Internal Audit
Internal Audit Methodology and Manual

OFFICE OF THE MUNICIPAL MANAGER: INTERNAL AUDIT
INTERNAL AUDIT METHODOLOGY AND MANUAL
FEBRUARY 2014

Internal Audit Framework

INDEX
1. Introduction
2. Project Management
3. Phase 1 – The Preliminary Survey and Project Planning
4. Phase 2 – Document the systems, identify risk and specific audit objectives and scope
5. Phase 3 – Assessment of Adequacy of Controls (Adequacy Phase)
6. Phase 4 – Audit programme development and selection of samples
7. Phase 5 – Audit Execution and the assessment of effectiveness of Internal Controls
8. Phase 6 – Reporting
9. Phase 7 – Follow-up
10. Ad-hoc assignments
11. Inter-relationships with other components
12. Quality Assurance
13. Glossary

1. Introduction

Objective of this guide

The objective of this guide is to establish a standard methodology for conducting internal audit reviews as required by the Municipal Finance Management Act (MFMA) [in terms of section 165 of the MFMA], and to comply with the Standards for the Professional Practice of Internal Auditing (SPPIA) of the Institute of Internal Auditors of South Africa (IIASA). This methodology is applicable to all audit reviews except those conducted by the Specialist audit functions. The guideline is modelled on the SPPIA. (Attribute Standards 1100, 1200)

In line with the definition of internal auditing set by the Institute of Internal Auditors, the internal audit function of the Ugu District Municipality is an independent, objective assurance and consulting activity designed to add value and improve operations. It helps the municipality accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and the governance process.
The objective of the internal audit function is to be a strategic partner and work co-operatively with Management and staff to improve the economy, efficiency, effectiveness, and accountability for the municipality’s and operations.

The scope of work of the internal audit function is to determine whether the systems of financial and risk management, internal control and governance processes, as designed and represented by management, are adequate and functioning in the following manner:
- risks are appropriately identified and managed;
- municipal operations are carried out in an efficient and effective manner, and objectives are achieved;
- adequate financial and operating information is provided to Management and staff for decision making and accountability;
- legislative, regulatory or contractual requirements are recognized and met; and
- resources are adequately protected, used economically and effectively applied against stated priorities.

The internal audit function does not relieve Management of its primary responsibility for establishing and supporting an adequate control environment within their areas of responsibility. It is Management's responsibility to plan, organize and direct the performance of sufficient controls to provide reasonable assurance that municipality goals and objectives will be accomplished in the most effective, efficient and economical manner.

Purpose, Authority and Responsibility: (Attribute Standard 1000)

The purpose, authority and responsibility to undertake an internal audit is derived from section 165 of the Municipal Finance Management Act (MFMA), Act No 56 of 2003. Furthermore, the authority, purpose and responsibility of the internal audit function is formally defined in the Internal Audit Charter as approved by the Audit Committee.
Responsibility for the activities and operations of the internal audit function within the Municipality has been delegated to the Manager: Internal Audit, whose specific responsibilities include:
- developing a flexible annual audit schedule and long-term audit plan using an appropriate risk-based methodology, in consultation with Management and for approval by the Audit Committee;
- implementing approved annual audit schedule(s), including as appropriate any special tasks or projects requested by Management and approved by the Audit Committee;
- maintaining a professional audit staff with sufficient knowledge, skills and experience to meet requirements; and
- issuing periodic (quarterly) reports to the Audit Committee and Management summarizing the results of audit activities and the benefits derived; and

(Attribute Standard 1100)

The Municipality will be subject to an independent, comprehensive, systematic internal audit function that evaluates the performance of all operations, based on a risk assessment, including the overall system of internal control and governance processes.

The Internal Audit function, including internal audit staff, must be given direct and unrestricted access to all records, reports, files, contracts, vouchers, other documents, people or premises as they consider necessary for the proper conduct of their audits.

The Manager: Internal Audit is accountable to the Audit Committee and/or the Accounting Officer of the Municipality. He/She reports functionally to the Audit Committee and administratively to the Accounting Officer.

The Manager: Internal Audit must report to the Audit Committee on the status of the annual operation plan. The report, where appropriate, will provide corrective measures that have already been taken or actions that are envisaged to implement functional matters.
The Internal Audit function will comply with the International Standards for Professional Practice of Internal Auditing as set by the Institute of Internal Auditors.

Audit Committee: (Attribute Standard 1110) (Performance Standards 2010, 2100)

An Audit Committee, appointed by the Accounting Officer in consultation with the Executive Authority, is responsible for overseeing the performance of the internal audit function and ensuring the effective provision of internal audit services. In accordance with the provisions of the MFMA, the Audit Committee should meet at least four times a year and comprise at least three persons, of which:
- one must be from outside the public service;
- the majority may not be persons employed by the municipality; and
- the chairperson may not be in the employ of the municipality.

Audit Approach (Performance Standard 2010) (Practice Advisory 2010-1)

Understanding stakeholder expectations:

Risk management and stakeholder expectations are the two primary drivers affecting the focus and direction of an internal audit function. As the specifics of the drivers vary between individual department units, a fundamental underlying philosophy of the IAS approach is the recognition that unique internal audit solutions are required in each departmental unit situation. In other words, a "one size fits all" approach is not appropriate.

The first step in an IAS approach is to obtain an understanding of both management’s and other stakeholders’ expectations, including applicable departments. This may be accomplished by discussions with executive management, and operational and functional management, to the extent considered necessary. The objective is to fully understand the significant drivers of the internal audit function.
Initial efforts involve gaining an understanding of executive management and audit committee expectations of internal audit; ultimately, these can significantly impact the strategic direction, planning and "customer" focused processes of the internal audit function. Other stakeholders whose views may be solicited include line management, regulators, and external auditors.

Risk-based approach:

To maximize audit coverage with limited internal audit resources, the Manager: Internal Audit follows a risk-based audit approach. The objective of risk-based internal auditing is to provide independent assurance to the Accounting Officer, Management and the Audit Committee that the risks as identified by Management are managed appropriately and the Municipality will at the end achieve its strategic objectives.

As part of a risk-based approach the first step is to conduct a risk assessment that is based on a holistic model covering the full spectrum, from strategic to compliance risk, in order to identify opportunities to enhance stakeholder value by examining the relationships between the drivers of stakeholder value and management of risk in the context of both the overall department strategy and the financial management process.

Therefore, the application of this approach is based on the understanding of the municipality’s objectives, focuses on those specific risks that may hinder the achievement of the objectives and developing an audit plan that responds to these and to the municipality’s circumstances. It is tailored according to circumstances based on the internal auditor’s professional judgment, which may vary from time to time in order to avoid a pure mechanistic execution of the audit approach.

Under the municipality’s strategically focussed IAS approach, the impact of key objectives and risks is mapped to the Department’s section units.
Determining how to structure the audit universe is a key activity to ensuring that risks are evaluated effectively during the detailed auditing process. The results of the risk assessment, data analysis, analytical review techniques, branch evaluations, discussions with Management and our knowledge of the department will be used to identify specific risks and areas of audit focus.

By continuously evaluating risk during the audit/review, we may determine at any phase of the audit that no further work is needed to conclude on the financial and risk management, control and governance processes of the area under review. Upon validating this conclusion with the respective General Manager, the audit may be ended and an audit report issued.

While internal audit’s main contribution is to provide assurance on management’s treatment of risk (through governance and control processes), it may also advise management on other aspects of their response to risk such as decisions to terminate, transfer or tolerate risks.

The outcome of this approach will enable us, as internal audit, to focus on performing value-added cost effective audits, aligning with municipality’s expectations / deliverables, strategic objectives and the risk profile of the Municipality.

Phases of an Internal Audit Review

SPPIA 2200 to 2500 relates to the Performance of Audit work and states that the audit work should include:
- Strategic Planning (SPPIA 2000);
- Detailed Planning of the audit (SPPIA 2200);
- Examining and evaluating information (SPPIA 2300);
- Communicating results (SPPIA 2400); and
- Following up (SPPIA 2500).

Internal Audit reviews occur as a result of the municipality’s wide risk analysis and internal audit’s long-term plan. Internal Audit reviews consist of the following phases:
1. Project planning (refer to paragraph 2.2.1)
2. The preliminary survey (refer to paragraphs 2.2.1 and 3.1-3.5)
3. Identify risks and specific audit objectives and scope (refer to paragraph 2.2.2 and 4.1-4.3)
4. Assessment for adequacy of controls (refer to paragraph 2.2.2 and 5.1-5.3)
5. Audit programme development and selection of samples (refer to paragraph 2.2.2 and 6.1-6.3)
6. Audit execution and the assessment for effectiveness of internal controls (refer to paragraph 2.2.2, 2.2.3 and 7.1-7.27)
7. Reporting (refer to paragraph 2.2.3 and 8.1-8.5)
8. Follow-up (refer to paragraph 9.1-9.2.4)

After the completion of every review the municipality wide risk data base and internal audit’s long-term plan must be updated.

3. Quality Assurance (Refer to paragraph 12)

The Internal auditor must use this Methodology for quality assurance purpose. The Manager: Internal audit and Officer: Internal Audit should undertake regular reviews of adherence to this methodology.

4. Final Sign-off

The Internal auditor is responsible for the quality and integrity of all final audit reports and must therefore sign off the audit file and submit the final audit report to the Officer: Internal Audit for signature. Before signing off the file, the internal auditor must ensure that the audit evidence obtained supports the scope, objectives and findings of the review. This is done by appropriate review throughout the audit project life cycle.

5. Nature and scope of Work

SPPIA 2100 states that internal audit must evaluate and contribute to the improvement of governance, risk management and control processes using a systematic and disciplined approach.
The purpose of evaluating the adequacy of the municipality's existing risk management, control and governance processes is to provide reasonable assurance that these processes are functioning as intended and will enable the municipality’s objectives and goals to be met, and to provide recommendations for improving the municipality's operations in terms of both efficient and effective performance.

Primary Objectives of Internal Control

SPPIA 2130.A1 states that the Internal Audit Activity must evaluate the adequacy and effectiveness of control regarding the:
1. Reliability and integrity of financial and operational information;
2. Effectiveness and efficiency of operations;
3. Safeguarding of assets;
4. Compliance with laws, regulations and contracts.

The objectives (CARES) are dealt with in greater detail in the paragraphs that follow.

a. Compliance with policies, plans, procedures, laws, regulations, contracts, etc.
   Management is responsible for creating systems to ensure compliance with these requirements.
   a) Internal auditors determine whether systems are adequate and effective, and
   b) Whether the activities are complying with the appropriate requirements.

b. Accomplishment of established objectives and goals for operations and programs.
   1. Management is responsible for
      a) Establishing operating and program objectives and goals
      b) Developing and implementing control procedures, and
      c) Accomplishing desired operating and program results.
   2. Internal auditors should ascertain whether such objectives and goals conform with organisational goals and objectives
   3. Internal auditors can assist managers in developing and evaluating goals, objectives, and systems by determining whether
      i. The underlying assumptions are appropriate; and
      ii. Accurate, current and relevant information is being used.

c. Reliability and integrity of information
   Information systems provide data for decision-making, control, and compliance with external requirements. Thus:
   a) Financial and operating records must contain accurate, reliable, timely, complete, and useful information.
   b) Controls over record keeping and reporting must be adequate and effective.

d. Economical and efficient use of resources.
   1. Management is responsible for setting operating standards to measure economical and efficient use of resources. Internal auditors are responsible for determining that –
      a) These standards have been established;
      b) The standards are understood and being met;
      c) Deviations are being identified, analysed, and communicated for corrective action; and
      d) Corrective action has been taken.
   2. Reviews should identify:
      a) Underused facilities;
      b) Non-productive work;
      c) Uneconomical procedures; and
      d) Overstaffing or understaffing

e. Safeguarding of assets
   1. Internal auditors should review the means used to safeguard assets from various losses such as fire, theft, improper or illegal activities, and exposure to elements; and
   2. Verify the existence of such assets by using appropriate audit procedures.

Internal Audit should therefore examine and evaluate control systems that provide reasonable assurance that these objectives will be achieved.

2. Project management (SPPIA 1310, SPPIA 2340)

2.1 Purpose of Project Management

SPPIA 1310 states that the quality assurance and improvement program must include both internal and external assessments. SPPIA 2340 states that Engagements must be properly supervised to ensure objectives are achieved, quality is assured and staff is developed.

The purpose of project management is to ensure that the standards of the institute and the Municipality are adhered to and that the audit is conducted in the most effective, efficient and economic way possible.
All reviews should be managed as projects in order to ensure that the project performance objectives are achieved at the required standards of performance. Project management will achieve this by managing project risk effectively. In the broadest sense, project management is a control because it provides managers and Municipalities with assurance that a project will achieve its objectives.

The objectives of project management are to –
- Ensure that the project is completed within the required deadline.
- Improve relationships wherever possible by regular and timely communications.
- Ensure that the auditors receive adequate supervision during the project.
- Ensure that a quality service is provided by proper and timeous reviews.
- Value added auditing is performed
- Setting performance standards for the required level of achievement of the project objectives (i.e. the required performance) as measured by the project measures.
- Evaluating performance and taking any necessary corrective action to improve performance.
- Improving performance by lifting performance standards for the objectives.
- Ensure that the risks to the Internal Audit Section are adequately managed.
- Establishing clearly defined project objectives that reflect the client’s needs for output and clear statements of what is to be achieved regarding the project.
- Identifying and assessing the likelihood of risks occurring and their impact should they occur.

2.2 Steps to be followed during the project

2.2.1 Initial engagement (Responsible: Officer: Internal Audit and Internal Auditors)

Objective

The auditors will be required to set up the initial engagement and arrange for the audit to begin.

