5. Chapter 4 PLANNING AND CONDUCTING INTERNAL AUDIT ENGAGEMENTS (FIELDWORK)

Internal Audit Manual

CHAPTER IV
PLANNING AND CONDUCTING INTERNAL AUDIT ENGAGEMENTS
(FIELDWORK)
IIA Standard 1200 - Proficiency and Due Professional Care:
Engagements must be performed with proficiency and due professional care.
IIA Standard 1220 - Due Professional Care:
Internal auditors must apply the care and skill expected of a reasonably prudent and
competent internal auditor. Due professional care does not imply infallibility.
IIA Standard 1220.A1 - The internal auditor must exercise due professional care by
considering the:
• Extent of work needed to achieve the engagement’s objectives;
• Relative complexity, materiality, or significance of matters to which assurance
procedures are applied;
• Adequacy and effectiveness of governance, risk management, and control processes;
• Probability of significant errors, fraud or noncompliance; and
• Cost of assurance in relation to potential benefits.
IIA Standard 2200 – Engagement Planning:
Internal auditors must develop and document a plan for each engagement, including the
engagement’s objectives, scope, timing and resource allocations.
IIA Standard 2201 - Planning Considerations:
In planning the engagement, internal auditors must consider:
• The objectives of the activity being reviewed and the means by which the activity
controls its performance;
• The significant risks to the activity, its objectives, resources, and operations and the
means by which the potential impact of risk is kept to an acceptable level;
• The adequacy and effectiveness of the activity’s risk management and control
processes compared to a relevant control framework or model; and
• The opportunities for making significant improvements to the activity’s risk
management and control processes.
IIA Standard 2210 – Engagement Objectives:
Objectives must be established for each engagement.
IIA Standard 2210.A1 – Internal auditors must conduct a preliminary assessment of the
risks relevant to the activity under review. Engagement objectives must reflect the results
of this assessment.

Ministry of Finance

IIA Standard 2210.A2 – Internal auditors must consider the probability of significant
errors, fraud, noncompliance, and other exposures when developing the engagement
objectives.
IIA Standard 2210.A3 – Adequate criteria are needed to evaluate controls. Internal
auditors must ascertain the extent to which management has established adequate criteria
to determine whether objectives and goals have been accomplished. If adequate, internal
auditors must use such criteria in their evaluation. If inadequate, internal auditors must
work with management to develop appropriate evaluation criteria.
IIA Standard 2220 – Engagement Scope:
The established scope must be sufficient to satisfy the objectives of the engagement.
IIA Standard 2220.A1 – The scope of the engagement must include consideration of
relevant systems, records, personnel, and physical properties, including those under the
control of third parties.
IIA Standard 2230 – Engagement Resource Allocation:
Internal auditors must determine appropriate and sufficient resources to achieve engagement
objectives based on an evaluation of the nature and complexity of each engagement, time
constraints, and available resources.
IIA Standard 2240 – Engagement Work Program:
Internal auditors must develop and document work programs that achieve the engagement
objectives.
IIA Standard 2240.A1 - Work programs must include the procedures for identifying,
analyzing, evaluating, and documenting information during the engagement. The work
program must be approved prior to its implementation, and any adjustments approved
promptly.
IIA Standard 2300 – Performing the Engagement:
Internal auditors must identify, analyze, evaluate, and document sufficient information to
achieve the engagement’s objectives.
IIA Standard 2310 – Identifying Information:
Internal auditors must identify sufficient, reliable, relevant, and useful information to
achieve the engagement’s objectives.

IIA Standard 2320 – Analysis and Evaluation:
Internal auditors must base conclusions and engagement results on appropriate analysis
and evaluations.
IIA Standard 2330 – Documenting Information:
Internal auditors must document relevant information to support the conclusions and
engagement results.
1. Introduction
1.1 Different internal audit organizations use a variety of methods, terminologies and steps for
planning and conducting internal audits. The methodologies and processes to be used in planning
and conducting an audit engagement by the IAS are outlined in this Chapter.
1.2 The following Practice Advisories issued by the IIA, which provide guidance on engagement
planning and fieldwork, should be reviewed together with the relevant auditing standards. The
processes outlined in this Chapter take into account the guidance contained in these Advisories.
(i) Practice Advisory 2200-1: Engagement Planning.
(ii) Practice Advisory 2200-2: Using a Top-down, Risk based Approach to Identify the
Controls to Be Assessed in an Internal Audit Engagement.
(iii) Practice Advisory 2210-1: Engagement Objectives.
(iv) Practice Advisory 2210.A1-1: Engagement Planning.
(v) Practice Advisory 2230-1: Engagement Resource Allocation.
(vi) Practice Advisory 2240-1: Engagement Work Program.
(vii) Practice Advisory 2300-1: Use of Personal Information in Conducting Engagements.
1.3 The Annual Audit Plan, when prepared and approved in accordance with the processes outlined in
Chapter III, would have identified a portfolio of potential audit engagements. The objectives and
scope of the audit engagements contained in the Annual Plan are generally based on preliminary
information obtained during the macro planning process, particularly what are considered to be
the key risks to the organization. Refer to paragraphs 1 to 3 in PA 2200-2 for further guidance.
As additional and more detailed information on the auditable area encompassed in the proposed
audit engagement is obtained through the engagement planning process, the objectives and scope
of the engagement would be continuously refined. This process is aimed at providing a more
precise focus on significant and material risks and issues relating to governance, risk management
and control processes in the auditable or subject area.

