Acknowledgements
Article 1
Purpose and Contents of the Manual
1.1 Responsibility for the Manual
1.2 Legal framework
Article 2
General Definition of Internal Auditing
2.1 Concept of Internal Auditing
2.2 Objectives of Internal Audit
2.3 Tasks of an Internal Auditor/Inspector
2.4 Ethics and Professional Conduct of an Internal Auditor/Inspector
Article 3
Internal Audit Service Delivery Process
3.1 Objectives of an effective internal audit methodology
3.2 Stages in the Internal Audit Methodology
3.3 Establishing the Audit Objectives and Auditee Expectations
3.4 Preparing for the Expectations Meeting
3.5 Developing Audit Objectives and Establishing Auditee Expectations
3.6 Developing the Risk Assessment Criteria
3.7 Communicating Overall Audit Objectives Expectations Results to Auditees
3.8 Risk Assessment
3.9 Understanding the Auditee's Business
3.10 Assessing the Control Environment
3.11 Developing and Confirming Your Understanding of the Processes
3.12 Linking Internal Audit Focus to Key and Critical Processes
3.13 Identifying Risks and Related High-Level Controls
3.14 Assessing Risks
3.15 Reporting and Agreeing on the Risk Assessment
3.16 Audit Plan
3.17 Major Processes
3.18 Coordinating the Audit Plan
3.19 Agreeing to the Audit Plan
Article 4
Audit Execution
4.1 Designing Tests of Control
4.2 Pre-Audit Work
4.3 Analytical Review
4.4 Carrying Out Tests of Detail and Substantive Procedures
4.5 Issues for Management's Attention
4.6 Concluding the Audit and Report
4.7 Reviewing Working Papers
4.8 Communicating Results
Article 5
Working Documentation of an Internal Auditor/Inspector
5.1 Working Documentation
5.2 Principles for the Compilation of Working Documents
5.3 Principles for the Preparation of Working Lists
Article 6
Financial Audits
6.1 Introduction
6.2 Definition of Financial Audit
6.3 Objective of a Financial Audit
6.4 Financial Audit Procedures, Preparations and Execution
6.5 Review of Financial Processes
Article 7
Audit Inspection
7.1 Introduction
7.2 PAF Inspection Procedures Overview
7.3 Audit Inspection of Missions Abroad
7.4 Compliance & Inspection Checklist
7.5 Annual Accounts
7.6 Inspection of Computerised Accounting Systems
Article 8
Performance Audits
8.1 Introduction
8.2 Definitions
8.3 Questions Answered by a Performance Audit
8.4 Concepts in Performance Auditing
8.5 Approaches to Performance Auditing
8.6 Performance Auditing and the International Auditing Standards
8.7 Performance Audit Methodology
8.8 Understand the entity's activities
8.9 Deciding on the main elements of the study
8.10 Analysing the main study question into sub-questions
8.11 Identifying criteria
8.12 Identifying the Audit Evidence That Answers the Study Questions
8.13 Selecting the Methods of Interpreting Audit Evidence
8.14 The Preliminary Study Report
8.15 Summarising, Analysing and Interpreting Audit Evidence
8.16 Documentation
8.17 Reviewing the Evidence
8.18 Reporting
8.19 Criteria Used to Assess Performance
Article 9
Systems Audit
9.1 Manual Purpose and Contents
9.2 Basic Terminology
9.3 System Audit General Description
9.4 Assessment Effectiveness of Internal Control System
9.5 Audit of Operations
Article 10
Information Technology Audit
10.0 Introduction
10.1 Understanding IT Controls
10.2 Internal Auditing Role in relation to IT
10.3 Common IT Process Controls
10.4 Risk Considerations in Determining the Adequacy of IT Controls
10.5 Control Characteristics to Consider
10.6 The IT Audit Procedures
10.7 Planning an IT Audit
10.8 Risk Scoring System
10.9 Application Audit Programme
10.10 Other Issues To consider In the Audit Programme
10.11 Audit Methodology and Best Practices: Summary
10.12 Audit of the Integrated Financial Management System (IFMS)
10.13 Review of IFMS General Controls
10.14 Computer-Assisted Audit Techniques (CAATS)
10.15 Auditor/Inspector Knowledge Considerations
Article 11
Fraud and Irregularities
11.0 Introduction
11.1 Fraud Red Flags
11.2 Understanding the Business and the Risk of Fraud & Irregularities in Each Business Area/Process
11.3 Assessing the Impact of Each Possible Fraud & Irregularities Based on its Severity and Potential Frequency
11.4 The Internal Auditor's/Inspector's Role
11.5 Conduct of the Investigation
11.6 Interviewing
11.7 Interviewing Techniques for Fraud Investigations
11.8 Fact Finding Interviews
11.9 Interviews with Suspect(s)
11.10 Interview Notes
11.11 Voluntary Statements under Caution
11.12 Other Relevant Areas
11.13 Components of an Appropriate Anti-Fraud and Irregularities Culture

Appendix 1 ESAAG Guidelines

Appendix 2 International Standards for the Professional Practice of IA

Appendix 3 Fraud Prevention Check up by the Association of Certified Fraud


Article 1

Purpose and Contents of the Manual
This manual is a handbook for use by the Government of Uganda Internal Audit staff,
departments, agencies, etc. It is tailored to help Internal Audit adequately discharge
its statutory and professional responsibilities towards those being audited and the
people of Uganda.
The manual provides the tools for Internal Audit Service staff to carry out the planning,
monitoring, reporting and execution of internal audit. It offers a number of different audit
approaches, along with the planning tools to decide which approach best fits the local
This manual should be considered as a working document, subject to amendments as new
regulations, rules and working practices are introduced. It is a property of the Government of
1.1 Responsibility for the Manual

The Permanent Secretary / Secretary to the Treasury, Accountant General and
Commissioner for Inspectorate and Internal Audit have the overall responsibility
for ensuring compliance and for updating the manual.
All suggestions for amendments, additions and improvements to the manual
should be directed to the Permanent Secretary / Secretary to the Treasury

This manual shall be available to all audit personnel and used as guidance in the
conduct of all Internal Audit work within Central Government Ministries, Departments
and Agencies.
1.2 Legal framework
The Internal Auditing Manual makes use of the following laws, regulations, standards,
and directives though direct reference to them is encouraged:
• Public Finance and Accountability Act, 2003;
• Public Finance and Accountability Regulations, 2003;
• International Standards for the Professional Practice of Internal Auditing, issued
by (IIA);
• International Standards of Auditing issued by the International Standards and
Assurance Services Board of the International Federation of Accountants.
• Internal Audit Charter, issued by the Ministry of Finance, Planning and Economic
• Code of Ethics for Internal Auditors/Inspectors, issued by the Ministry of Finance,
Planning and Economic Development;
• Internal Audit Guidelines set by the East and Southern African Association of
Accountants General (ESAAG)
• The Treasury Accounting Instructions 2003, and
• Circulars issued from time to time by the Permanent Secretary, Accountant
General, etc.
• Other Standards of other professional bodies like the Association of Certified
Fraud Examiners, the Information Systems Auditing Control Association and


Article 2

General Definition of Internal Auditing
2.1 Concept of Internal Auditing

The Institute of Internal Auditors/Inspectors defines Internal Auditing as "an
independent objective assurance and consulting activity designed to add value
and improve an organisation's operations. It helps an organisation accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control and governance processes."
Internal Control means a set of systems operated by an organisation to ensure that
financial and other records are reliable and complete. The objective of an internal
control system is to ensure that management adheres to policies and procedures for
the orderly and efficient conduct of the business, and for the proper recording and
safeguarding of assets and resources.
2.2 Objectives of Internal Audit

The Internal Audit unit shall appraise the soundness and application of accounting,
financial and operational controls and in particular shall:

• Review and report on proper control over the receipt, custody and utilisation of all
financial resources of the unit;
• Review and report on conformity with financial and operational procedures;
• Review and report on the correct classification;
• Review and report on the reliability and integrity of financial and operational data,
so that information provided allows for the preparation of accurate financial
statements and other reports for the information of the unit and the general public
as required by legislation;
• Review and report on the systems in place used to safeguard assets, and as
appropriate, the verification of the existence of such assets;
• Review and report on operations or programs to ascertain whether results are
consistent with established objectives and goals;
• Review and report on the adequacy of action by management in response to
internal audit reports;
• Review and report on the adequacy of controls built into computerised systems in
place within the unit;
• Respond to ad hoc requests for audit assistance or advice as may be requested
by the Accounting Officer or the Heads of Departments of a unit;
• Check and report shortcomings in connection with the accounts, finances and
related operations of the Ministry, Department or Agency;
• Be alert to opportunities, such as control weaknesses that could allow fraud and
where fraud is suspected the appropriate authorities within the department will be


2.3 Tasks of an Internal Auditor/Inspector

• Analyse the activities of the audited organisation periodically, to monitor the
management of these activities, and to recommend adequate measures to
improve the auditee's performance;
• Verify the reliability and suitability of the information system;
• Ascertain whether the entity's policies are implemented correctly;
• Monitor and revise the performance of financial management at all levels of
• Inform the management of any irregularity or anomaly revealed and to
recommend appropriate measures for their elimination;
• Assess the organisation's resources and ensure that all resources (human,
material, and financial) are utilised appropriately so that the best possible results
are achieved;
• Follow-up on whether the recommendations by the internal auditor/inspector have
been implemented.

2.4 Ethics and Professional Conduct of an Internal Auditor/Inspector

Professionally and ethically, the internal auditor/inspector should:

• Be objective in all dealings.
• Behave with integrity and honesty.
• Carry out their work with due skill and care.
• Ensure that all information learnt or obtained is kept confidential.


Article 3

Internal Audit Service Delivery Process

3.1 Objectives of an effective internal audit methodology

Align the internal audit resources with the organisation objectives
Deliver value to the organisation.
Leverage on internal knowledge to efficiently identify and appropriately assess
Drive efficiencies throughout the service delivery process

3.2 Stages in the Internal Audit Methodology

Establish the Audit Objectives and Auditee Expectations
Undertake Enterprise Risk Assessments
Audit Plan
Communicate Results

3.3 Establishing the Audit Objectives and Auditee Expectations

Auditors/Inspectors develop a mutual understanding of the scope of their internal
audit services among the executive management and the Audit Committee.

Based on that understanding and the auditor's/inspector's perception of the work needed,
the internal auditor/inspector will determine the objectives of the audit (i.e., intended
audit accomplishments). Objectives will be in enough detail to guide the audit
program development. This understanding helps in determining the criteria for
assessing the related risks, and the value to be delivered through the provision of
internal audit services.

Auditors/Inspectors also gain an understanding of the relationship protocols,
management's views on audit coverage and cycling, and other information critical to
the success of the engagement.

Importance of this step

It helps the Internal Auditor/Inspector to:
• Determine the auditee's expectations and establish relationship objectives and
• Gain a high-level understanding of the auditee organisation's objectives and
associated critical success factors
• Understand the internal audit focus
• Determine the benefits the auditee wants to receive from their internal audit
services and establish the criteria for measuring and communicating the results of
our service
• Develop the Risk Assessment Criteria
• Obtain sponsorship commitment for their audit process


Steps in establishing audit objectives and auditee expectations

a) Arrange an Auditee Expectations Meeting.
b) Develop the Audit Objectives and Auditee Expectations.
c) Develop the Risk Assessment Criteria.
d) Communicate Audit Objectives and Expectations Results to auditees.

3.4 Preparing for the Expectations Meeting

• Identify the internal audit team and the auditee liaison person
• Discuss and agree the role of the auditee's liaison, including identifying available
dates and location for the meeting
• Obtain, review, and analyze background information by obtaining a copy of the
relevant legislation (laws, directives, and internal regulations), guidelines,
organisational chart, definition of the posts, delegation of powers, etc.
• Perform a preliminary review of the accounting environment, the chart of
accounts, the computer systems (the safety and storage of data) to ascertain the
reliability and regularity of accounting and financial data:
• Assign roles and responsibilities among the internal audit team.
• Confirm attendees and mail correspondence to auditee participants

Information that should be documented in the working papers

At this stage, the following information should be maintained in our working papers:
Background information obtained about auditee or organisation
Institution's organization chart
Institution's strategic plan
Correspondence sent to auditee participants

3.5 Developing Audit Objectives and Establishing Auditee Expectations

Expectations meetings should periodically be conducted with the organization's key
decision makers to discuss and agree upon the engagement's relationship objectives
and protocols.

Issues to be examined in the meeting

1. Management's strategic objectives
2. Desired internal audit focus and value criteria
3. Risk coverage
4. Strategic objectives
5. Internal audit focus
6. Critical and major processes of the organization
7. Organizational structure and alignment with processes
8. Audit coverage expectations
9. Relationship protocols
10. Role of the internal audit liaison
11. Distribution and format of audit reports
12. Measurement and communication of value
13. Receipt of feedback on internal audit services
14. Overall Audit Objectives


Information to be documented in the working papers
Auditee's strategic objectives
Agreed-upon internal audit focus
Role of the internal audit liaison
All agreed-upon engagement protocols

3.6 Developing the Risk Assessment Criteria

This process consists of the following steps:
• Determine the assessment ratings to be used for the auditee. The ratings can be
High, Moderate or Low.
• Determine the risk factors against which to assess organizational risks. The
factors could be determined by asking executive management questions such as:
With respect to the agreed-upon business objectives, at a high level, how would
the existence of a risk manifest itself, e.g., financial cost/lost opportunity,
reputation damage?
• Consider both the likelihood and the impact of the risk.
• Determine and agree upon the specific characteristics of the likelihood and impact
of a risk.
• Analyze and detail the respective impacts that would fall within the high, moderate
or low categories.
• Where appropriate repeat this analysis for likelihood, i.e., how could the likelihood
of the risk be measured and indicate this likelihood within the high, moderate or
low scale.
• Document the characteristics in a table form.


Example of Risk Assessment Criteria

High:
• Adverse impact on actual
revenues or actual costs >
• External audit qualification
on the report and accounts
Moderate:
• Adverse impact on actual revenues
or actual costs of shs.10m
• External audit management letter
contains significant issues
Low:
• Adverse impact on actual
revenues or actual costs of <
• External audit raises some
isolated findings

High:
• Serious failure to comply
with legal or regulatory
• Instances of bad publicity/
reputation damaged to a
national audience
Moderate:
• Failure to comply with legal or
requirements in some instances
• Instances of bad
damaged to regional audience
Low:
• Failure to comply with legal or
regulatory requirements in non-serious
and isolated cases
• Instances of bad publicity/
reputation damaged to local

Technology
High:
• System enhancement or
implemented without major
• Loss of systems leading to
severe or ongoing business
disruption (over 1 day)
• Management information
used in key decision making
is inaccurate
Moderate:
• System enhancement or
implemented without some
• Loss or disruption to systems
leading to significant business
disruption (up to 1 day)
• Management information used for
reporting purposes is inaccurate
Low:
• Minor delays in implementation
of new/enhanced systems
• Loss to systems leading to
business disruption (up to
• Delays in availability of
general management

Likelihood Highly Likely

Information to be documented in the working papers
The final agreed-upon Risk Assessment Criteria should be included in our
working papers.

3.7 Communicating Overall Audit Objectives Expectations Results to Auditees

The information agreed upon at the expectations meeting is crucial to the
overall success of the internal audit engagement. To capture the agreements reached
during the meeting, provide the attendees with a key deliverable from the meeting: a
communication of all issues agreed on.

Information to be documented in the working papers
The communication sent to the auditees about the agreed upon expectations and
audit objectives should be included in the working papers.

3.8 Risk Assessment

Risks are events, actions, or inactions that could cause the business objectives not to
be achieved. To mitigate and manage these risks, an organization typically
implements controls and other risk management activities.

Risk assessment is the identification and analysis of risks to the achievement of the
institution's established objectives.

Risk assessment provides a guideline for facilitating a high-level assessment of
financial and compliance risks and for identifying internal controls to manage those risks.

Parties responsible for risk assessment

Management has the responsibility of identifying, assessing, and managing risk.

Internal audit has the role of:
Facilitating the identification and assessment of risk and,
Monitoring how well risks are actually being managed by the entity.

Importance of risk assessment

It enables the auditor/inspector to:
• Identify, assess, and document the risks and related risk management activities
that exist within the organization's processes and across its key organizational
components (geographic locations, service lines, or functional units)
• Provide the primary focus for allocating audit resources in the Audit Plan process

Potential sources of risk

Government Agenda:
Citizen focus
Values and ethics
Responsible spending
Government on-line
Improved reporting
Modern comptrollership
Fairness & equity
Modern HRM
Integrated Risk

Corporate Management:
Structure and reporting
Planning and priority setting
Budgeting and resource allocation
Expenditure management
Procurement and contracting
Performance management
Project management
Inventory management
Asset management
Human resources
Information and knowledge
Risk management
Funding and appropriations
Statutory reporting
Compliance with laws and
Policy and strategy
Corporate reputation
Political factors
Public expectations
Stakeholder relations
Industry developments
Changing demographics
National security threats
Business continuity
Competitive trends

Major steps in risk assessment process:
Planning the Risk Assessment
Understanding the Auditee's Entity
Mapping Major Processes to the Internal Audit Focus
Identifying Risks and Related High-Level Controls
Assessing Risks
Agreeing on and Reporting the Risk Assessment

Planning the risk assessment

The objective of planning the Risk Assessment is to give the engagement team clarity
and structure in order to complete the work successfully and efficiently.
The Risk Assessment builds on the information obtained during the Co-Develop
Expectations process.

How it is done

• Review engagement objectives, team member roles and responsibilities, and
• Determine advance preparation requirements (if applicable) and documentation
• Determine the final output from the Risk Assessment (e.g., presentation to
executive management and the Audit Committee)

Preparing the preliminary plan

A team or individual should be given the responsibility of:
Gathering existing knowledge about the auditee and engagement
Developing a preliminary work-plan for the Risk Assessment.

3.9 Understanding the Auditee's Business

Understanding the auditee's business is the necessary first step in performing the
Risk Assessment.

Determinants of the level of analysis to be done
The nature, scope, and size of the engagement will drive how much analysis should be
undertaken to understand the auditee's business.

How to understand the business

Assess the organizations control environment
Confirm and review the organizations business objectives and critical success
factors for achieving the objectives, recognizing that an organization will have
implicit objectives in addition to those explicitly stated
Identify how the organization is structured (by process and function) and begin to
understand how the business objectives and internal audit focus are related to the


Identify both internal and external influences that affect the organizations
business objectives, internal audit focus, and critical success factors
Identify the significant risks inherent in the achievement of the business objectives
and critical success factors
Identify which process owners to meet with in order to complete the Risk
Understand the auditee's information technology environment
Understand the auditee's existing risk management process and reporting

3.10 Assessing the Control Environment

Control environment refers to management's explicit and implicit control
consciousness and attitude.

Use a control environment questionnaire to develop an understanding of the auditee's
control environment. The questionnaire consists of questions that may indicate risks
that should be further evaluated or areas that might require additional audit

Issues examined by the questionnaire

Management's control consciousness and operating style.
Integrity and ethical values.
Corporate governance arrangements.
Organizational structure and assignment of authority and responsibility.
Human resource policies, practices, and commitment to competence.

3.11 Developing and Confirming Your Understanding of the Processes

Arrange Meetings with the Key Department Heads to:
Confirm the business objectives and identify critical success factors
Identify Key Performance Indicators (KPIs)
Identify and understand stakeholders and any external factors and how they
influence the process
Identify any high-level risks that exist
Discuss any relevant IT issues
Understand departmental strategic objectives

Critical success factors and key performance indicators

For each objective, identify and discuss the critical success factors and how these
relate to the major processes.
Identify the key performance indicators used to measure the critical success
Determine how they are used by management to monitor the effectiveness of the
Determine the different factors (internal or external) facing the key processes in
Analyse the influence of each factor on the process.


Examples of factors affecting key processes

1. Stakeholder Influences. Examples include shareholders, debtors, employees,
customers, and suppliers.
2. External Factors. These include political and economic trends, market conditions,
legal and regulatory framework, competitors, technological change, and social
3. Information Technology (IT) and Human Resources (HR). Assess how IT and HR
enable the key processes.

Understanding the IT environment

Understand the implications and extent to which technology, as it relates to the
attainment of the business objectives, enables each process.
Technology should be considered as an integral part of the Risk Assessment

The identification and subsequent assessment of IT risks should be performed in
conjunction with the other risks to the organization.

Determine how IT supports the key processes.

Key questions to consider

Is the organization's strategy heavily IT enabled?
What is the IT infrastructure?
What is the IT change environment?
What is the appropriate size of the IT department and budget?
How best is it to use service bureaus (e.g., ADP, and/or consultants and

Information to be documented in the working papers

The following should be maintained in the working papers:
The auditor/inspector's assessment of the control environment and any identified
risk factors.
Appropriate notes to document the characteristics of the key processes.

3.12 Linking Internal Audit Focus to Key and Critical Processes

The principal objective of this step is to enable available internal audit resources to be
efficiently allocated to those processes that significantly affect the strategic objectives
or other concerns, which are the agreed-upon focus of the auditor's/inspector's
internal audit services.

Information to be maintained in the working papers

A matrix to analyze which processes are relevant to the internal audit focus


Documentation of the relative importance of each process, including the rationale
for this as agreed on with management.
A matrix to analyze which processes are relevant to business objectives (if this
mapping is performed)

3.13 Identifying Risks and Related High-Level Controls

The objective of this process is to provide adequate guidance to the identification of
the significant risks as influenced by the internal audit focus (e.g., business
objectives) and to determine, at a high level, the controls over these risks.

Issues to discuss with the auditee

1. The purpose and objective(s) of the process and the critical success factors which
management has identified.
2. The beginning, end, key inputs, key outputs, key transformations and the sub-
3. The impact of information technology on the process.

Important questions to be asked by the internal auditor/inspector

What could go wrong?
How could we fail as an entity?
What must go right for us to succeed?
Where are we most vulnerable?
What assets do we need to protect?
Do we have liquid assets or assets with alternative uses?
How could someone steal from the department?
How could someone disrupt operations?
On what information do we rely most?
On what do we spend the most money?
How do we bill and collect our revenue?
What decisions require the most judgment?
What activities are most complex?
What activities are regulated?
Where is our greatest legal exposure?

It is important that risk identification be comprehensive at the departmental level and
the activity-level for operations, financial reporting and compliance objectives.
Internal and external factors must be considered.

Significant risks that exist in the process

Performing an analytical review of the process being audited is important. Such a
review will help to provide an indication of the health of the process.

Typically, trend analysis is the most appropriate form of analytical review during the
Risk Assessment. Capturing, acquiring, and analyzing data is time-consuming and
generally considered appropriate for the Execution process only.


Questions to help identify significant risks

What must go right in order for the process to achieve its objectives? One answer
might be: Purchased materials must be paid for within the discount period.
What could go wrong with the process that would prevent the entity objectives
from being achieved? One answer might be: Failure to deliver the services within
the stipulated time.
How does IT or human resources enable the process and what significant risks
exist as a result of these enablers?
One answer might be: Unauthorized or uncontrolled access to networks results in
service disruption.
Is the process designed to be properly responsive to public and environmental
forces (i.e., stakeholder influences or external factors)? One answer might be:
Failure to respond to regulatory changes resulting in heavy penalties.
Does the process contain any inherent conditions that may result in a financial or
other loss? (e.g., the risks of theft of cash/goods that exists within retailing

Information to be maintained in the working papers

Process characteristics for the key process.
A list of risks and associated controls agreed upon with management.

3.14 Assessing Risks

Risk is defined as any event, action, or inaction that hinders an organization's
achievement of its business (explicit and implicit) objectives. Risk has two attributes:
cause and effect.

Issues to consider when assessing risks

The likelihood of the cause occurring.
The resulting impact of the risk (e.g., on revenue, reputation, reporting).
Initial assessment of risk.
Initial evaluation of high-level controls, assuming that controls can mitigate the
likelihood and/or impact of the risk occurring.
The predetermined scale (e.g., high, moderate, or low) to use. This should be
discussed with the auditee.
The relevant time period. A risk may have a small impact if it occurs once, but if it
could occur frequently during the year, consider what the cumulative impact would
The factors that influence the risk (e.g., people, process, or technology).


Questions to use when evaluating high level controls

Do the high-level controls appear effective or ineffective at mitigating the
likelihood of the risk identified within the process?
Are there several controls in place to mitigate the risk that result in process
Do the high-level controls appear effective or ineffective at mitigating the impact of
the risk?

Information to maintain in the working papers

Documentation of the likelihood and importance of risks, as agreed upon with
Risk assessment rationale for risks, processes, and auditable units agreed upon
with management.
Rationale for initial evaluation of high-level controls.

3.15 Reporting and Agreeing on the Risk Assessment

The engagement team presents the results of the risk assessment along with the
audit plan to the audit committee. This allows the audit committee to readily see that
the audit resources are allocated to those areas that significantly affect the internal
audit focus and business objectives of the organization.

Information to maintain in the working papers

Formalized agreement of the risk assessment (e.g. copies of minutes of audit
committee or executive meeting.)

3.16 Audit Plan

It is derived from the developing expectations and risk assessment processes.
Potential processes and areas (e.g. regulatory compliance, system implementation)
that should be considered for inclusion in the audit plan are identified.

Importance of this step

It helps the internal auditors/inspectors to:

Review management's expectations regarding audit coverage, as communicated
in developing expectations, and develop an audit plan that is in line with those
expectations (to the extent that audit resources are available)
Align the audit plan with the results of the risk assessment (to the extent that audit
resources are available)
Determine skills needed to execute the audit plan and schedule resources
needed for the engagement
Prepare the audit plan and obtain approval from the internal audit liaison,
executive management, and the audit committee


3.17 Major Processes

1. Risk Assessment. This is used to:
Develop audit work schedules.
Identify potential auditable activities.
Analyse the significance of the relative risk factors.

2. Auditable Activities. These are identified after reviewing the Ministry's Chart of
Accounts and budget.
3. Identification of Relevant Risk Factors. Examples include: competitive
conditions, financial and economic conditions, adequacy and effectiveness of the
system of internal controls, organizational, operational, and technological
changes, competency, adequacy and integrity of personnel, etc.

Audit work schedules
The risk assessment process leads the Head of Internal Audit to establish audit work
schedule priorities. The internal auditing department develops audit work schedules
that include the following:

What is included in the audit work schedule

The activity to be audited.
When the activities will be audited.
The estimated time required to audit the activity.

Issues to consider when establishing work schedules

The date and results of the last audit.
Financial exposure.
Potential loss and risk
Requests by management.
Major changes in operations, programs, systems, and controls.
Opportunities to achieve operating benefits
Changes to and capabilities of the audit staff.

The Head may adjust these priorities after considering other information such as
coordination with external auditors/inspectors, requests by management and/or the

Annual audit plan

The annual audit plan is prepared based on the risk assessment and is presented in
the standardized format established by the Head of Internal Audit. At the beginning
of the fiscal year, the internal audit department presents the annual audit plan to the
audit committee for approval.


Components of the audit plan

List of audit projects.
Estimated hours for each audit project.
Objective of each audit project.
Type of review (internal control, financial, compliance).
Priority (high, medium, low) and reason for the priority.
Budgeted hours.

Developing an audit program

The audit program details each of the audit steps to be performed during the
course of the review.
The Head of Internal Audit or his designee should approve the audit program prior
to beginning the audit work. Any adjustments should also first be approved by
As evidence of work performed, each of the steps in the program should be cross-
referenced to the corresponding work paper.
Upon completion of each audit step, the auditor/inspector should initial the audit
program in the appropriate box indicating its completeness. In some cases (when
not readily apparent), the reason for the audit step should be included in the audit

Identify resource needs and estimate hours to execute procedures

Using the proposed audit strategy as a basis, identify resource needs and estimate
the respective amount of hours required to perform the work for each of the selected
processes and areas.

This is achieved by allocating available hours to each of the selected processes and
areas based on the significance of the risk, complexity of the process, impact on
internal audit focus and the audit procedures expected to be performed.

Financial budget

The Internal Audit unit shall prepare a budget that will be reviewed by the Audit
Committee and incorporated into the entity's budget estimates.

Reviewing the audit plan to determine its consistency with management's

Upon completing the audit plan, the engagement team should review the Plan and
consider the following questions:

Is the audit plan consistent with management's audit coverage expectations?
Is the audit plan consistent with management's view of cycling audits?
Is the audit plan within the budgetary expectations of management?
Do significant gaps in risk coverage exist and has this been appropriately
Do we or the auditee have the resources necessary to perform the audit plan?


Are all expectations and coverage issues noted during the co-develop
expectations process appropriately considered in the audit plan?

3.18 Coordinating the Audit Plan

Once the engagement team has co-developed the audit plan, the next step is to
begin to review the schedules of available resources and assign resources to
processes and areas based on their individual skill sets. This allows the engagement
team to be ready, upon approval of the audit plan, to execute the plan as resources
are preliminarily scheduled. If management or the audit committee should have
changes to the audit plan, the engagement team can easily revisit the engagement
project plan to accommodate the modification by shuffling resources.

3.19 Agreeing to the Audit Plan

The engagement team and the internal audit liaison present the preliminary audit plan
to executive management and the audit committee in accordance with the
established protocols communicated in the co-develop expectations process. The
audit plan outlines the following:

Risk assessment results
Listing of potential audits

It is important for the engagement team to follow all change request protocols to
ensure the proper allocation of resources.

Information to be maintained in the working papers

A copy of the audit plan
A copy of the executive management and audit committee meeting minutes,
documenting approval of the audit plan as presented or other appropriate
documentation showing approval
Documentation of any points that auditee personnel have asked you to consider
for future audits so that you can revisit them when you update your audit plan


Article 4

Audit Execution
4.1 Designing Tests of Control

This is necessary when an auditor/inspector is asked to conduct a systems audit or
when, after the PSE, the auditor/inspector believes it will be feasible to conduct a
system based audit as opposed to a substantive approach.

The auditor/inspector is seeking evidence of the operation of control procedures, for
example, the checking of a travel claim, which should be prepared in accordance
with the financial regulations and recorded in the cashbook.

When planning substantive tests, the auditor/inspector may use the sample size of 40
tests of control as part of a representative substantive sample, as long as the
evidence from the tests of control clearly provides substantive evidence.

Instances when tests of control can be designed

When the system design has been documented, evaluated and found to meet the
audit control objectives;
When the control operations to be tested are separately listed on the audit
working papers.

What to use when designing tests of control

1. Enquiry. It is the cheapest form of testing and the least reliable.
2. Observation,
3. Inspection and
4. Reperformance

In planning tests of control, evidence is required about the satisfactory operation of
the control.

Issues to note about the evidence collected

Evidence that substantiates the correctness of transactions does not
automatically provide evidence that the control (check) was correctly operated.
The best evidence that the auditor/inspector could get is transactions, which were
in error when they came before the clerk (the errors which were detected by the
clerk whilst conducting the control procedure).
The only evidence of transaction errors will be transactions rejected by the clerk,
transactions amended by the clerk or transactions remaining in the population, in
The audit evidence available respectively will be: formal records or lists of
rejected transactions kept by the clerk, alterations on prime documents observed
during testing and errors discovered by the auditor/inspector during substantive


Items to include when recording the program of tests of control

The population;
The population size;
The sample size;
The method of sample selection.

For as long as the system remains the same, the compliance-testing plan can be re-
used from year to year.

4.2 Pre-Audit Work

The internal auditor/inspector should prepare for the audit visit before commencing
the audit. This provides time for review of the previous year's reports and papers and
such research and information gathering as is necessary to ensure that the team will
be ready to start as soon as they arrive on site.

Typical procedures, which should be included in that process, are suggested below:

4.2.1 Familiarisation

Obtain an understanding of the control environment.
Obtain copies of all standard financial documents relating to this area;
Prepare a record of the accounting records in use;
Obtain an understanding of the financial regulations and any ministerial or
departmental operating policies.

NB: If possible, most of the familiarisation tasks should be made easier by the
maintenance of permanent files of information so this task might be
incorporated within a single procedure: Review and update permanent file

4.3 Analytical Review

Compare current year's actual income and expenditure, line by line, with the
current year's budget;
Compare current year's actual income and expenditure, line by line, with previous
year's expenditure;
For all income and expenditure heads, compare monthly income and expenditure
during the current year. Other analytical techniques include:

4.3.1 Ratios

Ratios can be calculated using financial or non-financial information or mixture of
Using his/her knowledge of the audited body, the auditor/inspector should
establish the various relationships between different items of information and
examine how they change over time.
Care should be taken to ensure that the correct relationships between figures
have been established.


4.3.2 Examination of trends

The examination of trends may be seen as an extension of the time comparison over
a period of years and may be valid for ratios as well as specific account figures.
Observed trends must be critically examined. Relatively small changes from year to
year may generate little interest but, over a period of years their cumulative effect
may be significant.

As with the other procedures, the information selected for this type of review needs to
be determined by the auditor/inspector using his/her knowledge of the body.
Explanations of any abnormality must be sought by the auditor/inspector for the
procedure to be effective.

4.3.3 Reviewing for consistency

Related elements within the financial systems should be reviewed for consistency
because there may be a direct relationship between the expenditure and receipts for
certain items. An example of this would be posters supplied by the Ministry of
Tourism; the purchase price is negotiated, pricing policy established and the
auditor/inspector could calculate the relationship between the cost of stores issues
and receipts and use this as a standard from month to month or year to year.

4.3.4 Proof-in-total techniques

Proof-in-total is a predictive test used to gain assurance regarding the correct
statement of a financial figure. It is often considered as a substantive test, and can be
used to complement or even replace tests of detail. It is particularly useful where the
expected value of a figure can be calculated based on the prior year value, and
known changes to the composition of the figure.

Proof-in-total involves estimating the value of a figure based on independently verified
audit evidence. As a guide, if the estimate is within 3% of the actual figure, this
provides reasonable audit assurance that the figure is not materially mis-stated.

4.3.5 Examination of management information

Obtain a copy of any information available to the Head of Department under
review for the purposes of exercising overall control;
Confirm that it is accurate and up-to-date;
Examine information and follow up any items, which appear to be odd. This is a
re-performance test and ought to provide evidence about the exercise of control
by the Head of Department based on the use of the information supplied.

4.3.6 Assembly of Information

Examine all intelligence information filed since the last audit visit relating to
allegations and current developments in the ministry or department to be audited;
Discuss with officers in the Ministry of Finance their impression of the
performance of the Head of Department in adhering to financial regulations,
specific instructions or completion of returns or other documents;
Establish whether officials in the Ministry of Finance have experienced problems
with the Accounting Officer;


4.4 Carrying Out Tests of Detail and Substantive Procedures

The conduct of audit work usually follows a standardised route through the audit.
Audit programs should be drafted in such a way that the timing of the work is
recognised. The order of the performance of audit tests is usually;

Pre-audit work: To highlight any specific issues which need to be examined this
Compliance tests: To form a view about the operation of control. If systems are
not reliable then substantive or weakness tests will be required
Substantive tests: To confirm the correctness of records and documents.

NB: Weakness tests should be designed specially for the circumstances
discovered at the audit and should not normally stay in the audit program.

4.5 Issues for Management's Attention

a) Preparing an Issue Summary
It is prepared when risks are inappropriately controlled. It should be reviewed by
the in-charge auditor/inspector, and presented to management for action.

Objectives of the Issue Summary

Obtain confirmation of factual accuracy of identified issues
Request an action plan from management to address the control weakness, for
inclusion in the audit report
Enable corrective action to take place as soon as possible
Communicate a cooperative spirit with auditees by advising them early about
business risks, related controls, and recommendations
Co-Develop an understanding of significant reportable issues and non-reportable
issues with the auditee

Components of the issue summary

Observations: Details of any observations that indicate the absence of control or
the results of testing with regard to the appropriateness of the controls. If
appropriate, the observations should also describe the standard that should have
been adopted (i.e., what should be) and the cause (i.e. why the observation
Risk: Details of the risk that is being inadequately controlled because controls
have not been implemented or are not functioning as designed. When the issue
identified is a process improvement in nature, it may be appropriate to use
Implication rather than Risk.
Recommendation: Action recommended to address the risk. Always be aware of
the cost/ benefit implications of any recommendations made. If the costs of
implementing controls exceed the risk, look for alternatives.
Management Response: Management's response to the observation, including
identifying the action to be taken to address the risk, who will take the action, and
a date by which the action will be completed.


Do not include a recommendation in the Issue Summary. Allow management to agree
that the issue exists and co-develop the most appropriate solution to address the risk.
This facilitates ownership of the action plan by management. It is still critical to
consider what action the auditor/inspector would recommend, as this will be useful
when evaluating management's suggested action or to provide guidance to

4.5.1 Format of the Issue Summary

Audit Project:
Audit Date:



Management Response (Please include the proposed date of implementation or a reason for non-

Auditee Signature and Date:
Significance: High Moderate Low

Include in Report? Yes No Order in Report
Reviewed by:

b) Reviewing the Issue Summary
The in-charge auditor/inspector or his/her designee should review it before it is
sent to the auditee.
The in-charge auditor/inspector or designee should:
Be aware of all audit issues
Review the summaries for accuracy and adequate supporting documentation.
Determine whether the working papers support the conclusions reached
Ensure that the Issue Summaries are professionally written.


c) Presenting Issues to Management
Present each Issue Summary to management in person and in accordance with
the agreed-upon protocol, but make sure that the recipient will be the person
responsible for taking or authorizing the corrective action. Ask management to
provide a response to the issue within a reasonably short time frame.

d) Evaluating Responses
When received, responses should be reviewed for:
Factually inaccurate findings
Adequate corrective action to reduce risk
Timeliness of corrective action

When there is a disagreement regarding factual accuracy, verify the additional
information that management provides and re-evaluate the risk and control.
If a response is inadequate, discuss the corrective action with the responder and
request the additional information needed.

The additional response should be provided by the auditee in writing. Ultimately, if
agreement cannot be reached, refer to the protocol agreed to in the Co-Develop
Expectations mega process.

If management's response is not received by the agreed date, contact the auditee to
determine the reason for the delay and to determine when the response will be
received. The best solution may be to arrange a meeting to discuss the action to be

4.5.2 Information to be maintained in the working papers

Our working papers should include the following:
Analysis of the controls in place to mitigate each risk identified in major
For each identified risk, the auditor/inspector should have an Issue Summary on
file containing a response from management.
The response and details of the action the auditor/inspector takes when
management's response accepts the risk but indicates that management is
unwilling or unable to take remedial action.

4.6 Concluding the Audit and Report

The steps taken to conclude the audit, including the preparation of the audit report,
are essential elements for producing a quality audit product. The audit report is one of
our most visible deliverables, providing feedback to auditee management on the
results of our audit. The report should include all the significant issues identified as a
result of our audit procedures.

At the end of our fieldwork, issues from the audit are collated, reviewed, prioritized,
and consolidated in the audit report. This report is published in draft form prior to
holding a closing meeting with process owners, during which its contents are
discussed and agreed upon.


4.7 Reviewing Working Papers
a) Review throughout audit project
b) Perform final working paper review
c) Remove review comments, to-do notes, and report drafts
d) Look for complete documentation that supports issues and scope
e) Look for findings that have not been recognized and reported
f) Document ideas to improve future audits (when appropriate)
g) Prioritize observations
h) Rate findings
i) Review for inappropriate language

Elements to be included in an audit report

Background: a high-level description of the audit process
Objectives and Scope of the Audit Project: a brief description of the
scope/objectives of the audit project
Period: an indication of the period covered by our procedures
Findings: significant issues identified and documented throughout the audit using
the issue summary
Recommendations: outlines suggested actions that management should
consider to address an audit finding
Date: the report is dated (month, date, and year) on the day that fieldwork is
substantially completed
Signature: Report should be signed.

4.7.5 Illustration of writing reports:


Institute of Internal Auditor/Inspectors Leading Practice

Background information may identify the
organizational units and activities reviewed
and provide relevant explanatory
The background description of the area or
process audited should be brief and should
provide a short overview of the area. It can
provide additional insight to the reader. It also
can demonstrate our understanding of the
area audited. The types of information that
may be included are:
1. Personnel/turnover/staffing needs
2. Organization/major changes
3. Other factors
4. System issues
5. Process ownership and inherent problems
6. External factors affecting area audited
It is not necessary to include all six types of
background information.

Purpose statements should describe the
internal audit focus and, when necessary,
inform the reader why the audit was
conducted and what it was expected to
The objectives of the audit are described in
the report

Scope statements should identify the
audited activities and include, where
appropriate, supportive information such as
time period audited. The nature and extent
of auditing performed should also be
The scope is described in the report and
should not be a listing of the steps of the audit



The time and period audited
should be included in the scope
All reports should indicate the period covered by the
auditors'/inspectors' procedures

Findings are pertinent
statements of fact. Less
significant findings may be
communicated orally or through
informal correspondence.

Observation and Risk/Implication is the last
section of the report. The heading would include
the client name and area or process audited. The
business risk identified as a result of the finding
should always be listed.
Appropriate sections of the Issue Summary can be
copied into the audit report. If the Issue Summary is
properly written, the audit report writing process
should be streamlined and be more consistent.
Each observation and risk should be listed in the
order of importance.
It may enhance the reader's experience if like
observations and risks are grouped together under
each topic. In situations where the
recommendations for several observations are the
same, consider grouping the findings together
under one topic related to the recommendation.
Bullet points often make it easier for the reader.
Numbering of observations and risks (instead of
bullets) is not recommended since it is often
perceived as a counting of mistakes.
Working papers should indicate that less significant
findings have been reviewed with management,
noting the date and name of client contact.

Recommendations are based on
the internal auditor/inspector's
findings and conclusions.
They call for action to correct
existing conditions or improve
The recommendations are actions that management
should consider to address audit findings.

A signed, written report should
be issued after the audit
examination is completed.
The term "signed" means that
the authorized internal
auditor/inspector's name should
be manually signed in the report.

The report is signed after all required reviews are
completed and issuance of the report has been
authorized by the Team leader.
Date The report is dated (month, date, and year) on the day
it and issued is substantially completed.




Conclusions are the internal
auditor/inspector's evaluations of
the effects of the findings on the
activities reviewed. They usually
put the findings in perspective
based upon the findings overall


Auditee accomplishments, in
terms of improvements since the
last audit or the existence of a
well controlled operation, may be
included in the audit report.

A list of strengths and/or best practices may be
included in the report. This typically demonstrates
recognition of positive issues (tends to soften the
We cannot endorse any issues without total
consideration of the applicability throughout the
As a result, the Strengths or Leading Practices
sections should be prefaced by During the course of
our internal audit, we noted the following strengths of
the operations.
Although each is considered a strength of the area
audited, the applicability of each of these issues to
other areas of the Company must also be
considered. The strengths or leading practices can
then be bullet-pointed.
Management's

The auditee's views about audit
conclusions or recommendations
may be included in the audit
As part of the internal
auditor/inspector's discussions
with the auditee, the internal
auditor/inspector should try to
obtain agreement on the results
of the audit and on a plan of
action to improve operations, as

Management's response should be included in the
internal audit report to put the finding in perspective.
The reader can then understand the finding and the
status of the action taken to correct it at one time.
Action to Be Taken or Action Plan can be used in
our reports instead of Management's Response and
Recommendation. This approach concentrates on
the corrective action taken versus who made the

When constructing the report, the following guidelines should be used.

Cover Page

The cover should include:
Auditee name
Process or area evaluated
Period covered


The titles and headings should be in a larger font than the text.

Table of Contents
Consider using a table of contents when the report is longer than five pages. If
applicable, the index should have the same title as the cover sheet and should
include a list of the headings of each section within the report.

Appendices can be used to provide additional information that does not belong to the
body of the report. It may include an overview of the risks examined, ratings
definitions, etc.

Appendices should be used only when needed in order to provide the reader with
required reference material.

Page Numbers
All reports should have page numbers. The report should be consecutively numbered
with the first page number starting after the index.

Unresolved Issues from the Previous Audit Report
Unresolved issues from a previous audit report are treated in the same manner as
other issues identified. Reference should be made to the fact that the issue was
raised previously but remains outstanding.

Issuing a Draft Report
a) Prepare a Draft Report
Prepare a draft report of detailed findings and recommendations. The draft audit
report, including findings and recommendations, typically is only distributed to
process owners. The final report distribution includes executive management and the
Audit Committee. The principal reason for this is that the draft report provides a final
opportunity for:
Management to challenge the accuracy of the issues raised in the report
The engagement team to validate the action plan to address each issue
b) Issue the Draft Report
Issue the draft report in accordance with the agreed-upon distribution.
c) Schedule the Closing Meeting
The closing meeting or exit conference should be held soon after completing the audit
field work.

4.7.6 Conducting a closing meeting

a) Select Attendees
Members of auditee management who are invited to attend the closing meeting
should have been discussed and identified during the scoping stages of the audit
project. As a minimum guideline, members of management who have ultimate
responsibility for implementing the action plan of each issue should be invited to


The engagement team member in charge of the audit project should attend.
Additional staff members can also be asked to participate, particularly when those
individuals have specific knowledge of complex or technical matters that may be

b) Discuss Draft Audit Report
Discuss the draft audit report to reach agreement on each of its components.
Specifically, the meeting provides an opportunity to:
Clarify points or issues
Resolve any misunderstandings
Demonstrate the value we have provided
Agree on follow-up activities

Maintain detailed minutes to provide evidence of management's response to the
issues raised. The minutes should be kept in the working papers.

4.7.7 Issuing a final audit report

Make any required changes to the draft audit report and issue it in accordance with
the agreed-upon final audit distribution.

Follow up on reported audit findings

The protocol for the follow-up on reported findings should be discussed with the
internal audit liaison during the Co-Develop Expectations process. The nature, timing,
extent, and scheduling of follow-up activities and the procedures and techniques
employed are determined by the auditee.


4.8 Communicating Results

At a minimum, executive management and the Audit Committee must formally
review, agree and approve the Risk Assessment and the Audit Plan prior to executing
a substantial portion of the Audit Plan.

Throughout the year, we communicate the status of executing the Audit Plan and a
summary of the results of our audit projects, including significant findings.


Article 5
Working Documentation of an Internal Auditor/Inspector
5.1 Working Documentation
Working documentation is a set of documents prepared by/for the internal
auditor/inspector in connection with the conduct of an internal audit. Working
documentation consists of a constant part and a variable part. The constant part
contains usual data, which are of historical and permanent nature. The variable part
contains working documents relating to the current year.
The internal auditor/inspector is obliged to document things that are important as
evidence supporting the auditor/inspector's opinion and documenting that the internal
audit has been carried out in accordance with the auditing standards.
How working papers are stored
1. Paper
2. Films
3. Electronic data media
Purposes & uses of audit working papers

To provide the principal support for our audit opinion
To facilitate the conduct of an internal audit;
To facilitate supervision and inspection of the work of an internal
To record any evidence resulting from the work of an internal auditor/inspector in
support of the auditor/inspector's opinion
To aid us in the conduct and supervision of the engagement consistent with
professional standards and firm policies and procedures
To provide important information for subsequent audits and for potential review by
third parties who may challenge the sufficiency of our work.
Working papers may provide information for further investigation
Review by third parties
Components of the title page of the working documentation
Full name of the internal auditor/inspector;
Name of the auditee
Subject of the internal audit;
Organisation/department being audited (auditee);
Time period of the internal audit;
Full names of the auditors/inspectors who carried out the internal audit/inspection
(where the audit/inspection is conducted by several auditors/inspectors);
Contents of the working documentation.


5.2 Principles for the Compilation of Working Documents

Internal auditors/inspectors are required to compile and maintain detailed working
documentation, giving an overall picture of the internal audit performed.

In the working documentation, the internal auditor/inspector should record information
on the:

The objective of the audit/inspection
The planning, nature, time period, and scope of the auditing/inspecting
The results of these procedures, and
The conclusions arising from the audit/inspection performed.
All the data on which the opinions and judgements of the auditor/inspector are
The nature, term, and scope of tests of correctness are based on the evaluation
of financial management at the audited organisation;
The working documentation obtained, auditing/inspection procedures applied, and
tests performed, provide sufficient evidence, which is an adequate basis for an
opinion on the activity that is audited.

Determinants of the contents of the working documentation

The nature and type of the internal audit;
The form of the internal auditor/inspector's report;
The nature and type of activities performed by the auditee;
The nature and conditions of accounting and financial management applied by the
The needs in the area of management, supervision, and control of the work
performed by the internal auditor/inspector;
The specific aspects of the methodology and technology applied during an
internal audit.

Contents of the working documentation

Information about the legal form and organisational chart of the audited
Extracts or copies of important legal documents, contracts, records, and plans;
Information about the sector, the economic and legislative environment in which
the organisation operates;
Evidence of the fact that the internal audit was planned, including the programme
of the audit and its changes;
Evidence of the internal auditor's/inspector's decision to carry out an audit and of
the conclusions reached;
Analysis of transactions and balances;
Analysis of relations, relationships, and trends;
Records in respect of the nature, time limit, and scope of the audit work
The name of the person who determined the auditing process, including the date;


Details about the procedures applied during external audit, if an external audit
was conducted in the organisation concerned;
Copies of correspondence between the internal auditor/inspector and other
auditors/inspectors, experts, or third parties;
Letters with statements, made by the management of the audited organisation;
A copy of the organisation's financial statement, report of an external
auditor/inspector, report on internal control.
5.3 Principles for the Preparation of Working Lists

The internal auditor/inspector should record his activities in working lists on a daily
basis, according to the following principles:

Each working list should contain the name of the area that is audited, the time
limit for the audit, title contents, name of the person who has prepared the
working list, date of elaboration and the index designation of the list;
the working lists are to be indexed marked with cross references enabling rapid
Completed working papers shall clearly document the work of auditors/inspectors.
This can be achieved, for example, by writing a final evaluation of the internal
audit performed (memorandum), with notes on the working list, using symbols
with clear explanations on the working list;
The person in overall charge of the audit needs to be able to satisfy himself/herself that work
delegated by him/her has been properly performed. He/she can generally only do
this by having available to him/her detailed audit working papers prepared by the
audit staff who performed the work.
The audit working papers provide, for future reference, details of problems
encountered and adequate evidence of work performed and conclusions drawn
therefrom in arriving at the audit opinion.
Audit working papers should always be sufficiently complete and detailed for an
experienced auditor/inspector with no previous connection with the audit to
subsequently ascertain from them what work was performed and to support the
conclusions reached.
Working papers should be prepared as the audit proceeds so that details and
problems are not omitted.
Audit working papers should include a summary of all significant matters identified
which may require the exercise of judgement, together with the
auditor's/inspector's conclusions thereon.
If difficult questions of principle or judgement arise, the auditor/inspector should
record the relevant information received and summarise both management's
and his own conclusions.

Working papers can conveniently be split into three:

1. Permanent File

Permanent files are used for data that can reasonably be expected to be needed
in audits for more than two years. The following are typical permanent file


Law establishing the institution/project
General information about the auditee
Regulations governing the institution/project/ministry
Accounting policies and procedures
Historical analysis of accounts
Income tax information.

2. Systems File

The systems file can be used to record the way in which the auditee's internal
control and accounting systems operate. Typically, this will be in the form of flow
charts recording each of the accounting areas supplemented, where necessary,
by narrative notes.

3. Current files

The current file will contain all the working papers in relation to the current year's
audit, and these can be quite extensive. A typical format would be as follows:

Indexing Working Papers

The objective is to make it easy for anyone to retrace the steps we took to complete
the audit, and to make working papers easy to locate.

Use the pyramid system: At the base are detailed working papers. As we proceed
to the top of the pyramid, we need to continue to build a supportive base that
meets our audit objective
Each working paper has a unique index
An index is assigned to each audit working paper as soon after its preparation as
is practical. Indexing is used to maintain consistency

Purpose of Cross-Referencing

To indicate where certain numbers or other data originated (i.e. where supporting
detail can be located)
To indicate where various detail amounts have been summarised in the working
How do we Cross-Reference? We cross-reference amounts between two working
papers by placing the other working paper reference next to the number being
cross-referenced. Generally, we try to cross reference our amounts from the detail
working papers up to the summary-level working papers. In this manner,
someone can easily follow our process and flow of information.

Effective Working Papers should contain

Working paper headings

It is important that working papers are properly identified. Details should include:
auditee name, a title or description, and the audit period to which they apply.
The proper use of headings is imperative to appropriate identification.


Clear and concise tick marks

Tick marks are used to indicate the procedures performed on data in the working
Tick mark explanations may be customized by the engagement team and will
always have the same meanings when used throughout the engagement
Other tick marks may be used on working papers. When creating new tick marks,
their explanations should be clear and concise, specifically describe the work
performed, and be fully explained on the particular working paper where they are
Tick mark explanations normally include a description of the following:
Evidence examined, findings, and results
Unusual items noted and how they were resolved

Narrative comments

Narrative comments on audit schedules can include many forms of
documentation. Narrative comments include;
Brief summary of discussions with auditee personnel
Data needed for notes to the financial statements
Description of an account when it is not evident from the title
Additional information that would clarify data on the schedule and make it easier
for others to review

Audit conclusions
We document overall audit conclusions relating to all audit areas we reviewed.

All audit working papers require the sign-off of the preparer and the detailed reviewer
at a minimum and also should document the date of each sign-off.

An illustrative example of the general index of working papers

WP General File
1 Internal auditor's/inspector's report
2 Exit conference & findings
3 Entrance conference/notification
4 Preliminary survey/planning memo
5 Review & supervision notes
6 Audit program
7 and Up Evidence working papers

Permanent File
PF 1 Organizational chart
PF 2 Applicable statutes and regulations
PF 3 Internal control information - narratives, flowcharts, questionnaires, etc
PF 4 Description of the accounting records, description of the funds, basis of
accounting, etc.
PF 5 Departmental mission statement
PF 6 Department budget and other strategy documents


Article 6
Financial Audits
6.1 Introduction

The purpose of this article is to set procedures for conducting a financial audit and
also to provide an overview on major tools to assist an internal auditor/inspector in
conducting an effective financial audit.

6.2 Definition of Financial Audit

A financial audit evaluates whether financial statements or reports accurately portray
the financial condition and/or activities of the audited entity.

Components of a financial audit
a) Examination and evaluation of financial records, and where applicable,
expression of opinions on financial statements;
b) Verification of financial accountability of the government administration as a
c) Audit of financial systems and transactions, including an evaluation of compliance
with statutes and regulations;
d) Evaluation of internal control systems;
e) Audit of the integrity and propriety of financial and related administrative decisions
taken within the audited entity.
During a financial audit execution, the Internal Auditor/Inspector also focuses on
evaluation of management procedures, reporting and operations inside an auditee as
well as on effectiveness of financial transaction controls in place.
6.3 Objective of a Financial Audit

The objective of a financial audit is to verify data recorded in financial statements and
evaluate the financial controls in place to ascertain whether there was proper
stewardship of public funds and efficient use of public money.
Issues to Consider
Correctness, entirety, provability, understandability of accounting information
Physical safeguards and security of accounting information
Integrity and protection of assets
Timely provision of accurate and reliable information for decision making


6.4 Financial Audit Procedures, Preparations and Execution
The following are the usual stages of the Financial Audit Execution:
Acquaintance with areas which will become subject of Financial Audit
Collection and evaluation of information
Internal control review
Accounts verification phase of testing and examinations
Audit completion, reporting and follow up.
6.4.1 Acquaintance with areas which will become subject of Financial Audit
Understanding the auditee's business is an important step in all categories of audit.
This helps the Internal Auditor/inspector to identify risks which could have a
significant effect on financial statements. This can further be analysed as follows:
6.4.2 Acquaintance with legislation relevant for the auditee
laws, regulations and directives effective
legal, taxation or budgetary specific details
special accounting rules
responsibilities related to fund management
6.4.3 Acquaintance with auditee's social and economic environment
overall organisation and structure
organisational charts, task and function descriptions, decision-making system
important external factors
nature and specifics of auditee's activities
strategy and objectives of auditee's management
assess the reporting structure
number of staff and working environment
volume and types of transactions
trends of development to be considered, reforms undergoing
evaluation of events that have happened since the beginning of year and after the
financial statements have been produced
6.4.4 Acquaintance with auditee's accounting and financial environment
Accounting, financial and budgetary procedures
Managerial arrangements and control mechanisms for funds managed
Chart of accounts, accounting methods and accounting principles
Accounting entries specific for auditee's activities
Accounting cycles (periods), chains and assignments to be subject of Audit
Forms of accounting records
Types of accounting books, accounting documents and written documents


Way of starting, registering and accounting each of transactions
Possibility to track back the overall course of transactions
Cash operation management
Financial statements, administration and control system to adhere to the budget
Actual state and frequency of financial control execution
Budgetary items, accounts, allocations and resource consumption

6.4.5 Acquaintance with auditee's data processing environment
Staff, level of education accomplished
Configuration of computer technology and systems
What software has been established? Do they cover 100% of financial
operations? How are transactions processed and registered in contrary (adverse)
What about protective and security systems? Are they reliable and applicable?
What systems are used for data archiving?
Are there any monitoring tools in place that would monitor systematically
execution of controls in the overall course of operations?
6.4.6 Evaluation of processes should cover:

1. Management and Strategy (does it exist or not?)
a) Organisation structure
b) Clear identification of powers and authorisations
c) Transparent, generally applied valid procedures
d) Goals and objectives, strategies of achieving objectives
e) Performance indicators
f) Measures to identify risks and areas to be improved
g) Actual risk management culture
h) Information system to identify internal or external information necessary for
i) Communication system to provide proper information to the recipients within
the deadlines set.

2. Accounting Budget Reporting
After the initial overall evaluation of accounting, financial and information systems,
the internal auditor's/inspector's role shall be to focus on areas linked with
potential financial and system-based risks in terms of missing or insufficient
procedures and controls.

Potential risks in the accounting area may include for instance:

a) Unrealistic asset values
b) Cases of negligence in maintaining accounting records
c) Accounting documents lacking for some accounting entries
d) Accounting entries with incorrect amounts
e) Accounting entries made on incorrect account
f) Chart of accounts applied incorrectly or not adjusted


g) No accounting entry made where it should have been made or wrong
accounting entry and final balances not explained or unchecked accounting
records corrected incorrectly
h) disputable state of accounts due to the fact that the auditee concerned does
not do any accounting entry or does not report any accounting entry in the
period which such entry is related to in terms of time or its subject matter
(hereinafter referred to as the "Accounting Period")
i) Concerns about reliability of auditee's financial statements or management
schemes

Potential budgetary risks may include:
k) Risks linked with respecting of the budgetary indices,
l) Risks of transparency, completeness and reality of the budget,
m) Risks connected with budgetary measures,
n) Risks connected with the budget observation,
o) Risks connected with other than budgetary sources,
p) Other risks for instance: failure to observe the limits of accounts, budgetary
structure etc.
6.5 Review of Financial Processes

6.5.1 Budgeting

Activities involved
The key areas that an auditor/inspector should focus on include budget;
- Formulation
- Approval
- Execution
- Control

Key Control Objectives:

To ensure that;
1. The ministry's budget is prepared in accordance with the laid down regulations
and instructions,
2. There is effective monitoring of expenditure and revenue against estimates
3. The budgetary control is effective.

Key Risks
- Inadequate monitoring and reporting results into overspending and under
- Government's priority areas may not be catered for as per the set plan.
- Poor quality budget estimates because of the wrong budget estimates being

Important Records needed for the audit

At the start of the audit, the auditor/inspector should request for the following;
1. Approved budget
2. Development Plan
3. Budget Work Plans
4. Vote books


Budget Audit Programme

Ref Audit Programme Tasks
Budgetary Preparation
1 Review;
- Review the personnel charged with budgeting.
- The various departments' annual work plans and budgets.
- The annual plan and budget approval.
Budgeting, Monitoring and Control
2 Examine the vote books and confirm that the vote books correctly record the
amounts as per the approved budget estimates.
3 Examine the vote book and confirm whether the expenditure budget has
been adhered to.
4 Ascertain whether timely action was taken when applying budget revisions.
5 Review appropriate reports to confirm whether the actual expenditure against
budget estimates are monitored by the relevant parties.
6 Through discussions with the Head of Finance and review of relevant
reports, confirm that there is monitoring of actual revenue against the set
revenue estimates.


Donor Funds

Activities involved
The main emphasis is on the receipt and expenditure of donor funds.

Key Control Objectives
To ensure that;
1. There is VFM in the utilization of the funds received.
2. The funds are used in accordance with the set terms and conditions.

Key Risks
1. Failure to fulfil the donors' set conditions.
2. Inadequacy in the reporting of donor programme support.
3. Poor control over the funds resulting into loss of future support from the various

Important records needed for the audit

At the start of the audit, the following should be availed to the auditor/inspector;
a) A listing of all funds received from the donors;
b) Copies of agreements with service providers and contractors;
c) Bank statements;
d) Copies of receipts for the received funds;
e) Copies of Accountability Statements;
f) Copies of the agreements that were signed with the donors.

Suggested Sampling
It is advisable to select 100% of all programmes.


Audit Programme-Donor Funds

Ref Audit Programme Tasks
Funds received and the signed agreements
1 Contact the donor and request for a schedule of all the funds donated to the
entity. Use the schedule to confirm that the receipts have been issued for all the
received donations.
2 All the donations have been posted in the relevant books of accounts and
appear on the bank statements
Stock register-(for non-financial materials donated)
3 Ensure that the materials have been entered into the relevant books of accounts
e.g. the donor stock record
4 Undertake site visits to confirm existence of the materials
5 Confirm that complete and accurate financial statements are prepared and
submitted in accordance with the agreed upon terms in the agreement with the
6 Contact each donor and get their view on whether they are satisfied with the way
the funds were utilized and accounted for.

Revenue Collection, Receipting and Banking

Activities involved
The auditor's/inspector's emphasis will be on all revenue collection and receipting

Key Control Objectives
To ensure that;
A. All revenue is accurately and promptly recorded.
B. The collected revenue is banked promptly.

Key Risks
1. Incorrect revenue accounting and recording.
2. Under banking of revenue.
3. Poor revenue collection.
4. Poor physical control over the collected cash.

Important records needed for the audit
The auditor/inspector should request for the following documents at the start of the

a) Organizational chart;
b) Revenue registers;
c) Cash books;
d) Daily cash and cheque summaries;
e) Bank statements;
f) Register of receipt books;
g) Register of paying-in books.

Suggested Sampling
It is advisable to select 100% of all the previously issued receipt books.


Audit Programme-Revenue Collection, Receipting and Banking

Ref Audit Programme Tasks
Preparation and banking of Receipts
1 Ensure that the authentic signature for the officer responsible for signings is on
the cover of each and every receipt book.
2 Confirm that the details on the receipts are legible.
3 Match receipts to the amounts banked and the details on the bank statements.
Ascertain that receipted monies were banked intact.
4 Ascertain that the amounts in the revenue collector's cash book agree with the
bank deposit slips.
5 Trace the deposits to the main cash book
Receipt Register Integrity
Using the receipt register, validate the authenticity of the signature of the person
signing on the receipts.
Reconcile each revenue collector's receipt books to the central receipts register.
Physically inspect all the unused receipt books and ascertain that their
sequences agree to the receipt register
Examine the receipt register and ascertain that all issued receipt books were
signed for.
Posting and Accuracy
Check the casting and balancing of the receipts cash book.
Post the receipt totals to the general ledger


Salaries, Pensions, and Gratuities

Activities involved
Under salaries and pensions, the following are of emphasis;
- Appointment;
- Gross pay;
- Salary levels;
- Compulsory deductions;
- Employee Training, etc.

Key Control Objectives

To ensure that;
a) The set procedures are adhered to.
b) The maintained records are adequate and accurate.
c) The right security measures are in place to safeguard monies/ cheques to be paid

Key Risks
1. Failure to comply with the set regulations and guidelines in the recording, paying
and reporting of salaries/pensions.
2. Salaries paid may not be authorised.
3. Incorrect posting of the payments in the ledgers and the cash books.


Important records needed for the audit

The following records should be requested for at the start of the audit;
a) The current approved salary structure;
b) Staff records (of the selected sample);
c) Advances register;
d) Overtime register;
e) Time keeping register;
f) Leave records;
g) Training records; and
h) Sickness records.

Suggested Sampling
Select one month's payroll for your audit.

Audit Programme-Salaries, Pensions and Gratuities

Ref Audit Programme Tasks
Payroll Payments
1 Agree 100% payroll payments to the register;
Check that all the amounts tally.
2 Using the current approved salary structure (and a 25% sample of all staff),
confirm that:
- All posts are paid as per the established grade.
3 Review the deductions made and ascertain that they are reasonable. Investigate
any large variances found.
4 Get a list of the significant allowances/advances and ascertain that the
transactions were approved by the relevant person and that the correct procedures
were followed.
5 Check 100% of the net amounts per the payroll to the bank transfer instructions.
6 Ascertain that the total amount of the bank transfer instruction is reflected on the
bank statement.

Payroll Deductions
7 Review the casting of the payroll deductions to ascertain that the given total is
8 Ascertain that the deductions have been paid to the respective creditors (e.g.
9 Ascertain that the recovered advances have been correctly recorded in the
advances register.
Payroll Records
10 For the selected sample of the employees, verify that they are actually in
11 Confirm that the contained salary grade in each staff's record file is the same as
that on the Establishment Register
12 Ascertain that there is a permanent record of each employee's service
13 Ascertain that the necessary changes have been made to the Register, especially
with regard to new employees and those who have left.


Non-Wage Payments

Activities involved

Such an audit would focus on;
1. Requisitions
2. Authorisations
3. Local purchase orders (LPOs)
4. Receipt of goods
5. Payment vouchers
6. Payments (cash or cheques)
7. Postings in the relevant books of accounts

Key Control Objectives
To ensure that;
a. All payments are within the relevant approved budgets.
b. The expenditure incurred was approved.

Key Risks
1. Non-existent budget allocation for the payments made.
2. Payment made to wrong persons.
3. Wrong posting of payments in the cash book.
4. Payment vouchers may not have supporting documents.

Important records needed for the audit

The auditor/inspector should request the following documents at the beginning of
the audit;

a) Cash book;
b) Requisitions;
c) Copies of bank payment instructions;
d) Local purchase orders (LPOs)
e) Goods received notes;
f) Accounting records;
g) Stores records;
h) Approved signatories lists;
i) Listing of all the approved suppliers and contractors


Audit Programme-Non-Wage Payments

Ref Audit Programme Tasks
1 Ensure that the payment voucher has been properly completed and authorised
by the concerned parties.
2. Ascertain that the payment voucher is supported by;
- A departmental requisition for the required goods/ services.
- A copy of the LPO.
- Copy of the delivery note from the supplier
- A GRN from the stores.
- A supplier's invoice
3 Review the purchase requisition, LPO and GRN and ascertain that the
appropriate officers have completed and signed them.
4 Ascertain that the expenditure has been charged to the correct vote.
5 Ensure that the payment instructions have been recorded in the Payments
6 Ascertain that the payment instructions were signed by the authorised
7 Ensure that the payment instructions were directed to the correct payee as per
the contract.
8 For fixed assets purchased, ascertain that they are correctly recorded in the
fixed assets register by checking from the goods received note to the fixed
asset register.

Advances and Allowances

Activities involved
The main areas of focus include;
- Personal advances;
- Administrative advances.
Key Control Objectives
To ensure that;
a) All personal and administrative allowances are approved in accordance with the
specified rates.
b) The advance accounts are accounted for and well managed.
Key Risks
1. Poor control over advances and allowances.
2. Improper use of entity funds.


Important records needed for the audit
The auditor/inspector should request the following records at the start of the audit;
a) Advance register;
b) Cash book;
c) Payment vouchers for advances;
d) Advance account ledger.
Audit Programme-Advances and Allowances
Ref Audit Programme Tasks
Personal Advances
1 Ascertain that recoveries are being made according to schedule, and recovery
is not overdue.
2 Check salaries to ascertain the necessary deductions were made from the
concerned staff.
3 For resignations, retirements and dismissals, ascertain that the outstanding
advance balance was fully recovered.
4 Ascertain that the advance was properly authorised.
Administrative Advances
5 Confirm that full accountability was submitted within one month of original
6 Ascertain that the submitted accountability has supporting documents
7 Confirm that the amounts advanced agree with the amounts authorised
Non Current (Fixed Assets)
Activities involved
This focuses on assets like;
- Land
- Buildings
- Roads and bridges
- Machinery and Equipment
- Furniture and fixtures
Key Control Objectives
To ensure that there is adequate management of all categories of fixed assets.
Key Risks
1. Poor control over the management of the assets.
2. Poor maintenance of the assets.
3. Breach of policies concerning the acquisition and disposal of assets.


Important records needed for the audit
The following records should be requested at the start of the audit;

a) Asset register
b) Title deeds and registration documents
c) Cash book
d) Payment vouchers
e) Policy concerning acquisitions and disposal of assets

Suggested Sampling

Select all assets acquired during the financial year.
Audit Programme-Non Current Assets (Fixed Assets)
Ref Audit Programme Tasks
Asset Acquisition
1 Confirm that the policies regarding acquisition of assets were adhered to.
2 Ascertain that the asset was recorded in the general ledger.
3 Confirm that the asset cost reflected in the general ledger agrees with the
payment voucher.
4 Confirm that the correct asset details, costs, and ownership details have been
properly captured in the asset register.
5 Obtain and review a schedule of the asset balances as per the fixed assets
register, add it up, and ensure that it balances, or has been formally reconciled
with the related general ledger account. Investigate any variances found.
6 Verify a sample of the assets by physically inspecting them.
7 Ascertain that the title deeds are available and that the ownership is in the
name of the entity.
8 Confirm that a policy for repairs and maintenance of assets is in place and
ascertain that it is adhered to.
9 Review the maintenance costs and charges made to the ledger accounts and
check that they are reasonable.
Operations and Usage
10 Confirm that the assets are being used for the tasks that they were intended for.
11 Ascertain that appropriate security measures are in place to safeguard the
12 Check that stock records like fuel and tyres for a particular vehicle agree with that
vehicle's maintenance card.
13 Examine the log books for the sampled vehicles and investigate the reasons for
the low or excessive use.
14 Confirm that the vehicles are being used for the appropriate task that they were
meant for.
15 Ascertain that a system is in place to record all costs and expenditure for each
individual vehicle.


Debtors, Prepayments and Advances
Activities involved

This covers the audit of debtors, prepayments and advances.

Key Control Objectives
To ensure that;
a. Debtors, prepayments and advances have been recorded at period end;
b. The amounts in the balance sheet are stated on a consistent basis.
Key Risks
1. Misstatement of debtors, advances and prepayments.
2. Inaccurate recording of amounts due from third parties.
3. Inappropriate valuation of debtors, prepayments and advances.
Important records needed for the audit
The following records should be requested at the beginning of the audit;
a) Schedule of debtors, prepayments, and advances.
b) Accounting records
c) List of bad debts and write-offs
Audit Programme-Debtors, Prepayments and Advances
Ref Audit Programme Tasks
1 Obtain a schedule of debtors and prepayments.
2 Confirm that the schedules add up correctly.
3 Confirm that the totals agree with those in the debtors control account.
Where they don't agree, ascertain that a reconciliation was prepared.
4 Confirm that the debtors' balances agree with the debtors' statement.
Bad and doubtful debts
5 Establish the basis for the provision of bad and doubtful debts.
6 Ascertain the debtors/ revenues written off during the year.
7 Confirm that all write offs were properly approved and accounted for.
8 For advance payments, check that a performance bond exists.
9 Ascertain that the original payments were authorised.
10 Confirm that prepayments are being made according to the established


Cash and bank balances
Activities involved
The following areas are important;
- Treasury management;
- Cash and bank balances;
- Cash book operation
Key control objectives
To ensure that;
a) All bank accounts are properly reconciled.
b) Cash books are properly maintained and regularly reconciled to the Bank
Key Risks
1. Misuse of funds due to poor control mechanisms

Important records needed for the audit

The auditor/inspector should request the following records at the beginning of the
a) Bank account details
b) Certificates of bank balances
c) Cheque books
d) Bank reconciliations
e) Cash books
Suggested Sampling
Select 100% of bank accounts


Audit Programme-Cash and Bank Balances

Ref Audit Programme Tasks
Bank Accounts
1 Obtain details of all bank accounts with full titles, account numbers, and
authorised signatories.
2 Obtain a copy of the contract and correspondence with the entity's bankers.
3 Confirm that all subsidiary bank accounts are operated on an imprest basis.
Cheque Control
4 Confirm that the cheques are kept in a safe place.
5 Ascertain that a cheque register is in place and that all cheque books in use were
recorded
6 Ascertain the signatures on the cheques.
7 Confirm that the stock balance of cheques is verified regularly e.g. once a month
8 For cancelled/spoilt cheques, inspect the cheques to ascertain that they were
properly cancelled.
Reconciliation of cash books with Bank statements
9 Verify the independence of the person responsible for preparing and despatching
cheque instructions.
10 Verify the arithmetic accuracy of the reconciliation
12 Get direct confirmation of account balances from the banks, and compare
them with the cash book balances.
13 Check the arithmetic accuracy of all cash books and check every cash book
balance to the respective GL accounts.
Trade Creditors and Accruals
Key Control Objectives
To ensure that there is proper and correct recording of creditors and accruals.
Key Risks
1. The recorded creditors may not represent all the amounts due to third parties.
2. Inaccurate stating of creditors and accruals.
Important records needed for the audit
The auditor/inspector should request the following records at the start of the audit;
a) Accounting records
b) Schedule of trade creditors and accruals
c) Commitments register
d) Age Analysis
e) Annual Accounts


Audit programme-Trade Creditors and Accruals

Ref Audit Programme Tasks
Trade Creditors
1 Obtain a schedule of creditors as at the end of the last quarter.
2 Confirm that the schedule adds up correctly
3 Ascertain that the creditors' totals agree with the details in the creditor
control account.
4 Confirm that the creditors' balances on the schedules agree with the
creditors' statements.
5 Get explanations for any material reconciling differences.
Non Trade Creditors and Accrued Liabilities
6 Verify that the basis for this year's accrued liabilities is consistent with
the previous year's.
7 Confirm that the basis for the provisions is consistent with the
previous years.
8 Confirm that the material provisions have been disclosed.
Key Control Objectives
To ensure that;
a) Loans have correctly been recorded in the balance sheet.
b) The loans have been obtained in accordance with the relevant laws.
Key Risks
1. The correct procedure was not used when obtaining the loan.
2. Under declaration of the loan amounts received.
3. Wrong postings in the financial statements.
4. Non compliance with the loan terms.
Important records needed for the audit
The auditor/inspector should request the following at the beginning of the audit;
a) Loans register
b) Accounting records
c) Loan agreement
d) Commitments register
e) Loans ledger


Audit Programme-Loans/Borrowings

Ref Audit Programme Tasks
1 Verify that the procedure used to obtain the loan was in line with the relevant
laws and guidelines.
2 Verify that the loan was approved by the responsible officer.
3 Ascertain that the loan was used for the purpose it was intended for.
4 Review the terms of the loan and verify that they are being complied with.
5 Confirm that all interest and principal due on the loan has been paid or
6 Obtain an official statement from the lender and confirm that it agrees with the
loan records.


Article 7
Audit Inspection

7.1 Introduction

This article provides the Inspector / the Auditor with an overview of the theoretical
assumptions concerning the execution of an inspection in the public administration.
The objective of the audit inspection is to determine how well financial transactions
and/ or operating controls conform to established laws, standards, regulations and
policies and procedures. It is against this background that the inspector MUST first
identify and obtain all the applicable standards, regulations, policies and procedures.
S/he must then read and understand them prior to undertaking an inspection.

7.2 PAF Inspection Procedures Overview

7.2.1 Mandate:
The Public Finance and Accountability Act 2003 mandates the Ministry of Finance to inspect
Local Governments, Central Governments and other entities to ensure that the funds
released to them are used for the purpose for which they were appropriated and
properly accounted for.

PAF Inspection is carried out to control, monitor and evaluate the performance of
Local Governments. Inspection promotes standardization, uniformity and consistency
in the implementation of Government policies and programmes for improved service
delivery across the Local Governments. It helps in determining the adequacy of internal
controls, the accuracy and propriety of transactions, the safeguarding of and accountability
for assets, and the level of compliance with Government laws, regulations and procedures.

7.2.2 Expected benefits of inspection
When undertaken on a regular basis and in a comprehensive manner, inspection will
help the Ministry to:-
a) Confirm that projects being implemented conform to the set goals and objectives
b) Review operations and programmes to ascertain whether the implementation is
consistent with the regulations
c) Establish whether programmes are being carried out in accordance with the
budget, work plans, and in time
d) Identify factors that inhibit satisfactory performance and ensure that strategies addressing
them are developed and implemented
e) Put in place mechanisms for measuring and reporting the accomplishments of
objectives and outputs.

7.2.3 Methodology for inspection
PAF inspection will use the following methodology:
a) Physical visit to the districts, municipal councils and town councils
b) Reviewing of relevant official documents and records
c) Interviewing of key personnel of the local governments
d) Site visits to projects under implementation and those already implemented
e) Recording of the findings during inspection


f) Reporting to the PS/ST, D/ST, DB, AG, and other relevant authorities of the


7.2.4 Criteria for inspection
When carrying out inspections, the Inspectors are expected to follow the following
procedures.

Releases from MoFPED
Confirm that cash released was received and duly recorded in the cash book and
that the bank account has been reconciled.

Confirm that cash due to lower councils was remitted and recorded. This should be
confirmed with the cashbooks, Bank statement and reconciliations.

Ensure that all books of accounts are posted up to date, i.e. abstracts, cashbook for
general account, ledgers and vote books.

Work plans and progress reports
Obtain work plans from the CAO and heads of departments for the quarter being

Check with departments on the implementation of the work plans in the quarter and
activities which spill over to other quarters. The areas to be covered include;
Water and sanitation
Monitoring and accountability.

Review work plans for the quarter and progress reports and ascertain the
absorption of funds per sector identified and analyse the overall fund absorption per
quarter.

Monitoring and evaluation
Obtain monitoring reports and confirm that they are in line with the work plans and

Obtain minutes of the district council to confirm their involvement in the planning,
monitoring and evaluation of the PAF Programmes.

Confirm the existence of the following statutory Boards and Commissions namely;
a) Contracts Committee
b) District Service Commission
c) District Public Accounts Committee

To confirm their operations and effectiveness, obtain minutes of their meetings.

Staffing levels
Confirm whether all the positions have been filled
Check whether the positions were filled transparently
Look at the organization structure of finance, audit and procurement


Establish the number of staff on professional training and those who have
Check on staff deployment.

Programme implementation
While at the departments, randomly identify the projects to inspect (Emphasis
should be given to projects far away from the district headquarters)

The following should be inspected (At least 3 sectors should be inspected in a

A) Education/UPE Schools
Class room construction
Pupil enrolment levels
Staffing levels
School records

B) Health Centres
Constructed health centres: check whether the buildings are of quality to
match the money budgeted and paid
Availability of health workers
Availability of records, i.e. inventory records, books of accounts, etc.

C) Water and sanitation
Water coverage and how it has changed over the periods
Boreholes/wells constructed
Springs protected
Confirming whether it is functioning
Confirm the existence of the local water committee

D) Roads
Inspect roads constructed
Check whether drainage has been provided for
Maintenance of existing roads

E) Production
Check whether extension workers are in place
Look at the reports of the extension workers
Look at the projects worked on and their impact on areas where they have
been implemented.

Check on LGDP funds received
Check how the LGDP funds have been allocated
Check on LGDP expenditures and accountability

Bookkeeping and accountability
Confirm that all books of accounts i.e. cashbooks, vote books, ledgers, abstracts,
and payroll are posted up to date and are reconciled monthly.


Confirm whether the above books of accounts have been checked and verified by
CFO and the internal auditor/inspector.

Revenue recording
Obtain sources of locally raised revenue and
Confirm if all local revenue estimates are shown in the revenue register in
accordance with Financial Regulations.
Establish if the revenue collections are periodically reconciled or registers
Establish whether the arrears of revenue are recorded and summary submitted
to the Executive Council for appropriate action.

Cash books
Confirm consistency of opening and closing balances
Confirm whether they are reconciled to bank statements regularly
Check for the arithmetic accuracy of the balances
Check for any unusual items
Confirm that each account has a separate cash book

Abstracts: Revenue & Expenditure
Is there an abstract book showing the funds trail
Confirm whether the abstracts were balanced off.
Check for arithmetic accuracy
Confirm the frequency of posting abstracts

Ledgers
Check whether ledgers are in place
Ledgers should be updated monthly
Check for arithmetic accuracy
Check the ledgers against the abstracts to ensure that the figures reconcile

Accountability
Check for:
Compliance with accounting procedures, guidelines and regulations
Transparency in expenditure framework
Accuracy and completeness in transactions
Audit queries raised and responses to them
Whether the figures in the returns submitted tally with the ledgers, cashbooks
and abstracts

Expenditure returns
Check whether they are comprehensive and timely prepared
Do they comply with recommended formats?

Remittance of taxes to URA
Confirm whether the district deducts PAYE and withholding tax from employees
and suppliers
Check whether all taxes deducted have been remitted to URA

Obtain a copy of the quarterly audit report.
Establish the budget allocation to the audit department, quarterly and annually
Establish if management acts on the auditor's/inspector's reports

Staffing position
Find out;
Posts substantially filled
Posts acting
Vacant posts

7.3 Audit Inspection of Missions Abroad

This consists of the following sub accounts areas:-
i. Releases (RBCs, any other)
ii. Development expenditure
iii. Revenue (visa, passport, rent, etc.)
iv. Remittance to treasury
v. Monthly expenditure

7.3.1 Releases (RBCs)

Audit Objectives

- To establish whether releases (RBCs) are receipted and accounted for monthly
(monthly returns)
- To ensure that releases are as per the approved budget with the exception of
special and supplementary releases.
- To ensure that amounts released are actually remitted and received.
- To ensure that all payments made were authorized.
- To ensure that funds released were put to the purpose intended and properly
accounted for.
- To ensure that payments for salaries, FSA and other allowances to Mission staff
are at the approved scales/rates.
- To ensure that all home based Foreign Service officers recalled or who retire from
service are deleted from the mission's payroll promptly.
- To ensure that all rent payments for Foreign Service officers are properly
supported with tenancy agreements and acknowledgement receipts from the




Error Conditions

Remittances not receipted
Amounts remitted less than those released
Monthly returns not prepared and sent for audit
Over payment of salaries, allowances & FSA
Unsupported payments
Unauthorized re-allocation of funds

Audit Tests

a) Obtain copies of the budget, releases, remittance advice and mission bank
statements and reconcile. Note any discrepancies.
b) Vouch / examine the monthly returns to ensure that there is proper accountability
of funds released.
c) Check whether the funds were put to the purpose for which they were
requisitioned and note any reallocations.
d) Check whether salaries, allowances and FSA to home based foreign service
officers were at the authorized rates/ scales
e) Check whether all rent payments were supported with tenancy agreements and
acknowledgement receipts from the landlords.
f) Confirm whether officers recalled or those who retire from service are deleted
from the mission's payroll and all their entitlements from the Mission's funds
cease immediately.
g) Confirm whether payments made to facilitate officers at the mission conform to
the standing orders for Foreign Service.
h) Confirm whether the Mission's contracts committee handled all procurements and
disposals at the mission. Minutes and other correspondence should evidence
i) Check whether all payments made were initiated and authorized.
j) Confirm whether there was compliance with the TAI, Public Finance and
Accountability Act, Public Procurement and Disposal Act plus other Government
regulations and guidelines in the processing of transactions.
k) Check whether the engagement of local staff was competitively done and whether they are paid
according to the established local terms of service.
l) Confirm whether funds advanced to officers while on official duties were properly
accounted for.
m) Others (please specify).


7.3.2 Revenue and remittances to treasury

Audit Objectives

- To ensure that all revenue to which the mission (Government of Uganda) is
entitled is collected.
- To ensure that all such revenue collected is properly accounted for and entered in
the records (i.e. general receipt books, revenue cash books etc.)
- To ensure that all such revenue collected is banked intact
- To ensure that all revenue collected is remitted to treasury monthly and returns
also sent.



Error Conditions

Non-disclosure of revenue collection
Unauthorized use of NTR.
Non-remittance of revenue to treasury
Circumvention of T.A.I, 2003 (i.e. Collections not receipted, banked intact,
collections not posted in the revenue cash book etc.)
Invalid receipts brought to account.
Use of Visa stamps instead of Visa stickers

Audit Tests
a) Ascertain details of all sources and rates of revenue to the mission (i.e. visa,
passport, rent etc).
b) Compare revenue returns with the general receipt books, revenue cash books,
revenue abstracts, and mission bank statements.
c) Obtain details of general receipt books issued by the Treasury to the missions
and compare with the serial numbers used. Investigate any discrepancies.
d) For the Mission, confirm whether visa stickers are in use as opposed to Visa stamps.
e) Ensure that separate bank account (s) for NTR is/are maintained and regularly
f) Check whether all collections were banked intact.
g) Ask for proof of remittance to Treasury (i.e. T.T forms and general receipts issued
by the Treasury).
h) Investigate any discrepancies between NTR collected and remitted to the
consolidated account.


7.3.3 Government Assets

Audit Objectives

- To ensure that all government assets are acquired only with proper authority
- To ensure that all government assets are properly maintained and used only in
the execution of government business
- To ensure that all government assets are accounted for, labeled and recorded
(assets register)
- To ensure that disposals of government assets are properly authorized.
- To ensure that there was adherence to the Public Procurement & Disposal Act in
the acquisition & disposal of Government assets



Error Conditions

Misuse of government assets
Lack of proper documentation
Unregistered government assets
Disposals without authority
Poor maintenance, handling and squalid conditions

Audit Tests

a) Obtain a fixed asset register of all high value government assets
b) Confirm existence by ascertaining the physical location of all high value
government assets
c) Ascertain ownership of high value government assets by inspecting the logbooks,
land titles/leases, purchase agreements, etc.
d) Trace some high value government assets to the fixed asset register
e) Check/ reconcile stores ledgers with physical items in the store.
f) Where there were disposals, scrapping, etc., check whether they were subjected to
established government procedures on disposals.
g) Check the physical conditions of the assets and their current state to establish
whether their maintenance, handling and storage are appropriate.


7.3.4 Financial Statements (Final accounts)

Audit Objectives
- To ensure that the final accounts portray a true and fair view of the entity as per
the available source documents
- To ensure that all relevant books of accounts were opened during the financial
year and posted.
- To ensure that all transactions that took place in the financial year were
accurately computed, transferred and recorded.
- To ensure that only transactions pertaining to the financial year in question were
included in the accounts.


Error Conditions
Omissions of current year transactions.
Inclusion of the previous year's transactions in the final accounts
Relevant books of accounts not opened and/or posted
Computational errors
Unauthorized reallocations
Unauthorized expenditure

Audit Tests
a) Check whether all the appropriate ledgers were opened up
b) Check whether the amounts debited to the exchequer accounts were the approved
estimates and whether supplementary estimates were also approved and properly posted.
c) Check whether the amount credited to the expenditure item ledgers are as the
figures approved.
d) Check whether all credits to the exchequer accounts as counter balanced by
debits in the cashbook were all authorized cash releases from the treasury and
that there were no omissions or other questionable entries.
e) Check whether proper expenditure items in the budget were charged according
to the nature of the payments
f) Post all vouchers to the cashbook to detect errors, omissions, and mispostings.
g) Post all the vouchers to the abstract and the abstract to the ledgers to verify the
correctness of expenditure items charged
h) For a given period, cast the cashbook, abstract and ledgers.
i) Check whether re-allocations were approved by the secretary to the treasury
j) Ensure that the trial balance and balance sheet genuinely balance
k) Check whether the financial statements submitted were prepared in the format
required by the new chart of accounts.


l) Check whether the figures appearing in the financial statements agree with those
in the already checked ledgers.
m) Check whether the necessary footnotes were included in the final accounts.
n) Check whether the accounting officer signed all the financial statements.

7.4 Compliance & Inspection Checklist

7.4.1 Revenue

The objective of inspecting revenue is to ensure that all moneys due to the
government are properly and promptly collected, recorded, safely kept and banked as
soon as possible so as to minimise losses. It is the duty of accounting officers to
ensure that the above is implemented through instituting the necessary procedures
and controls.

This checklist provides guidelines in inspecting revenue collections in general and
can be easily adapted to help the inspector in checking the appropriation-in-aid (AIA).
Remember that it should serve as a general guideline. Inspectors will have to modify
their inquiries depending on preliminary findings and the nature of the institution that
they are inspecting. They do not have to follow the check list in its entirety but should
pick those areas that are crucial depending on the institution's controls and
experiences of the previous inspections.

Any unusual answers or findings to questions in the above checklist should call for
further investigation and satisfactory explanations thereto should be sought.

Inspection Reviews Matters
Implication Management
Bank accounts
For each ministry, agency or institution, check the
Number of bank accounts maintained
for each of the accounts find out the following:
name and number -
name of bank where the account is
date when account was opened
letter authorising the opening of the
signatories to the account
expected sources of revenue
nature of expected expenditure
current balance
is an associated cash book in
is it posted up to date

check details of credit to the account to ensure
it agrees with what was expressed in expected
sources of revenue

check the details of debit transactions in a
similar manner


check bank reconciliation details of the account
are they up to date
are all direct debits and credits posted to the
cash book
have any transfers been made to and from the
account to the consolidated fund
how often have they been made
is the account dormant, if so, when was the last
transaction to the account
why has the account not been closed

Receipt Books
Find out the details of the receipt books issued from
the Treasury to the ministry or district
number of books issued and their serial
when and to whom issued, etc.

Check whether the ministry or district maintains a
register for the receipt books

Find out to whom the receipt books have been

Pay special attention to those books issued to
upcountry centres/ posts

Check the register details against the stock of
unused receipt books

Check the used receipt books
ensure that they are posted regularly to the
cash book
ensure all copies of the cancelled receipts are
properly marked so and are retained in the

Ensure that the correct receipt is issued for the type
of revenue (Treasury Accounting Instructions
specify two types of receipts: 1001 and 1002)
Are the receipt books stored in a secure place
Are receipts issued in a sequential order

Collections recording
Are collections at the headquarters recorded

Are the collections from outposts/upcountry
centres sent together with copies of receipts to
headquarters for recording and banking

How often are collections from the centres sent
to headquarters

Do the collections tally with receipts records

Are the collections from the outposts checked
for accuracy before processing

Are the collections checked for accuracy to
ensure that the ministry has received the correct
amounts from the payer

Collections safeguard
Are collections stored in a safe area

Is security provided for transportation of
collections to the bank


Are the collections banked intact
are payments made out of collections
without authority from the CTOA
are there any un-authorised payments?

How are collections in foreign money handled
how soon are they banked
is the correct exchange rate utilised

Are collection shortages followed up and

How often are surprise cash carried out

Cheques and bank drafts
Those arriving by mail are they recorded on
who opens the mail -should preferably be
somebody different from the cashier

For all cheques and bank drafts -are they
checked for accuracy before recording

When are receipts issued -should preferably be
after the cheque or draft is cleared

If cheques or drafts are dishonoured
are they recorded in a register and followed
up for collection
are penalties recovered from the payers

Returns to the Treasury
Are they made regularly and on a timely basis

Are they checked by the Treasury on receipt

Has the ministry asked for assistance, in case of

Budget votes/budget line items
Are they overspent
Where did the extra funds come from -
ensure it is not from collections

Outstanding collections
Does the ministry maintain a register of
outstanding collections/defaulting payers
Have steps been taken to recover
outstanding amounts

Budgeted appropriation-in-aid (NTR)
Check the budgeted total AIA
Is any breakdown for it given in the budget
Is distribution of its receipt for the year
Is total collection still on target to achieve
the year's total collection
Is it recorded in a systematic manner
Are collections in excess of NTR remitted to
Commissioner, Treasury Officer of Accounts

Inter-ministry or departmental transactions
Does the ministry expect to receive -
revenue from another ministry or a
government funded institution


What steps have been taken to speed up
the collection

Internal control
Check to ensure that the following functions
are carried out by different officers - where
opening of mails
recording of collections
banking of collections
bank reconciliations

7.4.2 Cash Safeguard and Management
It is the responsibility of the Accounting Officers to ensure that cash is kept safely and
that it is only applied for the authorised purposes. Management should therefore
ensure that all necessary procedures and controls are in place to be able to achieve
the above.

Inspection Reviews Matters
Implication Management
Check to see whether the following are in place:
are the safes properly installed
have they been issued by the Treasury and
recorded thereat
are they properly installed
are they easily
who keeps the keys
are there any duplicate keys, who keeps
is it fireproof

Safe Custody of cash in transit:
how regularly is cash transferred to and
from the bank
who does the transfer - cashier and another
is the transfer done by public means
is the transfer time varied for security
is armed escort requested for

Safe custody of cash:
is cash always kept under lock and key
does the person receiving cash sign for it
and issue a receipt for the same
are proper hand over procedures followed
are surprise cash counts made regularly
are the surprise cash counts made in the
presence of the cashier
are collections banked intact and
immediately
how are cash losses reported

Imprest matters:
Are imprest holders duly appointed?


are adequate imprest sums held?
are imprests maintained in accordance with
the Treasury Accounting Instructions?
Cheques and drafts:
are cheques checked on receipt and
are they crossed and stamped on receipt
are receipts promptly issued for the
are dishonoured cheques registered and
followed up
are unused cheques stored safely/do they
have a register
where are spoilt cheques stored/do they
have a register

Foreign currency:
how is it handled
how is it recorded
when are receipts issued
is there an undue delay between when it is
received and when it is banked

Cash book records:
Are they kept and are they up to date
Are they reconciled regularly

Hand-over and take over procedures:
are they in place

7.4.3 Bank Reconciliation

The purpose of bank reconciliation is to agree the balances of cash in the cash book
and at the bank and to ensure that all transactions relating to cash are captured and
appropriately recorded. In this process it is therefore necessary to compare the
transactions in the ministry cash book with those of the bank account at Bank of
Uganda or any other bank where the account is kept and make sure that they are in
order. It is necessary to investigate the nature and content of those transactions that
appear at the ministry and not at the bank and vice-versa. After establishing the
authenticity of the transactions, necessary accounting entries should be made.

Bank reconciliation is one of the control measures used to ensure that cash is not lost.
It has to be carried out regularly, preferably monthly. The exercise should not be
turned into a mechanical one; all transactions should be examined and any unusual
circumstances should be followed up immediately to ensure that if there are errors,
their nature and causes are established and remedial action is taken immediately.
This is necessary because cash is a fluid asset which is easy to pilfer.


An inspector is therefore expected to pay special attention to bank reconciliation.
Treasury Accounting Instructions require the Accounting Officer to "file for audit
purposes and references, reconciliation statements of their bank balances as shown
in their cash books, the abstracts of their accounts and any other working papers
which may be required to verify the accuracy of their accounts". In addition, "when a
bank account is kept, the balance at the close of business on the last day of each
month, as certified by the bank, will be reconciled with the balance shown by the cash
book in a manner shown on Treasury Form 38 (certificate of bank balance) and the
reconciliation statement, together with paid and cancelled cheques, credit and debit
advice slips and all other supporting documents will be preserved for audit". Any
irregularities unearthed here should be followed up vigorously. The inspector should
therefore carry out the following tests.

Inspection Reviews Matters
Implication Management

Cash Book:
does each bank account have a cash book
is the cash book posted up to date
is it properly ruled-off, cast and balances extracted

Bank Statements:
are bank statements regularly collected from the
are they checked for accuracy in transactions
are bank balances independently confirmed with
the bank

Bank Reconciliations:
are they carried out regularly
are they based on the previous ones
are they checked independently
are they reviewed by a competent staff
are the reconciliations carried out by the cashier -
usually they should not be
are they carried out by a computer, if they are
are they properly filed with the relevant supporting
are they submitted to the Accountant General as

Direct Debits:
these originate from the bank and are shown on
the bank statement
are they investigated when noticed
are they due to bank errors, if so, has the bank
been requested to correct them
after identification are they recorded in the cash
book immediately
are supporting documents obtained from the bank
and filed
is their origin vetted for authenticity and



Direct Credits:
these also originate from the bank
is the bank contacted immediately for their details
are they due to errors, if so, has the bank been
approached to correct them
are they recorded immediately in the cash book
is supporting documentation obtained and filed

Un-presented cheques:
Are they listed each month
is the list checked for accuracy
are those that have taken long to clear
do they include those that have not been collected
are uncollected cheques re-banked

Outstanding deposits:
are the details of these regularly examined
are they followed up to make sure that they are
subsequently banked
is there a mechanism to ensure speedy banking of
are the delays in bankings intentional, are there
any ascertainable trends

Any unusual answers to any of the questions in the above checklist should be
thoroughly investigated and relevant explanations and information obtained if it is to
be assumed that there is nothing amiss. Any identified problem areas should be
discussed with the accounting officer and remedial action should be agreed with him
and be implemented.
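
The reconciliation tests above can be run mechanically over a cash book and a bank statement before the inspector reviews each exception. The following is an added example, not part of the manual: the record layout, the sample entries, the balances and the 90-day threshold for cheques "that have taken long to clear" are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Entry:
    ref: str         # cheque, deposit-slip or bank advice number (assumed unique)
    when: date
    amount: Decimal  # positive = money in, negative = money out


# Constructed month-end sample, not real data.
CASH_BOOK = [
    Entry("DEP-101", date(2024, 6, 3), Decimal("500000")),
    Entry("CHQ-2001", date(2024, 6, 5), Decimal("-120000")),
    Entry("CHQ-2002", date(2024, 3, 11), Decimal("-80000")),  # issued long ago, never cleared
    Entry("DEP-102", date(2024, 6, 28), Decimal("250000")),   # receipted, not yet at the bank
    Entry("CHQ-2003", date(2024, 6, 27), Decimal("-60000")),
]
BANK_STATEMENT = [
    Entry("DEP-101", date(2024, 6, 4), Decimal("500000")),
    Entry("CHQ-2001", date(2024, 6, 9), Decimal("-120000")),
    Entry("DD-77", date(2024, 6, 15), Decimal("-15000")),     # direct debit raised by the bank
    Entry("DC-31", date(2024, 6, 20), Decimal("40000")),      # direct credit raised by the bank
]
CASH_BOOK_BALANCE = Decimal("1490000")  # closing balance per cash book (constructed)
BANK_BALANCE = Decimal("1405000")       # closing balance certified by the bank (constructed)


def _total(entries):
    return sum((e.amount for e in entries), Decimal("0"))


def reconcile(cash_book, statement, cash_balance, bank_balance, as_at, stale_days=90):
    """Sort unmatched items into the checklist's categories and test agreement."""
    cash = {e.ref: e for e in cash_book}
    bank = {e.ref: e for e in statement}
    only_cash = [e for e in cash_book if e.ref not in bank]
    only_bank = [e for e in statement if e.ref not in cash]

    unpresented = [e for e in only_cash if e.amount < 0]
    outstanding = [e for e in only_cash if e.amount > 0]
    direct_debits = [e for e in only_bank if e.amount < 0]
    direct_credits = [e for e in only_bank if e.amount > 0]
    # Same reference on both sides but different amounts: never netted off silently.
    mismatches = [(cash[r], bank[r]) for r in cash
                  if r in bank and cash[r].amount != bank[r].amount]

    # Bank side: add deposits in transit, deduct cheques not yet presented.
    adjusted_bank = bank_balance + _total(outstanding) + _total(unpresented)
    # Cash book side: post the bank-originated items that are not yet recorded.
    adjusted_cash = cash_balance + _total(direct_credits) + _total(direct_debits)

    return {
        "unpresented_cheques": unpresented,
        "stale_cheques": [e for e in unpresented if (as_at - e.when).days > stale_days],
        "outstanding_deposits": outstanding,
        "direct_debits": direct_debits,
        "direct_credits": direct_credits,
        "amount_mismatches": mismatches,
        "adjusted_cash_book": adjusted_cash,
        "adjusted_bank": adjusted_bank,
        "unexplained_difference": adjusted_cash - adjusted_bank,
    }


def sample_result():
    return reconcile(CASH_BOOK, BANK_STATEMENT, CASH_BOOK_BALANCE,
                     BANK_BALANCE, as_at=date(2024, 6, 30))


if __name__ == "__main__":
    for key, value in sample_result().items():
        print(f"{key}: {value}")
```

A zero unexplained difference only shows that the listed items account for the gap between the two balances; each listed item still has to be vetted against its supporting documents.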

7.4.4 Budget and Budgetary Control

It is the duty of every accounting officer to ensure that the amount appropriated to his
vote is properly and economically spent only for those purposes for which the funds
have been appropriated. The Constitution of Uganda stipulates that "The Permanent
Secretary or the Accounting Officer in charge of a Ministry or department shall be
accountable for the funds in that Ministry or department."

Furthermore, accounting regulations require each accounting officer, in respect of the
votes and monies for which he is responsible -

(i) an appropriation for which monies expended were voted, the sums actually
expended were voted, the sums actually expended on each service, and the state of
each vote compared with the appropriation (as varied by any supplementary estimate
approved by the National Assembly before the end of the financial year), which shall
contain such additional information and be in such form as may direct and shall be
signed by the accounting officer;.."


An inspector will therefore check the budget lines of each vote to ensure that what
has been expended is in line with the Appropriation Act details. Budget control
concerns itself with the management of budget allocations. To ensure that this is in
order an inspector will check the following:

Inspection Reviews Matters
Implication Management
Vote books:
does the ministry maintain a vote book
are the postings to it up to date
is it accurately posted
is it checked regularly by a senior officer

Budget lines:
are these specified
are they given the right codes
are their appropriations reconciled with those
posted to the vote book
are they monitored
has there been a reallocation of funds - has it
been authorised
are they updated with any supplementary
are any budget lines over committed, and if so
have they been reported to the proper authority

Payment vouchers:
are they properly filled in
are they accompanied by proper supporting
are some of the supporting documents
how is their authenticity established
are suppliers obliged to pledge indemnity to the
ministry in cases where photocopies are accepted
as supporting documents
are payment vouchers bearing a date later than
purchase orders and/or invoices
are payment vouchers properly posted to the vote
book and ledgers
are they properly filed for future reference

Appropriation-in-aid (AIA):
has it been authorised in the budget
has it been properly recorded
is it monitored
has it been overspent

are any payments made in advance
are they posted to a register opened for this
who approves these payments - does he have
that authority


Authorised officers register:
is a register of authorised officers maintained
does it have their specimen signatures
does it specify the financial limit of their delegation

Foreign payments:
are these in existence
have they been properly approved
are they recorded in the correct manner using
relevant currencies

Trial balances and records:
are these extracted monthly
are the appropriate returns sent to the Accounting
Officer and the Treasury Department

Filing and storage of records:
are the records appropriately stored
are they free from dust
are they protected from floods and fires
are they easily retrieved

7.4.5 Advances and Prepayments

Advances and prepayments are one of the most problematic areas in the quest to
properly control and manage public funds. Year in year out these areas receive
mention in the Auditor/Inspector General's report for most budget votes as the ones
with the weakest controls. As a result a lot of money is lost through advances and
prepayments. As an inspector proceeds to check these areas, a lot of care should be
taken to ensure that the controls in these areas are not only in existence but are also
practised and are reviewed regularly so as to make sure that they remain effective
and up to date.

Advances and prepayments require that amounts given or paid out are properly
authorised, recorded and followed up for accountability. Their records must be
thorough: the recipient must be identified, purpose established and the officer to
effect the follow up must also be known and he should have the powers to effect the
acquittal of the advance or prepayment. Advances include salary advances which
should be subjected to the same treatment as other advances.

To ensure that all the above are possible - an inspector should utilise the check list


Inspection Reviews Matters
Implication Management
Are registers maintained for advances and
where are they maintained
who maintains them
are they checked to ensure that they capture all
advances and prepayments
are they reviewed by a senior and responsible
are they updated on time with acquittals
are reminders sent to the staff regularly

Are the advances and prepayments properly
up to the appropriate limits
are they reviewed to make sure that they are
are they approved for the right purposes
are they applied for the right purposes after

Is it possible to maintain an imprest in a place of the

The register should indicate the following -in respect of
all advances:
date issued
amount issued
purpose of issue, and acquittal date,

Are different registers maintained for the following:
salary advances (in accordance with Treasury
Accounting Instructions)
travel advances (internal and external)
petrol and car repairs etc.

7.4.6 Payroll

This is another of the problematic areas in the quest to control public funds. It is
common to be told that there are ghost staff on the payroll of ministries and
departments. It is therefore imperative that inspectors thoroughly review all
transactions associated with the payroll.

These are basically to ensure that staff are paid the correct salaries, on time and that
proper deductions are exacted from those salaries and are remitted to the
beneficiaries on time. The check list below should assist an inspector in this regard:


Inspection Reviews Matters
Implication Management
How are staff put on or off the payroll
who has that authority
are staff numbers properly controlled for issuance
is his authority free from corruption when it is
does he get feedback by way of report to cross
check and ensure that staff put onto or off the
payroll agree with his original authority.

Staff cards
are these maintained
are they regularly updated
are they kept safely to ensure no unauthorised
do they contain relevant and crucial data e.g.
name of staff
staff number
date employed
date promoted
basic pay
permanent deductions

Are staff on payroll compared with the relevant
establishment positions

Are salary payments in agreement with appropriations, if
not what are the reasons

Are the right codes used to classify and post salaries

Are computations checked for accuracy
are unusual payments investigated for accuracy
and authority
are leave payments/entitlements approved and
are any changes to pay checked for accuracy and
are differences in total salary payments between
different months investigated

Are staff advances properly authorised and followed up
for recovery

Are non acquitted advances recovered from staff
entitlements/ salaries

Is a payroll register produced as an offshoot of salary
is it checked for accuracy
filed for future reference and comparison with
payrolls of previous or subsequent months

Are salaries paid promptly and to the right staff or their
bank accounts
do staff sign for all salaries collected in person
(cash or cheques)
is their identity verified

Are uncollected salaries kept safely and re-banked if not
collected by staff within a reasonable time.


if salaries for particular staff are not collected over
several months are enquiries made about the
identity and actual existence of such staff
are receipts issued for re-banked salaries
are uncollected salaries totals compared with
those salaries not signed for
Are staff salary deductions checked for accuracy and
sent to the beneficiaries on time?

Are all statutory deductions made in accordance with the
law and remitted on time?

Are payroll returns sent to Ministry of Public Service for

Are last pay certificates prepared in accordance with
Treasury Accounting Instructions?

Are payroll staff rotated from time to time?

Do payroll staff have access to personnel records?

An inspector in asking the above questions should
satisfy himself that sufficient controls are in place to
ensure that the correct salaries are paid to staff and
correct deductions are made from staff salaries and paid
to the beneficiaries.

Where there is some risk that the controls are weak, an
inspector should satisfy himself that no loss has been
incurred and then proceed to suggest remedial
recommendations and ensure that they are implemented

7.4.7 Project Accounts

Projects are common in all ministries and departments in Uganda. It is important to
ensure that the accounting records of these projects are appropriately maintained to
the expected standards of government, donors and other stakeholders.

Projects are usually set up as a result of some agreement. The operation of the
project and its accounting records should be guided by the contract. An inspector
should always make sure that before he carries out an inspection, he is fully
conversant with the terms of the contract.

The inspector should use the following check list when planning an inspection of a


Inspection Reviews Matters
Implication Management
Establish the project identification number
Does the project have an agreement stating
source of funds
objects on which funds will be expended
when set up
conditions attaching to it
Does the project have a separate bank account
where is the account kept
who are its financial delegates
is the account active
if not active, why has it not been closed
Has the account been approved by the
Commissioner, Treasury Officer of Accounts and
the Accounting Officer
Does the project have the following in place;
are proper books of account kept
are all receipts accounted for
are payments properly authorised
are bank reconciliations done and properly
are the internal controls appropriate
Are reports regularly prepared for the project
their format and content in agreement with
are they reviewed
are they audited
Staff on the project
are they civil servants
how were they appointed
are the accounts staff properly qualified
Is there a budget
has it been properly drawn up by the relevant
is it adhered to
has it been approved
Is some of the money invested
with prior authority
where does investment income go
is it authorised
Check details of money paid into the account
are the receipts in accordance with the
objectives of the project
do they conform to budget expectations
Check details of payments out of the account
are they in conformity with the objectives and
budget expectations
Does the project keep a fixed assets register
is it up to date
Are cash balances carried forward at year end
are accounts closed at year end
trial balance extracted
reconciliations carried out
end of year accounts drawn up


7.4.8 Public Debt

The government of Uganda's public debt accounting records are maintained in the
treasury department. One of the divisions of the treasury department is charged with
the responsibility of maintaining accounting records of the government public debt,
loans and grants. Public debt, loans and grants are a major component of the
government annual budget. It is therefore imperative that their records are properly

Inspectors should therefore once in a while check the accounting records of the
public debt division within the treasury department. A distinction should be made
between loans, public debt and grants. Public debt refers to government borrowing
within the economy; loans usually refer to money borrowed from overseas; and
grants are donations, usually from overseas.

An inspector should use the undermentioned check-list whilst planning an inspection
of the public debt division.

Inspection Reviews Matters
Implication Management
Is there an agreement/contract for each loan
has it been properly signed and executed
is it filed properly for ease of reference
Is the loan fully disbursed
Are the loan repayments being made on time
for both principal and interest
are repayment schedules in existence
are the repayment schedules adhered to
Are all pertinent correspondence on the loan
properly attended to and filed on the correct loan
has a separate bank account been opened for
each loan
who are the signatories
are movements to and from the account in
accordance with the loan agreement?
Has the project which is associated with the loan
been reviewed and monitored
Was any budget prepared for the project
is the loan in accordance therewith
is the budget up to date
Are the amounts to be repaid (interest and
principal) budgeted for
Are the payments processed and remitted in an
efficient and effective manner
Is the loan information properly recorded,
summarised, analysed and reported
is it possible to easily extract the loan details
due date
outstanding amount
amount repaid to date (principal and interest)


Are the total loan figures available
have they been reconciled,
Are the loans properly numbered
do separate files exist for loans
Are proper returns and accounts made at the end of
each year or end of loan period in terms with the
loan agreement
Is the loan recorded and transacted in the right
What is the status of counterpart funds
are they readily available
are they released in accordance with the terms
of the agreement
are they hampering the success of the project
Are the loans included in the budget
Have they received approval of Parliament
do they fulfil statutory requirements
Are withdrawals properly approved by
Auditor/Inspector General
Are proper books of account kept
trial balances extracted
reconciliations done
accounts prepared on time
Are the returns properly prepared and presented to
Are there other loans for which the government is a
were they properly authorised
are they well monitored
are they up to date
has Parliament been notified of the same
Are ministries or departments borrowings
approved/notified to the Treasury Department
do they have the powers to do so

7.4.9 Procurement and Stores

Government ministries hold a substantial value of stores and fixed assets. It is the
duty of the Accounting Officer to ensure that these stores and assets are
economically acquired, safeguarded and disposed of in accordance with the given
financial regulations and instructions. Inspectors will be familiar with the Treasury
Accounting Instructions 1968 - Part II Stores. These instructions are dated and need
revision but they still serve some useful purpose. The checklist below is meant to
supplement the instructions.


For purposes of this manual, stores do not include fixed assets. The fixed assets
have been handled in the next module.

In planning an inspection of stores, an inspector should refer to the following check
list. The check list looks at the procurement, receipt and storage, issuance and record
keeping and reporting for stores. In all these steps it should be ensured that stores
are safeguarded and losses thereof are minimised.

Inspection Reviews Matters
Implication Management
Stores procurement
Who places the orders
are they in conformity with regulations in terms
size of the order
where to order from - suppliers
Who initiates the order
is it cross checked
is the budget line checked for availability of
is the store checked to find out stock levels
Once goods are received
are they checked against the order
is their condition established
is a receipt issued
are the stock records updated
Are purchases made on time
Are they made through the relevant specialist
Is there an officer responsible for procurement
how does he relate to other staff
What is the procedure for handling overseas
Are local purchase orders utilised
to whom are copies of these forms sent
Is there a file of financial delegates
Are tenders advertised - if they are within the
required values
Is the tenders board in place
Are purchases for outstations properly handled
Are staff availed guidelines to assist them in
where to buy from
who should authorise what amounts
list of approved suppliers
purchases from overseas or from in country
If tendering is involved - were
tenders properly advertised
were applications properly received and
was a meeting appropriately held
were the results communicated

Stores Issuance


Are the goods stored in an appropriate environment
under lock and key
away from water and fire
When issues are made from the store
are they made by an authorised officer
is the store checked for availability of the goods
are the stock records updated
Are the goods available in the stores
Are supplies made to other ministries and
how are they cleared
are payments made between them
Are qualified staff in charge of stores
Is entry to the store restricted
Are book records regularly checked against actual
What procedures are there for reporting stock loss
Are documents associated with ordering and
issuance of stores
kept under lock and key
Is stock taking done regularly
is it checked
Is a reconciliation made between stores requests
and stores issues
Are the forms for requisitioning and issuance of
stock serially numbered
Stores Disposal
How is old and slow moving stock disposed of
Are the procedures for disposing of non useable
Are boards of survey regularly carried out
Where do the disposal proceeds go

Stores Payments
Before payment is made ensure there is a
mechanism to ensure that
goods have been received
proper coding of expenditure has been done
payments are appropriately authorised
funds are available
Are there local stores instructions/manuals which
should cover the following:
issue and disposal
verification of balances
investigation of discrepancies
Is there separation of duties; these tasks should be
kept separate
checking deliveries


authorising payments
Stores Records
Does the store keep records
are the records up to date
are they checked regularly
Are stores receipts and issues posted immediately
and balances determined
Are corrections appropriately initialled
Ensure all procedures are properly recorded
If contracts are involved
are they properly tendered
payments certified
necessary guarantees obtained
retention moneys held until the completion and
review of the contract for quality of work

7.4.10 Fixed Assets

Fixed assets have been treated separately from stores but the same procedures and
controls relating to acquisition, safeguard and disposal of stores apply equally to fixed

Government uses cash basis of accounting. As a result, fixed assets do not usually
receive the attention they deserve. They are expensed on purchase and are not
capitalised; therefore they tend to disappear from accounting records. However, fixed
assets are an important component of government expenditure and therefore require
monitoring and safeguard to discourage waste.

An inspector should ensure that all fixed assets are captured and recorded in a register
for control and monitoring purposes. The check list below should guide him in this regard.


Inspection Reviews Matters
Implication Management
Check to see if there is a fixed assets' register.
who maintains it
is it manually maintained or is it maintained on a computer?
is it updated regularly?
is it updated each year and are the opening
balances verified
where is it kept
Are the assets numbered and branded?
How are assets disposed of?
is proper authority obtained before they are
are boarding-off procedures followed?
are the assets valued before disposal?
how are the sale proceeds handled?
are they duly receipted and banked?
Are the fixed assets verified against the
Review updating of process of the fixed assets
Are there land and buildings
where are the registers kept? Do they have
are the relevant rents and rates paid?
Have the assets been revalued?
by whom - qualified professional?
are relevant certificates attached?
Is the actual existence of the assets verified?
Has ownership of the assets been verified?
Have they been registered with the relevant
the appropriate fees been paid?
Are movements properly recorded?
Are proper records kept of
Have the disposals been made to other
government departments?

The above check list should assist an inspector to plan the inspection of fixed assets.
It is imperative that a fixed assets register is maintained as a basis for monitoring and
safeguarding the fixed assets.


7.4.11 Statutory Returns

All ministries and institutions that receive government funding are supposed to lodge
statutory returns regularly with the Accounting Officer and/or the Treasury
Department in respect of monies received or expended by them.

The details and specifications of these returns are given in the Treasury Accounting
Instructions manual. They include the following:
revenue returns
arrears of revenue
counterfoil forms
revenue stamps
safes and cash boxes

Inspectors should ensure that these returns are lodged on time and should check
them for accuracy and completeness by ensuring that they are in agreement with the
accounting records and books from which they have been prepared.

Inspectors should monitor the regularity by which the returns are submitted and
reminders should be sent to errant ministries and institutions. If reminders are
unheeded then the inspectors should visit the ministry and find out what the problem
is. It may be necessary to assist the staff in compiling the returns.

7.5 Annual Accounts

All ministries and institutions that receive government funding are supposed to lodge
their annual accounts with the Treasury Department. All Accounting Officers are
meant to submit to the Commissioner, Treasury Officer of Accounts and the
Auditor/Inspector General signed statements which include: a balance sheet,
summary of revenue and expenditure and a statement of contingent liabilities. More
statements which are to be lodged at year end are specified in the Treasury
Accounting Instructions. In order to be able to produce the above accounts and
statements, accounts, books, ledgers and bank accounts are closed, the necessary
reconciliations carried out and trial balances are extracted.

It is the duty of the inspectors to ensure that the records and books are properly kept
throughout the year to enable extraction of trial balances which will be used to
compile the accounts and statements. The format of the accounts and statements is
specified in the Treasury Accounting Instructions and this should strictly be adhered

The accounts and statements on being received by the Commissioner, Treasury
Officer of Accounts should be checked for accuracy and completeness before they
are consolidated and submitted to the Auditor/Inspector General's office.

7.6 Inspection of Computerised Accounting Systems

Some ministries and institutions have computerised accounting systems and those
that have manual accounting systems are slowly computerising them. It is therefore
important that inspectors be versed with computerised accounting systems if they are
to carry out effective inspections.


The inspector will need to be familiar with the accounting system. He will have to
know its component parts; the source documents; the processing and the reports it
produces. The source documents and the reports are generally not problematic
because these can be seen. However the processing of the data takes place within
the machine and it is not visible. The inspector should therefore seek assurance that
what comes out of the machine is what he expects.

He will be able to get that reassurance if he knows the various components of the
accounting system. The system will usually consist of a general ledger, cash book
and several other sub-components e.g. payroll, inventory, fixed assets etc. The
system should be documented and it should have user manuals. The inspector ought
to be able to understand them. He should request the accounts and data processing
staff to help him understand the system and how it operates. It is only after he has
acquired this understanding that he can carry out meaningful inspections.

Inspection Reviews

Implication Management
The inspector should always assure himself that the following are in place:
- The system is documented
- The system has user manuals
- Access to the computer is controlled through use of:
  - physical access limitations
  - passwords
- Data is checked for correctness before it is input to the computer through use of:
  - batches
  - check digits
- Data once input will not be deleted or overwritten without proper authority
- All processing failures are logged and enquired into
- Backup is carried out regularly and backup files are stored off site
- Data processing staff are readily available to deal with breakdowns
- Check the output reports for accuracy


Article 8
Performance Audits

8.1 Introduction

8.2 Definitions

The INTOSAI auditing standards define performance audit as an audit of the
economy, efficiency and effectiveness with which the audited entity uses its
resources in carrying out its responsibilities.

INTOSAI standards state that performance audit is an:
a) audit of the economy of administrative activities in accordance with sound
administrative principles and practices, and management policies;
b) audit of the efficiency of using human, financial and other resources, including
examining information systems, performance measures and monitoring
arrangements, and procedures followed by audited entities for remedying
identified deficiencies;
c) audit of the effectiveness of performance in relation to the achievement of the
objectives of the audited entity, and audit of the actual impact of activities
compared with the intended impact.

Performance auditing is an independent examination of the efficiency and
effectiveness of government undertakings, programs or organizations, with due regard
to economy, and the aim of leading to improvements.

It does not have its roots in the form of auditing common to the private sector. Its
roots lie in the need for independent, wide-ranging analyses of the economy,
efficiency, and effectiveness of government programs and agencies made on a non-
recurring basis.

8.3 Questions Answered by a Performance Audit
Are things done in the right way?
Are the right things being done?

8.3.1 Special Features of Performance Auditing

Not subject to specific requirements and expectations.
Flexible in its choice of subjects, audit objects, methods, and opinions.
It is an independent examination made on a non-recurring basis.

8.3.2 Objectives of Performance Auditing

to provide the legislature and audited entities with independent examination as to
the economy, efficiency and effectiveness of implementation of practices in
certain governmental programmes and to the economy, efficiency and
effectiveness of the means used in order to implement it
to identify and analyse any problems of economy, efficiency and effectiveness in
government programmes and in the field with poor performance, and thus help
the Government of the audited entity to make correct managerial decisions
to report on the programme impact and to analyse the achievement of the stated
objectives. If these have not been achieved (partially or totally) the causes will be
to provide the legislature or the audited entity with results of independent
analyses related to the currency and the degree of credibility of stated
performance indices. It also provides an assessment of the degree of liability of
self-evaluation indices stated and reported by the entities developing programmes
of managing public funds;
to formulate recommendations intended for the legislature and the audited entity,
based on the findings and conclusions resulting from the audit

8.4 Concepts in Performance Auditing

Performance auditing is based on three concepts:

1) Economy - Minimising the cost of resources for an activity, having regard to
proper quality.
2) Efficiency - The relationship between the output in terms of goods, services or
other results, and the resources used to produce them.
3) Effectiveness - Effects compared with goals and related to the resources used to
achieve these goals.

8.4.1 The Economy Approach

The auditor/inspector focussing on economy has to define expenditure correctly.

Some of the questions dealt with include:
To what extent are resources like raw materials, equipment etc. acquired at the
best prices and to what extent are they the right resources?
How does actual expenditure compare to the budget?
To what extent are all resources utilised?
Are the staff often unoccupied or are they fully utilised?
Is the organization using the optimum mix of inputs (e.g. should fewer staff have
been employed and more money spent on computers)?

8.4.2 The Efficiency Approach

The auditor/inspector aiming at measuring efficiency has to start the audit by first
analysing the different types of output of the ministry or department being audited.

Questions that may be used in the efficiency analysis of a particular project, ministry
or department are;

Could the project have been implemented in another way which could have
resulted in lower production costs?
Are the working methods the most rational ones?


Are there any bottlenecks which should have been avoided?
Is there any unnecessary overlapping in the delegation of duties?
How well do the different units cooperate in promoting the common goal?
Are there any incentives for the staff involved to aim for cost reduction and to
complete the work on time?

8.4.3 The Effectiveness Approach

If the auditor/inspector is focussing on effectiveness, he will start by identifying the
goals of the programme and operationalise the goals to measure effectiveness. The
auditor/inspector will also need to identify the target group for the programme and
search for answers to questions like;

Has the goal been achieved at a reasonable cost and within the set time limit?
Was the target group defined correctly?
Are the objectives of managerial policy being achieved with the means used, i.e.
are the predicted results being obtained?
Are the means used and the results obtained compatible with the objectives of the
managerial policy?
Does the predicted impact represent a direct result of the managerial policy rather
than one due to other circumstances?

8.5 Approaches to Performance Auditing

There are two approaches;

1) The Results-Oriented Approach

This approach deals mainly with:
- the performance results;
- the results obtained;
- the fulfilment of criteria and the observance of requirements.

In this approach, the resulting performance is analysed in the context of
economy, efficiency and effectiveness by comparing the auditors'/inspectors'
observations to the given norms (goals, objectives, regulations, standards etc.) and
the audit criteria defined before the complete study begins.

Auditors/inspectors may work with experts in the field in order to set up criteria that
are objective, relevant, reasonable and attainable.

2) The Problem-Oriented Approach

The purpose of this approach is to deliver updated information about the problems
and how to deal with them.

In this type of approach:
- The auditing is concentrated on problem identification, verification and analysis, without pre-defined auditing criteria.
- The starting point is the indication of shortcomings and problems (malfunctions).
- Questions are formulated such as: do the stated problems really exist? How can they be understood and what causes them?
- The auditors/inspectors formulate hypotheses on the causes and possible effects of these problems and test them.

8.6 Performance Auditing and the International Auditing Standards

The international auditing standards that regulate the activity of financial auditing are
also applied to performance auditing.

8.6.1 Common Provisions

There are common provisions related to:

- audit planning (examples: the risk is assessed in both audits);
- assessment of accounting and internal control systems;
- audit evidence;
- audit approach;
- audit documentation;
- audit quality.

8.7 Performance Audit Methodology

Performance auditors/inspectors may deal with a multitude of topics and perspectives
covering the entire government sector. Many methods for collecting and processing
information may be used. The methodology is almost similar to that used in other

8.7.1 Summary of the Methodology

1) Planning - The process of defining issues or problems to be studied
2) Audit Questions - The questions to be answered
3) Study Design - The information needed and the study to be done
4) Audit Program - The type of investigations to be conducted.
5) Data Collection - The techniques for data collection to be used.
6) Analyses - The explanations and the relationships to be explored.

Even though these steps constitute the performance audit methodology, it must be
stated that a performance audit must also always be based on qualities such as
individual insight, experience, imagination and creativity.

8.7.2 The strategic performance audit plan

This defines the department's performance audit programme and priorities and
the necessary personnel and resources.
It is founded on a good knowledge of audited fields, the changing environment
and the opportunities presented to the department.


It needs to be flexible enough to allow new topics that emerge during the year to
be introduced.
Unlike a financial audit, which aims to reach an opinion on the completeness and
accuracy of financial statements and the legality and regularity of underlying
transactions, with performance audit the audit institution is free to choose the
audit topics and audit objectives.

8.7.3 Defining fields and selecting studies

Selecting studies includes:
a) the preliminary documentation and understanding of the activity of the entity;
b) identifying risks to performance;
c) evaluating parliamentary and public interest;
d) choosing topics;
e) setting priorities.

Preliminary documentation and understanding of the entity's activities

In order to achieve this purpose, the auditors/inspectors must identify the important
aspects of the environment in which the entity develops its activity, mainly by collecting
information related to:

The entity's objectives;
The resources, including assets;
The incomes;
The entity's legal framework;
The human resources from a qualitative and quantitative point of view;
The environment in which the entity operates;
The entity's reporting obligations;
Geographic considerations;
The organisation and structure.

The auditors/inspectors must also seek to identify the main sources of audit
To obtain the information and understand the entity/activity/project, the
auditors/inspectors will refer to the financial audit reports and working papers, the
static plans of the entity, the business plan, the government and entity
publications, reports of previous audits, and any research from the academic
The information obtained may be summarised in a standard document called a
programme analysis*. The programme analysis includes the following rubrics:
objectives, inputs, processes, outputs, variables, and outcomes.

Here, the auditor/inspector;

Identifies the outcomes the entity aims to achieve.
Looks for objectives that are specific enough to be measured.
Discusses aims and objectives with officials to clarify any ambiguities and identify
any that are unstated.


May analyse information on entity incomes and expenditures (detailed by
programmes and elements).
There should be an ongoing survey of the governmental activities, of the
allocation of public funds and of the management of these funds.
The auditor/inspector should also identify and contact certain persons
with an interest in the subject matter being considered. These persons can be key
persons from the audited clients or beneficiaries of public services having a
commercial relationship with the entity, experts from the academic field or
researchers etc.

Identifying risks and assessing the quality of management

This stage is fundamental.
Auditors/inspectors must take into consideration that some activities carry an
inherent risk.
There is no universal formula to establish areas with high risk.

Factors that may warn of the existence of risk

Unjustified expenditures, exceeding the provisions;
Untouched or partially touched economic objectives;
Cost increases and significant failure to meet deadlines in the case of certain
Complaints, litigation and reactions of the representatives of consumer groups
concerning the quality of services;
High levels of public budgetary debts;
New initiatives inappropriately founded;
Internal systems (of accounting and of control) organised or managed
Significant losses due to natural disasters, theft or extravagance;
Contracts assigned without a competitive process.
The auditor/inspector should rank risks depending on their probability of
occurrence and their impact.
Auditors/inspectors should seek to identify the causes, and effects.

8.7.4 Selecting topics

To better deal with this, the auditor/inspector should ask the following questions:
Was the programme well implemented?
Were the objectives achieved?
Are the economy, efficiency and effectiveness at risk?
Will the study contribute something new to improving performance?
Is this the appropriate moment to perform the audit?
Is it possible to perform the study?


8.7.5 Setting priorities

The main criteria that underlie the priority of a topic are:
The responsibility towards the parliament and the citizens.
Improving performance auditing.
Providing a balanced programme of performance audit.

Possible areas for selection

In drawing up the performance audit programme it will be important to select matters that
cover a large area of studies, such as:

Studies performed in areas with high levels or cases of fraud or illegalities;
Studies assessing managerial performance in fields such as public
acquisitions, project management and service quality;
New governmental initiatives.

8.7.6 Elements of a study proposal

For each study, there are 2-3 proposals after answering yes to the questions
presented above and after ordering them by priority.

The study proposals must be clearly and concisely formulated in a brief notice which
will include the following elements:
What the study is about (the department or the departments, processes and
The motivation of the proposal to perform the study (the existence of the risk in
performance achieving, user reasons, the analysed aspect, the parliament and
public concern);
What questions will be asked;
The main methods to obtain and analyse data and information;
What is the outcome likely to be?
What is the opinion of the entity about the study idea?

8.7.7 Planning the audit activity

This comes after the study selection.
It involves a preliminary study and drawing up an audit plan for each selected
Always perform a preliminary study before drawing up the performance audit plan.
The report on the preliminary study should confirm whether the study is well
founded and whether it should be completed.
It should also include an analysis of the context for the activities involved including
the objectives, legislative environment and the questions, criteria, and how we
propose to obtain and interpret audit evidence.


8.8 Understand the entity's activities

The auditor/inspector should start by obtaining the information necessary to
understand the entity's activity.

This is achieved by:

Visiting the entity's locations.
Performing interviews with key persons.
Consulting experts, academics, bidders and representatives of the beneficiaries
related to the entity's activity.
Understanding key systems of management and information flow.

8.8.1 Auditor's/inspector's role at this stage

Gathering enough evidence to formulate questions.
Setting up criteria for performance assessment
Selecting the most appropriate methods of obtaining other reliable, relevant and
reasonable evidence.
Evaluating whether the study could improve the situation.

8.9 Deciding on the main elements of the study

The auditor/inspector formulates the audit objectives, i.e. the stated results of
effects of the study and may revise the main questions formulated in the
selection stage.
The audit objectives should improve the performance.
Questions are determined by the nature of the topic and by the audit objectives.
The "situation-complication" technique is used to clarify the main questions of
the audit.
The term "situation" defines a brief description of the main study topic, including
the objectives of the audited programme or activity.
The term "complication" defines the problem or the problems arising out of the
situation, and is the reason for the study.

Example 1:

Study of implementing a new informatics system.
To improve efficiency, a Department intended to
introduce in 2001 a new computer system, for which
600 million lei were allocated, with an estimated
increase in efficiency of 50 million lei starting from
the next year.

The computer system was purchased at a price
200 million lei higher than expected, the
implementation was done 5 months later than planned
and the efficiency level is lower than expected.

Question: Was the project well managed?


8.10 Analysing the main study question into sub-questions

The main questions are divided into secondary questions.
From these, the auditor/inspector should formulate hypotheses and identify the
audit evidence that can validate or invalidate the hypotheses.

It is necessary:
- to formulate questions in a logical and strict succession:
  - in a logical order: "Were the acquisitions well planned?", "Were they well done?", "Was the contract executed?";
  - in a structured order: "Is department A efficient?", "Is department B efficient?", "Is section C efficient?", etc.;
- to abandon unessential questions;
- depending on objectives: "Are social indemnities paid to the right people?", "Is the stated quantum paid?"


Main question can the purchasing of a new informatics system, assure the

There are three secondary questions:
1. Did the entity make the acquisition according to the regulations in force?
2. Does the informatics system satisfy the needs of the users at a reasonable cost?
3. Did the entity monitor the observance of the contractual clauses by the supplier?

Secondary question (level 2) "Does the informatics system satisfy the user needs
at a reasonable cost?" may be divided into three further secondary questions.
2.1. Were the requirements for the system clearly formulated from the beginning?
2.2. Does the contractual clauses concerning the service comply with the
2.3. Was a good price obtained?

The secondary question (level 2.3) "Was a good price obtained?" is divided into
three further secondary questions:
2.3.1. Was there a correct competition for the contract adjustment?
2.3.2. Was the competition maintained during all the contracting process?
2.3.3. Were the different forms of public acquisitions taken into consideration?

8.11 Identifying criteria

These are the standards used to judge (evaluate) the performance achievement.
Auditors/inspectors should verify that the criteria are:
Valid, and
Based on authorised sources


The auditor/inspector should consider both the quantitative criteria (numerical) and
the qualitative criteria (good practice in a certain field).

8.11.1 Examples of authorised sources

Legislation, official policy declarations, standards;
Departmental guides and regulations;
Managerial practices accepted by the departments;
Contractual requirements;
Industrial standards and other relevant indices;
Relevant performance objectives and tasks (published).

8.12 Identifying the Audit Evidence That Answers the Study Questions

Audit evidence consists of documents and information collected by auditors/inspectors in
order to support findings, conclusions and recommendations included in the audit
The INTOSAI Auditing Standards state that "Competent, relevant and reasonable
evidence should be obtained to support the auditor/inspector's judgement and
conclusions regarding the organisation, program, activity or function under audit"
(paragraph 3.0.3 (e)).

8.12.1 Role of the auditor/inspector

The auditor/inspector should;

Identify, collect and analyse audit evidence related to the inputs, process
description, outputs and effects, and to the public perceptions or opinions (for
instance public opinion about public services).
Collect audit evidence to answer the lowest level questions,
Take into account any limits that they can find in formulating conclusions.

8.12.3 Characteristics of audit evidence

Audit evidence is only reliable if the information and data obtained by the
auditors/inspectors is:

Appropriate (in order to achieve the audit objectives)

8.12.4 Considerations in assessing reliability of evidence

Audit evidence from sources external to the audited entity are much more
consistent than ones placed inside the entity;
The audit evidence obtained as documents are more consistent than verbal (oral)


The audit evidence directly obtained by the auditor/inspector are more consistent
than those indirectly obtained;
Oral audit evidence corroborated with written evidence is much more consistent
than isolated oral audit evidence;
The corroboration of obtained is a secure technique to consolidate their reliability;
The original documents are more consistent than copies, but if the original
documents are copied by the auditor/inspector, then he must note the source and
the date of photocopy.

8.12.5 Types of audit evidence

Audit evidence is:
Used to demonstrate whether the management and the personnel of the
audited entity perform its activity according to the operative principle stated by
policies and standards adopted, used the resources in an economic, efficient
and effective way.
Instrumental in protecting the audited entity in its relationship with other

Types of audit evidence include;

a) Physical audit evidence
Obtained by direct observation of the persons and events
Takes the form of photos, diagram, and graphical maps and other forms and

b) Oral audit evidence
Takes the form of declarations, which frequently are answers to interviews,
opinion tests etc.
The declarations are usually obtained from the entity employees, the
beneficiaries of the audited programme, experts and special advisors hired to
give support in providing additional evidence and even from the
representatives of the public opinion.

How Declarations are consolidated as audit Evidence

This is done by:
Getting a written confirmation from the person interviewed;
Soliciting independent sources that relate similar facts;
Subsequent verification of recording.

The sincerity of the persons interviewed, their position inside the entity, their level of
knowledge and the desire to collaborate determine the relevance of such evidence.

c) Testimonial audit evidence

Is obtained through documents.
It can be presented in written or electronic form.
Evidence by analysing:


External documents such as: letters and memoranda received by the
audited entity
Inquiries from suppliers
Leasing contracts, other contracts
Reports of external auditor/inspectors, other reports
Confirmation letters from third parties.
Internal documents (issued by the entity), i.e. accounting, external
correspondence, entity description, budgets, internal reports, static
synthesis of the activity carried out by the entity, internal policies and

d) Analytic evidence

Obtained by verifying the explanation and the analysis of data related to the
activities on implementing a programme by the audited entity.
The analyses mainly suppose: assessments (evaluations) of indices and
trends obtained from the audited entity and from other sources. Logically
these indices and/or trends are compared to the recommendations of
standards applicable in the field or of certain technical guides (if the case
Usually numerical (i.e. assessment of the result of using resources or the ratios
of budget expended), but it may also be non-numerical (i.e. noting a growing
trend of a certain type of contestations in the audited entity).

8.12.6 Selecting the methods to obtain and analyse audit evidence

The audit evidence may be obtained by:

Visiting the locations of the audited entity in order to analyse the different
documents existing in files or to perform interviews with key persons.
Sending letters or addressing questionnaires that include a list of questions on the
audited matter.
Analysing a representative sample.

Analysis of files

The auditor/inspector should use professional reasoning when choosing the most
appropriate methods and techniques to obtain audit evidence.
Analysis can be by:


By studying the general behaviour of the entity personnel one can obtain
information related to:
sensitive problems,
the management ethics and
the relationship between the entity personnel and the public/beneficiaries of
public services.


Auditors/inspectors should only choose those activities which will be directly
observed, by selecting activities appropriate for observation and that are
representative for the audited field.
Auditors/inspectors must obtain behaviour similar with auditees behaviour. In
such situations the auditor/inspectors will refer to the quality management of
the entity in order to obtain the approval for using this technique.
Photos, video or audio recording give value to direct observations.

Using Questionnaires

Questionnaires are used to highlight facts or opinions.
If the entity has regional locations, then questionnaires are sent by mail, but
the inconvenience is that those who are questioned may not answer, may
complete the questionnaire with errors or may return it late.

8.13 Selecting the Methods of Interpreting Audit Evidence

In performance audit the audit evidence can be explained by using the following
by filling in tables and designing graphical representations in order to summarise
quantitative data and information;
calculation of performance indices (cost per product unit, income produced by
each person);
drawing up and analysing diagrams;
analysing the relationships between variables;
describing and analysing processes in a flowchart;
filling in a matrix and performing a comparison between criteria and conditions.

8.14 The Preliminary Study Report

This shows the motivation and the procedure that the auditor/inspector intends to
use to perform the study.

8.14.1 Contents of the report

a) The study scope and costs and the estimation of the publishing moment;
b) The analysis of the context in which the activities of the entity proposed for audit
are carried out, including the auditing objectives, the updated results and the
legislative framework;
c) The risk analysis in achieving the performance;
d) The audit objectives (stated impact and audit effect).


8.15 Summarising, Analysing and Interpreting Audit Evidence

8.15.1 Summarising data and information

The auditor/inspector can use any of these methods:

- Tables: statistical data, results of observations, responses to closed questions of
- Coding (ordering by topic and ideas) of the narrative information, results of
  document analysis, notes during the interviews and focus groups and responses
  to open questions of the questionnaires.

After summarising the audit evidence, the auditor/inspector should perform an
assessment so as to ascertain the consistency.
Data and information are coded depending on topics and ideas, so that the
auditor/inspector may perform comparisons and other analysis.
Matrix and diagrams will be used to summarise data and information of a process
in order to interpret them.

Entity A B C D E F
Were tenders invited to send offers?
Was the specification drafted?
Was a contracting collective created?
Was a project manager appointed?

8.15.2 Analysing causes and effects

This is done after audit evidence has been summarised and analysed.
The auditors/inspectors start their interpretation using a procedure that takes into
consideration four main elements:
Criteria: What should be?
Condition: What is, i.e. the entity's activity, outputs and/or effects?

8.15.3 Studying the causes

A process-effect matrix is used to understand how a certain process determines
and influences the effect.
A matrix is used to:
- Describe audit evidence which sustain that the effect is induced or influenced
by the process;
- Describe audit evidence which does not sustain that the effect is determined
or influenced by the process;
- Test relations process-effect, in case of audit evidence which generate


8.15.4 Studying important effects, and the relation cause-effect.

The auditors/inspectors must identify and analyse the most important effects,
which will compare to costs and benefits of programmes of with other unintended
The auditor/inspector can phrase a conclusion if he finds out that the cause and
the effect appears recurrently while implementing a process or carrying out an
Usually, one or more findings can sustain one conclusion, and one or more
conclusions ground a recommendation.
If auditor/inspectors find out that the cause and the effect are recurrent, they must
formulate conclusions and recommendations. Generally, the findings sustain
conclusions, and one or more conclusions are the basis to formulate a

8.16 Documentation

The auditors/inspectors have to appropriately document audit evidence (the results of
the analysis) in order to sustain conclusions and to confirm that the audit was
performed according to the standards of performance audit.

Appropriate documentation is important if we take into account that it:
- confirms and sustains the auditors'/inspectors' conclusions and recommendations;
- increases the audit efficiency and effectiveness;
- serves as a source of information in the stage of drawing up reports and can give answers to any questions of the audited entity or of third parties;
- serves as evidence of the audit's compliance with the auditing standards in force;
- contributes to the auditors'/inspectors' training;
- sustains and sometimes provides defence evidence in case of litigation;
- assures the recording of the activity carried out for further reference;
- facilitates the control activity and assures the audit quality.

A detailed and strict documentation is a premise to maintain an acceptable level of
auditing, if the following considerations are taken into account:

An appropriate, defensible basis must exist for the audit opinions
expressed in the report;
It allows the auditors/inspectors to more consistently explain to the legislator the
findings resulting from the performed audit;
It ensures an effective connection between successive audits;
It provides a basis for the audit quality control.

8.17 Reviewing the Evidence

The auditor/inspector-in-charge will analyse whether the plan of collecting audit
evidence has been achieved, whether answers were obtained to all study questions
and whether the results were well documented. They will approve the documents


8.18 Reporting

Every performance audit mission should culminate in drawing up a report.
These reports offer independent information, solutions and assurances
concerning the economy, efficiency and effectiveness of the use of public funds by the
audited entities (even if they refer to past events), because their key messages can
give a vision of the future. In this context, it is important that the information in
reports be clear and documented.
To draw up the audit report, the auditors/inspectors first draft a plan of
the report. On the basis of this plan the auditor/inspector will write the report and
edit it.

8.18.1 Report content

Performance audit reports generally include the following elements:
the report title;
a summary presentation of the context in which the audited activities are
carried out, including the institutional context;
the objectives of the audited entity's activity and the analysis from the
perspective of efficiency, effectiveness and economy, with the details
necessary to support the audit objectives;
a description of the methodologies used in collecting and analysing audit evidence,
specifying their sources;

8.19 Criteria Used to Assess Performance

Audit findings considered relevant for the report consignees and users;
Conclusions on the audit objectives;
The recommendations, logically based on the conclusions.


Article 9

Systems Audit

9.1 Manual Purpose and Contents

This manual deals with the execution of a System Audit within the overall internal audit
framework. It defines the framework and the objectives to be achieved by the Internal
Auditor/inspector. The purpose of this manual is to provide an overview of the main tools
to be applied for an objective assessment and evaluation of the auditee's activities within
the system audit.

9.2 Basic Terminology

Adequate control and management mechanisms are in place if management
plans and organises in a way that provides adequate certainty that the goals and
objectives of an organisation will be achieved in an effective and economic way.
The process of establishing the systems starts by setting goals and objectives.
Mutual links between the concepts or people operating together follow, so that the goals
and objectives set are achieved. If the system design is correct, activities should be
implemented according to the plan and the results envisaged should be achieved.

Adequate certainty is in place if adequate measures are adopted to limit biases
and deviations to the tolerance level. That means that, while designing the
systems, management shall consider the ratio of the resources spent to the
benefit to be achieved. The term adequate certainty shall mean that absolute
certainty cannot be ensured by internal control, yet procedures are in place that
are as efficient as possible to handle the risks adequately.

Performance shall indicate that the scope of internal control is very broad and that it
refers not only to financial aspects but also to the quality of financial information, the
organisation's growth, improvement of its profitability or efficiency at costs as low as
possible, improvement of the social environment, etc. In such a case, it is not mere
adherence to legislation or to the internal rules of the organisation but specific measures
adopted to ensure protection of the organisation against any impact, threat or hazard of
any type.

Potential loss associated with any manifestation of risk; measured by the costs needed
to bring the risk under control.

Effective performance shall mean achieving goals and objectives accurately and
on time with minimal resource spending.

Economic performance shall mean achieving goals and objectives at costs
proportional to the risks. The economic performance aspect shall also be included in the
term effective.

Operation shall mean a repeated activity of an organisation with the objective of
producing a product or delivering a service. Activities may include marketing, sales,
purchasing, manufacturing, human resources, finances, accounting and Government
support. The results of the activities carried out shall be compared with the goals and
objectives set, covering budgets, time, and financial or operational plans.

Programme shall mean a repeated operation of an organisation with a special purpose. It
includes capital acquisition, equipment sale, promotion events to attract financial
resources (the ways in which such financial resources are collected), a period of more
intensive activity when introducing a new product or new service, capital expenses and
targeted Governmental subsidies. Once accomplished, the programme usually ceases to exist.
Programme results are compared with the programme goals and objectives set.

9.3 System Audit General Description

System audit includes:
• To carry out a continual analysis of a central authority and the organisations reporting
to it, thereby monitoring that the organisation is managed correctly, and at the same time
to propose appropriate recommendations and measures to the management
• To verify the reliability and appropriateness of the organisation's information system
• To audit the correct implementation of the development policy, standards and
instructions of the organisation's management
• To monitor and review the execution of financial control at all levels of the
organisation's activities and in all its structures and systems
• To inform the management of any irregularities or deviations found, with
recommendations on how to eliminate them
• To evaluate and ensure that all of the organisation's resources, both human and
material, are applied adequately to achieve the best possible results
• To pay special attention to new management trends and systems, and to
contribute to establishing an environment that is open to new changes and team-oriented
in nature
• To conduct special studies and economic overviews of the environment in which the
organisation operates.
The minimal scope of the internal auditor's/inspector's work includes:
1. Examination and evaluation of the adequacy and efficiency of management and
control mechanisms and of performance quality in implementing the functions
assigned. While assessing the adequacy of the system of internal management and control
mechanisms (a system being, for instance, a process, operation, function or activity; it is
an arrangement, set or selection of concepts, activities or employees in some relationship,
with the purpose of achieving goals and objectives), the system audit is to examine whether
or not the systems established provide an adequate guarantee that the goals and objectives
are implemented in an efficient and economic way. Goals are general statements of what the
organisation seeks to achieve; goal setting is followed by objective setting and by the
development, operation and maintenance of the systems whose purpose is to implement the
goals and objectives of the organisation concerned. Objectives are the specific intentions
of specific systems; they need to be indicated as operational or programme intentions or
objectives, standards operated, performance degrees, objective plans or results
projected/expected.
2. Information reliability and integrity. Information systems provide data for
decision making, management and control. Within a System Audit,
Internal Auditors/inspectors should assess the reliability and integrity of financial and
operational information and of the resources used to identify, measure, classify and report
such information.
It is therefore important to examine whether or not:
• accurate, reliable, timely, complete and helpful information is contained in financial
and operational records
• record keeping and reporting are verified by management and control
mechanisms, and whether or not these are adequate and efficient.
3. Compliance with the principles, plans, procedures, laws and provisions. The
Internal Auditor/inspector is to examine whether or not these systems are adequate
and efficient and whether or not they comply with the above relevant requirements.
4. Property protection. The Internal Auditor/inspector is to assess whether or not the
tools used for property (asset) protection provide security against different types of
harm such as theft, damage, incorrect or illegal activity, and/or exposure to
natural disasters.
5. Economic and effective resource spending. Within this type of Internal Audit the
Internal Auditor/inspector is accountable for determining whether or not:
• internal standards for measuring economy and effectiveness have been set
• the internal management acts established have been understood correctly and are
followed, and whether or not any deviations have been identified, analysed and
communicated to the people responsible for remedying them
6. Implementation of the goals and objectives set for operations or programmes. The
System Audit should find out whether or not any criteria have been set for this field. If
so, their adequacy should be assessed. If, in the Auditor/inspector's opinion, such criteria
are not adequate, the whole case should be communicated to the
competent management level and an alternative source of criteria should be
recommended, such as:
• recognised norms and standards
• standards developed by professional or other associations
• legislation and Government resolutions (Government regulations)
The following objectives shall be met through proper accomplishment of the above
assignments in the System Audit conducted:
• efficient internal control that is neither paralysing nor bureaucratic, nor
of a centralistic nature
• good operation of the organisation and of its operating systems, and
adequate use of resources
• assurance that policy, standards and management instructions are implemented
• continual improvement of the management of the organisation
• ongoing communication of information to the management, detection of any
irregularities, and proposals of relevant measures for their elimination
• verification of how the recommendations and measures approved by responsible
employees upon the auditor/inspector's proposal are implemented by the range of the
organisation's departments
• support for the necessary changes undertaken and encouragement of staff to
adapt to the new systems.

9.4 Assessment Effectiveness of Internal Control System

Internal control is the process intended to provide adequate assurance that specific
objectives are achieved in the fields of accountability, efficiency and effectiveness of
operations, reliability of the financial reports presented and compliance with the laws and
regulations applied. Efficiency of an internal control system is a process whose
objective is to have reasonable assurance that all of the organisation's objectives
will be achieved. One of the crucial aspects of an audit is to enhance the
organisation's environment by:
• strengthening awareness of the organisation's objectives and of the role of
internal control in achieving them
• motivating staff to propose and implement control processes carefully, and
• continually improving control processes.
Regardless of the quality of the procedures established, internal control can only be
executed if the organisation meets the two preconditions below:
1. Clear and unambiguous role separation between employees of the unit
concerned. The prerequisite for this is the function-separation principle, which reduces the
risk of fraud, mistake or neglect; a sufficiently detailed organisational chart has to be in
place, and administrative and accounting procedures must be available in writing.
2. Competent and coherent staff. This means that employees are honest and adhere
to the ethics of the organisation, which is a crucial factor in assessing the internal
control environment. Management involvement plays a crucial role when introducing
rules of ethics in a public organisation.
Objectives of the internal control system include:
• finding any deficiencies or weaknesses
• enhancing quality in control activities (areas)
• a better overview of the control systems in particular units (departments, workplaces)
• management co-involvement in control system verification
• transparency of the standards used for managing the organisation


The objective of the internal control system is to detect any deviations from the goals set
by the organisation and to minimise any potential surprise. Furthermore, control enables
management to face any potential risks arising from the rapid development of the economic
environment and competition, and to guarantee stability (reliability) of financial
conditions and adherence to legislation. Within the internal control system everybody in
the organisation has responsibilities. All employees play some role in controlling
activities, in resource spending and in the way their particular work is carried out. Staff
at large have to be responsible for any problems at work, any non-permitted
deviations from standards or breaches of legislation or of the activities concept to be
Within the overall system audit execution one of the crucial aspects is to evaluate
the internal control system. The following should be taken into account by the
• any potential mistake which may occur
• control procedures, which may be of a preventive nature or intended to detect mistakes
• whether or not control procedures have been established
• any shortcomings of the control system established that could lead to mistakes
• the effects of such shortcomings on the scope, duration or magnitude of the audit
procedures to be focused on the control mechanism.
Methods applicable for evaluating the internal control system include:
• a questionnaire regarding the internal control system (see Annex 1). The questionnaire
should be structured in such a way that a negative response indicates a
potential shortcoming of the control system
• a verbal description of the control system
• a flow chart
The following is the crucial knowledge of an Internal Auditor/inspector in this context:
• knowledge about the control system of the organisation
• knowledge about risks and risk management
• internal audit procedures and techniques
• familiarity with information technologies
• resource management
• knowledge about the organisation and its activities
• strategy management
• managerial procedures
• familiarity with the environment in which the organisation concerned operates
• financial management
• social patterns prevailing in the given time period.
Since the internal control system is a process, its efficiency means a state at a given
moment in time. The role of an Internal Auditor/inspector is to assess all components
of internal control as follows:
• control environment, which sets the way an organisation operates and
determines employees' relationship to control. It constitutes the basis for all other
components, including structure and discipline. Control environment factors
include integrity, ethical values and capabilities of staff, management philosophy
and style, the way powers and responsibilities are delegated, and the way employees
are organised and developed professionally
• risk assessment: any organisation faces a range of external and internal
risks that have to be assessed. A precondition of assessment is to identify
objectives at different levels and in their mutual links. Risk assessment means
that the risks relevant to achieving the objectives are identified and analysed, and it is
used as a basis for identifying how such risks are to be managed
• control activity, meaning the procedures that assist in meeting management
instructions. They help assure that the tools necessary for risk control are really
applied in connection with achieving the organisational objectives
• information and communication: information has to be identified,
collected and forwarded in an appropriate form and within a deadline that enables every
employee to fulfil his/her responsibility. Within the information systems, messages
are created containing operational information, financial data and data on meeting
the standards, which make it possible to manage and control activities in a suitable manner.
Information systems work not only with information that has originated within
the organisation concerned but also with information about external
events, activities or conditions relating to decision-making and to information
sharing with third parties. Communication must be efficient in a broad
sense, flowing to all managerial levels through all units and departments,
including both bottom-up and top-down flows. Employees have to understand
what their respective roles in the internal control system are and how their
individual activities relate to the work of others. It is also necessary to have the
tools for transferring important information up to the higher
levels and for managing effective communication with third parties.
What cannot be achieved by internal control:
• success of an organisation is guaranteed by control, i.e. at the least it ensures that
the basic objectives are achieved or that the organisation survives. However, control
itself can hardly help to achieve the objectives set. Control may provide management
with information regarding the overall progress of the organisation towards
its objectives; however, it cannot ensure that a poor manager changes
into a good one! Similarly, changes in Government policy or in the economic
environment may remain beyond the scope of management control. Internal
control cannot ensure the success or the sustainability of an organisation
• reliability of financial information and compliance with relevant legislation is
ensured by control. However, it can only provide reasonable certainty, not
absolute certainty! Success opportunities are subject to the limitations inherent in any
internal control system. Such limitations include the undeniable fact that any
effort on which decisions are based may be wrong and may lead to failures due to
mistakes or errors made.


Internal control is not made up of one single event or circumstance; it comprises
several actions covering all activities of an organisation. Such actions are present
everywhere and are independent from management.
Management processes implemented within an organisation and their functions are
co-ordinated by management process phases including:
Internal control shall be a part of the processes above and shall be integrated in
them, assisting their adequate operation, monitoring and applicability at any time. It
is a helpful management tool; however, it shall not replace management.
The internal control system is linked with the operational activities of an organisation.
Internal control is much more efficient if it is built into the infrastructure of an
organisation and thus forms part of its very essence. It must be
genuinely incorporated, not merely included formally. The inclusion of internal control
may directly affect the ability of an organisation to achieve its objectives and at the same
time support its initiatives from the quality perspective.
Considering the control concept, the objectives are classified as follows:

1. Efficiency and effectiveness of operations - shall mean that the resources used to
protect property (assets) shall be assessed and the economy and efficiency of resource
spending evaluated.

2. Reliability of financial statements - shall mean assessment of the reliability and
integrity of financial and operational information.

3. Compliance with valid legislation and regulations - shall mean that the systems to
ensure compliance with main principles, regulations, etc. shall be assessed.

Internal Control Assessment

Justification of assessment by an internal auditor/inspector
• no really detailed audit of operations can be conducted, nor can a
sufficiently representative sample of such operations be taken, except for
very small organisational units
• the opinion that all entries have been made in the accounting books cannot be
formed without relying on internal control procedures
• some of the verification tests of operations can only be conducted if the Internal
auditor/inspector adopts procedures enabling him/her to assess the correctness of the
documents presented to him/her; managerial
employees cannot verify by themselves that the relevant procedures and decisions
have been applied
• many procedures which are not of a strictly accounting nature contribute to the
reliability of financial statements
• the quality of budgetary control and management control is enhanced by
reliable internal control
• in the field of ongoing monitoring and management of the liabilities and
commitments of an organisation, the continuity of an operation can be assessed by
an internal auditor/inspector through efficient management tools
• ongoing monitoring and collection of reliable information on liabilities received
regarding expenditures makes it possible to control the continuity of costs accounted in
the last month of an accounting period and thus to confirm the correct separation of the
respective accounting periods
• the quality of information beyond the accounting information (reports, business records,
various records, statistics, etc.) enables an internal auditor/inspector to be
assured in his/her understanding of the economic conditions of an organisation as
resulting from the analysis of accounts.

Assessment Criteria

Assessment has to be conducted in phases:
• acquaintance with procedures does not mean a detailed or complete description of
the procedure examined, but finding the main elements to be identified as those
contributing to audit reliability or, on the other hand, representing
weaknesses. Relatively standard elements encountered in most
organisations or boards of directors can be included. For instance, in the field of
order processing it is necessary to verify whether or not following assignments
have been separated thoroughly:
• procedure descriptions: a description available within the organisation should be
used preferably, such as:
  detailed description
  flow chart
The following has to be taken into account in the system description:
• reliable partners who are familiar with the procedures to be verified have to be
selected for discussions
• too much detail has to be avoided, since more time would be needed to
produce such a description, and it may become a barrier to acquiring a sufficient
overview of the matter

However, a detailed description may be necessary:
• for the purpose of activities or a comprehensive part of activities
• to meet the objective of a board of directors to have a model of its procedures
available, for instance for informatisation, mainly if such information refers to
information systems that are common to several boards.

In practice, it is a matter of:
• elaborating a schematic and brief description of the procedure (a list of the main
participants and a description of their respective assignments)
• a description of the key elements of the procedure, which may be identified by
reflecting on related risks and through an internal control questionnaire in which the
auditor/inspector's statements (responses to the questions in the
questionnaire) referring to the procedure under examination are recorded
• compliance or understanding tests make it possible to check that the procedures and
key elements established have been understood. The tests include:
  • tests of link-up and sequence, to track the whole course of the procedure for some
  selected operations
  • specific tests focused on particular procedural elements which are not clear
  • returning to the employees concerned, describing their respective operations and
  asking them to provide an explanation. The advantage of such a procedure is its simplicity
  and the involvement of more employees which, in the end, is a guarantee
  that no element is neglected or forgotten.

9.5 Audit of Operations

This type of audit action can be described as a formal and systematic verification
conducted by qualified professionals to identify to what extent an auditee
accomplishes the particular objectives set by management and to find room for
improvement. Within the audit of operations, therefore, an in-depth study of the auditee
is conducted, focused either on a particular department and function or on
activity, methods, systems and the utilisation of equipment and human resources.
The objective is to assist management in achieving greater efficiency by detecting
defects or irregularities and recommending appropriate measures, which must be
feasible in the context of the organisation's objectives and policy.
An audit of operations must be an independent and objective exercise implemented by
staff specialised in the field of audit, according to goals set beforehand. It may be
a survey of sets of the auditee's activities or functions, and/or parts of them, in which the
current level of internal control and the adequacy of the procedures and systems applied in
the audited area are verified.

Comparison of audit of operations with financial audit
There are many similarities between the financial audit and the audit of operations. In
essence, both need to express an opinion that is duly backed, based on the facts
detected, and formulated from a position that
does not depend on the auditee's functional structure. Within an Internal Audit, methods
and procedures are assessed from the perspective of compliance with certain
requirements and principles, not from the perspective of the person concerned.
The financial audit and the audit of operations frequently meet in using accounting as a
source of information and verification. What distinguishes these two audits is
the objective.


Financial Audit is to verify the authenticity and accuracy of operations and their
compliance with the organisation's standards and policy set. It seeks a coherent (rational
coherence, mutual links) approach to internal control to ensure the integrity of the
auditee's assets.
Audit of Operations is to improve the management of the audited areas. Its role is therefore
to point out any shortcomings that prevent proper activity and to produce
recommendations for their remedy in order to arrive at an improved situation.
The financial audit programme (plan) is standardised. It includes audit objectives and
the internal control questionnaires necessary to collect basic information, so that the
programme components are accomplished gradually.
In the case of an audit of operations it is necessary to compile a specific programme
(plan) for each of the areas or functions audited, according to the auditee's
characteristic features and its internal policy. When a financial audit detects a failure to
comply with some accounting standards or principles, its immediate
recommendation has to point out the obligation to comply. Recommendations
formulated within an audit of operations are not mandatory, as they do not result from
principles whose adoption is obligatory and are backed only by rational contemplation
and common sense. Recommendations referring to a failure to comply with
standards and management instructions are the only exception. During this type of
audit the Auditor/inspector has to be very creative in order to verify situations from the
management perspective.
Seen in this way, the internal audit workplace actually
becomes the extended arm of management, which has authorised the
auditor/inspector to carry out his/her work.
An audit of operations may only be implemented if its methodology and requirements
are known.
Internal Auditors/inspectors conducting an audit of operations have to know the principles
and rules of financial management and should possess accurate and
comprehensive knowledge of the management of the auditee concerned. A quality audit of
operations can only be conducted by internal audit units that are equipped for such action
with staff and a degree of independence, hold a position of some prestige and
are acknowledged.
The objective of this type of internal audit is to ensure that the functions of the systems,
processes and mechanisms of management are the best possible. Therefore, all
units, including management, have to keep in mind that the elements of any system
gradually wear out, procedures may become obsolete and structures may be
affected by the ravages of time. An organisation can always be improved and enhanced.
A basic issue emerging during the execution of an audit of operations is the total lack of
standard rules, procedures or programmes, as each organisation is different and has
its own characteristic nature. The Auditor/inspector, on the other hand, will not be (and
does not even need to be!) an expert in every single field or activity audited.
He/she has to rely on a systematic survey leading to knowledge of the specific
methods, systems, processes and control mechanisms in each of the areas,
activities, functions or departments to be audited.
An audit of operations shall be tied to an analysis of:
efficiency and effectiveness - the audit shall focus, for instance, on:
• an inconvenient organisational chart
• unnecessary actions or activities
• complicated information flow
• inappropriate working methods, procedures, etc.
objective achievement - the audit shall focus on:
• the level of achievement of the objectives
• the planning system, so that realistic objectives are planned
• factors reducing the value of a result achieved, etc.
economy - the audit shall focus on:
• any wasting of resources and whether or not control mechanisms are in place to
prevent such wasting
• whether or not unnecessarily expensive equipment is used
• any wasting of labour in units or at operations
Expanding the audit of operations would mean that the following factors become
subject to the auditor/inspector's interest:
• Equity - to assess the results of operations in relation to the environment so that no
discrimination or unfairness occurs, in order to work correctly
• Environment - to assess operations and their results in relation to the working
and natural environment
• Ethics - to assess the correct and moral behaviour of management and employees,
in order to work morally.
The core of the internal audit is related to the audit of operations, where the objective is
to enhance the efficiency of organisations. The audit of operations is to verify whether or
not an auditee carries out its activities properly, in a proper way and in a cost-effective
manner, whether or not an auditee behaves in an ethical way and has responsible


Article 10

Information Technology Audit

10.0 Introduction
Information and the technology that supports it represent the organisation's most
valuable assets. In today's rapidly changing environment, management have
heightened expectations regarding IT delivery functions: management requires
increased quality, functionality and ease of use, decreased delivery time and
continuously improving service levels, while demanding that this be accomplished at
lower costs.
There are numerous changes in IT and its operating environment that emphasise the
need to better manage IT related risks. Dependence on electronic information and IT
systems is essential to support critical business processes. Additionally, the
regulatory environment and best practices call for stricter control over information and
IT due to the increasing disclosures of information system disasters and increasing
electronic fraud. The management of IT related risks is now considered a key part
of an organisation's governance. The onus is on the internal auditor/inspector to plan
and adequately review the IT systems in use and to report to management on IT risks and
how to mitigate them.
Many Ministries, Government departments, processes, etc. are increasingly
becoming computerised. The Ministry of Finance, for example, has implemented the
Integrated Financial Management System (IFMS) to improve the quality of
financial management and decision making. Automation, however good, comes with
specific risks. Specifically, it replaces manual processes and controls (checks and
balances) with programmed ones. These risks place a great responsibility on
management, internal and external auditors/inspectors and staff to continuously
monitor automated processes and manage such risks.
The major concern that all auditors/inspectors must bear in mind before undertaking
any audit assignment is that of risk. All audit findings must take into account the level
of risk to the business associated with the finding/s. The issue is therefore to consider
the risk to the organisation associated with the use of Information Technology (IT).

If the organisation's core business processes are automated, then the organisation is only
as good as its IT, since failure of its IT system may result in failure of the business as
a whole. Consequently, the Internal Auditor/inspector must understand the organisation's
business environment and plan the audit accordingly. The Integrated Financial
Management System is a good example of process automation. Conversely, the
success of the Ministry is more and more dependent on its IT system/s. This chapter
discusses a simple approach for auditing in an IT environment, covering the key areas of
audit planning, step-by-step IT audit procedures, risk assessment and reporting.

The key issue is to understand IT best practices and the organisation's business
environment, processes and controls.


Internal auditors/inspectors should ask the following questions:
What do we mean by IT controls?
Why do we need IT controls?
Who is responsible for IT controls?
When is it appropriate to conduct IT controls?
Where exactly are IT controls applied?
How do we perform IT control assessments?

The audit process provides a formal structure for addressing IT controls within the
overall system of internal controls.

The internal auditor/inspector's role in IT controls begins with a sound conceptual
understanding and ends with providing the results of risk and control assessments.
Internal auditors/inspectors interact with the people responsible for controls and must
pursue continuous learning and reassessment as new technologies emerge and the
organization's opportunities, uses, dependencies, strategies, risks, and requirements

10.1 Understanding IT Controls

Internal control is defined as: A process, effected by an organization's board of
directors, management, and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives in the categories below;
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations.

IT controls include those processes that provide assurance for information and
information services and help mitigate the risks associated with an organization's use
of technology. The controls range from written corporate policies to their
implementation within coded instructions; from physical access protection to the
ability to trace actions and transactions to the individuals who are responsible for
them; and from automatic edits to reasonability analysis for large bodies of data.

10.1.1 Control Classifications

Controls are classified to help understand their purposes and how they fit into the
overall system of internal controls.

Understanding of the classification will help the auditor/inspector in answering key
questions like;

Are the detective controls adequate to identify errors that may get past the
preventive controls?
Are corrective controls sufficient to fix the detected errors?


The following are the classifications of IT controls;

1) General Controls (Infrastructure controls)

This applies to all systems components, processes, and data for Ministry of

General controls include;
Information security policy
Administration, access, and authentication
Separation of key IT functions
Management of systems acquisition and implementation
Change management
Recovery and business continuity

2) Application Controls

These are concerned with the scope of individual business processes or
application systems.

Application controls include;
Data edits
Separation of business functions (e.g. transaction initiation versus
Balancing of processing totals
Transaction logging
Error reporting

Controls are further classified as;

a) Preventive Controls

These prevent errors, omissions, or security incidents from occurring.

They include;
Access controls that protect sensitive data or systems resources from
unauthorised people
Antivirus software
Intrusion prevention systems

b) Detective Controls

These detect errors or incidents not curtailed by the preventive controls.

They include;
Identifying account numbers of inactive accounts
Identifying accounts that have been flagged for monitoring of suspicious


Monitoring and analysis to uncover activities or events that exceed
authority limits

c) Corrective Controls

These correct errors, omissions, or incidents that have been detected.
They include;
Simple correction of data entry errors
Identifying and removing unauthorized users or software from systems or
Recovery from disruptions or disasters

To simplify correction, it is more efficient to prevent errors or detect them as
close as possible to their source.

Corrective controls should also be subject to detective and preventive controls,
because they represent another opportunity for errors, omissions, or
falsification.

IT Controls

1) Policies

Clear policy statements regarding all aspects of IT should be devised and
approved by management, and communicated to all staff.

Examples of IT policy statements include;
A general policy on the level of security and privacy throughout the Ministry of
Finance. This should be consistent with all relevant national and
international legislation and should specify the level of control and security
required depending on the sensitivity of the system and data processed.
A statement on the classification of information and the rights of access at
each level. The policy should also define any limitations on the use of this
information by those approved for access.
Clear distinction of the parties with the authority to originate, modify, or
delete information.
Personnel policies that define and enforce conditions for staff in sensitive
areas. This includes having employees sign agreements accepting
responsibilities for the required levels of control, security, and confidentiality.
This policy also includes related disciplinary procedures.
Definitions of overall business continuity planning requirements. The policy
should ensure that all aspects of the business are considered in the event of
a disruption or a disaster.


2) Standards

Standards enable the organization to maintain the whole operating environment
more efficiently.

There should be standards on issues like:
Systems Development Process
This looks at the processes for designing, developing, testing, implementing,
and maintaining systems and programs.
Systems Software Configuration
Systems software provides a large element of control in the IT environment.
The way operating systems, networking software, and database
management systems are configured can either enhance security or create
weaknesses that can be exploited.
Applications Controls
All applications that support business activities should be controlled.
Standards should specify the minimum level of documentation required for
each application system or IT installation, as well as for different classes of
applications, processes, and processing centres.

3) Organization and Management

Issues to look at include;
Separation of duties
This is a vital element of many controls. The structure should not allow
responsibility for all aspects of processing data to rest upon one individual or

The functions of initiating, authorising, inputting, processing, and checking
data should be separated so that no individual can both create an error,
omission, or other irregularity and authorize it or obscure the evidence.

4) Physical and Environmental Control

All equipment must be protected. This includes servers and workstations that
allow staff access to the applications.

Some physical controls include;
Locating servers in locked rooms to which access is restricted.
Restricting server access to specific individuals.
Providing fire detection and suppression equipment.
Housing sensitive equipment, applications, and data away from
environmental hazards like low-lying flood plains or flammable liquid stores.

Under this, serious consideration should be given to contingency planning.
Questions to ask include;
What will the organization do if there is a fire or flood, or if any other threat
manifests itself?


How will the organization restore the business and related IT services to
ensure normal processing continues with minimum effect on regular

5) Systems Software Controls

Through system software products, application systems and users are able to
use the organization's IT equipment. Software products include: operating
systems like Windows, Linux; firewalls, antivirus products, and database
management systems like Oracle.

The following controls should be in place in a well-managed IT environment;

Access rights allocated and controlled according to MOF's stated policy
Division of duties enforced through systems software and other
configuration controls
Intrusion and vulnerability assessment, prevention, and detection in place
and continuously monitored
Intrusion testing performed on a regular basis
Encryption services applied where confidentiality is a stated requirement
Change management processes

6) Systems Development and Acquisition Controls

All applications should perform only those functions the user requires in an
efficient way. By examining application development procedures, the
auditor/inspector gains assurance that applications work in a controlled manner.

The following basic control issues should be evident in all systems development
and acquisition work;
User requirements should be documented and their achievement should be
Systems design should follow a formal process to ensure that user
requirements and controls are designed into the system.
Systems development should be conducted in a structured manner to
ensure that requirements and design features are incorporated into the
finished product.

7) Application based Controls

Application controls should be the priority of every internal auditor/inspector. All
internal auditors/inspectors should be able to evaluate a business process and
understand and assess the controls provided by automated processes.

The objective of internal controls over application systems is to ensure that;
All input data is accurate, complete, authorized, and correct.
All data is processed as intended
All data stored is accurate and complete
All output is accurate and complete


A record is maintained to track the process of data from input to storage,
and to the eventual output.

Some of the controls expected to be found in any application include;

Input Controls - These check the integrity of the data entered into the
IFMS application. Input is checked to ensure that it remains within the
specified parameters.
Processing Controls - These provide automated means to ensure
processing is complete, accurate and authorized.
Integrity Controls - These monitor data in process and/or in storage to
ensure that data remains consistent and correct.
Management Trail (Processing History Controls) - These enable the
tracking of transactions from the source to the ultimate result and to trace
backward from results to identify the transactions and events they record.
These controls should be adequate to monitor the effectiveness of overall
controls and identify errors as close as possible to their sources.

8) Baseline IT Controls
These are the basic set of controls that need to be in place in order to provide a
fundamental level of IT security. Baseline controls are most widely applicable to
all IT infrastructures.

Some of the questions to be considered when selecting a suitable set of
baseline controls include;
Do IT policies exist?
Have responsibilities for IT and IT controls been defined, assigned, and
Are IT infrastructure equipment and tools logically and physically secured?
Are access and authentication control mechanisms used?
Is antivirus software implemented and maintained?
Is firewall technology implemented in accordance with policy?
Are change and configuration management and quality assurance
processes in place?
Are structured monitoring and service measurement processes in place?
Are specialist IT audit skills available (either internally or outsourced)?

Control Weaknesses In IT Systems

Lack of formal IT planning mechanisms with the result that IT does not serve the
ministry's pressing needs or does not do so in a timely and secure manner.
Lack of formal security policies resulting in a piecemeal or after-an-incident
approach to security
Inadequate program change control leaving software vulnerable to unauthorized
Little or no awareness of key security issues and inadequate staff to address
the issues
Failure to take full advantage of all security software features like selective
monitoring capabilities, enforcement of stringent password rules, and review of
key security reports.


Inadequate user involvement in testing and sign-off for new applications
resulting in systems that fail to meet user functional requirements or
confidentiality integrity.
Virus definitions that are not kept up to date
Failure to formally assign security administration responsibilities to staff that are
technically competent, independent, and report to senior management.

Monitoring IT Controls

Management is responsible for monitoring and assessing controls. The internal
auditor/inspector's monitoring and assessment are performed to independently
attest to management's assertions regarding the adequacy of controls.

Management's control monitoring and assessment activities should be planned and
conducted within several categories, such as ongoing monitoring and special reviews.

10.2 Internal Auditing Role in relation to IT

This involves the following;
Advising the audit committee and senior management on IT internal control
Ensuring IT is included in the annual audit plan
Ensuring IT risks are considered when assigning resources and priorities to audit
Defining IT resources needed by the internal audit department, including
specialized training of audit staff.
Ensuring that audit planning considers IT issues for each audit.
Liaising with auditees to determine what they want or need to know
Performing IT risk assessments
Determining what constitutes reliable and verifiable evidence.
Performing IT enterprise-level control audits.
Performing IT general control audits.
Performing IT application controls audits.
Performing specialist technical IT control audits.
Making effective and efficient use of IT to assist the audit process.
During systems development or analysis activities, operating as experts who
understand how controls can be implemented and circumvented.
Helping to monitor and verify the proper implementation of activities that minimize
all known and documented IT risks.
10.3 Common IT Process Controls

This Appendix includes illustrative IT Process controls that are commonly used.
These lists are intended for use as a guide for discussions between the engagement
team and auditee personnel. They are not intended to be checklists for identifying
controls over the IT processes, nor are they intended to be considered exhaustive
lists of potential controls over the IT processes.

The absence of one or more of these controls does not necessarily mean that the
auditee's controls are ineffective. The evaluation of the effectiveness of controls over
an IT process is considered within the context of all of the controls in place over that

10.3.1 Acquisition, Implementation, and Maintenance of IT Solutions

Below is a listing of common controls over the IT process of Acquisition,
Implementation, and Maintenance of IT Solutions.

The auditee has formal policies and procedures in place that define its approach
to systems acquisition and change management (e.g., a formal systems
development methodology).
User department and IT department management approval is required before
systems acquisition and/or change projects are undertaken.
Project documentation that includes systems requirements definitions, risk
analyses, and cost-benefit analyses is maintained.
There is a mechanism in place for the periodic review of the service organization's
operational and control effectiveness.
The auditee's systems acquisition and change approach addresses security risks.
The auditee's systems acquisition and change approach addresses data
Environments (either logical or physical) separate from production systems exist
for development (or modification) and testing of IT solutions.
Management must review and approve IT solutions prior to their implementation.
End users are actively involved in the test process.
Development personnel are prohibited from migrating applications and data from
the test environment to production.
Post-implementation review procedures are performed for any system
modifications made during an emergency.

10.3.2 Delivery and Support of IT Solutions

Below is a listing of common controls over the IT process of delivery and support of IT

The auditee has formal policies and procedures in place that define its approach to
system security (including confidentiality of data and information).
A mechanism is in place for communicating security policy to employees (e.g.,
requiring users to sign an acknowledgement that they have read and understood
the auditee's security policies).


A security organization exists that is independent of both the user departments
and other IT department functions.
IT department personnel do not have operational or accounting responsibilities.
Appropriate user department and IT department management controls access to
the following:
- Local and wide area networks.
- Remote connection to networks and/or applications.
- Internet/intranet sites.
- Applications and application modules.
The following user account security parameters are in place:
- Users are assigned unique accounts.
- Adequate passwords are required (e.g., minimum and maximum password
length, non-alphabetic characters, upper and lower case alphabetic characters).
- Users create their own passwords (e.g., passwords are not assigned).
- Periodic password changes are required.
- User accounts are disabled after a limited number of unsuccessful logon
- Users are limited to one session per account (e.g., concurrent sessions or
logons are not allowed).
- Measures are in place to prevent the repeated use of a password.
- Administrator rights are assigned to a limited number of individuals who require
those rights to perform their job duties.
Communications with public networks are controlled by a firewall. The firewall is
implemented to:
- Hide the structure of the auditee's network.
- Provide an audit trail of communications with public parties.
- Generate alarms when suspicious activity is suspected.
- Defend itself and/or the auditee's network against attack.
Procedures for protection against malicious programs are in place through the use
of anti-virus software and other measures (which may include policies limiting the
installation of unapproved programs, procedures for reporting suspected
occurrences of viruses, etc.).
Physical access to technology infrastructure is restricted.
Access to internal networks and/or applications by suppliers, customers, and/or
other business partners is approved by appropriate management and limited to
those networks and/or applications required for the conduct of business.
Representatives of suppliers, customers, and/or other business partners are
required to adhere to the auditee's policies, procedures, and security standards
when accessing the auditee's systems.


These controls may be identified while we gain an understanding of the other IT processes.

Below is a listing of common controls over the IT process of Monitoring IT

Security settings and parameters are periodically reviewed for compliance
with organizational standards.
Activities of systems administrators and other privileged users are logged and
frequently reviewed.
Processing errors and access violations are logged. These logs are routinely
reviewed and follow-up is performed for any unusual or unexpected items
appearing in the logs.
The auditee has formal policies and procedures in place concerning the
update and/or removal of systems access rights to employees who change job
duties or leave the company.
User department and IT department management periodically review each
significant system and application for unauthorized user accounts.
Control effectiveness of service organizations is periodically reviewed. (For
example, the auditee may conduct an audit or request of the service
Policies and procedures are revised (in a timely manner) to reflect
organizational and/or operational changes in the business.
Management acts on recommendations provided by independent performance
assessments (e.g., Internal Audit reports).
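
The access-rights items in the list above (removal of access for staff who leave, and periodic review for unauthorized accounts) can be tested by reconciling a system-generated user report against the HR master file. The script below is an added example, not part of the manual: the column names, user IDs, dates and the generic-ID pattern are constructed assumptions, and the 30-day inactivity threshold is the figure used in the manual's Application Audit Programme.

```python
import csv
import io
import re
from datetime import date

# Constructed sample extracts. Column names, user IDs and dates are assumptions
# for illustration, not the layout of any real IFMS or HR report.
USER_REPORT_CSV = """user_id,employee_no,status,last_logon
jbanda,E1001,ACTIVE,2024-05-28
mphiri,E1002,ACTIVE,2024-03-02
tchirwa,E1003,ACTIVE,2024-05-30
kmoyo,E1004,DISABLED,2024-01-15
guest,,ACTIVE,2024-05-29
test01,,ACTIVE,
lzulu,E1009,ACTIVE,2024-05-20
"""

HR_MASTER_CSV = """employee_no,employment_status,end_date
E1001,EMPLOYED,
E1002,EMPLOYED,
E1003,LEFT,2024-04-30
E1004,LEFT,2024-01-10
"""

AS_OF = date(2024, 6, 1)   # constructed review date
INACTIVE_DAYS = 30         # inactivity threshold from the audit programme
# Assumed naming pattern for shared or standard IDs (guest, test, ...).
GENERIC_ID = re.compile(r"^(guest|test|temp|admin)\d*$", re.IGNORECASE)


def parse_rows(text):
    """Read a CSV extract into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_day(value):
    """Convert an ISO date string to a date; empty fields become None."""
    return date.fromisoformat(value) if value else None


def review_access(user_csv, hr_csv, as_of):
    """Return user IDs grouped by exception type for auditor follow-up."""
    hr = {row["employee_no"]: row for row in parse_rows(hr_csv)}
    findings = {
        "leaver_active": [],     # HR says left, account still enabled
        "logon_after_exit": [],  # account used after the employee's end date
        "inactive": [],          # no logon within the threshold, or never
        "generic_id": [],        # shared or standard ID with no named owner
        "no_hr_match": [],       # named account with no employee record
    }
    for user in parse_rows(user_csv):
        if user["status"] != "ACTIVE":
            continue  # disabled accounts cannot be used to log on
        uid = user["user_id"]
        last = parse_day(user["last_logon"])
        employee = hr.get(user["employee_no"])

        if GENERIC_ID.match(uid):
            findings["generic_id"].append(uid)
        elif employee is None:
            findings["no_hr_match"].append(uid)

        if employee is not None and employee["employment_status"] == "LEFT":
            findings["leaver_active"].append(uid)
            end = parse_day(employee["end_date"])
            if last and end and last > end:
                findings["logon_after_exit"].append(uid)

        if last is None or (as_of - last).days > INACTIVE_DAYS:
            findings["inactive"].append(uid)
    return findings


if __name__ == "__main__":
    for category, users in review_access(USER_REPORT_CSV, HR_MASTER_CSV, AS_OF).items():
        print(f"{category:18} {', '.join(users) or '-'}")
```

Each exception is a lead for follow-up rather than a conclusion: the auditor/inspector still confirms with the administrator and the user department whether the access was authorised.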


10.4 Risk Considerations in Determining the Adequacy of IT Controls

The chosen IT controls must add value to the organization by reducing risk efficiently
and increasing effectiveness.

In considering the adequacy of IT controls within MOF's internal control framework, the
internal auditor/inspector should consider the processes established by management
to determine:

The value and criticality of information.
Ministry of Finance's risk appetite and tolerance for each function and process.
IT risks faced by MOF and the quality of service provided by its users.
The complexity of the IT structure.
The appropriate IT controls and the benefits they provide.
Harmful IT incidents in the past 24 months.

10.5 Control Characteristics to Consider

Some of the issues to be addressed during the IT control evaluation process include;
Is the control effective?
Does it achieve the desired result?
Is the mix of preventive, detective and corrective controls effective?
Do the controls provide evidence when control parameters are exceeded or when
controls fail? How is management alerted to failures, and which steps are
expected to be taken?
Is evidence retained (audit trail)?
10.6 The IT Audit Procedures
The Auditor/inspector must identify the principal audit risks so as to develop an
appropriate audit strategy in the overall audit plan. The IT auditor/inspector must
therefore gain a thorough understanding of the IT environment prior to planning the
audit. The following guidelines provide step-by-step procedures which the Internal
Auditor/inspector may follow when undertaking an audit of information systems.
The Auditor/inspector shall:
(i) Determine the audit objective/s

(ii) Conduct a preliminary survey

Ascertain the organisation's core processes and operations, determine
whether they are automated, and assess the extent of automation

Establish whether the organisation has policies, procedures and guidelines
in respect of both automated and manual processes and IT applications, and
whether they have been communicated to ALL employees. [Lack of policies
and procedures indicates a weak control environment and high control risk.]
This helps the Auditor/inspector to plan and select the appropriate CAATs
(computer assisted audit techniques), BEASTs (beneficial electronic
analysis and support tools) and audit tools to use, i.e. Audit Software (used
for substantive procedures) or Test Data (used for testing controls).

If the policies and procedures exist, the Auditor/inspector must ensure that
they are up-to-date. The Auditor/inspector must thereafter benchmark the
policies and procedures against best practices. Report any inconsistency
and advise accordingly.

Understand the organisation's hardware and software platforms. Identify
whether the computing environment is Linux or LAN environment, Windows
NT, OS/400/390, etc.; this helps to determine the appropriate CAATs and
BEASTs to use.

(iii) Develop an audit program and budget

(iv) Conduct field work and undertake audit tests

(v) Determine findings and conclusions

(vi) Communicate results to appropriate parties

(vii) Follow up and review the extent of implementation of recommendations.

10.7 Planning an IT Audit
In planning an IT audit, the auditor/inspector shall obtain an understanding of the
significance and complexity of the IT activities and the availability of data for use in
the audit.

The auditor/inspector may consider the following issues at this stage of the

(a) Undertake all those procedures that may enable obtaining an understanding of
the entity and its environment, including:

- Holding meetings with management and IT personnel
- Making inquiries of management and others within the entity
- Observing and inspecting the entity's processes and operations so as to
obtain the required understanding of the entity's control environment, IT
system and the related business process relevant to financial reporting.
(b) Identify the standards and best practices against which the organisation's IT
systems can be benchmarked. These are quite a number and they include
accounting, auditing and IT standards, for example, International Standards on
Auditing (ISAs), a code of practice for information security management, the
organisation's own IT policy, ISO 17799 (the international standards on
security), the Basel Accord on IT operational risk management guidelines, CoBIT


Edition Control Objectives for IT Strategic Management and any other
known best practice in IT management and control.
(c) The auditor/inspector must consider the significance and complexity of
computer processing in each accounting application. Significance relates to
materiality of the financial statement assertions affected by computer
processing. This may be considered complex when, for example;
The volume of transactions is such that users would find it difficult to identify
and correct errors in processing
The computer automatically generates material transactions or entries
directly to another application
The computer performs complicated computations of financial information
and/or automatically generates material transactions or entries that cannot
be (or are not) validated independently
Transactions are exchanged electronically with other organisations (as the
case with EDI systems) without manual review for propriety or
(d) The organisational structure of the IT activities and the extent of concentration
or distribution of computer processing throughout the organisation, particularly
as they may affect segregation of duties.
(e) When conducting an IT systems review, the internal auditor/inspector shall
obtain an understanding of the IT environment and whether it may influence the
assessment of inherent and control risks. The internal auditor/inspector must be
aware of the internal control characteristics and the nature of the risks in an IT
environment. These typically include the following:

(i) Uniform processing of transactions and consistency of performance (In
case of a system error, all transactions processed would be incorrect,
unlike manual processing).
(ii) Lack of segregation of duties (where a staff member performs incompatible
functions like receiving cash, authorising transactions and updating the
system. The risk of fraud and error is increased in the absence of proper
segregation of duties)
(iii) Potential for errors and irregularities (potential for the IT staff (or other
staff) to gain unauthorised access to data or to alter data without visible
(iv) Decreased human involvement in handling transactions processed by a
CIS environment reduces the potential for observing errors and
irregularities (an IT environment decreases the need for human involvement)
(v) Concentration of knowledge, programs and data (In the IFMS, for example,
all the financial information is kept on one server; this threatens the
Ministry's operations if, say, it got spoilt)
(vi) Automatically generated transactions (The IFMS system automatically
generates reports and accounts)


(vii) Lack of source documentation and audit trail (computers do not show
handwriting to indicate who authorised what and when. Other
controls, like access rights, show this; however, passwords can be cracked
or copied, so a policy is needed here too)
(viii) Ease of access to data and programs (it could be easier to tap into a
network, or access the server from within, in case of lack of security
controls. Viruses and other spyware from the internet can easily find their
way in)
(ix) Multiple files update (incorrect data input may incorrectly update all other
accounts in the system)
(x) Vulnerability of storage media (Computer diskettes, memory chips and
floppy disks may be vulnerable to risks of theft and loss in the absence of a
policy and proper access controls).
10.8 Risk Scoring System

An effective scoring system ensures that the risk-based IT audit program is

The following are some of the major risk factors that should be considered;

The adequacy of internal controls
The nature of transactions
The age of the application or system;
The nature of the operating environment (for example, changes in volume)
The physical and logical security of information, equipment, and premises;

Auditor/inspectors need to develop written guidelines on the use of risk assessment
tools and risk factors and review these guidelines with the audit committee.

The guidelines should be used to assess major risk areas and to define the range of
scores or assessments (e.g. groupings like low, medium, and high risk).
10.9 Application Audit Programme

This is a sample of the Application Audit programme that can be used by an IT

Procedure Working
1. Gain an understanding of the use of the application in the
business area, including the key processes supported.

2. Identify the population of application users, including third
parties, administrators and members of the IT department by
obtaining a system-generated report of users and discussing the
list with the administrator.


3. Gain an understanding of the user administration process. The
process should include
Authorisation for user access from an appropriate person;
Periodic reviews of user access;
Identification of employees leaving the organization and
revocation of their access.
Administrators should not have operational responsibilities or
be involved in processing transactions in the application, and
the user administration process should be clearly documented.

4. Select a sample of users and confirm their access to the
application has been appropriately authorised.
For each member of the sample, confirm that the access
assigned to him or her matches that authorised.
Appropriateness of user access is tested under procedure 8.

5. Verify whether periodic reviews of user access are performed
and whether appropriate follow-up actions have been executed.
These reviews should be evidenced.
Using system reports, identify users whose accounts have been
inactive for more than 30 days. For any such users confirm that
they are valid employees with authorised access.

6. Select a sample of leavers (including transfers) from the past 12
months and confirm that their access to the application has
been revoked, deleted or amended (for transfers).

7. Gain an understanding of the method of adequately segregating duties
within the application, such that users are not capable of
processing an entire transaction without independent
authorisation. An individual user should not be able to initiate,
record, process and report a transaction independently.
Assess whether there is a process in place for identifying
incompatible functions and for ensuring access rights do not
compromise the effective segregation of duties.

As well as preventing users from executing a transaction independently from initiation to reporting, there are
also elements within a transaction or process that should be segregated. For example, it is recommended that
users with the ability to create or amend vendor details not be involved in processing purchase orders, invoices
or receiving goods to reduce the risk of fraud.
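
The separation-of-duties control described under Organization and Management and the incompatible-functions test in procedure 7 can both be run over a listing of profiles and the users assigned to them. The script below is an added example, not part of the manual: the profile names, function codes, user IDs and rule identifiers are constructed assumptions, and rule R2 encodes the vendor-maintenance example given in the note above.

```python
# Constructed access data. Profile names, function codes and user IDs are
# hypothetical and do not describe any real IFMS configuration.
PROFILE_FUNCTIONS = {
    "AP_CLERK": {"invoice.enter", "po.create"},
    "AP_SUPERVISOR": {"invoice.approve", "payment.approve"},
    "AP_EMERGENCY": {"invoice.enter", "invoice.approve"},
    "VENDOR_ADMIN": {"vendor.create", "vendor.amend"},
    "STORES": {"goods.receive"},
    "REPORTING": {"report.run"},
}

USER_PROFILES = {
    "jbanda": ["AP_CLERK", "REPORTING"],
    "mphiri": ["AP_CLERK", "AP_SUPERVISOR"],
    "tchirwa": ["VENDOR_ADMIN", "STORES"],
    "kmoyo": ["AP_SUPERVISOR"],
    "lzulu": ["VENDOR_ADMIN"],
}

# Each rule: (id, description, side A, side B). Holding any function from
# side A together with any function from side B is an incompatible combination.
CONFLICT_RULES = [
    ("R1", "initiate/input versus authorise",
     {"invoice.enter", "po.create"},
     {"invoice.approve", "payment.approve"}),
    ("R2", "vendor maintenance versus purchasing, invoicing or goods receipt",
     {"vendor.create", "vendor.amend"},
     {"po.create", "invoice.enter", "goods.receive"}),
]


def functions_of(user):
    """Map each function a user holds to the profiles that grant it."""
    granted = {}
    for profile in USER_PROFILES[user]:
        for function in PROFILE_FUNCTIONS[profile]:
            granted.setdefault(function, set()).add(profile)
    return granted


def check(functions):
    """Return (rule id, side A hits, side B hits) for every rule that is broken."""
    hits = []
    for rule_id, _description, side_a, side_b in CONFLICT_RULES:
        a, b = side_a & functions, side_b & functions
        if a and b:
            hits.append((rule_id, sorted(a), sorted(b)))
    return hits


def user_conflicts():
    """Conflicts per user, including those that only arise by combining profiles."""
    results = []
    for user in sorted(USER_PROFILES):
        granted = functions_of(user)
        for rule_id, a, b in check(set(granted)):
            via = sorted({p for f in a + b for p in granted[f]})
            results.append({"user": user, "rule": rule_id,
                            "side_a": a, "side_b": b, "via_profiles": via})
    return results


def profile_conflicts():
    """Profiles that break a rule on their own, whether or not they are assigned."""
    return [(profile, rule_id)
            for profile in sorted(PROFILE_FUNCTIONS)
            for rule_id, _a, _b in check(PROFILE_FUNCTIONS[profile])]


if __name__ == "__main__":
    for c in user_conflicts():
        print(f"{c['user']}: {c['rule']} {c['side_a']} with {c['side_b']} "
              f"via {c['via_profiles']}")
    for profile, rule_id in profile_conflicts():
        print(f"profile {profile} breaks {rule_id} by design")
```

Checking profiles separately from users matters because a conflict can sit unnoticed in an unassigned profile, while a user can also acquire a conflict from two profiles that are each acceptable alone.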


8. Gain an understanding of how users' access rights are assigned
(e.g. through the use of profiles, membership of groups).
For a sample of users, profiles or groups (as applicable)
evaluate whether the access assigned is appropriate for their
role in the business.
Identify users with access to sensitive or privileged transactions
(including the ability to amend, reverse, cancel or delete
transactions) or powerful access rights (including administrator
rights). Confirm that users with such rights are appropriate.
If applicable, identify users with access to transactions identified
as being key to elements of related business audit procedures
and confirm that users with such rights are appropriate.
If applicable, gain an understanding of authorisation procedures
and authority limits for key activities within related business
processes, the corresponding transactions within the application
used to initiate or control such activities and the users with
access to them. Assess whether procedures and authority
limits are appropriate and that only authorised users have
access to amend them.

9. Gain an understanding of how user IDs are assigned to users.
Users should be assigned unique user IDs.
Identify the existence of any shared or standard IDs (e.g. guest,
test) and assess the controls surrounding their usage.
Investigate questionable IDs.

10. Gain an understanding of the password structure and usage
within the application. Characteristics to identify include:
- Minimum/maximum password length (6-10 characters);
- Password masking upon entry (i.e. passwords are not
  visible when entered);
- Password expiry (frequency of enforced change, every 30
  to 90 days);
- Requirement for particular characters (e.g. numeric in
  addition to alpha characters);
- Password history (to prevent reuse of old passwords);
- Account lockout after a given number of failed access
  attempts (three to five attempts); and
- Disabling of user IDs after a given period of inactivity (30
Confirm whether any globally established password settings
could be overridden at the user level.


Procedure Working
11. Identify whether any audit logs are created relating to user
activities, including:
- Unauthorised access attempts;
- Access to privileged functions (e.g. creation/deletion of
  users); and
- Alterations to security parameters.
If available, assess whether they are reviewed on a timely basis
and appropriate follow-up actions taken.
Review security logs to identify any apparent issues (e.g.
repeated failed access attempts by a single user) and ensure
they have been appropriately resolved.

12. Confirm that the hardware (e.g. server(s)) on which the
application operates is centrally hosted by the IT department.
If not, gain an understanding of the physical security controls
around servers, terminals and workstations related to the
application. Hardware should be physically secured from
accidental or deliberate abuse. The environment in which the
hardware operates should have appropriate environmental
controls (e.g. fire detection and suppression, uninterruptible
power supply, air conditioning).

13. Confirm that application data is subject to centrally managed
backup procedures.
If not, gain an understanding of the procedures implemented for
the backing up and restoration of application data. Data should
be regularly backed up (typically daily). Controls should be in
place to ensure backups have been successful, are regularly
tested and are stored securely offsite (i.e. separately from the
application hardware).

14. Confirm that the changes to the application are managed under
centrally established processes. Changes could include vendor
patches, maintenance and internally initiated developments.
If not, gain an understanding of procedures implemented for the
authorisation (e.g. that the change passes cost/benefit
testing (e.g. that the change meets business
requirements); and
approval (e.g. that the change should be implemented).
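For procedure 11 above (review of security logs), the following added example, which is not part of the original manual, shows the review as a repeatable test over an exported log. The log line format, the event names, the `review=` follow-up reference and the five-failures-in-ten-minutes threshold are assumptions; the sample lines are constructed.

```python
"""Security-log review: failed-login bursts and unreviewed privileged events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (format assumed: timestamp, event, key=value fields).
SAMPLE_LOG = """\
2024-03-04T08:00:05 LOGIN_OK user=user_a
2024-03-04T08:01:10 LOGIN_FAIL user=user_b
2024-03-04T08:01:40 LOGIN_FAIL user=user_b
2024-03-04T08:02:02 LOGIN_FAIL user=user_b
2024-03-04T08:02:30 LOGIN_FAIL user=user_b
2024-03-04T08:03:15 LOGIN_FAIL user=user_b
2024-03-04T08:03:50 LOGIN_OK user=user_b
2024-03-04T09:10:00 LOGIN_FAIL user=user_c
2024-03-04T09:15:00 USER_CREATE user=sysadmin target=tmp01 review=CR-0412
2024-03-04T11:45:00 LOGIN_FAIL user=user_c
2024-03-04T13:20:00 PARAM_CHANGE user=sysadmin param=lockout_threshold
this line is damaged
"""

# User creation/deletion and changes to security parameters (from the text).
PRIVILEGED = {"USER_CREATE", "USER_DELETE", "PARAM_CHANGE"}


def parse_line(line):
    """Return an event dict, or None when the line cannot be interpreted."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if "user" not in fields:
        return None
    return {"ts": ts, "event": parts[1], **fields}


def load_events(text):
    """Parse a log; unreadable lines are counted so gaps are visible."""
    events, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            rejected += 1
        else:
            events.append(event)
    return events, rejected


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Find users with `threshold` or more failures inside a sliding window."""
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    open_burst = {}               # user -> finding still being extended
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["event"] == "LOGIN_FAIL":
            q = recent[user]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) < threshold:
                open_burst.pop(user, None)
            elif user in open_burst:
                open_burst[user]["failures"] += 1
            else:
                burst = {"user": user, "start": q[0], "failures": len(q),
                         "then_success": False}
                open_burst[user] = burst
                findings.append(burst)
        elif ev["event"] == "LOGIN_OK":
            burst = open_burst.pop(user, None)
            # A success straight after a burst deserves follow-up with the user.
            if burst and ev["ts"] - recent[user][-1] <= window:
                burst["then_success"] = True
            recent[user].clear()
    return findings


def unreviewed_privileged(events):
    """Privileged events that carry no follow-up/review reference."""
    return [e for e in events
            if e["event"] in PRIVILEGED and not e.get("review")]


if __name__ == "__main__":
    evs, bad = load_events(SAMPLE_LOG)
    print("unreadable lines:", bad)
    for b in failed_login_bursts(evs):
        print("burst:", b["user"], b["start"], b["failures"], b["then_success"])
    for e in unreviewed_privileged(evs):
        print("no review recorded:", e["ts"], e["event"], e["user"])
```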


Procedure Working
15. Gain an understanding of the interfaces in place with other
Consider the need to identify and evaluate controls designed to
ensure data passed between related applications is:
- complete (i.e. that all data sent is received); and
- accurate (i.e. that the data is not subject to unauthorised
  change during the interface process).
These controls might be programmed (e.g. header and footer
records in interface files) or involve manual intervention (e.g.
reconciliation of data from source application to destination).
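The two kinds of interface control named above can be tested directly on an interface file. This is an added example, not part of the original manual: the pipe-delimited H/D/T record layout, the field order and all sample values are constructed assumptions. It checks a file against its own header and trailer (record count, control total, sequence gaps) and then reconciles source records to the rows loaded at the destination.

```python
"""Completeness and accuracy checks on an interface file (added example)."""
from decimal import Decimal, InvalidOperation

# Constructed files. Assumed layout: H|batch|source|date, D|seq|account|amount,
# T|record_count|control_total.
GOOD_FILE = """\
H|BATCH-0001|PAYROLL|2024-03-31
D|1|5001|1250.00
D|2|5002|310.50
D|3|5003|99.95
T|3|1660.45
"""
INCOMPLETE_FILE = """\
H|BATCH-0001|PAYROLL|2024-03-31
D|1|5001|1250.00
D|3|5003|99.95
T|3|1660.45
"""
ALTERED_FILE = """\
H|BATCH-0001|PAYROLL|2024-03-31
D|1|5001|1250.00
D|2|5002|810.50
D|3|5003|99.95
T|3|1660.45
"""


def split_records(text):
    return [line.split("|") for line in text.splitlines() if line.strip()]


def check_interface_file(text):
    """Return a list of exceptions; an empty list means the file agrees
    with its own header and trailer."""
    records = split_records(text)
    if not records or records[0][0] != "H":
        return ["missing header record"]
    if records[-1][0] != "T":
        return ["missing trailer record (file may be truncated)"]
    try:
        expected_count = int(records[-1][1])
        expected_total = Decimal(records[-1][2])
    except (IndexError, ValueError, InvalidOperation):
        return ["unreadable trailer record"]

    exceptions, seqs, total = [], [], Decimal("0")
    for rec in records[1:-1]:
        try:
            if rec[0] != "D":
                raise ValueError("unexpected record type")
            seq, amount = int(rec[1]), Decimal(rec[3])
        except (IndexError, ValueError, InvalidOperation):
            exceptions.append("unreadable record: " + "|".join(rec))
            continue
        seqs.append(seq)
        total += amount

    if len(seqs) != expected_count:
        exceptions.append(
            f"record count {len(seqs)} differs from trailer {expected_count}")
    if total != expected_total:
        exceptions.append(
            f"control total {total} differs from trailer {expected_total}")
    missing = sorted(set(range(1, expected_count + 1)) - set(seqs))
    if missing:
        exceptions.append(f"missing sequence numbers {missing}")
    if len(seqs) != len(set(seqs)):
        exceptions.append("duplicate sequence numbers")
    return exceptions


def reconcile(source_text, destination_rows):
    """Compare source detail records with (seq, account, amount) rows
    extracted from the destination application."""
    source = {int(r[1]): (r[2], Decimal(r[3]))
              for r in split_records(source_text) if r[0] == "D"}
    dest = {seq: (acct, Decimal(amt)) for seq, acct, amt in destination_rows}
    return {
        "not_received": sorted(set(source) - set(dest)),
        "not_sent": sorted(set(dest) - set(source)),
        "changed": sorted(s for s in source.keys() & dest.keys()
                          if source[s] != dest[s]),
    }


if __name__ == "__main__":
    for name, text in [("good", GOOD_FILE), ("incomplete", INCOMPLETE_FILE),
                       ("altered", ALTERED_FILE)]:
        print(name, check_interface_file(text) or "reconciles")
```

A trailer carried in the same file only detects a change made by someone who cannot also rewrite the trailer; reconciliation against the source application, the manual control mentioned above, covers that case.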

10.10 Other Issues to Consider in the Audit Programme

Logical access controls relating to supporting operating systems, networks or
Physical security controls (including environmental controls and data centre
Physical access to computer facilities and data should be appropriately restricted.
The auditor/inspector should consider the following points of focus:
How is physical access to the site/building containing the computer facilities
How is physical access to the room(s) containing the computers restricted?
How well protected is removable media (such as off-line data storage)?
How are confidential documents labelled and protected?
To what extent has the organisation adopted a clear desk policy?
How well secured is systems documentation?
How secure is the disposal of discarded computer equipment and data media?

Controls over data input, output and processing (including transaction audit trails);
Continuity and availability procedures (including disaster recovery plans and
The auditor/inspector needs to ascertain that there is adequate back-up of
information and that the procedure to deal with operational failures is effective. For
back-ups, the auditor/inspector should focus on the following;
- Are backup procedures appropriate for data and programs?
- Are backups accurately logged and stored in a secure location?
- What ensures that backup and recovery procedures will work when required?
- Is data retained sufficiently to meet regulatory requirements?

Recovery from operational failure


There should be appropriate procedures to ensure that operational failures (e.g.
disk drive problems, program amends, other emergencies) are identified, resolved
in a timely manner, and, where appropriate, approved retrospectively by
appropriate IT staff and users.

The following are some of the points of focus for the auditor/inspector auditing this

To what extent is computer equipment appropriately sited or protected to prevent
the risk of accidental damage (e.g. from fire, smoke, water, dust, vibration,
chemicals, electromagnetic radiation)?
To what extent is equipment being appropriately maintained?
What controls are in place to prevent operational failures arising from hardware
How is the power supply to the computer facilities secured?
What procedures are in place to ensure performance meets business needs?
How are faults logged?
What procedures are in place to resolve operational failures?

o Anti-virus procedures;
o Data privacy considerations;
o Software licenses;
o Operational controls (including batch processing); and
o Change control (including application selection, implementation and

10.11 Audit Methodology and Best Practices: Summary

The following methodology may be used as a reference guide to help successfully
undertake an audit in an IT environment. It must not be used in lieu of an expert
opinion and advice.





Define the

Identify the area to be
audited. For example,
each organisational
department or
process may be
identified as an audit
area, which may
further be classified
into sub-audit areas.

Audit subject: Finance Department in the Finance

(Note: A number of processes may exist in the
finance department, e.g. payroll processing,
procurement and payments processing, MIS and
asset management. It is unlikely that these processes
would be manually operated; as long as any
computer is involved in the processing, an IT
environment exists.)

For the finance department, the audit subject would
be the Accounting and Stock Control System.


the audit

Identify the intention
or purpose of the
audit. This helps the
auditor/inspector to
plan the audit

Examples of audit objectives could include:

To ensure that assets, liabilities and transactions
are free from material misstatements, by ensuring
that each asset, liability and transaction meet the
Completeness, Occurrence, Valuation, Existence,
Reasonable Measurement Presentation (COVER
MP) assertions.
To determine whether business systems are
adequately backed up and that backup copies are held
in a secure and remote media store.
To determine whether the company's information
meets the quality, fiduciary and security
requirements. E.g., for X Ltd's accounting system, one
may consider the use of CAATs (ACL, SQL, IDEA
etc.) to do this.
To determine that policies and procedures exist in
respect to
-data centre and network operations
-software and hardware acquisition, change and
-information security and internet use


Audit scope
or extent

This involves
identification of
specific functions,
processes or systems
of the organisation to
be included in the

For example, in the above systems backups example,
the audit scope statement might limit the review to a
single application system (e.g. the accounting system,
payroll, EFT system etc.) or to a limited period of
time. The scope of the audit is usually limited to the 12
months period ended.



The auditor/inspector
shall obtain an
understanding of how
the entity responds or
has responded to the
risks arising from IT.

The auditor/inspector

-Identify processes/
assets/ facilities to
be audited
-Identify technical
skills and resources
-Identify the
appropriate CAAT
tool/s to use, based
on the organisation's
IT platform, and
-Identify the sources
of information for
test or review.

At this stage, the auditor/inspector needs to obtain the

Finance and accounting policy
IT security policy
Risk management policy
Operational policies and procedures
Functional flow-charts

The auditor/inspector has to benchmark the entity's
policies, standards, practices and procedures against
best standard practices identified. The
auditor/inspector must then consider whether risks are
of a magnitude to result in material misstatement of the
financial statements, based on the degree to which the entity's
standards diverge from best practices.


Design audit
and steps of

Depending on the
results of the risk
assessment, the
auditor/inspector has
to identify and select
the audit approach to
verify and test the
controls or to
undertake detailed
tests of account
balances and
transactions relevant
to the entity's
financial reporting
objective/s (which are

Review the policy documents
Use audit tools, e.g. BEASTS, (CAATs which
review data and those which review controls) to
reduce the audit risk to acceptable levels (you may
consider the use of a specialist). Examples of
CAATs include IDEA, ACL and SQL. It is important to
obtain professional advice prior to using CAATs.
Analyse data and identify areas of risk. Evaluate
whether identified weaknesses/risks could result
in material weaknesses and fail the entity's
financial reporting objective/s.

Assess the entity's risk assessment and management
process. Review the entity's risk management policy.
Determine how management identifies business risks
relevant to financial reporting, estimates the
significance of the risks and their likelihood of
occurrence and how the risks are managed.


and review

The auditor/inspector
must review all the
working papers and
document findings.
This is important for
audit work quality
control in line with
ISA 220.

The procedures for evaluating the test or review of
results might be organisation specific. Each audit firm
or internal audit department must have documented
procedures for reviewing and evaluating audit results.
The audit senior might re-perform the audit tests prior
to signing off.


Prepare draft
report and

A draft report
detailing potential
areas of risk has to
be prepared, which
must then be
discussed with the
auditee management
before a final audit
report is written.

Whether the auditor/inspector's opinion is qualified or
unqualified, reasons for arriving at the opinion must be
documented and explained to the auditee. Detailed
analysis of weaknesses within the entity's system is
necessary. The auditor/inspector must also provide
recommendations which may help mitigate the
identified risks.


Prepare final
audit report

The final report may
also contain a
summary report of
observations, risks
and auditee

The final report may be submitted to senior
management (because they make decisions and can
implement the auditor/inspector's recommendations
and make a follow up).






Review and
follow up

It is important for the
auditor/inspector to
make a follow up so
as to ascertain the
extent to which the
auditor/inspector's
have been

Follow-up would help ease the auditing exercise of the
subsequent audit. This is good for both the
auditor/inspector and the entity, as it would help
reduce the amount of audit work and cost.

The above methodology is not conclusive. The auditor/inspector must
continuously keep abreast of the latest changes in technology and be able to
undertake real value-adding audits.

10.12 Audit of the Integrated Financial Management System (IFMS)

The IFMS is organized according to modules. Each module has risks attached to it
and therefore the internal auditor/inspector has to apply different procedures
depending on the category being audited.

10.12.1 Journal Voucher Processing

This is the entering of journals manually or from sub ledger systems and other
IFMS modules as input data into the General Ledger.

Control Objectives

Only valid and authorized JVs may be entered into the GL

Control Questionnaire

Key control questions Yes/No Remarks WP
Are the journals posted timely from the sub-

Are procedures in place to ensure that only
authorised manual journals are posted to GL?

Are some journal entries not in accordance with
the Generally Accepted accounting principles?
Do they result in material misstatement?

Audit Procedure

- Review documentation relating to the manual procedures concerning the
  preparation, submission and approval of manual JVs
- Export a list of journals whose source is manual (use the GL Journal enquiry
- Get a sample of the manual JVs and ascertain whether their purpose is clearly
  recorded and whether the authorized officer approved them
- Interview the HOA to ascertain whether he checks the accuracy of the JV
- Review the sample of journals online
- Download the posted General Journal report from the system
- Review the posted journal batches and the journals associated with each
  posted journal batch. (This will help you trace transactions back to the original
- Review journals posted from the sub ledgers using the drill down facility of GL
- Export the Trial Balance detail report. Analyze and identify accounts with
  significant balances. Use the account enquiry feature to investigate the
  corresponding journals.

General Ledger Set Up

Set up documentation helps to maintain the continuity of the set up parameters
and to ensure that no unauthorized changes to the GL set up were made. The
biggest risk here is unauthorised changes being made to the GL set up.

Control Questionnaire

Key control questions Yes/No Remarks WP
Is the suspense account posting allowed in IFMS

Is the journal approval feature enabled?
Are procedures in place to ensure that all
changes to the GL set up are authorized and

Is there restriction and monitoring of changes to
GL set up parameters, flex field security rules,
and cross validation rules?

Audit Procedure

- Review documentation regarding the GL set up, segment qualifiers and cross
  validation rules.
- Ascertain that no unauthorised changes to the set up parameters have been
- Review the set of books documentation and also the options.

Chart of Accounts Maintenance

The process of maintaining the Chart of Accounts (CoA) includes functions like
system maintenance of application control files, configuration of standard tables,
user access and control issues, as well as defining currency, accounting periods
and user parameters. Once the structure has been defined, it cannot be
modified. The IFMS captures, stores, reports and controls all information and
transactions at the Code Combination level. Only the Commissioner, Treasury
Office of Accounts has Chart of Accounts value access.


Before any alteration/addition is made to the CoA, a valid request from an
MALG, approved by the Accountant General, should be obtained. A paper trail
of the request should be in existence.

Audit Procedure

- Review the documentation of procedures
- Review the new account code request forms
- Review documentation relating to the determination of the code structure by
  the DOB.
- Review evidence of approval of the new code by the AG

Purchasing Module Audit Procedures

The purchasing function has a number of sub-processes as shown below;
- Set up
- Creation of Supplier Master and Item Master
- Request for quotation
- Issuance of Purchase Order

The purchasing module integrates with the GL module, Payables module and the
Dossier.

Purchasing Control Objectives

- Laid down procedures are observed
- All purchases are authorised
- Procurements are as per work plan and in line with the Procurement Act
- Procurement of only valid goods and services
- Payments are made to only valid people for valid reasons
- No overpayment occurs
- No undue delays in making payments
- Making of purchases at approved rates
- Only approved vendors are used.

Monitoring Controls

- Fraud and wastage are minimised
- Reports are reviewed by management so as to give assurance that the
  procurements made accomplish the stated objectives
- Irregularities are detected, investigated and corrective action taken by
Supplier Creation and Maintenance

Each ministry's Head of Procurement has the rights to create and enter supplier
information. This information is used when making Requisitions, Purchase orders,
Invoices and Expense Payments. No purchase can be made from a supplier not
in the system.

Supplier information recorded in the master file includes;
- Supplier name
- Tax payer ID
- Tax registration Number

Control Objectives

- Integrity of the supplier master should be protected
- A hard copy audit trail of the supplier approval process should be present
- Creation and maintenance of only valid suppliers/employees on the master file

Controls over supplier master files data

General IT Controls

- IT security controls - password
- Data file integrity controls
- Access controls

Application Controls

These include;
a) Automated Controls

The following are automatically enforced by the IFMS;
- Unique VAT ID
- Unique URA ID
- Unique supplier name
- Duplicate name check

b) Other important controls

- Established and documented procedures for reviewing the supplier master
  file and payment files and for analysing vendor performance.
- A hard copy audit trail of the approval process should be maintained. It
  should justify why a supplier was entered for a particular good or service.
- Procedures should be established to ensure the completeness, accuracy,
  and validity of data entry to the master file. E.g. one for one check and
- Manual procedures should be in place and adhered to. Some important
  procedures include: inviting applications from suppliers, recording the
  received applications, approval process, and the selection criteria used.


Key control questions Yes/No Remarks WP
Is the hardcopy audit trail of the supplier approval
process maintained?

Are there procedures to ensure that only valid
MALG employees are entered as suppliers for
payment claims?

Have the rules and procedures concerning
payment of claims and types of claims by
employees been documented?

Are there controls for ensuring completeness,
accuracy and validity of data entry to the master file
e.g. one for one checks and edits?

Has the basis for inactivation of suppliers been

Do the manual procedures precede entering of
supplier data e.g. approval of suppliers?

Audit Procedures

Date WP
Perform a walk through of the supplier approval
and data entry process

Interview the CAO, Head of Accounts and the HOP
about the supplier creation and maintenance

Review documentation and procedural manuals
Make a print out of the supplier report and compare
a sample with the hard copies of approval
documents to ascertain whether the proper
approval procedures had been followed

Check for evidence of management supervision and
monitoring

The Requisition Process

The purchasing cycle begins with a requisition by the authorized officers. Some of
the details filled in the requisition include; requisition type, description, status, and
estimate of the amount to be spent.


Requisitions should be made against appropriate charge accounts so as to
check the availability of funds
Only goods and services with a specific business purpose should be
Specifications, rate, quantity and amount of the requested for expense items
must be valid and authorized.

Control Questionnaire

Key Control questions Yes/No Remarks WP
Are requisitions only being entered by
authorized persons?

Is a paper audit trail of requisitions maintained?
Are there developed guidelines for procurement
action to ensure that requisitioning officers
initiate only valid procurement actions?

Do the different departments and cost centres
review and analyse the requisitions and
purchases made?

Audit Procedure

Date WP
Interview CAO, HOA, HODs and HOP
Check documentation and manuals
Review a sample of amount based requisitions
Check for POs that have no requisitions
Check for PO amounts that differ from the requisition
amount and quantity

Purchase Orders

These are created automatically from the valid and approved requisitions.

Control Objectives

Purchase should be charged to correct accounts
Only goods and services that meet the business objectives will have purchase
orders issued
There should be complete and accurate information regarding description of
goods and services, rates etc
Only approved purchase orders should be issued to approved suppliers


Get a print out of the purchase orders and review for appropriateness of
charge account
Check whether the documented procedures require a hard copy trail to be
kept for each transaction in the form of a voucher.
The following reports should be printed and reviewed;
Cancelled Requisitions Report
Cancelled Purchase Orders Report
Encumbrance Detail Report

Receiving of Goods and Services

After the goods have been received and the store keeper prepares a Goods
Received Note (GRN), the Head of Purchasing will enter it into the IFMS.

Control Objectives

There should be assurance that the receipts are only entered into the IFMS
system after ensuring that the description and quantity of the items agree with
the details on the purchase order.

Control Questionnaire

Key Control questions Yes/No Remarks WP
Is a system in place to inspect the received goods
for quality and quantity before the receipts are
entered into the system?

Does the store keeper have the technical
competence to verify the quality of all received

Is a system in place to record supplier's shipping
advice details upon receipt of goods?

Does the system provide for the correct treatment
of partial receipt of goods and services?

Does the system allow for receipt of goods?
Is a mechanism in place to certify the satisfactory
delivery and completion of technical services
ordered through amount based purchase orders?

Does the store keeper follow documented

Is there an investigation and reconciliation into the
receipts that do not match to purchase orders?


Interview the storekeeper, his supervisors, and users.
Review documentation regarding the storekeeper's functions.
Select a sample of GRNs and verify against stores accounts.
Review the accounting system in place.
Review a sample of payments for services.

10.13 Review of IFMS General Controls

General IT controls mainly focus on the IT infrastructure. Issues like IT related
policies, procedures and working practices are dealt with. These controls are not
specific to any individual transaction streams or accounting packages or financial

Some categories of general controls include;
Segregation of duties
Logical access controls
Physical controls (access and environment)
Systems development and program change
Business continuity planning
Organization and management (IT policies and standards)

Data centre control objectives and audit procedures

The data centre is a very critical facility for the IFMS system. Key resources like
databases, people, application software, infrastructure, hardware and operating
systems are all housed here.

Objectives of the data center controls review

To get assurance that;
Key resources are protected and safeguarded
Usage of key resources is monitored
Usage of key resources is maintained at an optimal level.

Examples of Control Objectives

- Senior management should define a framework that promotes the definition of
  formal service level agreements and defines the minimal contents: availability,
  reliability, performance, level of support provided by users, continuity planning.
- Appropriate physical security and access control measures should be
  established for information technology, including off-site use of devices to
  conform to the general security policy.
- Information services function management should ensure that a low profile is
  kept and the physical identification of the site of its information technology
  operations is limited.
- Health and safety practices should be in place and maintained in conformance
  with applicable international, national, regional and local laws and regulations
- Sufficient measures should be in place to protect against environmental
  factors like fire, dust, excessive heat.
- Management controls should guarantee that sufficient chronological
  information is being stored in operations logs to enable reconstruction, timely
  review and examination of the time sequences of processing and other
  activities surrounding or supporting processing.
- Management should establish the data centre organizational structure and
  develop job descriptions
- Management should ensure that all information assets have an appointed
  owner who makes decisions about classifications and access rights
- There should be well documented standard procedures for information
  technology operations.
- Software vendors should supply technical manuals concerning their products.

10.14 Computer-Assisted Audit Techniques (CAATS)

CAATS should be used to improve audit coverage by reducing the cost of testing
and sampling procedures that otherwise would be performed manually. CAATS
include many types of tools and techniques, such as generalized audit software,
utility software, test data, application software tracing and mapping.

Some audit procedures where CAATs may be used include;

- Tests of transactions and balances, such as recalculating interest;
- Analytical review procedures, such as identifying inconsistencies of significant
- Compliance tests of general controls, such as testing the set-up or
  configuration of the operating system or access procedures to the program
- Sampling programs to extract data for audit testing;
- Compliance tests for application controls like testing the functioning of a
  programmed control;
- Recalculating entries performed by MOF's accounting systems;
- Penetration testing.

10.15 Auditor/Inspector Knowledge Considerations

Standard 1210 - Proficiency of The IIA's Standards requires that the internal audit
activity collectively should possess or obtain knowledge, skills, and other
competences needed to perform its responsibilities. Varying levels of IT
knowledge are needed throughout the organization to provide a systematic,
disciplined approach to evaluating and improving the effectiveness of risk
management, control, and governance processes. Knowledge of how IT is used,
the related risks, and the ability to use IT as a resource in the performance of
audit work is essential for auditor/inspector effectiveness at all levels.


The following three categories for IT knowledge for internal auditor/inspectors
were identified by the IIA's International Advanced Technology Committee;

a) Category 1 - All Auditor/inspectors

This is the knowledge of IT needed by all professional auditor/inspectors, from
new recruits up through the Chief of Audit. Basic IT knowledge includes;

- Understanding concepts like differences in software used in applications,
  operating systems and systems software
- Comprehending basic IT security and control components like perimeter
  defences, intrusion detection, authentication, and application system
- Understanding how business controls and assurance objectives can be
  impacted by vulnerabilities in business operations and the related
  supporting systems, networks, and data components.

b) Category 2 - Audit Supervisors

This is concerned with the supervisory level of auditing. In addition to having
basic IT skills, supervisors must understand IT issues and elements
sufficiently to address them in audit planning, testing, analysis, reporting,
follow-up, and assigning auditor/inspector skills to the elements of audit

Each audit supervisor must:
- Understand the threats and vulnerabilities associated with automated
  business processes.
- Understand business controls and risk mitigation that should be provided
  by IT.
- Plan and supervise audit tasks to address IT-related vulnerabilities and
  controls, as well as the effectiveness of IT in providing controls for
  business application and environments.
- Ensure the audit team has sufficient competence, including IT proficiency,
  for audits.
- Ensure the effective use of IT tools in audit assessment and testing.
- Approve plans and techniques for testing controls and information.
- Assess audit test results for evidence of IT vulnerabilities or control
- Analyse symptoms detected and relate them to causes that may have
  their sources in business or IT: planning, execution, operations, change
  management, authentication, or other risk areas.
- Provide audit recommendation based on business assurance objectives
  appropriate to the sources of problems noted rather than just reporting on
  problems or errors detected.

c) Category 3 - Technical IT Audit Specialists

These are the IT specialists who go into the deeper aspects of critically
evaluating the IT controls in place.


Article 11

Fraud and Irregularities

11.0 Introduction

The profile of fraud and corruption in both the public and private sectors continues to
be high.

Fraud can be defined as any illegal acts characterised by deceit, concealment or
violation of trust. These acts are not dependent upon the application of threat of
violence or physical force. Frauds are perpetrated by individuals and organisations to
obtain money, property or services; to avoid payment or loss of services; or to secure
personal or business advantage.

Internal auditors/inspectors do not have all the expertise to deal with cases of
suspected fraud, corruption or other irregularity. When such a case is found or
suspected, the Internal Auditor/inspector must contact the Commissioner Internal
Auditor/Inspector, who will contact the Head of Internal Audit. The Chief Internal
Auditor/Inspector will decide what steps need to be taken and when to contact other
institutions, for example, the Prevention of Corruption Bureau.

11.1 Fraud Red Flags

11.1.1 People

- Management dominated by one person (or a small group) and no effective
  oversight board or committee.
- High turnover rate of key accounting and financial personnel.
- Significant and prolonged understaffing of departments such as the accounting or
  internal audit department.
- Frequent changes of legal advisers, auditor/inspectors or other professional
- Undue pressure on accounting personnel to complete financial statements or
  management information in an unreasonably short period.
- Remuneration overly based on financial performance.
- Inadequate segregation between the risk-takers and the record makers.
- Low morale.
- An employee whose lifestyle is at variance with their known sources of income.
- Changes in lifestyle or habits by key members of staff.
- Excessive hours worked by key staff and/or a lack of delegation of apparently
  mundane tasks.

11.1.2 Processes

- No checks to ensure that only appropriate employees are recruited by taking
  references, checking for criminal convictions and regulatory body disciplinary
- No checks to ensure that sales are only made to appropriate customers by, for
  example, establishing their ability to pay.
- No checks to ensure that only appropriate suppliers are used by, for example,
  checking for connections with company employees or officers.
- Lack of appropriate response to queries from management, suppliers,
  auditors/inspectors, bankers, or lawyers.
- Suggestions that internal controls have been overridden by management.
- Rumours and tipoffs relating to fraud & irregularities not dealt with.
- Indications that internal financial information is unreliable.
- Continuing failure to correct major weaknesses in internal control where such
  corrections are practicable and cost-effective.
- No enforcement of holidays and procedures during absence and work always left
  until the employee returns.
- Accounts office not keeping up with operations and the books apparently in a
  mess, for example key reconciliations not completed.
- Loss of records or other information.
- Overly complex corporate and/or reporting structure.
- Control of the business, especially internal control, given low priority and little
  management time.

11.1.3 Surplus/Deficit

Unusual transactions that have a significant effect on earnings.
Complex transactions or accounting treatments that require such intricate
explanations that they are difficult for most non-specialists to comprehend.
Unusual transactions with related parties.
Payments for services (for example to lawyers, consultants or agents) that appear
excessive in relation to the services actually provided.
Unusually high or unexpected levels of surplus or deficit.
Results that are out of line with the rest of the industry.
Transactions where surplus is not consistent with cash flow.
Secrecy about a particular auditee or project and/or where the auditee will only
deal with one member of staff.
Inadequate documentation about an auditee or transaction, for example, where the
only contact details are a mobile phone number.
Deteriorating quality of earnings, for example increased risk-taking with respect to
credit sales, changes in business practice.
Need for a rising surplus trend to support the market price of the company's
shares due to a contemplated public offering, a takeover or other reason.
Surplus and cash flow at variance with each other, or with the market.

11.2 Understanding the Business and the Risk of Fraud & Irregularities in
Each Business Area/Process

Managers should be prepared to ask if they do not understand. There is a strong
correlation between managers' understanding of their business and the level of
fraud & irregularities in that business.
What are the common fraud & irregularities seen in the industry in each
How well do senior management/the board of directors understand each of the
business areas/business processes?
What level of fraud & irregularities risk is tolerated by the business?


Who within each area could produce a comprehensive list of the critical risk
Who could check that list for completeness and accuracy?
Are understanding and control of any process solely or principally in the hands of
one individual?
How is this individual monitored and controlled and is this appropriate?
Are any such key individuals demonstrating fraud & irregularities warning signs?
Is the culture of the business conducive to fraud & irregularities, for example, is it
overly secretive/complicated?
How would you perpetrate a fraud & irregularities in each business area/process?
How would you be found out?
What are the key controls on which the business is relying?

11.3 Assessing the Impact of Each Possible Fraud & Irregularities
Based on its Severity and Potential Frequency

Repeat the exercise, assuming that a key employee is involved in the fraud &
irregularities, to highlight the key controls and individuals on which the business is
How big would the fraud & irregularities get before it was noticed?
Could cost-effective controls be introduced to mitigate the risks?

11.3.1 Key controls

Procedures to prevent management overriding controls.
Adequate segregation of responsibilities between the risk-takers and the
Management involvement and understanding of the key items in all key
reconciliations and journal postings.
Internal controls: up-to-date procedures manuals explaining the controls applied.
Use of pre-numbered, sequential documents wherever possible.
Maintenance and review of audit logs, for example, review of amendments to
standing data.
Recruitment: pre-employment screening, adequate inductions, performance
evaluation, counselling, coaching and training.
Internal audit and internal checks.
Dual signatories on all cheques.
Appropriate authorisation limits.
Backing up all data regularly to ensure an adequate audit trail is maintained.
Exit interviews: ask all leavers whether they are aware of any fraud &
irregularities or other irregularity.
Adequate job rotation, for example, ensuring that all staff take holidays and that
their role is handled by another person in their absence.
Procedures for notification of tip-offs, exceptions, control failures and their follow-
up, for example, the provision of a fraud & irregularities hotline.


11.3.2 Are controls operating effectively?

What evidence exists to prove that the control operates?
How frequently does management check to see whether a control operates?
What information is provided to management on a timely basis?
What action does management take to resolve issues and exceptions?
How well does management demonstrate prompt, appropriate action?
How often does internal audit check to see whether controls are operating?
How aware are staff of the key risks facing the business and the controls relied on
to prevent it?
Who is able to override the controls and how?
How responsive are the controls to changes in the business, its people and its
processes, for example, redundancies etc?
Who is assessing the control over the director/manager undertaking this fraud &
irregularities risk review?

11.4 The Internal Auditor's/Inspector's Role

As noted above, responsibility for prevention and detection of fraud rests with

The internal auditor/inspector, in preparing audit needs assessments and audit plans,
should ensure that high-risk areas are identified. High-risk areas include areas of high
inherent risk, areas where controls are weak, areas typically exposed to fraud,
computer fraud, etc.

Internal audit may discover fraud either through their audit checks, or from
information received from management or tip-offs. Information concerning suspected
fraud could be received by formal complaints, anonymous letters, telephone calls,
through operating hotlines, or referrals from the external auditor/inspector. The
auditor/inspector should get as much detail as possible, and also try and obtain the
identities of informants, assuring them of confidentiality.

Management may come across areas where they suspect fraud, for example
employees working while sick, or living beyond their means. The Internal Audit
Service should establish a special telephone line for whistleblowers at selected
ministries. This will allow key officers in these ministries to report suspected fraud or
other irregularities to the Internal Audit Service without having to provide their names
or posts.

The auditor/inspector could usefully identify some signs, personal circumstances or
organisational conditions that could point to fraud, and therefore require more
detailed examination, such as:

- overspending against budget
- unexplained items in suspense accounts
- frequent late banking
- altered petty cash vouchers and receipts
- goods invoiced that are not normally purchased
- employees who never take annual leave; also staff who constantly work outside
  normal working hours
- employees' personal financial problems
- employees whose lifestyle is more extravagant than their salary would warrant
- unusual concerns about visits by auditor/inspectors
- someone who often breaks the rules and regulations - cutting corners may be a
  way of concealing fraud
- complaints about a member of staff from customers or employers
- people who rule their subordinates with a rod of iron, and unnecessary anger,
  sarcasm or criticism, so they become too frightened to question anything
- lack of effective internal controls
- failure of management information systems
- undocumented procedures
- general laxity of attitude by management and employees towards security.

Once an investigation is completed internal audit may have responsibilities in
relation to:
- recommending improvements to systems
- attendance at disciplinary proceedings
- attendance at Court

11.5 Conduct of the Investigation

11.5.1 Objectives of fraud investigations

- To prove or disprove the original suspicions of fraud
- If proven, to support the findings by producing evidence
- To present the evidence obtained in an appropriate format

11.5.2 Who to inform about the suspected fraud

Chief Executive Officer
Internal auditors/inspectors
External auditors/inspectors (if fraud is significant)
Department head.

11.5.3 Police involvement

There should be a clear policy on the involvement of the police.
Good working relationships with the local police, appropriate police fraud units
and with other organisations working in this area should be established.
Protocols should be agreed with the police covering interviewing, documentation
and other key issues, a major one being the stages at which contact with the
police should be established.

Agreement should be reached on:
- terms of reference and scope of the investigation
- estimated target dates
- staffing resources
- provision of suitable facilities - transport, cameras, mobile phones etc as may be


All investigations must be properly authorised; relevant information properly
documented; secrecy and confidentiality must be maintained.
All original documentation, material to the investigation, should be secured by the
auditor/inspector at the earliest possible stage.

At some stage, initially or during the investigation, suspension of the suspect
may need to be considered. This will ensure that evidence is not tampered with,
and will also prevent any undue influence by the suspect on the course of the
investigation. The suspension is, of course, without prejudice to the outcome of
the investigation.

The investigation will involve gathering of evidence, and its evaluation. If there is a
high volume of detail and documentary evidence, it is preferable to take the
strongest cases for full and detailed appraisal, for example where a successful
prosecution is most likely to be secured.

11.6 Interviewing

Interviews can be of two types:
- to seek more information
- to interview suspects.

Potential suspects should normally be interviewed towards the end of the
Thorough preparation must always be done for interviews; questions to be asked
should be predetermined and written, but auditors/inspectors must always be alert
when to ask supplementary questions.
Avoid leading questions.
A caution should be issued to a person where there are grounds to suspect that
they may have committed an offence before any questions about the offence are
put. The auditor/inspector should not be in a position at the start of any suspect
interview where it would be required to issue a caution at the outset; if the
suspicion for this was strong enough to be necessary the case should normally be
referred to the police. If there is a doubt on whether a caution should be issued, it
should be remembered that, without a caution, the case will not be admissible in

11.6.1 Issues to consider before the interview

- The information needed; questions should, preferably, be prepared in advance
  of interview
- Arrange the time and place of the interview - preferably during normal working
  hours, but away from the interviewee's normal place of work
- The parties to be present - all interested parties should be represented, and
  preferably two auditor/inspectors; the interviewee should be given the
  opportunity to be accompanied.

11.6.2 Pointers at the interview

- One auditor/inspector should ask questions - and another person should take
- Ensure that nothing is done that can be construed as duress by the interviewee
- Begin by asking the interviewee to outline their understanding of their duties and
  responsibilities of the matter under review
- Ask supplementary questions where necessary
- If at any time the auditor/inspector forms the opinion that they have reasonable
  grounds for believing that the interviewee has committed an offence, the caution
  should be administered
- The auditor/inspector's notes should be agreed, signed and dated by all present
  at the interview.

11.6.3 Action to take after the interview

After the interview the following need to be considered:
- Suspension
- Informing the police
- Informing the external auditor/inspector
- Insurance
- Review of systems

11.7 Interviewing Techniques for Fraud Investigations

As the investigation develops there will be matters arising that can only be
substantiated or clarified by interviews conducted by the auditor/inspector. These
interviews will broadly fall into two main categories. Firstly, there may be a need to
obtain more information of a factual nature and this can only be obtained by
interviewing those people with the relevant knowledge. These people are more likely
to be employees of the organisation but could be third parties who are willing to assist
voluntarily with the enquiries. The second category will involve interviewing the
suspect(s) with a view to ascertaining any knowledge of and involvement in the
suspected fraud.

11.8 Fact Finding Interviews

Although the basic evidence in fraud investigation is more likely to be documentary it
will normally be necessary to establish certain other facts either relating to those
documents, other people, the application of rules/regulations, procedures in operation
and/or specific events. This can be obtained from the testimony and recollection of
others through fact-finding interviews which will generally be of a formal nature and
comprise predetermined questions although other supplementary questions may be
raised during the course of the interview. The questions should be designed to elicit
the relevant facts from the interviewee and answers which enhance the
auditor's/inspector's knowledge of the circumstances connected with the
investigation. Leading questions (which indicate the answer which is anticipated)
should not be asked. If predetermined questions are not used a checklist needs to be
prepared to ensure that spontaneous questions cover all the necessary areas of the
investigation. Depending on the scale and sensitivity of the investigation these
interviews will normally be undertaken by two auditors/inspectors, one of whom will
take detailed notes of the answers given to the questions asked. It is important to
ensure proper procedures are adopted in such interviews and they should generally
be in line with the procedures set out later.

Where the interview is conducted with a third party outside the organisation certain
additional matters need to be taken into consideration. Wherever possible a proper
appointment should be made agreeing the arrangements. Where the interview takes
place at a person's private residence the auditor/inspector should ensure that the
interviewee is aware of the auditor's/inspector's name and should carry an identification
pass which will be shown on arrival. If the interviewee is an aged person it is sensible
for the auditor/inspector to be accompanied by a social/welfare worker, who is known
to the person. This is also important when the interviewee is female and lives alone
and in these circumstances it is preferable that the interview be conducted by a
female auditor/inspector where possible.

11.9 Interviews with Suspect(s)

Interviews with potential suspects should be conducted towards the end of the
investigation when the auditor/inspector has assimilated the available evidence
and the examination of records and interviews with third parties and others has
established, as far as possible, the veracity of the facts of the case.
If the interview is carried out at an early stage where the auditor/inspector is
working largely on personal suspicions then the interview becomes a fact finding
interview with the possibility of a further interview being necessary. This could
however enable the suspect to gain considerable insight into areas being covered
by the investigation and be given an early opportunity to frustrate the investigation
as previously mentioned.

11.9.1 Preparation for interviewing suspects

The auditor/inspector should:

Understand and be fully conversant with all the details of the case.
Have sufficient knowledge to introduce supplementary questions spontaneously, if
appropriate, during the interview.
Study the evidence thoroughly and draw upon the strongest aspects of the case
and with all the necessary supporting evidence.
Formulate the areas to be covered and the sequence in which those areas should
be dealt with in a logical structure.
Be methodical in approach.
Ensure that documents connected with the suspected fraud and those that will be
subsequently relied on in proving that fraud has occurred, are shown to the
suspect at interview and accepted as valid, accurate and complete documents.
Seek confirmation of such documents in total from the suspect in the initial stages
of an interview when the suspect is not aware of the detailed suspicions of the
auditor/inspector or the direction which the interview will take.
Give all such documentary evidence produced at interviews unique references
which will clearly identify individual documents and which will be recorded in the
question asked, for example "Would you examine this time-sheet dated 10/12/06
which I have referenced ABI. Is this the time-sheet which you completed for the
week ended 10/12/06?" A positive answer to such a question, contemporaneously
recorded, would be difficult for the suspect to refute at a later date.
Predetermine and write down the questions to be asked at the interview.


11.9.2 Purpose of pre-determined questions:

- the questions are asked in the most beneficial sequence and in the most
  appropriate form
- the auditor/inspector taking notes of the answers given can concentrate on writing
  down the answers only
- no area of the investigation is missed from the interview as a result of the
  auditor/inspector being side-tracked by the interviewee, and
- the overall interview time is reduced as the process is speeded up.

Future disputes as to the conduct of the audit interview can be forestalled to some
extent if a final question is included, as a matter of course, to the effect: "Are you
satisfied with the way in which this interview has been conducted?" An affirmative
answer to such a question should preclude any complaints of duress, unfair
treatment or denial of natural justice by the auditor/inspectors being made by the
interviewee at a later date.

11.9.3 Formulation of questions

There should be no leading questions. These are questions which contain the
answer the questioner is looking for, e.g. "You do open the post on your own,
don't you?"
Questions should be kept simple. It is better to use several short questions
rather than long involved ones.
If a question is not understood, repeat it.
Avoid multiple questions as these allow the suspect to choose which individual
aspect of the question to answer and can be confusing, especially when a "yes"
or "no" answer is given, as it is impossible to determine whether it is "yes" or "no"
to all aspects, or one, or more.
Ask a question the correct answer to which is already known to the
auditor/inspector. This type of question allows the auditor/inspector to determine
whether the suspect is telling the truth.
Where questions are asked about two related documents, for example, a
correct one and an identical fictitious one, the fictitious document should be
questioned first as the suspect will not be aware that the auditor/inspector
possesses the correct one and will have committed an answer before the
correct document is produced and therefore be unable to easily retract it.
Ensure that the questions are constructed to elicit all information otherwise the
auditor/inspector will find that only specific responses are made and these may
not reflect the whole truth.
Use either open questions or closed questions, depending on the situation.


a) Open Questions

Allow the suspect to explain matters in detail.
Are useful in circumstances where the person is reluctant to answer.
They allow the auditor/inspector to lose control of the situation if they are widely
used particularly where the suspect is talkative and wanders away from the nub of
the question.
Begin with expressions such as "Tell me about ...".

b) Closed Questions

Establish specific points of fact.
Enable the auditor/inspector to probe single and specific facts.
They may be used to obtain specific yes/no answers or to identify a person, etc.
An example of the first type would be "Are unofficial receipts issued?" and an
example of the second type would be Who authorises payments from petty

11.9.4 Other arrangements for the interview

The auditor/inspector should make other arrangements in advance to enable
things to run as smoothly as possible.
Audit interviews should always be conducted in a formal manner and are best
undertaken at a location away from the interviewee's normal work place.

There are several reasons for this:

- the interview can be confidential
- it reduces the embarrassment which the interviewee may feel, and
- if conducted away from the suspect's work place it will remove any advantage
  which the suspect may gain from being on home ground.

Ensure that adequate safeguards are adopted, both from the point of view of the
interviewee and the interviewer.
Arrange the interview at a reasonable time of day (having taken into account the
estimated time which will be required to carry out the full interview).
Breaks from interviewing shall be made at recognised meal times.
Short breaks for refreshment shall also be provided at intervals of approximately
two hours, subject to the interviewing officer's discretion to delay a break if there
are reasonable grounds.
As far as practicable interviews should take place in interview rooms which must
be adequately heated, ventilated and lit.
The interviewee should be given the opportunity to be accompanied if requested
so advance warning will be necessary so that the requisite arrangements can be
A person who wants legal advice may not be interviewed or continue to be
interviewed until they have received it.


11.9.5 Conduct and structure of the interview

The interview should be conducted by a senior member of the audit team
accompanied by another auditor/inspector whose duty will be to record
contemporaneously the answers given by the interviewee together with any
supplementary questions asked or explanatory statements made by either party.
At the start of the interview both auditors/inspectors should formally introduce
themselves to the interviewee giving their names and positions.
It is sensible for the auditor/inspector to explain at the outset the procedure to be
followed and that if the interviewee does not wish to answer any question that fact
will be recorded in the interview notes.
There should be formal note taking. The taking of good notes may in fact be the
difference between success and failure in a subsequent disciplinary or criminal
Where someone (this may be a trade union representative, a solicitor, or a
colleague) accompanies the interviewee it should be clearly explained at the
commencement of the interview that their role is that of an observer to see that
the interview is conducted fairly and not to answer on behalf of the interviewee.
These interviews are not part of the disciplinary process but are conducted by the
auditor/inspector in order to seek out the facts.
In the case where an interviewee is not able to understand English or where the
interviewing officer cannot speak or understand the language of the interviewee
then an interpreter should also be present to record what takes place during the
interview in the actual language which is used. (This record should then be
formally certified as accurate and complete by the interpreter).
Similar provisions will also need to be made when the interviewee is deaf and the
auditor/inspector should contact the social services department of the local
authority who should be able to provide assistance.
Formulate a standard prefix sheet for use in all audit interviews.

The following details should be recorded:

- name of the interviewee
- the place and date of interview
- details of any friend accompanying the interviewee
- the matters being investigated, and on which the interviewee is to be questioned
- the time of commencement of the interview, and
- the details (i.e. names and positions) of the audit staff conducting the interview.

The prefix sheet should incorporate a paragraph which sets out the
auditor's/inspector's authority to conduct the interview and seek explanations and
information from the interviewee. This can be read out to the interviewee and will
assist in precluding any dispute and consequent delay which might otherwise
arise over the right of the auditor/inspector to carry out the interview.
Before, during and after the interview nothing should be done in any way
whatsoever which could be construed as duress to force the interviewee to
answer in a specific way or even confess to an offence. An auditor/inspector
tapping fingers on the desk could be interpreted as an act of duress and could
bring the interview into question in any future court hearing.


The auditor/inspector should always be alert to the behaviour/responses/reactions
of the suspect.
Include a question in the interview which allows the interviewee to make any
comments which they may wish to add and have recorded in the interview notes.

11.10 Interview Notes

Audit interviews are normally recorded by the use of contemporaneous notes taken
by a member of the audit staff as the interview proceeds. This process should be
explained to the interviewee at the commencement of the interview.

Auditors/inspectors are not trained shorthand writers and so cannot normally be
expected to produce a complete verbatim record of the answers given at interview but
the person taking notes should record the answers given as fully as possible. There is
a danger that the note taker might disregard, or fail to record an apparently trivial
statement made by the interviewee which is in fact of singular significance to the
case, but which could not later be introduced as evidence if it is not recorded in the
interview notes. To this end, where particularly complex investigations require such
interviews it is perhaps appropriate that the person taking notes is fully conversant
with the case in order to minimise the risk of any significant comment not being
recorded. The recording of the interview fully and correctly is a vital aspect of the
whole investigation, both from the point of view of the auditor/inspector and the
interviewee. This applies whether or not the interview is being tape recorded.

Where an audit interview continues for any length of time, the offer of breaks and
their acceptance, or refusal by the interviewee must be recorded, together with the
relevant times in the contemporaneous notes taken of the interview. Any complaints
raised by the interviewee should also be recorded in the interview notes.

When the interview has been completed, any sheets containing predetermined
questions which were not asked, should be removed.

The interviewee should be invited to read the interview notes which have been taken
and should be given the opportunity to make any additions, deletions or amendments
which are considered necessary. When any such alterations have been made and
the interviewee agrees that the notes are a complete and accurate record of the
interview they should then be asked to sign each page of the interview notes and to
initial any alterations which have been made.

Once this has been done, and in the presence of the interviewee the auditor/inspector
who has taken the notes should:
- consecutively number the pages of notes, e.g. "1 of 10" etc
- cross through all blank spaces on the pages of notes to demonstrate to the
  interviewee that nothing can subsequently be added to the agreed interview notes
- sign each page of notes, together with the auditor/inspector who has conducted
  the interview, and
- enter on the last page of notes the time at which the interview ended.


11.10.1 Refusal of the interviewee to sign the notes taken

It may arise that an interviewee will refuse to sign the notes taken of the interview.
The circumstances of the refusal should in those cases be noted on the last sheet
of the interview notes, preferably in the presence of the interviewee, and the notes
should be signed by the two auditor/inspectors who conducted the interview. Under
no circumstances whatsoever should the interviewee be pressured into appending
a signature.

11.10.2 Cautioning

It is appropriate at this point to examine the circumstances of cautioning a suspect.

The objective of an audit interview is to establish facts and this applies equally to
interviews with suspects in an investigation. It may well be that a suspect will
provide apparently genuine explanations for the actions which have prompted the
audit investigation, and which the auditor/inspector will subsequently need to follow-
up and verify.

A caution should be issued to a person where there are grounds to suspect that
they may have committed an offence before any questions about the offence are
put. This is therefore an important consideration for the auditor/inspector when
undertaking suspect interviews.

Even though an auditor/inspector may have accumulated substantial amounts of
evidence during the investigation which could be seen as suggestive of the guilt of
the suspect there may well be other possible explanations.

Having discussed the situation informally as previously suggested with the local
police, the auditor/inspector should not be in a position at the start of any suspect
interview where it would be required to issue a caution at the outset. If the suspicion
were strong enough for that to be necessary the case should normally be referred
to the police.

It is perhaps appropriate to help prevent any future dispute for the auditor/inspector
to explain to the suspect at the outset of the interview that the purpose of the
interview is to establish facts and obtain explanations. This statement should be
fully recorded in the interview notes.

As the interview proceeds however, it may be that the answers given by the
suspect, coupled with other evidence known to the auditor/inspector, give rise to
clear grounds to suspect that the interviewee has carried out a fraudulent act or
indeed the suspect may confess.

At this point, if the auditor/inspector is to avoid any evidence obtained from the
interview being ruled inadmissible in any subsequent criminal proceedings, the
auditor/inspector may take one of two courses of action:
- terminate the interview at that point and refer the investigation to the police for
  further action; or
- issue a caution to the suspect, before proceeding with any further questioning.


The words to be used to give such a caution should be:

You do not have to say anything. But it may harm your defence if you do not
mention when questioned something which you later rely on in court. Anything
you do or say may be given in evidence.

The fact that the caution was given, the words used, and the time that the caution
was given must be recorded in the interview notes. The interviewee must also be
formally reminded that they are still under caution after any subsequent breaks in
the interview and this must also be recorded and timed in the interview notes.

11.11 Voluntary Statements under Caution

In certain circumstances the interviewee may not wish to answer any further
questions but may wish to make a statement to the auditor/inspectors. If the
interviewee wishes to write out this statement personally then the statement should
begin with this declaration:

I make this statement of my own free will. I understand that I do not have to
say anything but that it may harm my defence if I do not mention when
questioned something which I later rely on in court. This statement may be
given in evidence.

This should be followed by the signature of the interviewee.

The interviewee should, on completion of such a statement, be invited to re-read
what has been written and be given the opportunity to make any amendments
before signing the statement.

Where the interviewee wishes to make a statement rather than answer further
questions but wishes the interviewing auditor/inspector to write down what is said
the statement should be prefixed as follows:

I, wish to make a statement. I want someone to write down what I say. I
understand that I do not have to say anything but that it may harm my defence
if I do not mention when questioned something I later rely on in court. This
statement may be given in evidence.

In these circumstances what is said by the interviewee must be recorded verbatim
and upon completion the interviewee should be asked to read through what has
been written, and should be allowed to make any alterations, additions or
corrections. Any such changes must be initialled by the interviewee.

When the statement has been agreed the following certificate should be added, at
the end of the statement, by the interviewee:

I have read the above statement, and I have been able to correct, alter or add
anything I wish. This statement is true, I have made it of my own free will.

This certificate should then be signed by the interviewee.


11.11.1 Offers of resignation/restitution

If during the course of an interview the interviewee offers to resign then the
auditor/inspector should not accept it but should refer the individual to the
manager/personnel officer and record the offer in the interview notes.
Auditor/inspectors should not accept money in restitution of an offence at
interview as it may be construed as being obtained under duress and legal
advice should be taken afterwards.
Any offer of restitution should be incorporated in the interview notes.
The auditor/inspector should not enter into any discussion on doing a deal
whereby the employee will pay restitution in order for the matter not to be
referred to the police etc.

11.12 Other Relevant Areas

11.12.1 The use of audit notes as evidence

As a general principle evidence is essentially fact and not impressions or opinions
formed or conclusions drawn.

Throughout the investigation of any fraud, situations will occur and conversations
take place which are material to the matter under investigation. For example, the
content of a telephone call to an outside organisation to confirm or otherwise
alleged events will be very important to the direction of the investigation. In any
such situation any auditor/inspector involved must, either at the time or immediately
afterwards, make a formal note of what has taken place. The object of such notes is
to assist the auditor/inspector to:

- produce an honest and factual statement of evidence if subsequently required
by the police or as part of formal disciplinary proceedings, and
- refresh the auditor/inspector's memory and bring all aspects clearly to mind
should the auditor/inspector later be called on to give evidence either in a
disciplinary or criminal hearing.

11.12.2 Rough notes made during conversations, etc

Occasionally the auditor/inspector will not be able to follow formal interview
procedures when speaking to persons connected with an investigation as in some
cases the person concerned will not be an employee of the organisation and the
auditor/inspector has no authority to interview formally in such cases.

The evidence which these people have to give, however, may still be very material
to the investigation and in such circumstances the auditor/inspector should record
the contents of the interview as contemporaneous rough notes. These notes should
be made in the manner most appropriate to the circumstances but should attempt to
cover the essential facts disclosed.

As soon as possible after completion of the conversation the rough notes should be
used by the auditor/inspector(s) to produce a full written note of what has occurred.
These notes should be signed by the auditor/inspector(s), timed and dated, and
where possible the rough notes attached. Notes made on this basis may be
acceptable to the police in any subsequent criminal investigation.


Such notes are also generally accepted by the courts for use by a witness when
giving evidence but the courts may, on occasion, rule that only the rough notes
made contemporaneously may be used. It is therefore important that these notes be
as detailed as possible and are retained intact.

11.12.3 Conclusion of the investigation

Having conducted the interviews necessary to complete the auditor/inspector's
knowledge of the situation disclosed by the investigation the auditor/inspector must
draw together all the evidence obtained from the investigations and formulate the
conclusions based on all the evidence so that the audit report can be prepared.

At this stage the auditor/inspector must take full account of all their investigations in
reaching their conclusions.

It is also important that conclusions are only based on fact. It may well be prudent to
obtain legal advice from within the organisation before finally determining the
conclusions of the investigation.

The need to obtain legal advice on the evidence resulting from the

In almost every fraud investigation some legal advice on the strength of the
evidence obtained will be required. This may be:
- informal - an off the record discussion with a member of the organisation's legal
- a referral of a draft report for specific examination as to whether the evidence
disclosed is strong enough to warrant referral to the police
- a formal referral to outside counsel for advice both on the case and perhaps
proper procedures for investigation/reporting when the culprit is covered by a
detailed and specific nationally laid down disciplinary code.

It must always be remembered that the legal opinion obtained is purely that, an
expression of opinion, and must never be regarded as a definite and infallible
prediction of the outcome of any investigation/criminal action. The opinion given can
only be formed from the information available. Therefore any omissions or errors in
that information, or subsequent discoveries (unforeseen when the information was
provided) will affect the validity of the opinion which is drawn from the information

The following expressions are those generally used by the legal profession when
giving an opinion on the strength of evidence, and can be interpreted as shown

The evidence should be sufficient to support successful proceedings
This can be taken as legal opinion that the evidence obtained should be more likely
to result in conviction of the culprit than in the acquittal.


The evidence should be sufficient to support a prima facie case
This can be taken to mean that the evidence disclosed is evidence of the essential
facts of the case which are required to undertake a prosecution but that there are
sufficient factors (which would normally be detailed in the opinion) to suggest that
the prosecution could fail.

The evidence is not sufficient to support proceedings
This is basically self-explanatory in that it means that the evidence produced does
not prove one or more of the essential facts necessary to secure the conviction of
the culprit, for example obvious lack of credibility of some witness(es) or failure to
prove the connection between the fraudulent action and the culprit.

Such advice will normally detail the deficiencies in the evidence produced and
where possible suggest what is required to remedy these deficiencies.

In certain circumstances, although the evidence produced may well be sufficient to
ensure prosecution there may be certain features, either of the case and its
circumstances or the culprit which would make the case unlikely to succeed, and
therefore to make the prosecution of the case contrary to the interests of the
organisation. If such features exist, they should be brought to attention in any legal
opinion obtained.

Such features include:
- the serious ill health of the culprit
- the staleness of the offence, and
- the age or youth of the culprit.

11.13 Components of an Appropriate Anti-Fraud and Irregularities Culture

An anti-fraud & irregularities culture refers to an attitude of mind, not a list of
Issues that may suggest the existence of an appropriate anti-fraud &
irregularities culture include:

- Fair treatment of employees/customers and suppliers, in areas such as staff
performance and development evaluation tied in with coaching and counselling.
- Managers and staff who understand business and risks.
- Segregation of duty between risk-takers and recorders.
- Regular two-way communication, encouraging challenges to managers.
- An ethics policy and contingency plan that are regularly reviewed, tested,
updated and approved.
- Staff accountability for maintaining adequate controls.
- Appropriate anti-fraud & irregularities training.
- An emphasis on staff's responsibility to report fraud & irregularities and the
existence of appropriate escalation procedures.
- Provision of a fraud & irregularities hotline for reporting fraud & irregularities.
- The existence of an internal audit department of an appropriate size.
- An emphasis on recruiting staff with high integrity.
- Regular discussion and knowledge sharing with others in the same




East and Southern Africa Association of Accountants General

February 2001



The East and Southern African Association of Accountants General


1. Introduction

2. Nature, Objectives and Scope of Internal Audit

3. Internal Audit Independence

4. Managing Internal Audit

5. Professional Proficiency

6. Relationships

7. Internal Audit Planning

8. Approaches to Internal Audit

9. Reporting, Monitoring and Follow-up

Glossary of Technical Internal Audit Terms


1.0 These Internal Auditing Guidelines are recommended to all government institutions in member countries.
These may include Ministries, Departments, Regions, and other public sector organisations or entities,
where appropriate. The Guidelines are prepared in compliance with the Standards for the Professional
Practice of Internal Auditing developed by the Institute of Internal Auditors and international best
practice in public sector Internal Audit.

1.1 The guidelines are intended to provide best practice principles rather than specific guidance on Internal
Audit procedures and techniques. Each professional Internal Auditor should hold the general skills and
knowledge of Internal Audit practice.

1.2 A brief explanatory note to facilitate a clear understanding of the guidelines is included before each

1.3 These guidelines provide criteria by which Internal Auditing in the Public Sector in member countries
should be measured and evaluated.

1.4 Any standards or guidelines should be dynamic to keep up to date and these guidelines will be revised
from time to time as necessary.


2.0 Explanatory Notes:

2.1 This guideline explains the nature, objectives and scope of Internal Auditing and indicates the range of
responsibilities that Internal Audit should cover. The Head of Internal Audit should ensure that each
Accounting Officer (see Glossary of Technical Internal Audit Terms at the end of these Guidelines) in the
public sector organisations for which they are responsible is aware of the full range of activities that fall
within the scope of Internal Audit.

2.2 Nature: The Institute of Internal Auditors defines Internal Auditing as "an independent objective
assurance and consulting activity designed to add value and improve an organisation's operations. It
helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate
and improve the effectiveness of risk management, control and governance processes."

2.3 Internal Audit should be an independent function or division within the public sector organisation. It
assists management by reviewing, assessing and helping to improve the internal control system. Internal
Auditors work with Accounting Officers and other managers to help to improve internal controls within
their public sector organisation and so reduce the risks the Government faces in achieving its objectives
to an acceptable level. Internal Audit undertakes reviews of individual systems and processes. As a
result, recommendations are made to the relevant Accounting Officer on how internal controls could be

2.4 Scope: The scope of internal audit needs to cover the systematic review, appraisal and reporting of the
adequacy of the systems of managerial, financial, operational and budgetary control and their reliability
in practice, including:
- the relevance of established policies, plans and procedures, the extent of compliance with these
- the appropriateness of organisational, personnel and supervision arrangements
- the extent to which assets and interests are accounted for and safeguarded from losses of all kinds
arising from waste, extravagance, inefficient administration, fraud or other causes
- the appropriateness, reliability and integrity of financial and other management information and the
means used to identify, measure, classify, report and act upon that information
- the integrity of computer systems, including systems under development
- the follow-up action taken to remedy previously identified weaknesses.

2.5 The actual areas reviewed by Internal Audit should be determined by a risk assessment that guides
Internal Audit planning (see Guideline Seven).

2.6 There should be an Internal Audit service for all public sector and government organisations including
the armed and secret services.

2.7 Objectives: Internal Audit should operate in partnership with management by helping to enhance their
accountability, transparency and corporate governance. This is achieved by identifying and evaluating
their internal control systems and making recommendations for improvements and refinements to these

2.8 Internal Audit assists Accounting Officers by evaluating and reporting on the elements of the internal
control system for which the Accounting Officer is responsible. It is not, however, an extension of, or a
substitute for, effective internal controls. Responsibility for internal control rests fully with the
Accounting Officer, who should ensure that appropriate and adequate arrangements for internal control
exist in addition to any Internal Audit activity in their public sector organisation. It is for the Accounting
Officer to decide whether or not to accept and implement Internal Audit findings and recommendations.

However, the Accounting Officer should be responsible to an Audit Committee and the Public Accounts
Committee for ensuring that prompt and effective action is taken to address Internal Audit's findings. An
Audit Committee may assist in ensuring that prompt and effective action is taken in response to audit

2.9 Internal Audit may undertake checks that individual items of expenditure are necessary and have been
authorised as required. This may be undertaken before the payment is made (pre-audit) or may be
undertaken later (post-audit). Internal Audit may also be required to undertake independent checks on
stores and fixed assets. However, international best practice suggests that the core element of Internal
Audit work should be systems audit. The objective of systems audit is to improve the controls operated by
management rather than Internal Audit acting as a control itself.

2.10 If Internal Auditors undertake pre-audit, they should not also undertake system reviews of the same
transactions or systems.
Advantages and Disadvantages of Pre-Audit

| Advantages | Disadvantages |
|---|---|
| Could help to ensure that expenditure is necessary and appropriate. | May reduce officers' responsibilities for internal control. Managers may not check payments properly, but rely on Internal Audit to do these checks. |
| Could help to ensure that expenditure is properly authorised before payment is | Payments may be delayed until Internal Audit has completed their checks. |
| Could help to prevent management fraud. | It may be an inefficient use of valuable Internal Audit time. |
| Could help to reduce the incidence of fraud or irregularity. | Could provide an opportunity for unethical Internal Auditors to seek bribes. |
| Could help to confirm the existence of projects, supplies and stores. | Could relax Internal Audit objectivity when doing systems audit work. |
| | Could put Internal Audit security at risk. |

2.11 In some countries, Internal Audit may be required to undertake pre-audit. Where this is the case
consideration should be given to reducing this role. This could be achieved by only undertaking pre-audit
on larger payments or those that are particularly vulnerable to fraud or irregularity. Public sector
organisations with good internal controls could be rewarded with a reduced requirement to have their
expenditure subject to pre-audit.

2.12 Internal Audit is not necessarily best suited to undertake investigations into suspected fraud, corruption
or irregularity. This is a specialised function that requires expert knowledge and experience. The
approach to fraud investigation is different to that used in routine Internal Audit work. For these reasons,
where possible, fraud investigations should be undertaken by a special unit.

2.13 Internal Audit can:
- independently review and appraise the systems of control throughout the public sector organisation
(not just the financial controls);
- recommend improvements to internal controls;
- ascertain the extent of compliance with procedures, policies, regulations and legislation;
- provide reassurance to management that their policies are being carried out with adequate control of
the associated risks;
- facilitate good practice in managing risks;
- save money by identifying waste and inefficiency, and by facilitating the spread of good practice;
- avoid duplication of effort by an effective partnership with the Auditor-General and other review
- by its activities help to ensure that assets and interests are safeguarded from fraud, deter fraudsters
and possibly identify fraud.

2.14 The existence of Internal Audit in a public sector organisation should not cause a general relaxation of
vigilance on the responsibility of the line managers. It is not the responsibility of Internal Audit to detect
and/or prevent fraudulent activities and irregularities. This is the responsibility of all officers, managers
and the Accounting Officer.


Internal Auditing is an independent objective assurance and consulting activity
designed to add value and improve an organisation's operations. It helps an
organisation accomplish its objectives by bringing a systematic, disciplined approach
to evaluate and improve the effectiveness of risk management, control and governance
processes. The effect of Internal Audit should be continual improvements and
refinements to the internal control system as a contribution to proper, economic,
efficient and effective use of government resources.


Internal Audit has two main objectives. These are to:
a) ensure that internal control and risk management systems are continually being
improved and optimised in response to an ever changing environment;
b) provide reasonable assurance to the relevant Accounting Officer and the Audit
Committee that significant risks in the public sector organisation are being
appropriately managed, with an emphasis on the role of internal controls.
3 The way that these objectives are achieved will vary between countries and
organisations. This leads to a variety of different approaches to Internal Audit. This
subject is covered in the Guideline below on Approaches to Internal Audit.
4 The Head of Internal Audit should be consulted when the Accounting Officer wishes to
change the system of internal control. The Head of Internal Audit should be required
to co-ordinate inter-ministerial or departmental issues concerning control.
5 If Internal Auditors are used to investigate potential fraud or irregularity they will need
specialist knowledge and experience. An expert team should be created to investigate
cases of actual or potential fraud and irregularity.

Internal control has been defined by the Committee of Sponsoring Organisations of the
Treadway Commission (COSO) in Internal Control Integrated Framework, as:
'A process, effected by an entity's board of directors, management and other
personnel (people), designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:
- effectiveness and efficiency of operations (basic operational objectives,
performance goals and safeguarding resources)
- reliability of financial reporting
- compliance with applicable laws and regulations.'
7 Internal control is a management tool used to provide reasonable assurance that the
public sector organisation's objectives are being achieved efficiently. Internal control
covers the whole system of controls, policies and procedures established by
management to meet their targets and objectives.

8 The responsibility for the adequacy and reliability of internal controls rests with
management. The relevant Accounting Officer has overall responsibility for the
establishment and maintenance of internal controls within their area of responsibility.
The Accounting Officer of each public sector organisation should ensure that proper
internal controls are introduced, reviewed, and updated to keep them effective. An
Audit Committee can assist with this role.

The potential scope of Internal Audit is the whole system of internal control established
by a public sector organisation. This may include controls over all the organisation's
activities, not just controls over financial accounting and reporting. Internal Audit
should review all significant operational and management controls, including policies
and procedures for the management of risk. However, Internal Audit should
concentrate its efforts on the high risk areas and the most important internal controls.
10 The Accounting Officer and Audit Committee should not restrict Internal Audit to
work on financial systems or checking that assets are safeguarded. Internal Audit work
should go beyond the accounts to check that public officials and others entrusted with
public resources are:
a) complying with applicable laws and regulations
b) achieving government objectives and desired services or benefits established by the
public sector organisation.
11 The Audit Committee and the Accounting Officers should ensure that Internal Audit
has the widest scope to ensure that internal controls across the whole public sector
organisation may be subject to review by Internal Audit.
12 Internal Audit should have unrestricted access to all the people, systems, documents
and property it considers necessary for the proper fulfilment of its responsibilities.


3.0 Explanatory Notes:

3.1 Internal Audit should be sufficiently independent from line management to ensure that Internal Audit's
professional judgements and recommendations are objective and impartial. To be effective, Internal
Audit needs to have adequate authority and report at a sufficiently senior level within the public sector
organisation. As a result, the Head of Internal Audit should report (for pay and rations) at a level at least
equivalent to the Accountant-General in the Ministry of Finance or the Permanent Secretary in other
ministries. Internal Audit should also report to an Audit Committee and have a direct reporting line to
the Accounting Officer.

3.2 It is generally considered that Internal Audit should not report to a manager if Internal Audit regularly
reviews systems that this manager is directly responsible for. For this reason, in some countries it is
considered inappropriate for the Accountant-General to be responsible for Internal Audit. The reason for
this is that the Accountant-General is the accounting advisor to the Permanent Secretary in the Ministry
of Finance and is also in charge of the treasury and the national accounts. The Head of Internal Audit
regularly reviews systems that the Accountant-General is responsible for and so should not report on
these systems to the same officer.

3.3 Internal Audit will achieve respect through the status it is given in a public sector organisation. For the
individual Internal Auditor, objectivity is essential to ensure an attitude of mind characterised by
integrity, steadfastness and an impartial approach to work. Objectivity may be impaired through
familiarity both with systems and non-audit staff. This may occur if Internal Audit staff are involved with
the same work assignments and ministerial officers for several years.

3.4 Internal Audit should take its authority and terms of reference from the Audit Committee and Accounting
Officer to whom the Head of Internal Audit should report and have the right of direct access. Internal
Audit's terms of reference (or charter) should clearly outline the nature, objectives, responsibilities and
scope of Internal Audit. Internal Audit's terms of reference should be approved by the Audit Committee
subject to applicable legislation.

3.5 The written terms of reference for Internal Audit should clearly:
a) establish Internal Audit's position within the organisation
b) establish Internal Audit's right of access to all records (whether electronic or otherwise), assets,
personnel and premises, and its authority to obtain such information and explanations, as it considers
necessary to fulfil its responsibilities
c) define the scope of Internal Auditing activities.

3.6 Objectivity is an independent attitude of mind that Internal Auditors should maintain when performing
Internal Audit work. It is important that Internal Auditors always retain a critical edge in undertaking
their work. Internal Auditors need to be sceptical in discussions with officers and to obtain an adequate
level of proof from Audit testing.

3.7 Objectivity requires Internal Auditors to carry out Audits in such a way that the quality of their work or
their honest belief in the results of that work is not compromised. Internal Auditors should not be placed
in situations in which they feel unable to make objective professional judgements.

3.8 Internal Auditors should not be placed in situations in which they feel unable to make objective and
impartial professional judgements. If any of the situations referred to below arise, Internal Auditors
should inform their Head of Internal Audit so that alternative arrangements for the Internal Audit
assignment may be made:

(a) Internal Auditors, notwithstanding their employment by the organisation, should be free from any
conflict of interest arising either from professional or personal relationships or from pecuniary or other
interests in an organisation or activity that is subject to Audit.

(b) Internal Auditors should be free from undue influences, which either restrict or modify the scope
or conduct of their work or over-rule or significantly affect judgement as to the content of the Internal Audit

(c) Internal Auditors should not allow their objectivity to be impaired when Auditing an activity for
which they have had authority or responsibility in the past.

(d) Internal Audit should be consulted about significant proposed changes to the internal control
system or the implementation of new systems. Internal Audit may make recommendations on the
standards of control to be applied without prejudicing Internal Audit's objectivity in reviewing those
systems at a later date.

(e) Internal Auditors should not normally undertake non-Audit duties, but if they do, exceptionally,
they should ensure that management understands that they are not then functioning as Internal Auditors.

3.9 International best practice suggests that Audit Committees should be established. Audit Committees are
generally considered to improve the independence of Internal Audit. Audit Committees should be
established for each public sector organisation. Members of an Audit Committee, especially the chair,
should be chosen so that they are sufficiently independent from the senior managers of the public sector
organisation and so they are suitably experienced. An Audit Committee may deal with more than one

3.10 The role of an Audit Committee with regard to Internal Audit is that it should:
- approve Internal Audit's strategic and operational plans and review performance against them
- discuss with Internal Audit its findings and the responses of management to its major
recommendations; and, periodically, its views on the overall quality of internal control
- consider the objectives and scope of any additional (non-audit) work undertaken by the Internal
Auditors to ensure there are no conflicts of interest and that independence is not compromised
- review the adequacy of the Internal Audit function, its adherence to professional standards,
particularly independence, standing, scope, resourcing, its liaison with the Auditor-General and other
review agencies and its reporting arrangements
- meet regularly two or three times a year and meet with the Internal Auditors at their request as they
deem necessary
- through its Chair represent the concerns of Internal Audit to the relevant Accounting Officer,
Permanent Secretary or Minister
- be involved in the process of appointment or dismissal of the Head of Internal Audit
- periodically review the Internal Audit terms of reference.


13 Internal Auditors should be objective, and, as far as possible, operationally independent
of the management of the public sector organisation.
14 Internal Audit independence should permit it to provide impartial and unbiased
judgements that are essential for its proper function. Internal Audit independence
should also ensure that the Head of Internal Audit can report without 'fear or favour' to
all levels within the public sector organisation. Internal Audit independence can be
ensured through status and objectivity.
It is the responsibility of the Accounting Officer and the Audit Committee to ensure
that conflicts of interest do not arise and that Internal Audit's objectivity and
independence are not compromised. If the independence or objectivity of Internal
Audit is impaired, in fact or appearance, the details of the impairment should be
disclosed to the Accounting Officer and the Audit Committee.

The Head of Internal Audit should be responsible to an individual with sufficient
authority to promote Internal Audit independence and to ensure the broadest Internal
Audit coverage, adequate consideration of Internal Audit reports and appropriate action
on Internal Audit recommendations. Internal Audit needs the support of top
management officials so that they can gain the co-operation of officers and perform
their work without interference. Internal Audit should have a direct reporting line to
the Accounting Officer and the Audit Committee.
17 The Head Internal Auditor should report to the Accounting Officer and an Audit

Internal Audit should have written terms of reference (or charter) that are agreed by the
Accounting Officer and the Audit Committee. These should clearly outline the nature,
objectives, responsibilities and scope of Internal Audit. The Head of Internal Audit
should actively seek to develop and obtain approval of such terms of reference. The
terms of reference should be reviewed and revised, if necessary, at least every three

19 The terms of reference for Internal Audit should include the requirement for Internal
Audit to have access to all personnel, records, assets and property that Internal
Audit considers necessary for it to undertake its work effectively.
20 The terms of reference for Internal Audit should be supported by a law, by-law or
regulation that specifies the position of the Internal Auditor in the government

The term objectivity includes the requirement on the part of Internal Auditors to have
an independent mental attitude to the performance of their work. Objectivity should
ensure that Internal Auditors have an honest belief in their work product and that no
significant quality compromises are made.
22 Internal Auditors should not be placed in any situation where they feel unable to make
objective professional judgements. Objectivity may be impaired through familiarity,
with both systems and officers. This may be created by Internal Audit staff being
involved with work assignments for too long a period of time. In order to maintain
maximum awareness and motivation amongst Internal Audit staff, work assignments
should be rotated on a planned basis. Transfers of Internal Audit staff between public
sector organisations are to be recommended, every few years, where possible.
23 Internal Audit assignments should be undertaken in such a way that there is no
potential or actual conflict of interest. Internal Audit staff should not undertake Audits
of systems if they worked in this area in the last year. Internal Audit staff should
declare any conflict of interest that may arise.
24 Recommending standards of control for new systems or reviewing procedures before
they are implemented is part of Internal Audit work. However, designing, installing
and operating systems is not an Internal Audit function. Performing such work is
presumed to impair Internal Audit objectivity.

The position of Internal Audit should be categorised specifically as a Staff function as
opposed to all Line Functions. Internal Auditors should not supervise or manage other
sections or activities. If Internal Auditors perform non-audit work they are not
functioning as Internal Auditors. Performance of such activities is presumed to impair
Internal Audit objectivity. Therefore, the Internal Auditor should not undertake
executive functions outside their divisional activities.

26 The position of Internal Audit within the public sector organisation should be high
enough to ensure that there is no impairment of Internal Audit scope.


4.0 Explanatory notes:

4.1 The appointment of appropriate staff is important to the success of Internal Audit. Internal Auditors must
be able to develop good working relationships with all officers. Internal Auditors must also be able to
quickly understand how systems work and be able to identify suitable improvements. The Head of
Internal Audit should ensure that all their staff are appropriately trained and receive suitable guidance.

4.2 Controlling: Internal Audit work should be controlled at all levels of operation to achieve objectives and
ensure the economic and efficient use of resources.

4.3 The Head of Internal Audit should continually monitor Internal Auditors' performance. Any significant
variations from work plans should be investigated and dealt with appropriately. The results of each
Internal Audit assignment or groups of Audit assignments should be reviewed against Internal Audit
plans. Efficiency should be assessed and any necessary revisions made to subsequent planned work.

4.4 Recording: The Head of Internal Audit should specify standards of Audit documentation, ensure that
those standards are maintained and monitor compliance with the standards.

4.5 Appraisal: Like any other department, Internal Audit should be constantly appraised to ensure that its
performance and value to the management of the public sector organisation is maximised. The Internal
Audit function is subject to budgetary constraints, in common with all other elements of the public sector,
therefore its value should continually be re-assessed. This appraisal or assessment should be undertaken
by Internal Audit managers and also periodically by independent suitably experienced external assessors.
The assessment should consider the views of the Accounting Officer and other senior managers on the
success of Internal Audit. It may also consider Internal Audit's effectiveness and any appropriate
directional changes.

4.6 An Internal Audit management unit in the Ministry of Finance may assist in maintaining the quality of
internal audit across all public sector organisations and can assist with ensuring the independence of
Internal Audit. The Internal Audit management unit may have responsibility for the staffing, planning,
organisation and co-ordination of Internal Audit units in all public sector organisations. The
management unit may provide guidance to Internal Audit units in other public sector organisations,
monitor all Internal Audit reports, and co-ordinate training across the public sector. In some countries
Internal Audit units in all public sector organisations are managed by a central Controller of Internal
Audit in the Ministry of Finance.


27 The Head of Internal Audit should effectively manage Internal Audit to ensure it adds
value to the public sector organisation and to ensure that:
(a) Internal Audit work fulfils its terms of reference
(b) resources for Internal Audit are used efficiently and effectively
(c) Internal Audit staff undergo suitable professional development
(d) Internal Audit work conforms to approved standards
(e) the morale of Internal Audit staff is developed and maintained.
28 The Head of Internal Audit should submit periodic activity reports to the Accounting
Officer and the Audit Committee. These reports should compare:
(a) actual performance with goals and Internal Audit plans
(b) actual expenditures with financial budgets.
The Head of Internal Audit should explain major variances (positive or negative) together
with action taken to address these.
29 The Head of Internal Audit should ensure that Internal Audit staff are provided with a
suitable Audit Manual including written policies and procedures to guide them with their
work. This guidance should also include programmes for particular Internal Audit
assignments. The Internal Audit programmes should specify reporting lines at each level
of management.
30 The Head of Internal Audit should ensure that the work of all levels of Internal Audit staff
is effectively supervised from planning to conclusion. This supervision should include:
(a) provision of suitable instructions and guidance at the outset of an Internal Audit
assignment and approving the Audit programme
(b) seeing that the approved Audit programme is carried out unless deviations are both
justified and authorised
(c) ensuring that Internal Audit staff understand the work to be undertaken and obtain and
document sufficient relevant and reliable audit evidence
(d) determining that Internal Audit objectives are being met.


All Internal Audit working papers and reports should be reviewed by Internal Audit
managers before the reports are released. This review should include:
(a) determining that Audit working papers adequately support the Audit findings,
conclusions and report
(b) making sure that Audit reports are accurate, objective, clear, concise, constructive and
32 Internal Audit working papers should show clear evidence of this management review.

There should be periodical reviews of Internal Audit performance to ensure that its
performance and value to the management of the public sector organisation is maximised
and to ensure compliance with appropriate standards and guidance.
34 The Head of Internal Audit should establish and maintain a quality assurance programme
to evaluate the operations of Internal Audit. This programme should provide reasonable
assurance that Internal Audit work conforms to relevant standards and these Internal
Auditing Guidelines. It should also ensure that Internal Audit adds value by improving
internal control. This quality programme should include:
(a) supervision
(b) internal review
(c) external review.
35 Supervision of Internal Audit work should continuously ensure conformance with the
Institute of Internal Auditors Standards, these Internal Auditing Guidelines, department
policies and Audit programmes.
36 Internal reviews should be performed periodically by senior Internal Audit staff to
appraise the quality of the Internal Audit work that is undertaken in all public sector
37 External reviews should be performed to assess the quality of Internal Audit work against
these Guidelines. These reviews should be performed by suitably qualified Internal
Auditors who are independent of the organisation and who do not have either a real or an
apparent conflict of interest. The external reviews should be undertaken at least once
every five years.
38 On completion of such reviews, formal written reports should be issued to the relevant
Accounting Officer and the Audit Committee. These reports should express an opinion on
Internal Audit's compliance with these Internal Auditing Guidelines and, where necessary,
should include recommendations for improvement.



5.0 Explanatory notes:

5.1 In carrying out their duties Internal Auditors should exercise due professional care, that is competence
based on appropriate experience, training, ability, integrity and objectivity.

5.2 Due professional care is defined as carrying out Internal Audit work with competence and diligence. Due
care does not mean infallibility. Consequently Internal Auditors cannot provide absolute assurance that
non-compliance or irregularities do not exist. However, it will be incumbent upon the Internal Auditor to
consider the effect of significant weaknesses in the systems under review and evaluate the possibility of
material irregularity or non-compliance with the legislation and regulations when undertaking Internal

5.3 Professional care requires the use of Audit skills and judgements based on appropriate experience,
training, ability, integrity and objectivity. The level of professional care to be exercised should be
appropriate to the objective and complexity of the Internal Audit work being performed.

5.4 In order to demonstrate due professional care, Internal Auditors should be able to show that their work
has been performed in the manner which meets the criteria set by these Internal Auditing Guidelines or
specific departmental policies.

5.5 Internal Audits should be performed by, or supervised and controlled by, Audit staff who have the
technical skills, experience and perspective which will enable them to comply with these Guidelines. This
is necessary to maintain Internal Audit's credibility as a dependable instrument of management.

5.6 The Head of Internal Audit should therefore ensure that Audit staff have the capacity to meet the
responsibilities identified by the terms of reference agreed with the Audit Committee and the Accounting

5.7 The Head of Audit should ensure that all Internal Audit staff are reminded of their ethical responsibilities
and also ensure that their declarations of interest are reviewed, and where appropriate, updated at least
once a year.

5.8 Internal Auditors should not accept any gift or inducement from an officer, worker, supplier or other third
party. Information acquired by Auditors in the course of their work should not be used for unauthorised
purposes or for personal benefit or gain. Internal Auditors should only accept hospitality when this is
consistent with the public sector organisation's documented arrangements.

5.9 The most important source of information for Internal Auditors is the staff working within the area subject
to Audit. These officers know how the system actually operates and should have a reasonable idea of how
practical any improvements may be. Thus interviewing skills are essential for all Internal Auditors.
Internal Auditors need to be able to understand what may be a complex system. Internal Auditors also
need to be able to critically assess each stage of the process. Why is it performed? Could it be
undertaken more efficiently?

5.10 Staff who operate the system will know what they do, but not necessarily why they do it. They may also
try and explain the system in the most positive light. The skill of Internal Auditors is to enable all the staff
they interview to open up and describe what they actually do (not just what they think they should do) and
to identify any aspects they think could be improved. Understanding why each step is taken is more
difficult. Staff may just do it because "we've always done it that way" or even worse because "the
Auditors told us to!"

5.11 An experienced Internal Auditor will ensure that the staff they talk to are relaxed and so describe the
system, its bad points as well as the good points. They will also challenge the staff to ensure that they
describe what actually happens and through discussion ascertain whether any improvements are possible
and practical.



Internal Auditors should be appointed through free and open competition on the basis
of merit. The criteria used to fill Internal Audit posts should be suitable and clearly
documented. They should be developed after considering the level of required scope
and responsibility. Deliberate attempts should be made to ensure the proficiency and
qualifications of each prospective Auditor.

Compliance with Codes of Conduct
Internal Audit staff should follow existing codes of conduct and ethics for their
organisation. All professional Internal Audit staff should be members of the relevant
accounting or Internal Auditing professional body and follow their code of conduct or
ethics. All Internal Auditors should follow a professional code of conduct which calls
a) high standards of honesty
b) high standards of diligence
c) high standards of loyalty.

Knowledge, Skills and Discipline
Internal Auditors should be required to (individually) possess the knowledge, skills and
competencies essential to the performance of effective Internal Audit. Internal Audit
staff should be required to possess the following skills:
a) proficiency in applying Internal Auditing Guidelines
b) knowledge of techniques required to perform Internal Audit
c) proficiency in accounting principles and techniques (especially government
d) an understanding of management principles and administrative procedures to
enable recognition and evaluation of the materiality and significance of deviations from
good and acceptable practice.

Human Relation and Communication
Internal Auditors should possess the skills required to deal with people and to
communicate effectively. They should cultivate harmonious relationships with officers
and managers. Internal Auditors should be proficient in oral and written
communication to enable effective reporting.


Continuing Education
Training of Internal Auditors should be a planned and continuous process at all levels
and should be designed to cover:
a) basic training providing the minimum level of skills and knowledge which all
Internal Auditors should possess
b) development training in Audit skills, techniques and behavioural aspects to
improve the effectiveness of those staff currently engaged as Internal Auditors
c) management training for those Auditors with responsibility for managing and
directing Audit teams, together with those staff members who show the potential for
management positions
d) specialist training for those Auditors responsible for a special field of Audit work
which requires specialist skills and knowledge, for example, computer auditing or
performance auditing.
44 Internal Auditors, as responsible Government officers, should be responsible for
continuing their education in order that they maintain their knowledge, skills and
proficiency. They should keep themselves informed on changes and developments in
their public sector organisation's activities and other Government developments.
Internal Auditors also need to be aware of developments across the Internal Auditing
45 If there is an Internal Audit management unit in the Ministry of Finance, this unit
should be responsible for the co-ordination of training requirements for all government
Internal Auditors. The foundation, from which the assessment of training requirements
of Internal Audit will be derived, should be the database of Internal Audit staff in all
public sector organisations.
46 Internal Auditors should be aware of their responsibility for continuing their education
in order to maintain their proficiency through participation in professional societies,
conferences and seminars, college courses and in-house training, and should engage in
research to identify new Internal Auditing developments.

Due Professional Care
The term due professional care means and includes the application of the care and skill
expected of a reasonable, prudent and competent Internal Auditor in the same or
similar circumstances.

48 In exercising due professional care, Internal Auditors should be alert to the following:
a) the possibility of intentional wrongdoing
b) errors and omissions
c) inefficiency, waste, ineffectiveness
d) conflicts of interest
e) conditions and activities likely to give rise to irregularities
f) inadequate control situations.
49 In exercising due professional care the Head of Internal Audit is required to consider
the following:
a) the extent of Internal Audit work needed to achieve the Audit objectives
b) the relative complexity, materiality or significance of matters to which Audit
procedures are applied
c) adequacy and reliability of risk management and control processes
d) likelihood of material irregularities or non-compliance
e) the cost of Internal Audit work compared to potential benefits or the risk of poor
internal controls.


6.0 Explanatory notes:

6.1 Management and staff at all levels should have confidence in the integrity, independence and capacity of
Internal Audit. This should be reflected and maintained in good working relationships between Internal
Auditors and the staff in the sections that they review.

6.2 The Head of Internal Audit should seek to foster and maintain constructive working relationships with
stock verifiers, fraud investigators, inspectors and any other review staff. Consultations between Internal
Audit and review staff should lead to effective co-ordination and minimise duplication of work.

6.3 Internal Audit should not improperly disclose any information obtained during the course of their work.
Permission should be provided by senior management before any information is passed outside the
organisation. Internal Audit will, quite properly, reveal to appropriate responsible parties (for example,
police or Auditor-General) all material facts they have established which, if not so revealed, may prevent
the uncovering of unlawful acts or could distort Audit reports. The passing of this information should be
treated as confidential and legally privileged. That is, the Internal Auditor will be exempt from any legal
liability from the passing of such information.

6.4 It is important for Internal Audit to market the services it can provide to managers. This could include
producing leaflets and making presentations to Accounting Officers and other senior officers on the
services, assistance and role that Internal Audit can play.

6.5 The relationship between Internal Audit and the Auditor-General's Office needs to take account of their
differing roles and responsibilities. Internal Audit is an independent appraisal function within the
organisation and Internal Auditors are direct employees. It is the Auditor-General's role to ensure that
the financial statements, operating performance and related statements are properly stated in all material
respects. Internal Audit and the Auditor-General may also have responsibility for performance audit to
ensure that economy, efficiency and effectiveness are improved.

6.6 The aim should be to achieve mutual recognition and respect, leading to a joint improvement in
performance and the avoidance of unnecessary overlapping of work. It should be possible for the
Auditor-General and the Head of Internal Audit to rely on each other's work, subject to limits determined
by their different responsibilities, respective strengths and special abilities. Consultations should be held
and consideration given to whether any work of either Auditor is adequate for the purpose of the other.
Internal Audit does not automatically have a right of access to the records of the Auditor-General.
However, the relationship between the Head of Internal Audit and the Auditor-General should be such
that the Auditor-General will allow access to the necessary records.

6.7 The Head of Internal Audit should seek, where appropriate, co-ordination of the plans of Internal Audit
with those of the Auditor-General's Office and the programme of, for example, stock verifiers. This
co-operation should promote the most effective total audit coverage and should avoid duplication of work.
The Auditor-General's Office will have to decide if they can place reliance on the work of Internal Audit
and so reduce the amount of work undertaken by their own staff.

6.8 The Head of Internal Audit should meet regularly with staff from the Auditor-General's Office to:
• discuss work plans for Internal Audit and the Auditor-General's Office
• agree and review the performance of the work relied on
• evaluate the relationships with the Auditor-General's Office and report as required to the
  Accounting Officer and Audit Committee on this relationship
• agree access to each other's audit programmes and working papers
• exchange audit reports and management letters
• enhance understanding of each other's audit techniques and methods
• discuss any other matters of mutual interest.

50 Internal Audit's relations with other staff in the public sector organisation, the
Auditor-General, stock verifiers and other review agencies should be based on mutual
confidence, understanding of each other's needs and a reciprocal desire for
co-operation. Management, at all levels, should have complete confidence in the integrity,
independence and capability of the Internal Audit unit.
51 There should not be any form of rivalry or conflict between the Internal Auditors and
staff in the Auditor-General's Office. Similarly, there should be a constructive
relationship between Internal Auditors, stock verifiers and other review agencies.

52 The Head of Internal Audit should initiate action to ensure the development of
co-ordination, effective working relationships and the avoidance of duplication of work
with other review agencies. This could include:
a) liaison meetings to discuss matters of mutual interest
b) arranging for access to each other's plans, system notes and findings
c) arranging for consultation on plans and proposed visits
d) reviewing training proposals to arrange joint training sessions where possible
e) dissemination of literature for discussion to promote understanding of techniques,
methods and terminology.
53 Copies of Internal Audit reports should be made available to the Auditor-General for
information and co-ordination.
54 Internal Auditors should be familiar with the legislation that defines the statutory
responsibility, duty and rights of access of the Auditor-General. The Head of Internal
Audit should recognise the differences between the roles of Internal Audit and that of
the Auditor-General.
55 The staff of the Auditor-General's Office may review the effectiveness of Internal
Audit as part of their evaluation of management control arrangements. This review
should determine the extent that the Auditor-General's Office is able to rely on Internal
Audit work. Internal Audit should not necessarily undertake special tasks at the request
of the Auditor-General's Office. However, routine, planned Internal Audit work may
be used by the Auditor-General's Office for their own purposes.
56 The relationship between the Internal Auditor and the public sector organisation should
be considered legally privileged. That is, the Internal Auditor will be exempt from any
legal liability from the proper undertaking of their work.
Internal Auditors should not release Audit findings or other information outside the
normal reporting arrangements without the knowledge and permission of those
57 Internal Auditors should normally consult and advise managers when arranging Audit
visits to their department. The exception to this rule would be for unannounced
surprise visits.


7.0 Explanatory notes:

7.1 Internal Audit work should be planned at all levels of operation in order to establish priorities, achieve
objectives and ensure the efficient and effective use of Audit resources. Planning should be based on
Internal Audit's terms of reference and allow for coverage of all significant systems, operations, staff and
sites within the public sector organisation.

7.2 Internal Audit plans should be based on a comprehensive understanding of the public sector organisation
and the way in which it operates. High-risk systems or transactions and any known problem areas should
be clearly identified. The emphasis of the Internal Audit plan should be directed towards these systems.

7.3 Internal Audit plans should be developed in consultation with senior staff and the relevant Accounting
Officer. The appropriate Audit Committee should then approve the Internal Audit plans.

7.4 Internal Audit planning should include the following steps:
• identify all auditable activities within the agreed scope of Internal Audit
• carry out a risk assessment on these activities in conjunction with management, identifying categories
  such as high, medium, low
• prepare an audit needs assessment based on the risk assessment
• develop an overall strategic plan from the audit needs assessment to cover these risks, over, say, a
  three-year period
• bring to the Accounting Officer and/or the Audit Committee's attention any mismatch between Audit
  needs and actual Audit resources
• identify systems to be covered in the first year of the strategic plan and prepare an annual Internal
  Audit plan
• discuss the strategic and annual plans with appropriate senior managers, Accounting Officers and the
  Auditor-General's Office and amend as necessary
• present the plans to the Accounting Officer and/or the Audit Committee for approval.

7.5 Internal Audit plans should be amended as necessary to take account of changing circumstances. The
Accounting Officer and the Audit Committee should formally approve all significant changes to the
Internal Audit plans.


58 The Head of Internal Audit should establish plans to carry out the responsibilities of
Internal Audit consistent with the public sector organisation's goals and objectives.
59 The Internal Audit planning process should include the following:
(a) identifying goals
(b) preparation of strategic Internal Audit plans
(c) establishing proper staffing plans and financial budgets
(d) preparation of activity reports.
60 Internal Audit plans should:
(a) establish a list of systems that could be Audited and prescribe a period within which it
is desirable that each significant system should be examined
(b) define the tasks to be performed
(c) assist in the direction and control of work by identifying critical areas, setting target
dates and allocating resources.
61 To be effective, the Head of Internal Audit should:
(a) define audit needs taking into account the Internal Audit's terms of reference
(b) identify the staff and other resources needed and reconcile these with available,
(c) choose an appropriate time period for the Audit plans
(d) record all plans in writing
(e) monitor work against planned activity and revise plans as appropriate.
62 Internal Audit plans should be based on a risk assessment. The risk assessment process, to
be conducted at least annually, includes an assessment of:
a) relevant risks and their significance
b) consideration of senior management, the Accounting Officer and the Audit
Committee's professional judgement
c) identification of activities to be audited.

63 Internal Audit strategic plans should take into account the following factors:
(a) the date and results of the last Internal Audit assignment
(b) the estimated time required, taking into account the scope of the planned work and the
nature and extent of audit work to be performed by others.
(c) requests by management
(d) major changes in operations, programs, systems and controls
(e) staffing, planning and effective utilisation of financial budgets
(f) Internal Audit priorities
(g) flexibility to cover unanticipated demands on the department.
64 Internal Audit plans and staffing and financial budgets should be developed from strategic
plans, administrative activities, education and training requirements and research and
development efforts.
65 The Head of Internal Audit should submit annually to the Accounting Officer and Audit
Committee for approval a summary of Internal Audit's strategic plans, staffing plans and
financial budgets. All significant amendments to these plans should similarly be approved
by the Accounting Officer and Audit Committee.
66 The Head of Internal Audit should explain, if necessary, why the Audit needs are not
being met. This should prompt the relevant Accounting Officer to take action to ensure
that their public sector organisation is provided with sufficient Internal Audit resources.


8.0 Explanatory notes:

8.1 There are several different approaches to Internal Audit. International best practice suggests that
systems audit is the most effective way that Internal Audit can add value to an organisation. However, in
many countries it is considered necessary for Internal Audit to complement systems audit with a pre-audit
approach. If a pre-audit approach is adopted the Head of Internal Audit, the Audit Committee and the
Accounting Officer should discuss the extent that this is necessary. They should also consider suitable
means of reducing the proportion of time that Internal Auditors spend on pre-audit work.

8.2 The systems approach to Internal Audit seeks to assess and improve the effectiveness of the public sector
organisation's internal control system. The prime purpose of a systems Audit should be to evaluate the
extent to which the system may be relied upon to ensure that the objectives of the system are met. Where
internal controls are not adequate and reliable Internal Audit should make practical recommendations to
ensure that these controls are improved.

8.3 Internal Audit evidence should be adequate to meet the objectives of Audit assignments. Internal Auditors
should be satisfied with the nature, adequacy and relevance of Audit evidence before placing reliance on
that evidence. Information should be collected, analysed and documented by the use of appropriate Audit

8.4 The production of Audit evidence should be supervised and reviewed by the Head of Internal Audit. To
meet an acceptable standard the evidence should be sufficiently adequate and convincing to the extent
that a prudent, informed person would be able to appreciate how the Auditor's conclusions were reached.

8.5 Internal Audit may also complement its systems approach with other techniques, for example:
• performance auditing
• control self assessment
• advice and assistance on control issues
• helping with risk management.


67 Internal Auditors should ensure that their approach and methods enable them to discharge
their responsibilities effectively. This will involve careful thought and discussion with the
Accounting Officer, the Audit Committee and others on the most effective approach to
Internal Audit given the particular circumstances of the public sector organisation.
68 Internal Audit should assess and improve the public sector organisation's risk
management, control, and governance processes. The internal auditing activity should
assist the public sector organisation in maintaining effective controls. Assistance can be
provided by evaluating the public sector organisation's controls to determine their
effectiveness and efficiency and by developing recommendations for improvement.
Internal Auditors should ensure that the costs of maintaining controls balance the
potential benefits.

Internal Audit should, where possible, adopt a systems approach. The systems approach
aims to assess and help to improve the control features that govern the system. This
approach should provide reasonable assurance that existing controls will ensure that each
system's objective is achieved.
70 When undertaking systems audit an Internal Auditor should:
a) document and analyse the internal control system across all public sector organisations
and establish Internal Audit plans
b) identify and evaluate the controls that are established in individual systems to achieve
the public sector organisation's objectives in the most economic and efficient manner
c) obtain and record relevant, reliable and sufficient audit evidence to support their
findings and recommendations
d) report findings and recommendations for each individual system that is Audited
e) provide an opinion on the adequacy and reliability of the controls in the individual
system under review
f) provide periodic assurance based on an evaluation of the whole internal control system
across all public sector organisations.
71 The use of the systems approach should enable Internal Audit to confirm the following:
a) the official system
b) whether it is operating according to agreed guidance and regulations
c) whether the system is adequate
d) whether the controls are reliable.

72 The system's adequacy should be used to ascertain the following:
a) what should happen to achieve the system's objectives
b) what could go wrong in view of the system's design
c) what has been done to stop things going wrong.


9.0 Explanatory notes:

9.1 The findings and recommendations arising from each Internal Audit assignment should be promptly
reported to management. The recommendations should then be followed up to check that agreed action
has been implemented. A summary of Internal Audit findings, recommendations and activities should be
submitted periodically to the Accounting Officer and the Audit Committee.

9.2 In general Internal Audit reports should:
- state the scope, purpose, extent and conclusions of the Internal Audit assignment, including Internal
  Audit's opinion on the adequacy of controls
- make recommendations that are appropriate and relevant, that call for action to correct identified
  weaknesses or improve the efficiency of operations
- acknowledge the action taken, or proposed, by management.

9.3 Recommendations included in the Internal Audit reports should:
- be practical and provide constructive solutions to problems identified
- be sufficiently detailed to act as a guide for action and facilitate the efficient achievement of the
  organisation's objectives
- be prioritised based on the significance of the weakness identified.

9.4 Conclusions are the Internal Auditor's evaluations of the effects of the findings on the particular system
reviewed. They should:
- put the findings in perspective based on the overall implications and significance of the weaknesses
- identify the extent to which the system's control objectives are being achieved and the degree to
  which the internal control systems should ensure that the goals and objectives of the public sector
  organisation are accomplished efficiently.

9.5 Management should be required to respond in writing to each Internal Audit report. Management and
Internal Audit should agree officer responsibility and target dates for implementation of agreed
recommendations. The responsibility for final editing of Audit reports should remain with the Head of
Internal Audit who should always retain the right to issue reports without further editing.

9.6 Follow-up activity is the process by which Internal Audit confirms that agreed recommendations have
been implemented by line managers. Internal Audit should periodically follow up Audit reports to review
and test the implementation of agreed Internal Audit recommendations.

9.7 The Head of the Internal Audit should submit to the Accounting Officer and Audit Committee, at agreed
intervals, a report of Internal Audit activity and results. The report should compare actual Internal Audit
activity against the annual Internal Audit plan and should clearly indicate the extent to which the total
Internal Audit needs of the public sector organisation have been met.

9.8 In the annual Internal Audit report the Head of the Internal Audit should give a formal opinion to the
Accounting Officer and Audit Committee on the extent to which reliance can be placed on the public
sector organisation's internal control system. The attention of the Accounting Officer and Audit
Committee should be drawn to any major Internal Audit findings where action appears to be necessary
but has not been undertaken.


73 The Head of Internal Audit should report periodically to the Accounting Officer and the
Audit Committee on Internal Audit's purpose, authority, responsibility, and performance
relative to its plan. Reporting should also include significant risks and control issues,
corporate governance issues, and other matters needed or requested by the Accounting
Officer and the Audit Committee.
74 The findings and recommendations arising from each Internal Audit assignment should be
promptly reported to the Accounting Officer and others who are affected by the report.
The final Internal Audit report including any comments from the Accounting Officer
should be reported to the Audit Committee.
75 The Head of Internal Audit should have complete freedom in the way in which Internal
Audit findings are reported and to whom each report is issued. The Head of Internal
Audit should review and approve each final Internal Audit report before it is issued.
76 Internal Audit reports should contain all material facts known to the Auditor concerning
the system under review to avoid distortion or concealment of any unlawful or improper
77 Internal Audit reports should be regarded as confidential and exclusive to the public sector
organisation concerned except for privileged external reviews by the Auditor-General and
Permanent Secretary to the Treasury.
78 The Head of Internal Audit should submit monthly or periodic progress reports to the
Accounting Officer and the Audit Committee and explain significant deviations from
approved strategic plans, staffing plans and financial budgets.
79 The Head of Internal Audit should provide an annual report to the Accounting Officer and
the Audit Committee. This report should include:
a) the Head of Internal Audit's opinion on the adequacy and reliability of the whole
internal control system
b) the extent that the Internal Audit needs of the public sector organisation have been met
c) any significant Internal Audit findings where action appears necessary but has not
been taken
d) any systems within the public sector organisation where the internal controls are not
adequate and reliable
e) a comparison of actual Internal Audit activity against the agreed annual plan.


When communicating results of their work Internal Audit should:
a) confirm in writing any oral reports that are issued
b) discuss conclusions and recommendations at appropriate ministerial, departmental or
regional levels before issuing final written reports
c) issue a signed written report after each Internal Audit assignment that is objective,
clear, concise, constructive and timely
d) give reports which clearly present the purpose, scope and results of the Audit
e) give reports with recommendations for potential improvement, suggestions of
corrective action and acknowledgement of satisfactory performance
f) obtain and include in the report the system managers' views about the conclusions or
g) include the officer who is to implement each agreed recommendation and a target
date for its implementation.

Internal Auditors should follow up their reports to ascertain that appropriate action is
taken on agreed Internal Audit recommendations. Internal Audit should determine, with
appropriate Audit testing, that corrective action has been taken and is having the desired
82 If the Accounting Officer does not agree with an Internal Audit recommendation or does
not ensure that agreed recommendations are implemented they should accept the
associated risks. The Audit Committee may advise the Accounting Officer to implement
an Internal Audit recommendation if it considers it necessary to achieve sound internal
83 The Auditor-General may review and report on the extent that Internal Audit
recommendations have been implemented. Internal Audit may also review the extent that
recommendations made by the Auditor-General have been implemented.

Glossary of Technical Internal Audit Terms

Accounting Officer - the head of a government ministry or department who is personally responsible for the
management and internal controls of the ministry or department and any fraud or irregularity that may occur.

Adequacy of internal control - an assessment of the quality of internal control. Controls may be
considered to be adequate if, when applied consistently, the controls should help to provide reasonable
assurance that a control objective will be achieved.

Auditor-General - the head of the government's external audit service. The Auditor-General is
responsible for certifying that the government accounts show a true and fair view, that there has been a
proper use of public funds and often for undertaking value for money reviews.

Audit Committee - a high level committee, comprising, where possible, independent, non-executive
members, with responsibility for overseeing the independent review of the framework of internal control,
monitoring the Internal Audit function and the external audit processes.

Audit Needs Assessment - an assessment undertaken by Internal Audit in consultation with
management to determine the extent of Internal Audit that is needed within an organisation and the
frequency that particular systems should be reviewed.

Control objectives - the objectives of a control system. Used by Internal auditors as a framework for
undertaking systems auditing and so assessing the overall quality of the internal control system.

Control Self Assessment - an approach to risk management, that may be facilitated by Internal Audit,
that enables management to assess the risks and controls to the achievement of the organisation's
objectives. It may include the development of a risk register that lists the main risks the organisation
faces and an action plan for improvements to internal control.

Head of Internal Audit - is a generic title for Chief Internal Auditor or Director of Internal Audit or any
other equivalent title.

Internal Audit - is an independent objective assurance and consulting activity designed to add value
and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing
a systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control and governance processes.

Internal Control - is a process, effected by an entity's board of directors, management and other
personnel (people), designed to provide reasonable assurance regarding the achievement of
objectives in the following categories:
- effectiveness and efficiency of operations (basic operational objectives, performance goals and
  safeguarding resources)
- reliability of financial reporting
- compliance with applicable laws and regulations.

Management - implies the Permanent Secretary and Accounting Officers in Ministries, or Controlling
officers in Regions or other responsible officers in a public sector organisation.

Performance Audit - an approach to Audit that aims to improve the economy, efficiency and
effectiveness of operations. The objective of Performance Audit is to improve the value for money
provided by a public sector organisation.

Public Sector Organisation - types of public sector entities, for example, ministries, departments,
regions or districts, as examples of the range of possible governmental entities that may exist.

Reliability of Internal Control - an assessment of the extent that internal controls are applied
consistently by all staff, at all times and in all circumstances.

Risk - the chance (or probability) that one or more of the organisation's objectives will not be achieved.
It may refer to the failure to achieve objectives efficiently or the occurrence of unwanted outcomes. It
may also refer to the inability to exploit possible opportunities.

Risk management - the formal identification, assessment and planned management of significant risks
facing the organisation.

Systems Audit - systems audit is the structured analysis of internal control in relation to the objectives
of the organisation. Systems audit should enable internal audit to make practical recommendations to
address any weaknesses that have been identified within the context of risks to the achievement of the
system's objectives. It should also enable internal audit to form an opinion on the adequacy and
reliability of the organisation's internal control system.

International Standards for
the Professional Practice of Internal Auditing

Internal auditing is an independent, objective assurance and consulting activity designed to
add value and improve an organization's operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.
Internal audit activities are performed in diverse legal and cultural environments; within
organizations that vary in purpose, size, complexity, and structure; and by persons within or outside
the organization. While differences may affect the practice of internal auditing in each environment,
compliance with the International Standards for the Professional Practice of Internal Auditing is
essential if the responsibilities of internal auditors are to be met. If internal auditors are prohibited by
laws or regulations from complying with certain parts of the Standards, they should comply with all
other parts of the Standards and make appropriate disclosures.
Assurance services involve the internal auditor's objective assessment of evidence to provide an
independent opinion or conclusions regarding a process, system or other subject matter. The nature
and scope of the assurance engagement are determined by the internal auditor. There are generally
three parties involved in assurance services: (1) the person or group directly involved with the process,
system or other subject matter - the process owner, (2) the person or group making the assessment -
the internal auditor, and (3) the person or group using the assessment - the user.
Consulting services are advisory in nature, and are generally performed at the specific request of an
engagement client. The nature and scope of the consulting engagement are subject to agreement with
the engagement client. Consulting services generally involve two parties: (1) the person or group
offering the advice - the internal auditor, and (2) the person or group seeking and receiving the
advice - the engagement client. When performing consulting services the internal auditor should
maintain objectivity and not assume management responsibility.
The purpose of the Standards is to:
1. Delineate basic principles that represent the practice of internal auditing as it should
2. Provide a framework for performing and promoting a broad range of value-added
internal audit activities.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.
The Standards consist of Attribute Standards, Performance Standards, and Implementation
Standards. The Attribute Standards address the characteristics of organizations and parties performing
internal audit activities. The Performance Standards describe the nature of internal audit activities and
provide quality criteria against which the performance of these services can be evaluated. While the
Attribute and Performance Standards apply to all internal audit services, the Implementation
Standards apply to specific types of engagements.
There is one set of Attribute and Performance Standards; however, there are multiple sets of
Implementation Standards: a set for each of the major types of internal audit activity. The
Implementation Standards have been established for assurance (A) and consulting (C) activities.
The Standards are part of the Professional Practices Framework. The Professional Practices
Framework includes the Definition of Internal Auditing, the Code of Ethics, the Standards, and other
guidance. Guidance regarding how the Standards might be applied is included in Practice Advisories
that are issued by the Professional Issues Committee.
The Standards employ terms that have been given specific meanings that are included in the Glossary.
The development and issuance of the Standards is an ongoing process. The Internal Auditing
Standards Board engages in extensive consultation and discussion prior to the issuance of the
Standards. This includes worldwide solicitation for public comment through the exposure draft
All exposure drafts are posted on The IIA's Web site as well as being distributed to all IIA Affiliates.
Suggestions and comments regarding the Standards can be sent to:
The Institute of Internal Auditors
Global Practices Center, Professional Practices Group
247 Maitland Avenue
Altamonte Springs, FL 32701-4201, USA
1000 Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit activity should be formally defined in a
charter, consistent with the Standards, and approved by the board.
1000.A1 - The nature of assurance services provided to the organization should be defined in the audit
charter. If assurances are to be provided to parties outside the organization, the nature of these
assurances should also be defined in the charter.
1000.C1 - The nature of consulting services should be defined in the audit charter.
1100 Independence and Objectivity
The internal audit activity should be independent, and internal auditors should be objective in
performing their work.
1110 Organizational Independence

The chief audit executive should report to a level within the organization that allows the internal audit
activity to fulfill its responsibilities.
1110.A1 - The internal audit activity should be free from interference in determining the scope of
internal auditing, performing work, and communicating results.
1120 Individual Objectivity
Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.
1130 Impairments to Independence or Objectivity
If independence or objectivity is impaired in fact or appearance, the details of the impairment should be
disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.
1130.A1 - Internal auditors should refrain from assessing specific operations for which they were
previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance
services for an activity for which the internal auditor had responsibility within the previous year.
1130.A2 - Assurance engagements for functions over which the chief audit executive has responsibility
should be overseen by a party outside the internal audit activity.
1130.C1 - Internal auditors may provide consulting services relating to operations for which they had
previous responsibilities.
1130.C2 - If internal auditors have potential impairments to independence or objectivity relating to
proposed consulting services, disclosure should be made to the engagement client prior to accepting the
1200 Proficiency and Due Professional Care
Engagements should be performed with proficiency and due professional care.
1210 Proficiency
Internal auditors should possess the knowledge, skills, and other competencies needed to perform their
individual responsibilities. The internal audit activity collectively should possess or obtain the
knowledge, skills, and other competencies needed to perform its responsibilities.
1210.A1 - The chief audit executive should obtain competent advice and assistance if the internal audit
staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.
1210.A2 - The internal auditor should have sufficient knowledge to identify the indicators of fraud but is
not expected to have the expertise of a person whose primary responsibility is detecting and
investigating fraud.
1210.A3 - Internal auditors should have knowledge of key information technology risks and controls
and available technology-based audit techniques to perform their assigned work. However, not all
internal auditors are expected to have the expertise of an internal auditor whose primary
responsibility is information technology auditing.

1210.C1 - The chief audit executive should decline the consulting engagement or obtain competent
advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed
to perform all or part of the engagement.
1220 - Due Professional Care
Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal
auditor. Due professional care does not imply infallibility.
1220.A1 - The internal auditor should exercise due professional care by considering the:
- Extent of work needed to achieve the engagement's objectives.
- Relative complexity, materiality, or significance of matters to which
  assurance procedures are applied.
- Adequacy and effectiveness of risk management, control, and
  governance processes.
- Probability of significant errors, irregularities, or noncompliance.
- Cost of assurance in relation to potential benefits.
1220.A2 - In exercising due professional care the internal auditor should consider the use of
computer-assisted audit tools and other data analysis techniques.
1220.A3 - The internal auditor should be alert to the significant risks that might affect objectives,
operations, or resources. However, assurance procedures alone, even when performed with due
professional care, do not guarantee that all significant risks will be identified.
1220.C1 - The internal auditor should exercise due professional care during a consulting engagement by
considering the:
- Needs and expectations of clients, including the nature, timing, and
  communication of engagement results.
- Relative complexity and extent of work needed to achieve the
  engagement's objectives.
- Cost of the consulting engagement in relation to potential benefits.
1230 Continuing Professional Development
Internal auditors should enhance their knowledge, skills, and other competencies through continuing
professional development.
1300 Quality Assurance and Improvement Program
The chief audit executive should develop and maintain a quality assurance and improvement program
that covers all aspects of the internal audit activity and continuously monitors its effectiveness. This
program includes periodic internal and external quality assessments and ongoing internal
monitoring. Each part of the program should be designed to help the internal auditing activity add
value and improve the organization's operations and to provide assurance that the internal audit activity
is in conformity with the Standards and the Code of Ethics.

1310 Quality Program Assessments
The internal audit activity should adopt a process to monitor and assess the overall effectiveness of the
quality program. The process should include both internal and external assessments.
1311 Internal Assessments
Internal assessments should include:
- Ongoing reviews of the performance of the internal audit activity; and
- Periodic reviews performed through self-assessment or by other persons within
  the organization, with knowledge of internal audit practices and the Standards.
1312 External Assessments
External assessments, such as quality assurance reviews, should be conducted at least once
every five years by a qualified, independent reviewer or review team from outside the
1320 Reporting on the Quality Program
The chief audit executive should communicate the results of external assessments to the board.
1330 Use of "Conducted in Accordance with the Standards"
Internal auditors are encouraged to report that their activities are "conducted in accordance with the
International Standards for the Professional Practice of Internal Auditing." However, internal auditors
may use the statement only if assessments of the quality improvement program demonstrate that the
internal audit activity is in compliance with the Standards.
1340 Disclosure of Noncompliance
Although the internal audit activity should achieve full compliance with the Standards and internal
auditors with the Code of Ethics, there may be instances in which full compliance is not achieved. When
noncompliance impacts the overall scope or operation of the internal audit activity, disclosure should be
made to senior management and the board.
2000 Managing the Internal Audit Activity
The chief audit executive should effectively manage the internal audit activity to ensure it adds value to
the organization.
2010 Planning
The chief audit executive should establish risk-based plans to determine the priorities of the internal
audit activity, consistent with the organization's goals.

2010.A1 - The internal audit activity's plan of engagements should be based on a risk assessment,
undertaken at least annually. The input of senior management and the board should be considered in this
2010.C1 - The chief audit executive should consider accepting proposed consulting engagements based
on the engagement's potential to improve management of risks, add value, and improve the
organization's operations. Those engagements that have been accepted should be included in the plan.
2020 Communication and Approval
The chief audit executive should communicate the internal audit activity's plans and resource
requirements, including significant interim changes, to senior management and to the board for review
and approval. The chief audit executive should also communicate the impact of resource limitations.
2030 Resource Management
The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and
effectively deployed to achieve the approved plan.
2040 Policies and Procedures
The chief audit executive should establish policies and procedures to guide the internal audit activity.
2050 Coordination
The chief audit executive should share information and coordinate activities with other internal and
external providers of relevant assurance and consulting services to ensure proper coverage and minimize
duplication of efforts.
2060 Reporting to the Board and Senior Management
The chief audit executive should report periodically to the board and senior management on the internal
audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting should
also include significant risk exposures and control issues, corporate governance issues, and other matters
needed or requested by the board and senior management.
2100 Nature of Work
The internal audit activity should evaluate and contribute to the improvement of risk management,
control, and governance processes using a systematic and disciplined approach.
2110 Risk Management
The internal audit activity should assist the organization by identifying and evaluating
significant exposures to risk and contributing to the improvement of risk management and
control systems.
2110.A1 - The internal audit activity should monitor and evaluate the effectiveness of the organization's
risk management system.

2110.A2 - The internal audit activity should evaluate risk exposures relating to the organization's
governance, operations, and information systems regarding the:
- Reliability and integrity of financial and operational information.
- Effectiveness and efficiency of operations.
- Safeguarding of assets.
- Compliance with laws, regulations, and contracts.
2110.C1 - During consulting engagements, internal auditors should address risk consistent with the
engagement's objectives and be alert to the existence of other significant risks.
2110.C2 - Internal auditors should incorporate knowledge of risks gained from consulting engagements
into the process of identifying and evaluating significant risk exposures of the organization.
2120 Control
The internal audit activity should assist the organization in maintaining effective controls by evaluating
their effectiveness and efficiency and by promoting continuous improvement.
2120.A1 - Based on the results of the risk assessment, the internal audit activity should evaluate the
adequacy and effectiveness of controls encompassing the organization's governance, operations, and
information systems. This should include:
- Reliability and integrity of financial and operational information.
- Effectiveness and efficiency of operations.
- Safeguarding of assets.
- Compliance with laws, regulations, and contracts.
2120.A2 - Internal auditors should ascertain the extent to which operating and program goals and
objectives have been established and conform to those of the organization.
2120.A3 - Internal auditors should review operations and programs to ascertain the extent to which
results are consistent with established goals and objectives to determine whether operations and
programs are being implemented or performed as intended.
2120.A4 - Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent
to which management has established adequate criteria to determine whether objectives and goals have
been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If
inadequate, internal auditors should work with management to develop appropriate evaluation criteria.
2120.C1 - During consulting engagements, internal auditors should address controls consistent with the
engagement's objectives and be alert to the existence of any significant control weaknesses.
2120.C2 - Internal auditors should incorporate knowledge of controls gained from consulting
engagements into the process of identifying and evaluating significant risk exposures of the
2130 Governance

The internal audit activity should assess and make appropriate recommendations for improving the
governance process in its accomplishment of the following objectives:
- Promoting appropriate ethics and values within the organization.
- Ensuring effective organizational performance management and
- Effectively communicating risk and control information to appropriate areas
  of the organization.
- Effectively coordinating the activities of and communicating information
  among the board, external and internal auditors and management.
2130.A1 - The internal audit activity should evaluate the design, implementation, and effectiveness of
the organization's ethics-related objectives, programs and activities.
2130.C1 - Consulting engagement objectives should be consistent with the overall values and goals of
the organization.
2200 Engagement Planning
Internal auditors should develop and record a plan for each engagement, including the scope,
objectives, timing and resource allocations.
2201 - Planning Considerations
In planning the engagement, internal auditors should consider:
- The objectives of the activity being reviewed and the means by which the
  activity controls its performance.
- The significant risks to the activity, its objectives, resources, and operations and
  the means by which the potential impact of risk is kept to an acceptable level.
- The adequacy and effectiveness of the activity's risk management and control
  systems compared to a relevant control framework or model.
- The opportunities for making significant improvements to the activity's risk
  management and control systems.
2201.A1 - When planning an engagement for parties outside the organization, internal auditors
should establish a written understanding with them about objectives, scope, respective responsibilities
and other expectations, including restrictions on distribution of the results of the engagement and
access to engagement records.
2201.C1 - Internal auditors should establish an understanding with consulting engagement clients about
objectives, scope, respective responsibilities, and other client expectations. For significant engagements,
this understanding should be documented.
2210 - Engagement Objectives
Objectives should be established for each engagement.
2210.A1 - Internal auditors should conduct a preliminary assessment of the risks relevant to the
activity under review. Engagement objectives should reflect the results of this assessment.
2210.A2 - The internal auditor should consider the probability of significant errors, irregularities,
noncompliance, and other exposures when developing the engagement objectives.
2210.C1 - Consulting engagement objectives should address risks, controls, and governance processes
to the extent agreed upon with the client.
2220 - Engagement Scope
The established scope should be sufficient to satisfy the objectives of the engagement.
2220.A1 - The scope of the engagement should include consideration of relevant systems, records,
personnel, and physical properties, including those under the control of third parties.
2220.A2 - If significant consulting opportunities arise during an assurance engagement, a specific
written understanding as to the objectives, scope, respective responsibilities and other expectations
should be reached and the results of the consulting engagement communicated in accordance with
consulting standards.
2220.C1 - In performing consulting engagements, internal auditors should ensure that the scope of the
engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations
about the scope during the engagement, these reservations should be discussed with the client to
determine whether to continue with the engagement.
2230 - Engagement Resource Allocation
Internal auditors should determine appropriate resources to achieve engagement objectives. Staffing
should be based on an evaluation of the nature and complexity of each engagement, time constraints, and
available resources.
2240 - Engagement Work Program
Internal auditors should develop work programs that achieve the engagement objectives. These work
programs should be recorded.
2240.A1 - Work programs should establish the procedures for identifying, analyzing, evaluating, and
recording information during the engagement. The work program should be approved prior to its
implementation, and any adjustments approved promptly.
2240.C1 - Work programs for consulting engagements may vary in form and content depending upon
the nature of the engagement.
2300 - Performing the Engagement
Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the
engagement's objectives.
2310 - Identifying Information
Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve the
engagement's objectives.
2320 - Analysis and Evaluation
Internal auditors should base conclusions and engagement results on appropriate analyses and
2330 - Recording Information
Internal auditors should record relevant information to support the conclusions and engagement results.
2330.A1 - The chief audit executive should control access to engagement records. The chief audit
executive should obtain the approval of senior management and/or legal counsel prior to releasing such
records to external parties, as appropriate.
2330.A2 - The chief audit executive should develop retention requirements for engagement records.
These retention requirements should be consistent with the organization's guidelines and any pertinent
regulatory or other requirements.
2330.C1 - The chief audit executive should develop policies governing the custody and retention of
engagement records, as well as their release to internal and external parties. These policies should be
consistent with the organization's guidelines and any pertinent regulatory or other requirements.
2340 - Engagement Supervision
Engagements should be properly supervised to ensure objectives are achieved, quality is assured, and
staff is developed.
2400 - Communicating Results
Internal auditors should communicate the engagement results.
2410 - Criteria for Communicating
Communications should include the engagement's objectives and scope as well as applicable
conclusions, recommendations, and action plans.
2410.A1 - Final communication of engagement results should, where appropriate, contain the
internal auditor's overall opinion and/or conclusions.
2410.A2 - Internal auditors are encouraged to acknowledge satisfactory performance in engagement
2410.A3 - When releasing engagement results to parties outside the organization, the communication
should include limitations on distribution and use of the results.
2410.C1 - Communication of the progress and results of consulting engagements will vary in form and
content depending upon the nature of the engagement and the needs of the client.
2420 - Quality of Communications
Communications should be accurate, objective, clear, concise, constructive, complete, and timely.
2421 - Errors and Omissions
If a final communication contains a significant error or omission, the chief audit executive should
communicate corrected information to all parties who received the original communication.
2430 - Engagement Disclosure of Noncompliance with the Standards
When noncompliance with the Standards impacts a specific engagement, communication of the results
should disclose the:
Standard(s) with which full compliance was not achieved,
Reason(s) for noncompliance, and
Impact of noncompliance on the engagement.
2440 - Disseminating Results
The chief audit executive should communicate results to the appropriate parties.
2440.A1 - The chief audit executive is responsible for communicating the final results to parties who
can ensure that the results are given due consideration.
2440.A2 - If not otherwise mandated by legal, statutory or regulatory requirements, prior to releasing
results to parties outside the organization, the chief audit executive should:
Assess the potential risk to the organization.
Consult with senior management and/or legal counsel as appropriate.
Control dissemination by restricting the use of the results.
2440.C1 - The chief audit executive is responsible for communicating the final results of consulting
engagements to clients.
2440.C2 - During consulting engagements, risk management, control, and governance issues may be
identified. Whenever these issues are significant to the organization, they should be communicated to
senior management and the board.
2500 - Monitoring Progress
The chief audit executive should establish and maintain a system to monitor the disposition of results
communicated to management.
2500.A1 - The chief audit executive should establish a follow-up process to monitor and ensure that
management actions have been effectively implemented or that senior management has accepted the risk
of not taking action.
2500.C1 - The internal audit activity should monitor the disposition of results of consulting
engagements to the extent agreed upon with the client.
2600 - Resolution of Management's Acceptance of Risks
When the chief audit executive believes that senior management has accepted a level of residual risk that
may be unacceptable to the organization, the chief audit executive should discuss the matter with senior
management. If the decision regarding residual risk is not resolved, the chief audit executive and senior
management should report the matter to the board for resolution.
Add Value - Value is provided by improving opportunities to achieve organizational objectives,
identifying operational improvement, and/or reducing risk exposure through both assurance and
consulting services.
Adequate Control - Present if management has planned and organized (designed) in a manner that
provides reasonable assurance that the organization's risks have been managed effectively and that the
organization's goals and objectives will be achieved efficiently and economically.
Assurance Services - An objective examination of evidence for the purpose of providing an independent
assessment on risk management, control, or governance processes for the organization. Examples may
include financial, performance, compliance, system security, and due diligence engagements.
Board - A board is an organization's governing body, such as a board of directors, supervisory board,
head of an agency or legislative body, board of governors or trustees of a non-profit organization, or
any other designated body of the organization, including the audit committee, to whom the chief audit
executive may functionally report.
Charter - The charter of the internal audit activity is a formal written document that defines the
activity's purpose, authority, and responsibility. The charter should (a) establish the internal audit
activity's position within the organization; (b) authorize access to records, personnel, and physical
properties relevant to the performance of engagements; and (c) define the scope of internal audit
Chief Audit Executive - Top position within the organization responsible for internal audit activities.
Normally, this would be the internal audit director. In the case where internal audit activities are
obtained from outside service providers, the chief audit executive is the person responsible for
overseeing the service contract and the overall quality assurance of these activities, reporting to senior
management and the board regarding internal audit activities, and follow up of engagement results. The
term also includes such titles as general auditor, chief internal auditor, and inspector general.
Code of Ethics - The Code of Ethics of The Institute of Internal Auditors (IIA) are Principles relevant
to the profession and practice of internal auditing, and Rules of Conduct that describe behavior
expected of internal auditors. The Code of Ethics applies to both parties and entities that provide
internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the
global profession of internal auditing.
Compliance - Conformity and adherence to policies, plans, procedures, laws, regulations, contracts,
or other requirements.
Conflict of Interest - Any relationship that is or appears to be not in the best interest of the
organization. A conflict of interest would prejudice an individual's ability to perform his or her duties
and responsibilities objectively.

Consulting Services - Advisory and related client service activities, the nature and scope of which are
agreed with the client and which are intended to add value and improve an organization's
governance, risk management, and control processes without the internal auditor assuming
management responsibility. Examples include counsel, advice, facilitation and training.
Control - Any action taken by management, the board, and other parties to manage risk and increase the
likelihood that established objectives and goals will be achieved. Management plans, organizes, and
directs the performance of sufficient actions to provide reasonable assurance that objectives and goals
will be achieved.
Control Environment - The attitude and actions of the board and management regarding the
significance of control within the organization. The control environment provides the discipline and
structure for the achievement of the primary objectives of the system of internal control. The control
environment includes the following elements:
Integrity and ethical values.
Management's philosophy and operating style.
Organizational structure.
Assignment of authority and responsibility.
Human resource policies and practices.
Competence of personnel.
Control Processes - The policies, procedures, and activities that are part of a control framework,
designed to ensure that risks are contained within the risk tolerances established by the risk management
Engagement - A specific internal audit assignment, task, or review activity, such as an internal audit,
Control Self-Assessment review, fraud examination, or consultancy. An engagement may include
multiple tasks or activities designed to accomplish a specific set of related objectives.
Engagement Objectives - Broad statements developed by internal auditors that define intended
engagement accomplishments.
Engagement Work Program - A document that lists the procedures to be followed during an
engagement, designed to achieve the engagement plan.
External Service Provider - A person or firm, outside of the organization, who has special
knowledge, skill, and experience in a particular discipline.
Fraud - Any illegal acts characterized by deceit, concealment or violation of trust. These acts are not
dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by
parties and organizations to obtain money, property or services; to avoid payment or loss of services; or
to secure personal or business advantage.
Governance - The combination of processes and structures implemented by the board in order to
inform, direct, manage and monitor the activities of the organization toward the achievement of its

Impairments - Impairments to individual objectivity and organizational independence may include
personal conflicts of interest, scope limitations, restrictions on access to records, personnel, and
properties, and resource limitations (funding).
Independence - The freedom from conditions that threaten objectivity or the appearance of
objectivity. Such threats to objectivity must be managed at the individual auditor, engagement,
functional and organizational levels.
Internal Audit Activity - A department, division, team of consultants, or other practitioner(s) that
provides independent, objective assurance and consulting services designed to add value and improve an
organization's operations. The internal audit activity helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.
Objectivity - An unbiased mental attitude that allows internal auditors to perform engagements in such a
manner that they have an honest belief in their work product and that no significant quality compromises
are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to
that of others.
Residual Risks - The risk remaining after management takes action to reduce the impact and
likelihood of an adverse event, including control activities in responding to a risk.
Risk - The possibility of an event occurring that will have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood.
Risk Management - A process to identify, assess, manage, and control potential events or situations, to
provide reasonable assurance regarding the achievement of the organization's objectives.
Should - The use of the word "should" in the Standards represents a mandatory obligation.
Standard - A professional pronouncement promulgated by the Internal Auditing
Standards Board that delineates the requirements for performing a broad range of
internal audit activities, and for evaluating internal audit performance.

Appendix II

Monday, June 15, 2009
4:16 PM