Required

The auditors are required to complete a number of tasks prior to the commencement of the audit itself.
These tasks include the following:

a) Identifying the audit that is to be conducted:
The audit that is identified could come direct from the audit work plan, or it may be a special request from the client (Ad hoc assignment).

b) Notifying the Manager: Internal Audit of the audit that has been selected and is due to proceed.
An e-mail should be sent to the Manager: Internal Audit notifying him/her of the commencement of the audit. This should also allow the Manager: Internal Audit to pass on any specific information he/she may have to the Officer: Internal Audit regarding the process that is to be audited.

c) Drafting a letter (Audit Planning Memorandum) to the Municipality/head of the department and Accounting Officer to inform them of the upcoming audit and obtain a contact person to liaise with.
An audit planning memorandum, which is a standard letter, should be customised to the circumstances, requesting details of the contact person with whom the auditors are to liaise regarding the audit.
Note: In an ad-hoc assignment, this information may already be available, in which case there is no need to send this letter.

d) Obtain a basic background to the process and the Municipality/component
A brief conversation with the Municipality/component may reveal many changes that have occurred over the past year or since the last audit. By briefly talking to the Municipality/component over the phone you may get vital information such as how many areas will need to be audited, how big the process is, etc.

e) Identify the audit team
The requirements for the audit team need to be decided. Names at this stage are not necessary; however, numbers and the level of staff are, as well as any specifics that you may need, such as someone who has ACL (a sampling computer package) knowledge.
f) Draft the Scope of the Project
Here the auditor should set out a brief outline of the scope of the audit that is being planned. Included in this should be any specific areas of the process which will not be audited and the number of areas or processes that will be audited.
Included in the scope should be the process/es that you will audit, specific activities that you will focus on, sites that you will visit to perform the audit, the period that you will be auditing, etc. The scope will further be defined during the audit as more information becomes available.

g) Setting up a time / cost budget for the audit (Working paper reference)
This is very important. When setting out the time budget, it is important to clearly indicate what each member of the audit team will be required to complete and by when they are required to complete this. The success of the audit will depend largely on the realistic time budgets set for each member of the team. This will also assist the individual team members to plan their schedules and monitor themselves. This can also be used as a tool in measuring the performance of the individuals on the team.
Realistic budgets will also assist the Manager: Internal Audit and the Officer: Internal Audit to closely monitor the progress of the audit and take corrective action timeously. The Officer: Internal Audit must sign off the time budget / cost budget prior to the commencement of the audit. The time budget should be reviewed and updated after initial meetings with management.

h) Discuss with Computer Audit whether they have recently performed an audit on the process and analyse their findings
If any part of the process is computerised, the Computer Auditors may have already done a general controls and applications control review on that part of the system.
By discussing this with them and reviewing the report you should be more aware of the process at the client and weaknesses identified. This will assist in the debriefing of the team and management of the exposure of audit risk to the Internal Audit Unit.

i) Prepare lists of information that will be required during the audit
A list of all information that will be required during the audit should be prepared and customised specific to the process and Municipality/component that you will be auditing. This will assist you when holding discussions with Municipality/component to determine if any information is confidential and requires special permission to access.

j) Identify the facilities for the audit team
A list should be drawn up of the facilities that the audit team requires such as electric plug points for computers, seating arrangements, etc. The use of telephones must also be clarified. It may be appropriate to discuss this during the initial meeting that will be held with them.

k) Send client information on: "How to prepare for the audit"
Prepare a document of how the Municipality/component can best prepare for the upcoming audit. This will assist in the smooth running of the audit and set the client’s mind at ease. It may be appropriate to discuss this with the Municipality/component during the initial meeting that will be held with them.

l) Set up and attend a preliminary meeting with the client to discuss the project and specific concerns that the client may have.
It may be appropriate, depending on the size and complexity of the audit, to schedule two separate meetings.
One meeting would be held with the management of the process and should be used to discuss the following:
   i. Specific concerns the Municipality/component may have regarding the process that you will be auditing. (This could mean that more audit time is required to address a specific concern).
   ii. Gathering more information on the Municipality/component to fill in any planning gaps you may have.
   iii. Set up communication protocol and steering committees to guide the audit process.
   iv. Clear any questions or concerns the Municipality/component may have.
   v. Exchange information such as documents that may be required during the audit, how to prepare for the audit, etc.
   vi. Introduce the Municipality/component to the various phases of the audit and what will be required from them during the audit.
The second meeting would be held with all Municipality's/component's staff / strategic staff to discuss the following:
   i. Introduce the auditors to the staff
   ii. Set out the framework for the audit and explain the timing of events.
   iii. Clear any questions that may arise from the staff.
As can be seen there is a lot of information and relationship building that takes place at this time. It is important that these meetings are conducted proficiently and the maximum benefit be achieved. (First impressions last).
The following should be considered:
   i. Timeous notification of the meeting. The Municipality may require two weeks advance notice.
   ii. Proper agendas and preparation packs should be prepared and submitted timeously
This is an ideal time for the auditors to clarify any last queries that they may have before starting the audit, and will also assist the Municipality's/component's staff to be more at ease during the audit.

m) Prepare the Audit Planning Memorandum (APM) letter for the Municipality/component
Draft an APM to the Municipality/component and ensure that this is delivered timeously. The letter will help to formalise the audit and assist us in getting the required support. It is customary that the municipality/component signs this letter as an acceptance of having us perform the audit and returns a signed copy to the Manager: Internal Audit.

n) Hold a briefing meeting with the auditors prior to commencement of the audit.
This is very important. The opportunity should be used here to tell the audit team the following:
   i. The objectives of the audit
   ii. The broad scope of the audit
   iii. Specific risks to the audit
   iv. Special arrangement with the client regarding the audit

2.2.2 Monitoring of the project (Responsible: Managers: Internal Audit, Officer: Internal Audit and Internal Auditors)

Objective

The auditors will manage the audit assignment throughout the period of the audit to comply with the standards and ensure that deadlines are met in the most efficient and effective way. The auditors should ensure that a value added service is being supplied to the client.

Required

The auditors will be required to complete the following tasks in managing the audit during the execution phase:

a) Supervision
It is very important that the auditors assigned to a project receive adequate supervision and guidance. This will assist the individual auditors to develop within themselves and the audit to be completed in the most effective and efficient way.
When assigning any task, be sure that the individual is clear on what you require from them. Check on the individual during the performance of the task to make sure that they are completing the task correctly the first time. This will also allow the individual to ask questions that they may not otherwise feel confident enough to do. It is always best to complete a task correctly the first time rather than continually have to send information back and forth.

b) Extent of work to be performed
The extent of audit work to be performed will differ from project to project. It will depend largely on the objectives of the audit, time and resources available to perform the audit. As most audits are conducted to establish the effectiveness of the system of internal control, our priority is to determine what is happening currently.
There may be new controls that have been implemented and old controls no longer utilised. It is best to test the most current month to achieve your objective. This will depend on the scope of the audit and how far you will be testing the transactions through the system.

c) Finalise the Scope of the Project
During the audit you will have a clear idea of exactly what the scope will be. The final scope needs to be signed off by the Officer: Internal Audit.

d) Progress reports
It is very important that the auditors keep the Officer and the Manager informed of the status of work that has been allocated to them, problems that they are encountering (especially if this will affect the deadline) and any other issue that may arise.
Progress reports can take the following format:
   i. Verbal feedback as and when it is required
   ii. Written feedback from internal auditors on a weekly basis to the Officer: Internal Audit.
   iii. Written feedback from the Officer: Internal Audit to the Manager: Internal Audit.
Reports should not only indicate the problems, but also the solutions to these problems. Where the audit duration is less than a week, a mid-assignment report should be given to the Manager: Internal Audit.

e) Meetings
Meetings should be held at various times during the audit. The notice period for these meetings should be cleared in the initial planning meeting when discussing the communication protocol. Minutes of all meetings should be kept indicating the item discussed, the action taken / to be taken if any, the person responsible and the due date.
The following meetings are crucial to an audit:

i. Steering committee meetings:
These meetings should be held with the head of the process that you are auditing, and any other persons elected during the initial meeting. From the audit team side, the Officer: Internal Audit and the internal auditors should attend.
The meeting should be set up to give the client some feedback on the status of the audit, raise any very urgent queries, clear any issues that arise during the audit regarding the availability of information and staff, slow responses to queries and give the client an opportunity to raise any concerns that they may have.
The detail of standard queries should not be discussed in this meeting unless the client requests this. This meeting should have a standard place (e.g. every Tuesday at 08h00) and should be held even if you feel there is nothing to discuss. These meetings should not take long and should be limited to half an hour. Make sure that an agenda is done for each meeting.
The frequency of the meeting will depend on the length of the audit. On a long audit it is recommended that these meetings take place on a weekly basis. On a small audit it may be more appropriate to have the meetings twice a week. The frequency of the meetings will also depend on the availability of management.

ii. Informal queries discussion meetings:
These meetings should be held with the line manager responsible for answering the queries. From the audit team side, the Internal Auditor should attend; only where necessary, the Officer: Internal Audit may attend. The purpose for the meeting is to discuss queries that arose in the audit. These meetings are particularly important for queries from phases 2 and 3, but should be held with all informal queries issued.
Note: The wording of these informal queries is very important, as the Municipalities/components are particularly sensitive to this. The Manager: Internal Audit should review these reports very carefully.
The meeting should remind the Municipality/component of what phase in the methodology the query relates to.
Each query should be discussed to ensure that the Municipality/component has a clear understanding of the issue that you are trying to raise. The queries should be substantiated with evidence from our audit work. This meeting does not imply that management need not answer the queries in writing, but should make it much easier for management to do so.

The notice time required for these meetings should be cleared during the initial planning meeting held with the Municipality/component. It is important that, should a notice period longer than 1 day exist, these meetings are set up to coincide with the completion of the queries. (I.e. the meeting may need to be scheduled before the queries are complete. It is no good to wait till the queries are finished and then try and set up a meeting as this will only delay the audit process.)

Significant informal queries raised that cannot be cleared at this level should be escalated to the next level of management and so on till the informal query is cleared and management comment obtained. Where there is difficulty in getting an appointment with the Municipality/component, which could result in delays in the completion of the audit, the matter should be brought to the Manager: Internal Audit's attention.

iii. Draft audit report discussion meetings: These meetings should be held with the line manager responsible for answering the process. CFO and MMs should be included in the discussion meetings at any time. From the audit team side, the Manager: Internal Audit, the Officer: Internal Audit and the Internal Auditor should attend. The purpose of the meeting is to discuss the draft audit report with the line manager prior to this report being issued to the Audit Committee. Once the line manager is satisfied with the draft report, a copy should be distributed to the CFO before finalisation and distribution to the HOD.
The meeting should clear out any final wording issues that should have been sorted out in the informal queries stage. The notice time required for this meeting should be cleared during the initial planning meeting held with the Municipality/component. It may be appropriate to give the line manager a copy of the report to go through prior to the meeting and in so doing reduce the time required for the meeting.

f) Managing the impact of one phase on another

The outcome of one phase may have a direct impact on the next phase to be executed. It is important to update the scope and consider other audit work that may be required. When considering other audit work that may be required it is important to consider the other specialist functions that may exist within the internal audit unit and consider whether they need to become involved.

g) Managing management's response to informal queries issued

In order to effectively manage this, meetings, as indicated above, should be scheduled with the Municipality/component.

h) Review of working papers (Standards 2330)

It is required by the standards that working papers be reviewed to ensure that the quality of the audit is maintained. The review of working papers should always be done by at least one level higher than the person preparing the working paper. The Officer: Internal Audit should therefore review the Internal Auditor's working papers. No audit member below an Internal Auditor should be involved in the review process.

Review queries should be written down and then discussed with the auditor and not merely handed to them to correct. This will also assist in ensuring that the review queries are cleared first time. When auditors correct review queries, they must correct the working document itself, and not merely comment on the review queries. Corrected working papers should be referenced to the review queries.
Auditors should be encouraged to ask questions should they have difficulty in answering a review query. The Manager: Internal Audit should always review the file from a high-level quality control perspective.

i) Managing the final report

The final report should be compiled in the standard format decided on by the Manager: Internal Audit. All informal queries raised that are reportable items should then be included in the report. Once a draft report is complete and the Officer: Internal Audit responsible for the audit has reviewed it, this should be sent to the line manager for any further comments or changes they may have and only after their comment is received should the report become final and be issued as such. A register should be maintained indicating the various draft reports issued and there should be a control over the different draft versions.

j) Managing client relationships

This is probably the most important part of managing the audit execution phase. Any improvement in client relations will only make life easier for future audits. The reverse is also true. It must be borne in mind that each Municipality/component has specific needs in terms of relationship management. Some Municipalities/components have specific preferences, management styles and attributes. It would be helpful to be aware of this through discussions with the Manager: Internal Audit and Officer: Internal Audit. The following should be considered:

i. Maintaining a register of all correspondence sent to the Municipality during the audit.
ii. Maintaining a register of all phone calls and attempts to get hold of the client's staff during the audit.
iii. Maintaining a register of meetings set up, cancelled by the client or by us, and the date meetings were re-scheduled to.

As difficult as it is, Municipalities have protocols that must be followed.
This should be cleared upfront in the initial meeting to avoid antagonising the client. Notice periods for meetings etc. should be adhered to. Concerns of the client should be addressed immediately and any differences of opinion should be cleared in a proficient and professional manner. Any issues or personality conflicts must be reported immediately to the Manager: Internal Audit and Officer: Internal Audit.

The Officer: Internal Audit must submit a client satisfaction form to the client for completion at the end of each audit. These forms must be completed by the client and submitted to the Officer: Internal Audit. It is the Officer: Internal Audit's responsibility to ensure that these forms are completed and returned. This old department principle will always remain true: "The client is always right".

Source of information

The auditor should make use of the following sources of information to effectively manage the assignment:

a) The reports from the auditors
b) Reports from the client
c) Steering committee meetings or other relevant meetings
d) Policies and procedures
e) Audit working papers completed

Use of information

The management of the audit assignment will affect future relationships with the Municipality/component and the internal audit component. It is essential that the audit assignment be correctly managed to ensure that the overall audit objective is achieved and that the Municipality/component is satisfied with the output they receive.

2.2.3 Finalising the audit (Responsible: Officer: Internal Audit and Internal auditors)

Objective

The auditors must complete the audit by finalising the file and ensuring all electronic information is backed up.

Required

The auditors are required to ensure that the following are complete:

a) All review queries have been cleared.
b) All information is filed according to the internal audit unit's filing system.
c) All information not required for any purpose is disposed of.
d) All files etc. belonging to the Municipality/component are returned.
e) All electronic information is consolidated.
f) The electronic consolidation is backed up.
g) Etc.

Source of information

The auditors should utilise the following sources of information:

a) Internal audit unit files for filing
b) Review queries sheet
c) Internal audit unit protocol regarding back-ups and filing
d) Etc.

Use of information

The information will serve as a permanent record of the audit work conducted and may be used in future audits, as well as court cases should the need arise.

