5. Chapter 4 PLANNING AND CONDUCTING INTERNAL AUDIT ENGAGEMENTS (FIELDWORK)

Page Count: 20

Internal Audit Manual
66
Ministry of Finance
66
CHAPTER IV
PLANNING AND CONDUCTING INTERNAL AUDIT ENGAGEMENTS
FIELDWORK
IIA Standard 1200 - Proficiency and Due Professional Care:
Engagements must be performed with proficiency and due professional care.
IIA Standard 1220 - Due Professional Care:
Internal auditors must apply the care and skill expected of a reasonably prudent and
competent internal auditor. Due professional care does not imply infallibility.
IIA Standard 1220.A1 - The internal auditor must exercise due professional care by
considering the:
• Extent of work needed to achieve the engagement’s objectives;
• Relative complexity, materiality, or significance of matters to which assurance
procedures are applied;
• Adequacy and effectiveness of governance, risk management, and control processes;
• Probability of significant errors, fraud or noncompliance; and
• Cost of assurance in relation to potential benefits.
IIA Standard 2200 – Engagement Planning:
Internal auditors must develop and document a plan for each engagement, including the
engagement’s objectives, scope, timing and resource allocations.
IIA Standard 2201 - Planning Considerations:
In planning the engagement, internal auditors must consider:
• The objectives of the activity being reviewed and the means by which the activity
controls its performance;
• The significant risks to the activity, its objectives, resources, and operations and the
means by which the potential impact of risk is kept to an acceptable level;
• The adequacy and effectiveness of the activity’s risk management and control
processes compared to a relevant control framework or model; and
• The opportunities for making significant improvements to the activity’s risk
management and control processes.
IIA Standard 2210 – Engagement Objectives:
Objectives must be established for each engagement.
IIA Standard 2210.A1 – Internal auditors must conduct a preliminary assessment of the
risks relevant to the activity under review. Engagement objectives must reflect the results
of this assessment.
IIA Standard 2210.A2 – Internal auditors must consider the probability of significant
errors, fraud, noncompliance, and other exposures when developing the engagement
objectives.
IIA Standard 2210.A3 – Adequate criteria are needed to evaluate controls. Internal
auditors must ascertain the extent to which management has established adequate criteria
to determine whether objectives and goals have been accomplished. If adequate, internal
auditors must use such criteria in their evaluation. If inadequate, internal auditors must
work with management to develop appropriate evaluation criteria.
IIA Standard 2220 – Engagement Scope:
The established scope must be sufficient to satisfy the objectives of the engagement.
IIA Standard 2220.A1 – The scope of the engagement must include consideration of
relevant systems, records, personnel, and physical properties, including those under the
control of third parties.
IIA Standard 2230 – Engagement Resource Allocation:
Internal auditors must determine appropriate and sufficient resources to achieve engagement
objectives based on an evaluation of the nature and complexity of each engagement, time
constraints, and available resources.
IIA Standard 2240 – Engagement Work Program:
Internal auditors must develop and document work programs that achieve the engagement
objectives.
IIA Standard 2240.A1 - Work programs must include the procedures for identifying,
analyzing, evaluating, and documenting information during the engagement. The work
program must be approved prior to its implementation, and any adjustments approved
promptly.
IIA Standard 2300 – Performing the Engagement:
Internal auditors must identify, analyze, evaluate, and document sufficient information to
achieve the engagement’s objectives.
2310 – Identifying Information
Internal auditors must identify sufficient, reliable, relevant, and useful information to
achieve the engagement’s objectives.
1. Introduction
1.1 Different internal audit organizations use a variety of methods, terminologies and steps for
planning and conducting internal audits. The methodologies and processes to be used in planning
and conducting an audit engagement by the IAS are outlined in this Chapter.
1.2 The following Practice Advisories issued by the IIA, which provide guidance on engagement
planning and fieldwork, should be reviewed together with the relevant auditing standards. The
processes outlined in this Chapter take into account the guidance contained in these Advisories.
(i) Practice Advisory 2200-1: Engagement Planning.
(ii) Practice Advisory 2200-2: Using a Top-down, Risk based Approach to Identify the
Controls to Be Assessed in an Internal Audit Engagement.
(iii) Practice Advisory 2210-1: Engagement Objectives.
(iv) Practice Advisory 2210.A1-1: Engagement Planning.
(v) Practice Advisory 2230-1: Engagement Resource Allocation.
(vi) Practice Advisory 2240-1: Engagement Work Program.
(vii) Practice Advisory 2300-1: Use of Personal Information in Conducting Engagements.