1.4 In planning and conducting the engagement, the CIA should be careful to minimize Audit
Risk, mentioned in Section 3.4 of Chapter II. Audit Risk is the possibility that audit findings,
conclusions, recommendations, or assurance may be improper or incomplete, as a result of:
(i) Evidence that is not sufficient and/or relevant.
(ii) Conclusions based on a weak internal control structure that is susceptible to
manipulation.
(iii) The chance of not detecting a material problem due to inappropriate methodology.
(iv) Reliance on information that is not properly verified.
(v) Inadequate cooperation from the auditees’ agencies.
(vi) Lack of professional competency.
(vii) Working papers
1.5 Audit risk can be reduced by clearly defining the audit objectives and the scope of work of an
audit engagement and applying proper methodology and audit steps in collecting evidence that
is necessary to support all audit findings and conclusions.
1.6 CIAs should follow the planning processes outlined below to minimize audit risks and ensure
that resources and efforts are devoted to key areas that can have a significant impact on the
performance and results of the program or activity being audited. At the end of the planning
phase, the CIA should be able to clearly state what will be audited, why it will be audited, and
how it will be audited. This will ensure that the conduct of the audit itself is properly directed to
gathering the necessary evidence to form conclusions in relation to the audit objectives.

2. Initiating the Engagement
2.1 As a first step in initiating an audit engagement, the CIA should formally notify or inform the
Auditee in writing about the proposed audit engagement. The Auditee is normally the most
senior manager directly responsible or accountable for the program, activity, organization or
initiative. This may be a head of a Department, Division, Office or an organizational unit. In
some cases, particularly in crosscutting or ‘across the board’ audits, there may be more than one
Auditee. Subject to the local arrangements, the notification could be made direct to the Auditee(s)
concerned and copies of the notification could be forwarded to the higher level Managers within
the organizational hierarchy to keep them informed of the audit activity.
2.2 The Audit Notification should normally:
(i) Inform the Auditee of the:
(a) Purpose of the engagement based on the preliminary objectives and scope together with
any specific considerations or concerns.
(b) Names of the auditors assigned to the audit.
(c) List of schedules, documents required.
(d) Time frame for the start and completion of the audit engagement.

(ii) Request the Auditee to:
(a) Appoint a primary focal or contact person to facilitate the coordination of audit work.
(b) Arrange an opening meeting to discuss the audit engagement.
2.3 In the Opening Meeting with the Auditee, the CIA should inform, discuss, clarify or seek:
(i) The known details of the program, activity or organization to be audited, e.g. mandate,
resources, structure.
(ii) The Auditee’s responsibilities in the audit process.
(iii) Information and copies of documents deemed to be important to acquiring a good
understanding of the Auditee’s activities, including any recent internal and external
developments that may have an impact on the auditable area and internal and external reports
of any review conducted in respect of the audit area or other related areas.
(iv) To identify, at least on a preliminary basis, all the relevant staff and others who will need to be
contacted and interviewed by the Auditors.
(v) Any suggestions from the Auditee with respect to the engagement particularly in relation to
the audit objectives, scope and audit approach.
(vi) Any concerns that the Auditee may have with respect to the Audit Engagement, including the
timing of specific work so as to avoid any undue disruption of the Auditee staff’s work.

3. Planning the Audit Engagement
3.1 The planning phase normally consists of three distinct, but often overlapping, activities, i.e.
gaining an understanding of the nature of the program, activity, organization or initiative being
audited, determining and assessing risks, and determining the most appropriate audit objectives,
scope and criteria to be employed as outlined below.
3.2 Understanding the Audit Area
3.2.1 The Internal Auditor needs to develop a sound understanding of the program, activity,
organization or initiative being audited, including its management practices, business
processes, policies and procedures, and external and internal environments, focusing
attention on all important aspects of risk management, control, and governance processes
for the program, activity, organization or initiative being audited. As part of this process
the Internal Auditor should:
(i) Review key documents that are necessary to gain an understanding of the audit
subject and this would normally include:

(a) Relevant laws and regulations.
(b) Policy, procedures and standards, manuals and directives.