2.2.4 Updating the risk matrix in the Municipality (Responsible: Officer: Internal Audit and Internal auditors)

Objective

The auditors need to maintain a central database of all threats, etc., that were identified during the course of the audit. This database needs to be updated at the end of each audit.

Required

The auditor is required to update the Municipality's risk profile and the internal audit unit's database of information at the end of each phase of the audit (preferred), or at least at the completion of the audit. Items that will affect the long-term plan of internal audit should be communicated to the Officers: Internal Audit and updated accordingly.

Source of information

The auditor should make use of the information gathered during the entire audit process.

Use of information

This information will be used in the audit of similar processes at other Municipalities, assisting in the preparation of internal audit work plans and the risk matrix of the Municipality as a whole.
2.2.5 Updating the Methodology and Working Papers (Responsible: Manager: Internal Audit, Officer: Internal Audit and Internal auditors)

Objective

The auditors should always look for ways to improve on this methodology, as well as the working papers utilised in the audit.

Required

All suggestions that the audit team have on ways to improve the audit process through the methodology and working papers should be forwarded to the Officer to take the issue up with the Manager: Internal Audit. The Manager: Internal Audit should consider whether the suggestion relates to the specifics of the audit, or an improvement to the general performance of all audits.

Source of information

The auditors should make use of the following sources of information to perform this task:

a) The audit team and their suggestions
b) The debriefing session

Use of information

The information will be used to improve the performance of all future audits that are to take place.

3. Phase 1 – The Preliminary Survey (Performance Standard 2200) (Practice Advisory 2210)

3.1 Purpose of Preliminary Survey Phase

The purpose of the preliminary survey phase is to obtain a sound understanding of the client and the various facets of the audit area in order to be able to effectively conduct the audit project.

The objectives of this phase are to establish:

- An understanding of the authority under which the client was created.
- A general background into who the client is and what they do.
- A brief overview of developments of the client over the last few years.
- A deeper understanding of the audit process that you will be auditing and specifics that relate to the client that you are auditing.
3.2 Steps to follow in Phase 1

3.2.1 Brainstorm generic risks of the process (Responsible: Internal Auditors)

Objective

To become more familiar with the process to be audited, common problems in industry regarding the process, etc. The auditors should at this stage be preparing for the interviews with the Municipality/component in order to document the process.

Required

The auditors should at this stage sit together and briefly brainstorm the following:

a) Activities they would expect to find in the process they are required to audit.
b) Threats they would expect to see impacting on the performance of the identified activities.

Source of information

The auditors should make use of the following sources of information to document the preliminary survey:

a) Previous audit working papers
b) Past knowledge and experience
c) Theoretical knowledge gained from courses attended
d) Managers: Internal Audit can be approached for some guideline on the subject
e) Knowledge of newspaper articles etc.
f) Previous reports and follow-up findings
g) Risk database
h) Policies and procedures
i) Relevant legislation

Note: A detailed background search is not required, and the common knowledge of the auditors should be used.

Use of information

This information will be very useful when conducting interviews with the Municipality/component to document the systems description.

3.2.2 Gather background information on the organisation (Responsible: Internal Auditor)

Objective

The auditors are at this stage required to gain a broad understanding of the Municipality's/component's organisation.
Required

The auditors are required to complete a number of documents here, which will address the following issues:

a) Industry and Economic conditions
b) Current news events (external and internal)
c) Strategic and department plans
d) The mission of the organisation
e) Organisation Impact Assessment
f) Objectives and scope of unit
g) The organisational structure
h) A review of past and current expenditure
i) Analysis of audit reports from the Auditor General
j) Applicable regulations (list)

Source of information

The auditors should consider using the following sources for obtaining the information:

a) Newspapers
b) Internal newsletters
c) Mission statement
d) Organogram
e) Strategic and department plan
f) Internet research where applicable
g) Budget reports
h) Actual expenditure reports (current and past periods)
i) Annual financial statements and reports
j) Discussions with client staff

Use of information

This information should be shared with all team members in order to ensure that the auditors understand the Municipality's/component's department so that they can perform the audit effectively and efficiently. By knowing what the Municipality/component does, why they are established, etc., you as an auditor will be better equipped to add value to the Municipality.

3.2.3 Gathering information on the process being audited (Responsible: Internal Auditors)

Objective

The auditors are required to gain a more detailed understanding of the process which they are auditing.
Required

The auditor will be required to complete a number of documents, which will address the following issues:

a) Where does the process fall within the organisation
b) What is the mission of the process and is this in line with that of the organisation
c) Who are the customers and what are their needs
d) What are the activities involved in the audit
e) Minutes of meetings held by management regarding the process
f) Computer environment vs. manual
g) A review of past and current expenditure
h) Identification of populations and population sizes
i) Names and contact details of various people involved in the audit
j) Staffing levels and vacancies in a process
k) Different locations of the various remote locations involved in the performance of any part of the process
l) Past internal audit report findings and summaries
m) Past indications of fraud
n) Past external audit reports / special investigation reports
o) Changes in activities/systems since last audit
p) Delegations of authority
q) Kinds of records that are maintained
r) Volume and value of the transactions initiated by the audit unit for the period
s) Staffing personalities (i.e. control consciousness and awareness)

Source of information

The information required to complete the documents designed for this phase will be obtained from the following sources:

a) Mandates from the Municipality/component (especially in the case of Ad-hoc assignments)
b) Mission statements
c) Discussions with the Municipality/component
d) Discussions with the Manager: Internal Audit
e) Organograms
f) Job descriptions
g) Audit team members
h) Budget reports
i) Actual expenditure reports (current and past periods)
j) Past internal audit reports
k) Detailed list of transactions (population sizes)
l) Geographic locations
m) Minutes of meetings

Use of information

The information gathered here should be shared with all team members in order to ensure that the auditors understand the process so that they can perform the audit effectively and efficiently. By knowing what the process is all about, the auditor will be better equipped to add value to the Municipality. The information obtained may also be required to identify the uses of specialist services. In addition to this, all information gathered will assist in defining the correct scope of the audit.

3.2.4 Gathering information of acts and legislation governing the organisation/process being audited (Responsible: Internal Auditors)

Objective

The auditor should be able to identify all the different legislation and regulations that affect the process and the organisation that is being audited.

Required

The auditor is required to:

a) Identify the legislation, regulations and procedures relating to the process that they are auditing.
b) Summarise the information.
c) Identify those parts of legislation, regulations and procedures which have an impact on the process that you are auditing. (Note: some legislation will govern the organisation as a whole, and may not have a direct effect on the process you are auditing.)
Sources of information

The auditor should be able to make use of the following sources to acquire the information:

a) Discussion with the client
b) The Municipality/component (often the Municipality will have copies of the legislation)
c) The internet
d) Manager: Internal Audit
e) Municipality's legal advisor (if they have one)
f) Knowledge library

Use of information

The information gathered will be used during the design of audit programs to test whether the Municipality/component is complying with the legislation and regulations and as a guide to best practices and government practices. Information from procedures manuals can be very useful when documenting the system.

3.2.5 Perform high level (overall) analytical review

This should be confined to relevant financial and operating information that would be of assistance in gaining an overall understanding of the Municipality's/component's operations, as well as highlighting potential areas of risk. It must be borne in mind that more detailed analytical review work will be performed at a later stage.

This should be done on the basis of trend analyses, which will give an indication of materiality and point to areas of greatest activity, economic or otherwise. The overall analytical review should not be limited to financial or operating information produced on a regular basis, but should include any indicators of unusual events or significant changes in circumstances affecting the Municipality's/component's operations (e.g. new legislation, government regulations, labour agreements, changes in the Municipality's strategy, etc.). The extent of such a review should be discussed with the Officer: Internal Audit.

3.2.6 Extent of work to be performed

The depth to which the auditor should go into understanding the Municipality's/component's operations will depend upon the anticipated scope of work to be performed.
Details of this should be available from the Officer and Manager: Internal Audit.

The size and complexity of the Municipality's/component's operation will also be a determinant of the extent of work. In all cases, the Manager: Internal Audit should be consulted as to the extent of work to be performed during the preliminary survey.

3.3 Means of obtaining background information

The nature of the work to be performed during the preliminary survey will generally consist of enquiry, collection and review of information and, where applicable, a broad analytical review. The analytical reviews may already have been done by the Municipality/component; if so, do not waste time re-performing the work. You will however need to check that the variances are correctly calculated.

The auditor will need to conduct interviews with the Municipality's/component's management in order to discuss information already obtained and to obtain further information with regard to the remaining issues to be addressed during the preliminary survey. Generally, such interviews would be confined to line management in the Municipality's/component's organisation and should not extend to operating staff (at this stage we are trying to get a broad picture, and need not go into excessive detail).

Depending on the extent of work to be performed and the number of interviews required, it might be practical to use a questionnaire to elicit certain information from prospective interviewees before commencement of the interviews.

3.4 Reporting

At the end of this phase, any queries which may have arisen should be forwarded to management for their comments. These queries are known as Informal Queries and should clearly indicate this fact.
Informal queries that may arise could include problems with the mission statement, standards set for employees etc. All queries that are raised must be discussed with management and not simply handed to them for comment. Their comment should still be received in writing.

3.5 Output

The output of this phase will be a complete set of documents detailing a brief background of the organisation as well as specific detail regarding the process being audited.

4. Phase 2 – Document the systems, identify risk and specific audit objectives and scope (Performance Standard 2201) (Practice Advisory 2200-1)

4.1 Purpose for the documenting of systems, identification of risk and control strategy assessment

The purpose of this phase is to document the systems of internal control, obtain an understanding of the risks to which the process is exposed and identify the manner in which management is dealing with the risk (i.e. management's strategy to control or mitigate a risk).

The objectives of this phase are as follows:

- Document the systems,
- Identify system weaknesses,
- Analyse the risks that would affect the process you are auditing,
- Identify management's control strategy, and
- Assess the control strategy, benchmarking it against best practice and government practices where applicable.

4.2 Steps to follow in phase 2

4.2.1 Obtain system descriptions (Responsible: Internal Auditors)

Objective

The auditors are to obtain information regarding the system of control that management has implemented to control and manage the risks in the process. At this stage it is very important that the information obtained contains all the controls (manual or computerised) that management has in place.

Required

Document the interviews of the various personnel involved in the process to identify what controls are in place to reduce risk.
The system's description is prepared using the Objective, Risk, Control, and Alignment model to document key controls in order to identify other risks and also to assist in the development of audit programmes.

If you are happy with the adequacy/design of the controls, compile an audit programme detailing specific tests and other procedures to be performed to gather the required evidence to test the effectiveness of the control by audit (assurance).

The specific audit objectives and procedures must be appropriate for completion within the total remaining budgeted hours.

In order to ensure that you maximise on the interviews you have, you must adequately prepare. This could include some of the following activities:

a) Using the information gathered in phase 1, prepare a questionnaire for the client.
b) Make sure that during the interview you cover the risks identified during the initial brainstorm session (Phase 1).
c) Make use of prescribed procedures to formulate questions.
d) Making use of control checklists to familiarise yourself with the controls that should be included.
e) Going over any acts, regulations and procedure manuals that require standard controls to be in place.
f) Obtaining copies of previous system documents in order to prepare to update these documents.
g) Looking at the informal queries raised in a previous internal audit on the system to identify controls initially missed in the documenting of the system.
h) Identifying significant changes that have occurred since the last audit.

It is very important to document the interviews in great detail so that the person preparing the systems documents will be able to do so accurately the first time.

Source of information

The auditor here can obtain this information from a number of sources, namely:

a) Discussions with the client's staff involved in the process.
b) Previous internal audits on the system.
c) The client may have systems documents prepared.
d) The Auditor General may have copies of system documents.
e) Phase 1 (Preliminary survey) will indicate important information.
f) System checklists that have been prepared.

Use of information

The information obtained here will be used to document the systems, assist in identifying management control strategy towards risks and preparing the audit program.

4.2.2 Documenting the System Description (Responsible: Internal Auditors)

Objective

The objective here is to document the information that has been accumulated. This is also a time for the auditors to learn how the system works and what information to include in systems descriptions.

Required

The auditors are required to take the information and to document the information either in a narrative or flow chart format.

It is recommended that the auditors begin with the narrative in order to capture all controls. The flow chart should be done thereafter and should be designed to give the reader information regarding the process flow of transactions at a glance. Where system descriptions and flowcharts are available at the client these may be used.

Working papers should be economical to prepare and to review. It is easy to include every scrap of information and every form into the working papers, however, the working papers then become a confused mixture of data that is difficult to assimilate and use. Working papers should be complete but concise--a usable record of work performed. Internal auditors should include in their working papers only what is essential; and, they should ensure that each work-paper included serves a purpose that relates to an audit procedure. Working papers that are created and later determined to be unnecessary should be deleted.

Working papers should be clear and understandable.
The internal auditor should keep in mind that other people will examine and refer to the files. The working papers should not need any supplementary information and should stand alone. Anyone reviewing the work-papers, without referring to documents outside of those included in the work-papers and without asking questions, should be able to tell what the auditor set out to do, what they did, what they found and what they concluded. Conciseness is important; but clarity should not be sacrificed just to save time and space.

Scanned Documents: Scanned documents should include a reference to the source and the purpose of the document when relevant to understanding or appreciating the actual audit work performed. Such information needs to be included only when it is not provided elsewhere in the working papers.

Tick-marks: Tick-marks do not need to be standardized throughout the set of working papers, but must be consistent throughout a particular working paper. Tick-mark explanations must be a part of the work-paper or included in a separate tick-mark legend work-paper.

Cross-Referencing: Working papers should be prepared using the appropriate cross-referencing. A cross-reference from the Audit Procedures to the primary work-paper provides a reference to where the work was performed. It is not necessary to cross-reference all working papers to the Audit Procedures, only the primary working papers. The primary working paper will then contain cross-references to other, supporting working papers, which provide additional information regarding the audit procedures performed, results, and conclusions reached. Cross-references should be used to reference information useful in more than one place or to other relevant information including the source of information, composition of summary totals, or other documents or examples of transactions.
To encourage conciseness, documents/information should be in the work-papers only once.

Standard Working papers: All Internal Audit work should as far as possible be documented using the TeamMate Audit Management tool in accordance with the detailed internal audit methodology followed by the internal audit function of the sections.

Future Audit Considerations: Auditors are encouraged to develop and document future audit ideas during the course of their work. These should be included in the "Comments for next audit" section of the audit working paper file under the "General" section.