1.3 The Annual Audit Plan, when prepared and approved in accordance with the processes outlined in
Chapter III, would have identified a portfolio of potential audit engagements. The objectives and
scope of the audit engagements contained in the Annual Plan are generally based on preliminary
information obtained during the macro planning process, particularly what are considered to be
the key risks to the organization. Refer to paragraphs 1 to 3 in PA 2200-2 for further guidance.
As additional and more detailed information on the auditable area encompassed in the proposed
audit engagement is obtained through the engagement planning process, the objectives and scope
of the engagement would be continuously refined. This process is aimed at providing a more
precise focus on significant and material risks and issues relating to governance, risk management
and control processes in the auditable or subject area.
IIA Standard 2320 – Analysis and Evaluation:
Internal auditors must base conclusions and engagement results on appropriate analysis
and evaluations.
IIA Standard 2330 – Documenting Information:
Internal auditors must document relevant information to support the conclusions and
engagement results.
1.4 In planning and conducting the engagement, the CIA should be careful to minimize Audit
Risk, mentioned in Section 3.4 of Chapter II. Audit Risk is the possibility that audit findings,
conclusions, recommendations, or assurance may be improper or incomplete, as a result of:
(i) Evidence that is not sufficient and/or relevant.
(ii) Conclusions based on a weak internal control structure that is susceptible to
manipulation.
(iii) The chance of not detecting a material problem due to inappropriate methodology.
(iv) Reliance on information that is not properly verified.
(v) Inadequate cooperation from the auditees’ agencies.
(vi) Lack of professional competency.
(vii) Working papers
1.5 Audit risk can be reduced by clearly defining the audit objectives and the scope of work of an
audit engagement and applying proper methodology and audit steps in collecting evidence that
is necessary to support all audit findings and conclusions.
1.6 CIAs should follow the planning processes outlined below to minimize audit risks and ensure
that resources and efforts are devoted to key areas that can have a significant impact on the
performance and results of the program or activity being audited. At the end of the planning
phase, the CIA should be able to clearly state what will be audited, why it will be audited, and
how it will be audited. This will ensure that the conduct of the audit itself is properly directed to
gathering the necessary evidence to form conclusions in relation to the audit objectives.
2. Initiating the Engagement
2.1 As a first step in initiating an audit engagement, the CIA should formally notify or inform the
Auditee in writing about the proposed audit engagement. The Auditee is normally the most
senior manager directly responsible or accountable for the program, activity, organization or
initiative. This may be a head of a Department, Division, Office or an organizational unit. In
some cases, particularly in crosscutting or ‘across the board’ audits, there may be more than one
Auditee. Subject to the local arrangements, the notification could be made direct to the Auditee(s)
concerned and copies of the notification could be forwarded to the higher level Managers within
the organizational hierarchy to keep them informed of the audit activity.
2.2 The Audit Notification should normally:
(i) Inform the Auditee of the:
(a) Purpose of the engagement based on the preliminary objectives and scope together with
any specific considerations or concerns.
(b) Names of the auditors assigned to the audit.
(c) List of schedules and documents required.
(d) Time frame for the start and completion of the audit engagement.
(ii) Request the Auditee to:
(a) Appoint a primary focal or contact person to facilitate the coordination of audit work.
(b) Arrange an opening meeting to discuss the audit engagement.
2.3 In the Opening Meeting with the Auditee, the CIA should inform, discuss, clarify or seek:
(i) The known details of the program, activity or organization to be audited, e.g. mandate,
resources, structure.
(ii) The Auditee’s responsibilities in the audit process.
(iii) Information and copies of documents deemed to be important to acquiring a good
understanding of the Auditee’s activities, including any recent internal and external
developments that may have an impact on the auditable area and internal and external reports
of any review conducted in respect of the audit area or other related areas.
(iv) To identify, at least on a preliminary basis, all the relevant staff and others who will need to be
contacted and interviewed by the Auditors.
(v) Any suggestions from the Auditee with respect to the engagement particularly in relation to
the audit objectives, scope and audit approach.
(vi) Any concerns that the Auditee may have with respect to the Audit Engagement, including the
timing of specific work so as to avoid any undue disruption of the Auditee staff’s work.
3. Planning the Audit Engagement
3.1 The planning phase normally consists of three distinct, but often overlapping, activities, i.e.
gaining an understanding of the nature of the program, activity, organization or initiative being
audited, determining and assessing risks, and determining the most appropriate audit objectives,
scope and criteria to be employed as outlined below.
3.2 Understanding the Audit Area
3.2.1 The Internal Auditor needs to develop a sound understanding of the program, activity,
organization or initiative being audited, including its management practices, business
processes, policies and procedures, and external and internal environments, focusing
attention on all important aspects of risk management, control, and governance processes
for the program, activity, organization or initiative being audited. As part of this process
the Internal Auditor should:
(i) Review key documents that are necessary to gain an understanding of the audit
subject and this would normally include:
(a) Relevant laws and regulations.