(c) Results of previous audits or evaluations by the Internal Auditors, the
RAA and self-assessments by the Auditee.
(d) Organization charts.
(e) Listings of key personnel.
(f) Programme or organizational plans and objectives.
(g) Budget and other financial allocations and actual performance for the
last two or three years.
(h) Operational and financial data and related reports to obtain an
understanding of the nature of transactions, and the volume of
transactions.
(i) Job descriptions and delegation of authority instruments.
(j) Process and system maps or flowcharts.
(k) Management meeting reports or minutes.
(l) Risk assessments.
(m) Management studies or reports
(ii) In addition to reviewing documentation and analyzing financial and non-financial
performance information, consider and where appropriate:

(a) Visit sites and observe operations.
(b) Interview management, field staff, central agency representatives or
subject matter experts with respect to governance, risk management and
control issues as well as other operational issues relating to programme
efficiency and effectiveness.
(iii) The Internal Auditor should prepare or update the Auditable Unit Profile (Annex
III.1) that was prepared when establishing the Annual Audit Plan.
3.3 Assessing Risks
3.3.1 The risk assessment process provides a structured means of evaluating information and
applying professional judgment as to the most important areas for audit examination. It
should be noted that in most cases the Audit Engagement is being initiated only because
some key risks that were already identified in the planning process prompted its inclusion
in the Annual Plan. The Internal Auditor should review the criteria and documentation
that went into the decision to include the engagement in the Annual Plan in the first
instance. In other cases, a request from senior management may have prompted the audit.

In such cases, the reasons advanced by senior management should be used to guide the
risk assessment process. Chapter II of this Manual, which outlines risk management and
risk assessment processes, should be reviewed when carrying out the preliminary risk
assessment.
3.3.2 A detailed risk assessment is undertaken during the planning phase of the engagement
to confirm that the initial objectives, scope and lines of enquiry have indeed focused on
the most important risks associated with the program or activity being audited. As a first
step in the process, the Internal Auditor considers whether Management has conducted a risk
assessment and has established procedures to manage the risks. If so, the Internal Auditor
should review:
(i) The reliability of management’s assessment of risk.

(ii) Management’s process for monitoring, reporting, and resolving risk and control
issues.
(iii) Management’s reporting of events that exceeded the limits of the organization’s risk
appetite and management’s response to those reports.
(iv) Risks in related activities relevant to the activity under review.
3.3.3 If Management has not conducted a risk assessment on its own or has not properly
documented the process, then the Internal Auditor should conduct an in-depth assessment.
Internal Auditors should use the information obtained through the processes mentioned in
Section 3.2, and conduct a detailed assessment by using the procedures already outlined in
Section 5.7.3 in Chapter III and paying close attention to the specific operations under
review. The assessment should seek to:
(i) Identify the risks associated with the achievement of the Auditee’s objectives and
expected results, including the prevention of fraud.

(ii) Assess the relative significance of the risks and likelihood of each risk occurring and
the impact should it occur.
(iii) Determine whether management’s assertions or its plan of controls are likely to
prevent or mitigate the occurrence of the identified risks, particularly the key risks.
3.3.4 Internal Auditors should use the template in Annex IV-1 to document the engagement
risk assessment.
3.4 Assessing Internal Controls
3.4.1 Control is any action taken by Management or its staff to manage risk and enhance the likelihood
of achieving established goals and objectives. Controls minimize both the likelihood of risks
materializing and the likely impact of the risk should it materialize. They also safeguard assets
and protects reputation and human resources. Internal Auditors should review Chapter II of
this Manual, which discusses the many aspects of Internal Controls. Using the guidelines, the
Internal Auditor should gain an understanding of the Auditee’s Internal Control Framework
and general approach to controls and monitoring. Refer to PA 2200-2 paragraphs 4 and 5 on
the nature of key controls and possible approaches for testing them.

3.4.2 The Internal Auditor should first review the Annual Plan documentation to determine
if any specific control weaknesses have already been identified in respect of the audit
area. Following this and after obtaining a clear understanding of the key risks to the
achievement of organizational objectives, Auditee’s control objectives, and the Auditee’s
Internal Control Framework, the Internal Auditor should:
(i) Identify and document the related controls that Management asserts have been put in
place. The documentation could be in narrative form – i.e. a sequential description of
every step in the control process – or in the form of a Flowchart (using Visio, Excel or
Word). Many organizational units may have documented their control processes in
narrative or flowchart form. Some of these may also be contained in job descriptions.
Internal Auditors can use such documentation, but should confirm with Management
that it is current and actually reflects the process.

