key issues and business risks), its strategy and its key priorities.
Importance: 1 2 3 | Performance: 1 2 3 4
The internal audit strategic business plan and annual audit plan were developed in consultation with the Chief Executive, the Audit Committee and senior management.
Importance: 1 2 3 | Performance: 1 2 3 4
The internal audit strategic business plan and annual audit plan take into account the work of other sources of assurance and review.
Importance: 1 2 3 | Performance: 1 2 3 4
Audit reports
The issues addressed by each audit assignment were appropriate to the business needs of the entity.
Importance: 1 2 3 | Performance: 1 2 3 4
Audit assignments were completed in a timely manner.
Importance: 1 2 3 | Performance: 1 2 3 4
Reports were well structured and concise.
Importance: 1 2 3 | Performance: 1 2 3 4
Reports reflected a realistic understanding of the area under review.
Importance: 1 2 3 | Performance: 1 2 3 4
Recommendations were practical and cost-effective to implement.
Importance: 1 2 3 | Performance: 1 2 3 4
Better practice suggestions and lessons learnt were disseminated to relevant areas of the entity.
Importance: 1 2 3 | Performance: 1 2 3 4
Audits represented good value for money.
Importance: 1 2 3 | Performance: 1 2 3 4
Audits identified key issues.
Importance: 1 2 3 | Performance: 1 2 3 4
Audits contributed to greater assurance and/or improvements in performance.
Importance: 1 2 3 | Performance: 1 2 3 4
Overall contribution
Overall, internal audit has made a valuable contribution to the achievement of the entity’s objectives.
Importance: 1 2 3 | Performance: 1 2 3 4
Please use the space below to explain any specific ratings, to provide additional comments, or
to offer suggestions for improvement.
Comments:
Example internal audit self-review questionnaire
This self-review questionnaire is designed to assist the Head of Internal Audit to assess if
the key elements of a better practice internal audit function are in place.
Rating scale
Ratings: 1 = Strongly Disagree, 2 = Disagree, 3 = Agree, 4 = Strongly Agree
Rating
You have the confidence and support of:
• the Chief Executive: 1 2 3 4
• the Board (where applicable): 1 2 3 4
• the Audit Committee: 1 2 3 4
• senior management: 1 2 3 4, and
• line management: 1 2 3 4.
You have direct access to the Chief Executive/Chair of the Board and the Chair of the Audit Committee.
1 2 3 4
Internal audit is part of an integrated governance framework.
1 2 3 4
The internal audit charter is up to date and clearly articulates the roles, responsibilities and accountability lines of the internal audit function.
1 2 3 4
Your role is clear and well understood by management and staff in the entity.
1 2 3 4
You have access to all entity records, information and staff in the conduct of your work.
1 2 3 4
You and your staff know the entity’s business and the risks it faces.
1 2 3 4
There is a strategic internal audit business plan and internal audit annual work plan that is aligned with the entity’s business objectives, risks and major business systems and processes.
1 2 3 4
You have access to sufficient skilled and experienced staff and financial resources to meet your responsibilities and the expectations of key stakeholders.
1 2 3 4
Internal audit’s working practices are efficient and effective and are supported by an up to date Internal Audit Manual.
1 2 3 4
Relevant professional standards are adhered to.
1 2 3 4
There is adequate supervision of audit work and review of audit reports.
1 2 3 4
Audit reports rate the risk exposure of findings to the entity.
1 2 3 4
All audit recommendations are practical, cost-effective to implement and are risk-rated.
1 2 3 4
Outstanding agreed internal and external audit, Parliamentary Committee recommendations and those of other relevant bodies, are monitored effectively, and progress in implementing recommendations reported periodically to the Audit Committee.
1 2 3 4
Examples of better practice and lessons learnt are disseminated to relevant areas of the entity.
1 2 3 4
An annual report that assesses the effectiveness of the entity’s internal controls and identifies systemic issues is provided to the Audit Committee.
1 2 3 4
The key performance indicators provide effective accountability and drive performance improvement.
1 2 3 4
The internal audit function is reviewed periodically.
1 2 3 4