(b) Policy, procedures and standards, manuals and directives.
(c) Results of previous audits or evaluations by the Internal Auditors, the
RAA and self-assessments by the Auditee.
(d) Organization charts.
(e) Listings of key personnel.
(f) Programme or organizational plans and objectives.
(g) Budget and other financial allocations and actual performance for the
last two or three years.
(h) Operational and financial data and related reports to obtain an
understanding of the nature of transactions, and the volume of
transactions.
(i) Job descriptions and delegation of authority instruments.
(j) Process and system maps or flowcharts.
(k) Management meeting reports or minutes.
(l) Risk assessments.
(m) Management studies or reports.
(ii) In addition to reviewing documentation and analyzing financial and non-financial
performance information, consider and where appropriate:
(a) Visit sites and observe operations.
(b) Interview management, field staff, central agency representatives or
subject matter experts with respect to governance, risk management and
control issues as well as other operational issues relating to programme
efficiency and effectiveness.
(iii) The Internal Auditor should prepare or update the Auditable Unit Profile (Annex
III.1) that was prepared when establishing the Annual Audit Plan.
3.3 Assessing Risks
3.3.1 The risk assessment process provides a structured means of evaluating information and
applying professional judgment as to the most important areas for audit examination. It
should be noted that in most cases the Audit Engagement is being initiated only because
some key risks that were already identified in the planning process prompted its inclusion
in the Annual Plan. The Internal Auditor should review the criteria and documentation
that went into the decision to include the engagement in the Annual Plan in the first
instance. In other cases, a request from senior management may have prompted the audit.
In such cases, the reasons advanced by senior management should be used to guide the
risk assessment process. Chapter II of this Manual, which outlines risk management and
risk assessment processes, should be reviewed when carrying out the preliminary risk
assessment.
3.3.2 A detailed risk assessment is undertaken during the planning phase of the engagement
to confirm that the initial objectives, scope and lines of enquiry have indeed focused on
the most important risks associated with the program or activity being audited. As a first
step in the process, the Internal Auditor considers if Management has conducted a risk
assessment and has established procedures to manage the risks. If so, the Internal Auditor
should review:
(i) The reliability of management’s assessment of risk.
(ii) Management’s process for monitoring, reporting, and resolving risk and control
issues.
(iii) Management’s reporting of events that exceeded the limits of the organization’s risk
appetite and management’s response to those reports.
(iv) Risks in related activities relevant to the activity under review.
3.3.3 If Management has not conducted a risk assessment on its own or has not properly
documented the process, then the Internal Auditor should conduct an in-depth assessment.
Internal Auditors should use the information obtained through the processes mentioned in
Section 3.2, and conduct a detailed assessment by using the procedures already outlined in
Section 5.7.3 in Chapter III and focusing close attention on the specific operations under
review. The assessment should seek to:
(i) Identify the risks associated with the achievement of the Auditee’s objectives and
expected results, including the prevention of fraud.
(ii) Assess the relative significance of the risks and likelihood of each risk occurring and
the impact should it occur.
(iii) Determine whether management’s assertions or its plan of controls are likely to
prevent or mitigate the occurrence of the identified risks, particularly the key risks.
3.3.4 Internal Auditors should use the template in Annex IV-1 to document the engagement
risk assessment.
3.4 Assessing Internal Controls
3.4.1 Control is any action taken by Management or its staff to manage risk and enhance the likelihood
of achieving established goals and objectives. Controls minimize both the likelihood of risks
materializing and the likely impact of the risk should it materialize. They also safeguard assets
and protect reputation and human resources. Internal Auditors should review Chapter II of
this Manual, which discusses the many aspects of Internal Controls. Using the guidelines, the
Internal Auditor should gain an understanding of the Auditee’s Internal Control Framework
and general approach to controls and monitoring. Refer to PA 2200-2 paragraphs 4 and 5 on
the nature of key controls and possible approaches for testing them.
3.4.2 The Internal Auditor should first review the Annual Plan documentation to determine
if any specific control weaknesses have already been identified in respect of the audit
area. Following this and after obtaining a clear understanding of the key risks to the
achievement of organizational objectives, the Auditee’s control objectives, and the Auditee’s
Internal Control Framework, the Internal Auditor should:
(i) Identify and document the related controls that Management asserts have been put in
place. The documentation could be in narrative form – i.e. a sequential description of
every step in the control process – or in the form of a Flowchart (using Visio, Excel or
Word). Many organizational units may have documented their control processes in
narrative or flowchart form. Some of these may also be contained in job descriptions.