Working paper Review: The auditor should review all working papers to determine whether they are relevant and have a useful purpose, evidence the audit work performed and sufficiently support the audit findings. In addition, the auditor should ensure the conclusions reached were reasonable and valid, and that the Office working paper standards were followed. The auditor should review all audit review notes to be certain that all notes have been resolved within the working papers. Documentation obtained and not relevant to the audit should be returned/destroyed upon the completion of the audit.

The review will consist of:

- Determining compliance with working paper guidelines.
- Reviewing the audit program that outlines the major objectives of the audit, and ensuring that the procedures accomplish the objective(s).
- Reviewing the audit procedures and the referenced working papers to ensure the working papers support the procedures performed and all procedures have been completed.
- Determining that the work-papers adequately document the conclusions reached in the report.
- Ensuring that all findings prepared have been discussed with the appropriate member of management, and that the disposition of the audit concern is documented.
- Documenting review notes.
Filing and Protection of Working papers: All working papers are considered confidential, are the property of the Internal Audit section, and are to be kept under adequate control. Working papers often contain sensitive information or data that must be protected from unauthorized use or review. Work-papers in process are to be controlled by the section of Internal Audit. While conducting fieldwork away from the office, the auditors should control the work-papers to ensure that information is neither removed, nor substituted nor altered.

Retention Policy: All working papers pertaining to an audit belong in the Internal Audit section. All such data is to be kept by the Internal Audit Section and is subject to the retention requirements as required by applicable laws and regulations.

Use of information

The information obtained here will be used to identify the system weaknesses, assist in identifying management control strategy towards risks and preparing the audit program.

4.2.3 Verifying the Systems Description (Walkthroughs) (Responsible: Internal Auditors)

Objective

The auditors are required to confirm and verify that the documented system is a true reflection of what actually happens from day to day and that the activities correspond to what is documented.

Required

The auditors should perform a walk through test to check that the system is operating as documented. In order to perform this, the following should be considered:

a) The starting point. (This should be the first activity that takes place on the narrative descriptions.)
b) The sample size. (As all that is required at this stage is a confirmation that the process happens as documented, it is not necessary to test an extended sample. The Officer: Internal Audit should assist in deciding how many items to test, taking into consideration the population size etc.)
c) Follow the documents through the system noting the evidence that controls occur as documented. (I.e. re-perform the controls on those documents to ensure that the controls were executed as documented)
d) Differences: The Officer: Internal Audit should assist to identify whether the differences will result in updating/changing the systems description as documented, or whether the control is correct as documented, but ineffectively or inefficiently performed.

Sources of information
The auditors should make use of the following sources of information:
a) Supporting documents available at the client.
b) Confirmation from the person overall in charge of the system.
c) Auditor-General, if possible, or any previous audit performed by external consultants.

Use of information
The information obtained here will be used to document the systems, assist in identifying management control strategy towards risks and preparing the audit program.

4.2.4 Reporting (Responsible: Internal Auditors)
At the end of the systems description, any queries, which may have arisen, should be forwarded to management for their comments. These queries are known as Informal Queries and should clearly indicate this fact. Informal queries that may arise could include problems with the system, such as a lack of segregation of duties and other system weaknesses.

Note: At this stage any inefficiencies that were identified will not be reported as the purpose here is not to test efficiencies, but rather the documenting of the system.

All queries that are raised must be discussed with management and not simply handed to them for comment. Their comment should still be received in writing.

4.2.5 Identifying risks (Responsible: Internal Auditors)

Objective
The auditors are required to identify those events, which will result in the non-performance of a particular key activity.
Required
The auditors should consider the following when performing the risk identification:
a) Refer to Phase 1 for the key activities, which will be audited during this project assignment.
b) For each activity that will be audited identify those events that will prevent or hinder the performance of that activity. (This is then referred to as the threat)
c) Identify the action that will result in that particular event taking place. (This is then referred to as the cause). (Use the information gained during the initial brainstorming that took place in phase 1 and customise this to your client)
d) Rate the impact each threat will have on the process should that event take place. This rating will be classified as high, medium or low. (Refer to the approved risk management policy regarding the rating of the risk) When rating the impact it is important to consider factors such as:
   a. The value of transactions that pass through the process
   b. The importance of the activity in terms of the organisation achieving its objective
   c. The impact this may have on other processes within the organisation
e) Rate the likelihood of each cause occurring prior to any controls that may exist. This rating will be classified in accordance with the approved risk management policy. (Refer to the annexure regarding the measurement of high, medium or low)
f) Summarise those threats and causes that are significant.

Source of information
The auditors may make use of the following sources of information:
a) Specific requests from the client
b) Manager: Internal Audit
c) Knowledge and past experience of the audit team
d) Information gathered in phase 1
e) Risk database (internal)
f) External auditors' repository of risk / other previous audits

Use of information
This information will be used in the documenting of the risk assessment, and as a basis for the strategy assessment that is to follow.
4.2.6 Documenting risks (Responsible: Internal Auditors)

Objective
The objective of this exercise is to document the findings of the risk assessment. The auditors should use this exercise to gain knowledge of risks and the assessment of impacts and likelihood.

Required
The auditors will be required to document the information from the Manager: Internal Audit and the Officer: Internal Audit onto the working papers provided. The auditors should take care not to blindly act as secretaries at this stage. They should consider the information that they are documenting and should decide whether they agree or disagree with the Manager and Officer and even think of threats and causes not considered by the Manager and Officer. Where the auditors differ they must approach the Manager and Officer to obtain clarity on the information and make their suggestions. This experience will enable the auditor to independently identify risks in the future.

Source of information
The auditors should use the following information when documenting the risks:
a) Information supplied by the Manager: Internal Audit and Officer: Internal Audit
b) Knowledge and past experience of auditors
c) Working papers provided.

Use of information
This information will be used as a basis for the strategy assessment that is to follow and as input into the Internal Audit database of threats and causes.

4.2.7 Verification of Likelihood and Impact Ratings (Responsible: Internal Auditors)

Objective
The auditors should at this stage obtain some confirmation from management that they are in agreement with the threats and causes identified and that they agree with the ratings as indicated by the auditors.

Required
The auditors should arrange a meeting with the client to discuss the outcomes of the risk assessment to date.
In this meeting the following is of importance:
a) The threats and causes identified are consistent with the client's department and activities being audited.
b) The ratings assigned for the impact and likelihood pre-controls are consistent with the client's knowledge of the department.

It is important in this interview to remind the client that the threats and causes are not actual findings but possible implications on the department. The client should also understand that the likelihood rating indicated is related to a pre-controls/verification situation.

During this meeting, it is important that should the client think of any additional threats and causes they raise them here so that they are included in the risk assessment. The outcome of the meeting should be minuted and a copy of the minutes handed to the client for their information.

Source of information
The auditors should make use of the following sources of information when verifying the information:
a) Documented risk assessment
b) Discussion with the client.

Use of information
This information will be used as a basis for the strategy assessment that is to follow and to update the risk database of Internal Audit.

4.2.8 Identifying and assessing control strategies (Responsible: Officer and Internal auditors)

Objective
The auditors are to identify the control strategy that management has in place to address the relevant threat and cause.

Required
When identifying the various control strategies that management may have in place it is important to consider the following:
a) The control strategies available to the client include:
   i. Risk Avoidance - avoid the risk and its consequences. (I.e. to avoid that line of department) To avoid a risk, the client needs to eliminate the activity affected by the risk. This can be done by changing the activity, e.g. by automating a manual process, thereby changing the human activity to that of plant and equipment. The manager can, at a higher level, eliminate the activity itself by deciding not to render a certain type of service.
   ii. Risk Transfer - transfer the risk and its consequences. (I.e. to get an outside party to take responsibility for the risk by outsourcing the activity to a 3rd party) "Outsourcing" an activity can transfer risks. This means getting a supplier to carry out an activity previously carried out by the municipality or audit area. Although this will transfer the risks affecting the resources previously used by the audit area, it will now expose the audit area to new risks related to maintaining effective supplier relations.
   iii. Risk Acceptance - accept the risk and its consequences. (I.e. having no controls in place to manage the threat and its cause)
   iv. Risk Insurance - insure against the risk's consequences should it occur. (I.e. by obtaining insurance that will mitigate or reduce the impact and likelihood of the risk) Although insurance of the risk will not reduce the likelihood of the risk occurring, it will reduce the impact on performance because the audit area receives compensation for the loss suffered. Insurance is most commonly used with risks affecting tangible resources, and particularly for property, plant and equipment, financial resources, e.g. cash, and inventory.
   v. Risk Reduction - control the risk. (I.e. implementing management controls as described on the systems description.)
b) Decide on what strategy management is using (i.e. examining the systems description for a control to indicate that management is implementing a risk reduction strategy).
c) At some point you may require assistance from the Manager: Internal Audit and/or Officer: Internal Audit.
When assessing the control strategies that management may have in place, it is important to consider the following:
a) In carrying out this step, the auditor should answer the question: Should the manager be accepting the potential impact of this risk or should he control it?
b) Best practice and government practice policies.
c) In some instances it may be appropriate to have a strategy of acceptance where either the impact or likelihood is rated as low.
d) In some instances, such as where either the impact or likelihood is low, a risk reduction strategy may not be appropriate. (Resources are being utilised to control an insignificant threat, and should rather be employed towards something more significant.)
e) The Manager: Internal Audit may be required to assist the auditors in the performance of this area.

Source of information
The auditors may consult the following sources of information:
a) Systems Descriptions
b) Manager: Internal Audit
c) Knowledge and past experience of auditors

Use of information
Value will be added to the client by identifying those areas where they are most exposed in terms of risk and recommending appropriate strategies to reduce their exposure. The opposite is also true, and where the client is spending a lot of resources controlling an insignificant threat, this should be identified and will also be reported to the client. Those resources can then be more efficiently employed in other areas of the process.

The information gathered in this phase is required to document the control strategies and will have an impact on the assessment of control adequacy. Where the strategy of a control is inappropriate, these items will not necessarily be carried forward to the control adequacy assessment, but would rather be reported on.
4.2.9 Documenting control strategies (Responsible: Internal Auditors)

Objective
The objective of this exercise is to document the findings of the strategy assessment. The auditors should use this exercise to gain knowledge of strategy identification and the strategy assessments that are made.

Required
The auditors will be required to document the information onto the working papers provided.

Source of information
The auditors should use the following information when documenting the risks:
a) Information supplied by the Audit Manager and Officer
b) Knowledge and past experience of auditors
c) Working papers provided.
d) Knowledge of the client's department activities.

Use of information
Value will be added to the client by identifying those areas where they are most exposed in terms of risk and recommending appropriate strategies to reduce their exposure. The opposite is also true, and where the client is spending a lot of resources controlling an insignificant threat, this should be identified and will also be reported to the client. Those resources can then be more efficiently employed in other areas of the process.

The information documented will have an impact on the assessment of control adequacy. Where the strategy of a control is inappropriate, these items will not necessarily be carried forward to the control adequacy assessment. Inappropriate strategies should be reported upon.

4.2.10 Reporting (Responsible: Officer: Internal Audit and Internal Auditors)
At the end of the strategy assessment, any queries, which may have arisen, should be forwarded to management for their comments. These queries are known as Informal Queries and should clearly indicate this fact.
Informal queries that may arise will include instances where the strategy management is following is contradictory to best practice and government practice.

All queries that are raised must be discussed with management and not simply handed to them for comment. Their comment should still be received in writing. In doing the above, the auditor is in the process of agreeing the findings with the client.

4.3 Output
The output of this phase is a set of documents containing the system description, the risk assessment and the strategy assessment to be used in the next phase. (Working paper D 200, D400 and D 500). Alternatively this is documented in the Risk and Control Matrix (RACM).

5. Phase 3 - Assessment of Adequacy of controls (Adequacy Phase) (Performance Standard 2210.A1) (Practice Advisory 2210-1, 2210.A1-1)

5.1 Purpose of the assessment of the adequacy of controls
The purpose of this phase is to determine whether the client's existing controls would be adequate and if they were operating as intended.

The objective of this phase is an assessment of adequacy of controls providing assurance that the activity's objective will be achieved.

The following are important aspects to keep in mind when performing this phase:
- What is adequate is a matter of professional judgement.
- Standard control practice (generally accepted management practice).
- The client must accept the standards.
- Where controls are not adequate, unfavourable findings will be developed.

NOTE: At this stage the auditor does not form an opinion on the effectiveness of the existing controls.
5.2 Steps to follow

5.2.1 Assessment of those controls for insignificant threats (Working paper E 200) (Responsible: Officer: Internal Audit and Internal Auditors)

Objective
The auditors must assess the controls that are in place to support insignificant threats to identify whether these controls are crucial to the successful operation of controls for significant threats.

Required
The auditor will be required to identify the controls that are in place to manage the threats that are not significant to the process. The idea here is to identify those key controls on which management is reliant that will not automatically be taken to the assessment document because they are not directly controlling a significant risk.

The dependency of other controls on the identified control will have to be assessed as high, medium or low. Those controls on which other controls are highly reliant will need to be included in the adequacy assessment regardless of the fact that they may merely exist to control an insignificant threat.

Some controls exist to manage more than one threat, and in these instances, the control identified may be serving a dual purpose, in which case it may already be included in the summary of significant risks. In such instances it is not necessary to repeat the control.

A key control is one that makes a large contribution to providing assurance that a performance objective will be achieved and, therefore, is one upon which management will place heavy reliance. Once these have been identified, they must be included in the adequacy document.
Source of information
The auditors should make use of the following sources of information:
a) Systems descriptions
b) Risk assessment documentation
c) Knowledge and past experience
d) Knowledge of the department risk, functions and related activities

Use of information
The information will be used to ensure that all key controls are assessed.

5.2.2 Transfer of significant risks and ALL controls to discussion document (Responsible: Officer: Internal Audit and Internal Auditors) (Working paper E 200)

Objective
The auditors must compile a complete list of threats and controls, to begin the documenting of the adequacy assessment.

Required
The auditors are required to transfer the information of the significant risks from the phase 2 working papers (summary of significant risks) and all the management controls identified for that risk, irrespective of whether the cause is ranked as low or medium. The individual risk activity assessments should be looked at to make sure that all the controls and risks are transferred and that none have been erroneously skipped over. (Hint: It may be best to group significant risks per each activity together at this stage.)