(ii) Where appropriate, the Internal Auditor should conduct some preliminary tests
to determine if the internal controls are working as designed. Such tests could be
in the form of “walk through” tests, which use a small sample of transactions and
test every step of the documented control process. In testing controls, the Internal
Auditor should pay particular attention to the extent to which it might be possible
to rely upon detective or monitoring controls, as these may reduce the necessity for
extensive testing of preventive controls. For example, a manager may have established
a quality review team to review a sample of files or transactions on a regular basis. If
this monitoring activity is tested and considered to be reliable and capable of
detecting material errors, then testing a small sample of original files or transactions
through the entire process should be sufficient to provide the Internal Auditor
with sufficient assurance. Refer to Chapter VI of the Manual on sampling techniques.
(iii) After documenting and, where appropriate, testing the control processes, the Internal
Auditor should evaluate the effectiveness of the control in mitigating every risk
identified in paragraph 3.3 above. The control reviews should be relevant to the audit
objective and be tailored to the specific client and the client’s objectives. For example,
if the audit is being done on the procurement function, then the Auditor’s reviews
should address risk in relation to: (a) the quality of goods; (b) timely delivery; (c)
proper quantity of goods; and (d) adherence to competitive practices, etc.
(iv) Assess the cost efficiency of the internal controls and determine if the risks warrant
such controls.
3.5 Preliminary conclusions - possible suspension of the Audit
3.5.1 After concluding the risk and internal control assessments, the CIA should undertake a
preliminary review to determine if the audit should proceed. The analysis may indicate a
satisfactory or unsatisfactory condition. The CIA may decide to close or suspend the audit
as follows:
(i) The assessments and limited tests may indicate that the Auditee has identified
risks and has established strong internal controls and they are operating effectively.
As a result, the probability of finding any significant issue that may be useful to
Management is minimal or negligible. In order to use scarce audit resources more
usefully, the CIA can suspend the audit and report to the Chief Executive and Senior
Management the audit conclusion.

(ii) There is an absence of even basic controls and the Auditee accepts the need for
immediate improvement action. Unless fraud is suspected, the CIA can recommend
that the Auditee seek assistance to establish the basic elements of a proper management
control framework. Under this circumstance, the CIA may use professional judgment
to report the situation to the Chief Executive Officer with a recommendation that
proper management controls are established within a defined period and until then
the audit be deferred or suspended.
3.5.2 In all other cases, the CIA should proceed to the next step in the planning phase.
3.6 Review and Refine Audit Objectives
3.6.1 Audit objectives are what the auditor intends to accomplish. They identify the subject matter
and the expected outcomes. Often, the objectives can also be thought of as questions the
auditor seeks to answer.
3.6.2 Objectives may be focused on key generic internal auditing outcomes, e.g. assurance with
respect to risk management, controls, governance, or may be focused on specific high-risk
issues or concerns identified during the planning phase. Objectives should therefore be
carefully considered and clearly stated in such a way that a conclusion with respect to each
is possible.
3.6.3 Once an understanding of the program or activity has been acquired and the assessment
of risks has been completed, including any limited testing of controls, the Internal Auditor
and the CIA should evaluate each preliminary Audit objective and determine if it is
adequate to cover all the significant issues that need to be addressed in the subject area.
Based on this evaluation, the Internal Auditor and the CIA should make such amendments
to the audit objectives as are necessary. Refer to IIA Practice Advisory 2210-1: Engagement
Objectives.
3.6.4 In some cases, the audit objective may seek to answer multiple questions or address multiple
issues within one area. The Internal Auditor and the CIA should use their professional
judgment to determine if it would be better to classify each of the questions or
issues as separate audit objectives. Alternatively, the audit objective could be retained
as one, but supported by two or more sub-objectives. The accomplishment of the
sub-objectives would be seen as accomplishing the main objective as a whole. As stated above,
care should be taken in defining the objectives so that a clear conclusion can be made in
respect of each.
3.7 Review and Refine Scope of Audit
3.7.1 Scope is the:

(i) Areas, processes, activities, or systems that will be the subject of the audit and to
which the audit objective and the conclusions will apply. This could cover one or
more organizational units and geographical locations. However, care must be taken
to clearly define this.

(ii) Time period covered by the audit, for example, the period or fiscal year during which
files or transactions to be examined were originally prepared.