Internal Auditors can use such documentation, but should confirm with Management
that it is current and actually reflects the process.
(ii) Where appropriate, the Internal Auditor should conduct some preliminary tests
to determine if the internal controls are working as designed. Such tests could be
in the form of “walk through” tests, which use a small sample of transactions and
test every step of the documented control process. In testing controls, the Internal
Auditor should pay particular attention to the extent to which it might be possible
to rely upon detective or monitoring controls, as these may reduce the necessity for
extensive testing of preventive controls. For example, a manager may have established
a quality review team to review a sample of files or transactions on a regular basis. If
this monitoring activity is tested and considered to be reliable and capable of
detecting material errors, then testing a small sample of original files or transactions
through the entire process should be sufficient to provide the Internal Auditor
sufficient assurance. Refer to Chapter VI of the Manual on sampling techniques.
(iii) After documenting and, where appropriate, testing the control processes, the Internal
Auditor should evaluate the effectiveness of the control in mitigating every risk
identified in paragraph 3.3 above. The control reviews should be relevant to the audit
objective and be tailored to the specific client and the client’s objectives. For example,
if the audit is being done on the procurement function, then the Auditor’s reviews
should address risk in relation to: (a) the quality of goods; (b) timely delivery; (c)
proper quantity of goods; and (d) adherence to competitive practices, etc.
(iv) Assess the cost efficiency of the internal controls and determine if the risks warrant
such controls.
3.5 Preliminary conclusions - possible suspension of the Audit
3.5.1 After concluding the risk and internal control assessments, the CIA should undertake a
preliminary review to determine if the audit should proceed. The analysis may indicate a
satisfactory or unsatisfactory condition. The CIA may decide to close or suspend the audit
as follows:
(i) The assessments and limited tests may indicate that the Auditee has identified
risks and has established strong internal controls and they are operating effectively.
As a result, the probability of finding any significant issue that may be useful to
Management is minimal or negligible. In order to use scarce audit resources more
usefully, the CIA can suspend the audit and report to the Chief Executive and Senior
Management the audit conclusion.
(ii) There is an absence of even basic controls and the Auditee accepts the need for
immediate improvement action. Unless fraud is suspected, the CIA can recommend
that the Auditee seek assistance to establish the basic elements of a proper management
control framework. Under this circumstance, the CIA may use professional judgment
to report the situation to the Chief Executive Officer with a recommendation that
proper management controls are established within a defined period and until then
the audit be deferred or suspended.
3.5.2 In all other cases, the CIA should proceed to the next step in the planning phase.
3.6 Review and Refine Audit Objectives
3.6.1 Audit objectives are what the auditor intends to accomplish. They identify the subject matter
and the expected outcomes. Often, the objectives can also be thought of as questions the
auditor seeks to answer.
3.6.2 Objectives may be focused on key generic internal auditing outcomes, e.g. assurance with
respect to risk management, controls, governance, or may be focused on specific high-risk
issues or concerns identified during the planning phase. Objectives should therefore be
carefully considered and clearly stated in such a way that a conclusion with respect to each
is possible.
3.6.3 Once an understanding of the program or activity has been acquired and the assessment
of risks has been completed, including any limited testing of controls, the Internal Auditor
and the CIA should evaluate each preliminary Audit objective and determine if it is
adequate to cover all the significant issues that need to be addressed in the subject area.
Based on this evaluation, the Internal Auditor and the CIA should make such amendments
to the audit objectives as are necessary. Refer to IIA Practice Advisory 2210-1: Engagement
Objectives.
3.6.4 In some cases, the audit objective may seek to answer multiple questions or address multiple
issues within one area. The Internal Auditor and the CIA should use their professional
judgment to determine if it would be more optimal to classify each of the questions or
issues as separate audit objectives. Alternatively, the audit objective could be retained
as one, but supported by two or more sub-objectives. The accomplishment of the
sub-objectives would be seen as accomplishing the main objective as a whole. As stated above,
care should be taken in defining the objectives so that a clear conclusion can be made in
respect of each.
3.7 Review and Refine Scope of Audit
3.7.1 Scope is the:
(i) Areas, processes, activities, or systems that will be the subject of the audit and to
which the audit objective and the conclusions will apply. This could cover one or
more organizational units and geographical locations. However, care must be taken
to clearly define this.
(ii) Time period covered by the audit, for example, the period or fiscal year during which
files or transactions to be examined were originally prepared.
3.7.2 Scope constitutes the universe or population with respect to the particular audit. Reviews,
tests, and analysis will be confined to those elements that form part of the population.