All controls applicable to the identified risks must be documented in detail. This is, inter alia, to evaluate the suitability of the system as a basis for compiling reliable financial information.

Source of information
The auditors should make use of the following documents:
a) Individual activity assessments
b) Summary of significant risks from the strategy assessments

Use of information
The document produced will form the basis for the adequacy assessment and later on the audit program design and as a result the effectiveness testing.
5.2.3 Identification of ideal controls (Responsible: Officer: Internal Audit and Internal Auditors)

Objective
The auditors are to identify the ideal controls to mitigate or eliminate the threat identified.

Required
The auditors are to consider all the ideal controls that will be considered best practice to manage the threat identified. The ideal controls here must be customised to the client's circumstances. For example, in a small organisation it may not be possible to employ additional personnel in order to perform a simple control. Ideal controls identified should not simply be a dump of information, but controls that would actually manage the threat and assist the client.

Source of information
The following sources of information will be of particular importance to the auditors at this stage:
a) Past best practice controls identified through previous audits on the process either at the Municipality or at other Departments
b) Internal Audit database of risks and controls
c) Legislation containing government procedures and policies
d) Internal procedure manuals containing policies and procedures
e) Checklists designed by internal audit to give a guide to standard controls that should be in place
f) Knowledge and past experience
g) Any information documented in the previous phases of the audit

Use of information
The controls identified will be used as a benchmark against which to assess whether the controls management have in place are adequate or not. Value to the client will only be added if the ideal controls that are decided on are of benefit to the client and will assist them in managing the risk.

5.2.4 Documenting the ideal controls (Responsible: Internal Auditors)

Objective
The objective of this exercise is to document the ideal controls. The auditors should use this exercise to gain knowledge of ideal controls and best practice.
Required
The auditors will be required to document the information onto the working papers provided. The auditors should take care not to blindly act as secretaries at this stage. They should consider the information that they are documenting and think of ideal controls that they may have missed.

Source of information
The auditors should use the following information when documenting the ideal controls:
a) Information supplied by the Internal Auditors and Internal auditors
b) Knowledge and past experience of auditors
c) Working papers provided
d) Existing policies, procedures, regulations and manuals

Use of information
The controls identified will be used as a benchmark against which to assess whether the controls management has in place are adequate or not. Value to the client will only be added if the ideal controls that are decided on are of benefit to the client and will assist them in managing the risk.

5.2.5 Assessing the adequacy of controls (Responsible: Officer: Internal Audit and Internal Auditors)

Objective
The auditors are required to make the judgement call as to whether the control that management has in place is adequate or not.

Required
The auditor will be required to make a judgement call during this phase. By comparing the ideal controls to those controls in place they will have to decide on the adequacy assessment for the control.

When the auditor considers the control for adequacy, they should consider the following aspects:

a) The impact of the control on reducing the threat
The auditor should ask whether the controls would, if effective, reduce the risk's potential impact to a level acceptable to the client and the auditor. He/she should ask: "Do the controls effectively reduce the likelihood of the risk occurring and, should it occur, would they effectively minimise its impact?"
Evaluating the answers requires the auditor's professional judgement and knowledge of generally accepted management practice.

b) Whether the control is efficient
As part of the assessment of whether a control is adequate or not, the auditor should also consider the efficiency of the control. Inefficient systems should not be assessed as adequate.

The opinion on the adequacy and efficiency of existing controls could arrive at the following possible situations. (I.e. the combined assessment of the adequacy and efficiency of controls will result in the audit assessment being a number 1 – 6 as shown below):

Controls are          Efficient    Inefficient
Adequate              1            2
Partially adequate    3            4
Not adequate          N/A          5/6

1. The existing controls are adequate to provide reasonable assurance that the activity will achieve its performance objectives (because risks that could have a significant impact on the activity achieving its objectives are now unlikely to have a significant impact) and are the most efficient (i.e. numerous people performing the same repetitive task, or re-writing of information onto a number of different source documents throughout the process).
2. The existing controls are adequate to provide reasonable assurance that the activity will achieve its performance objectives, but are not the most efficient.
3. The existing controls are partially adequate to provide reasonable assurance that the activity will achieve its performance objectives (because some risks that could have a significant impact on the activity achieving its objectives are still likely to have a significant impact), but the controls in place are the most efficient.
4. The existing controls are partially adequate to provide reasonable assurance that the activity will achieve its performance objectives (because some risks that could have a significant impact on the activity achieving its objectives are still likely to have a significant impact), but the controls in place are not the most efficient.
5. The existing controls are not adequate to provide reasonable assurance that the activity will achieve its performance objectives (because risks that could have a significant impact on the activity achieving its objectives are still likely to have a significant impact).
6. The client has no controls to provide reasonable assurance that the activity will achieve its performance objectives.

Controls that are rated 1 – 3 will then be tested for effectiveness. Controls rated 4 – 6 will be reported to the client.

Source of information
The auditor will use the information gained in the previous steps in order to complete this phase, namely:
a) The ideal controls
b) Past knowledge and experience.
c) The management controls
d) Discussions with Management
e) Previous audits conducted and the outcome of the findings
f) The size of the client's department.

Use of information
The assessment whether the controls management has in place are adequate or not will have a direct impact on which controls will be tested for effectiveness and those that will not. Value to the client will only be added if the assessment is a fair reflection on what the client can realistically achieve or not.

5.2.6 Documenting the adequacy assessment (Responsible: Internal Auditors)

Objective
The objective of this exercise is to document the ideal controls. The auditors should use this exercise to gain knowledge of the assessment of controls.

Required
The auditors will be required to document the information onto the working papers provided.
The auditors should take care not to blindly act as secretaries at this stage. They should consider the information that they are documenting.

Source of information
The auditors should use the following information when documenting the adequacy assessment:
a) Information supplied by the Manager: Internal Audit and Officer: Internal Audit
b) Knowledge and past experience of auditors
c) Working papers provided.

Use of information
Controls assessed as adequate will be tested for effectiveness in the execution phase. Inadequate and inefficient controls will be reported to management. Value to the client will only be added if the ideal controls that are decided on are of benefit to the client and will assist them in managing the risk.

5.2.7 Reporting queries to management and agreeing an opinion on the controls (Responsible: Officer: Internal Audit and Internal Auditors)
At the end of the control adequacy assessment, any queries (i.e. those controls with an audit assessment of 2 – 6), which may have arisen, should be forwarded to management for their comments. These queries are known as Informal Queries and should clearly indicate this fact. Informal queries that may arise will include instances where the strategy management is following is contradictory to best practice and government practice.

Controls with an assessment rating of 2 and 3 should be carefully considered prior to the issue of the informal queries.

All queries that are raised must be discussed with management and not simply handed to them for comment. Their comment should still be received in writing. In doing the above, the auditor is in the process of agreeing the findings with the client.

5.3 Output
The output of this phase is an opinion on the adequacy of controls (Effectiveness of controls is assessed in the next phase).

6. Phase 4 - Audit Programme development and selection of samples (Effectiveness Phase) (Performance Standard 2100, 2240) (Practice Advisory 2240-1)

6.1 Purpose for the development of audit programs and sample selection
The purpose for this phase is to design an audit programme and determine audit samples, which will serve as a plan on how to test relevant controls for effectiveness.

Audit sampling can be defined as the application of a procedure to less than 100% of the population, to enable the auditor to evaluate evidence of a characteristic of the population and to form a conclusion about the characteristics of the population as a whole. Sampling can be either statistical or non-statistical.

The objectives of this phase are to:
- Define the sample of transactions that will be tested.
- Provide guides to the performance of the audit.
- Set out the compliance and substantive tests to be carried out.

6.2 Steps to follow in phase 4

6.2.1 Identify the population to be tested (Responsible: Internal Auditor)

Objective
The auditor is to determine the different populations within the process that will be tested.

Required
Identify and list the various types of source documents that exist within the process. These should be listed in the order of those documents that initiate the process to those documents that determine the process as complete, such as reports etc.
This can be determined as follows:
a) The number of remote sites the process is affected by
b) Start and end numbers on sequential documents
c) Total number of employees in the process
d) Approximating the number of forms completed

Source of information
The auditor should consider the following sources for information:
a) Phase 1 and 2 documentation
b) Discussions with the client
c) Questionnaires to the clients
d) Working papers of audits performed in this area in prior periods
e) Transactions listing, such as ledger printouts, transaction printouts, etc

Use of information
The information gathered would assist the auditors in documenting the audit programs and in determining the size of the sample to be tested and the remote sites that will be visited.

6.2.2 Determine error rate acceptances (Responsible: Internal Auditors)

Objective
The auditor must determine the acceptable expected error and tolerable error rates.

Required
The auditor must determine the acceptable error rates by taking into consideration the following:

a) The assurance required
For an auditor to be 100% certain that a control is working as designed, he/she will need to test 100% of the population. This is neither practical nor cost effective. It is for this reason that a sample, representative of the whole population, is to be tested by the auditor. The auditor needs to balance between 100% and the assurance factor that he/she is comfortable with.

The assurance required would allow the auditor to determine how much work needs to be done. Assurance can also be translated into the following question: "How certain do I (the auditor) have to be that this control is working as designed?" The more certain the auditor needs to be, the more work will need to be done and the larger the sample size will be.

Note: The Internal Audit section and not individuals normally set this assurance factor.
b) The tolerable error
Tolerable error is determined by the Internal Audit Section and is normally 100% less the percentage of the assurance factor. (I.e. if the assurance factor is 95%, then the tolerable error would equate to 5%) Tolerable error is normally between 10% – 5% depending on the standards set by the Internal Audit Unit.

c) Expected error
This stems from the assurance required and is the error that the auditor expects in a sample and that which he/she will tolerate within a sample. Looking at past audits conducted, but also taking into consideration the current events, human error etc, one can normally calculate the expected error. The expected error should always be less than the tolerable error.

Source of information
The auditor will make use of the following sources of information:
a) Audit software
b) Past audits conducted
c) Internal Audit standards set
d) Population information
e) Scope of the audit
f) Time/budget constraints

Use of information
The decisions made here will assist in determining the sample size below.

6.2.3 Determine the sample size (Responsible: Internal Auditors)

Objective
The auditor needs to determine how many items in the population will be tested to give a fair indication of the effectiveness of the control.

Required
Once the auditor has decided the assurance required, the tolerable error and the expected error, he/she can use a table to determine the sample size. (If sampling software is used the table will be built into the system). I.e. "How many items in the population will be tested to determine the effectiveness of the control?"

Tables typically give the required sample size based on the degree of assurance, tolerable and expected error. They should also give the maximum number of errors the auditor can accept in his/her sample before concluding that his test objective has been met.
The Manager: Internal Audit will decide on the method to determine the sample size. Careful consideration must be given to the sufficiency of the sample size, if these factors are not present in the application for which the sampling table is used.

Sources of information
The auditor will make use of the following sources of information:
a) Tables
b) Audit software
c) Past audits conducted
d) Internal Audit Unit standards set
e) Population information
f) Scope of the audit
g) Time/budget constraints

Use of information
The decision of the final sample size will determine the audit work to be conducted during the effectiveness phase of the audit.

6.2.4 Determine the sample selection method (Responsible: Internal Auditors)

Objective
To determine the method that will be applied to select the sample items.

Required
The auditors are required to make use of one of the following methods when selecting the sample items:

a) Random
The auditors will make use of the random tables when using this method. The tables will be used to obtain the numbers of the items to be selected. This can be used in any situation. Where sample items do not have a generic assigned number, the auditor can number the population, thereby still making use of this method. This is one of the preferred methods as it is not possible to be influenced by the auditor’s preference. I.e. it is an unbiased, independent sample selection method. Generally for all major assignments a sample of 25 can be used.

b) Systematic
When using this method the auditors will decide on a starting number and then check every document in the sample. The starting number can be selected by using the random number tables. This is one of the preferred methods as it is not possible to be influenced by the auditor’s preference. I.e. it is an unbiased, independent sample selection method.
Generally for all major assignments a sample of 25 can be used.

c) Haphazard
The auditor will check documents in no particular order or preference. It will be up to the auditor to use his/her discretion when selecting documents or sample items to be tested. This method may be particularly useful when selecting sample items that do not have any numbers, i.e. selecting employees to interview. This is the least preferred method as it is often influenced by the selecting auditor’s preference, say to a month, number etc. Generally for all major assignments a sample of 25 can be used.

Sources of information
The auditor should make use of the following sources of information:
a) Audit software
b) Past audits conducted
c) Internal Audit Unit standards set
d) Population information
e) Scope of the audit
f) Time/budget constraints

Use of information
The decision made here will determine how the items to be tested for effectiveness will be selected by the auditors.

6.2.5 Apply the sample selection method to the population (Responsible: Internal Auditors)

Objective
To determine exactly which items of the population will be tested.

Required
The auditor must decide which population he/she will test, and which populations will be tested by means of following the initial source documents through the system. (I.e. it may be easier to select the sample of initiating source documents (such as requisitions in an ordering system) and use this sample to test other documents (such as orders, delivery notes etc.) rather than selecting a new sample for each population.) The reason for this is efficiency of the audit. Rather than the client drawing many different files, they can draw one set of files that will be used throughout the audit. This will also help determine whether a transaction has been processed correctly from start to finish.
Once this has been decided, he/she applies the selection method to the population until the sample size required has been selected.

Source of information
The auditor will make use of the following sources of information:
a) Tables
b) Audit software
c) Past audits conducted
d) Internal Audit Unit standards set
e) Population information
f) Scope of the audit
g) Time/budget constraints

Use of information
The information will be used to determine which items are required for testing. The auditors should forward this information immediately to the client so that they can assist in availing the necessary documents for the auditors and so speed up the audit process.

6.2.6 Decide on methods of gathering audit evidence (Responsible: Officer: Internal audit and Internal Auditors)

Objective
The auditor is to determine the different means to gather the required information.