3.7.2 Scope constitutes the universe or population with respect to the particular audit. Reviews,
tests, and analysis will be confined to those elements that form part of the population.
In some cases the boundaries may be unclear. For instance in an audit of “payment of
all invoices and claims by the Treasury”, the audit is not focusing on the events that gave
rise to the invoice in the first place – such as whether a procurement invoice relates to a
properly procured service or goods. In such instances, the scope must be clearly defined
and also clearly exclude those systems that may be associated but are not the subject of
audit.
3.7.3 At this point, it is essential that the Internal Auditor carefully consider whether
the Scope established in the first instance is reasonable to accomplish the audit objective.
The scope limits the applicability of the audit objectives. For instance, if testing and review
are confined to only one month, the findings, though they can sometimes be extrapolated using
meaningful analysis, can in general only be confined to that month. Sometimes, during
the preliminary review phase, Internal Auditors may have reason to believe that certain
abnormalities may extend further over a period of time or to other organizational and
geographical areas. Such instances should be carefully considered and the Scope should
be refined, as is necessary, taking into account its likely impact on the audit objective and
the subsequent findings.
3.8 Define and Establish Audit Criteria
3.8.1 Every audit objective, either explicitly or implicitly, implies that the Auditee is expected to
have attained a certain level of performance. Audit Criteria are desired standards of performance
for the programme or operation, against which the Internal Auditor measures or evaluates the
activity or performance of the Auditee. Criteria may take many forms, and may be determined
by, but are not limited to, the following:
(i) Acts of Parliament, Rules and Regulations.

(ii) Policies and targets defined in programme documents submitted to the Parliament,
Cabinet and central agencies.
(iii) Best practices within RGoB or standards established by national and international
institutions.
(iv) Technically developed standards or norms.
(v) Contract or grant terms.
(vi) Standards that the Auditees themselves would have established to evaluate their
performance.
(vii) In some instances, criteria can be common sense. For instance an audit seeking to
determine if there is an effective control over physical properties, would establish,
among others, the criteria that an independent party regularly checks the existence
of the properties.

3.8.2 It is therefore necessary for the Internal Auditor to establish Criteria against which each
objective or sub-objective will be measured. Audit criteria should be reasonable and
attainable standards of performance and controls that can be used to assess and measure
compliance, the adequacy of systems and practices, and the economy, efficiency and cost
effectiveness of operations. Audit criteria provide a basis for developing audit observations
and formulating conclusions.
3.8.3 Criteria suitable for audit purposes must be appropriate to the nature of the audit and must
be relevant and reliable. The CIA must review and discuss the proposed audit criteria
with the Auditee, particularly when there are no generally accepted criteria, to obtain an
acknowledgement that the criteria are suitable for the audit. If agreement on the audit
criteria cannot be reached, this should be reflected in the planning documentation, with
an explanation as to why the auditor believes the criteria remain appropriate.
3.9 Establish Audit Methodologies and Audit Programmes.
3.9.1 Once the audit objectives, scope and criteria have been clearly established, the audit
manager needs to design a methodology or an approach to carrying out the audit that will
provide the most meaningful result in the most cost-effective manner. The efficiency and
effectiveness of an audit depend largely on how well the audit program has been designed
and executed. Therefore, the audit methodology should be properly designed to obtain
sufficient and appropriate audit evidence so that conclusions can be drawn in respect of
each of the audit objectives.
3.9.2 The key component of an effective audit program is the tests and procedures to be followed
in gathering and analyzing audit evidence. The tests and procedures should be structured
and described so that it is clear to which audit objective and to which audit criterion each
procedure is directly linked. The nature of evidence and the methods for collecting the
evidence are outlined in Chapter IV. The CIA and Internal Auditors should review the
guidelines when designing the Audit Programme.
3.9.3 In developing the audit programme Internal Auditors should bear in mind that substantial
evidence will be required to reach a finding or conclusion with a high degree of confidence
in respect of the following important elements related to the Audit Objective and Criteria:
(i) Condition - The condition is a factual statement that describes the state of the
audited area based on evidence collected from the audit. The Internal Auditor will
compare the condition (what was found) with the audit criteria (what is expected
or the desired state) to arrive at conclusions. It answers each audit objective either
positively or negatively. The condition describes what the Auditee did or is doing
– i.e. the actual state of affairs. In determining the ‘condition’, the Auditor should
collect background information about the Auditee’s systems and procedures and a
description of how the systems and procedures are put into practice.

(ii) Cause – if the condition is different from the criteria (desired or expected state),
sufficient evidence will be required to determine the cause of the deviation of the existing
state from the criteria. In order to make effective audit recommendations to correct a
defective condition, the Internal Auditor needs to be able to identify and understand
the root causes for the condition, although there may be more than one cause.