In some cases the boundaries may be unclear. For instance, in an audit of “payment of
all invoices and claims by the Treasury”, the audit is not focusing on the events that gave
rise to the invoice in the first place – such as whether a procurement invoice relates to a
properly procured service or goods. In such instances, the scope must be clearly defined
and also clearly exclude those systems that may be associated but are not the subject of
audit.
3.7.3 At this point, it is essential that the Internal Auditor carefully consider whether
the Scope established in the first instance is reasonable to accomplish the audit objective.
The scope limits the applicability of the audit objectives. For instance, if testing and review
is confined to only one month, the findings, though they can sometimes be extrapolated using
meaningful analysis, can in general only be confined to that month. Sometimes, during
the preliminary review phase, Internal Auditors may have reason to believe that certain
abnormalities may extend further over a period of time or to other organizational and
geographical areas. Such instances should be carefully considered and the Scope should
be refined, as is necessary, taking into account its likely impact on the audit objective and
the subsequent findings.
3.8 Define and Establish Audit Criteria
3.8.1 Every audit objective either explicitly or implicitly implies that an Auditee has attained a
certain level of performance. Audit Criteria are desired standards of performance for the
programme or operation, against which the Internal Auditor measures or evaluates the
activity or performance of the Auditee. Criteria may be in many forms, and determined
by, but not limited to the following:
(i) Acts of Parliament, Rules and Regulations.
(ii) Policies and targets defined in programme documents submitted to the Parliament,
Cabinet and central agencies.
(iii) Best practices within RGoB or standards established by national and international
institutions.
(iv) Technically developed standards or norms.
(v) Contract or grant terms.
(vi) Standards that the Auditees themselves would have established to evaluate their
performance.
(vii) In some instances, criteria can be common sense. For instance, an audit seeking to
determine if there is an effective control over physical properties would establish,
among others, the criteria that an independent party regularly checks the existence
of the properties.
3.8.2 It is therefore necessary for the Internal Auditor to establish Criteria against which each
objective or sub-objective will be measured. Audit criteria should be reasonable and
attainable standards of performance and controls that can be used to assess and measure
compliance, the adequacy of systems and practices, and the economy, efficiency and cost
effectiveness of operations. Audit criteria provide a basis for developing audit observations
and formulating conclusions.
3.8.3 Criteria suitable for audit purposes must be appropriate to the nature of the audit and must
be relevant and reliable. The CIA must review and discuss the proposed audit criteria
with the Auditee, particularly when there are no generally accepted criteria, to obtain an
acknowledgement that the criteria are suitable for the audit. If agreement on the audit
criteria cannot be reached, this should be reflected in the planning documentation, with
an explanation as to why the auditor believes the criteria remain appropriate.
3.9 Establish Audit Methodologies and Audit Programmes
3.9.1 Once the audit objectives, scope and criteria have been clearly established, the audit
manager needs to design a methodology or an approach to carrying out the audit that will
provide the most meaningful result in the most cost-effective manner. The efficiency and
effectiveness of an audit depend largely on how well the audit program has been designed
and executed. Therefore, the audit methodology should be properly designed to obtain
sufficient and appropriate audit evidence so that conclusions can be drawn in respect of
each of the audit objectives.
3.9.2 The key component of an effective audit program is the tests and procedures to be followed
in gathering and analyzing audit evidence. The tests and procedures should be structured
and described so that it is clear to which audit objective and to which audit criterion each
procedure is directly linked. The nature of evidence and the methods for collecting the
evidence are outlined in Chapter IV. The CIA and Internal Auditors should review the
guidelines when designing the Audit Programme.
3.9.3 In developing the audit programme, Internal Auditors should bear in mind that substantial
evidence will be required to reach a finding or conclusion with a high degree of confidence
in respect of the following important elements related to the Audit Objective and Criteria:
(i) Condition - The condition is a factual statement that describes the state of the
audited area based on evidence collected from the audit. The Internal Auditor will
compare the condition (what was found) with the audit criteria (what is expected
or the desired state) to arrive at conclusions. It answers each audit objective either
positively or negatively. The condition describes what the Auditee did or is doing
– i.e. the actual state of affairs. In determining the ‘condition’, the Auditor should
collect background information about the Auditee’s systems and procedures and a
description of how the systems and procedures are put into practice.
(ii) Cause – if the condition is different from the criteria (desired or expected state),
sufficient evidence will be required to determine the cause of the deviation of the existing
state from the criteria. In order to make effective audit recommendations to correct a
defective condition, the Internal Auditor needs to be able to identify and understand
the root causes for the condition, although there may be more than one cause.