Required
The auditor can consider the following methods of gathering information:

a) Enquiry
Ask the appropriate level of the client’s staff. The questions posed should be carefully designed so as to get the exact information that is required. Professional scepticism must be maintained when relying on enquiries made. Management can always manipulate the system and cover it up by offering a seemingly suitable explanation.

b) Observation
The auditor should try and observe controls being performed without the person performing the task being aware that they are being observed. Observation should take place throughout the audit. Observations made contrary to the documented control should be noted and reported to management. (E.g. valuable assets not taken care of, confidential information displayed openly, passwords written down, etc.)

c) Inspection
This involves the physical inspection of documentation for evidence that a control is being performed, i.e. a signature authorising a document, etc. This is the most common form of gathering audit evidence.

d) Re-performance
This involves the re-performance of the control that has taken place to ensure that it was performed effectively. An example of this is the re-calculating of the items on the invoice for accuracy, etc.

e) Confirmation
This confirms enquiries and observations made and is normally obtained directly from third parties, but not always. It is very important that enquiries made be followed up by confirming what management has stated with other supporting evidence where applicable. This is normally one of the better forms of audit evidence as it often requests confirmation directly from an independent third party (such as confirmation of debtors’ balances).

f) Data analysis
This involves the analysis of data that is available for the audit, and is commonly used in trend analysis etc. Management often does certain trend analysis for their use. The auditor should use this information (rather than re-perform the analysis) when it is available, but should check the calculations and supporting information source used in the calculations.

Certain procedures don’t involve sampling, e.g. enquiry, observation, and data analysis. The overriding factor in deciding on a selection strategy is that the auditor must be satisfied that the results obtained give sufficient, competent, relevant and useful information.

Source of information
The auditor will make use of the following sources of information:
a) Information gathered in Phase 1
b) Systems descriptions
c) Past audits conducted
d) Internal Audit Unit standards set
e) Population information
f) Scope of the audit
g) Time/budget constraints

Use of information
The audit programs will be required to state the different methods of gathering evidence. In most cases, all of the above methods are used in various programs.

6.2.7 Develop audit programs (Responsible: Officer: Internal audit and Internal Auditors)

Objective
The auditors are required to develop the audit programs required to test the various controls identified in the adequacy of controls assessment.

Required
The auditors must develop audit programs which will act as instructions to auditors on how to test whether the controls decided on are effective or not. The program must therefore be clear in its instruction. The auditors performing the task should be able to, by following the instructions, perform the task without asking any further questions. Instructions should therefore be clear, telling them what they must do (inspect, observe, re-perform, etc.) and why they are performing the task (to confirm compliance to legislation etc.). The audit program should address the risks identified. The audit program is subject to review and changes by the Officer: Internal Audit.

Source of information
The auditor will make use of the following sources of information:
a) Systems Descriptions
b) Control Adequacy Assessments
c) Past audits conducted
d) Internal Audit Unit standards set
e) Information regarding samples etc. decided on above
f) Scope of the audit
g) Samples selected
h) Time/budget constraints

Use of information
The information here will be used to document the audit programs as indicated below.

6.2.8 Document audit programs (Responsible: Internal Auditors)

Objective
The objective of this exercise is to document the audit programs. The auditors should use this exercise to gain knowledge of the design of audit programs.

Required
The auditors will be required to document the information onto the working papers provided. The auditors should take care not to blindly act as secretaries at this stage. They should consider the information that they are documenting and should decide whether they agree or disagree and whether they have any additional ideas they wish to add. Where the auditors differ they must approach the Officer: Internal audit and/or Manager: Internal Audit to obtain clarity on the information and make their suggestions.

Source of information
The auditors should use the following information when documenting the audit program:
a) Information supplied by the Manager: Internal Audit and Officer: Internal Audit
b) Knowledge and past experience of auditors
c) Standards set by Internal Audit Unit
d) Working papers provided

Use of information
The audit programs will act as audit procedures carried out by the Internal Auditors regarding the effectiveness testing to be conducted in the next stage.

6.3 Output
The output of this phase is the design of audit programmes and the determination of sample size selection.

7. Phase 5 - Audit Execution and the assessment of effectiveness of internal controls
(Performance Standards 2300, 2310, 2320, 2330, 2340) (Practice Advisories 2330-1, 2330.A1-1, 2330.A2-1, 2340-1)

7.1 Purpose of the assessment of the effectiveness of controls
The purpose of the gathering of audit evidence is to form the basis of the audit opinion on the effectiveness of controls.
The objective of this phase is to:
- Test the effectiveness of the controls that are assessed as adequate in phase 3
- Gather evidence regarding the effectiveness of controls
- Document evidence regarding the effectiveness of controls to support our findings and opinions
- Formulate findings to be reported to management regarding the effectiveness of the controls

Audit evidence should comply with the standards and be sufficient, competent, relevant and useful to support the expressed opinion.

7.2 Steps to follow in phase 5

7.2.1 Confirm with management the scope and objective (Responsible: Internal auditors)

Objective
The auditors should indicate to management those controls that will be tested and confirm whether management has any specific additions they wish to add to this.

Required
The auditor should highlight the controls on the systems description indicating the controls that will be tested, or prepare a list of controls that will be tested. Management must not be handed the audit programs. The auditors are required to hold a brief meeting with management to confirm with them the controls that will be tested. To maximise the effectiveness of this meeting an agenda and supporting documents should be forwarded to management ahead of time for their perusal. Please note that this documentation should not be forwarded to management without the setting of a meeting simultaneously to discuss the information.

Source of information
The auditors should make use of the following information:
a) Phase 2 systems descriptions
b) Phase 3 adequacy of controls assessment
c) Knowledge and experience
d) Phase 4 audit programs
e) Prepared agenda

Use of information
This process will confirm with management that they are in agreement with the controls that are going to be tested / excluded from the test process and will assist auditors in obtaining management buy-in of the process.

7.2.2 Obtain information required to execute audit programs (Responsible: Internal Auditors)

Objective
To increase the efficiency of the audit, the auditors should request all the information required upfront.

Required
The auditors should request all the information required upfront. This will assist in speeding up the audit. The auditors should start with the information available immediately, but continually follow up on information that was requested and is still outstanding. Information required includes working papers to document evidence, audit programs to execute tests and documented evidence held by the client (i.e. vouchers, registers, records etc.).

Source of information
The auditors should make use of the following sources of information:
a) List of required information prepared
b) Audit programs prepared
c) Client’s staff and supporting documents

Use of information
The information obtained will be required in the execution of the audit to test the effectiveness of the management controls.

7.2.3 Execute the audit programs (Responsible: Internal Auditors)

Objective
The auditors execute the audit programs to determine if the controls that they are testing are effective or not.

Required
The auditors are required to perform the procedures documented in the audit programs. The auditors should require the Manager: Internal Audit and Officer: Internal audit to assist them when performing the procedures that are required on the audit program should they be in any way unsure as to what is required from them.

Source of information
The auditors should make use of the following sources of information:
a) Audit programs prepared
b) Client’s staff and supporting documents

Use of information
The information obtained will be utilised to formulate findings of areas where the control is not effective.

7.2.4 Maintain a record of findings (Performance Standards 2330, 2340, 2400, 2410, 2420) (Practice Advisories 2330-1, 2330.A1-1, 2330.A2-1, 2340-1, 2410-1 and 2420-1) (Responsible: Internal Auditors)

Objective
The auditors should keep a record of all errors detected during the execution of the audit procedures.

Required
The auditor should complete an Observation Form (OF) whenever the auditor identifies a possible (a) opportunity for operational improvement, (b) discrepancy, (c) error, (d) irregularity, (e) weakness or (f) deviation from internal control standards, regulations, or policies. Prior audit reports and linked audit observations should be reviewed and used to the extent possible to avoid re-creating an observation already developed.

At the time the auditor realizes they have an audit concern, they should begin to complete the Observation Form and discuss the observation with the auditee. This discussion should be documented in the applicable fields of the Observation Form.

The Observation Form should stand alone and should document the auditor's analysis (criteria, condition, cause, consequence, and corrective action) related to the finding. That information should not be elsewhere in the work-papers. The work-paper where the work was performed which resulted in the observation and supporting work-paper references should be DocLinked to the Observation Form in the space provided. Documenting the analysis assists the auditor in preparing to discuss the observation with the auditee.

The Observation Form should document the results of the problem analysis/resolution process. The form is not a step-by-step recipe for doing the work itself, because problem analysis/resolution is not a linear process (so trying to fit it on a linear form is probably hopeless). Simply completing the form is not a substitute for critical analysis of the situation.
The auditor should answer such questions as the following:
- What is the problem that exists?
- How extensive is the problem?
- What is the risk associated with the problem, or lack of controls?
- Do we have our facts correct?
- Does the auditee agree that the problem exists?
- Are there other controls to compensate for the problem?
- Are there practical solutions to the problem?
- Has management agreed with our recommended corrective action or formulated corrective action?

Since the Observation Forms contain the auditor’s professional analysis of audit concerns, they are among the most important work-papers created.

Instructions for Completing the Observation Form

1. Finding - Description of Observation [Condition]
This section of the Observation Form should contain a clear and concise statement of the condition. The work-paper where the auditor documented the results of the audit procedures which identified the condition should include a DocLink to the audit observation. The applicable audit procedure should also have a DocLink to the audit observation. The audit observation should have a DocLink back to the supporting work-paper.

a. Discussion of the facts with the auditee
The auditor should verify the facts with applicable auditee personnel before spending additional time developing the observation. Document the date and discussion with the auditee as outlined on the observation form.

b. Determine if the observation is an audit finding
An audit finding is an observation that the auditor believes deserves further development and analysis as part of the current audit. Based on additional information provided by the auditee or further consideration of available solutions, the auditor may be convinced that their initial concern is not worth pursuing. This should be explained on the Audit Observation form and the applicable disposition should be selected.
Dispositions for such observations include:
- mitigating controls—other controls are in place which reduce the risk below the cost of the control.
- not significant—immaterial error(s) identified.
- not a concern—determined issue was unsubstantiated.

2. Discussion & Background - Analysis of the audit finding [Criteria and Cause]
The auditor should document the analysis of the problem in this section. References to applicable standards and/or good department practice should be included. If possible, the auditor should identify probable causes (as opposed to the symptoms) for the audit observation. This section should not contain information that is redundant to that found on the work-paper.

3. Recommendation [Consequence and Corrective Action]
The auditor should include a statement of risk which is sufficient to answer the "so what?" question so that the reason for reporting the observation is clear. This section should also include the corrective action to be presented to the auditee.

For reporting purposes, audit observations are often combined for the purposes of clarity or conciseness. When such a combination is appropriate, this should be documented in this field. The auditor should indicate on both the individual observations and the summary/combined observation that concerns were combined for reporting purposes (i.e., different concerns with the same risk). For those documents combined, only the observation used in the report will have a disposition of audit report. Supporting observations that were combined should have a disposition of "combined for report". Only the recommendation section of the combined form will be updated to reflect the final report language. DocLinks should be created on both the individual observations and the combined observation for easier review and subsequent follow-up.

4. Comments
The auditor should document the discussions in 1 and, as applicable, 2 and 3.

5. Disposition
The following dispositions are available:
- Mitigating controls—discussed in 1b above.
- Not significant—discussed in 1b above.
- Verbal discussion—when the observation is deemed not material for audit report purposes.
- Combined for report—discussed in 3 above.
- Not a concern—discussed in 1b above.
- Future audit concern—outside of the current audit scope.
- Audit report—when the observation is deemed significant and warrants auditor follow-up.

The disposition section of the Audit Observation form should be updated if the disposition of any observation changes during the report review process. An Observation form with an "audit report" disposition should also be DocLinked to the Internal and External Draft reports to provide referenced copies of the report and to ensure audit observation dispositions accurately reflect the contents of the final report.

An audit observation may result in more than one recommendation and therefore should be split to provide for two or more distinct implementation dates for follow-up purposes. A new audit observation should be created with the same title that refers to it as the 2nd, 3rd, etc. The Finding and Discussion and background fields of the new audit observation(s) should refer to the original audit observation. All of the related recommendations should be included in all audit observations with the applicable recommendation related to each new audit observation created highlighted.

Entering an "audit report" disposition causes the following additional fields to appear on the Audit Observation form:

Management Response: If a written response has been received for observations that are coded as Audit Report, the response should be scanned and attached to this field.

Person(s) Responsible: This should be the complete title and name of the person who will implement the AO (at a minimum we need the complete job title, e.g. Director: Technical Services).

Expected Completion: This is a very important date. This is the date that the auditee said they would implement the AO. The first time this field is entered it should be the date agreed to in the audit report. This date can change if they request a new Expected Completion (EC) date. When we agree to a new EC date this field changes to the new EC date. The auditor must record this new, extended EC date in this field.

Auditor Responsible: This is the field that notes which auditor is responsible for follow-up.

Planned Follow-up Date: This is the auditor’s field. The auditor can use this to plan the follow-up or ignore it altogether.

Follow-up Comments: This field should not be used by auditors. Any follow-up comments should be placed in the appropriate 1st, 2nd, 3rd or 4th Follow-up Work-papers field.

1st Actual Follow-up Date: This is the actual date that the auditor did their first follow-up, hence the name.

2nd Actual Follow-up Date; 3rd Actual Follow-up Date; 4th Actual Follow-up Date: similar definition applies. Do not fill in this date until follow-up is done.

1st Follow-up Work-papers: This is the field where the auditor enters their recommendation as to the status (Implemented, In-Progress, Withdrawn, Not Implemented, or New Expected Completion Date). The auditors must also DocLink or type any information relevant to the follow-up recommendation and the work that was performed. This, as noted above, is also the field where the auditor enters the new EC date if a new EC date is given. The auditor does not need the General Manager’s or Director's pre-approval to agree to a new EC date.

2nd Follow-up Work-papers; 3rd Follow-up Work-papers; 4th Follow-up Work-papers: similar definition applies.
For 4th Follow-up Work-papers, if the AO has not been Implemented, or Withdrawn, it becomes Not Implemented and must be brought to the General Manager’s or Director's attention for their decision.

Set Actual Completion Date: This field will also be completed by the relevant representative of line management.

Request review by: When the auditor has completed any follow-up (1st, 2nd, 3rd or 4th), select the General Manager’s or Director's name in this field to put the work in their review queue. Follow-up must be approved by the General Manager or Director. They will not know the auditor has follow-up that needs to be reviewed and approved unless the auditor sends it to their review queue.

If the corrective action plan or expected implementation dates have not been received prior to issuance of the report, the date by which a response was requested should be entered in the Overview form in the "Mgt. Response Due Date" field. Quarterly, audit reports without responses and 30 days beyond the response due date are identified (Overdue Mgmt. Responses view in AutoAudit). A letter from the Manager: Internal Audit is sent to the Municipal Manager for resolution of the lack of response. When responses to audit reports are subsequently received, the auditor should record the applicable dates on the Audit Observation forms and also record the date the response was received on the Overview form, in the "Mgt. responses received" field.