Therefore, the underlying or root cause of the condition could most likely be
due to weaknesses associated with policies, procedures and practices established by
management, non-compliance with ‘hard controls’ such as laws and regulations, or with
‘soft controls’ such as poorly trained, unqualified or inexperienced staff. Remedying
the cause should prevent recurrence of the condition. Cause identification could
include the following:

(a) Specific actions or inactions by officials. – e.g. risks were not properly
identified.
(b) Failure to establish effective “hard and soft” controls.
(c) Lack of clear directions or instructions, misunderstanding or no
understanding, incompetence and a variety of other reasons.
(d) Management override of controls and collusion by staff.
(iii) Effect – of the risk or exposure and the consequent actual and likely impact of the
deficiency on the organization. Where possible, Internal Auditors should:
(a) Express the impact in quantitative terms.
(b) State the impact of the deficiency or adverse condition on the relevant programme or
activity in terms of achieving its objectives.
(c) Comment on whether the impact on the program or function is ongoing or represents
a one-time occurrence.
3.9.4 Taking the above into account, the Internal Auditor and CIA should design and establish
a detailed Audit Programme (a plan of action) consisting of audit tests and procedures
in respect of each audit objective – basically to collect sufficient and appropriate evidence
with respect to the Condition, the Cause and the Effect outlined in paragraph 3.9.2
above. The design of the Audit Programme should reflect the exercise of due care and
compliance with professional standards and policies.
3.9.5 The Audit Programme should specify:
(i) What is to be done – i.e. the specific areas that are to be reviewed.

(ii) How is it to be done – for example, by selecting and testing a random or representative
sample of transactions for specific attributes, interviewing specific staff, soliciting
information through questionnaire, substantive tests etc.
(iii) Why is it being done – i.e. the work should be related to the objective and criteria.
(iv) When is it to be done.
(v) Who in the audit team will perform each of the programmed tasks.

3.9.6 The Audit Programme should be flexible enough to allow the use of initiative and sound
judgment in deviating from prescribed procedures or extending the audit work where warranted.
3.9.7 The CIA should use the checklist provided in Annex IV-2 to review the relevance and
adequacy of an Audit Programme.
3.10 Planning Stage Documents
3.10.1 The CIA and the Internal Auditor should ensure that the documents, data, reports, etc.
collected throughout each stage of the planning phase are properly marked and referenced
as part of the Working Papers to support the various decisions made during the planning
process. This should particularly include:
(i) Significant audit issues and the reasons for pursuing them further (e.g. the results of
the risk and internal assessment).
(ii) Audit objectives.
(iii) Audit scope, i.e. the areas, activities, systems, or processes to be examined, together
with the rationale for not pursuing any related ones.
(iv) Audit criteria against which assessments will be made.
(v) Approach or methodology that will be used for the engagement.
(vi) The projected timeline for the audit and resource requirements.