Therefore, the underlying or root cause of the condition could most likely be
due to weaknesses associated with policies, procedures and practices established by
management, non-compliance with ‘hard controls’ such as laws and regulations, or with
‘soft controls’ such as poorly trained, unqualified or inexperienced staff. Remedying
the cause should prevent recurrence of the condition. Cause identification could
include the following:
(a) Specific actions or inactions by officials, e.g. risks were not properly
identified.
(b) Failure to establish effective “hard and soft” controls.
(c) Lack of clear directions or instructions, misunderstanding or no
understanding, incompetence and a variety of other reasons.
(d) Management override of controls and collusion by staff.
(iii) Effect – of the risk or exposure and the consequent actual and likely impact of the
deficiency on the organization. Where possible, Internal Auditors should:
(a) Express the impact in quantitative terms.
(b) State the impact of the deficiency or adverse condition on the relevant programme or
activity in terms of achieving its objectives.
(c) Comment on whether the impact on the program or function is ongoing or represents
a one-time occurrence.
3.9.4 Taking the above into account, the Internal Auditor and CIA should design and establish
a detailed Audit Programme (a plan of action) consisting of audit tests and procedures
in respect of each audit objective – basically to collect sufficient and appropriate evidence
with respect to the Condition, the Cause and the Effect outlined in paragraph 3.9.2
above. The design of the Audit Programme should reflect the exercise of due care and
compliance with professional standards and policies.
3.9.5 The Audit Programme should specify:
(i) What is to be done – i.e. the specific areas that are to be reviewed.
(ii) How is it to be done – for example, by selecting and testing a random or representative
sample of transactions for specific attributes, interviewing specific staff, soliciting
information through a questionnaire, substantive tests etc.
(iii) Why is it being done – i.e. the work should be related to the objective and criteria.
(iv) When is it to be done.
(v) Who in the audit team will perform each of the programmed tasks.
3.9.6 e Audit Programme should be exible for the use of initiative and sound judgment in
deviating from prescribed procedures or extending the audit work where warranted.
3.9.7 e CIA should use the checklist provided in Annex IV-2 to review the relevance and
adequacy of an Audit Programme.
3.10 Planning Stage Documents
3.10.1 The CIA and the Internal Auditor should ensure that the documents, data, reports etc.
collected throughout each stage of the planning phase are properly marked and referenced
as part of the Working Papers to support the various decisions made during the planning
process. This should particularly include:
(i) Significant audit issues and the reasons for pursuing them further (e.g. the results of
the risk and internal assessment).
(ii) Audit objectives.
(iii) Audit scope, i.e. the areas, activities, systems, or processes to be examined, together
with the rationale for not pursuing any related ones.
(iv) Audit criteria against which assessments will be made.
(v) Approach or methodology that will be used for the engagement.
(vi) The projected timeline for the audit and resource requirements.
4. Conducting the Audit Engagement (Fieldwork)
4.1 The purpose of conducting the audit engagement is to gather sufficient, appropriate audit
evidence to reach a conclusion on each of the objectives identified in the planning phase. The
Internal Auditor should execute all the tasks on the basis of Audit Programmes prepared at the
end of the Planning Phase of the Audit Engagement.
4.2 Entry Meeting
4.2.1 Prior to commencing the fieldwork, the CIA should convene a meeting with the Auditee
and other senior staff to discuss the next stage of the audit. The agenda for the meeting
should include the following:
(i) Introductions – identifying members of the audit team and their areas of
responsibility as well as key Auditee staff and their areas of responsibility.
(ii) The audit objectives and scope – including any limitations or exclusions.
(iii) The audit criteria – to be used in evaluating the audit objective – normally related to
the achievement of the organizational and operational objectives.
(iv) The audit process – the approach or methodology adopted for the audit, the schedule
(audit timing), and the locations where the audit will take place.
(v) Expectations – that the Internal Auditor has for Auditee cooperation and involvement
and the Auditee has in terms of professional conduct and respect of the Auditee’s
environment.
(vi) Debriefing process – on the audit findings and the reporting process.
4.2.2 After the entrance meeting, audit team members will normally meet individually with the
supervisors responsible for the activity, organization or program for which they have been
assigned responsibility. This meeting can be used to gain an understanding of how the
supervisor’s responsibilities are carried out, to obtain access to required documentation,
and to meet other staff.
4.3 Monitoring quality of execution and progress of work
4.3.1 As the execution of the work programme proceeds, it may become necessary to make
certain revisions. Internal Auditors should be sensitive as to the purpose of the work
programme and what it expects to achieve. When in doubt, this should be reviewed as
early as possible in the audit process in order to minimize wasted effort.