Developing a Finding
This worksheet is designed to assist the System Auditor in writing findings and recommendations for the report. The Recommendation solves/matches the Condition and the Cause.

Worksheet fields:
- Condition
- Effect
- Cause
- Criteria
- Recommendation 1 - Solves the Condition
- Recommendation 2 - Solves the Cause

Use of information
The information recorded will be used as a base to raise informal queries with management during the course of the audit.
By maintaining a summary of the information, this will help the audit run more efficiently.

7.2.5 Maintain and document audit evidence (Responsible: Internal Auditors)

Objective
The auditors must document their audit evidence to support findings and recommendations.

Required
The results of the performance of all steps of the audit programs should be documented. This includes procedures of enquiry and observation. From the audit evidence, one should immediately be able to determine whether a procedure is complied with or not.

When documenting audit evidence avoid long paragraph descriptions of the procedures performed; rather concentrate on documenting the factual evidence. Clearly indicate any exceptions that occur during the execution of the control, and obtain a copy of the evidence highlighting the area indicating the non-performance of a control. It is not necessary to copy all the documents indicating that the control is performed, only the exceptions to the rule.

Source of information
The auditors should make use of the following sources of information:
a) Audit programs prepared
b) Client’s staff and supporting documents
c) Working papers provided

Use of information
The auditors must be able to support the findings and recommendations made to the client in the final audit report. The documented evidence in the form of working papers is the base for that support.

7.2.6 Evaluate findings (Responsible: Internal Auditors)

Objective
To evaluate the audit evidence collected in terms of the original objective.

Required
The auditors are required to analyse the findings of the execution of the audit in order to determine whether the controls are effective or not. When evaluating the outcome of the audit procedures performed, the auditor should use the tolerable error and expected error as benchmarks during the evaluation.
The auditor should also consider evidence of the threat occurring that the control is in place to prevent. This may not be specifically discovered during the test, but may be part of the information that the auditor gathers throughout the audit. This must be noted in the evaluation of the evidence. (I.e. if all the controls are adhered to but the threat still occurs, this could imply that the controls are not effective.)

Where the tests are not satisfactory, the auditor should consider the need for extending the tests or considering the control to be not effective. This occurs where the tolerable error has just been exceeded, but it is clear that the control may be working, and should the auditor extend his/her testing by a few more transactions, the actual error will be reduced. The Manager: Internal Audit or Officer: Internal Audit should always be contacted when such a decision needs to be made.

The auditor is providing an opinion on effectiveness of the controls and not on the achievement of the performance objectives themselves. The auditor will only give an opinion on the achievement of the audit area's performance objectives after carrying out a Quality of Performance Assessment. The difference may appear subtle, but it is fundamental. Audit assessments should be agreed with the client at the end of the phase.

Source of information
The auditor will make use of the following sources of information:
a) Execution working papers
b) Set objective of the audit
c) Knowledge and experience gained
d) Benchmarks established for tolerable and expected errors

Use of information
The assessment of audit findings will determine the type of report issued to management at the completion of the audit.

7.2.7 Fraud Indications (Performance Standard 1210.A2) (Practice Advisory 1210-1, 1210.A1-1) (Responsible: Internal Auditors)

Objective
The auditors will be required to indicate whether there are any fraud indicators in the system.

Requirement
The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

In conducting engagements, the internal auditor's responsibilities for detecting fraud are to:
- Consider fraud risks in the assessment of control design and determination of audit steps to perform. While internal auditors are not expected to detect fraud and irregularities, internal auditors are expected to obtain reasonable assurance that department objectives for the process under review are being achieved and material control deficiencies, whether through simple error or intentional effort, are detected.
- Have sufficient knowledge of fraud to identify red flags indicating fraud may have been committed. This knowledge includes the characteristics of fraud, the techniques used to commit fraud, and the various fraud schemes and scenarios associated with the activities reviewed.
- Be alert to opportunities that could allow fraud, such as control weaknesses. If significant control weaknesses are detected, additional tests conducted by internal auditors should be directed at identifying other fraud indicators. Some examples of indicators are unauthorized transactions, sudden fluctuations in the volume or value of transactions, control overrides, unexplained pricing exceptions, and unusually large product losses. Internal auditors should recognize that the presence of more than one indicator at any one time increases the probability that fraud has occurred.
- Evaluate the indicators of fraud and decide whether any further action is necessary or whether an investigation should be recommended.
- Notify the appropriate authorities within the municipality if a determination is made that fraud has occurred to recommend an investigation.

Specialist Forensic Auditors are to be engaged where red flags are identified in order to investigate possible case(s) of fraud/corruption. The Officer: Forensics can be consulted at this stage with comments being appropriately documented in the working paper file.

8. Phase 6 – Reporting

8.1 The purpose for reporting

Reporting (Performance Standards 2400, 2410, 2420, 2421, 2430, 2431, 2440, 2600) (Practice Advisories 2410-1, 2420-1)

The internal audit report communicates the results of the audit work and for that reason alone it is perhaps one of the most important parts of the audit process. It is important because it is what the Municipality and senior management see, and in some cases may be the only product of our work that management receives. If written and communicated well, it can act as a positive change agent prompting management to take corrective action.

Writing an effective audit report starts with a clear understanding of how the report will be used, viewed and acted upon by Municipality management. Internal audit reports have three major objectives:
- Inform - To make Management of the Municipality aware of a situation by communicating the results of our audit work.
- Persuade - To convince Management of the Municipality that our comments are valid and worthwhile.
- Results - To convince Managers of the area under review to take appropriate action.
The Internal Auditors shall clarify issues as documented in the schedule of audit findings and recommendations and compile the draft audit report, which shall be reviewed by the Officer: Internal Audit. After the necessary changes have been made, the draft shall be submitted to the Manager: Internal Audit for final review and approval of issuance to client Management.

Exit Conference
Meet with the key client personnel to discuss how the audit has progressed and furnish them with a summary of findings for clarification. N.B. Minutes should be taken.

Audit findings and recommendations
A summary list of findings may be presented at the front of the section. The findings may also be classified as high, medium and low priority, if meaningful. Alternatively, the listing could be presented in action plan format outlining accountabilities and due dates together with the summary findings and recommendations.

Audit findings may be presented in order of importance. In lengthy reports it may be useful to subdivide them into logical groupings. Consideration may also be given to the order of presentation of these sections.

8.2 Management Comments – in writing

To the extent management responses are included in the report, they should generally be action-oriented and include responsible parties, action to be taken and timing of completion. While management is responsible for its responses, the team should be comfortable that the planned action is practical and could be implemented within the specified time frame. This is because senior management may erroneously presume that we endorse the feasibility and timetable of management’s action plan.
Where management disagrees with or does not accept a recommendation, this should generally be reflected in the report.

8.3 Executive Summary Reports

Most readers of a report and, more importantly, key decision makers tend to focus on the executive summary and may delegate the detailed consideration of the report to other staff. Consequently, executive summaries represent the best opportunity to communicate the significant matters arising from the audit. Key considerations include:
- Executive summaries should generally not exceed 2-3 pages and contain high-level information regarding significant findings and action plans or recommendations.
- The characterisation of issues should be consistent with the detail report.
- The contents of the executive summary should reflect the requirements and preferences of the senior management recipients.
- The summary can be balanced by including:
  - relevant background information, objectives, scope, approach, restrictions and/or limitations;
  - summaries of the key issues and/or recommendations;
  - risk profile and previous audit results;
  - acknowledgement of the actions taken or proposed by management on current and previously reported issues;
  - areas of significant disagreement between management and the audit team; and
  - acknowledgement of satisfactory performance and distinctive best practices.

8.4 Periodic Management / Audit Committee Reports (Performance Standards 2400, 2410, 2420, 2421, 2430, 2431, 2440) (Practice Advisories 2410-1, 2420-1)

The timing, form and content of periodic reporting should generally be agreed as part of the Municipality expectations definition in Phase A. As part of the periodic reporting process, Internal Audit should usually meet formally with the Audit Committee at least annually but preferably more often (e.g., quarterly). Periodic reports may serve as the key document in demonstrating the delivery and performance of the internal audit services.
Throughout the year there should generally be regular contact with senior management and at least the Chairman of the Audit Committee to keep them fully informed of the internal audit activities and report progress against agreed standards and plans. Key considerations include:
- Wherever possible, reports should be presented in person to senior management and/or the Audit Committee. This ensures the context is clearly understood, questions can be answered and department unit satisfaction can be evaluated. Minutes of such meetings should generally be included in the record of work performed.
- Wherever possible, reports to the Audit Committee should utilise graphical interpretation and colour printing, in order to maximise their impact and the perception of our service.

Typical elements of periodic reporting include:
- Audit plan status (audits planned, completed, delayed, cancelled, added)
- Summary of significant findings and trends for the period
- Status of previous recommendations (implemented, in-progress, not addressed) (follow up reports)
- Operational plan for the upcoming period
- Performance report (see Stage IV – Internal Quality Assurance)

Other examples might include:
- Issues identified in the planning stages of the assignment (e.g., alignment gaps, we might have identified areas lacking defined arrangements such as lack of succession planning, lack of communication of strategic objectives, etc.).
- Summary of value-added results (compilation of quantified results/impacts).

8.5 Completion (Performance Standard 2340) (Practice Advisory 2340-1)

Audit completion comprises the final stages of the audit and processes have been completed satisfactorily. The objective is to complete the audit in an orderly manner in accordance with our professional obligations and assignment objectives.
We also wish to minimise the time spent on completion tasks and perform as much of the work as possible at the client's site. Key considerations include:
- It may be helpful to hold a debriefing meeting to update the clients on the audit status and to obtain feedback for improving the audit process.
- Performance evaluations should be completed in accordance with Internal Audit Section Performance Management System, where such system is available.
- Audit files should be prepared for archiving to ensure coaching notes are addressed and team member sign-offs are documented.
- Debriefing
- All queries to be cleared
- Reconcile actual time to budget where applicable (i.e. if the Internal Audit Section maintains the timesheet system)
- Client satisfaction questionnaire (i.e. Client Survey Feedback) to be sent out.

Audits built on this framework contribute to the integrity of financial records; help to safeguard assets; encourage components to comply with laws, policies, and procedures; and help promote efficient, effective, and economical operations.

9. Phase 7: Follow-up (Performance Standard 2500) (Practice Advisories 2500-1, 2500.A1-1)

9.1 Purpose of a follow-up audit

This phase evaluates whether management implemented the corrective measures agreed to in the Final Audit Report. The objectives of this phase are to:
- Select a sample of items
- Test these items for evidence that the action plans have been implemented
- Report on the implementation of action plans

9.2 Steps to follow

9.2.1 Identify the scope for the follow-up audit (Responsible: Officer: Internal Audit)

Objective
The Officer: Internal Audit must identify the scope of the follow-up audit.

Required
The auditor must develop the scope of the follow-up audit. In order to do this the following must be considered:
a) Time/budget of the audit available
b) Significant items (i.e.
those with the higher ratings)
c) Discussions with management
d) Implementation dates and time of the audit

A summary containing the following information should be prepared to facilitate the audit:
a) Audit phase the finding relates to (e.g. planning or testing)
b) Finding
c) Ratings for Impact and Likelihood
d) Action planned
e) Person responsible
f) Implementation date
g) Assessment of the various phases when applicable
h) Reference to audit work

Prior to finalisation of the scope identification, a discussion should be held with management to confirm that the implementation dates have been met and to identify where any delays have occurred. Where delays have occurred, documentation of the reasons and root causes will be required.

The Manager: Internal Audit should sign off on the scope document prior to the commencement of the audit. Normal project management procedures should be followed to the extent that they would facilitate the audit and enhance the efficiency of the audit.

Source of information
The auditors should consider the following sources of information when preparing the scope:
a) Final audit report
b) Discussions with management
c) Past experience and knowledge

Use of information
The setting of the scope of an audit will assist the audit team in determining exactly what audit work must be done.

9.2.2 Select the sample size and items to be tested (Responsible: Officer: Internal Audit and Internal Auditors)

Objective
The auditors are to determine the sample size and items to be tested.

Required
The auditors should consider the following when deciding on sample size and items:
a) Scope of the audit as defined above
b) Implementation date and the number of transactions since

The sample size and items should be selected as would be done when carrying out phase 4 of this methodology.
Generally a sample size of ten (10) will be used if it can be demonstrated that it will be practical and efficient during the audit.

Source of information
The auditors should use the following as a source of information when deciding on the sample size and items:
a) Final Report
b) Scope document
c) Working papers

Use of information
The outcome of this section will decide what the audit team will audit when carrying out the effectiveness, adequacy and strategy assessment work.

9.2.3 Execute the audit work (Responsible: Officer: Internal Audit and Internal Auditors)

Objective
The auditors want to determine whether the action plan has been implemented as was stated.

Required
The auditors will be required to perform audit work that would be sufficient in the circumstances to establish whether the action decided on during the audit has been implemented according to the action plan.

Source of information
The auditors should use the following as a source of information when performing the audit work:
a) Final Report
b) Discussion with the client
c) Sample size and items
d) Documentation kept by the client
e) Working papers

Use of information
The outcome of this section will assist in determining whether the corrective action taken by the client’s management is appropriate, adequate, efficient and effective.

9.2.4 Develop informal queries and discuss with the client (Responsible: Officer: Internal Audit and Internal Auditors)

Objective
The auditors need to raise any additional queries that arise with management.

Required
The auditors need to bring to management’s attention any areas where the implementation of the action plan has not occurred. These queries will be raised in the same format as mentioned under phase 6 of the audit methodology. Remember to discuss the queries with management and not merely hand them to management.
Source of information
The auditors will make use of the following information:
a) Documented audit work
b) Professional judgement
c) Working papers

Use of information
The information will form the basis of the final report that will be submitted to management.

10. Ad-hoc assignments

10.1 Purpose for this section on ad-hoc assignments

This section of the methodology is designed to provide a guide to the internal auditors who are involved in the execution of ad-hoc assignments. The objectives of this section are to:
- Clarify the specific nature of ad-hoc assignments
- Provide a guide to the auditors regarding ad-hoc assignments

10.2 Guideline

10.2.1 Nature of Ad hoc Assignments

Audit assignments that are received specifically from the clients are usually very specific in nature and have arisen due to problems that have been identified. It is important for the auditor to fully understand the requirements of the audit prior to the commencement of the audit. Usually the specific request will be assigned to auditors via a Manager: Internal Audit. The Manager will already have gathered information on the audit and the briefing of the auditors is very important at this stage. The whole audit approach must be tailored to meet the objectives of the audit, which should be agreed with the client upfront.