4. Conducting the Audit Engagement (Fieldwork)
4.1 The purpose of conducting the audit engagement is to gather sufficient, appropriate audit
evidence to reach a conclusion on each of the objectives identified in the planning phase. The
Internal Auditor should execute all the tasks on the basis of Audit Programmes prepared at the
end of the Planning Phase of the Audit Engagement.
4.2 Entry Meeting
4.2.1 Prior to commencing the fieldwork, the CIA should convene a meeting with the Auditee
and other senior staff to discuss the next stage of the audit. The agenda for the meeting
should include the following:
(i) Introductions – identifying members of the audit team and their areas of
responsibility as well as key Auditee staff and their areas of responsibility.
(ii) The audit objectives and scope - including any limitations or exclusions.
(iii) The audit criteria – to be used in evaluating the audit objective – normally related to
the achievement of the organizational and operational objectives.
(iv) The audit process - the approach or methodology adopted for the audit, the schedule
(audit timing), and the locations where the audit will take place.
(v) Expectations – that the Internal Auditor has for Auditee cooperation and involvement
and the Auditee has in terms of professional conduct and respect of the Auditee’s
environment.
(vi) Debriefing process - on the audit findings and the reporting process.
4.2.2 After the entrance meeting, audit team members will normally meet individually with the
supervisors responsible for the activity, organization or program for which they have been
assigned responsibility. This meeting can be used to gain an understanding of how the
supervisor’s responsibilities are carried out, to obtain access to required documentation,
and to meet other staff.
4.3 Monitoring quality of execution and progress of work
4.3.1 As the execution of the work programme proceeds, it may become necessary to make
certain revisions. Internal Auditors should be sensitive as to the purpose of the work
programme and what it expects to achieve. When in doubt, this should be reviewed as
early as possible in the audit process in order to minimize wasted effort.
4.3.2 Likewise, the scope of the audit may also occasionally be required to be amended in order
to capture useful additional evidence. In addition, the extent of testing (for example instead
of testing a sample of 50, it may be necessary to sample 100) may also be required to be
extended. This may particularly be necessary when a fraud or other serious deficiencies,
such as misinterpretation of a rule, is suspected and it may become necessary to fully
quantify the effect of that deficiency.
4.3.3 When there is adequate evidence to substantiate that a fraud has indeed taken place, the
Internal Auditor should consult with the CIA on the steps to be taken – this should include
the necessity to protect the evidence and inform appropriate levels of senior management.
4.3.4 Internal Auditors should take care to ensure that changes to the audit programme do not
impact the audit objective, the audit criteria or time schedules. Internal Auditors should
consult with and obtain the approval of the CIA for any changes in the work programme.
4.3.5 Internal Auditors should ensure that evidence is properly recorded in appropriate
worksheets, supported with copies of documents when deemed necessary. Further
guidance on preparation of Working Papers is provided in Chapter IV.
4.3.6 As the work progresses, the Internal Auditor should complete in respect of each Audit
Objective or Sub-objective the Audit Observation Worksheet provided in Annex IV-3.
While doing so, the Internal Auditors should continuously evaluate the evidence being
collected to make a conclusion on the ‘condition’. And if the ‘condition’ is considered to
be defective, they should consider whether the evidence would be sufficient to determine
the cause and the effect. If additional testing and evidence is considered to be necessary
to minimize audit risk, then the CIA should be consulted as per paragraphs 4.3.3 and 4.3.4
above and action taken accordingly.
4.4 Developing Recommendations
4.4.1 Recommendations describe the course of action management should follow to rectify
deficiencies by addressing underlying causes. These may include weaknesses in systems
and/or controls. After identifying a defective condition and the underlying causes,
Internal Auditors should formulate recommendation(s) for corrective actions.
Recommendations should not be developed in a vacuum but should be discussed with the
client, considered in the light of best practice, and take into account costs and other factors
in the client’s working environment.
4.4.2. Recommendations should be action-oriented, convincing, well supported, and effective.
When appropriately implemented, they should get the desired beneficial results.
Recommendations should be:
(i) Properly directed – to those who have responsibility and authority to act on them. It
must be clear who should be responsible for any corrective action.
(ii) Brief - without indicating specifically all the actions that are necessary for corrective
action. For instance, the Auditor should not have to tell the client how to develop a
system, but they should be specific about the system that needs improvement and the
objectives that should be achieved by the change.
(iii) Convincing – and well supported by facts and should flow logically from the findings.
(iv) Effective - so as to provide reasonable assurance that the proposed recommendation
will correct an identified problem or remove a root cause and will result in significant
improvements within the foreseeable future.
(v) Cost Effective – so that it will be readily embraced by Management. Recommendations
should be made only after the costs of acting on them have been considered.
Offsetting costs should be considered. Favorable consideration of a recommendation
is more likely if the report makes it apparent that the recommendation was made
with knowledge of offsetting costs. Recommendations that the client must comply
with rules and regulations should propose the least costly basis for effective
compliance. In other instances, a Regulation or Rule may no longer be relevant or the
cost of implementing may far outweigh the likely benefit. In such cases, the Internal
Auditor should recommend that the regulation or rule be amended or removed, as
appropriate. In making such a recommendation, due diligence should be exercised
carefully taking into account all possibilities.
4.5 Liaison with the Auditee and other senior staff during fieldwork
4.5.1 Throughout the audit, the Chief Internal Audit should have discussions with the Auditee
and the senior staff of the Auditee to review and discuss observations and findings and
potential recommendations. This helps ensure that all pertinent information has been
considered in developing conclusions and provides an opportunity for the audit team and
the Auditee to work to develop effective solutions to identified deficiencies. This process
is likely to result in more prompt corrective actions. At the end of the audit, this informal
communication process is formalized through closing or exit meetings and written reports.
4.6 Completion of fieldwork and exit meeting with Auditee
4.6.1 Upon completion of the fieldwork, the CIA and the Internal Auditors should consider if
all the necessary evidence to support findings has been properly analyzed, evaluated and
recorded in the Audit Observation Worksheet (Annex IV-3). The Checklist in Annex IV-4
will facilitate such a review.

4.6.2 At this stage, the CIA should convene a formal exit meeting with the Auditee and other
senior managers as necessary and appropriate to discuss all significant audit findings and
conclusions before the Audit Report is drafted. This formal debriefing helps ensure that:
(i) There are no “surprises” with respect to reporting results.
(ii) There have been no misunderstandings or misinterpretations.
(iii) The Internal Auditor has considered all relevant evidence and becomes aware of any
corrective action that has already been initiated by the Auditee.
(iv) The likelihood of the Auditee embracing the audit findings and the proposed
recommendations is increased.
4.6.3 The debriefing meeting may also be used to discuss points that are of interest but are
not significant enough for inclusion in the written audit report. These findings of lesser
significance may be addressed in a management letter to the Auditee.
4.6.4 Chapter V provides guidelines on reporting the results of the audit.