4.3.2 Likewise, the scope of the audit may also occasionally be required to be amended in order
to capture useful additional evidence. In addition, the extent of testing (for example instead
of testing a sample of 50, it may be necessary to sample 100) may also be required to be
extended. is may particularly be necessary when a fraud or other serious deciencies,
such as misinterpretation of a rule, is suspected and it may become necessary to fully
quantify the eect of that deciency.
4.3.3 When there is adequate evidence to substantiate that a fraud has indeed taken place, the
Internal Auditor should consult with the CIA on the steps to be taken – this should include
the necessity to protect the evidence and inform appropriate levels of senior management.
4.3.4 Internal Auditors should take care to ensure that changes to the audit programme do not
impact the audit objective, the audit criteria or time schedules. Internal Auditors should
consult with and obtain the approval of the CIA for any changes in the work programme.
4.3.5 Internal Auditors should ensure that evidence is properly recorded in appropriate
worksheets, supported with copies of documents when deemed necessary. Further
guidance on preparation of Working Papers is provided in Chapter IV.
4.3.6 As the work progresses, the Internal Auditor should complete in respect of each Audit
Objective or Sub-objective the Audit Observation Worksheet provided in Annex IV-3.
While doing so, the Internal Auditors should continuously evaluate the evidence being
collected to make a conclusion on the ‘condition’. And if the ‘condition’ is considered to
be defective, they should consider whether the evidence would be sufficient to determine
the cause and the effect. If additional testing and evidence is considered to be necessary
to minimize audit risk, then the CIA should be consulted as per paragraphs 4.3.3 and 4.3.4
above and action taken accordingly.
4.4 Developing Recommendations
4.4.1 Recommendations describe the course of action management should follow to rectify
deciencies by addressing underlying causes. ese may include weaknesses in systems
and/or controls. Aer identifying a defective condition and the underlying causes,
Internal Auditors should formulate recommendation(s) for corrective actions.
Recommendations should not be developed in a vacuum but should be discussed with the
client, considered in the light of best practice, and take into account costs and other factors
in the client’s working environment.
4.4.2 Recommendations should be action-oriented, convincing, well supported, and effective.
When appropriately implemented, they should get the desired beneficial results.
Recommendations should be:
(i) Properly directed – to those who have responsibility and authority to act on them. It
must be clear who should be responsible for any corrective action.
(ii) Brief – without indicating specifically all the actions that are necessary for corrective
action. For instance, the Auditor should not have to tell the client how to develop a
system, but they should be specific about the system that needs improvement and the
objectives that should be achieved by the change.
(iii) Convincing – and well supported by facts and should flow logically from the findings.
(iv) Effective – so as to provide reasonable assurance that the proposed recommendation
will correct an identified problem or remove a root cause and will result in significant
improvements within the foreseeable future.
(v) Cost Eective – so that it will be readily embraced by Management. Recommendations
should be made only aer the costs of acting on them have been considered.
Osetting costs should be considered. Favorable consideration of a recommendation
is more likely if the report makes it apparent that the recommendation was made
with knowledge of osetting costs. Recommendations that the client must comply
with rules and regulations should propose the least costly basis for eective
compliance. In other instances, a Regulation or Rule may no longer be relevant or the
cost of implementing may far outweigh the likely benet. In such cases, the Internal
Auditor should recommend that the regulation or rule be amended or removed, as
appropriate. In making such a recommendation, due diligence should be exercised
carefully taking into account all possibilities.
4.5 Liaison with the Auditee and other senior staff during fieldwork
4.5.1 Throughout the audit, the Chief Internal Auditor should have discussions with the Auditee
and the senior staff of the Auditee to review and discuss observations and findings and
potential recommendations. This helps ensure that all pertinent information has been
considered in developing conclusions and provides an opportunity for the audit team and
the Auditee to work to develop effective solutions to identified deficiencies. This process
is likely to result in more prompt corrective actions. At the end of the audit, this informal
communication process is formalized through closing or exit meetings and written reports.
4.6 Completion of fieldwork and exit meeting with Auditee
4.6.1 Upon completion of the fieldwork, the CIA and the Internal Auditors should consider if
all the necessary evidence to support findings has been properly analyzed, evaluated and
recorded in the Audit Observation Worksheet (Annex IV-3). The Checklist in Annex IV-4
will facilitate such a review.
4.6.2 At this stage, the CIA should convene a formal exit meeting with the Auditee and other
senior managers as necessary and appropriate to discuss all significant audit findings and
conclusions before the Audit Report is drafted. This formal debriefing helps ensure that:
(i) There are no “surprises” with respect to reporting results.
(ii) There have been no misunderstandings or misinterpretations.
(iii) The Internal Auditor has considered all relevant evidence and becomes aware of any
corrective action that has already been initiated by the Auditee.