10.2.2 Approach

As far as possible the auditors involved in the project should use this methodology. Due to the nature of the audits, there may be specific instances where certain phases of the methodology may not be practical to execute, or may not assist the auditor in achieving the objectives set. In these circumstances, the auditors should approach the Manager: Internal Audit, with a document stating which phases should be ignored and why.
The Manager will then review the situation and decide whether the circumstances warrant the justification provided or not. Should the Manager agree, he will sign off the working paper, and the auditors could then skip those areas of the methodology. The auditor should, however, always bear in mind the systems that the clients have in place to maintain the information. All suggestions should then be noted on the Summary to add value to client points (Refer 8.2.5) above.

10.2.3 Essential requirement for an Ad-hoc Audit

The following sections are deemed essential for any ad hoc audit that may take place:
a) Scope and objective document signed off by the Manager: Internal Audit
b) Summary documents for both the municipality and the process must be completed
c) Brief outline of systems descriptions
d) Sample Selection
e) Audit Programs
f) Evidence Documentation
g) Findings Summary
h) Informal Queries
i) Report

10.2.4 Working papers

Due to the specific nature of an ad-hoc assignment, the documentation designed may not always be suitable. The auditors are always free to design documents that would help them achieve their objectives in a more efficient manner. Auditors should, however, be careful when designing new documentation. This takes time and they should consider the documents already prepared as a base to work from to save time. The current working paper may simply need a few minor alterations to make it achieve the purpose the auditor requires (such as changing the headings, or adding a column).

The auditor should also consider using documentation that the client has prepared as a base for working papers if it is applicable to the situation. By simply adding a heading and a key, the auditor may be able to record the work performed without the need of designing a new working paper.

11.
Inter-relationships with other components (Attribute Standard 1000) (Performance Standard 2000)

11.1 Purpose of this section

This section sets out our interaction with the other Internal Audit components such as:
a) Computer Audit
b) Forensic Audit
c) Performance Audit

The objectives of this section are to:
- Remind the auditors of the importance of good communication within the different components of the Internal Audit Section
- Set out a guideline for the interaction with the various components

11.2 Guidelines

Compliance and Governance
During compliance audits, the internal auditor assesses to what degree an operation conforms with legal agreements and obligations to outside parties. Included in this category are reviews of contracts as well as audit of transfer of funds in terms of the annual Division of Revenue Act. Also included in compliance auditing is assessing to what degree the municipality or department adheres to applicable policies and procedures and Acts, e.g. Municipal Finance Management Act; Municipal Systems and Structures Act and other relevant legislated Acts.

Financial
During financial reviews, internal auditors determine whether historical financial information presents fairly the financial position and result of operations. To form an opinion, auditors examine the internal control structure and test transactions surrounding economic events. Financial audits are not primarily intended to evaluate clients' effectiveness or efficiency. As a result, comments and recommendations are byproducts of a financial audit rather than the main objective.

Operational
This category is also known as performance audits or managerial audits. These reviews are aimed at assessing an operation's ongoing administrative efficiency and effectiveness. The objective is to assist management in identifying and resolving problems. To successfully audit operations, internal auditors develop standard managerial yardsticks and approaches to administrative activities.
This process enables the Internal Auditors to analyze and evaluate the effectiveness, efficiency, and economy of operations. Although financial data continues to be the base of reference, auditors look beyond the figures to provide assistance toward improving clients' operations. At the end of the audit, the internal auditor prepares a written report containing significant findings and recommended measures for improvement, which is sent to affected and responsible management for action.

Investigative
The internal audit function undertakes investigative audits when circumstances or evidence suggest financial misconduct or irregularity involving public funds, property, or personnel. Investigative audits differ from other audits in that they may be conducted without first notifying the client.

Ad-Hoc Audits
Individual audit engagements/projects that may emanate from requests from the Accounting Officer and Audit Committee.

12. QUALITY ASSURANCE (Attribute Standards 1300) (Practice Advisory 1300-1)

General
The establishment and implementation of a quality assurance and improvement program for the Internal Audit section is required by the Standards. The objective of the program is to ensure achievement of audit objectives, performance of audits in accordance with applicable standards, and development of staff.

Supervision
Supervision is a continuing process. It focuses on individual audits. It is to provide assurance that auditors are doing what they are supposed to be doing in their on-going projects.
The assurance given should include not only that staff auditors conformed to the methodology as outlined throughout this manual (audit objectives were met, working papers supported findings and conclusions, and work-papers provide adequate information for a meaningful report) but also that the work was completed in accordance with the Standards. Properly supervised audit projects are the first and, perhaps, the most important step in a program of quality assurance.

Internal Assessments
Internal assessments can provide both quality assurance to audit management and training for the staff. The assessments can be done regularly or intermittently. The assessments are appraisals of how well auditors and internal auditors have complied with the Standards and methodology. They encompass the work of both staff and audit management and are an evaluation of a sample of audit working papers and reports. The assessments should also provide recommendations for improvement. The internal assessments should typically be performed by a senior staff auditor, audit management, or combination thereof.

External Assessments
The purpose of the external assessments is to provide an independent assurance of quality to the Audit Committee, management and staff and others such as external auditors who may rely on the work of the Internal Audit. In compliance with The IIA Standards, an external assessment of the work performed by the Internal Audit section will be performed every five years to appraise the quality of the Internal Audit's operation. Upon completion, the Manager: Internal Audit will receive a formal, written report expressing an opinion as to the internal audit section's compliance with the Standards and will include recommendations for improvement as appropriate. The Manager of IA should communicate the results of external assessments to the Audit Committee.
13 POST AUDIT REVIEW {CLIENT SURVEY FEEDBACK} (Attribute Standards 1000, 1100, 1200) (Performance Standard 2000)

Clients are asked to contribute to Internal Audit's continuous improvement process by providing feedback on our Client Survey Feedback. Client Management is asked to provide written comments about the work performed, as well as asked to rate Internal Audit on the following key areas:

Appropriate performance criteria should generally be agreed in Phase A – Auditee/Client Expectations/Deliverables. It is recommended that such surveys be conducted after completion of each project and a summary of the results be discussed with senior management and the Audit Committee. It is important that each auditee’s Key Performance Indicators (KPI) are identified and additionally:
o Potential areas of conflict between the KPIs are identified (e.g., responsiveness to management requests versus adherence to the agreed plan and independence); and
o What standard needs to be achieved for each KPI (e.g., all reports to be issued within two weeks of completion of the fieldwork)?
o A number of performance measures may be measured throughout the year and may be presented to the Audit Committee in the annual report.
o These may indicate:
   o how well the service delivered the agreed plan;
   o what additional work has been carried out or requested; and
   o what effect the audit service has had on the risk profile of the Municipality and its ability to achieve its objectives. This is usually the most important area for performance measurement and is often difficult to measure as it involves the quality of the service in general - a subjective judgement. This may include an assessment of internal audit’s performance in reducing exposure to risk.

A number of quantitative measures can be identified which will balance the subjective views.
Audit Planning
Communicating Results
Professionalism/Conduct of Internal Auditors
Audit Impact

14. GLOSSARY

Adequacy Audit
The purpose of the audit for adequacy of the system of internal control is to ascertain whether the system established provides reasonable assurance that the municipality's objectives and goals will be met efficiently and economically. (SPPIA 2100-1)

Audit Budget
The audit budget is the amount of a resource (time or money) available for consumption for the completion of the internal audit.

Adequate Control
Adequate control is present if management has planned and organized (designed) in a manner which provides reasonable assurance that the municipality's objectives and goals will be achieved efficiently and economically. (SPPIA 2100-1)

Audit Objectives
Audit Objectives are broad statements developed by internal audit and define intended audit accomplishments. (SPPIA 2100) It is a comprehensive statement of what the audit is intended to achieve.

Authorising
Authorizing includes initiating or granting permission to perform activities or transactions. (SPPIA 2100-1)

Cause
Cause is the reason for the difference between the expected and actual conditions (why the difference exists).

Clear reports
Clear reports are easily understood and logical. Avoiding unnecessary technical language and providing sufficient supportive information can improve clarity of reports.

Concise reports
Concise reports are to the point and avoid unnecessary detail. They express thoughts completely in the fewest possible words.

Conclusions (opinions)
Conclusions (opinions) are the internal auditor's evaluations of the effects of the findings on the activities audited. They usually put the findings in perspective based upon their overall implications.
Condition
Condition is the factual evidence, which the internal auditor found in the course of the examination (what does exist).

Constructive reports
Constructive reports are those which, as a result of their content and tone, help the auditee (client) and the municipality and lead to improvements where needed.

Controls (Control Techniques)
The policies, procedures and methods, which ensure that adverse events, which may negatively impact on the successful achievement of the control objectives, are prevented or detected and corrected. It includes Soft controls such as the management style, ethics, communication, control environment, etc.

Criteria
Criteria are the standards, measures, or expectations used in making an evaluation and/or verification (what should exist).

Directing
Directing involves, in addition to accomplishing objectives and planned activities, authorizing and monitoring performance, periodically comparing actual with planned performance, and documenting these activities to provide additional assurance that systems operate as planned.

Documenting
Documenting provides evidence of the exercise of authority and responsibility; compliance with policies, procedures, and standards of performance; supervising, observing, and testing.

Economical Performance
Economical performance accomplishes objectives and goals at a cost commensurate with the risk.

Effect
Effect is the risk or exposure the auditee (client) municipality and/or others encounter because the condition is not the same as the criteria (the impact of the difference). (SPPIA 430.04.7d) In determining the degree of risk or exposure, internal auditors should consider the effect their audit findings may have on the municipality's financial statements.

Effectiveness
The purpose of the review for effectiveness of the system of internal control is to ascertain whether the system is functioning as intended.
Effective control
Effective control is present when management directs systems in such a manner as to provide reasonable assurance that the municipality's objectives and goals will be achieved.

Efficiency
Efficient performance accomplishes objectives and goals in an accurate and timely fashion with minimal use of resources.

Findings
Findings are pertinent statements of fact. Audit findings emerge by a process of comparing what should be with what is. Those findings that are necessary to support or prevent misunderstanding of the internal auditor’s conclusions and recommendations should be included in the final audit report. Less significant information or findings may be communicated orally or through informal correspondence.

Flowchart
Flowchart is a representation, primarily through the use of symbols, of the sequence of activities in a system (process, operation, function, or activity).

Goals
Goals are specific objectives of specific systems and may be otherwise referred to as operating or program objectives or goals, operating standards, performance levels, targets, or expected results.

High Impact
A rating of high implies that the threat/event/activity has:
- A disaster with a potential collapse of the department.
- A critical event that could be seen through, but would have a long-term negative effect on the municipality.
- A critical event that would have the potential to prevent the municipality from achieving its objectives.
- A long-term delay in allowing the organisation to achieve its objectives.

High Likelihood
A rating of high implies that before any controls are implemented the event has a likelihood of occurrence of every 6 months or more.

Internal Audit
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve a municipality's operations.
It helps a municipality accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal Control
Internal control is a process within an organisation designed to provide reasonable assurance regarding the achievement of the following primary objectives:
- The reliability and integrity of information.
- Compliance with policies, plans, procedures, laws and regulations.
- The safeguarding of assets.
- The economical and efficient use of resources.
- The accomplishment of established objectives and goals for operations or programs.
- Identification of risk exposures and use of effective strategies to control them.

Low Impact
A rating of low implies that the threat/event/activity:
- Results can be easily absorbed under normal department circumstances
- Not worth being concerned about the effect of the event
- The event will have little to no impact on the organisation achieving its objectives.

Low Likelihood
A rating of low implies that before any controls are implemented the event has a likelihood of occurrence of once in every two or more years.

Medium Impact
A rating of medium implies that the threat/event/activity:
- Could be seen through with additional resources and management input.
- Can be managed under the normal department circumstances.
- Could prevent the organisation from achieving its objectives, but can be managed with additional resources and management input.
- Could prevent the organisation from achieving its objectives, but can be managed under the normal department circumstances.

Medium Likelihood
A rating of medium implies that before any controls are implemented the event has a likelihood of occurrence of an average of once a year.

Monitoring
Monitoring encompasses supervising, observing, and testing activities and appropriately reporting to responsible individuals.
Monitoring provides an ongoing verification of progress toward achievement of objectives and goals. Internal Audit Framework Page 86 Internal Audit Internal Audit Methodology and Manual Objectives Objectives are the broadest statements of what the municipality chooses to accomplish. Objective reports Objective reports are factual, unbiased, and free from distortion. Findings, conclusions, and recommendations should be included without prejudice. Performance Measures Performance measures are yardsticks against which the achievement of the project objectives can be measured. Performance Standards Performance Standards are the statement of the required level of achievement of the project objectives (i.e. the required performance) as measured by the project measures. Project Objective Project objectives are clear statements of what the Internal auditor is trying to achieve regarding the project. Purpose statements Purpose statements should describe the audit objectives and may, where necessary, inform the reader why the review was conducted and what it was expected to achieve. Quality of Performance The purpose of the audit for quality of performance is to ascertain whether the municipality's objectives and goals have been achieved. Reasonable Assurance Reasonable assurance is provided when cost-effective actions are taken to restrict deviations to a tolerable level. Results Results may include findings, conclusions (opinions), and recommendations. Risks The term risk is the probability that an event or action may adversely affect the activity under review. Risks are what can go wrong in the system of internal control to prevent the organisation from achieving its objectives. Internal Audit Framework Page 87 Internal Audit Internal Audit Methodology and Manual Scope statements Scope statements should identify the audited activities and include, where appropriate, supportive information such as time period audited. 
Related activities not audited should be identified if necessary to delineate the boundaries of the audit. The nature and extent of auditing performed also should be described. SPPIA SPPIA is the abbreviation for the Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors of SA, System A system (process, operation, function, or activity) is an arrangement, a set, or a collection of concepts, parts, and activities. And/or people that are connected or interrelated to achieve objectives and goals. (This definition applies to both manual and automated systems.) Timely reports Timely reports are those that are issued without undue delay and enable prompt effective action. Internal Audit Framework Page 88