ANNEX IV - 1

TEMPLATE FOR DOCUMENTING ENGAGEMENT RISK ASSESSMENT

1. Audit entity objectives: The key objectives of the audit entity, including those that may not be specifically stated but address the entity’s obligations to account for results achieved and for the efficient
and effective use of resources.

2. Key risks: The events or circumstances that could significantly prevent the audit entity from achieving its organizational and operational objectives.

3. Effect: Each risk is evaluated as to whether the effect on achievement of objectives would be low,
medium, or high should it occur.

4. Likelihood: Each risk is evaluated as to whether the likelihood that it will occur is low, medium, or
high.

5. Risk exposure: The audit will normally focus on the risks with a combined effect and likelihood
assessment in the medium or high exposure range.

6. Summary of key control considerations: From the engagement planning, the known control
processes associated with the risks with a medium or high exposure are documented. A preliminary
assessment should be made as to whether or not the control appears to adequately mitigate the risk.
This assessment will guide the extent of testing to be undertaken. (A reference to the documentation
supporting the identification and assessment may be included.)

7. Inclusion in audit: An indication as to whether or not the risk should (and can) be addressed in the
objectives and scope of the audit.

8. Engagement objectives and scope: Considering the audit entity objectives, the identified medium
to high risks, and the availability of resources, whether the preliminary audit objectives and scope
should be amended.

ANNEX IV - 2

CHECKLIST FOR REVIEWING AN AUDIT PROGRAMME

Considerations

1. Is it clear which audit objective and which related criteria each section of the audit program is
intended to address?

2. Does the audit program cover all the audit objectives and all the criteria related to each audit
objective?

3. Is the nature of evidence to be sought clear and appropriate for the expected audit accomplishments,
e.g. to provide an assurance opinion or conclusion?

4. Is the evidence to be sought available?

5. Have the methods to be used to gather, analyze, and evaluate the evidence been clearly identified
and are they appropriate, e.g. cost-effective, relevant, to generate sufficient reliable evidence?

6. Can the methods be completed in the allocated time frames, and is there sufficient flexibility built in
to allow for unexpected opportunities or issues?

7. Do the Internal Auditors have the capability to gather, analyze, and evaluate the evidence sought?

8. Can the evidence to be gathered support coming to conclusions on other criteria, either related to
the same objective or to another objective?

9. Can the evidence to be gathered be sufficient to form a conclusion or an opinion on the condition
(positive or negative) of the activities, operations, programmes and processes that are the subject of
the audit?

10. If the condition is found to be deficient, would it be possible to identify the root causes of the
condition?

11. Would it be possible to determine the effect or impact of a defective condition on the subject area or
the organization?

ANNEX IV - 3

AUDIT OBSERVATION WORKSHEET
Working Paper Reference:
Audit objective:
Activity or function examined (scope):
Audit criterion:
Audit Tests/Procedures applied:
Audit observation:
Supporting evidence:
Cause:
Effect:
Potential recommendations:
Management comments:
Prepared by:          Approved by:
Date:          Date:

ANNEX IV - 4

CHECKLIST FOR REVIEWING AUDIT OBSERVATIONS AND SUPPORTING EVIDENCE

A. Key Considerations: Audit Observation Worksheets

1. Is the observation clear, i.e. does it provide sufficient information in a logical order to
encourage positive management reaction?

2. Does the observation clearly address a criterion (and its related objective) of the engagement?

3. Is the cause of the problem or situation clearly defined?

4. Is the impact or significance (effect) of the situation clear, and does it justify remedial action?

5. If the recommendation were implemented, would the situation causing the observation be
resolved?

6. Is the recommendation within the Auditee’s capacity or capability to implement?

7. Can the recommendation be implemented cost-effectively?

8. Is the individual (or position) to whom the recommendation is addressed clear, and does the
individual have the necessary authority to implement it?

B. Key Considerations: Evidence

1. Is the evidence supportive of the observation, and is it sufficient to lead to an opinion or
conclusion on assurance?

2. Are observation sheets cross-referenced appropriately to the supporting evidence, e.g. cause-effect analysis, impact analysis?

3. Does the cross-referenced documentation demonstrate that the internal auditor has identified,
analyzed, and evaluated sufficient information to achieve the engagement objectives, e.g.
every program step has been completed or reasons for omission are clearly documented and
appropriately approved?