(iv) The likelihood of the Auditee embracing the audit findings and the proposed
recommendations is increased.
4.6.3 The debriefing meeting may also be used to discuss points that are of interest but are
not significant enough for inclusion in the written audit report. These findings of lesser
significance may be addressed in a management letter to the Auditee.
4.6.4 Chapter V provides guidelines on reporting the results of the audit.
ANNEX IV-1
TEMPLATE FOR DOCUMENTING ENGAGEMENT RISK ASSESSMENT
1. Audit entity objectives: The key objectives of the audit entity, including those that may not be
specifically stated but address the entity’s obligations to account for results achieved and for the efficient
and effective use of resources.
2. Key risks: The events or circumstances that could significantly prevent the audit entity from
achieving its organizational and operational objectives.
3. Effect: Each risk is evaluated as to whether the effect on achievement of objectives would be low,
medium, or high should it occur.
4. Likelihood: Each risk is evaluated as to whether the likelihood that it will occur is low, medium, or
high.
5. Risk exposure: The audit will normally focus on the risks with a combined effect and likelihood
assessment in the medium or high exposure range.
6. Summary of key control considerations: From the engagement planning, the known control
processes associated with the risks with a medium or high exposure are documented. A preliminary
assessment should be made as to whether or not the control appears to adequately mitigate the risk.
This assessment will guide the extent of testing to be undertaken. (A reference to the documentation
supporting the identification and assessment may be included.)
7. Inclusion in audit: An indication as to whether or not the risk should (and can) be addressed in the
objectives and scope of the audit.
8. Engagement objectives and scope: Considering the audit entity objectives, the identified medium
to high risks, and the availability of resources, whether the preliminary audit objectives and scope
should be amended.
ANNEX IV-2
CHECKLIST FOR REVIEWING AN AUDIT PROGRAMME
Considerations
1. Is it clear which audit objective and which related criteria each section of the audit program is
intended to address?
2. Does the audit program cover all the audit objectives and all the criteria related to each audit
objective?
3. Is the nature of evidence to be sought clear and appropriate for the expected audit accomplishments,
e.g. to provide an assurance opinion or conclusion?
4. Is the evidence to be sought available?
5. Have the methods to be used to gather, analyze, and evaluate the evidence been clearly identified
and are they appropriate, e.g. cost-effective, relevant, to generate sufficient reliable evidence?
6. Can the methods be completed in the allocated time frames, and is there sufficient flexibility built in
to allow for unexpected opportunities or issues?
7. Do the Internal Auditors have the capability to gather, analyze, and evaluate the evidence sought?
8. Can the evidence to be gathered support coming to conclusions on other criteria, either related to
the same objective or to another objective?
9. Can the evidence to be gathered be sufficient to form a conclusion or an opinion on the condition
(positive or negative) of the activities, operations and programmes, processes that are the subject of
audit?
10. If the condition is found to be deficient, would it be possible to identify the root causes of the
condition?
11. Would it be possible to determine the effect or impact of a defective condition on the subject area or
the organization?
ANNEX IV-3
AUDIT OBSERVATION WORKSHEET
Working Paper Reference
Audit objective:
Activity or function examined (scope):
Audit criterion:
Audit Tests/ Procedures applied
Audit observation:
Supporting evidence:
Cause:
Eect:
Potential recommendations:
Management comments:
Prepared by: Approved by:
Date: Date
ANNEX IV-4
CHECKLIST FOR REVIEWING AUDIT OBSERVATIONS AND SUPPORTING EVIDENCE
A. Key Considerations: Audit Observation Worksheets
1. Is the observation clear, i.e. does it provide sufficient information in a logical order to
encourage positive management reaction?
2. Does the observation clearly address a criterion (and its related objective) of the engagement?
3. Is the cause of the problem or situation clearly defined?
4. Is the impact or significance (effect) of the situation clear, and does it justify remedial action?
5. If the recommendation were implemented, would the situation causing the observation be
resolved?
6. Is the recommendation within the Auditee’s capacity or capability to implement?
7. Can the recommendation be implemented cost-effectively?
8. Is the individual (or position) to whom the recommendation is addressed clear, and does the
individual have the necessary authority to implement it?
B. Key Considerations: Evidence
1. Is the evidence supportive of the observation, and is it sufficient to lead to an opinion or
conclusion on assurance?
2. Are observation sheets cross-referenced appropriately to the supporting evidence, e.g.
cause-effect analysis, impact analysis?
3. Does the cross-referenced documentation demonstrate that the internal auditor has identified,
analyzed, and evaluated sufficient information to achieve the engagement objectives, e.g.
every program step has been completed or reasons for omission are clearly documented and
appropriately approved?
