CA.Rajkumar S. Adukia
rajkumarfca@gmail.com
+91 93230 61049
INDEX
Section 1: Foundation of Internal auditing
1.1 What is internal auditing?
1.2 History and background
1.3 Purpose of internal auditing
1.4 Scope of internal auditing
1.5 Role of auditors
1.6 Organisational Independence and Objectivity
1.7 Professionalism
Field survey
4.2 Audit programme
4.3 Audit procedures
4.4
4.5 Audit sampling
4.6 Audit Tests
4.7 Specimen letters
Section 5: CAATs
5.1 Definition
5.2 Need
5.3 Techniques
5.4
8.2
8.3
8.4
Thus, internal audit activity can play an important role and support the board
and management in fulfilling an essential component of their governance mechanisms.
The internal auditor furnishes analysis, appraisals, recommendations, counsel and
information concerning the activities reviewed. The internal auditor can suggest ways
A Partnership...
The internal auditing function varied greatly between organisations and a number of
internal auditors pushed vigorously for greater understanding and recognition of the
internal auditing function. One such person was John B. Thurston, head of the internal
auditing function at the North American utility company. He is credited with being the
person most responsible for the creation of The Institute. He was joined by Robert B.
Milne, general auditor of the Columbia Engineering Corporation, and Victor Z. Brink,
a former auditor and Columbia University educator who authored the first major book
on internal auditing. They gathered friends and associates from the utilities industries,
On November 17, The IIA's Certificate of Incorporation was filed, which officially
established The Institute of Internal Auditors' name; recognized The Institute as a
membership corporation; and identified the corporation's specific purposes
monitors and coordinates the risk management processes and the outcomes,
This assurance from the management is fundamental. There is a need for additional
assurance from a different source. Internal audit can be the key source providing
objective assurance that all the significant risks have been identified, risk management
process is working effectively and efficiently, risks are being reported and controls are
effective. As part of this work, the internal audit activity will provide advice, coaching
and facilitation services to assist executive management in carrying out their
responsibilities.
The external auditors have to express an opinion on accuracy and fairness of financial
information. The scope of internal audit is much wider than statutory/external audit. It
should ideally cover all the organisation's activities. They include:
Safeguarding of assets
Review of projects
Management audit
Whether the company has kept all the requisite books of accounts
The financial statements present a true and fair view of the state of affairs
Proper records for assets, inventory, loans etc. have been maintained by the
company
Although internal and external auditors have different and clearly defined roles they do
share the same broad purpose of serving the public by helping to ensure the highest
standards of regularity and propriety for the use of resources and in promoting efficient,
effective and economic administration.
1.7 Professionalism
In the current scenario, the demands for professionalism, knowledge and integrity have
increased manifold. To be effective, auditors must serve as objective assurance
providers and advisors to the other participants in the governance process like Board of
Directors and the audit committee; provide guidance on improving operational
efficiency and control; evaluate risk and advise the management on risk identification,
risk tolerance and risk management.
The scope of internal audit has widened and may cover the whole gamut of the
organisation's activities. It is the internal auditor's task to operate within the framework
of professionalism to assist the company in achieving the highest-quality results and
long-term objectives. This calls for clear and concise guidance that can be readily
adopted and followed regardless of the industry, audit specialty, or sector.
Proficiency
Internal auditors need to have the knowledge and skills to perform their
individual responsibilities. If the knowledge, skills, or other competencies needed to
perform all or part of the engagement are not available within the internal audit staff,
then the chief audit executive should obtain competent advice and assistance from
outside the activity.
Though the internal auditors are not expected to have the expertise of a person whose
primary responsibility is detecting and investigating fraud, they should have sufficient
knowledge to identify the indicators of fraud.
Extent of work
Professional Behaviour
Internal auditors need to act professionally and maintain the good reputation of
the profession. The organisation should benefit from the internal audit activity in its
risk management and internal control process.
An auditor's responsibility is not limited to satisfying the needs of an individual
employer. The standards of the accountancy profession are heavily determined by the
public interest, for example - Internal auditors provide assurance about a sound internal
control system which enhances the reliability of the external financial information of the
employer. Accountancy and audit bodies like IIA and IFAC have formulated some
important principles of behaviour.
Independence
Professionalism entails a heavy responsibility. It means subscribing to a Code of
Conduct. The professional internal auditor needs to have independence to provide an
objective, unbiased opinion. They can never have complete independence but they need
sufficient independence.
The Institute of Internal Auditors' Code of Ethics provides internal auditors with
sufficient mechanism for reporting of audit results, findings, opinion or information.
The auditor can report to the appropriate level of management and there should be no
need to report in an unauthorized manner to anyone outside the organisation.
Only if the matter is not resolved satisfactorily, or the services of auditor are terminated
due to that, he should secure the advice of outside counsel.
o Analytical procedures
Meeting these objectives involves verification of:
o Revenue
o Sales
o Bank deposits
o Bank reconciliation
o Accounts payable
o Accounts receivable
o Disbursements
o Petty cash transactions
o Loans & Advances
o Assets
the extent to which resources have been managed with due regard to economy
and efficiency; and,
not so clear or well defined. The first step would be to brainstorm along with the
client and define the scope and objectives of audit. It is also necessary to decide
the exclusions to the scope.
2. Set audit objectives - The second step would be to set audit objectives.
Appropriate audit evidence can be gathered only when objectives are clear.
Three elements need to be identified-criteria, cause and effect. They will be
concerned with whether the operating objectives will be met.
Review and update the audit objectives after the preliminary survey.
a. Operating standards
b. Organisation chart
c. Nature of operations
d. Operating reports
e. Senior management
f. Prior audit papers, if available
g. Internet
h. Industry, trade journals and publications
i. Files and papers
5. Preliminary survey: preliminary survey is essential to gain a working
Make the audit plan - time, resources and expertise required, audit programme,
audit tests and identify audit risks
on internal controls. This step takes place throughout the audit process. Methods
to review would include
a.
9. Report: the report should inform the recipients of the issues or opportunities for
1. Obtain copies of the Grant application and award documentation (grant file) which
specify the purpose and scope of work to be done with the funds provided.
2.
3. Determine whether there are limitations on the use of these funds and test to see if
they were observed. Note any exceptions.
4. Verify that the amount of the grant noted in the above documentation was actually
received and deposited in the bank account maintained for that purpose. Note any
exceptions.
5. Ensure that any unused funds and/or interest earned are returned to the granting
agency. Test to determine compliance with such requirements. Note discrepancies.
compliance with the terms of the contract. They help in negotiating owner favourable
contract, design and improve expenditure processes and controls; ensure the accuracy
and proper documentation of
monthly monitoring and on-site inspections; and reduce overall project costs.
Guidelines to project audit
Each organization is unique, and the audit would be based on assessment of internal
controls and the limitations of the audit scope. However, certain issues such as
economic justification, regulatory requirements, policies, and controls over contractor
selection etc. should also be part of the audit package. Given below are few guidelines
that can help auditors to reduce costs and minimize risks to their organizations.
1. Doing a cost benefit analysis: It is necessary that the auditor ask for documented
evidence justifying the project to ensure that it is not the result of poor planning
or wrong assumptions.
2. Regulatory requirements: It is essential to find out regulatory requirements
affecting the project. The auditor should see that all clearances and certifications
are obtained.
3. Administration of project: presence of internal control would go a long way in
efficient management of construction activities. The auditor should see that
following control issues are addressed
a. Review and approval process
b. Project documentation and reporting
c. Construction administration process, including a right-to-audit
clause, change orders, substitutions, project overruns, and lien
waivers.
d. Bid and award process, including project size; contractor solicitation,
reference, and selection; and controls over bid opening
e. Management involvement and risk management
4. Bid bonds: A bid bond guarantees that the contractor is insurable and can obtain
a performance bond, which is procured after the bid is awarded. A contractor
who does not have the financial strength to secure a bid bond will be unable to
obtain a performance bond.
5. Adequate coverage by performance bond: In case the contractor fails to perform
in accordance with a contract, the insurance company will reimburse the
organization for the unfulfilled contract amount. If the contractor goes bankrupt,
the proceeds of the bond are available to the owner to finish the project. Certain
things need to be ensured in a performance bond:
a. Whether there is a policy regarding performance bonds based on an
acceptable level of risk (which is usually a monetary amount)
b. Review whether bonds are for adequate amount and contract has not
been broken into smaller parts to circumvent the requirement of
bonds.
c. Review whether senior management is consulted regarding
performance bonding coverage limits.
6. Review liability coverage and other details: Ensure that the contractor has taken
liability insurance. This provides the organisation protection if an accident or
damage occurs as a result of action of any contractor's employee.
a. Ensure that certificate of insurance is taken before the contractors
commence work and retained till completion of project.
b. Ensure that Certificate is current and has not expired
c. Review a sample COI for compliance with coverage in contract
document
d. Confirm that:
i. General liability limits are adequate
ii. Workmen's compensation limits are appropriate
iii. Comments and exclusions section is appropriate.
bid and
8. Look for accounting irregularities -- both intentional and unintentional: Find out
how projects are being coded in the general ledger account and determine
whether the project should remain active. Coding to the wrong project, whether
intentional or unintentional, can result in management decisions that are based
on inaccurate data. Intentional coding to another construction project may be
contrived to avoid scrutiny of a project-cost overrun and requisite approval and
reporting.
Policies
Standards
Contracts
Gathering information about laws, regulations, and other compliance requirements.
The auditor would design and perform procedures based on risk assessment that
would provide reasonable assurance of detecting significant illegal acts.
effectiveness of internal control in preventing and detecting illegal acts and acts
of non-compliance.
Sources of obtaining information about Laws, Regulations, and Other
Compliance Requirements
Taking the help of an expert: Auditors may seek help of legal counsel in
Auditors also may find it necessary to rely on the work of legal counsel when
audit objectives require testing compliance with provisions of contracts or grant
agreements.
Internal theft,
misappropriation of assets,
conflicts of interest
Co-ordination for this audit is usually at the highest level in the organisation like with
senior management or security department.
audits because they are normally conducted without first notifying the personnel who
may be affected by the findings.
interest, insider trading and other problems. The investigative results may be prepared
in a "due diligence report".
In addition to identifying risks and implications of an investment, due diligence may
include data on a company's solvency and assets. Due diligence is the responsibility
you have to investigate and identify issues, and due care is doing something about the
findings from due diligence.
3.1
3.2 Audit Staff
3.3
2. The firm should assign appropriate staff with the necessary capabilities,
competence and time to perform engagements in accordance with
professional standards and regulatory and legal requirements.
Internal Audit needs a mission statement or audit charter outlining the purpose,
objectives, organisation, authorities, and responsibilities of the internal auditor, audit
staff, audit management, and the audit committee. A big part of the management
profession is creating and enforcing policies and procedures. Policies interpret and tailor
laws that apply to an organisation; serving as a written record for good practices the
management wants to emphasize and enforce in the organisation, whether or not there
are legal implications. While policies are general, procedures are specific.
3.3.1 Audit Planning
Every audit assignment should be planned carefully prior to its start. Circumstances may
occur which might call for unscheduled reviews or there might be pressures to begin
special audit without delay. However, a properly planned audit will almost always have
better audit results. A long-range audit plan should be developed which should be
reviewed at regular intervals.
Pre-engagement activity: Matters to be considered before accepting a new assignment
would be:
i.
ii.
iii.
iv.
v.
vi.
i. Records required
ii. Knowledge of business
- review the prior audit reports
- policy and procedure manual, org chart, flowcharts etc.
- review financial statements or reports filed with various agencies or regulatory
bodies
- minutes of meetings of stockholders, the board of directors and relevant
committees
- effect of various laws and regulations on financial statement of auditee
- information about nature of entity's business
- client correspondence file
- gain an understanding of type of business, products & services, capital structure,
offices/branches/factories
- obtain knowledge of auditee's industry like economic condition, government
regulations, competition, financial trends.
- Other external sources such as industrial publications, ICAI standards and
guidance etc.
iii. Methods used by entity to process information: The methods used need to be
considered as the methods influence the design of internal control. The extent of
computer processing and the complexity of processing will influence nature, timing
and extent of audit procedures.
v. Audit Scheduling: on the basis of annual plan and preliminary survey the
manpower requirements and time budgets need to be fixed. The following factors
need to be considered.
- nature of audit
- complexity of work
- staff availability
- audit period
vi. The auditor should consider whether specialized skills are needed for any area such
as the effect of computer processing on the audit, to understand the controls, or to
design and perform audit procedures. If specialized skills are needed, the auditor
should seek the assistance of a professional possessing such skills.
Prepare a Draft Annual Internal Audit Plan based upon the results
of the risk assessment process.
Find out whether there are areas which management would like to be
included in the audit
c. Prior working papers and audit reports and information about past
activities
d. Information about any separate audit in the area being audited.
e. Review any departmental policies and procedures manuals, flowcharts, or
control narratives that may exist.
f. Any activity /area which the management requests to be included
b. Audit objectives
c.
d.
e.
The fact that the audit process may be subjected to a peer review under the
Chartered Accountants Act, 1949.
4.1 Field survey
4.2 Audit programme
4.3 Audit procedures
4.4
4.5 Audit sampling
4.6 Audit Tests
4.7 Specimen letters
Walkthrough of activity
The field survey is the initial contact point and might take one or two days depending
on the size of the audit.
The completion of field survey helps the auditor to understand key systems and
processes. If the information during preliminary audit planning is imperfect, the audit
team can make adjustments to planned audit scope.
4.2 Audit programme
After the conclusion of preliminary survey, the auditor has a fair idea of the audit
objectives and the control systems. At this stage the audit programme should be made
providing the proposed procedures, budgeting and basis for controlling the audit. The
audit programme will prevent the auditor from going off the scope pursuing irrelevant
items and help in completing the audit project in an efficient manner.
Things to be considered while preparing audit programme
Management controls
Significant findings and recommendations from previous audits that could affect
the current audit objectives. Also determine whether corrective action has been
taken and earlier recommendations implemented.
Potential sources of data that could be used as audit evidence and consider the
validity and reliability of these data.
Consider whether the work of other auditors and experts may be used to satisfy
some of the audit objectives.
The audit team holds a meeting with the audit supervisor to decide on the priority
/ high risk areas and tests to be conducted.
The programme should consist of detailed directions for carrying out the
assignment.
Have the final programme reviewed by Audit supervisor and Audit manager.
All major changes must be documented in writing and the reason documented.
The audit programme should contain a statement of the objectives of the area
being reviewed. These objectives would be achieved through the detailed audit
programme procedure. Objectives should fit within the overall scope of the audit.
Every audit procedure should help answer one of the objectives and every
objective should be addressed in the procedures or steps.
The tests have to be designed in such a manner that they achieve their objectives.
Use imagination, ingenuity and intelligence in creating audit steps responsive to
objectives.
The goals should be made amply clear by prefacing major steps with: "to test
whether . . ."; or, "to determine that . . ."
TIME BUDGET
Planning should continue throughout the audit. Audit objectives, scope, and
methodologies are not determined in isolation. They have to be determined together, as
the considerations in determining each often overlap.
Audit Evidence
Evidential matter obtained during the course of the audit provides the documented
basis for the auditor's opinions, findings, and recommendations as expressed in the
audit report.
Types of audit evidence
Evidence may be categorized as physical, documentary, testimonial, and analytical.
Test of Evidence
source of
information.
4.3 Audit procedures
audit). Documentation should be kept for each step that would generally be in the form
of working papers.
Review and Evaluation of Internal Control Environment
The auditor will have to review the internal control structure. The effectiveness and
efficiency of the internal control will determine the extent of tests to be performed. This
evaluation will also provide assurance on whether the systems are functioning
properly. The auditor should provide for tests in the audit programme which could be
in the form of interviews, internal control questionnaires, checklists, audit tests.
Matters to be considered while evaluating internal controls
Identification of risks
Internal control structure put in place to prevent, detect, correct undesired events
Flowcharts
Tests of compliance are performed to obtain sufficient evidence that the system is
operating in accordance with the understanding the auditor obtained from the
review. The nature, timing, and extent of tests of compliance are closely related
to the control procedures and methods studied by the auditor.
The auditor can meet the audit objectives through detailed review of the audit evidence.
Review of the entire population is not possible where the auditor has to examine a large
number of items. The internal auditor needs a consistent approach to draw a sample
from the data and draw conclusions from that sample. The challenge here is that the
sample should be representative of the entire population. Any situation in which one
has to draw conclusions based on an inspection of part of a population should consider
using statistical sampling techniques.
Any form of sampling, whether statistical or judgmental, is an application of a
procedure to less than 100% of the population. Under sampling there is always a risk
that some or all errors will not be found and the conclusions drawn (i.e. all transactions
were proper and accurate) may be wrong.
Audit sampling can be of two types: statistical and non-statistical. Statistical sampling is
a mathematically based method of selecting a sample representative of the population
while non-statistical sampling or judgmental sampling is not based on mathematics.
The type of sampling used and the number of items selected should be based on the
auditor's understanding of the relative risks and exposures of the areas audited. The
description of the methods used and reason for selection should be documented in the
audit programme and approved by audit administration.
Sample Selection Techniques
The manner in which the population is filed or distributed will determine the kind of
selection techniques to be used to select the sample. Several techniques are available:
1. Estimation Sampling: There are two types of estimation sampling.
Attributes Sampling.
Variables Sampling.
2. Acceptance Sampling
3. Discovery Sampling
4. Judgment Sampling
Sampling selection technique
The more commonly used sampling selection techniques are:
1. Unrestricted Random Number.
2. Interval Sampling
3. Stratified Sampling.
4. Cluster Sampling.
Evaluation of Results
Whatever sampling plan or selection technique is used, a conclusion has to be drawn from
the test results. The auditor should keep in mind a few rules for better evaluation:
1. Findings for each characteristic being tested should be evaluated separately
2. The auditor has to decide upon the "acceptable error rate" after a full study of the
surrounding circumstances.
3. When significant errors are found, the auditor should extend the examination or
apply other procedures to attempt to determine the cause and effect of the
exception.
The Auditor performs tests to validate processes and controls. This would include
performance of substantive testing which tests the efficiency of internal control to
ensure completeness, accuracy or validity of the accounts or transactions.
Given below are the various tests that the auditor would perform:
Tests involving continuing interaction with client staff and other parties
Facilitated meetings
Interviewing
Questioning
Surveys
Confirmation/Representation
Documentation Review
Analytical review
Data Analysis
Reconciliation
Facilitated Meetings
Inquiry involves meeting of concerned officials from different departments and key
stakeholders affected like customers and vendors. This method requires a lot of effort in
organising such a meeting. A facilitator is required so that the group does not diverge
from its objectives. Example: meeting of purchasing, accounts payable, stores and user
department to understand the cycle of purchases.
Interview: Direct interaction facilitates greater understanding of the business processes
as the interviewer can seek clarifications and details on the spot. It has all the
advantages of face-to-face communication like establishment of rapport, personal
opinions on issues and solutions.
The type of information received depends on the skills of the interviewer. The
interviewer has to make the person feel at ease and glean significant information.
Questioning: This is the most pervasive technique and should be used with care so that
the auditee is not needlessly alienated. The auditor may seek management reaction
through questioning in case of deficiencies or error.
Documentation Review: This is the most widely used method and a large amount of
data can be objectively verified. This involves a review of existing reports and
documents to identify controls, to understand the business or process, and to provide
evidence in supporting audit conclusion.
Analytical review: Analytical auditing procedures provide an efficient and effective
method of comparing relationships among data. The relationship among data is
compared against a pre-defined expected relationship, which is expected to continue in
the absence of unusual or non-recurring transactions.
Some analytical tests are trend analysis, benchmarking and ratio analysis.
Data analysis & exception tests: This involves analysis and query of historical data files
to identify trends and exceptions. It can be used to understand the volume or magnitude of
events to understand whether they are significant. It is used for identifying duplicates
or gaps in sequences, or for an aging summary of receivables.
Vouching & Verifying: It is another very popular method. The transactions or events
are verified against supporting documents for accuracy and validity. Examination of
accounting transactions against bills, attendance register against wage payments are
some examples.
Reconciliation: It is an audit test to match two sets of data which provides similar
information and analyse the variances between them. It may help in detecting frauds or
errors.
Recalculation & Valuation tests: The auditor may recalculate certain figures like
interests or instalments payable on a loan to verify the accuracy. The auditor may also
take the help of an external expert to revalue certain expensive assets.
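The data analysis and exception tests described above (duplicates, gaps in sequences, aging summary of receivables) can be run over an extracted invoice file as follows. This is an added example, not part of the original handbook; the invoice register, its field layout, the as-of date and the aging bucket edges are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample register: (invoice_no, customer, amount, invoice_date, paid)
INVOICES = [
    (1001, "Acme", 1200.00, date(2024, 1, 5), True),
    (1002, "Birla Traders", 450.00, date(2024, 1, 20), False),
    (1003, "Acme", 980.50, date(2024, 2, 28), False),
    (1005, "Chandra & Co", 300.00, date(2024, 3, 15), False),
    (1006, "Acme", 980.50, date(2024, 2, 28), False),   # same details as 1003
    (1009, "Birla Traders", 75.25, date(2024, 4, 10), False),
    (1009, "Birla Traders", 75.25, date(2024, 4, 10), False),  # number reused
]
AS_OF = date(2024, 4, 30)                                # assumed audit cut-off date
BUCKETS = [(30, "0-30"), (60, "31-60"), (90, "61-90")]  # assumed bucket edges (days)


def duplicate_numbers(invoices):
    """Invoice numbers that appear more than once in the file."""
    counts = Counter(inv[0] for inv in invoices)
    return sorted(n for n, c in counts.items() if c > 1)


def sequence_gaps(invoices):
    """Numbers missing between the lowest and highest invoice number."""
    seen = {inv[0] for inv in invoices}
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def possible_duplicate_billings(invoices):
    """Different invoice numbers sharing customer, amount and date."""
    groups = defaultdict(set)
    for number, customer, amount, inv_date, _paid in invoices:
        groups[(customer, amount, inv_date)].add(number)
    return sorted(sorted(nums) for nums in groups.values() if len(nums) > 1)


def aging_summary(invoices, as_of):
    """Total unpaid amount per age bucket, as recorded in the file.

    Records are aged as they stand, so a reused invoice number is counted
    twice; the duplicate tests above tell the auditor which lines to resolve.
    """
    totals = {label: 0.0 for _, label in BUCKETS}
    totals[">90"] = 0.0
    for _number, _customer, amount, inv_date, paid in invoices:
        if paid:
            continue
        age = (as_of - inv_date).days
        label = next((lbl for limit, lbl in BUCKETS if age <= limit), ">90")
        totals[label] += amount
    return {label: round(total, 2) for label, total in totals.items()}


if __name__ == "__main__":
    print("Reused invoice numbers:", duplicate_numbers(INVOICES))
    print("Missing invoice numbers:", sequence_gaps(INVOICES))
    print("Possible duplicate billings:", possible_duplicate_billings(INVOICES))
    print("Aging of unpaid invoices:", aging_summary(INVOICES, AS_OF))
```

Each exception listed is a lead for vouching against supporting documents, not a finding in itself.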
List of all accounts (numbers and account titles) maintained by your unit.
Statement of Account and annual statements for the three fiscal years for the
department.
Key departmental productivity and performance measures for the past three
fiscal years i.e., productivity measures used for budgeting purposes, etc.
Mr. <Name>
CEO, <Company Name> Limited
<Address>
Dear Mr. <CEO>
process and inform the management of the audit process and regulatory
responsibilities. The exit meeting will summarize the audit results and identify specific
post-audit responsibilities where applicable.
The review will emphasise the controls in the recently implemented financial
system. We will need to access your financial accounting system and its reports. We
plan to use some automated testing on your files. Please arrange for the system access
and working space for our audit team.
Should you require any further information or clarification, please contact the audit
manager <name>, at <number>.
Yours truly,
<Name>
<Designation>
Membership No. <Number>
Penetration testing.
5.3 Determining the need for CAAT
One thing, however, needs to be considered: CAATs might not always increase audit
efficiency or be cost effective. Certain processes may not be right for CAAT.
Developed by IT auditors; or
Whatever the source, audit software programs should remain under the strict control of
the audit department. For this reason, all documentation, test material, source listings,
source and object program modules, and all changes to such programs, should be
strictly controlled. In installations using advanced software library control systems,
audit object programs may be catalogued with password protection. Computer
programs intended for audit use should be documented carefully to define their
purpose and to ensure their continued usefulness and reliability.
With the use of Audit Software, auditors can directly obtain evidence as to the quality of
records produced and maintained by clients' systems. Various software, whether off the
shelf, specialized or customized, are a useful tool in the hands of the auditor to gain
access to and manipulate the data maintained in the computer systems to achieve audit
objectives.
Auditors may have a broad understanding of systems but they do not have
specific knowledge of or experience with the particular hardware and software being used.
100% data
File access: The file access functions enable different file structures to be
accessed.
File reorganization: Sorting data, merging data, comparing data can be done
Detection of Fraud
Do analytical reviews
Auditors can be sure of the thoroughness and correctness of their analysis while
arriving at conclusions.
All the variables that might possibly affect revenue can be considered to ensure
there is nothing unusual in any sub-categories
Audit provides value addition to the client by providing them new information
which is not available with them in the first place.
ACL
CaseWare IDEA
Microsoft Access
6.2 Functions
Workpapers should be economical to prepare and to review. It is important to achieve a
proper balance of completeness and conciseness. Only what is essential should be
included.
Working papers record the information obtained and the analyses made during
the audit process.
Record information
Specimen:
Workpaper Header
ABC Associates
Client ___________________
Period __________________
Prepared by ____________________
Date ____________________
Reviewed by ____________________
Date ____________________
(in-charge)
Reviewed by ____________________
Date ____________________
(Manager)
Financial statements
A2
A3
Review schedules
C. Intangible assets
D. Tangible non-current (fixed) assets
E. Investments
F. Stock
G. Receivables
H. Advances
I. Cash
J. Payables
Taxation
Purchases
6.3 Organisation
Auditors today use a wide variety of formats to prepare workpapers. Audit workpapers
may be in the form of paper, tape, disk, diskette, film, or other media. Regardless of the
media used workpapers should provide a standard framework for documenting
internal audit activities. If the audit workpapers are in the form of media other than
paper, consideration should be given to generating backup copies. If the Internal
Auditor is reporting on financial information, the audit workpapers should document
whether the accounting records agree or reconcile with such financial information.
The Internal Auditor should establish standard audit workpaper files, stationery,
indexing, and other related matters. Standardized audit workpapers, such as
questionnaires and audit programmes, may improve the efficiency of an audit and
facilitate the delegation of audit work.
An audit requires a large amount of information to be collected. The form and content of
workpapers depend on the nature of activities reviewed and the audit performed. They
can be broadly classified into
Permanent files
Administrative files
Bulk files
Audit reports
and have repetitive procedures. Also in case of continuing audits there might be
information of continuing importance. All this data of historical or continuing
nature should be filed in permanent files.
dependent on the type and nature of audit and audit procedures used by the
auditor.
that may be quite bulky and not required to be retained in primary workpapers.
Such papers may be filed in bulk files.
Workpapers for computer assisted audit techniques follow a different approach than
conventional audit. An auditor may use different automated procedures to perform
Review the audit procedures to ensure that they are adequate to accomplish the
objectives.
Confirm that all observation forms prepared have been discussed with the
appropriate member of management, and that the disposition of the audit
concern is documented.
Documentation obtained and not relevant to the audit should be
The Internal Auditor should develop retention requirements for audit workpapers.
These retention requirements should be consistent with the organisation's guidelines
and any pertinent legal or other requirements. The guidelines could relate to:
o Time period during which files are to be kept in current documents.
o Subsequent movement of files to archive files.
o Movement of electronic workpapers to electronic storage media like tape or CD-ROM.
o Separate guidelines for workpapers related to investigative audit or a lawsuit.
o Removal or deletion of workpapers.
Audit workpapers and audit reports are key tangible outputs of the audit process. As
the audit report is supported by the workpapers, it is essential that adequate
workpapers are available to support the report. The best way to establish a level of
confidence is for internal audit management to perform adequate levels of review of all
workpapers.
Oral Reports
Interim reports
Oral Reports:
reports. This mode might be used for reporting any findings, which may need
emergency action, or as an oral presentation as a prelude to the formal written report.
Regular reports: in most audit assignments a detailed descriptive report is given at the
conclusion. A general format of such a report is given under Form and content of audit
report.
Summary Audit report: Such reports summarise the audit report and describe the range
of content. Such reports could be a summary of more than one report.
Cover Page - A cover page showing the department name, audit title, audit number and
audit date should be on each report. Lengthy reports may have an index.
Cover Letter - A letter should be written and signed by the Director/partner and made
a part of the audit report. It will be as brief as possible.
Introduction - Describe the type of engagement (regular scheduled, special request,
etc.) and the authority of the audit (agenda, special request). State the name of the
organization or activity being audited and provide any background information
necessary. This can include nature and goals, volume or value, activities, location,
staffing, etc.
Statement of Objectives - The audit objectives are stated in the report and are the same
ones that appeared in the detailed audit programme.
Statement of Scope - This section should describe the depth and coverage of audit
work conducted to accomplish the audit's objectives. It would contain the calendar
dates for the test work and a date for the evaluation of internal controls.
Statement of Methodology - The statement on methodology should clearly explain the
evidence gathering and analysis techniques used to accomplish the audit's objectives.
Statement of Auditing Standards - The report should include a statement that the audit
was made in accordance with auditing standards and disclose when applicable
standards were not followed.
Audit Conclusions - The auditor must conclude on the stated audit objectives in the
order in which they appeared in the report. The auditor should conclude in the negative
or affirmative on each objective.
3) Effect - This is also known as risk (either actual or potential). Describe or show the
actual or potential effect on the condition. The risks could be inaccuracy,
inefficiency, loss to assets. Provide a monetary value to the effect. If this is not
possible, say so and emphasize the potential.
General Comments - This section is reserved for points of interest that are of lesser
magnitude than findings, but of interest to management.
CLARITY - Means making the reader understand what the auditor is trying to say
while writing the report.
report cannot supply both sufficient details for the operating manager and a summary
for the executive. The report is written for senior management. The Internal auditor can
either provide a separate report to the operating management or details for the
operating manager/supervisor can be provided upon request.
TONE - The report should be courteous and factual. It should not be petty, but should
sound like the voice of management.
GRAMMAR AND SPELLING - All auditors are expected to use acceptable grammar,
sentence structure and context. Additionally, spelling should be accurate.
Closing conference
e. Get the client's comments on the draft report, and get any inaccuracies or
impractical recommendations resolved to the extent possible.
f. Get management's agreement on the facts and wording of the report.
g. Ask management for written responses (give specific due date for
responses).
E. Closing conference
a. Provide the management or appropriate staff adequate opportunity to
study the report.
b. Departmental administrators and managers have the opportunity to
informally provide additional information, question findings, or challenge
conclusions. On the basis of those discussions, the final report may be
modified.
c. Try to anticipate potential questions/conflicts.
d. Inquire from the managers or appropriate staff whether they have any
questions about the opinion or background or the audit process.
e.
G. Dissemination of report
a. The persons to whom the report is to be delivered will vary from
organisation to organisation and from one assignment to another. Some of
the recipients could be the Corporate Vice President for Administration
or the Vice President for Business and Finance, the Department Head, the
CFO, the CEO, the Board of Directors and the Audit Committee.
b. In some organisations the BOD and the Audit Committee may be
presented with periodic summaries of audit
findings, with access to summaries or full reports if requested.
c. In certain organisations the report is published on the website. In that
case, copy the report file to the share drive for eventual publication on the
web page. Take the original paper copy of the letter to the management
and the signature page from the report to the webmaster. Those two pages
will be scanned and converted into a PDF format document and inserted
into the report posted on the share drive.
Follow up
Each organisation/department may have its own time limits for replying to the report
and the internal audit department may have its own rules for follow-up. Some internal
audit functions may conduct a follow-up after six months or one year to ascertain
the status of open recommendations.
Internal auditing should determine that corrective action was taken and is achieving the
desired results, or that management or the board has assumed the risk of not taking
corrective action on reported findings.
Mr. <Name>
CEO, <Company Name> Limited
<Address>
Dear Mr. <CEO>
The audit team has concluded an operational review of the internal control
structure and the recently implemented financial system SAP. The objective of our
review was to evaluate controls in the financial system, compliance with policy &
regulations and the effectiveness and efficiency of the current organisation authority
structure.
The review covered operations of the period <date> to <date>. Please find
enclosed two copies of the Audit Report of <Company Name> Limited completed on
June XX, 200X. I am pleased to inform you that the review found that the financial
department is well managed with generally good controls. However, controls need to
be strengthened in a few areas and documentation policies need to be more strictly
enforced for travel expenses. A summary of the most significant audit findings is
provided in Part II of the report.
The company must respond in writing to each audit finding. The proposed
Corrective Action Plan should detail both short term corrective action to correct the
specific deficiencies cited and, where applicable, long term corrective action. Long term
corrective action should focus on modifying the system to prevent recurrence of similar
deficiencies in the future.
We wish to express our appreciation for the co-operation extended to the audit
team by you and your staff during the audit.
Yours truly,
<Name>
<Designation>
Membership No. <number>
INTRODUCTION
Background
Audit Perspective
Scope & Objectives
EXECUTIVE SUMMARY
I.
II.
III.
APPENDIX
AUDIT NAME
DATE
INTRODUCTION
Background
Audit Perspective
Present audit status -
a) Royalty payments;
b) Rent received from sub tenants;
c) Compliance with Food safety and hygiene regulations;
d) Cash receipts; and
e) Credit card receivables.
Whether royalty has been calculated correctly and has been paid to
the brand owners timely.
29 hbintauditpro.doc
Page 82 of 141
Whether a contract has been drawn up with sub tenants and floor
space, rent and facilities have been agreed upon.
Note: "Audit" is used in the report when actual tests are performed to
corroborate the opinion. "Review" is used in the report when no tests are
performed to corroborate the opinion. Comment should speak directly as
to what was done, i.e., if a test was performed, the word "test" should be
used. If a review was performed, the word "review" should be used.
Company - General
AAA Foods Limited
Provide information on the background of the company and its operations. Provide
details of functions and personnel in departments. Mention whether there has been any major
change in the organisation since the last audit. (E.g. the company has opened
new food centres at 12 more locations. The staff strength has risen to 15,000. The
company is now undertaking a massive exercise to centralize its processing and
accounting at the main office).
Audit Synopsis
Mr. R. Xyz, senior partner of XYZ associates was in charge of the audit. The
audit was conducted in accordance with auditing standards and policy &
procedures detailed in the AAA Food Limited's manual. These techniques
included interviews with key personnel, review of approved documents,
sampling of relevant files, and random inspections throughout AAA Food
Limited's system.
main office on
<date>. During this meeting, the audit manager briefed the operator's
management on the audit process and the team's audit plans. The officials of the
company were regularly updated on audit progress and on all audit findings
submitted. The audit was completed and the exit meeting was held in AAA Food
Limited's main office on <date> with the senior officials, namely <name>.
EXECUTIVE SUMMARY
Relevant Findings
AUDIT NAME
INTERNAL AUDIT OPINION
We have identified opportunities to improve the controls of the
AUDITOR-IN-CHARGE
(E.g.
DATE
The areas requiring immediate attention are: <area>, which currently lack
some essential elements; <area>, which require a detailed system to
ensure that all requirements have been met; and procedures to monitor
and report on <area> activities.
AUDIT NAME
DETAIL REPORT
Overview
Pages X through XX outline the specific findings resulting from our substantive
audit testing.
categorized first on the basis of departments. Within each division, the major
primary findings (significant internal control deficiencies and items potentially
having a significant or adverse effect on the unit's operations) are mentioned first
and then other matters (items of a lesser nature requiring attention, but not likely
to have a significant or adverse effect on the unit's operations).
Primary Findings
I.
COMMENT
Insert summary of the finding included in the Executive Summary
Finding
Ramifications/Implications
Recommendation(s)
Auditee's Response
Other Matters
II.
COMMENT
Insert summary of the finding included in the Executive Summary
Finding
Ramifications/Implications
Recommendation(s)
Auditee's Response
stakeholders. They should have the time to find out enough about the
organisation so that they can effectively challenge the executive management.
Reports
Within the management, there are different levels. The audit report has to be
designed to suit the interest, needs and requirements of different levels of
management. All the levels need to know as to what is happening in the areas of
their concern and internal audit report can serve as one of the vehicles of
information. However the degree of detail required by each is different. The local
office needs an in-depth report with all the details and documentation so that
follow-up actions/rectifications can be taken. The regional offices would need
general information on the operations and performance of the local office. The
top management needs to be informed of serious issues and frauds and
information on problems across offices etc. Thus, as the levels go up the details
required are less.
For easy readability and distribution, the report could have an executive
summary, main report divided by functional areas and lastly
several factors determine the type of relationship. Some chief audit executives
(CAEs) are of the opinion that the relationship should be an arm's-length
relationship while others feel that there should be a close working relationship.
It is finally up to the organisation and the auditors to decide as to what type of
relationship best fits an organization taking into account its resources and time
and issues.
Benefits of coordination
Varied strengths increase effectiveness
By the nature of their responsibilities, internal auditors spend a lot of time
working for the same company. This gives them a better understanding of the
culture and working of the organisation. The external auditors, on the other hand,
have exposure to a wider variety of financial issues as they have multiple clients.
Increase in efficiency
Coordination increases efficiency. When the audit is not properly coordinated,
external auditors may duplicate work already performed by the internal
auditors.
Cost reduction
Coordination reduces the time and effort which the external auditor would
expend on redundant work, thus reducing the audit fees.
External and internal auditors owe allegiance to different sets of people. The
internal auditor is accountable to the management. When the external auditor
needs assistance from the internal auditor, he has to first inform the management
/governing body and seek their approval.
Commitment
As discussed earlier, both the auditors work with different objectives and
responsibilities. Given this situation when the need for coordination arises, it
requires commitment. They have to adjust and plan the work to satisfy each
other's needs.
Communication
Communication is a sine qua non for the success of any coordination process. There
should be frequent and open communication between internal and external
auditors. They should decide on the timing and nature of communication; it may be
written or electronic or face to face or telephonic or a combination of whatever
format is suitable.
Trust
Areas of co-operation
Internal control
Corporate governance
Performance indicators
Testing
o systems
o programs
1. Listed Company
Only the internal audit activity can provide an objective assurance to the market
regulator that
gaps, if any, are identified and reported, and prompt action is taken to rectify
the same.
the scope. The Standard also lays down the reporting responsibilities of the
internal auditor when there is restriction on usage and circulation of the report.
These are the standards issued by the Institute of Internal Auditors. Standards
Attribute Standards
1000 Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit activity must be
formally defined in an internal audit charter, consistent with the Definition of
Internal Auditing, the Code of Ethics, and the Standards. The chief audit
executive must periodically review the internal audit charter and present it to
senior management and the board for approval.
Interpretation:
The internal audit charter is a formal document that defines the internal audit
activity's purpose, authority, and responsibility. The internal audit charter
establishes the internal audit activity's position within the organization;
authorizes access to records, personnel, and physical properties relevant to the
performance of engagements; and defines the scope of internal audit activities.
Final approval of the internal audit charter resides with the board.
1130.A2 Assurance engagements for functions over which the chief audit
executive has responsibility must be overseen by a party outside the
internal audit activity.
1130.C1 Internal auditors may provide consulting services relating to
operations for which they had previous responsibilities.
1130.C2 If internal auditors have potential impairments to independence
or objectivity relating to proposed consulting services, disclosure must be
made to the engagement client prior to accepting the engagement.
1200 Proficiency and Due Professional Care
Engagements must be performed with proficiency and due professional care.
1210 Proficiency
Internal auditors must possess the knowledge, skills, and other competencies
needed to perform their individual responsibilities. The internal audit activity
collectively must possess or obtain the knowledge, skills, and other competencies
needed to perform its responsibilities.
Interpretation:
Knowledge, skills, and other competencies is a collective term that refers to the
professional proficiency required of internal auditors to effectively carry out their
professional responsibilities. Internal auditors are encouraged to demonstrate
their proficiency by obtaining appropriate professional certifications and
qualifications, such as the Certified Internal Auditor designation and other
designations offered by The Institute of Internal Auditors and other appropriate
professional organizations.
1210.A1 The chief audit executive must obtain competent advice and
assistance if the internal auditors lack the knowledge, skills, or other
competencies needed to perform all or part of the engagement.
Interpretation:
Ongoing monitoring is an integral part of the day-to-day supervision, review,
and measurement of the internal audit activity. Ongoing monitoring is
incorporated into the routine policies and practices used to manage the internal
audit activity and uses processes, tools, and information considered necessary to
evaluate conformance with the Definition of Internal Auditing, the Code of
Ethics, and the Standards.
Interpretation:
A qualified reviewer or review team consists of individuals who are competent
in the professional practice of internal auditing and the external assessment
process. The evaluation of the competency of the reviewer and review team is a
judgment that considers the professional internal audit experience and
professional credentials of the individuals selected to perform the review. The
evaluation of qualifications also considers the size and complexity of the
organizations that the reviewers have been associated with in relation to the
organization for which the internal audit activity is being assessed, as well as the
need for particular sector, industry, or technical knowledge.
Interpretation:
The form, content, and frequency of communicating the results of the quality
assurance and improvement program is established through discussions with
senior management and the board and considers the responsibilities of the
internal audit activity and chief audit executive as contained in the internal audit
charter. To demonstrate conformance with the Definition of Internal Auditing,
the Code of Ethics, and the Standards, the results of external and periodic
internal assessments are communicated upon completion of such assessments
and the results of ongoing monitoring are communicated at least annually. The
results include the reviewer's or review team's assessment with respect to the
degree of conformance.
1321 Use of "Conforms with the International Standards for the Professional
Practice of Internal Auditing"
The chief audit executive may state that the internal audit activity conforms with
the International Standards for the Professional Practice of Internal Auditing
only if the results of the quality assurance and improvement program support
this statement.
1322 Disclosure of Nonconformance
When nonconformance with the Definition of Internal Auditing, the Code of
Ethics, or the Standards impacts the overall scope or operation of the internal
audit activity, the chief audit executive must disclose the nonconformance and
the impact to senior management and the board.
Performance Standards
2000 Managing the Internal Audit Activity
The chief audit executive must effectively manage the internal audit activity to
ensure it adds value to the organization.
Interpretation:
The internal audit activity is effectively managed when:
The results of the internal audit activity's work achieve the purpose and
responsibility included in the internal audit charter;
The individuals who are part of the internal audit activity demonstrate
conformance with the Code of Ethics and the Standards.
2010 Planning
The chief audit executive must establish risk-based plans to determine the
priorities of the internal audit activity, consistent with the organization's goals.
Interpretation:
The chief audit executive is responsible for developing a risk-based plan. The
chief audit executive takes into account the organization's risk management
framework, including using risk appetite levels set by management for the
different activities or parts of the organization. If a framework does not exist, the
chief audit executive uses his/her own judgment of risks after consultation with
senior management and the board.
Interpretation:
"Appropriate" refers to the mix of knowledge, skills, and other competencies
needed to perform the plan. "Sufficient" refers to the quantity of resources needed
to accomplish the plan. Resources are effectively deployed when they are used in
a way that optimizes the achievement of the approved plan.
Interpretation:
The form and content of policies and procedures are dependent upon the size
and structure of the internal audit activity and the complexity of its work.
2050 Coordination
The chief audit executive should share information and coordinate activities with
other internal and external providers of assurance and consulting services to
ensure proper coverage and minimize duplication of efforts.
Ensuring effective organizational performance management and accountability;
Appropriate risk responses are selected that align risks with the
organization's risk appetite; and
2120.A1 The internal audit activity must evaluate risk exposures relating
to the organization's governance, operations, and information systems
regarding the:
2120.A2 The internal audit activity must evaluate the potential for the
occurrence of fraud and how the organization manages fraud risk.
2120.C1 During consulting engagements, internal auditors must address
risk consistent with the engagement's objectives and be alert to the
existence of other significant risks.
The objectives of the activity being reviewed and the means by which
the activity controls its performance;
and other client expectations. For significant
evaluating, and documenting information during the
techniques. Relevant information supports engagement
observations and recommendations and is consistent with the objectives for the
engagement. Useful information helps the organization meet its goals.
2320 Analysis and Evaluation
contain internal auditors' overall opinion and/or conclusions.
2410.A2 Internal auditors are encouraged to acknowledge satisfactory
performance in engagement communications.
2410.A3 When releasing engagement results to parties outside the
organization, the communication must include limitations on distribution
and use of the results.
and lead to improvements where needed. Complete
communications lack nothing that is essential to the target audience and include
all significant and relevant information and observations to support
The chief audit executive or designee reviews and approves the final engagement
communication before issuance and decides to whom and how it will be
disseminated.
2440.A1 The chief audit executive is responsible for communicating the
final results to parties who can ensure that the results are given due
consideration.
2440.A2 If not otherwise mandated by legal, statutory, or regulatory
requirements, prior to releasing results to parties outside the organization
the chief audit executive must:
Glossary
Add Value
Value is provided by improving opportunities to achieve organizational
objectives, identifying operational improvement, and/or reducing risk exposure
through both assurance and consulting services.
Adequate Control
Present if management has planned and organized (designed) in a manner that
provides reasonable assurance that the organization's risks have been managed
effectively and that the organization's goals and objectives will be achieved
efficiently and economically.
Assurance Services
An objective examination of evidence for the purpose of providing an
independent assessment on governance, risk management, and control processes
for the organization. Examples may include financial, performance, compliance,
system security, and due diligence engagements.
Board
A board is an organization's governing body, such as a board of directors,
supervisory board, head of an agency or legislative body, board of governors or
trustees of a nonprofit organization, or any other designated body of the
organization, including the audit committee to whom the chief audit executive
may functionally report.
Charter
The internal audit charter is a formal document that defines the internal audit
activity's purpose, authority, and responsibility. The internal audit charter
Any relationship that is, or appears to be, not in the best interest of the
organization. A conflict of interest would prejudice an individual's ability to
perform his or her duties and responsibilities objectively.
Consulting Services
Advisory and related client service activities, the nature and scope of which are
agreed with the client, are intended to add value and improve an organization's
governance, risk management, and control processes without the internal auditor
assuming management responsibility. Examples include counsel, advice,
facilitation, and training.
Control
Any action taken by management, the board, and other parties to manage risk
and increase the likelihood that established objectives and goals will be achieved.
Management plans, organizes, and directs the performance of sufficient actions
to provide reasonable assurance that objectives and goals will be achieved.
Control Environment
The attitude and actions of the board and management regarding the significance
of control within the organization. The control environment provides the
discipline and structure for the achievement of the primary objectives of the
system of internal control. The control environment includes the following
elements:
Organizational structure.
Competence of personnel.
Control Processes
The policies, procedures, and activities that are part of a control framework,
designed to ensure that risks are contained within the risk tolerances established
by the risk management process.
Engagement
A specific internal audit assignment, task, or review activity, such as an internal
audit, control self-assessment review, fraud examination, or consultancy. An
engagement may include multiple tasks or activities designed to accomplish a
specific set of related objectives.
Engagement Objectives
Broad statements developed by internal auditors that define intended
engagement accomplishments.
Engagement Work Program
A document that lists the procedures to be followed during an engagement,
designed to achieve the engagement plan.
conceptual framework that organizes the authoritative guidance
Must
The Standards use the word "must" to specify an unconditional requirement.
Objectivity
An unbiased mental attitude that allows internal auditors to perform
engagements in such a manner that they have an honest belief in their work
product and that no significant quality compromises are made. Objectivity
requires internal auditors not to subordinate their judgment on audit matters to
others.
Residual Risk
The risk remaining after management takes action to reduce the impact and
likelihood of an adverse event, including control activities in responding to a
risk.
Risk
The possibility of an event occurring that will have an impact on the achievement
of objectives. Risk is measured in terms of impact and likelihood.
Risk Appetite
The level of risk that an organization is willing to accept.
Risk Management
A process to identify, assess, manage, and control potential events or situations
to provide reasonable assurance regarding the achievement of the organization's
objectives.
Should
The Standards use the word "should" where conformance is expected unless,
when applying professional judgment, circumstances justify deviation.
Significance
The relative importance of a matter within the context in which it is being
considered, including quantitative and qualitative factors, such as magnitude,
nature, effect, relevance, and impact. Professional judgment assists internal
auditors when evaluating the significance of matters within the context of the
relevant objectives.
Standard
***